Mainstream

Home > Archives (2006 on) > 2008 > July 12, 2008 > Adequately Protected in India?

Mainstream, Vol XLVI No 30

Adequately Protected in India?

The Need For A Separate Legislation

Wednesday 16 July 2008, by Neetika Yadav, T Priyadarshini

India started a process of economic liberalisation in the 1990s. One of the main features of this process has been to simplify rules and regulations to attract foreign investment. As a result of this, India is becoming easier to enter from a regulatory and commercial point of view but there are still issues to overcome, one of them being Indian privacy standards for the outsourcing company.

Much of the early outsourcing to India was from the United States, which had no comprehensive data protection laws. As a result, great quantities of personal data were, and continue to be, shipped from the United States without the complications that arise where cross-border transfer restrictions apply. However, an increasing amount of outsourcing now involves data that is subject to the laws of the Member States of the European Union (the “EU”).

As outsourcing becomes more widespread and competition in the marketplace grows, the ability to illustrate the existence and continued use of powerful safeguards will increasingly become one of the significant factors for companies that are deciding which provider to link up with. Safeguards have been adopted by countries by enacting laws and directives. The US and the UK have well-defined and comprehensive laws on data security and privacy. The US has sector-specific laws and laws at the federal and the state level. The UK has a comprehensive Data Protection Act covering all sectors1 . While India lacks specific laws on privacy and data protection it cannot be denied that there are proxy laws2 and other indirect safeguards, which provide adequate protection to companies offshoring work.

The Ministry of Information Technology, on August 29, 2005, proposed certain amendments to the Information Technology Act, 2000 and issued a press release in connection therewith.3 The press release by the Ministry emphasised the need for data protection in the context of Business Process Outsourcing4 operations due to certain “recent developments nationally and internationally”. The “recent developments” could be a reference to certain incidents including (i) the sting operation carried out by the Sun on the Indian BPO mentioned before,5 (ii) the circulation of a multi-media clip depicting the naked body of a woman allegedly morphed with the face of an upcoming Indian actress,6 (iii) the attempted credit card frauds by an Indian BPO, and (iv) the alleged sale of a sexually explicit multi-media clip depicting a sexual act by two schoolchildren (and shot by one of them) on an auction portal owned by E-Bay Inc.7

With this background, the objective of this article is to look at whether India should go for a separate legislation for data protection or the Information Technology Act after the amendment meets the global requirements. Hence, the focal topic of discussion in the paper is the adequacy of data protection laws in India which has been examined by analysing the constitutional perception of privacy and the international standards of data protection.

Need for Data Protection Laws in India

THE primary question in consideration is: “Why are Data Protection Laws required in India?” This can be answered with a two-fold argument:

• Firstly, the perception of privacy as envisaged by the Constitution and by the Courts has certain limitations which render it inappropriate for application to BPOs.

• Secondly, the Data Protection Laws have to comply with the international standards for facilitating the outsourcing industry and developing commerce.

1. The Constitutional Perception of Privacy in India and its Limitations

Even after the Constitution came into force, no fundamental right to privacy was explicitly guaranteed. However, the Constitution of India embodied Fundamental Rights in Part III, which are enumerated in Article 14-30. Judicial activism has then brought the Right to Privacy within the realm of Fundamental Rights.

Some decisions of the Supreme Court address privacy matters. These decisions draw the contours of the right to privacy, where necessary, and balance it against other rights and interests. The Apex Court held that the Article 21 of the Constitution includes “right to privacy” as a part of the right to “protection of life and personal liberty”. The Court equated ‘personal liberty’ with ‘privacy’, and observed that

the concept of liberty in Article 21 was comprehensive enough to include privacy and that a person’s house, where he lives with his family, is his ‘castle’ and that nothing is more deleterious to a man’s physical happiness and health than a calculated interference with his privacy.8-

Later it was observed that “a citizen has a right to safeguard the privacy of his own, his family, marriage, procreation, motherhood, child bearing and education among other matters. None can publish anything concerning the above matters without his consent—whether truthful or otherwise and whether laudatory or critical. If he does so, he would be violating the right to privacy of the person concerned and would be liable in an action for damages”.9
A perusal of the observations given by the Supreme Court gives rise to three themes:

(i) that the individual’s right to privacy exists and any unlawful invasion of privacy would make the ‘offender’ liable for the consequences in accordance with law;

(ii) that there is constitutional recognition given to the right of privacy which protects personal privacy against unlawful governmental invasion;

(iii) that the person’s “right to be let alone” is not an absolute right and may be lawfully restricted for the prevention of crime, disorder or protection of health or morals or protection of rights and freedom of others;

The above mentioned judgements show, that a Right to Privacy is recognised in India but it is rather limited since it covers only “first generation rights” as understood in Europe.

2) International Standards of Adequacy

The Indian outsourcing industry needs to be complying with requirements of data protection in the American and EU jurisdictions. It is necessary to give the potential client the confidence in the services provided by the Indian outsourcing industry.

Data Protection Law in European Union10

THE European Union Directive 95/46/EC11 on the protection of individuals with regard to the processing of personal data and on the free movement of such data is the law of Data Protection in the EU. The European Commission realised that diverging data protection legislations in the EU member states would impede the free flow of data within the EU zone. Therefore, the European Commission decided to harmonise data protection regulation and proposed the Directive on the protection of personal data. These are addressed to the member states, and are not legally binding for citizens in principle. The member states must transpose the directive into internal law. Directive 95/46/EC on the protection of personal data had to be transposed by the end of 1998. All member states have enacted their own data protection legislation.

The guiding principle of this Directive is that personal data should not be processed at all, except when certain conditions are met. These conditions fall into three categories:

• Transparency: the data subject has the right to be informed when his personal data are being processed. The controller must provide his name and address, the purpose of processing, the recipients of the data and all other information required to ensure the processing is fair.12

• Legitimate purpose: personal data can only be processed for specified explicit and legitimate purposes and may not be processed further in a way incompatible with those purposes.13

• Proportionality: personal data may be processed only insofar as it is adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed.

Personal data is defined as Article 2(a), “any information relating to an identified or identifiable natural person, ‘data subject’; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.” This definition mandates a wide scope. The responsibility for compliance rests on the shoulders of the controller14 and the data protection rules are applicable not only when the controller is established within the EU, but whenever the controller uses equipment situated within the EU in order to process data.15 Controllers from outside the EU, processing data in the EU, will have to follow data protection regulation. In principle, any online shop trading with EU citizens will process some personal data and is using equipment in the EU to process the data (the customers computer). As a consequence, the website operator would have to comply with the European data protection rules.

Assessment of Adequacy of a Data Protection Regime: Article 25 of Directive 95/46/EC regulates the transfer of personal data from member states of the European Union to third countries, that is, countries outside the EU. According to Art. 25(1), transfer of personal data “may take place only if the third country in question ensures an adequate level of protection”.16 The essential concern of the Directive on this point is to ensure that data relating to European citizens and residents remain subject to safeguards when transferred out of the EU. The Directive states that adequacy of protection shall be assessed in the light of all the circumstances surrounding a data transfer or set of data transfer operations.16 According to Article 25(6), the European Commission has the power to make determinations of adequacy which are binding on EU member states.17 Positive determinations of adequacy have hitherto been made for Hungary18, Switzerland19, Canada, Argentina20 and the United States’ “safe harbour” scheme.21

Adequacy shall be assessed in the light of all circumstances surrounding a data transfer operation.22 Consideration must be given to the nature of the data, and the purpose and duration of the proposed processing operations. The rules of law in general and in specific sectors must be analysed.23 The content of the rules applicable and the means for ensuring their effective application must be also considered.

The principal legal criteria for assessing data protection regime are the rules in Directive 95/46/EC as construed and applied by the European Court of Justice (ECJ). There are as yet no decisions of the ECJ interpreting the concept of ‘adequacy’.

The principle methodological criteria for assessing data protection for third world countries would be as set out by the Article 29 Data Protection Working Party in its document, Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection Directive.24 While the core criteria suggested by the Working Party do not have any legal standing, they are the considered view of Europe’s data protection authorities as to what constitutes ‘adequacy’, and are derived from the Working Party’s assessment of the most important requirements of Directive 95/46/EC and other international data protection texts.25

Finally, while assessing the content of applicable rules, account is not only taken of formal legal rules and formal oversight mechanisms rooted in legislation. Other means which contribute to ensure an adequate level of data protection as, for example, professional rules and security measures which are complied with in India. The Directive requires that account be taken of non-legal rules that may be in force in the third country in question, provided that these rules are complied with. Moreover, the way in which a regime function will be tied not just to the rules found in both “hard” and “soft law” instruments but also to a myriad of relatively informal customs and attitudes which prevail in the country concerned, for example, the extent to which the country’s administrative and corporate cultures are imbued with a respect for authority or respect for fair information principles.26

In the year 2002, in light of the tremendous growth of the BPO sector and the massive amounts of data transfers taking place, the EU issued Directive 2002/58/EC to ensure that all member states adopt the guidelines concerning the processing of personal data and the protection of privacy in the E-Communications sector. The EU Directive follows a three pronged approach with regard to control of abuse of personal information and provides for the personal ownership of data and individual consent to use such personal data. Further, companies are allowed to use the data collected for only those purposes that the business previously identified. The Directive provides that data must be processed fairly and lawfully and that it should be collected for specified, explicit and legitimate purposes without any further processing that would be incompatible with those purposes. Thus, the Directive is only a set of minimum requirements and member nations are free to go for even more stringent regulations.

The development and implementation of the EU Data Directives have had international consequences. Anyone who wishes to collect data from citizens of the EU has to ensure compliance with the Directives. Member states of the EU have also been given the power to enact laws prohibiting the transfer of data to countries which do not have an adequate level of data protection. The Directive further restricts the ‘onward transfer’ of personal information to another third party. However, there is a provision in the Directive for countries to enter into contractual clauses to convince countries in the EU about the safeguards it can provide. This ensures that there can be transfer of data even though there might not exist adequate levels of protection at the national level, if such countries agree to provide the necessary protection through contractual clauses.

United States’ Safe Harbour Principles

THE ‘Safe Harbour’ principles were issued by the US Department of Commerce on July 21, 2000. While the United States and the European Union share the goal of enhancing privacy protection for their citizens, the United States takes a different approach to privacy from that taken by the European Union. The United States uses a sectoral approach that relies on a mix of legislation, regulation and self-regulation.

Given those differences, many US organisations expressed uncertainty about the impact of the EU-required “adequacy standard” on personal data transfers from the European Union to the United States. To diminish that uncertainty and provide a more predictable framework for such data transfers, the Department of Commerce issued the “Safe Harbour” principles under its statutory authority to foster, promote, and develop international commerce.

US companies can opt into the programme as long as they adhere to the seven principles outlined in the Directive. These principles must provide:

• Notice—Individuals must be informed that their data is being collected and about how it will be used.

• Choice—Individuals must have the ability to opt out of the collection and forward transfer of the data to third parties.

• Onward Transfer—Transfers of data to third parties may only occur to other organisations that follow adequate data protection principles.

• Security—Reasonable efforts must be made to prevent loss of collected information.

• Data Integrity—Data must be relevant and reliable for the purpose it was collected for.

• Access—Individuals must be able to access information held about them, and correct or delete it if it is inaccurate.

• Enforcement—There must be effective means of enforcing these rules.
Mechanisms for assuring compliance with the Safe Harbour principles may take different forms. Organisations may satisfy the requirements through the following mechanisms: (1) through compliance with the private sector developed privacy programmes that include effective enforcement mechanisms; (2) through compliance with legal or regulatory supervisory authorities; or (3) by committing to cooperate with data protection authorities located in the European Community or their authorised representatives, provided those authorities agree. This list is intended to be illustrative and not limiting. The private sector may design other mechanisms to provide enforcement, so long as they meet the requirements of these principles.27

In general, enforcement of the Safe Harbour takes place in the United States in accordance with US law and is carried out primarily by the private sector. Private sector self regulation and enforcement is backed up as needed by government enforcement of the federal and state unfair and deceptive statutes. The effect of these statutes is to give an organisation’s safe harbour commitments the force of law vis-a-vis that organisation.

Initiatives Towards Data Protection

THE incidents sparked a moral outrage through the national conscience, propelling the government to bring out certain amendments to the IT Act to accommodate the concerns being raised. The amendments are as follows:

• The Act has been made technology neutral by replacing the term ‘digital’ with ‘electronic’:

• Section 43 of the Act has been amended to include a new subsection (2) wherein there is a proposal to handle sensitive personal information with reasonable security practices and procedures.

• Section 66 of the Act dealing with computer related offences has been revised to be in line with Section 43 related to penalty for damage to computer resource.

• A new section on Section 67 (2) has been added to address child pornography with higher punishment.

• Keeping in line with the principles in EC Directive 2000/31/EC, section 79 has been revised to bring out explicitly the extent of liability of intermediary in certain cases.

The first in the series of amendments involving privacy protection is to provide compensation by an organisation, “…that owns or handles sensitive personal data or information in a computer resource that it owns or operates”. If such an organisation has been negligent in implementing and maintaining “reasonable security practices” and procedures to protect “sensitive personal data”, it shall be liable to pay compensation to any person affected by such negligence.

The next amendment in the series of privacy related amendments deals with disclosure of information by intermediaries and service providers. Section 72 of the Act penalised those agencies which “in pursuance” of the powers conferred on them by the Act (for example, certifying authorities) having access to personal information disclosed it without authorisation.28 It had limited scope because it could only be applied to those cases where an agency disclosed personal information to which it was privy because of requirements under the Act.

The amendment to this Section now does away with this limitation and penalises any intermediary who discloses subscriber information to which it is privy by reason of that subscriber availing of the services provided by the intermediary. It is to be noted that the provision states that if an intermediary discloses this information, “without the consent of such subscriber and with intent to cause injury to him….”, the subscriber is entitled to compensation.

Without going into legal intricacies, it is evident that the language in which the provision is couched will make it extremely difficult for a subscriber to get compensation from the errant intermediary. This is because no intermediary would ever disclose such information with the intent to cause injury to any subscriber. Rather the disclosure would most likely be caused by the intent to derive profit with the knowledge that injury might result from such disclosure.

The Conflicting Views

THE issues relating to data protection have invoked two types of reaction

• Firstly, that the existent legislation meet the requirements of data protection and a clarificatory notification has been provided vide the Amendment.

• Secondly, that it is inappropriate to accommodate data protection requirements in the IT Act by the amendments.

In support of the Information Technology Act and the Amendment.

It is argued that the non-existence of legal provisions protecting data is a myth. In pursuance, it is said that the issues are not confined to “Data Protection” alone but it essentially and inevitably involves, among other things, a “sound E-governance and E-commerce base” as well. Further, it is argued that a careful and closer evaluation of the provisions of TRIPS Agreement, the Copyright Act, 1957 and the Information Technology Act, 2000 reveals that they adequately meet the requirements of Data Protection Laws in India. And that a separate legislation is not required at all. All that is needed is a “clarificatory notification” that will give the much-needed “sense of security” to the MNCs. And this clarificatory notification has been provided vide the Amendment.

Under the IT Act, 2000 BPOs may be defined as an intermediary as given under Section 2 (1) (w)29 as it would be within the purview of “provider of service”. A BPO can also be called as “Network Service Provider” under Section 7930 as it is acting as a service provider making available information or data.

They further argue that BPOs can be held responsible for breach of confidentiality and privacy of data and computer database. Reference is made to Section 7231 and the inserted Section 72 A32 vide amendment which provides for penalty. Though Section 72A has made it clear, Section 72 provides power to Network Service Provider. And the liability of the Network Service Provider for disclosure of information, correspondence etc without the consent of the person concerned.

Hence, the view is that the Information Technology Act 2000 is an enabler, which needs to be strengthened by addressing the issues related to unauthorised misuse of personal information or data33 in order to provide a sense of security to the outsourcing companies.

Insufficiency of the Information Technology Act

The major argument substantiating the insufficiency of the IT Act would be with respect to the fact that the Indian Information Technology Act 2000, intended to cope generally with e-commerce and contains only a brief mention of privacy-type issues, but has nothing specifically directed toward privacy. The Act focuses instead on computer abuse and evidentiary matters related to proving computer-related cases.

Utmost importance is given to the fact that the absence of a specific privacy law in India has resulted in a loss of substantial foreign investment and other business opportunities. This deficiency has also served as an obstacle to the real growth of electronic commerce. Thus, a statute addressing various issues related to privacy is of utmost importance today. Accordingly, it has been recommended that a statute addressing the issues of privacy be brought into force as soon as possible.34

Moreover, in order to meet international standards it is necessary that there should be separate data protection legislation. This is to facilitate the compliance with the adequacy requirements of the EU Directive and Safe Harbour principles. The amendment is seen as a reaction to recent data thefts and other incidents and has to do more with issues related to cyber crime and e-commerce transactions. While the amended version of the Act strengthens provisions on confidentiality and data privacy, the inclusion of a solitary provision on data privacy is quite in contrast to Europe where data protection provisions are enshrined in directives at the EU level and in national legislation. In fact, data protection is sine qua non for aspirant members to the EU.

To conclude, we are confronted with a situation where the nation’s data protection needs are being met by legislation, that is, the IT Act, whose preamble and purpose is to regulate e-commerce. With commercial nations devoting an entire legislation for the purpose of data protection, thereby facilitating the outsourcing industry, does our IT Act with few provisions on this issue, fall short?

Hence the question of sufficiency of data protection legislation when examined in the light of arguments both for and against the need for a separate legislation. We conclude that it would be of greater benefit to the country if a separate and concisely drafted legislation covering all issues of privacy is enforced. The IT Act does not afford any comprehensive legislation for data protection. As a country we stand at the threshold of dominating the Information Technology sector. Any lapse on our part would lead to an irrecoverable stumble from the pinnacle. Therefore to capitalise and optimise in the present scenario the above suggestion is inevitable. A contradictory argument, of courses is the lack of resources for drafting a new legislation but as they say necessity is the mother of invention, and this certainly is a necessity.

REFERENCES

1. See: Regulatory Environment in India, http://www.nasscom.in/Nasscom/templates/NormalPage.aspx?id= 26104

2. A few of the proxy laws are Section 65, 66 and 72 of the Indian IT Act, the Indian Contract Act, Section 406 and 420 of the Indian Penal Code, and the Indian Copyright Act.

3. See a copy of the Press Release, Summary of the proposed amendments and Full Text of the report of the Expert Committee at http://www.mit.gov.in/itact2000/index.asp (Visited in November 2005).
4. Hereinafter referred to as “BPO”.

5. “Sun’s sting operation”, Economic Times, June 29, 2005, Times News Network. See: http://www.crime-research.org/news/29.06.2005/1324

6. “Gettin’ over the MMS Mess”, July 19, 2005, 2118 hrs IST, Afsana Ahmed, TNN.

7. “DPS student involved in MMS case arrested in Delhi”, Sunday, December 19, 2004, See: http://news.indiainfo. com/2004/12/19/1912mmscase.html

8. Kharak Singh v State of UP AIR 1963 SC 1295.

9. R. Rajagopal v State of Tamil Nadu AIR 1995 SC 264. Also See: Peoples Union for Civil Liberties (PUCL) v Union of India, AIR 2003 SC 2363, X v Hospital Z, AIR 1999 SC 495, Sharda v Dharmpal, AIR 2003 SC 3450, District Registrar and Collector v Canara Bank, (2005)1 SCC 496, State of Karnataka v Krishnappa, AIR 2000 SC 1470, State v N. M. T. Joy Immaculate”, AIR 2004 SC 2282, Saroj Rani v Sudarshan Kumar Chadha, AIR 1984 SC 1562, Sudhansu Sekhar Sahoo v State of Orissa, AIR 2003 SC 2136, State of Punjab v Baldev Singh, AIR 1999 SC 2378.

10. Hereinafter Referred to as “EU”.

11. Directive 95/46/EC of the European Parliament and of the Council of 24.10.1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data– hereinafter also termed “the data protection Directive” or “Directive”.

12. Articles 10 and 11.

13. Article 6(b).

14. A controller refers to the natural or artificial person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; (art. 2 d).
15. Article 4.

16. Article 25(2).

17. The Commission does not make such decisions on its own but with input from: (i) the Data Protection Working Party established pursuant to Article 29 of the Directive (which may deliver a non-binding opinion on the proposed decision (Article 30(1)(a) and (b)); (ii) the Committee of Member State representatives set up under Article 31 of the Directive (which must approve the proposed decision and which may refer the matter to the Council for final determination (Article 31(2)); and (iii) the European Parliament (which is able to check whether the Commission has properly used its powers). The procedure follows the ground rules contained in Council Decision 1999/468/EC of 28.6.1999 laying down the procedures for the exercise of implementing powers conferred on the Commission.

18. Commission Decision 2000/519/EC of 26.7.2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided in Hungary.

19. Commission Decision 2000/518/EC of 26.7.2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided in Switzerland. The Commission has recently reaffirmed the adequacy of the Swiss regime: See Commission Staff Working Document SEC (2004) 1322, Brussels, 20.10.2004.

20. Commission Decision C(2003) 1731 of 30.6.2003 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in Argentina (OJ L 168, 5.7.2003, p. 19 et seq.)

21. 2000/520/EC: Commission Decision of July 26, 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (notified under document number C(2000) 2441).

22. Supra.

23. Alexander Zinser, ”International Data Transfer out of the European Union: The Adequate Level of Data Protection According to Article 25 of the European Data Protection Directive”, [2003] 21 John Marshall J. of Comp. and Inf. Law, 547 at. p. 550 et seq.

24. See also European Commission, Preparation of a methodology for evaluating the adequacy of the level of protection of individuals with regard to the processing of personal data (Luxembourg: Office for Official Publications of the EC, 1998).

25. The headings of the core criteria suggested by the Working Party consists of the Content Principles which includes, Purpose limitation, Data quality and proportionality, Transparency, Security, Rights of access rectification and opposition, Restrictions on onward transfers, Additional principles in appropriate types of processing, such as those concerning (i) sensitive data, (ii) direct marketing and (iii) automated decisions and The Procedural/enforcement mechanisms which includes Delivery of a good level of compliance, Support to individual data subjects, Provision of appropriate redress to the injured parties.

26. D.H. Flaherty, Protecting Privacy in Surveillance Societies (Chapel Hill / London: University of North Carolina Press, 1989).

27. Principle 7.

28. The existing Sections (namely, 43, 65, 66 and 72) have been revisited and some amendments/more stringent provisions have been provided for. Notably amongst these are: (i) Proposal at Section 43(2) related to handling of sensitive personal data or information with reasonable security practices and procedures thereto (ii) Gradation of severity of computer related offences under Section 66, committed dishonestly or fraudulently and punishment thereof (iii) proposed additional Section 72 (2) for breach of confidentiality with intent to cause injury to a subscriber.

29. Section 2(1)(w) “intermediary” with respect to any particular electronic message means any person who on behalf of another person receives, stores or transmits that message or provides any service with respect to that message.

30. Network service providers not to be liable in certain cases.: For the removal of doubts, it is hereby declared that no person providing any service as a network service provider shall be liable under this Act, rules or regulations made thereunder for any third party information or data made available by him if he proves that the offence or contravention was committed without his knowledge or that he had exercised all due diligence to prevent the commission of such offence or contravention. Explanation—for the purposes of this section,—(a) “network service provider” means an intermediary; (b) “third party information” means any information dealt with by a network service provider in his capacity as an intermediary.

31. Section 72. Penalty for breach of confidentiality and privacy. Save as otherwise provided in this Act or any other law for the time being in force, any person who, in pursuance of any of the powers conferred under this Act, rules or regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses such electronic record, book register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.

32. Section 72A. Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person, shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to five lakh rupees, or with both.’

33. “Policy”, Nasscom BPO Newsline, October 2003.

34. Recommendations by Asian School of Cyber Laws.

Notice: The print edition of Mainstream Weekly is now discontinued & only an online edition is appearing. No subscriptions are being accepted