HSBC case is an eye opener

Updated: Jul 10 2006, 05:30am hrs
The recent HSBC case has once again highlighted the various loopholes and drawbacks in the existing system impacting the outsourcing sector. Time and again, various cases have been happening like the Karan Bahree and the Mphasis incidents that have demonstrated the utter inadequacy of existing cyberlaws to deal with data theft-related cases. A perusal of the entire scheme of the Information Technology Act, 2000 clearly shows that the IT Act is not a data protection law. It is merely an e-commerce enabling law, which also addresses a couple of other issues.

There are a couple of generic provisions which could be applied in some cases of data breach but that is hardly any consolation. The point to reflect before us is that the provision of the offence of hacking under Section 66 of the Information Technology Act 2000 cannot be a single weapon in the armoury of any nation wanting to deal with the intricate challenges of data theft and various of the kinds of data breaches. The unfortunate news is that even the proposed amendments to the Information Technology Act, 2000 do not deal with the provisions relating to data protection. Even the rights and duties of data subjects are not clearly defined under the law. Further, the definition of personal and confidential data clearly needs to be clarified, in order to remove all prevailing ambiguities around their interpretation.

The proposed move by the government to amend the cyberlaws in such a manner so as to exempt all call centres and another network service providers from the ambit of liability for third party data or information made available by them is indeed not good news. While the object behind the proposed amendments may be noble, in the long-run, throwing a protective ring around the network service providers and call centre would ultimately have the effect of scaring away foreign clients. The government has to have a complete re-look at the proposed amendments and analyse them in detail, before deciding to legislate them.

I think the HSBC case would have to wake up the government from its complacence in the area of data protection. In case, India does not have a dedicated stringent law on data protection, it may cost the outsourcing industry very dearly in the coming times. This is all the more so since the discomfort of the foreign clients is on the increase. Let us face it. While the cost arbitrage is a huge advantage, in the ultimate analysis, no one wants to go to a legal jurisdiction, where the legal system does not provide effective, efficient and expeditious remedies in the event of any kind of data breach.

Another major challenge in this regard is that the concept of data as a valuable commodity has still not permeated through all levels of the law enforcement agencies.

Another major lacuna in the existing legal system is that India does not have fast track courts in the field of IT. Foreign clients do not either have the time, patience or inclination to wait for years before any conviction can come through. India requires fast paced e-courts to deal with all information technology and data related cases.

Often we realise that getting a conviction for a cyber crime in India is a tall order. There are various reasons behind this strange phenomenon. Today, corporates are afraid to report their data breaches and other cyber crimes to the law enforcement agencies in order to avoid potential harassment at their hands.

It is high time that the Indian outsourcing industry comes together and sets up its own self-regulatory mechanisms.

The writer is a Supreme Court advocate specialising in cyber law