How safe is your data?

Inadequate privacy laws are putting client information at risk and jeopardizing the future of India’s outsourcing industry Rodney Ryder and Salman Waris explain

Outsourcing IT-enabled services (ITES) to India is an attractive proposition. It allows businesses to slash application development and maintenance costs, deal effectively with the peaks and troughs of software demand and focus on more strategic work. As a result, half to two-thirds of all Fortune 500 companies are already outsourcing to India.

As the industry grows so does the quantity of data processed and stored in the country.

So it is surprising to find that much of this data faces a significant and constant danger: There is virtually no legal protection for data in India.

This absence of a culture of privacy and the lack of regulations to protect information is a huge issue, one that can affect clients and potentially cripple the very significant outsourcing industry.

India’s constitution does not explicitly grant a right to privacy. It wasn’t until after the Supreme Court extrapolated that right from the Right to Life and Personal Liberty (Article 21) that judicial activism brought privacy to the realm of fundamental rights enshrined in the constitution (Articles 14-30).

A number of statutes provide some safeguards to make up for the lack of explicit data protection laws but they fall far short of providing adequate protection.

The IT Act

The Information Technology Act, 2000, includes some data-protection provisions but does not define personal data.

Chapters IX and XI define cyber contraventions related to unauthorized access to computer systems or networks as well as unauthorized tampering, such as alteration, deletion, addition, modification, destruction, duplication or transmission.

Unfortunately, in the six years since the act came into force it has become increasingly evident that it does not contain sufficient privacy and data protection provisions.

Aware of this regulatory shortcoming, the government appointed an Expert Committee on Cyber Laws to propose amendments.

The committee proposed a number of changes including:

• • A new section calling for reasonable security in handling sensitive personal information;

• • A gradation of the severity and the appropriate punishment for dishonest or fraudulent practices;

• • Changes to Section 72(1) and the addition of Section 72 (2) to deal with breaches of confidentiality with intent to cause injury to a subscriber;

• • Revised language for Section 66, dealing with computer-related offences, to bring it more in line with Section 43, which outlines penalties for damage to computer resources. These penalties are graded based on the degree of severity of the offence.

The IT act created three authorities for the arbitration, adjudication and settlement of civil disputes – the Controller of Certifying Authorities, the Adjudicating Officer, and the Presiding Officer of the Cyber Regulations Appellate Tribunal.

Plaintiffs can seek damages up to Rs10 million (about US$244,000) by filing a complaint with the Adjudicating Officer, a quasi-judicial authority with limited powers.

Although restricted by the provisions of the act, the government in 2003 gave the Adjudicating Officer powers similar to those of a civil court.

In turn, the Cyber Regulations Appellate Tribunal (CRAT) can examine the decisions of either the Controller or the Adjudicating Officer, implicitly barring the courts from hearing appeals related to the IT act. However, the act does provide one forum for appeal in the High Court, which can examine the decisions of the Cyber Regulations Appellate Tribunal.

The IT act is based on the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law (UNCITRAL) and is often said to contain provisions for data protection.

But throughout this piece of legislation, the concept of personal data is not even defined, and the proposed amendments are not likely to be enough to protect this information.

The fundamental problem is that the IT act deals more with e-commerce and cyber crime than with protecting data.

Other protection

Aware of the inadequacy of the IT act, outsourcers have sought protection elsewhere. Many have drawn up binding contracts based on the Indian Contract Act, 1872, specifically Article 366(10).

Indian companies acting as data importers may enter into contracts with data exporters to adhere to a high standard of protection.

These contracts are binding and may meet foreign legislative requirements.

Many Indian companies active in IT or business process outsourcing (BPO) already have very stringent policies to safeguard client data, and employees are contractually bound to protect confidential information.

To prevent breaches, the Specific Relief Act allows for temporary and perpetual injunctions as well as damage awards when those contractual obligations are breached.

Another piece of legislation, the Credit Information Companies (Regulation) Act, 2005 contains some provisions related to data protection but the provisions are limited in scope.

The act only covers credit information companies, credit institutions and specified users while processing credit information.

Moreover, there is no specific authority to ensure implementation.

Still, some of the regulations it contains do provide a degree of protection for credit information.

Judicial interpretation

Although the Supreme Court has construed a general right to privacy, this right is not absolute. It can be curtailed when there is a countervailing interest. Furthermore, in the absence of a general data protection act, there is no specific data protection authority.

The best solution may be a set of still-to-be-adopted regulations proposed by the Reserve Bank of India.

These would empower the bank to impose penalties or reprimand any credit company, institution or user that falls foul of the regulations.

If these regulations are adopted, the Reserve Bank could eventually be seen as a sort data protection authority for credit information.

Self-imposed solutions

If a serious and well-publicized breach of confidentiality was to occur, clients would lose confidence and the effects on India’s burgeoning outsourcing industry could be catastrophic. Well aware of these risks, it is no surprise that the industry is turning to self-regulation as a solution.

The National Association of Software and Service Companies (NASSCOM) is an adviser, consultant and coordinating body for the software and services industry in India. In 2000, NASSCOM urged the government to pass a data protection law to protect information transmitted over computer networks and to meet European data protection standards.

This initiative led to the adoption of an “IT Action Plan” and, subsequently, to the implementation of the IT act.

Since then NASSCOM has been proactive in ensuring that the Indian information security environment becomes one of the most stringent in the world.

As a part of its Trusted Sourcing initiative, it is in the process of setting up the Data Security Council of India (DSCI) to establish, popularize, monitor and enforce privacy and data protection standards for India’s ITES and BPO industry.

The DSCI will be based on five guidelines: Self-regulation, best global practices, independent oversight, a focused mission and an enforcement mechanism.

The initiative would encourage Indian IT/ITES organizations to meet a high standard of security and data protection, build capacity to provide security certification, create a common platform to disseminate knowledge about information security and foster a community of security professionals while creating awareness among industry leaders and other stakeholders.

New government initiatives

Considering India’s woefully inadequate data protection regime, it is no surprise that the government is also considering new initiatives to create a safer environment for data.

If enacted, the Personal Data Protection Bill, 2006, would be the government’s first foray into the realm of data protection. It defines personal data as information relating to a living individual who can be identified from that information and provides for the protection of personal data and information collected for a particular purpose. It would also restrict the use of data to the organization that collected it and allow for damages if the information is disclosed without consent.

The bill says data can only be used for the purpose it was collected for, unless the individual that provided it consents.

A few exemptions relate to the prevention of crime, prosecuting offenders and assessing taxes.

The bill imposes sanctions if personal data is disclosed for direct marketing or commercial gain but allows for personal data to be disclosed to charity and voluntary organizations as long as there is prior consent.

It also calls for the appointment of data controllers and outlines requirements for organizations to report what data they collect and its purpose; take adequate measures to maintain confidentiality and security; and collect only essential information.

Contraventions would be punishable by fines and jail terms of up to three years as well as compensation for damages.

The bill also puts a considerable onus on company employees and officials by stating that every person responsible for the conduct of business shall be guilty of a contravention and potentially liable.

All offences would be tried summarily under the provisions of the criminal code.

A long way to go

Until the Personal Data Protection Bill is enacted, the industry will continue to satisfy privacy requirements with contractual agreements. Although generally effective to date, this approach is a piecemeal effort at best and a more appropriate and long-term solution is urgently required.

A number of recent data theft cases have underlined the need to build a “culture of privacy and data protection”.

More effective legislation could reduce risks associated with confidential and personal data, while shoring up the reputation of a critical industry in one of the world’s fastest-growing economies.

There is already movement on this front. Banks and IT majors have introduced training modules on privacy law, data processing and handling procedures. Similar moves industry wide would go a long way towards creating proper data handling and data use values while ensuring the secrecy of personal information.

Much needs to be done. Data users must be educated regarding the proper use of personal data and best-practice handling and storage procedures should be adopted on an industry-wide level. Moreover, a specific data protection act is urgently needed to ensure that society at large will reap the benefits India’s IT revolution.

Rodney D Ryder is a partner with FoxMandal Little where he heads the Technology Law Practice. He is an adviser to the Ministry of Communications and Information Technology, the Technology Law Committee of the Indian Parliament and the Data Security Council of India.

Salman Waris is an associate with the Technology Law Practice at FoxMandal Little and member of International Medial Lawyers Association Programme for Comparative Media Law and Policy, Centre for Socio-Legal Studies, University of Oxford. He has written extensively and also conducted training on technology, data protection, privacy and intellectual property issues.