PRIVACY AND DATA PROTECTION


DATA THEFT

       Data theft is the theft of software through the illegal copying and selling of copyrighted data or software code on the open market without the permission of the owning company.

       Some examples of data theft:

       1. When you use a single-user license for multiple users.

       2. When you make a duplicate CD or DVD of your software CD and sell it.

       3. When an employee takes software code made by his company, reproduces it under a different name and sells it on the market.

       India did not have a separate data protection law, and when the Information Technology Act, 2000 first came into force on October 17, 2000 it lacked provisions for the protection of sensitive personal information of an individual and for the procedure to be followed to ensure its safety and security.

       This led to the introduction of the Information Technology Bill, 2006 in the Indian Parliament which later led to the Information Technology (Amendment) Act, 2008 whose provisions came into force on October 27, 2009. The Information Technology (Amendment) Act, 2008 inserted Section 43A in the IT Act and the Central Government, in exercise of the powers conferred by clause (ob) of sub-section (2) of Section 87 read with Section 43A of the IT Act, 2000 notified the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (hereinafter referred to as the "2011 Rules").

Important Provisions of IT Act related to Data Protection

       Section 43A of the IT Act explicitly provides that whenever a body corporate possesses or deals with any sensitive personal data or information, and is negligent in maintaining reasonable security to protect such data or information, thereby causing wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages to the person(s) so affected.

       Further, Section 72A provides the punishment for disclosure of information in breach of a lawful contract: any person who discloses information in breach of a lawful contract may be punished with imprisonment for a term not exceeding three years, or with a fine not exceeding five lakh rupees, or with both.

Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

       The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 only apply to bodies corporate and persons located in India. This was clarified vide a press note dated August 24, 2011 issued by the Ministry of Communication and Information Technology, wherein it was stated that the 2011 Rules were applicable to a body corporate or any person located within India.

       Rule 3 of the 2011 Rules provides a list of items that are to be treated as "sensitive personal data", and includes inter alia information relating to passwords, credit/debit card information, biometric information (such as DNA, fingerprints, voice patterns, etc. that are used for authentication purposes), physical, physiological and mental health condition, etc. It is further clarified that any information that is freely available or accessible in the public domain is not considered to be sensitive personal data.

       Rule 4 imposes a duty on bodies corporate seeking sensitive personal data to draft a privacy policy and make it easily accessible to the people who are providing the information. The privacy policy should be clearly published on the website of the body corporate and should contain details of the type of information that is being collected, the purpose for which it is collected and the reasonable security practices that have been undertaken to maintain the confidentiality of such information.

Rule 5

       Rule 5 provides the guidelines that need to be followed by a body corporate while collecting information and imposes the following duties on the body corporate:

       1. Obtain consent from the person(s) providing information, in writing or by fax or by e-mail, before collecting such sensitive personal data. Vide the press note dated August 24, 2011 issued by the Ministry of Communication and Information Technology, it was clarified that consent includes consent given by any mode of electronic communication;

       2. Information shall not be collected unless it is for a lawful purpose and is considered necessary for that purpose. The information collected shall be used only for the purpose for which it is collected and shall not be retained for a period longer than is required;

       3. Ensure that the person(s) providing information are aware of the fact that the information is being collected, its purposes and recipients, and the names and addresses of the agencies collecting and retaining the information;

       4. Retain the information for no longer than is required for the purposes for which the information may lawfully be used or is otherwise required under any other law for the time being in force;

       5. Offer the person(s) providing information an opportunity to review the information provided and make corrections, if required;

       6. Before collection of the information, provide the person(s) providing information with an option not to provide the information sought;

       7. Maintain the security of the information provided; and

       8. Designate a Grievance Officer, whose name and contact details should be on the website, who shall be responsible for addressing grievances of information providers expeditiously. A maximum period of one month has been provided for resolution of such grievances.

       Rule 6 provides that a body corporate must seek the prior permission of the information provider before disclosing such information to a third party. However, no prior permission is required if a request for such information is made by a government agency mandated under law, or by any other third party by an order under law.

       Rule 8 provides the reasonable security practices and procedures that may be implemented by bodies corporate. The international standard IS/ISO/IEC 27001 is one such standard which can be implemented by a body corporate to maintain data security. It is pertinent to note that an audit of reasonable security practices and procedures shall be carried out by an auditor at least once a year, or as and when the body corporate or a person on its behalf undertakes a significant upgrade of its processes and computer resources.

Other Clarifications Issued by the Ministry of Communications and Information Technology

       It was clarified that any body corporate providing services relating to the collection, storage, dealing or handling of sensitive personal data or information under a contractual obligation with any legal entity located within or outside India was not subject to the requirements of Rules 5 and 6. However, bodies corporate providing services to the provider of information under a contractual obligation directly with them are subject to Rules 5 and 6.

Data Protection Bill 2018

       Data is the new gold. The Government of India introduced the Personal Data Protection Bill, 2018 (Bill) in Parliament for scrutiny by the relevant Parliamentary Committee. This Bill spells out a framework for data protection and lays down limits on how personal data is to be collected, used and processed. A Data Protection Regulator is to be set up. With an increasingly digital economy, the Bill aims to create accountability and prevent data misuse in light of the Right to Privacy, which is recognized as a fundamental right in India.

Some of the key features of the Bill include:

       It regulates the processing of personal data of individuals (data principals) by both Government and private entities (data fiduciaries) in India and abroad.

       The individual (data principal) must provide explicit consent to the processing of personal data.

       Private entities (data fiduciaries) must notify individuals (data principals) of the nature and purpose of data processing.

       It allows certain information to be exempted from regulation for 'reasonable purposes' such as national security, unlawful activity, whistleblowing, health services, journalistic purposes, legal proceedings, etc. The Government retains the power to review and change the list of exemptions from time to time. The Government may also exempt any governmental agency from compliance.

       It mandates that personal data must be stored within the territory of India. Categories of personal data that are notified as critical personal data by the Government can be processed only within the territory of India. Passwords, financial data, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious belief and political belief are considered sensitive personal data.

       It provides for the establishment of a national-level Data Protection Authority (DPA) to supervise and regulate data fiduciaries (private entities).

       It also provides for compensation and stiff penalties for data breaches.

Current Position

       On December 16, 2021 the Joint Parliamentary Committee presented its report on the proposed data protection law in Parliament, along with a revised version of the bill, the Data Protection Bill, 2021. The draft bill was yet to be tabled as a draft law for consideration and passing by Parliament. After the draft bill was made public, there were also calls from industry for a fresh consultation, since many of the provisions deviate from the previous version published two years earlier. The draft bill, which had flavours of the GDPR, brings in a number of significant changes as compared to the earlier iterations of the proposed law, such as expanding the scope of the law to cover not only personal data but non-personal data as well. Also introduced were stringent data breach reporting requirements (within seventy-two hours), regulation of hardware manufacturers and a certification mechanism for all digital and IoT devices to mitigate data breaches. The draft bill also provides for a phased implementation wherein the central government may notify different dates for the enactment of different provisions.

       http://nishithdesai.com/SectionCategory/33/Research-and-Articles/12/60/ResearchatNDA/4988/1.html

August 2022

       The Indian government withdrew the Personal Data Protection (PDP) Bill, 2019 from Parliament on August 4, 2022. The bill had been pending in Parliament since 2019 and a Joint Parliamentary Committee (JPC) had submitted a detailed report on it. The sudden move to withdraw the bill has been met with cautious optimism in some quarters and disappointment in others. The withdrawal indicates a desire within the government for a serious rethink of the shape and scope of data regulation.

       Typically, once a bill is in Parliament, the government is free to make changes before the bill is taken up for final discussion and voting. Governments usually do so if, for example, they wish to incorporate suggestions from parliamentary committees. This would have been the most likely process if it were just a question of incorporating the JPC's recommendations. In this case, however, the government has withdrawn the bill completely. IT Minister Ashwini Vaishnaw has stated that the PDP bill will be replaced by a new one that is part of a "comprehensive legal framework."

https://carnegieindia.org/2022/08/22/withdrawal-of-proposed-data-protection-law-is-pragmatic-move-pub-87710#:~:text=The%20withdrawal%20of%20the%20Personal,policy%20in%20a%20holistic%20manner.&text=The%20Indian%20government%20withdrew%20the,Parliament%20on%20August%204%2C%202022.
