PROTECTION OF DATA BASES AND INDIA
Author: K. Mihira Chakravarthy, I year of B.A.,LL.B from Damodaram Sanjivayya National University (DSNLU).
Database is a structured collection of data which can be used to access, manage, control and modify easily. The protection of database is important because there would be infringement of the data when there is a cyber-attack on it. Databases are protected by three following ways:
Copyrights Act: To protect the originality and authorship, the database is secured under Copyrights Act. However, in many circumstances, the databases don’t qualify basic conditions to be protected under this act, as they might not contain intellectual skills involved.
Sui generis property right: Database rights are similar to copyrights but it gives protection to the databases for recognizing the investment put in it. Creativity isn’t required for it.
Contracts: The database can be used by the others when there’s a license which is issued by the owner of the property. The issuing of license doesn’t affect the ownership of the database.
There are private and public databases. Private database contains confidential information like individual facts, statistics, or items of information which are mostly numeric. While the public databases can be accessed by all.
For instance, if a company’s database is breached then all the data and statistics could be analyzed and its rivals would take advantage and cause huge loss to the company as they can guess their next step and also there would be security threat to its customers’ data which leads to breach of trust. In case of the databases like Public Libraries, data will be available for everyone to access it. Government web portals partially allow the public to access the databases and the confidential data related to defense, army and the economy wouldn’t be allowed to access.
Global conventions like WIPO Copyright Treaty adopted at Geneva, BERNA, seek to protect the data globally, promote originality and prevent the data breach.
International Conventions and A few International Laws
There are three international agreements that consequently protect databases. They are:
Berne Convention: It’s an international agreement with the 179 contracting party countries, regarding the protection of Literary and Artistic works in 1886. Most of the countries that participated in this were also the members of Paris Convention 1971. The Article 2(5) of the convention restricts itself to Collections of literary or artistic works such as encyclopedias and anthologies which, by reason of the selection and arrangement of their contents, constitute intellectual creations shall be protected as such, without prejudice to the copyright in each of the works forming part of such collections. Databases were not mentioned directly in the article but they were included, in the ‘literary and artistic work’.
TRIPS: Trade Related Aspects of Intellectual property rights is multilateral agreement accepted by many nations which were in Berne Convention and World Trade Organization (WTO), which was signed in 1994 and was came into effect from 1995. Under Article 10.2, the protection of data was mentioned as compilation of data which is either machine readable or not, must be protected. It is also said that it agrees with the Berne’s Art 2 (5) and it’s just an advancement made by labelling it as ‘Intellectual creation’ which is protected under the linguistic and artistic works.
Copyright Treaty: This treaty was signed in 1996, Geneva and came into effect in 2002. It was a WIPO Treaty concerning the issue of the protection of database in digital environment where, Article 5 of the treaty protects the compilation of data (databases) that incorporate copyrightable authorship. The provisions concern the electronic dissemination of copyrights, restrictions on manufacture, sui generis protection etc. In August 2021, there totally were 110 countries contracting under this treaty. The WCT and WIPO Performances and Phonograms Treaties are called together as WIPO ‘Internet Treaties’.
Sui Generis database rights are the rights that protect the databases on an overall basis without the condition of ‘creativity’. EU Database Directive was implemented and even UK was also included in it, which gave protection to European Economic Area (EAA). Later in 2021, UK split its way creating its own directive, ‘Copyrights and Rights in Databases Regulation’ where there would be protection only to the citizens of that nation.
General Database Protection Regulation is the toughest privacy and security law by the European Union. Though it was drafted and passed by the legislation, it was stopped by the disagreement of a few organizations. The GDPR came into effect on May 25, 2018. The penalties are up to 10 million euros in case of any data breach. The regulation is applicable of the other nations when they’re dealing with the EU citizens. Many other nations like Japan, UK, South Korea etc., are following the similar kind of directives and rules to protect the data. A few articles that protect the data are:
Article 4 of the regulation consists of precise definition of data, controller, data subject, processing and processor.
Article 48 states that any judgement of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may not be recognized or enforceable in any manner unless based on an international agreement, like a mutual legal assistance treaty in force between the requesting third (non-EU) country and the EU or a member state.
The lead authority thus acts as a "one-stop shop” to supervise all the processing activities of that business throughout the EU (Articles 46–55 of the GDPR).
US Privacy Laws
Unlike the GDPR of the European Union, US has multiple data privacy laws which protect the nation. They are:
HIPAA: Health Insurance Portability and Accountability Act covers the data between the patient and the covered entities like the doctors, pharmacies, hospitals etc., It has very little to do with the data protection. It doesn’t protect the data of the people from Fitbits and doesn’t restrict the information to know about the COVID vaccination status.
FCRA: The Fair Credit Reporting Act, limits the information the that the credit bureaus can collect for the credit purposes.
FERPA: Family Educational Rights and Privacy Act, limits people to ask for the educational details of the students and people who are eligible to collect the information of the student is: the school, the student’s parents, student him/herself, eligible students and other schools for the verification purposes.
The Glamm Leach Bliley Act (GLBA) requires consumer financial products, such as loan services or investment-advice services, to explain how they share data, as well as the customer’s right to opt out.
ECPA: The Electronic Communications Privacy Act, restricts the government from wiretapping the telephones and electric devices. It also sets the rules for the amount of monitoring the employee information by the employees.
COPPA: The Children’s Online Privacy Protection Act is a US Federal law which protects children under 13 years from the companies, collecting data from them.
The Video Privacy Protection Act (VPPA) averts the disclosure of VHS rental records.
One of the most important cases regarding the database protection by the copyrights is:
Feist Publications, Inc. v. Rural Telephone Service Co
The judgement was given by the Supreme Court of United states. The Rural, filed a case of copyright infringement against Feist Publications. Where the court established that the information alone can’t be enough to claim copyrights, it also requires minimum amount of creativity and the telephone listings weren’t qualified to procure the damages. While the doctrine ‘sweat of the brow’, which gave copyrights to the anyone who invested a lot of time, energy and investment in it.
The Justice Sandra Day O’Connor gave her ruling that the United States runs on 2 principles which are established:
Sine Qua Non is the Originality.
Rural claimed the collection of copyright in its telephone directory and also mentioned the doctrine “sweat of the brow” which means “industrious collection” which is “promote Useful Arts and Progress of Science” that’s to encourage creative expression.
Despite the Rural spent a lot of money and time in collecting the data as it didn’t have an element of originality in it and was irrelevant to the copyrights. Thus, Rural’s copyright claim was dismissed.
DATABASE PROTECTION LAWS IN INDIA
Contracts Act 1872:
When the parties enter a contract, business entities require protection under the common law and the contract law. When Indian companies act as data exporters and the other nation company act as data exporters, these contracts would be binding and under the national legislation. There are clauses in case of breach of contract and remedies are to be availed through alternate dispute resolution, by arbitration, conciliation and mediation.
Database protection under copyrights, 1957:
The databases are protected under the copyrights where the infringement may be punishable both in civil and a criminal way. Following the Berne convention and the TRIPS agreement, ‘Computer database’ is treated as a ‘literary work’.
The factor that India still follows ‘sweat of the brow’ doctrine which gives copyrights for the time, energy and money invested upon the work and the originality of it. Nevertheless, the copyright requires minimum amount of creativity (i.e., Modicum of creativity).
Information Technology Act, 2000:
On 17th May 2000, Both the Houses approved the IT bill and on June 9th 2000 the Act was passed. The database protection was mentioned in Section 43, which protects the database from the infringement and also the compensation to be paid not exceeding 1 crore if a person without the consent of the owner downloads, copies, extracts the data from a computer. The section defines ‘database’ as representation of information, knowledge, fact-based works, concepts or instructions prepared in a formalized manner. Section 72 of this act protects the data of the party involved in a contract in case of breach. According to the section, the data breacher will be liable and must pay compensation not exceeding 5lacs or imprisonment of 3years or both.
Information Technology (Reasonable Security Practices and procedures and sensitive personal data or information) Rules, 2011:
The Section 43A states the protection of sensitive personal data or information. If a body of corporate contains the sensitive data of the people, it needs to take safety precautions and procedures to safe guard it. In case of breach, the body has to pay compensation for the people whose data is leaked.
The following will be categorized under Sensitive Personal Data:
Psychological, Physiological, Physical health conditions
Financial information like bank account number, credit card, debit card etc.
Medical records and history
Rule 3 of the 2011 Rules has two more entries, which are as follows:
any detail relating to the above clauses as provided to body corporate for providing service
any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.
Personal Data Protection Bill:
In July 2017, the Supreme Court of India said that privacy was a fundamental right under Article 21- Right to life and personal liberty and the breaching of personal information led to violation of fundamental right. A committee of experts headed by Justice B.N. Srikrishna was formed to observe the problems related to the Data protection in India. A bill was drafted in 2018 and presented before the Parliament in 2019. But it is still in the observatory stage by the Joint Parliamentary Committee and yet to become an Act.
The present bill supports the IT Act 2000 and IT 2011 Rules and makes the data protection rules more stringent. No company prior the consent of the customer must not be allowed to share his/her data to the third party. The IT rules are applicable only to the Companies but not the Government.
The government can access the data of an individual in case of the clear, specific and lawful purpose. The personal data can be procured if it is required by the state to grant something, for the legal proceedings and to respond to medical emergency.
If there’s an infringement of personal data, an individual can approach the Data Protection Authority which the Bill sets up. If the individuals aren’t okay with the data fiduciaries, they can file the case to the Tribunal which directs it to the Supreme Court of India.
Indian Data Breach Cases
Aadhar Data Breach Case:
In 2018, the Aadhar Card data breach happened and more than 1.1 billion Aadhar card holders’ personal data was breached from UADAI where the biometric and demographic data was also collected. The Tribune newspaper reported that 10,000 Ex- employees of Ministry of Electronics and Information Technology had access to the database and even the LPG had access to the private information of the Aadhar Holders. The WEF Global Risk Report deemed it to be the one of the world’s largest cases.
Air India Data breach case:
On May 21, 2021 there was a database breach case of Air India where more than 4.5 million customers’ passport, visa, credit card and personal information was compromised.
Big Basket Case:
In November 2020, 2 Crore users’ data was leaked and it was done by an SQL link and by clicking that link, the database was accessed by the breacher. The data was put to sale on dark web for 30 lacs. The Big Basket Company approached the Bengaluru Cyber Cell and the breach is still under investigation.
Domino’s India data breach case:
On May 2021, the Domino’s India, subsidiary of Jubilant Food works, 18 crore orders were leaked on the dark web including the order details, phone numbers, emails etc.
The databases are important sources as the technology is growing day by day and a lot of information is being stored online, where there are many thefts despite the security and the care that’s being taken. When a nation prepares laws on the data protection, people find loopholes to get through them and access the data and it is important to make more stringent laws and regulations to safeguard the databases and fact-based works.
The laws that protect the databases and data from being breached, have a major role to play in the tech savvy world. It is important to protect the data of the people, companies from falling into others hands without their permission as they spend a lot of time and investment on them.
As the Supreme Court quotes that Article 21 is about right to life and liberty, which includes right to privacy too, according to K.S. Puttaswamy case v. Union of India. When the personal data or any data that is being unauthorizedly accessed, wouldn’t that amount to the infringement of Fundamental right?
India has been developing itself in protecting its data for individuals and in future it would also be protecting the nation’s company databases and help the economy improve. When compared to GDPR, India lacks in building up itself. The Personal Data Protection Bill is a one step forward to the connection with the corporate entities and foreign nations by linking the personal data infringement in case of data breach or unauthorized access towards an individual’s data even if it’s a foreign country, it would be bound to follow the rules if the bill is made to an Act.