Data privacy and protection law in India: understanding the regime

Right to privacy has long been read into Article 21 (right to life and personal liberty) of the Constitution of India. However, with the proliferating use of the internet and the exorbitant rise in transfer of data through multiple technologies, the concepts of ‘data privacy’ and ‘data protection’ have started demanding greater attention than ever before. Therefore, such concepts were introduced in the Information Technology Act, 2000 (Act) through Section 43-A (Compensation for failure to protect data) and Section 72-A (Punishment for disclosure of information in breach of lawful contract).

 Section 43-A primarily deals with compensation for negligence in implementing and maintaining reasonable security practices and procedures in relation to sensitive personal data or information (“SPDI”). Section 72-A deals with personal information and provides punishment for disclosure of information in breach of lawful contract or without the information provider’s consent.

On 13 April 2011, the Ministry of Communications and Information Technology (MCIT), Government of India, notified the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (Rules). Further, on 24 August 2011, the MCIT released a press note (Press Note) which clarified a number of provisions of the Rules. Amongst others, the Press Note clarified that the Rules relate to SPDI and are applicable to body corporate (i.e. organisation) or any person located in India. The Press Note exempts outsourcing companies in India from the provisions of collection and disclosure, as set out under the Rules.

Essentially, SPDI consists of the following:

–     Passwords;

–     Financial information such as bank account or credit card or debit card or other payment instrument details;

–     Physical, physiological and mental health condition;

–     Sexual orientation;

–     Medical records and history;

–     Biometric information.

Section 43-A of the Act defines ‘reasonable security practices and procedures’ to mean security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force…

In light of the above, the Rules now stipulate that the requirement of ‘Reasonable Security Practices and Procedures’ will be satisfied if a body corporate has implemented such security practices and standards and have comprehensive documented information security programmes and policies that are commensurate with the information assets being protected.

The Rules also set out that International Standards (IS / ISO / IEC 27001) is one such standard (Standards) which could be implemented by a body corporate. If any industry association, etc are following standards other than IS / ISO / IEC 27001 for data protection, they need to get their codes (Codes) approved and notified by the Central Government.

The Rules state that the bodies corporate who have implemented the Standards or Codes need to get the same certified or audited by independent auditors approved by the Central Government. The audit is required to be carried out by the auditor at least once a year or as and when there is a significant upgradation of processes and computer resources.

The Rules provide that a body corporate should obtain prior consent from the information provider regarding purpose of usage of the SPDI. The information should be collected only if required for a lawful purpose connected with functioning of the body corporate and if collection of such information is necessary.

The body corporate is required to take reasonable steps to ensure that the information provider knows that the information is being collected, the purpose of collecting such information, the intended recipients and the name and address of the agency collecting and retaining the information. The information should be used only for the purpose for which it is collected and should not be retained for a longer period than is required.

The Rules further provide that a body corporate is required to permit the information provider to review / amend the SPDI and give an option to withdraw consent at any time, in relation to the information so provided. In case of withdrawal of consent, the body corporate has the option not to provide the goods or services for which the concerned information was sought.

The Rules give a body corporate the liberty to transfer SPDI to those body corporate(s), located anywhere, who ensure(s) the same / equal level of data protection that is adhered to by the body corporate as per the Rules. However, the transfer may be permitted only if the same is necessary for the performance of lawful contract between the body corporate and information provider or where such information provider has consented to the transfer.

Apart from applicable legal obligations or information sought by Government agencies, a body corporate is required to obtain permission from the information provider prior to disclosure of such information to a third party, unless such disclosure has been agreed to in a contract between the parties.

The Rules require that a body corporate handling SPDI shall provide a privacy policy. Such privacy policy shall contain the prescribed details such as type of information collected, purpose for collection of information, disclosure policy, security practices and procedures followed, etc. The privacy policy is required to be made available to information providers and is required to be clearly published on website of the body corporate.

According to the Rules, a body corporate is required to designate a Grievance Officer to address grievances of its information providers and should publish the name and contact details of such Grievance Officer on its website. The Grievance Officer is required to redress the grievances within one month.

Undoubtedly, the concept of data privacy and protection is at a nascent stage in India. Framers of the Rules have attempted to adopt ideas from jurisdictions which have long standing and mature data protection regulations. These Rules are only therefore a first step. Stringent implementation of the law and healthy development of the data privacy and protection jurisprudence in the long run is what one needs to watch out for.

Supratim Chakraborty