India: Transfer Of Data Out Of India - Implications Under Information Technology (IT) & Data Privacy Laws

Last Updated: 28 March 2019
Article by Vijay Pal Dalmia, Partner

By Vijay Pal Dalmia, Advocate
Supreme Court of India & High Court of Delhi
Mobile: +91 9810081079
Email: vpdalmia@vaishlaw.com

Article 21 of the Constitution of India provides that no person shall be deprived of life or personal liberty except according to the procedure established by law. The right to privacy has evolved out of Article 21 of the Constitution and other provisions protecting the fundamental rights of citizens of India. The Supreme Court of India (Justice Puttaswamy v. Union of India, Writ Petition (Civil) No. 494 of 2012, decided on August 24, 2017) has held that the right to privacy is a fundamental right and is implicit in the right to life and personal liberty guaranteed to citizens of India.

It is pertinent to note that India, presently, does not have any express legislation governing data protection or privacy. The relevant laws in India dealing with data protection are the Information Technology Act, 2000 ("IT Act") and the (Indian) Contract Act, 1872. The Contract Act governs the contractual relationship between the parties and is therefore relevant for deciding issues relating to data protection and privacy.

Sections 43A and 72A of the IT Act are the only two sections which deal with the processing/protection of personal data in India. These two provisions deal with the payment of compensation (civil remedy) and punishment (criminal recourse) in case of wrongful disclosure and misuse of personal data and violation of contractual terms in respect of personal data. However, it is crucial to note that neither section applies to data stored in a non-electronic medium.

The Department of Information Technology had published the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 ("IT Rules, 2011"), under Section 43A of the IT Act, which were notified on 13th April, 2011.

Under the IT Rules, 2011, 'Personal Information' is defined as any information that relates to a natural person which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person. Under Section 43A of the IT Act, "Body Corporate" is defined to include any company, firm, sole proprietorship or other association of individuals engaged in commercial or professional activities.

Rule 3 of the IT Rules, 2011 defines 'Sensitive Personal data' as such personal information which consists of information relating to the following:

  • Password;
  • Financial information such as Bank account or credit card or debit card or other payment instrument detail;
  • Physical, physiological and mental health condition;
  • Sexual orientation;
  • Medical records and history;
  • Biometric information;
  • Any detail relating to the above clauses as provided to body corporate for providing service; and
  • Any of the information received under the above clauses by a body corporate for processing, stored or processed under lawful contract or otherwise.

Information shall not be regarded as sensitive personal data or information under the IT Rules, 2011, if such information is:

  • freely available or accessible in public domain; or
  • furnished under the Right to Information Act, 2005; or
  • furnished under any other law for the time being in force.

It is pertinent to note that the IT Rules, 2011 are only applicable to 'Sensitive Personal data' as defined above. Accordingly, if the data falls under the definition of 'Sensitive Personal data', it is bound by the IT Rules, 2011, which lay down a number of obligations on the entity collecting the sensitive personal data.

Limitation on Transfer of Information outside India

Section 75 of the IT Act speaks about the extra-territorial applicability of the Act. It provides that the IT Act shall apply to any offence committed by any person irrespective of his nationality, provided such act or conduct constituting the offence involves a computer, computer system or computer network located in India. Therefore, when sensitive personal data is taken outside the territory of India, Sections 43A and 72A of the IT Act may still be applicable.

Section 43A of the IT Act provides the remedy of compensation to the "person affected" when "wrongful loss" is caused to him or "wrongful gain" is caused to another person at the expense of the affected person. It is to be noted that there is no upper limit specified for the compensation that can be claimed by the affected party in such circumstances. The affected person can claim compensation from the "Body Corporate" which has been negligent in the protection of the data relating to the "provider of information". It also imposes on data handlers the responsibility of "implementing and maintaining Reasonable Security Practices and Procedures".

Section 72A of the IT Act provides for punishment for disclosure of information, knowingly and intentionally, in breach of a lawful contract. It provides that any person, including an intermediary, who, while providing services under a lawful contract, has secured access to any material containing personal information about another person, and who, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain, discloses such material to any other person without the consent of the person concerned or in breach of a lawful contract, shall be punished with imprisonment for a term extending to three years or a fine extending to INR 5,00,000, or both.

Rule 7 of the IT Rules, 2011 allows a body corporate or its representative to transfer sensitive personal data or information to another body corporate or its representative, in India or located in any other country, that ensures the same level of data protection as is adhered to by the transferring body corporate under the IT Rules, 2011. However, such transfer is allowed only in the following two circumstances:

  1. It is necessary for the performance of the lawful contract between the body corporate and "provider of information"; or
  2. Where "provider of information" has consented to such data transfer.

It is imperative to understand that the transfer of data is allowed if such transfer is necessary for the performance of the lawful contract. Further, the data can also be transferred to another entity or its representative in India or located in any other country, if the "provider of information"/data subject has specifically consented to such transfer.

Obligations under the IT Rules, 2011 in case the data collected falls under Sensitive Personal data:

Mandatory Privacy Policy: Rule 4 of the IT Rules, 2011 provides that a body corporate, or any person who on behalf of a body corporate collects, receives, possesses, stores, deals in or handles information of a "provider of information"[1], shall have a privacy policy for handling of or dealing in personal information, including sensitive personal data or information. Furthermore, such privacy policy shall be available for viewing by such 'providers of information'.

Rule 4 further mandates that such policy shall be published on the website of the body corporate or its representative and must provide the following details:

  • Clear and easily accessible statements of its practices and policies;
  • Type of personal or sensitive personal data or information collected under rule 3;
  • Purpose of collection and usage of such information as provided under Rule 5;
  • Disclosure of information including sensitive personal data or information as provided in rule 6;
  • Reasonable security practices and procedures as provided under rule 8.

Prior Consent of "provider of information": Rule 5 (1) enjoins that before the collection of sensitive personal data or information, a body corporate or its representative must obtain the consent of the "provider of information" in writing, through letter or fax or any mode of electronic communication including email, regarding the purpose of usage of such information.

Opt-out Option: Rule 5 (7) of the IT Rules, 2011 puts a mandatory requirement on a body corporate or its representative to give "provider of information" an option to not provide sensitive personal data or information sought to be collected. Such option shall be given before collection of such data. It further allows the "provider of information" to withdraw its consent given earlier to a body corporate.

However, where the "provider of information" exercises the opt-out option or withdraws consent, the body corporate may decline to provide the goods or services for which the said information was sought.

Collection of Information: Rule 5 (2) provides that a body corporate or its representative can collect sensitive personal data or information only in the following circumstances:

  • The information is collected for a lawful purpose connected with a function or activity of the body corporate or its representative; and
  • The collection of the sensitive personal data or information is considered necessary for that purpose.

Rule 5 (3) of the IT Rules, 2011 provides that the body corporate or its representative shall take reasonable steps to ensure that the "provider of information" has knowledge of:

  • The fact that the information is being collected;
  • The purpose for which the information is being collected;
  • The intended recipients of the information; and
  • The name and address of (a) the agency that is collecting the information; and (b) the agency that will retain the information.

Rule 5 (8) of the IT Rules, 2011 mandatorily requires a body corporate or its representative to keep the collected information secure as provided under Rule 8.

Use of Information: Rule 5 (5) of the IT Rules, 2011 clearly provides that the information collected shall be used only for the purpose for which it has been collected.

Retention of Information: Rule 5 (4) of the IT Rules, 2011 lays down the duration of retention of sensitive personal data or information. It provides that a body corporate or its representative must not retain such information for longer than is required for the purposes for which the information may lawfully be used. Furthermore, it also provides for retention of such information as required under any other law for the time being in force.

Access and Review of Information: Rule 5 (6) of the IT Rules, 2011 puts a mandatory requirement on a body corporate or its representative to permit the "provider of information", on their request, to access and review the information provided by them. It further allows the "provider of information" to correct or amend the inaccurate or deficient information. However, a body corporate or its representative shall not be responsible for the authenticity of the information provided to them by the "provider of information".

Grievance Mechanism: Rule 5 (9) of the IT Rules, 2011 requires a body corporate to address any discrepancies and grievances of the "provider of information" with respect to processing of information. It mandates a body corporate to designate a Grievance Officer and publish its name and contact details on its website. The designated Grievance Officer shall redress the grievances of "provider of information" within one month from the date of receipt of grievance.

Limitation on Disclosure of Information: Rule 6 of the IT Rules, 2011 restricts a body corporate from disclosing to any third party the sensitive personal data or information received from the "provider of information" under a lawful contract or otherwise. It provides that any such disclosure to a third party shall require prior permission from the "provider of information".

However, a body corporate or its representative is exempt from taking such prior permission for disclosure of information in the following scenarios:

  • Where such disclosure has been agreed to in the contract between the body corporate and the "provider of information"; or
  • Where such disclosure is necessary for compliance with a legal obligation; or
  • Where such disclosure is required by a Government Agency mandated under law to obtain information, including sensitive personal data or information, for the purpose of verification of identity, or for prevention, detection, investigation (including of cyber incidents), prosecution and punishment of offences. However, the Government Agency shall send such request in writing to the body corporate, clearly stating the purpose of seeking such information, and shall not publish or share such information with any other person.

Rule 6 (3) of the IT Rules, 2011 provides that a body corporate or its representatives shall not publish such sensitive personal data or information.

Rule 6 (4) of the IT Rules, 2011 provides that a third party receiving such information is prohibited from disclosing it further.

Reasonable Security Practices and Procedures: "Reasonable Security Practices and Procedures" means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in:

  • an agreement between the parties; or
  • any law for the time being in force; or
  • in absence of such agreement or law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.

Rule 8 of the IT Rules, 2011 provides for the reasonable security practices and procedures which are to be followed by a body corporate. It provides that a body corporate or a person on its behalf shall implement security practices and standards which contain:

  • A comprehensive documented information security programme; and
  • Information security policies for managerial, technical, operational and physical security which are commensurate with the information assets being protected and the nature of the business.

The International Standard IS/ISO/IEC 27001 on "Information Technology – Security Techniques – Information Security Management System – Requirements" is one such standard prescribed under the IT Rules, 2011 which can be followed by a body corporate.

It is further provided under Rule 8 that in the event of an information security breach, the body corporate or a person on its behalf shall be required to demonstrate that it has implemented security control measures as per its documented information security programme and information security policies.

Footnote

1. "Providers of information" are those natural persons who provide sensitive personal data or information to a body corporate.

© 2018, Vaish Associates Advocates,
All rights reserved
Advocates, 1st & 11th Floors, Mohan Dev Building 13, Tolstoy Marg New Delhi-110001 (India).

The content of this article is intended to provide a general guide to the subject matter. Specialist professional advice should be sought about your specific circumstances. The views expressed in this article are solely of the authors of this article.
