Effective 11 April 2011, India introduced the Information Technology
(Reasonable security practices and procedures and sensitive personal data or
information) Rules, 2011 (the “DP Rules”), under the Information Technology
Act, 2000 (the “IT Act”).
The DP Rules significantly alter the privacy landscape in India and have
implications for multinational companies outsourcing business to India or
operating in India. They are also relevant for service providers in India.
Implications for business
The DP Rules are effective from 11 April 2011, since no transition period has been provided. They could have a significant impact on the business processes of companies operating in India or outsourcing to India. Such companies would be well advised to:
review their procedures for collection, handling and storage of sensitive personal data or information (the “SPD”) and personal information for compliance with the DP Rules, the IT Act and any applicable sectoral legislation;
consider if their security practices for SPD meet the requirements specified by the DP Rules;
ensure that service providers in India who collect, handle, process or store personal information or SPD on their behalf comply with the DP Rules. Conversely, service providers in India who have no direct contact with the providers of information should ensure that the person collecting the personal information or SPD and/or the providers of information, as applicable, have obtained the necessary consents for the collection, use, storage, handling, processing and transfer of such information;
consider if transfer of SPD outside India is permissible by the DP Rules.
Further, unless the Government of India clarifies that the DP Rules apply only to data collected after 11 April 2011 (which we understand is currently being deliberated by the Government), companies that have offshored health, financial or IT administration functions to India should review their consent requirements and provide separate consent forms to their customers.
Unlike the UK, India does not have a data protection authority to oversee implementation of the law and issue guidance. Therefore clarifications on the DP Rules or the IT Act would have to be obtained from the Ministry of Communications and Information Technology. The Ministry does not have a formal process for seeking clarification and companies may consider approaching industry bodies such as the Data Security Council of India, FICCI or CII to make representations on areas of concern arising out of the DP Rules.
Data protection framework
Comprehensive data protection legislation has been on the agenda in India for several years, and progress has been piecemeal. The IT Act was amended in 2008 to provide:
civil penalties for failure to protect sensitive personal data (though sensitive personal data was not defined until introduction of the DP Rules);
civil and criminal penalties for disclosure of information, documents, electronic records and the like without the consent of the person concerned, in certain circumstances; and
civil and criminal penalties for disclosure of personal information in breach of contractual obligations. Again ‘personal information’ was not defined, until introduction of the DP Rules.
Separately, sectoral regulations for licensed telecommunications companies and financial service companies containing data protection obligations were prescribed.
None of these regimes created a comprehensive data protection regime, and this remains the case despite the DP Rules. Moreover, the DP Rules are wide in scope, use terms that are not always defined (e.g. “person”, “provider of information”), and the extent to which some of the rules apply to personal information as opposed to SPD is unclear, as outlined below.
The DP Rules
The DP Rules apply to “body corporates” and to any person who, on behalf of a body corporate, collects, receives, possesses, stores, deals with or handles personal information, including SPD. This reflects the classical distinction between a data controller and a data processor.
The territorial application of the DP Rules is not specified in the DP Rules themselves. However, the IT Act extends to the whole of India and applies to any offence or contravention committed outside India by any person if it involves a computer, computer system or computer network located in India (Section 1(2) and Section 75 of the IT Act). Any contravention of the DP Rules involving a computer, system or network located in India is therefore caught, irrespective of where the data controller or processor is located.
Definition of personal and sensitive personal information
Personal information is defined as any information relating to a natural person which directly or indirectly (on its own or in combination with other information) is capable of identifying an individual.
SPD (sensitive personal data or information) comprises personal information relating to:
passwords;
financial information (e.g. bank account, credit card, debit card or other payment instrument details);
physical, physiological and mental condition;
medical records and history; and
biometric information;
but excludes freely available information, information in the public domain and information provided under the Right to Information Act, 2005 or any other law. Under the Right to Information Act, public authorities must on request disclose information about private bodies held by them, unless specific exemptions apply, including the ability to withhold personal information where disclosure is not in the public interest. Compared with the EU definition of sensitive personal data, the Indian definition is broader in that it encompasses passwords, financial information and biometric information.
Key provisions - personal information (including SPD)
Personal information is processed fairly if the individual(s) concerned are told (a) that the information is being collected; (b) the purposes of the collection; (c) the intended recipients of the information; and (d) the name and address of the agency collecting the information and of the agency retaining it.
The DP Rules are unclear on whether the above requirements apply to collection of personal information and SPD. However, it is prudent to comply with these requirements when collecting personal information.
Rights of access and correction
On request, the providers of information (the “Providers”) are entitled to review the personal information or SPD they have provided and to have inaccurate or deficient information corrected.
The term ‘provider of information’ suggests that it could include both the individual to whom the information belongs and any other person with access to SPD or personal information.
Opting out
Before personal information (including SPD) is collected, the Provider must be given the opportunity to decline to provide it, and may later withdraw consent previously given. Any withdrawal of consent must be sent to the body corporate in writing.
Security practices
Reasonable security practices and procedures must be implemented to keep information secure. There are two ways to fulfil this obligation:
- complying with the international standard IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements”; or
- complying with a code of best practices for data protection drawn up by a self-regulating industry association or entity and approved and notified by the Government of India. As of today, no such code appears to have been approved.
In the event of a security breach, the data controller or processor must be able to demonstrate that it has implemented its documented security control measures. Compliance with the standard or approved code must be audited by a Government-approved independent auditor at least annually, or earlier if a major upgrade of processes or IT infrastructure is undertaken.
Grievance officer
The body corporate must appoint a grievance officer and publish his name and contact details on its website. Complaints by Providers must be redressed by the grievance officer.
Key Provisions - SPD
Consent
Before SPD is collected, the Provider's written consent (by letter, fax or e-mail) must be obtained, and the purpose for which the SPD is collected must be disclosed.
SPD must be collected only for a lawful purpose connected with a function or activity of the body corporate (or of the entity collecting SPD on its behalf), and its collection must be necessary for that purpose.
Retention
SPD must not be retained for longer than necessary. While this is a principle under the DP Rules, separate retention rules apply to certain financial services companies. It is also questionable why this obligation does not extend to personal information.
Disclosure
SPD must not be disclosed to third parties without the Provider's consent, unless the disclosure is required by law, is necessary to comply with a legal obligation, or is made to Government agencies in specified circumstances.
While these requirements apply to SPD, the IT Act separately provides consequences for breach of privacy and for disclosure of information in breach of contract. These provisions could be attracted if personal information that is not SPD is disclosed, though for disclosure in breach of contract the standard of proof is high, as intent to cause loss or gain by the disclosure must be established.
Transfer of data - within and outside India
SPD may be transferred to any other body corporate or person in or outside India, if the recipient’s data protection standards are similar to those imposed by the DP Rules. The transfer of data must be necessary for performance of a contract or the Provider must have consented to its transfer.
This suggests that transfer of personal information would not be regulated since the DP Rules deal with transfer of SPD alone. However, additional restrictions on cross border transfer of certain data apply to licensed telecommunication companies.
Consequences of breach
A body corporate negligent in implementing and maintaining security practices and procedures for protecting SPD, may be liable to pay compensation (the maximum compensation that may be imposed is not specified) to the person affected.
Separately, persons who have acquired information under powers granted by the IT Act or the DP Rules may be punished with imprisonment of up to two years and/or a fine of up to Rs. 100,000 (approximately €1,560) for disclosing that information, document, correspondence, electronic record or other material to third parties without the consent of the person concerned. Directors and other persons responsible for the conduct of the company's business are also liable for offences committed by the company, unless they prove that the contravention took place without their knowledge or that they exercised all due diligence to prevent it.
Any person including an intermediary with access to personal information and providing services under a contract, may be liable to imprisonment up to three years and/or a fine of up to Rs. 500,000 (approximately €7,790), if they disclose personal information to third parties in breach of contract or without consent of the person to whom the personal information belongs.
About Bird & Bird
Bird & Bird assists clients on a range of issues in India, including data protection and privacy, mergers and acquisitions, joint ventures, entry and exit strategies, corporate finance, contractual issues, employment, intellectual property and tax matters. As an international firm, we work with law firms in India to provide seamless, cost-effective and timely advice to our clients.
Note: “Body corporate” means any company, firm, sole proprietorship or other association of individuals engaged in commercial or professional activities.
Note: The IT Act extends to the whole of India and, unless otherwise provided, applies to offences or contraventions committed outside India by any person (Section 1(2)). Section 75 provides that the IT Act applies to offences committed outside India by a person of any nationality if the act or conduct constituting the offence involves a computer, computer system or computer network located in India.