India is proposing a new Privacy Bill, slated for the next Indian Parliamentary session. There are a number of ground-breaking rules but I noticed that there is no specific safe harbor from penalties when data encryption software like AlertBoot is used to protect information. On the other hand, the law does specify that “every data controller shall ensure the security of data under its control by taking appropriate measures.”
Lots of New Rules
While the bill is not yet officially open for public debate, it is being discussed in the press that it covers a range of issues:
- Protections for health information of Indian citizens
- Revocation of telecommunication licenses for any companies that illegally intercept phone calls
- The creation of a Data Protection Authority of India that will monitor and enforce compliance of the bill
- Fines of Rs 1 lakh and 5-year jail sentence for illegal snooping, and fines of Rs 50,000 and a 3-year jail sentence for anyone who was involved (I’m assuming indirectly).
- Pretexting (getting information under false pretenses) results in a fine of Rs 5 lakh
- Government officials (department heads) are not absolved from their subordinates’ actions
According to this copy of the proposed bill, section 40 deals with data security, which is reproduced below:
- Every data controller shall ensure the security of data under its control by taking appropriate measures to prevent —
- The loss of theft of, or damage to, or unauthroised destruction of such data; or
- The unlawful processing of such data; or
- The unauthroised disclosure (either accidental or intentional) of such data.
- Where a data controller engages a sub-contractor to process the data on its behalf, the data controller shall ensure that the data entrusted to the sub-contractor under a contract arrangement is maintained in the same manner as if it is maintained by the data controller itself
- Every sub-contractor shall be deemed to be the data controller in respect of the data under his control and shall deal with the data in accordance with the provisions of this Act.
Clearly, there is no mention on whether the use of encryption software offers safe harbor, be it form potential penalties or from having to send breach notification letters.
However, I get the feeling that the UK’s own Data Protection Act had something of an influence on this particular bill. If true, there’s a good chance that the Data Protection Authority of India (yet to be established) will judge favorably upon the use of encryption programs, something that the UK’s own Information Commissioner’s Office already does (and regularly includes as provision its Undertakings with breached entities — the use of encryption, that is).
I’m not about a bill that’s not yet passed, but I did notice that many in the media are reporting this:
Taking a tough stand against government officers, the Bill proposes that “where an offence under this Act has been committed by any department of the Government, the Head of the Department shall be deemed to be guilty of the offence and shall be liable to be proceeded against and punished accordingly unless he proves that the offence was committed without his/her knowledge or he/she exercised due diligence to prevent the commission of such offence.” [deccanherald.com, my emphasis]
While many would applaud this, it seems to me that there are problems with it.
First off, it asks one to prove the non-existence of something. If you know anything about basic logic, you know this is impossible. The simplest example is proving that black swans exist. Today we know that black swans exist, but prior to 1697, it was common knowledge that they didn’t. The “evidence” was that all the swans people could find were white. Obviously, all you need to topple that argument is one black swan, which is what an explorer came across in Australia in the 17th century. Coming back to our government officials, there’s no way that they can prove they didn’t know.
Second — which builds on the first problem I’ve pin-pointed above — a subordinate could make trouble for his superior by committing an offense and then claiming that the superior ordered him to do it. It’s his word against the superior’s, and we’ve already shown that the superior can’t prove, at least on purely logical terms, that he wasn’t.
Granted, there is a due diligence clause, but these can be used or abused to suit particular needs, be it political or otherwise. That’s not to say that department heads should not be held accountable for breaches. I’m just pointing out how it’s a particularly hard task.
Regardless, if the bill passes, it would mean better privacy rights for Indian citizens.
Related Articles and Sites: