Data Protected, Offences, Confidentiality, Penalties and Dispute Resolution under the Indian Information Technology Act, 2000

India presently does not have any express legislation governing data protection or privacy. However, the Information Technology Act, 2000 (“IT Act”) and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“IT Rules, 2011”) framed thereunder deal with the protection of data, including sensitive personal data or information. The main laws in India that directly or indirectly deal with data protection are:

• The (Indian) Information Technology Act, 2000;

• The Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules, 2011.

In India, privacy rights are recognised by the Constitution of India. Article 21 of the Constitution of India provides that no person shall be deprived of life or personal liberty except according to the procedure established by law. The Supreme Court of India has held in several cases that the right to privacy is implicit in the right to life and personal liberty guaranteed to citizens of India.

Sections 43A and 72A of the IT Act deal with the processing and protection of personal data in India. The two provisions deal respectively with the payment of compensation (civil) and punishment (criminal) for wrongful disclosure and misuse of personal data and for violation of contractual terms relating to personal data. However, neither section applies to data stored in a non-electronic medium.

Section 43A of the IT Act is applicable only to ‘sensitive personal data or information’. It provides a remedy by way of compensation to the “person affected” when “wrongful loss” is caused to him or “wrongful gain” is caused to another person at the expense of the affected person. No upper limit is specified for the compensation that can be claimed by the affected party in such circumstances. The affected person can claim compensation from the body corporate (“body corporate” means a company, a firm, a sole proprietorship or other association of individuals engaged in commercial or professional activities) which has been negligent in protecting the data relating to the “provider of information”. The section also imposes on any body corporate possessing, dealing with or handling sensitive personal data or information the responsibility of “implementing and maintaining reasonable security practices and procedures”.

Section 43A of the IT Act states that where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected. The Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules, 2011 are notified under Section 43A of the IT Act.

Section 72A of the IT Act provides for punishment for disclosure of information, knowingly and intentionally, in breach of a lawful contract. It provides that any person, including an intermediary, who, while providing services under the terms of a lawful contract, has secured access to any material containing personal information about another person, and who, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain, discloses such material to any other person without the consent of the person concerned or in breach of a lawful contract, shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to INR 5,00,000 (approximately USD 8,335), or with both.

Types of data protected in India

• “Personal information” means any information that relates to a natural person which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.

• “Sensitive personal data or information” is defined as such personal information which consists of information relating to the following:

1. Password;

2. Financial information such as bank account or credit card or debit card or other payment instrument details;

3. Physical, physiological and mental health condition;

4. Sexual orientation;

5. Medical records and history;

6. Biometric information;

7. Any detail relating to the above clauses as provided to a body corporate for providing a service; and

8. Any of the information received under the above clauses by a body corporate for processing, stored or processed under a lawful contract or otherwise.


However, the following information shall not be regarded as sensitive personal data or information under the IT Rules, 2011:

1.     Any information that is freely available or accessible in public domain; or

2.     Any information that is furnished under the Right to Information Act, 2005; or

3.     Any information that is furnished under any other law for the time being in force.


Presently, data relating to companies is not considered to be personal data under the provisions of the IT Act.

Offences

Section 43A of the IT Act states that where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource (“computer resource” means a computer, computer system, computer network, data, computer database or software) which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.

Section 43A uses the words ‘possessing’, ‘dealing’ and ‘handling’ in relation to sensitive personal data or information, so each of these acts is covered. Even mere possession of such information, if followed by its misuse as a result of negligent security practices, can render the body corporate possessing it liable to damages. However, Section 43A applies only to sensitive personal data or information in a computer resource and does not apply to data stored in a non-electronic medium.

Section 72A of the IT Act provides for punishment for disclosure of personal information, knowingly and intentionally, in breach of a lawful contract.

The IT Rules, 2011 provide that a body corporate, or any person who on behalf of a body corporate collects, receives, possesses, stores, deals in or handles information of a “provider of information”, shall have a privacy policy for handling of or dealing in sensitive personal data or information.

Exceptions

Section 43A of the IT Act applies only to sensitive personal data or information in a computer resource; it does not extend to other personal data, or to data stored in a non-electronic medium.

Further, the following information is also exempted, as it does not fall within sensitive personal data or information:

1.     Any information that is freely available or accessible in public domain; or

2.     Any information that is furnished under the Right to Information Act, 2005; or

3.     Any information that is furnished under any other law for the time being in force.

Further, since ‘body corporate’ is defined as any company, firm, sole proprietorship or other association of individuals engaged in commercial or professional activities, government institutions not engaged in ‘commercial or professional activities’ are not covered by Section 43A of the IT Act or the IT Rules, 2011.


The IT Act applies to the whole of India and also has extra-territorial effect: it applies to offences or contraventions committed outside India by any person, if the act or conduct constituting the offence or contravention involves a computer, computer system or computer network located in India.

Dispute resolution

Under the IT Act, the power to adjudicate disputes is vested in the Adjudicating Officer or a competent court, depending on the claim amount, and the power to investigate criminal offences lies with a police officer not below the rank of Inspector. The Central Government, vide its notification no. G.S.R.240 (E) dated 25.3.2003, appointed the Secretary of the Department of Information Technology of each State or Union Territory as Adjudicating Officer for the IT Act. Appeals from an order made by the Controller or by an Adjudicating Officer lie to the Cyber Appellate Tribunal.

Under the IT Act, the power to adjudicate a claim for injury or damages of up to Rs. 5,00,00,000 (five crore rupees; approximately USD 833,500) is vested in the Adjudicating Officer. Several such Adjudicating Officers have been appointed under the Act, and the jurisdiction of each depends on the State or Union Territory for which that officer has been appointed.

For any claim exceeding Rs. 5,00,00,000 (approximately USD 833,500), a competent court has jurisdiction to try and decide the claim.

For any criminal offence under the Act, the power to investigate lies with a police officer not below the rank of Inspector. In India, there are several police establishments, set up by each State and by the Government of India. Organisations such as the Central Bureau of Investigation (CBI) investigate cases that are delegated to them by the Government of India or by a court of law.

The IT Rules, 2011 provide that a body corporate or its representative can collect sensitive personal data or information only where both of the following conditions are met:

1.     The information is collected for a lawful purpose connected with a function or activity of the body corporate or its representative; and

2.     The collection of the sensitive personal data or information is considered necessary for that purpose.

The IT Rules, 2011 allow a body corporate or its representative to transfer sensitive personal data or information to another body corporate or its representative, whether in India or in any other country, provided the recipient ensures the same level of data protection that the transferring body corporate adheres to under the IT Rules, 2011. Such a transfer is permitted only where it is necessary for the performance of the lawful contract between the body corporate (or its representative) and the provider of information, or where the provider of information has consented to the transfer.

Confidentiality

The IT Rules, 2011 prohibit a body corporate from disclosing to any third party sensitive personal data or information received from the “provider of information” without the prior permission of the “provider of information”.

However, a body corporate or its representative is exempt from obtaining such prior permission in the following scenarios:

1.     Where such disclosure has been agreed to in the contract between the body corporate and “provider of information”; or

2.     Where such disclosure is necessary for compliance with a legal obligation; or

3.     Where such disclosure is required by a government agency mandated under law to obtain information, including sensitive personal data or information, for verification of identity, or for the prevention, detection, investigation (including of cyber incidents), prosecution and punishment of offences. The government agency must send such a request in writing to the body corporate, clearly stating the purpose for which the information is sought, and must not publish or share the information with any other person.

The IT Rules, 2011 provide that a body corporate or its representative shall not publish such sensitive personal data or information.

The IT Rules, 2011 also provide that a third party receiving such information is prohibited from disclosing it further.