siliconindia | May 2019

tion. Section 43A clearly lays down that a body corporate which fails to protect any personal data shall be liable to pay damages. Section 72 mandates that anyone who breaches the confidentiality of any person by accessing their personal information without consent shall be liable to imprisonment for up to two years, or a fine of up to Rs. 1 lakh, or both. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 reinforce the same principle. Rule 7 provides that no personal data can be published without the consent of the information provider. The Rules also define the term `sensitive personal data or information' as information which is not readily available in the public domain, such as passwords and financial information. There are various such Regulations in relation to each sector. Therefore, where TSPs are required to maintain a customer database for the purpose of their services, they are prohibited from disclosing it to third parties without the customer's consent. Even if customers blindly consent to the dissemination of their personal data, if the manner of such dissemination violates any statutory requirement, that consent may not be held to be proper consent.

In addition to this, there are sectoral regulations in place to further tighten the protection mandated by the ITA. For example, the RBI has issued guidelines for e-banking and the risk management thereof. The guideline has a separate chapter on IT outsourcing, under which due diligence needs to be exercised as to the vulnerabilities with respect to the protection of customer data. Only after a proper risk assessment has been done can such outsourcing be undertaken by banks.
Risk assessment and vulnerability assessment differ from case to case, and though the ultimate control and responsibility for such data lies with the bank alone, in certain circumstances other service providers may also become liable.

The FDI policy on the Telecom Sector, 2016 and 2017 (governing telecom and other service providers), provides security conditions that need to be met by the licensee and the service providers. These include clauses 37 and 39.23 of the Unified License Agreement, as well as the National Long Distance Operators License Agreement, which prohibit transmission and storage of customers' personal data in any place outside India, thereby restricting the physical location of servers. These are in addition to the restrictions under the ITA.

TSPs are dynamic when it comes to the services they provide. The problem that may arise is: what happens when the operations of a TSP are covered by multiple legislations? Take the example of payment gateways, which are in vogue. Such payment gateways are simply software that allows its users to make online payments. Now, with the advent of Payments Banks, the question that arises is whether it suffices for them to comply with the IT Act, or whether they need to conform to the banking and telecom regulations as well. There is no clear answer to this; it may be difficult to classify such a service under one particular head, nor can we prioritise between any of the sectoral regulations and the umbrella legislation, i.e. the ITA. Which regulations apply in each case would depend on the services being offered and the business model being operated by the service provider.

The recent nine-judge bench judgment of the Supreme Court declaring individual privacy a fundamental right [Justice K.S. Puttaswamy v. Union of India] also has far-reaching impact on the issue of data protection vis-à-vis the right to privacy. The ITA already recognises the right against breach of personal information without consent as a legal right.
Recognition of privacy as a fundamental right by the Supreme Court has opened a new avenue to ensure protection of privacy; the Government will possibly come up with stringent measures by way of new regulations to ensure that service providers protect customer data. Therefore, in future, it would be prudent and advisable for service providers to exercise greater caution while handling customer data. It has to be remembered that fundamental rights prevail over all other rights.

Amit Kumar Bhattacharyya