By Vijay Pal Dalmia, Advocate
Supreme Court of India & High court of Delhi
Mobile: +91 9810081079
Email: vpdalmia@vaishlaw.com

Article 21 of the Constitution of India provides that no person shall be deprived of life or personal liberty except according to the procedure established by law. The right to privacy has evolved out of Article 21 of the Constitution and other provisions protecting the fundamental rights of citizens of India. The Supreme Court of India (Justice K.S. Puttaswamy v. UOI, Writ Petition (Civil) No. 494 of 2012, decided on August 24, 2017) has held that the right to privacy is a fundamental right and is implicit in the right to life and personal liberty guaranteed to citizens of India.

It is pertinent to note that India, at present, does not have any express legislation governing data protection or privacy. The relevant laws in India dealing with data protection are the Information Technology Act, 2000 ("IT Act") and the (Indian) Contract Act, 1872. The latter governs the contractual relationship between the parties and is therefore relevant for deciding issues relating to data protection and privacy.

Sections 43A and 72A of the IT Act are the only two sections which deal with the processing and protection of personal data in India. These two provisions deal with the payment of compensation (civil remedy) and punishment (criminal recourse) in case of wrongful disclosure and misuse of personal data and violation of contractual terms in respect of personal data. However, it is crucial to note that neither section applies to data stored in a non-electronic medium.

The Department of Information Technology had published the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 ("IT Rules, 2011"), under Section 43A of the IT Act, which were notified on 13th April, 2011.

In terms of the IT Rules, 2011, 'Personal Information' is defined as any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person. Under Section 43A of the IT Act, "Body Corporate" is defined to include any company, a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities.

Rule 3 of the IT Rules, 2011 defines 'Sensitive Personal Data' as personal information consisting of information relating to the following:

  • Password;
  • Financial information such as Bank account or credit card or debit card or other payment instrument detail;
  • Physical, physiological and mental health condition;
  • Sexual orientation;
  • Medical records and history;
  • Biometric information;
  • Any detail relating to the above clauses as provided to a body corporate for providing a service; and
  • Any of the information received under the above clauses by a body corporate for processing, stored or processed under a lawful contract or otherwise.

Information shall not be regarded as sensitive personal data or information under the IT Rules, 2011 if such information is:

  • freely available or accessible in public domain; or
  • furnished under the Right to Information Act, 2005; or
  • furnished under any other law for the time being in force.

It is pertinent to note that the IT Rules, 2011 are only applicable to 'Sensitive Personal Data' as defined above. Accordingly, if the data falls under the definition of 'Sensitive Personal Data', it shall be bound by the IT Rules, 2011, which lay down a number of obligations on the entity collecting the sensitive personal data.

Limitation on Transfer of Information outside India

Section 75 of the IT Act speaks about the extra-territorial applicability of the Act. It provides that the IT Act shall apply to any offence committed by any person irrespective of his nationality, provided the act or conduct constituting the offence involves a computer, computer system or computer network located in India. Therefore, when sensitive personal data is taken outside the territory of India, Sections 43A and 72A of the IT Act may be applicable.

Section 43A of the IT Act provides the remedy of compensation to the "person affected" when "wrongful loss" is caused to him or "wrongful gain" is caused to another person at the expense of the affected person. It is to be noted that there is no upper limit specified for the compensation that can be claimed by the affected party in such circumstances. The affected person can claim compensation from the "Body Corporate" which has been negligent in the protection of the data relating to the "provider of information". Section 43A also imposes on data handlers the responsibility of "implementing and maintaining Reasonable Security Practices and Procedures".

Section 72A of the IT Act provides for punishment for disclosure of information knowingly and intentionally in breach of a lawful contract. It provides that any person, including an intermediary, who, while providing services under a lawful contract, has secured access to any material containing personal information about another person, and who, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain, discloses such material to any other person without the consent of the person concerned or in breach of a lawful contract, shall be punished with imprisonment for a term extending to three years or a fine extending to INR 5,00,000, or both.

Rule 7 of the IT Rules, 2011 allows a body corporate or its representative to transfer sensitive personal data or information to another body corporate or its representative, in India or located in any other country, that ensures the same level of data protection as is adhered to by the body corporate under the IT Rules, 2011. However, such transfer is allowed only in the following two circumstances:

  1. It is necessary for the performance of the lawful contract between the body corporate and "provider of information"; or
  2. Where "provider of information" has consented to such data transfer.

It is imperative to understand that the transfer of data is allowed if such transfer is necessary for the performance of the lawful contract. Further, the data can also be transferred to another entity or its representative in India or located in any other country, if the "provider of information"/data subject has specifically consented to such transfer.

Obligations under the IT Rules, 2011 in case the data collected falls under Sensitive Personal data:

Mandatory Privacy Policy: Rule 4 of the IT Rules, 2011 provides that a body corporate, or any person who on behalf of a body corporate collects, receives, possesses, stores, deals in or handles information of a "provider of information"¹, shall have a privacy policy for handling of or dealing in personal information including sensitive personal data or information. Furthermore, such privacy policy shall be available for viewing by such 'providers of information'.

Rule 4 further mandates that such policy shall be published on the website of the body corporate or its representative and must provide the following details:

  • Clear and easily accessible statements of its practices and policies;
  • Type of personal or sensitive personal data or information collected under rule 3;
  • Purpose of collection and usage of such information as provided under Rule 5;
  • Disclosure of information including sensitive personal data or information as provided in rule 6;
  • Reasonable security practices and procedures as provided under rule 8.

Prior Consent of "provider of information": Rule 5 (1) enjoins that before the collection of sensitive personal data or information, a body corporate or its representative must obtain the consent of the "provider of information" in writing, through letter or fax or any mode of electronic communication including email, regarding the purpose of usage of such information.

Opt-out Option: Rule 5 (7) of the IT Rules, 2011 puts a mandatory requirement on a body corporate or its representative to give the "provider of information" an option not to provide the sensitive personal data or information sought to be collected. Such option shall be given before the collection of such data. It further allows the "provider of information" to withdraw consent given earlier to a body corporate.

However, where the "provider of information" exercises the opt-out option or withdraws consent, the body corporate has the option of not providing the goods or services for which the said information was sought.

Collection of Information: Rule 5 (2) provides that a body corporate or its representative can collect sensitive personal data or information only in the following circumstances:

  • The information is collected for a lawful purpose connected with a function or activity of the body corporate or its representative; and
  • The collection of the sensitive personal data or information is considered necessary for that purpose.

Rule 5 (3) of the IT Rules, 2011 provides that the body corporate or its representative shall take reasonable steps to ensure that the "provider of information" has knowledge of:

  • The fact that the information is being collected;
  • The purpose for which the information is being collected;
  • The intended recipients of the information; and
  • The name and address of (a) the agency that is collecting the information; and (b) the agency that will retain the information.

Rule 5 (8) of the IT Rules, 2011 mandatorily requires a body corporate or its representative to keep the collected information secure as provided under Rule 8.

Use of Information: Rule 5 (5) of the IT Rules, 2011 clearly provides that the information collected shall be used only for the purpose for which it has been collected.

Retention of Information: Rule 5 (4) of the IT Rules, 2011 lays down the duration of retention of sensitive personal data or information. It provides that a body corporate or its representative must not retain such information for longer than is required for the purposes for which the information may lawfully be used. It also permits retention of such information where required under any other law for the time being in force.

Access and Review of Information: Rule 5 (6) of the IT Rules, 2011 puts a mandatory requirement on a body corporate or its representative to permit the "provider of information", on request, to access and review the information provided by them. It further allows the "provider of information" to correct or amend inaccurate or deficient information. However, a body corporate or its representative shall not be responsible for the authenticity of the information provided to them by the "provider of information".

Grievance Mechanism: Rule 5 (9) of the IT Rules, 2011 requires a body corporate to address any discrepancies and grievances of the "provider of information" with respect to the processing of information. It mandates a body corporate to designate a Grievance Officer and publish the officer's name and contact details on its website. The designated Grievance Officer shall redress the grievances of the "provider of information" within one month from the date of receipt of the grievance.

Limitation on Disclosure of Information: Rule 6 of the IT Rules, 2011 restricts a body corporate from disclosing to any third party the sensitive personal data or information received from the "provider of information" under a lawful contract or otherwise. It provides that any such disclosure to a third party shall require prior permission from the "provider of information".

However, a body corporate or its representative is exempt from taking such prior permission for disclosure of information in the following scenarios:

  • Where such disclosure has been agreed to in the contract between the body corporate and the "provider of information"; or
  • Where such disclosure is necessary for compliance with a legal obligation; or
  • Where such disclosure is required by a Government Agency mandated under law to obtain information, including sensitive personal data or information, for the purpose of verification of identity, or for the prevention, detection, investigation (including of cyber incidents), prosecution and punishment of offences. However, the Government Agency shall send such request in writing to the body corporate, clearly stating the purpose of seeking such information. The Government Agency should not publish or share such information with any other person.

Rule 6 (3) of the IT Rules, 2011 provides that a body corporate or its representatives shall not publish such sensitive personal data or information.

Rule 6 (4) of the IT Rules, 2011 provides that a third party receiving such information is prohibited from disclosing it further.

Reasonable Security Practices and Procedures: "Reasonable Security Practices and Procedures" means security practices and procedures designed to protect such information from unauthorized access, damage, use, modification, disclosure or impairment, as may be specified in:

  • an agreement between the parties; or
  • any law for the time being in force; or
  • in the absence of such agreement or law, such reasonable security practices and procedures as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.

Rule 8 of the IT Rules, 2011 provides for the reasonable security practices and procedures which are to be followed by a body corporate. It provides that a body corporate or a person on its behalf shall implement security practices and standards containing:

  • A comprehensive documented information security programme; and
  • Information security policies for managerial, technical, operational and physical security, commensurate with the information assets being protected and the nature of the business.

The International Standard IS/ISO/IEC 27001 on "Information Technology – Security Techniques – Information Security Management System – Requirements" is one such standard prescribed under the IT Rules, 2011 which may be followed by a body corporate.

It is further provided under Rule 8 that, in the event of an information security breach, the body corporate or a person on its behalf shall be required to demonstrate that they have implemented security control measures as per their documented information security programme and information security policies.

Footnote

1. "Providers of information" are those natural persons who provide sensitive personal data or information to a body corporate.

© 2018, Vaish Associates Advocates,
All rights reserved
Advocates, 1st & 11th Floors, Mohan Dev Building 13, Tolstoy Marg New Delhi-110001 (India).

The content of this article is intended to provide a general guide to the subject matter. Specialist professional advice should be sought about your specific circumstances. The views expressed in this article are solely of the authors of this article.