Cover Page Data Security

The document discusses data security, including disk encryption, software vs hardware based security mechanisms, backups, data masking, data erasure, and international laws and standards regarding data protection. It provides details on how hardware-based security works to prevent unauthorized access and corruption of data. The document also discusses recent efforts in India towards strengthening data protection, including proposed amendments to the IT Act to require reasonable security practices for handling sensitive personal data.

FACULTY OF LAW

DATA SECURITY
SBP & CO. VS Patel Engineering Ltd. (2005)

LAW AND IT

SUBMITTED TO:-

DR. GHULAM YAZDANI

B.A.LL.B (HONS)
AASIF SHAH
SECTION-B
CLASS ROLL NO. 40
Table of Contents

SNO.  Contents                                                                                   Page No.

1)  List of Cases                                                                                 2

2)  Introduction                                                                                  3-4

3)  Power of Chief Justice under Section 11(6) whether Administrative or Judicial                 4-6

4)  Judicial Decisions regarding whether power under Section 11(6) of Chief Justice is
    Administrative or Judicial power                                                              6-12

5)  Effect of SBP & Co. v. Patel Engineering Ltd. Judgement                                       13-17

6)  Changes brought by the Arbitration Amendment Act, 2015                                        17-18

7)  Conclusion                                                                                    18

8)  Bibliography                                                                                  19

Page | 2
DATA SECURITY

Data security means protecting digital data, such as the contents of a database, from
destructive forces and from the unwanted actions of unauthorized users, for example a
cyberattack or a data breach. In practice it covers three properties: confidentiality (the
data is not disclosed), integrity (it is not altered) and availability (it can still be
recovered when needed).

Disk encryption

Disk encryption refers to encryption technology that encrypts the data on a hard disk drive
(or solid-state drive) sector by sector, so that what is stored on the medium is ciphertext
while the software above the encryption layer still sees ordinary files. Disk encryption
typically takes the form of either software (see disk encryption software) or hardware (see
disk encryption hardware). Because every sector is encrypted as it is written and decrypted
as it is read, with no separate encrypt step visible to the user, disk encryption is often
referred to as on-the-fly encryption (OTFE) or transparent encryption. It protects data at
rest: once the disk has been unlocked, any process running on the system reads plaintext as
usual.

Software versus hardware-based mechanisms for protecting data

Software-based security solutions encrypt the data to protect it from theft. Encryption
protects confidentiality, however, not integrity or availability: a malicious program or an
attacker with write access to the disk does not need the key to corrupt the ciphertext, and
corrupted sectors decrypt to garbage, which can make the data unrecoverable and the system
unusable. Hardware-based security solutions can refuse read and write access to the data at
the device itself, below the operating system, and hence offer stronger protection against
tampering and unauthorized access.
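The following Go program is an added example, not part of the original document, that shows both points above: a transparent encryption layer that encrypts each sector as it is written and decrypts it as it is read, and what happens when something with write access to the disk, but no key, flips one bit of ciphertext. It uses the Go standard library only; the in-memory backing store, the "ACCOUNT BALANCE 1000" record and the use of AES-CTR with a sector-number IV in place of the AES-XTS mode real products use are all choices made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

const SectorSize = 512 // the unit the layer encrypts in, as a real disk would

// EncryptedDisk is a toy on-the-fly encryption layer: callers read and write
// plaintext sectors, while the backing store (an in-memory stand-in for a
// block device) only ever holds ciphertext.
type EncryptedDisk struct {
	block   cipher.Block
	backing [][]byte
}

// NewEncryptedDisk takes a 16, 24 or 32-byte AES key. Where the key comes from
// (passphrase derivation, a TPM, a token) is outside this example.
func NewEncryptedDisk(key []byte, sectors int) (*EncryptedDisk, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	d := &EncryptedDisk{block: blk, backing: make([][]byte, sectors)}
	for i := range d.backing {
		d.backing[i] = make([]byte, SectorSize)
	}
	return d, nil
}

// sectorIV ties the keystream to the sector number, so equal plaintext in two
// sectors does not give equal ciphertext (real disk encryption uses AES-XTS
// for this; CTR with a per-sector IV shows the idea with the standard library).
func sectorIV(n uint64) []byte {
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(iv[8:], n)
	return iv
}

func (d *EncryptedDisk) check(n uint64, buf []byte) error {
	if n >= uint64(len(d.backing)) {
		return fmt.Errorf("sector %d out of range", n)
	}
	if buf != nil && len(buf) != SectorSize {
		return fmt.Errorf("sector must be %d bytes, got %d", SectorSize, len(buf))
	}
	return nil
}

// WriteSector encrypts plain and stores only the ciphertext.
func (d *EncryptedDisk) WriteSector(n uint64, plain []byte) error {
	if err := d.check(n, plain); err != nil {
		return err
	}
	ct := make([]byte, SectorSize)
	cipher.NewCTR(d.block, sectorIV(n)).XORKeyStream(ct, plain)
	d.backing[n] = ct
	return nil
}

// ReadSector decrypts on the fly. Nothing here detects modification: whatever
// state the ciphertext is in, it decrypts without complaint.
func (d *EncryptedDisk) ReadSector(n uint64) ([]byte, error) {
	if err := d.check(n, nil); err != nil {
		return nil, err
	}
	pt := make([]byte, SectorSize)
	cipher.NewCTR(d.block, sectorIV(n)).XORKeyStream(pt, d.backing[n])
	return pt, nil
}

// RawSector is what someone holding the bare disk, but not the key, sees.
func (d *EncryptedDisk) RawSector(n uint64) []byte {
	return append([]byte(nil), d.backing[n]...)
}

// CorruptRaw flips bits in the stored ciphertext, modelling a malicious program
// with write access to the disk but no key. With CTR the same bits flip in the
// plaintext (with XTS a whole 16-byte block scrambles); either way the next
// read succeeds and nothing raises an alarm.
func (d *EncryptedDisk) CorruptRaw(n uint64, offset int, mask byte) {
	d.backing[n][offset] ^= mask
}

func main() {
	key := make([]byte, 32)
	_, _ = rand.Read(key) // crypto/rand; never fails on supported platforms
	d, err := NewEncryptedDisk(key, 8)
	if err != nil {
		panic(err)
	}
	record := make([]byte, SectorSize)
	copy(record, "ACCOUNT BALANCE 1000") // constructed sample record
	_ = d.WriteSector(1, record)
	d.CorruptRaw(1, 16, 0x01) // flip the low bit of the '1' in "1000"
	got, _ := d.ReadSector(1)
	fmt.Printf("after tampering: %q\n", got[:20]) // "ACCOUNT BALANCE 0000"
}
```

Run it with go run. The tampered sector decrypts to ACCOUNT BALANCE 0000 with no error, which is exactly the "corrupt the data to make it unrecoverable" case: encryption alone gives no integrity, so a malicious program does not need the key to damage the data. The software remedy is an authenticated layer (a MAC per block, or a verified filesystem) above the encryption; the hardware approach described in the following paragraphs removes the write access instead.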

Hardware-based or hardware-assisted computer security offers an alternative to software-only
computer security. Security tokens such as those using PKCS#11 may be more secure because
compromising them requires physical access. Access is enabled only when the token is
connected and the correct PIN is entered (see two-factor authentication). However, a dongle
that requires no PIN can be used by anyone who gains physical possession of it. Newer
hardware-based technologies, such as tokens with PIN retry limits or built-in biometric
verification, narrow this exposure considerably, although no scheme should be described as
foolproof: while the token is connected, a compromised host can still ask it to sign or
decrypt on the attacker's behalf, so the token protects the key, not every use of it.

Working of hardware-based security: a hardware device allows a user to log in, log out and
set different privilege levels through manual actions on the device itself. The device uses
biometric technology to stop malicious users from logging in, logging out or changing
privilege levels. The current state of the user of the device is read by controllers in
peripheral devices such as hard disks, and access that does not match that state, whether
attempted by a malicious user or a malicious program, is refused by the hard-disk or DVD
controller before any data is returned. Hardware-based access control of this kind is more
robust than protection provided by the operating system, because the operating system is a
large body of software exposed to viruses and attackers, and once it is compromised the data
on the disks can be read or corrupted. With hardware-based protection, software cannot change
the user's privilege level, so an attacker or malicious program that has taken over the
operating system still cannot reach data the hardware keeps locked or perform privileged
operations the current state does not allow. This guarantee rests on two assumptions: that
the hardware itself is not malicious and contains no backdoor, and that its firmware is
correct, since a bug in the controller is as good as a backdoor. The hardware also protects
the operating-system image and file-system privileges from being tampered with. A
combination of hardware-based security and sound system-administration policies therefore
yields a system whose data-protection guarantees do not depend on the operating system
remaining intact, which is a much stronger position than software alone, though not a
"completely secure" one.

Backups

Backups are used to ensure that data which has been lost can be recovered from another
source. Keeping a backup of any data is considered essential in most industries, and the
practice is recommended for any files of importance to a user. A backup is only worth what a
restore from it proves: restores should be tested regularly, and at least one copy should be
kept offline or otherwise out of reach of the credentials that can delete the original, so
that whatever destroys the primary data (ransomware, a compromised administrator account, a
mistaken bulk deletion) cannot also destroy the copy.

Data masking

Data masking of structured data is the process of obscuring (masking) specific data within
a database table or cell so that data security is maintained and sensitive information is
not exposed to unauthorized personnel. This may include masking the data from users (for
example so that banking customer representatives can see only the last four digits of a
customer's national identity number), from developers (who need realistic production-like
data to test new software releases but should not be able to see sensitive financial data),
from outsourcing vendors, and so on. A masked copy is only as good as the masking rule: the
original must not be recoverable from the masked value, and where several tables are masked
the same input should map to the same masked value so that the data still joins.
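An added example, not taken from the document, of the masking rules the paragraph describes, in Go with the standard library only. The Customer record, the role names "support" and "developer", the assumed HMAC key and the example.test domain are all constructed for the illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Customer is a constructed record with the fields the text mentions.
type Customer struct {
	Name, NationalID, Email string
	BalanceCents            int64
}

// MaskLastN hides all but the last keep characters. A value no longer than keep
// is masked entirely, so a short or malformed identifier is never shown whole.
func MaskLastN(s string, keep int) string {
	r := []rune(s)
	if len(r) <= keep {
		return strings.Repeat("*", len(r))
	}
	hidden := len(r) - keep
	return strings.Repeat("*", hidden) + string(r[hidden:])
}

// MaskEmail keeps the first character of the local part and the domain; the
// fixed-width mask also hides how long the local part was.
func MaskEmail(addr string) string {
	at := strings.LastIndex(addr, "@")
	if at < 1 {
		return "****"
	}
	return string([]rune(addr[:at])[0]) + "****" + addr[at:]
}

// Pseudonym maps a value to n decimal digits using HMAC-SHA256 under a secret
// key. Equal inputs give equal outputs, so rows still join across masked tables,
// but without the key the original cannot be recovered or guessed; a plain hash
// of a national ID would fall to brute force over the small ID space.
func Pseudonym(key []byte, value string, n int) string {
	out := make([]byte, n)
	var sum []byte
	for i := 0; i < n; i++ {
		if i%sha256.Size == 0 { // extend the output for fields longer than one digest
			mac := hmac.New(sha256.New, key)
			mac.Write([]byte(value))
			mac.Write([]byte{byte(i / sha256.Size)})
			sum = mac.Sum(nil)
		}
		out[i] = '0' + sum[i%sha256.Size]%10
	}
	return string(out)
}

// MaskForRole returns the view a role is allowed to see. A role without a
// policy gets nothing, not the raw record.
func MaskForRole(c Customer, key []byte, role string) (Customer, error) {
	switch role {
	case "support": // confirms identity from the last four digits, never the whole number
		return Customer{
			Name:         c.Name,
			NationalID:   MaskLastN(c.NationalID, 4),
			Email:        MaskEmail(c.Email),
			BalanceCents: c.BalanceCents,
		}, nil
	case "developer": // realistic and joinable, but not a real person and no financial data
		return Customer{
			Name:         "Customer " + Pseudonym(key, c.Name, 5),
			NationalID:   Pseudonym(key, c.NationalID, len([]rune(c.NationalID))),
			Email:        "user" + Pseudonym(key, c.Email, 6) + "@example.test",
			BalanceCents: 0,
		}, nil
	}
	return Customer{}, fmt.Errorf("no masking policy for role %q", role)
}

func main() {
	key := []byte("keep-this-in-production-only") // assumed secret, not a real key
	c := Customer{"Alice Example", "123456789012", "alice@example.com", 150000}
	for _, role := range []string{"support", "developer", "intern"} {
		v, err := MaskForRole(c, key, role)
		fmt.Printf("%-9s %+v %v\n", role, v, err)
	}
}
```

Two design points. The support view keeps the real balance because that role needs it, but never shows more than four digits of the identifier, and a value shorter than four characters is masked completely rather than leaked whole. The developer view replaces identifiers with HMAC-derived pseudonyms: because the mapping is deterministic, a masked customers table still joins to a masked transactions table on the same masked ID, but without the key (which stays in production and never ships with the masked copy) the real number cannot be reversed. A keyed construction matters here; an unkeyed SHA-256 of a 12-digit number is recovered in minutes on commodity hardware by hashing all 10^12 candidates.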

Data erasure

Data erasure is a method of software-based overwriting that destroys all electronic data
residing on a hard drive or other digital media, so that no sensitive data can be recovered
when an asset is retired or reused. Simply deleting files or reformatting is not erasure:
both leave the data in place until it happens to be overwritten. Two caveats matter in
practice. Overwriting is reliable on magnetic disks, where a logical block always maps to
the same physical location, but on solid-state drives wear levelling may leave old copies
of a block in cells the overwrite never touches, so the drive's own sanitize command, or
cryptographic erasure (destroying the key of an encrypted volume), is the appropriate tool
there. And an overwrite should be verified by reading the media back, not assumed.
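An added example, not from the document, of software-based overwriting in Go with the standard library only: three passes (random, all-ones, all-zeros) over a file, a sync after each pass, a read-back verification of the final pass, and then unlinking. The pass count and patterns are choices for the illustration, and the file it creates is a constructed sample.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"fmt"
	"io"
	"os"
)

// Pass patterns: -1 is random bytes; the last pass is zeros so that the result
// can be checked by reading the file back.
var passes = []int{-1, 0xFF, 0x00}

func fill(buf []byte, pattern int) error {
	if pattern < 0 {
		_, err := rand.Read(buf)
		return err
	}
	for i := range buf {
		buf[i] = byte(pattern)
	}
	return nil
}

// writePass covers the first size bytes of f with one pattern and syncs, so the
// old contents leave the device and not merely the OS cache.
func writePass(f *os.File, size int64, pattern int) error {
	if _, err := f.Seek(0, io.SeekStart); err != nil {
		return err
	}
	buf := make([]byte, 64*1024)
	for left := size; left > 0; left -= int64(len(buf)) {
		if left < int64(len(buf)) {
			buf = buf[:left]
		}
		if err := fill(buf, pattern); err != nil {
			return err
		}
		if _, err := f.Write(buf); err != nil {
			return err
		}
	}
	return f.Sync()
}

// verifyZero reads the file back and confirms the zero pass reached every byte.
func verifyZero(f *os.File, size int64) error {
	if _, err := f.Seek(0, io.SeekStart); err != nil {
		return err
	}
	data, err := io.ReadAll(f) // adequate for an example; stream this for large files
	if err != nil {
		return err
	}
	if zeros := bytes.Count(data, []byte{0}); int64(len(data)) != size || zeros != len(data) {
		return fmt.Errorf("verification failed: %d bytes read back, %d of them zero", len(data), zeros)
	}
	return nil
}

// Overwrite runs every pass over a regular file in place, verifies the final
// pass and returns the number of bytes overwritten. Refusing anything but a
// regular file stops it being pointed at a directory or a device node.
func Overwrite(path string) (int64, error) {
	f, err := os.OpenFile(path, os.O_RDWR, 0)
	if err != nil {
		return 0, err
	}
	defer f.Close()
	info, err := f.Stat()
	if err != nil {
		return 0, err
	}
	if !info.Mode().IsRegular() {
		return 0, fmt.Errorf("%s: not a regular file", path)
	}
	for _, p := range passes {
		if err := writePass(f, info.Size(), p); err != nil {
			return 0, err
		}
	}
	if err := verifyZero(f, info.Size()); err != nil {
		return 0, err
	}
	return info.Size(), nil
}

// Erase overwrites the file and then unlinks it.
func Erase(path string) (int64, error) {
	n, err := Overwrite(path)
	if err != nil {
		return 0, err
	}
	return n, os.Remove(path)
}

func main() {
	f, err := os.CreateTemp("", "retired-*") // constructed sample file
	if err != nil {
		panic(err)
	}
	f.WriteString("customer export, not to be kept\n")
	f.Close()
	fmt.Println(Erase(f.Name()))
}
```

This is file-level erasure, which is enough for the case the example shows but not for a disk being retired: it does not reach copies in filesystem journals, snapshots, swap or earlier backups; copy-on-write filesystems may write the "overwrite" to a fresh location and leave the old blocks intact; and on an SSD wear levelling can do the same at the flash level. For a whole device the right tools are the drive's built-in sanitize or secure-erase command, or cryptographic erasure of an encrypted volume. The read-back check is still the habit to keep, whichever method is used.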

International laws and standards

International laws

In the UK, the Data Protection Act is used to ensure that personal data is accessible to
those whom it concerns, and it provides redress to individuals if there are inaccuracies.
This is particularly important for ensuring that individuals are treated fairly, for
example for credit-checking purposes. The Act provides that only individuals and companies
with legitimate and lawful reasons may process personal information, and that personal
information may not be shared without such a basis. Data Privacy Day is an international
observance, started by the Council of Europe, that takes place every January 28.

The General Data Protection Regulation (GDPR) of the European Union (EU) was adopted in
2016 and has applied since 25 May 2018. Organizations that do not comply face penalties of
up to €20 million or 4% of their annual worldwide turnover, whichever is higher. GDPR is
intended to force organizations to understand their data privacy risks and take the
appropriate measures to reduce the risk of unauthorized disclosure of consumers' private
information.

International standards

The international standards ISO/IEC 27001:2013 and ISO/IEC 27002:2013 cover data security
under the topic of information security, and one of their cardinal principles is that all
stored information, i.e. data, should have an owner, so that it is clear whose
responsibility it is to protect and control access to that data. The following are examples
of organizations and standards that help strengthen and standardize computing security:

The Trusted Computing Group is an organization that helps standardize computing security
technologies.

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary international
information security standard for organizations that handle cardholder information for the
major debit, credit, prepaid, e-purse, ATM and POS (Point Of Sale) cards.

The General Data Protection Regulation (GDPR), proposed by the European Commission and in
force across the EU since 2018, strengthens and unifies data protection for individuals
within the European Union (EU), whilst also governing the export of personal data outside
the EU.

RECENT EFFORTS IN INDIA TOWARDS DATA PROTECTION

Instances of data theft have compelled both the government and the industry to remedy the
situation as a response to international pressure, in terms of providing some sort of
framework for data protection. Some of these efforts are discussed below.

A. Proposed Amendments to the IT Act

In view of growing concerns raised by recent instances of data theft, the Ministry of
Information Technology proposed certain amendments to the IT Act, 2000. One such amendment,
pertinent to data protection, is the proposed insertion of a new Section 43A, under which
sensitive personal information would have to be handled with reasonable security practices
and procedures. The proposed amendment reads as follows:

43A. Where a body corporate, possessing, dealing or handling any sensitive personal data
or information in a computer resource which it owns, controls or operates, is negligent in
implementing and maintaining reasonable security practices and procedures and thereby
causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to
pay damages by way of compensation not exceeding five crore rupees, to the person so
affected.

Explanation:

(i) ‘body corporate’ means any company and includes a firm, sole proprietorship or other
association of individuals engaged in commercial or professional activities;

(ii) ‘reasonable security practices and procedures’ means security practices and procedures
designed to protect such information from unauthorized access, damage, use, modification,
disclosure or impairment, as may be specified in an agreement between the parties or as
may be specified in any law for the time being in force and in the absence of such
agreement or any law, such reasonable security practices and procedures, as may be
prescribed by the Central Government in consultation with such professional bodies or
associations as it may deem fit;

(iii) ‘sensitive personal data or information’ means such personal information as may be
prescribed by the Central Government in consultation with such professional bodies or
associations as it may deem fit.

This has taken the form of Clause 20 of the Information Technology (Amendment) Bill, 2006.
However, nothing in the proposed amendments deals with crucial aspects of data protection
such as the processing of personal data, the handling of sensitive personal data, the
conditions under which data may be collected from an individual, the precautions to be
taken while collecting data, the confidentiality and security of processing of the data
collected, and so on. At the time of writing the proposed amendments had not yet
materialized into new provisions under the IT Act and had only recently received the
comments of the Standing Committee on Information Technology. (Section 43A was subsequently
inserted by the Information Technology (Amendment) Act, 2008, without the five crore rupee
ceiling on compensation, and the Information Technology (Reasonable Security Practices and
Procedures and Sensitive Personal Data or Information) Rules, 2011 now define both
‘reasonable security practices’ and ‘sensitive personal data’, naming ISO/IEC 27001 as one
acceptable standard.)

B. The Data Security Council of India

The National Association of Software and Services Companies (NASSCOM) has set up a
self-regulatory initiative in data security and privacy protection called the Data Security
Council of India (DSCI). What led to the establishment of the DSCI is the continuing
effort by NASSCOM to ensure that the Indian information technology industry has a safe
environment that can be benchmarked with the rest of the world.[viii]

The DSCI is a self-regulatory body established under the premise that the industry, rather
than the government, is best positioned to develop appropriate data privacy and security
standards as it has greater knowledge and better understanding of the practical commercial
issues involved. It is felt that such an approach would allow the DSCI to evolve and
effectively respond to global developments. The DSCI would adopt global standards in
order to move towards this end, initially focussing on establishing its membership and
evolving a code of conduct by promoting a culture of privacy. Initially, the DSCI would
promote and encourage voluntary compliance with the code of conduct, gradually creating
a mechanism for enforcement of the same in an effort to establish its credibility.[ix]

The DSCI is envisaged as a non-profit organisation, with its governing body having an
adequate representation of independent directors and industry specialists. Organisations
associated with data security and privacy protection such as Information Technology (IT)
and Information Technology enabled Services (ITeS) companies, academic or research
institutions and universities can also become members of the DSCI.

C. ‘Do Not Call’ Registry

Effective from October 2007, TRAI put in place the National ‘Do Not Call’ Registry (NDNC),
with the primary objective of curbing unsolicited commercial communication (UCC). The
Telecom Unsolicited Commercial Communications Regulations, 2007, define UCC as “any
message, through telecommunications service, which is transmitted for the purpose of
informing about or soliciting or promoting any commercial transaction in relation to goods,
investments or services which a subscriber opts not to receive.”[x] Exceptions to UCC are
messages received under a contract, communications relating to charities etc., and
communications transmitted under the directions of the government in the interest of the
sovereignty and integrity of India. The NDNC register is, therefore, a database containing
the list of all telephone numbers of subscribers who do not wish to receive UCC.

CONCLUSION

A reading of the report of the Standing Committee on Information Technology on the
proposed amendments to The IT Act concerning data protection makes it clear that while
the industry and the legislators are familiar with terms like ‘personal data’, ‘sensitive
personal data’, ‘personal privacy’, ‘data privacy’ and so on, there is a lot of ambiguity as
to how these terms should be interpreted for effective data protection in India. Without an
in-depth understanding of the industry’s needs and what is involved in the protection of
data and data privacy in India, all the above efforts will remain mere efforts. Nor would
attempts to do patchwork on existing legislation, so as to protect data, meet the current
need for a legal framework. Emulating the European example of data protection by
distinguishing it from protection of e-commerce transactions would undoubtedly place
India on the global map when it comes to data protection. Besides, it would also create a
safe environment for foreign companies to invest in India. Till then, it needs to be seen
how long the off-shoring industry is going to indulge India’s baby steps towards data
protection.

The rise of the networked information economy and its contributions to both freedom and
development seem to be an important and immediate conclusion of a systematic study of
law and technological change in our age. We are in the midst, however, of a series of deep
transformations in how we produce information, knowledge and culture and how these
elements of human knowledge will be applied to improve the human condition. The next
few decades will offer more opportunities to do the right thing, as well as to go wrong.
Incumbents will generally try to optimise law to protect their rents and business models.
But in order to diagnose the likely benefits or costs of new practices, and, as a
consequence, of the laws that will be proposed and opposed along the fault lines of these
transformations, one must have a good analytical basis from which to evaluate both the old
and the new and the stakes of the transition from one to the other. This is why the study of
law and technology will be central to the understanding of human flourishing, welfare and
freedom for many years to come.

Bibliography

Primary Sources

Acts referred:

1) Information Technology Act, 2000.

2) Telecom Unsolicited Commercial Communications Regulations, 2007, Regulation 2(q).

Secondary Sources

Websites referred:

1) See Data Security Council of India (DSCI), available at
http://www.nasscom.in/Nasscom/templates/NormalPage.aspx?id=51973.

2) See Data Security Council of India: A Self-Regulatory Initiative in Data Security and
Privacy Protection, available at http://www.nasscom.in/upload/5216/Datasecurity.pdf
(setting out the objectives of the Council in the guiding principles).
