In recent years, and especially in the context of the COVID pandemic, digitization, leaps in technological capabilities, and the rise of e-commerce platforms have become the norm. As consumers, we share personal information and data with each online platform we visit, register on and order from. However, the collection, use, and disclosure of this data is largely unregulated due to the absence of specific Data Protection Laws in India.
The Personal Data Protection Bill is before the Indian Parliament and we understand the same may come in the 2021 winter session. Till such time as the aforesaid Bill becomes law, our personal data and privacy continue to be governed by a gamut of Data Protection Laws in India, some of which are summarized below.
- What is the existing framework for data protection laws in India? Article 21 of the Indian Constitution is a fundamental right that guarantees protection of life and personal liberty. On August 24th, 2017, the Supreme Court in the decision of Justice K.S. Puttaswamy (retd.) & Anr vs. Union of India and Ors held that privacy is a constitutionally protected right which arises out of Article 21 of the Indian Constitution. The protection under Article 21 is not absolute and is subject to certain restrictions. For instance, the right could be restricted if there is a law created by the legislature to restrict the same (such law should promote a legitimate state interest, should not be arbitrary and should be proportionate to the object of the law). A draft Personal Data Protection Bill is presently under consideration. As on date, the current framework for data protection laws in India is set out in the Information Technology Act, 2000 (“IT Act”) and the rules issued thereunder, most importantly the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“IT Rules”).
IT ACT AND THE IT RULES
- Does the IT Act mandate protection of data? As per Section 43A of the IT Act, where a body corporate possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates is negligent in implementing and maintaining reasonable security practices and procedures, and thereby causes wrongful loss or wrongful gain to any person, such body corporate will be liable to pay damages by way of compensation to the person so affected.
- What falls under the definition of a body corporate for the purposes of the IT Act? A body corporate means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities.
- What are the reasonable security practices and procedures to be observed by body corporates under the IT Act? ‘Reasonable security practices and procedures’ means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and, in the absence of such agreement or any law, such reasonable security practices as may be prescribed by the Central Government.
- Do the provisions of the IT Act extend to entities outside India? Section 75 of the IT Act stipulates that the provisions of the IT Act shall apply to an offence or contravention committed outside India by any person if the act or conduct constituting an offence or contravention involves a computer, computer system or computer network located in India.
- What is an Intermediary? An ‘Intermediary’ with respect to electronic records means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online market places and cyber cafes.
- Is an Intermediary liable for any third party information made available or hosted by him? If not, are there any conditions to avail such exemption? An Intermediary is not liable for any third party information, data or communication link made available or hosted by him. The exemption is subject to the following conditions:
- The function of the intermediary should be limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored or hosted;
- The intermediary does not: (i) initiate the transmission; (ii) select the receiver of the transmission; and (iii) select or modify the information contained in the transmission; and
- The intermediary observes due diligence while discharging his duties under the IT Act.
- What is the significance of the IT Rules? The IT Rules have been issued under the IT Act and they have prescribed minimum standards on the privacy and disclosure of information, collection of information, transfer of information and reasonable security practices and procedures.
- How has the term ‘personal information’ been defined under the IT Rules? Personal information means any information relating to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.
- What is the kind of sensitive personal data or information prescribed under the IT Rules? The IT Rules list the types of personal information which may be construed as sensitive personal data or information, and these include: (i) password; (ii) financial information; (iii) health parameters (including physical, physiological and mental health conditions and medical records or history); (iv) sexual orientation; and (v) biometric information.
- Is any consent required for collection of sensitive personal data or information? Yes, a body corporate or any person on its behalf shall obtain consent in writing, through letter or fax or email, from the provider of the sensitive personal data or information regarding the purpose of usage before collection of such information.
- Are body corporates bound to share certain aspects of the information collected with the providers of information? Yes, while collecting information directly from the person concerned, the body corporate or any person on its behalf shall take such steps as are, in the circumstances, reasonable to ensure that the person concerned has knowledge of (i) the fact that the information is being collected; (ii) the purpose for which the information is being collected; (iii) the intended recipients of the information; (iv) the name and address of the agency that is collecting the information; and (v) the agency that will retain the information.
- For what purposes can such information be used? The information collected may be used only for the purpose for which it has been collected.
- Is there an option for the providers of information to opt out of providing the information? Yes, a body corporate or any person on its behalf is required to, prior to the collection of information, provide an option to the provider of the information not to provide the data or information sought to be collected.
- Is there an option for the provider of information to withdraw any information which has already been collected? If yes, how? Yes, the provider of information has the option to withdraw his/her earlier granted consent. Such withdrawal of consent is required to be sent in writing to the body corporate. In the case of the provider of information not providing or later withdrawing his consent, the body corporate has the option of not providing the goods or services for which the said information was sought.
- What are the provisions on disclosure of information under the IT Rules? Disclosure of sensitive personal data or information can be done only with prior permission from the provider of such information, unless such disclosure has been agreed to in the contract between the body corporate and the provider of information, or where the disclosure is necessary for compliance with a legal obligation.
- Can a body corporate publish information collected under the IT Rules? No, a body corporate or any person on its behalf cannot publish the sensitive personal data or information.
- How can information be transferred under the ambit of the IT Rules, within India and/or outside India? A body corporate or any person on its behalf may transfer sensitive personal data or information, including any information, to any other body corporate or a person in India, or located in any other country, that ensures the same level of data protection that is adhered to by the body corporate as provided for under the IT Rules. The transfer may however be allowed only if it is necessary for the performance of the lawful contract between the body corporate or any person on its behalf and the provider of information, or where such person has consented to such data transfer.
GENERAL DATA PROTECTION REGULATION
- What is the GDPR? The GDPR is the new EU legal framework governing the use of personal data across the EU. It lays down rules relating to the protection of natural persons with regard to the processing and free movement of personal data. It replaces the Data Protection Directive 95/46/EC.
- What does the GDPR regulate? The GDPR regulates the processing of personal data wholly or partly by automated means, and the processing other than by automated means, relating to individuals in the EU. The GDPR does not apply to the processing of personal data which is done by an individual in the course of a purely personal or household activity, or by competent authorities for preventing, investigating, detecting or prosecuting criminal offences or executing criminal penalties (including safeguarding against and preventing threats to public security).
- Who does the GDPR apply to? The GDPR applies globally, and companies outside the EU have to comply with the GDPR if they process personal data of EU data subjects in connection with the offering of goods or services to them or the monitoring of their behaviour within the EU.
- Does the GDPR apply to Indian organisations? Yes, though the GDPR is a European law, it will apply to an Indian organisation if such organisation provides goods or services to EU citizens or monitors their behaviour within the EU. An Indian organisation can act either as a controller (i.e. determine how and why data needs to be processed) or as a processor (i.e. process data on behalf of a controller). The GDPR has prescribed specific obligations and penalties in both cases.
- Does India have something similar to the GDPR? Presently, India does not have a data protection regime which is similar to the GDPR. However, the Ministry of Electronics & Information Technology in 2017 formed the B.N. Srikrishna Committee to make recommendations for a draft bill on data protection law. The Committee submitted its report in July 2018 along with the draft Personal Data Protection Bill (“Bill”), which will have jurisdiction over the processing of personal data if that data has been used, shared, disclosed, collected or otherwise processed in India, and which aims at data localization, i.e. a copy of all personal data mandatorily being stored in India.
- How does the Bill define ‘Data’? The Bill categorizes data into two categories: (i) Personal Data; and (ii) Sensitive Personal Data. Personal Data means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such features with any other information. Sensitive Personal Data means personal data revealing, related to, or constituting, as may be applicable: (i) passwords; (ii) financial data; (iii) health data; (iv) official identifier; (v) sex life; (vi) sexual orientation; (vii) biometric data; (viii) genetic data; (ix) transgender status; (x) intersex status; (xi) caste or tribe.
- Can data be processed without consent? Data can be processed without consent only while performing functions of the State, ensuring compliance with a law or court order, responding to a medical emergency, or for any other reasonable specified purposes.
- Where would the data collected be stored? Is cross-border data flow allowed under the Bill? The Bill envisages data localization and mandates that all data collected by a data fiduciary be stored on a server located in India. The Bill imposes certain restrictions on cross-border data flows. It is mandatory to store at least one serving copy of all personal data within the territory of India. The outflow of data is subject to certain conditions (provided that the data does not fall under the restricted data): (i) the transfer is to be made subject to standard contractual clauses which are to be approved by the Data Protection Authority, and the data principal has provided her consent/explicit consent to such transfer; (ii) personal data can be transferred to a country which has been prescribed by the Central Government, and the consent/explicit consent for the same has been given; (iii) transfers as approved by the Data Protection Authority because of a necessary situation.