Overview of Data Privacy Laws in India and Aspects of Data Protection That Your Company Should Take into Account When Establishing a Business in India
Feb 25, 2017 | QuickCounsel
By Supratim Chakraborty, Principal Associate and Aritri Roy Chowdhury, Associate, Khaitan & Co LLP, Kolkata [1]
Overview
India is taking a giant leap towards digitization and a cashless economy. It is also liberalizing its foreign investment related laws and requirements. These favourable moves are aimed at attracting more foreign players to establish their presence in India. While global players opening shop in India bring with them superior global standards of data protection and data privacy, it is also imperative for them to be mindful of the unique local Indian law requirements. Any failure to follow the Indian legal requirements could trigger civil or criminal liabilities. Further, this could also entail irreparable loss of reputation.
While the concept of ‘data privacy’ is not explicitly mentioned under Indian laws, the courts of the country have, over time, entwined the concept of privacy with the interpretation of right to life and personal liberty as provided under Article 21 of the Constitution. It may be interesting to note here that the Supreme Court of India is yet to conclusively decide whether right to privacy is naturally a fundamental right guaranteed under Article 21 of the Constitution. This decision is expected to be taken by the Apex Court shortly. However, such a right is enforceable against the State alone and this poses a perplexing question as to which legislation governs the non-state related aspects of privacy breach. In this regard, though avenues under law of torts and Indian Penal Code, 1860, always existed, the concepts of data privacy and data protection were given focused attention through provisions of the Information Technology Act, 2000 (“IT Act”) after its amendments in the year 2009 (“Information Technology (Amendment) Act, 2008”).
The Information Technology (Amendment) Act, 2008, brought into existence provisions such as Section 43-A and Section 72-A. Whereas Section 43-A of the IT Act primarily concentrates on the compensation for negligence in implementing and maintaining ‘reasonable security practices and procedures’ in relation to ‘sensitive personal data or information’ (“SPDI”), Section 72-A of the IT Act mandates punishment for disclosure of ‘personal information’ in breach of lawful contract or without the information provider’s consent.
On 13 April 2011, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“Rules”) were promulgated. Though the Rules attempted to elaborate further on the requirements of Section 43-A of the IT Act, they gave rise to a considerable amount of confusion, primarily because of certain drafting ambiguities. In order to remedy the situation, a press note (“Press Note”) was released by the Ministry of Communications and Information Technology on 24 August 2011. This Press Note clarified several provisions of the Rules, including the applicability of certain provisions of the Rules to players in the outsourcing industry.
Apart from the IT Act and the Rules, there are certain sectoral regulations and guidelines which also address various aspects of data privacy and data protection in India. For example, the financial regulator (The Reserve Bank of India), securities market regulator (Securities and Exchange Board of India) and insurance sector regulator (Insurance Regulatory and Development Authority of India), all have prescribed various requirements in this regard, from time to time.
Further, it is interesting to note that in recent times, India has seen a number of litigations raising questions on data privacy and data protection that were never addressed before. Recently, the Supreme Court of India issued notices to the social media giants WhatsApp and Facebook, and to the Telecom Regulatory Authority of India, to explain their legal position over privacy concerns raised in a petition on WhatsApp’s data sharing policy.
Thus, with the increasing sensitivity of the Indian legal system towards data protection and privacy, it is imperative that corporate houses seeking to establish business in India adhere to the local data privacy and data protection laws. This QuickCounsel provides an overview of the data privacy and data protection requirements in relation to SPDI, as prescribed under Section 43-A of the IT Act and the Rules.
The Rules identify the following personal information as SPDI:
Reasonable Security Practices and Procedures
Section 43-A of the IT Act mandates the following of ‘reasonable security practices and procedures’ in relation to SPDI. The International Standard IS/ISO/IEC 27001 relating to ‘Information Technology-Security Techniques-Information Security Management System–Requirements’ is one of the standards (“Stipulated Standard”) specified under the Rules that may be implemented by a body corporate while handling SPDI. If any industry association or entity is following a standard other than the Stipulated Standard for data protection, it is required to get its codes (“Codes”) approved and notified by the Government of India. Body corporates which have implemented the Stipulated Standard or Codes need to get the same certified or audited by an independent auditor approved by the Central Government. Further, an audit has to be carried out by such an auditor at least once a year, or as and when there is a significant upgradation of processes and computer resources.
Collection of SPDI
Under the Rules, a body corporate is required to obtain prior consent from the information provider regarding the purpose of usage of the SPDI. Such information should be collected only if it is essential and required for a lawful purpose connected with the functioning of the body corporate. The body corporate is also mandated to take reasonable steps to ensure that the information provider has knowledge about the collection of information, the purpose of collection of such information, the intended recipients and the name and address of the agency collecting and retaining the information. The information should be used only for the purpose for which it is collected and should not be retained for a period longer than what is required.
The body corporate has to allow the information provider the right to review or amend the SPDI and give the information provider an option to retract consent at any point of time, in relation to the information that has been so provided. In case of withdrawal of consent, the body corporate has the option to not provide the goods or services for which the concerned information was sought.
Transfer of SPDI
A body corporate may transfer SPDI to other body corporates, located anywhere across the globe, provided that the transferee ensures the same or equal level of data protection that is adhered to by the body corporate as per the Rules. However, the transfer may be permitted only if the same is necessary for the performance of a lawful contract between the body corporate and the information provider, or where such information provider has consented to such a transfer.
Disclosure to Third Party
The Rules specify that, apart from information sought by governmental agencies or under applicable legal provisions, a body corporate is required to obtain permission from the information provider prior to disclosure of such information to a third party, unless such disclosure has been agreed to in an agreement between the parties.
Grievance Officer
The Rules provide that a body corporate must address grievances of the information provider within a specified time. For this, a body corporate should appoint a Grievance Officer to address such grievance within a period of 1 (one) month from receipt of the grievance.
Conclusion
Data privacy and data protection laws by their very nature need to be dynamic, constantly expanding and improving to deal with new impediments and hindrances. As India is increasingly becoming a prominent part of the global economy with ever burgeoning foreign investment, there is unprecedented thrust now to upgrade the data privacy and data protection standards in the country. Further, the judiciary’s pro-active interest in data privacy issues and its opinion that trustees of customers’ data must be judged on ‘tougher standards’ and that a ‘strong signal must be sent’ to hold defaulting entities liable, have made business houses align themselves steadily with the data privacy and data protection laws of the country. It is imperative, therefore, for foreign companies establishing business in India to ensure that their local Indian entity adheres to Indian data privacy and data protection law requirements even if the local entity has been following global best practices in this regard.
[1] The authors can be reached at email@example.com and firstname.lastname@example.org.