Wednesday, October 27, 2010

Information Security - What India Needs??

It is quite interesting to note that when it comes to the Cyber Laws, Indian IT Act 2000 (amended by Information Technology Amendment Bill 2006, passed in Lok Sabha on Dec 22 and in Rajya Sabha on Dec 23 2008 and reinstated at Indian IT Act 2008) is one of the best Cyber Laws in the world.  Incidentally,  India was just the 12th nation when the act was initially put to effect in the year 2000.  However, the Act fails to provide any point with regards to the Privacy of Personal Information.  Today when Identity Theft is one of the prime concerns in the Digital Space, India is lacking big time on the Ensuring the Integrity and Protection of Information as stored, processed and transmitted using information technology and the allied systems.

An Analysis of the Personal Data Protection Law in India by CRID - University of Namur (Submitted to Commission of the European Communities, Directorate General Justice, Freedom and Security) identified the specific lacunae as present in this area.

CRID evaluated Indian Regulatory Scenario in its 71 pager report covering the aspects of  -
  1. Federal Structure
  2. Constitution of India
  3. Judicial System
  4. Administrative Tribunals System
  5. Competence to Legislate on Data Protection
  6. Influence of International Norms
  7. General Legal Protection of Human Rights
  8. Data Protection Legislation
  9. The Right to Privacy in India
  10. Statutory Safeguards of Privacy and Data Protection Interest Outside Data Protection Legislation
  11. The Information Technology Act, 2000
  12. The Amendments to the IT Act 2000
The evaluation of Indian Regulatory / Legal environment around Privacy and / or Protection of Data has been referenced to the Article 25 of Directive 95/46/EC that regulates the transfer of personal data from Member States of the European Union (EU) to “third countries” – i.e., countries outside the EU (and EEA). According to Art. 25(1), transfer of personal data “may take place only if the third country in question ensures an adequate level of protection”.

Salient Observations by CRID are -
  1. Section 3.1.2.1 on page 30 states - No Such Concept as "Personal Data"
  2. Para 2 of the section further elaborates - "The IT Act doesn’t provide for any definition of personal data"
  3. Section 3.1.4.2 b) states - The research found no express provision in the IT Act requiring data to be kept accurate and up-to-date
  4. Para below that (again referred as 3.1.4.2) states - The research haven't found any provision in the IT Act requiring processed and transferred data to be adequate, relevant and not excessive.
  5. Section 3.1.4.3 establishes under the Head Principle of Transparency, the Information Technology Act, 2000 has no equivalent provision to the EU Privacy Directive's Articles 10 and 11
  6. Section 3.1.4.4 establishes that no specific provision requires particular security requirements that are appropriate to the risks presented by the processing of personal data. Moreover, the IT Act lacks a provision ensuring that personal data should only be processed on the instructions from the controller
  7. Section 3.1.4.5 establishes that the IT Act does not provide for any of the principles related to access, rectification and opposition by individual data subjects.
  8. Section 3.1.4.6.The principle of Restriction on Onward Transfers establishes that  The IT Act does not provide for such a principle
  9. Through and through the report highlights the areas where India Lacks in addressing Privacy and / or protection of Personal Data.  The report conclude "Given the absence of any general data protection Act, no Data Protection Authority has been established in India."
The points mentioned above certainly make a point that thought our Cyber Law is one of the Best, but it still is not the Best.  It needs to address the requirements on the lines of European Data Privacy Directive.  Moreover, the one place where India lacks is the general and overall lack of Understanding of its Cyber Laws by the Law Enforcement as well as Justice & Care Departments. A defined action plan needs to be implemented by the Law Makers to ensure that the intent and coverage of the Laws as defined and passed by the apex council are precipitated to the required levels in a manner to increase its Effectiveness and the Efficiency.

No comments: