Stiffer penalties for data theft proposed in India

BANGALORE, India - A committee set up by India's Ministry of Communications and Information Technology to amend the country's Information Technology Act 2000 has recommended tighter provisions and stiffer penalties for data theft.

The ministry released the recommendations of the committee to the public on Monday on its Web site, requesting views and suggestions by Sept. 19. However, it did not indicate when the proposed amendments would be enacted.

The committee, which was set up in January, has proposed amending section 66 of the IT Act to include data theft as an offense. Section 66 currently only deals with punishment for hacking.

The committee has also recommended a penalty for companies and other corporate bodies that have been negligent in "implementing and maintaining reasonable security practices and procedures."

Business process outsourcing and call center companies in India that handle large volumes of sensitive data from the U.S. and Europe have for the last two years been putting increasing pressure on the Indian government to pass a data protection law.

The proposed amendments also cover various issues relating to breach of confidentiality and privacy, including disclosure of private data with intent to injure, and the capture or broadcast of what the committee calls "an image of a private area of an individual" without his consent. These breaches of privacy are not covered under the current IT Act.

A section to deal with electronic publishing and transmission of child pornography has also been proposed.

Under the proposed amendment, intermediaries such as ISPs (Internet service providers), search engines, Web hosting service providers and telecommunication service providers will no longer be "liable under any law for the time being in force, for any third party information, data, or link made available by him, except when the intermediary has conspired or abetted in the commission of the unlawful act."

In the current act, the onus is on the intermediary to prove that the offense or contravention was committed without its knowledge, or that it had exercised all due diligence to prevent such offense or contravention.

This provision came under criticism from the industry in India when in December last year Avnish Bajaj, chief executive officer of eBay Inc.'s Indian subsidiary, was arrested under Section 67 of India's Information Technology Act, which relates to transmission of obscene material through electronic media. An MMS (multimedia messaging service) clip of two Delhi minors engaged in oral sex was put up for auction on eBay.

The Mumbai subsidiary of eBay argued through its lawyers that it was unaware of the clip's content, and that the item was removed as soon as it was found to be pornographic.

The committee's report can be seen at http://www.mit.gov.in/rti/index1.asp.