
Allens Arthur Robinson

Focus: Outsourcing – June 2008

Deficiencies in data protection under the spotlight in India

In brief: A long-awaited Information Technology (Amendment) Bill is currently up for consideration by India's upper house. The Bill seeks to address, among other issues, deficiencies under Indian law relating to data protection in the wake of publicised incidents of data breaches involving Indian offshore service providers. Senior Associate Ken Shiu and Partner Michael Pattison report that such measures have been called for within India's IT industry for several years.

How does it affect you?

  • Australian corporations that are considering IT outsourcing (ITO) and business process outsourcing (BPO) to Indian offshore service providers will need to be aware of the draft Bill's personal data protection liability regime.
  • Although the Bill improves the protection afforded to personal data, corporations with offshoring arrangements with Indian ITO or BPO service providers will still need to ensure appropriate contractual structures are in place to protect and enforce confidentiality obligations with respect to the handling and use of data.

Background

In 2005, an expert review panel committee (the Expert Committee) comprising Indian legal, IT industry and government experts was formed; it subsequently released proposed amendments to India's Information Technology Act 2000 (the Act).

The amendments addressed the key concern of data security and followed industry calls for review of the Act in the wake of several highly publicised customer data handling breaches by Indian service providers. The Expert Committee also reviewed the local regulation of cyber crime (for example, phishing); technology neutrality for digital signatures; the liability of network service providers for material transmitted using their networks; and the regulation of cybercafes.

The Expert Committee's final report and the resulting Information Technology (Amendment) Bill 2006 (the draft Bill) were introduced to the Lok Sabha, the lower house of the Indian Parliament, on 15 December 2006. The Lok Sabha referred them to a Standing Committee (the Standing Committee) for further review. After prolonged consultation with industry and Indian government agencies, the Standing Committee finalised its review of the draft Bill on 29 August 2007 and presented its report on 7 September 2007.

The draft Bill, together with the Standing Committee's report, is now tabled in the current session before the Rajya Sabha, the upper house of the Indian Parliament, for consideration and passage.

Proposed reforms

The following table outlines some of the key amendments to the Act relating to data offences under the draft Bill, together with the Standing Committee's recommendations. The amendments deal with many issues that are already comprehensively dealt with in Australia under various pieces of legislation, including the federal Copyright Act 1968 (Cth) and the Privacy Act 1988 (Cth).

Issue: Personal Data Protection (handling and negligent/unauthorised disclosure of personal information)
Current position under the Act: Not addressed.
Draft Bill proposal: Any body corporate that handles 'sensitive personal data' on computer systems it owns or operates, and is found negligent in implementing or maintaining 'reasonable security practices and procedures' so as to cause wrongful loss or wrongful gain to any person, is liable to pay compensation of up to 5 crore rupees (approx. A$1.2m) to the person affected. In the draft Bill, the definition of 'sensitive personal data' is made referable to determinations of the Central Government in consultation with professional bodies, and 'reasonable security practices and procedures' are referable to contractual agreement or as may be specified by law (or, in the absence of such law, to security practices and procedures prescribed by the Central Government in consultation with professional bodies).
Standing Committee: The original maximum compensation of 25 crore rupees (approx. A$6m) should be reinstated. The Act should specifically deal with data retention. The current complicated process for seeking adjudication should be simplified to ensure that damages remedies can be effectively implemented.

Issue: Personal Data Privacy (collection and use of personal information)
Current position under the Act: Not addressed.
Draft Bill proposal: Not addressed.
Standing Committee: The Act should include provisions defining and protecting personal privacy.

Issue: Liability of Network Service Providers / Intermediaries
Current position under the Act: A network service provider or intermediary is not liable for any third party information or data made available by it, provided that it can prove that any related offence was committed without its knowledge or that it had undertaken all due diligence to prevent that offence.
Draft Bill proposal: The definition of intermediary now expressly includes telcos, ISPs, search engines and cybercafes, but excludes a body corporate that handles sensitive personal data. Intermediaries are not liable for any unlawful third party information or link made available by them where they simply provide access to their communication system for transmission of the information and do not initiate the transmission, select its receiver or modify the information. Intermediaries are liable where they fail to expeditiously remove or disable access to the information once they have actual knowledge, or are notified by the authorities, that the information or link is being used to commit an unlawful act.
Standing Committee: The definition and role of intermediaries are not clear, especially in relation to the exclusion of bodies corporate handling sensitive personal data.

Issue: Hacking
Current position under the Act: General hacking offence punishable with up to 3 years' imprisonment and/or a fine of 2 lakh rupees (approx. A$5,000).
Draft Bill proposal: Moves the previous hacking offence (Section 66) to the more general computer-related offences provision (Section 43), which specifically identifies various computer offences. The emphasis shifts towards civil penalties: the maximum imprisonment term for the hacking offence is reduced from 3 years to 2 years, while the maximum civil penalty is increased to 5 lakh rupees (approx. A$12,000).
Standing Committee: The specific use of the word 'hacking' should be restored to the drafting of the new Section 43(i) [the old Section 66(1) offence]. Given their serious nature, the fines for other Section 43 general offences should be greater than the current 1 crore rupees (approx. A$250,000).

Issue: Spam
Current position under the Act: Not addressed; however, there is a general offence for sending grossly offensive, menacing or false messages by computer or any communications device.
Draft Bill proposal: Not addressed.
Standing Committee: The Act should specifically deal with spam.

Local industry players have concurrently attempted to implement their own compliance measures to alleviate concerns over data handling by employees. The Indian IT industry body, NASSCOM, operates a national registry of ITO and BPO workers that it believes will assist Indian IT employers to screen candidates for employment. In addition, many Indian IT service providers adopt workplace policies ranging from prohibiting workers from downloading or printing information to barring them from bringing camera-enabled mobile phones into their work areas.

Conclusion

The draft Bill's proposed reforms will be relevant to the increasing number of Australian companies exploring ITO and BPO offshoring to India. Although the Bill increases the protection afforded to personal information, Australian companies will still need to supplement that protection with contractual obligations requiring compliance with the Australian equivalent data privacy obligations and with industry security standards.

We will continue to monitor the passage of the draft Bill through Indian Parliament.
