Rediff.com

Security: New mantra for revised Act

July 12, 2005 13:23 IST

The committee on amendments to the Information Technology Act 2000 is expected to include a data protection clause, besides recommending changes to the liability of network service providers.

"We have suggested that employees who have access to privileged information must come under the purview of the Act," said Nasscom president Kiran Karnik, who is also a member of the committee.

The committee was set up in January this year to review the provisions of the IT Act and is expected to submit its recommendations this week.

At present, the Act only covers government and enforcement employees who have disclosed information accessed by them.

The recommendations on data protection may not be modelled on the framework in the US and UK, as both have exclusive laws dealing with the issue.

The much-talked-about data theft by Karan Bahree and the arrest of Baazi.com CEO Avnish Bajaj would mean that issues of data protection and liability of network service providers will be part of the recommendations that the committee will make.

"Data protection and liability of network service providers seem to be the most pressing issues which the committee will address," said Pawan Duggal, an expert in cyber laws.

The law, originally enacted to facilitate e-commerce and the use of digital signatures, currently has no provisions for privacy and protection of data owned by foreigners.

As India moves higher up the value chain and graduates to high-end outsourcing work like clinical trials, there is a need to make the confidentiality clause a legal obligation and not just a contractual obligation, he added.

The addition of a data protection clause, to be effective, will increase the quantum of damages under section 43 as a penalty for damage to a computer or a computer system.

Currently, any theft of data is treated under the Act only as a civil offense, and the damage is up to Rs 1 crore (Rs 10 million).

"The amount that can be lost via data theft can run into tens of crores, while the maximum damage specified by the law is only one crore. This incongruence will have to be addressed for a data protection clause to be effective," said Vaibhav Parikh, a senior lawyer with Nishith Desai and Associates.

The arrest of the Baazi.com CEO last year highlighted that the liability of the network service provider also has to be addressed.

"Section 79 of the Act, which deals with liability of NSP, must be amended as it makes the Act very all-encompassing in its nature," added Parikh.

Most security analysts and lawyers believe that the Act in its current avatar is draconian and arbitrary, which will also be addressed.

The law defines the powers of the police and specifies that there can be arrest without a warrant.
Gaurie Mishra in New Delhi