Data Privacy in India and data theft
1. Data Privacy
IIA – Bombay Chapter
August 23, 2012
Amber Gupta
Head - Compliance, Legal & Secretarial
Aditya Birla Money
2. Disclaimer:
“Views expressed here are the views of the
individual and do not necessarily reflect the views
or policies of the Organization.”
3. Overview
No specific legislation governing data protection or privacy
The Information Technology Act, 2000 is the main enactment
The Information Technology (Amendment) Act, 2008
[Sec 43A and 72A]
Protection of Sensitive personal data or information
Maintenance of reasonable security practices and
procedures
Civil and Criminal liabilities
4. International Privacy laws – some examples
Federal Data Protection Act, Germany
Data Protection Act, UK
Personal Information Protection Act, Japan
Privacy Act, Australia
National Privacy Principle for Private Organizations
Information Privacy Principles for Government Agencies
5. IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
The Government notified the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“SPDI Rules”) on April 11, 2011.
A clarification dated August 24, 2011 stated that these Rules apply only to bodies corporate or persons located within India, i.e. they apply to Indian companies only to the extent they obtain personal data directly and not as part of an outsourced service provision arrangement.
6. SPDI Rules
Applicability:
Any body corporate, or any person who on behalf of a body corporate collects, receives, possesses, stores, deals in or handles sensitive personal data or information, should adhere to these Rules.
Personal information is defined to mean “any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.”
7. SPDI Rules
Sensitive Personal Data or Information (SPDI) is defined as any information, not freely available, relating to a person’s:
• password,
• financial information,
• physical, physiological and mental health condition,
• sexual orientation,
• medical records and history,
• biometric information, or
• any detail relating to the above clauses as provided to a body corporate for providing service or for processing,
• any information received under the above clauses by a body corporate for processing, storage or processed under lawful contract or otherwise.
8. SPDI Rules
POLICY FOR PRIVACY AND DISCLOSURE OF INFORMATION: Provide a privacy policy for handling of or dealing in personal information, including sensitive personal data or information.
The policy shall provide for:
• clear and easily accessible statements of its practices and policies;
• type of personal or sensitive personal data or information collected;
• purpose of collection and usage of such information;
• disclosure of information, including sensitive personal data or information;
• reasonable security practices and procedures.
Policy shall be published on the website.
9. SPDI Rules
COLLECTION OF INFORMATION: Consent in writing to be obtained.
Information is to be collected for a lawful purpose, considered necessary and connected with a function or activity of the body corporate or any person on its behalf.
The provider of information is to have:
• knowledge of the fact that the information is being collected,
• the purpose for which the information is being collected,
• the intended recipients of the information,
• the name and address of the agency that is collecting the information, and
• the agency that will retain the information.
10. SPDI Rules
COLLECTION OF INFORMATION (contd.): The provider of information is permitted to review the information so provided and to correct / amend it if found inaccurate or deficient.
The provider of information has the option:
• not to provide the data or information sought to be collected;
• to withdraw consent given earlier. Such withdrawal of the consent shall be sent in writing to the body corporate.
Information is not to be retained for longer than is required for the purposes for which the information may lawfully be used, or as is otherwise required under any other law for the time being in force.
11. SPDI Rules
DISCLOSURE OF INFORMATION:
• Prior permission to be obtained in case of disclosure to any third party
• Consent not necessary in case of sharing with Govt agencies or as mandated under the law
• Not to publish the sensitive personal data or information
• Third party receiving information shall not disclose it further
12. SPDI Rules
TRANSFER OF INFORMATION: Conditions:
• the same level of data protection that is adhered to by the body corporate is adhered to by the transferee,
• it is necessary for the performance of the lawful contract between the body corporate or any person on its behalf and the provider of information,
• such person has consented to the data transfer.
GRIEVANCE HANDLING:
• Designate a Grievance Officer
• Publish his name and contact details on its website
• Grievances to be resolved within one month
14. SPDI Rules
REASONABLE SECURITY PRACTICES AND PROCEDURES: Implement security practices and standards:
• IS/ISO/IEC 27001
• Documentation of practices and standards in the form of an information security programme that contains managerial, technical, operational and physical security control measures
• The codes of best practices for data protection (by any industry association, or an entity formed by such an association, whose members are self-regulating by following codes of best practices other than IS/ISO/IEC)
• Such standard or codes of best practices to be certified or audited at least once a year through an independent auditor duly approved by the Central Government, or as and when there is a significant upgradation of its process and computer resource.
15. Data Theft
Unauthorised copying or removal of confidential information; it could take the form of theft of customer data or of a company’s proprietary or intellectual property.
Data theft involves issues of copyright violation and violation of privacy under the IT Act 2000, as well as criminal breach of trust and dishonest misappropriation under the Indian Penal Code, 1860.
Section 43(b), read with Section 66 (IT Act), and Sections 379, 405 & 420 of the IPC
Section 43(b)
“any person without permission of the owner or any other person
who is in-charge of a computer, computer system or computer
network downloads, copies or extracts any data, computer data
base or information from such computer, computer system or
computer network including information or data held or stored in
any removable storage medium”
16. Penal Provisions
Section: Penal Provision
43A (failure to protect data): Damages by way of compensation to the person so affected.
• Upto Rs. 5 crore (adjudicating officer)
• Above Rs. 5 crore (civil court)
65 (hacking / tampering): Imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.
66C (identity theft): Imprisonment for a term which may extend to three years, and shall also be liable to fine which may extend to rupees one lakh.
66E (punishment for violation of privacy): Imprisonment which may extend to three years, or with fine not exceeding two lakh rupees, or with both.
67C (preservation and retention of information by intermediaries): Imprisonment for a term which may extend to three years, and shall also be liable to fine.
17. Penal Provisions
Section: Penal Provision
70 (unauthorized access to protected systems): Imprisonment for a term which may extend to 10 years, and shall also be liable to fine.
72 (breach of confidentiality and privacy): Imprisonment for a term which may extend to 2 years, or with fine which may extend to one lakh rupees, or with both.
72A (disclosure of information in breach of lawful contract): Imprisonment for a term which may extend to 3 years, or with fine which may extend to five lakh rupees, or with both.
85 (offences by companies): No express provision vis-à-vis penalties and compensation. Onus is on the Company / Person Responsible.
18. Case Study
Umashankar Sivasubramaniam case decided against ICICI Bank (phishing fraud) (2010)
The Adjudicating Officer held that the Respondent bank had failed to put in place a foolproof Internet Banking system with adequate levels of authentication and validation which would have prevented unauthorised access, and found it guilty of the offences made out under section 85 r/w section 43 of the Act.
Award: Rs. 13 lakhs compensation
19. Case Study
Nasscom vs Ajay Sood & Others (March 2005)
The Delhi High Court declared phishing on the internet to be an illegal act, entailing injunction and recovery of damages.
Personal data was illegally collected by misrepresenting the identity of a legitimate party.
The DHC held that there was “misrepresentation made in the course of trade leading to confusion as to the source and origin of the e-mail causing immense harm not only to consumer but even to the person whose name, identity or password is misused”.
Award: Rs. 1.6 million against the defendants
20. Case Study
M/S JUST DIAL PRIVATE LIMITED Vs. M/S INFOMEDIA 18 LIMITED & OTHERS (2010)
Just Dial alleged that its extensive and valuable database was copied by Infomedia 18 Limited on its website askme.in.
Just Dial moved the High Court against ‘ASKME.IN’ for breach of copyright with respect to the database.
Just Dial submitted that Infomedia 18 had substantially copied the Just Dial database, which was evident from the reproduction of the same mistakes in the askme.in database. It contended that a minimum of 14 years was spent in producing the database and a lot of resource was put in for the same.
The Court granted an ex parte injunction against Infomedia 18, restraining it from infringing the said copyright and from running the website askme.in.