Privileged & Confidential 1 India: an up-date on Data Protection Legislation by Tejas Karia (BSL, LLM (LSE), Advocate, Solicitor Associate, Amarchand &

Privileged & Confidential 1

India:India:an up-date on Data Protection Legislation an up-date on Data Protection Legislation

bybyTejas KariaTejas Karia

(BSL, LLM (LSE), Advocate, Solicitor(BSL, LLM (LSE), Advocate, SolicitorAssociate, Amarchand & Mangaldas)Associate, Amarchand & Mangaldas)

Amarchand & Mangaldas & Suresh A. Shroff & Co.Solicitors & Advocates

Amarchand Towers, 216 Okhla Industrial Estate, Phase - III New Delhi-110 020 India

Tel: + (91 11) 2692 0500, 5159 0700 Fax: + (91 11) 2692 4900

e-mail: [email protected]

9th February 2006


Status of Data Protection Status of Data Protection Legislation in IndiaLegislation in India

• The existing legal framework for protecting sensitive personal data.

• Overview of the investment in India by other countries for handling personal data.

• Need of Data Protection legislation in India.• Attempts for passing the legislation.• Present status. • Way forward …


Existing Legal FrameworkExisting Legal Framework

• Information Technology Act, 2000

– Section 43: Penalty for download, copy or extract of data without permission of the owner of a computer etc. – not exceeding rupees ten million to the person affected.

– Section 65: Punishment for tempering with Computer Source Code – imprisonment up to 3 years, or fine up to rupees 200,000, or both.

– Structure of legal services in India is still at primary stage where sophisticated multilocational/multijurisdictional services rendered by very few

• Disadvantage of dollar rupee inequality• Phased entry as was done in Singapore, China and the Asean region is required as otherwise cannibalisation of

domestic practices is very likely



• Information Technology Act, 2000

– Section 66: Hacking - imprisonment up to three years, fine up to rupees 200,000, or both.

– Section 72: Penalty for breach of confidentiality and privacy: unauthorised access to any electronic record, book, register, correspondence, information, document and disclosure of the same – imprisonment up to 2 years, or fine up to rupees 100,000, or both.


• Disadvantage of dollar rupee inequality• Phased entry as was done in Singapore, China and the Asean region is required as otherwise cannibalisation of

domestic practices is very likely



• Indian Contract Act, 1872:

– Breach of Contract: Violation of terms of the contract or non-performance of the obligations.

– Remedies:• Damages• Specific Performance


• Disadvantage of dollar rupee inequality• Phased entry as was done in Singapore, China and the Asean region is required as otherwise

cannibalisation of domestic practices is very likely



• Indian Penal Code, 1860:

– Section 406: Criminal Breach of Trust: Imprisonment, which may extend to 3 years, or fine, or with both.

– Section 420: Cheating: Imprisonment, which may extend to 7 years and a fine.



• Consumer Protection Act, 1986:– “Deficiency in Service”: complaint before consumer

forum / commission.

• Specific Relief Act, 1963: – Temporary and permanent injunctions against

unauthorised disclosure of confidential information.


Overview of Investment in IndiaOverview of Investment in India

• India controls 65% of of the global market in software-code outsourcing and 46% in back-office outsourcing.

• Indian software and services export was approximately $ 17.2 billion in 2004-05, as compared to $ 12.8 billion (an increase of 34%)

• Outsourcing revenues are expected to reach $ 60 billion by 2010.

• As per the Nasscom-Mckinsey survey, the export revenue from IT sector would add 7% to India’s GDP by 2010 along with creation of 8.8 million new jobs.


Overview of Investment in IndiaOverview of Investment in India

• IT solutions business in India is expected to grow at 25% to touch $ 35 billion in export revenues.

• The BPO business would witness a CAGR of 37% to account $ 25 billion of the projected $ 60 billion.

• According to Indian IT body – National Association of Software and Service Companies (“NASSCOM”), India could potentially accelerate the overall IT export by almost $ 15-20 billion by 2010 if it focuses on multi-dimensional innovation.


Need for Data Protection Need for Data Protection Legislation in IndiaLegislation in India

• Absence of data protection and privacy law in India often cited as a strong reason for stopping the movement of call center and BPO work in India

• Necessity for creating appropriate confidence among investors and foreign companies about safety and protection of personal data.

• Adequate level of protection for allowing Safe Harbor for transfer of data from EU countries.

• Unenforceability of contractual provisions regarding protection of data.


Various attempts for passing Various attempts for passing Data Protection LegislationData Protection Legislation

• Drafting of separate legislation.

• Amendments to existing Information Technology Act.

• Expert Committee on Cyber Law



• Drafting of separate legislation:

– A separate and exclusive legislation embodying the Data Protection principles like other Countries.

– EU model vs. US model• Stringent legislative protection vs. Self-Regulatory Organizations• Enforcement: statutory rights v. contractual rights• Safe Harbor Principles

– Failure to enact separate legislation



• Amendments to existing Information Technology Act, 2000:– Insertion of definitions of:

• Personal data, Data Controller, Data Processor, Data Subject, Processing etc.

– Introduction of Chapter VIIIA for Data Protection• Provisions for reciprocity and exemptions

– Guidelines on rights of Data Subjects and Minimum Security and Organisational Standards to be adopted by Data Controllers and Data Processors



• Expert Committee on Cyber Laws:– Appointed to suggest the amendments to Information

Technology Act, 2000– Minimal changes suggested to existing law for introducing

the protection for handling sensitive personal data.– Introduction of concept of ‘sensitive personal data’ in

existing Section 43:• Any body corporate, that owns or handles sensitive personal data or

information in a computer resource, if found to be negligent in implementing and maintaining reasonable security practices and procedure – shall be liable to pay damages by way of compensation not exceeding rupees ten million to the person so affected.



• Expert Committee on Cyber Laws:– What is “reasonable security practices and procedures” ?

• In the absence of a contract between the parties or any special law, such security practices and procedures as appropriate to the nature of the information to protect that information from unauthorised access, damage, use, modification, disclosure or impairment, as may be prescribed by the Central Government in consultation with self-regulatory bodies of the industries, if any.

– “Sensitive personal data or information” – which is prescribed as “sensitive” by the Central Government in consultation with self-regulatory bodies of the industry, if any.



• Expert Committee on Cyber Laws:– Section 66: Definition of Hacking replaced by Computer

related offences– Computer related offences are defined as:

• If any person, dishonestly or fraudulently, without permission accesses or secures access to such computer resource Downloads, copies or extracts any data, computer data base or

information from such computer resource including information or data held or stored in any removable storage medium

Denies or causes the denial of access to any person authorised to access any computer resource

shall be punishable with imprisonment up to 1 year or a fine which may extend up to rupees 200,000 or with both.



• Expert Committee on Cyber Laws:– Computer related offences are defined as:

• If any person, dishonestly or fraudulently, without permission Introduces or causes to be introduced computer virus into computer resource; Disrupts or causes disruption or impairment of electronic resources; Charges the services by tampering with or manipulating any computer

resources; Provides assistance to any person to facilitate access to a computer resource

in contravention of the provisions of the IT Act, 2000, rules, regulations made thereunder;

Damages or causes to be damaged any computer resource, date, computer database, or other programmes residing in such computer resource;

shall be punishable with imprisonment up to 2 years or a fine which may extend up to rupees 500,000 or with both.



• Expert Committee on Cyber Laws:– Section 72: Breach of confidentiality and privacy:

• Penalty increased to rupees 500,000• Additional provisions for intermediaries• Intentional capturing and broadcasting images violating the privacy• Bar on jurisdiction of courts to take congnizance except upon

complaint filed by the aggrieved person in writing before a Magistrate

• Punishment: damages by way of compensation of rupees 2.5 million to the person so affected

– Section 79: Exemption from liability of intermediary in certain cases.


Present StatusPresent Status

• No clarity on form of legislation.• Absence of any specific protection causes concern for

trans-border flow of personal data.• Stray incidents of misuse of personal data by persons

handling personal data.• The recommendations of Expert Committee likely to

be placed before Parliament in February 2006 for amending the existing Information Technology Act, 2000.

• No certaninity of enforcement mechanism.


Way forward…Way forward…

• Need for comprehensive legislation on data protection in India.

• At least the proposed amendments should capture all the aspects of data protection principles.


THANK YOU

Privileged & Confidential 1 India: an up-date on Data Protection Legislation by Tejas Karia (BSL, LLM (LSE), Advocate, Solicitor Associate, Amarchand &

Documents

amarchand mangaldas

india tel

likely slide

extract of data

sensitive personal data

handling personal data

primary stage

breach of contract