The primary Indian legislation that regulates data privacy is the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("I.T. Rules"), framed under Section 43A of the Information Technology Act, 2000. The I.T. Rules are administered by the Department of Electronics and Information Technology ("I.T. Department"). The I.T. Rules seek to regulate the collection, disclosure, transfer and storage of what is termed 'sensitive personal data or information' ("Protected Data").

Section 43A of the Information Technology Act, 2000 addresses the consequences of non-compliance by a recipient of Protected Data. A body corporate that is negligent in implementing and maintaining reasonable security practices and procedures, and thereby causes wrongful loss or wrongful gain to any person, is liable to pay damages by way of compensation to the person affected. Section 43A itself sets no upper limit on compensation; the commonly cited figure of Rs. 50,000,000 (Rupees 5 Crore or 50 million) is the pecuniary limit of the adjudicating officer's jurisdiction under Section 46, and claims above that amount lie with the competent civil court. Accordingly, with no exemptions and potentially large, uncapped liability, it is essential for each recipient of Protected Data to maintain compliance with the I.T. Rules.

PROTECTED DATA: WHO PROTECTS PROTECTED DATA?

The I.T. Rules are triggered upon possession, dealing, handling or storage of any 'sensitive personal data or information' of an individual by a body corporate. Protected Data is limited to certain data of natural persons; information about companies or other entities is not covered. While the I.T. Rules protect only individuals, the set of entities obliged to protect such data is wider than companies: the Explanation to Section 43A defines 'body corporate' to include a firm, a sole proprietorship and any other association of individuals engaged in commercial or professional activities. The I.T. Department's clarification of the I.T. Rules dated August 24, 2011 ("Clarification") further restricts the applicability of the I.T. Rules to a body corporate or person located within India.

In other words, the I.T. Rules capture Protected Data of individuals if such data is possessed or handled in India by not just a company but also a firm or an unincorporated entity.

WHICH TYPE OF DATA QUALIFIES FOR DATA PROTECTION?

Protected Data is referred to in the I.T. Rules as 'sensitive personal data or information'. Rule 3 of the I.T. Rules enumerates the categories of personal information that qualify: (i) passwords; (ii) financial information such as bank account, credit card, debit card or other payment instrument details; (iii) physical, physiological and mental health condition; (iv) sexual orientation; (v) medical records and history; (vi) biometric information; and (vii) any detail relating to the above that is provided to, or received by, a body corporate for providing a service or that is processed under a lawful contract. An important initial threshold is that the information must be 'personal information', defined as information relating to a natural person which, directly or indirectly, in combination with other information available or likely to be available with the body corporate, is capable of identifying that person. Information that is freely available in the public domain, or furnished under the Right to Information Act, 2005 or any other law, is expressly excluded from Protected Data.

The ambit of Protected Data is therefore fairly specific. The following are illustrations of Protected Data:

(i) Data inputs from subscribers of a health and fitness website or "app" (as these are likely to include medical history and health condition);

(ii) Debit/credit card details of purchasers on e-commerce websites, if stored; and

(iii) Passwords of registered users on websites.

PROTECTED DATA: OBLIGATIONS

Disclosure, collection and storage of Protected Data trigger several compliance requirements including continuing obligations. The primary obligations have been set out below in checklist form:

  • Consent [Rules 5(1), 5(3), 5(6) and 5(7)]: The I.T. Rules mandate that Protected Data can only be collected with the prior consent of the individual concerned, obtained in writing, and only for a lawful purpose connected with a function or activity of the body corporate. Individuals are entitled to withhold consent and to withdraw consent at any later point in time. Individuals are also entitled to review their Protected Data and to have inaccuracies corrected.

    When collecting Protected Data, the recipient has to make the individual aware of: (i) the fact that the information is being collected; (ii) the purpose for which it is collected; (iii) the intended recipients; and (iv) the name and address of the agency collecting and retaining it. Protected Data may be retained only for as long as the purpose requires, so if the data is to be stored, the period and manner of storage should be stated.

    Rule 5(1) contemplates consent in writing through a letter, fax or e-mail; the Clarification extends this to consent given by any mode of electronic communication.
  • Privacy policy [Rule 4]: A body corporate collecting, receiving, storing or handling Protected Data is required to issue, implement and publish on its website a privacy policy for Protected Data. The privacy policy must at the least address the following: clear and easily accessible statements of its practices; the type of personal or sensitive personal data collected; the purpose of collection and usage; the entities to whom the information may be disclosed; and the reasonable security practices and procedures implemented for safeguarding the Protected Data.
  • Grievance officer [Rule 5(9)]: Recipients of Protected Data are required to implement a mechanism for addressing any discrepancies and grievances of employees, customers or any other individuals providing or disclosing Protected Data. Any reported discrepancies or grievances are required to be resolved within one month from the date of receipt. For resolution of the reported discrepancies or grievances, recipients of Protected Data are required to appoint a grievance officer, whose contact details are required to be published on the website of the recipient of the Protected Data.
  • Security standards [Rules 5(8) and 8]: Recipients of Protected Data are required to implement 'reasonable security practices and procedures', meaning a comprehensively documented information security programme and information security policies containing managerial, technical, operational and physical security controls commensurate with the information assets being protected. Rule 8(1) names IS/ISO/IEC 27001 (the Bureau of Indian Standards adoption of the international ISO/IEC 27001 standard for information security management systems) as one such standard; Rule 8(2) allows an industry association or group to follow its own code of best practice if the code is approved and notified by the Central Government. No such alternative code appears to have been notified, so in effect an ISO 27001-aligned information security management system is the only recognised route to compliance. In the event of a security breach, the recipient is required to demonstrate, when called upon by the agency mandated under law, that it implemented the security controls set out in its documented programme and policies.
  • Permitted disclosures and transfers of Protected Data [Rules 6 and 7]: Under Rule 6, recipients of Protected Data can disclose the Protected Data to a third party only if one of the following conditions is met: (i) the prior permission of the concerned individual is obtained, or the disclosure was agreed to in the contract between them; (ii) the disclosure is to a Government agency mandated under law to obtain the information for purposes such as verification of identity or the prevention, detection and investigation of offences, which must request it in writing stating the purpose; or (iii) the disclosure is required by an order under the law for the time being in force. A third party receiving Protected Data is prohibited from disclosing it further [Rule 6(4)]. Under Rule 7, transfer of Protected Data to any other body corporate or person, whether within or outside India, is permissible only if that party ensures the same level of data protection that the recipient implements under the I.T. Rules, and only where the transfer is necessary for the performance of a lawful contract or the individual has consented to it. Data protection standards should therefore form an integral part of counter-party due diligence in transactions that could involve transfer of Protected Data, and should also be covered by representations and warranties in the definitive documentation.
  • There is no formal notification of jurisdictions whose data protection regimes are accepted as providing the 'same level of protection'; adequacy has to be assessed, and secured contractually, case by case. This rule therefore requires special consideration in cross-border acquisitions, joint ventures with foreign entities, and for entities that are part of a multinational group and routinely transfer information to affiliates.
    It is pertinent to note that the Clarification excludes the applicability of Rule 5 (i.e. collection of Protected Data, including consent) and Rule 6 (i.e. disclosure of Protected Data) for a body corporate that collects, stores, deals with or handles Protected Data under a contractual obligation with a legal entity located within or outside India, which is typically the position of an outsourced service provider. However, such exclusion does not absolve the original recipient of the Protected Data from complying with Rules 5 and 6.
  • Yearly audit [Rule 8(4)]: Recipients of Protected Data are required to have their reasonable security practices and procedures audited at least once a year, and additionally whenever they undertake a significant upgrade of their processes or computer resources. The audit is to be carried out by an independent auditor approved by the Central Government.

CONCLUDING NOTE

Data privacy laws in India require disciplined and continuing compliance. The principles of data privacy law also have to be considered when drafting transactions, including routine contractual arrangements, as well as internal corporate documentation such as employment agreements. The scope of data privacy law is fairly wide because there is no materiality threshold with respect to either the quantum of Protected Data or the scale of operations of the data recipient (e.g. no relaxations for companies employing fewer than a certain number of employees, or for firms or sole proprietorships with revenues below a specified amount). Further, there is no exemption for related-party data transfers or data transfers in the ordinary course of business.

Assisted by Anshul Roy, National Law School of India University, Bangalore '2016

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.