Data Protection and Corporate Liability

February 7, 2011


India – The Emerging IT super power

In recent years, India has emerged as one of the preferred destinations for offshore business in outsourcing, financial, educational, legal, banking, healthcare, marketing and telecommunication services.

The factors that have turned India into one of the hotspots for offshore outsourcing are the educated and unemployed masses, the enterprising nature of Indians, who have excellent spoken English skills, and relatively cheap labour.

Business Process Outsourcing, popularly called BPO, is an industry that is multiplying by the day in India.

The Black side

In April 2005, five employees of MsourcE in Pune were arrested for allegedly pulling off a fraud worth nearly Rs 2.5 crore from Citibank accounts of four New York-based account holders.

In June 2005, the British tabloid Sun conducted a sting operation by purchasing the bank account details of 1,000 Britons for about 5.50 dollars each from Karan Bahree, an employee of the Gurgaon-based BPO company Infinity E-Search.

Similarly, in June 2006, Nadeem Kashmiri, an employee at HSBC's call center in Bangalore, sold customers' credit card information to a group of scamsters who used the information to siphon off nearly Rs 1.8 crore from bank accounts of UK-based customers. Within another 3 months, the Channel 4 data theft scandal hit the headlines, and coincidentally, it was also UK-based.

All these incidents sparked off a debate among offshore industry circles, the media and the legal world as to how safe foreign data is in Indian hands. The discussions also veered towards the need for some kind of protection for personal data in India, which is currently absent.

Cyber security has always been and continues to be a critical area for organizations and will continue to increase in importance as attacks become stealthier, have a greater financial impact on an organization, and cause reputational damage.

The Law

It is significant to note that, by the recent amendments to the Information Technology Act, 2000, the Indian Government has provided a new legal direction to data protection and privacy.

The amendment inserts two new Sections that focus on corporate liability in case of breach of privacy. These are:

Sec. 43A Compensation for failure to protect data

Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.

Explanation. — For the purposes of this section,—

(i) “Body corporate” refers to any company and includes a firm, sole proprietorship or any other association of individuals engaged in commercial or professional activities;

(ii) “reasonable security practices and procedures” means security practices and procedures designed to protect such information from unauthorized access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit;

(iii) “sensitive personal data or information” means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.

Here, the amount of damages to be paid by way of compensation is unlimited.

Power of adjudication of offences committed under Sec. 43A is with the “Adjudicating Officer” if the amount of compensation claimed is up to Rupees Five Crore; if it is above Rupees Five Crore then it is with the “Civil Court”.

This Section imposes liability on corporate entities to ensure adoption of reasonable security practices for the protection of sensitive personal information of customers.

Hence banks, call centers, BPOs, etc. are under the legal scanner to ensure adoption of reasonable security practices to maintain secrecy of data; otherwise they will be legally liable to pay damages.

Illustration:-

Some employees of a famous multinational bank leaked out sensitive personal information of its customers without their consent.

In such a case, the bank can be held liable under this Section for failure to adopt reasonable security practices for the protection of the sensitive personal information.

Sec. 72A Punishment for disclosure of information in breach of lawful contract

Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person, shall be punished with imprisonment for a term which may extend to three years, or with fine which may extend to five lakh rupees, or with both.

This Section specifically imposes liability on an intermediary, or any person or corporate body, that discloses personal information of users while providing services under a lawful contract. Hence banks, BPOs, call centers, ISPs, mobile network service providers, etc. are now under the legal scanner to maintain the privacy of customers' private data.

Illustration:-

“Lex Experts”, an LPO (Legal Process Outsourcing company), is working on the introduction of an IPO (Initial Public Offer) of a company. While working on it, they had access to confidential financial information about the company, including balance sheets of previous financial years, the list of creditors, the shareholding pattern of the company, etc., which is supposed to be kept private.

Some employees of that LPO leaked this confidential information to a rival company in return for a huge amount of money.

In this case, they can be held liable under Section 72A for disclosure of information in breach of lawful contract.

Power of adjudication of offences committed under Section 72A is with the Judicial Magistrate First Class or the Metropolitan Magistrate (in metro cities).

Conclusion

The recent amendments in the Information Technology Act, 2000 have introduced the concept of data privacy in India for the first time. Prior to this there were no express provisions for data privacy.

As per the amendments, corporate bodies are now under an obligation to ensure the adoption of reasonable security practices for prevention of misuse of data. However, the law is still not clear about what “reasonable security practices” are.

Additionally, the Information Technology Act, 2000 is not a data or privacy protection legislation per se. It does not lay down any specific data protection or privacy principles. It is a generic legislation, which focuses on many issues.


Sagar is a Law graduate. He is Head at Asian School of Cyber Laws (Maharashtra). He specializes in Cyber Law, Intellectual Property Law and Corporate Law. He teaches at numerous educational institutions across India.
