The collection, compilation and subsequent use of data sets may prove to be a tedious and meticulous task spanning a significant period of time. The data may have been collected to serve many different purposes, most commonly originating as a repository of client- or user-related information.
The nature of such data, which often include many personal details of individuals, calls for sensitive handling and the protection of the information contained in it against threats of theft or misappropriation.
Meanwhile, with the growth of the internet, crimes involving the illegal retrieval and unauthorized use of information have become more frequent. A need has arisen to create rights for those who have their data stored, and to create responsibilities for those who collect, store and process such data.
Copyright law in India recognizes a database to be a “literary work” as defined in Section 2(a) of the Copyright Act 1957. However, more recent legislation, the Information Technology Act, 2000, says under Section 2(1)(v) that:
‘information’ includes data, text, images, sound, voice, codes, computer programs, software and databases or microfilm or computer generated microfiche.
‘Data’, however, is more specifically defined under Section 2(1)(o) of the Act:
‘Data’ means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalized manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts, magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer.
Cases that have decided on data protection have looked at the issues including copyright violation, violation of privacy under IT Act 2000, and criminal breach of trust and dishonest misappropriation under the Indian Penal Code, 1860.
The Naukri-Bixee case
The Naukri-Bixee case, decided by the High Court of Delhi, involved the theft of data held by naukri.com, an online job-search portal. The case was the first of its kind and, while dealing with the allegation of data theft, also looked into the aspect of ‘deep linking’. The lawsuit, instituted in November 2005, asked for Rs5 million in damages to cover the loss in potential revenue and the heavy strain on network resources caused by the allegedly illegal behaviour. The Delhi High Court granted an injunction restraining Bixee from copying, downloading and reproducing the content of Naukri.
The Justdial case
A more recent development in this area of law is the issue that arose between Justdial, a popular multipurpose local search engine, and the website askme.in. Alleging the theft of its extensive and popular database, Justdial alleged that the commission of theft was evident from the repetition of mistakes on askme.in’s database which were also to be found in Justdial’s data sets. The plaintiff asserted that the creation of the database had involved the expenditure of considerable economic and human resources, and that close to 14 years had been spent in building it to its existing volume.
The court in this case recognized the seriousness of the matter, deciding that irreparable loss would accrue to Justdial if askme.in continued to replicate and misuse the database. Accordingly, it pronounced an ex parte injunction order in favour of Justdial, restraining askme.in from infringing the said copyright.
Further, the defendant was also restrained from running the website until the next date of hearing. In addition to these measures, the court also ordered the appointment of local commissioners so that search and seizure operations for all the hardware and storage devices containing any part of the proprietary database belonging to Justdial could be carried out.
While the courts are yet to decide conclusively on the matter, we can observe how they have applied the law in this case. This is especially relevant in view of the fact that the Information Technology Act, 2000 has undergone significant amendments to accommodate safety of data. The amendments, ratified in February 2009, notably inserted section 72A into the scheme of the Act. Prior to the insertion of the new provision, section 72 dealt with the breach of confidentiality and privacy. It propounds that any person charged under the section shall be punished by imprisonment for a term which may extend to two years, or by a fine which may extend to Rs 100,000, or by both. The inserted section, however, appears to address data protection concerns more stringently, providing “punishment for disclosure of information in breach of a lawful contract”:
Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person shall be punished with imprisonment for a term which may extend to two years, or with a fine which may extend to five lakh [500,000] rupees, or with both.
The legislative developments incorporated in the scheme of the Act seem to have been introduced with the intent to ensure the security of data and to enforce its rightful protection. Data theft being recognized as a serious offence, especially in view of increasing internet-related commerce, it is necessary that stringent measures be employed to ensure the safety of data and information against misuse and misappropriation.
Manisha Singh Nair is a partner at Lex Orbis, an intellectual property practice law firm headquartered in New Delhi.