What is the existing framework for data protection laws in India? Article 21 of the Indian Constitution is a fundamental right that guarantees protection of life and personal liberty. On August 24th, 2017, the Supreme Court in the decision of Justice K.S. Puttaswamy (retd.) & Anr. vs. Union of India and Ors. held that privacy is a constitutionally protected right which arises out of Article 21 of the Indian Constitution. The protection under Article 21 is not absolute and is subject to certain restrictions. For instance, the right could be restricted if there is a law created by the legislature to restrict the same (such law should promote a legitimate state interest, should not be arbitrary and should be proportionate to the object of the law). A draft Personal Data Protection Bill is presently under consideration. As on date, the current framework for data protection laws in India is set out in the Information Technology Act, 2000 (“IT Act”) and the rules issued thereunder, most importantly the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“IT Rules”).
IT ACT AND THE IT RULES
Does the IT Act mandate protection of data? As per Section 43A of the IT Act, where a body corporate possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates is negligent in implementing and maintaining reasonable security practices and procedures, and thereby causes wrongful loss or wrongful gain to any person, such body corporate will be liable to pay damages by way of compensation to the person so affected.
What falls under the definition of a body corporate for the purposes of the IT Act? A body corporate means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities.
What are the reasonable security practices and procedures to be observed by body corporates under the IT Act? ‘Reasonable security practices and procedures’ means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices as may be prescribed by the Central Government.
Do the provisions of the IT Act extend to entities outside India? Section 75 of the IT Act stipulates that the provisions of the IT Act shall apply to an offence or contravention committed outside India by any person if the act or conduct constituting an offence or contravention involves a computer, computer system or computer network located in India.
What is an Intermediary?
An ‘Intermediary’ with respect to electronic records means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online market places and cyber cafes.
Is an Intermediary liable for any third party information made available or hosted by him? If no, are there any conditions to avail such exemption? An Intermediary is not liable for any third party information, data or communication link made available or hosted by him. The exemption is subject to the following conditions:
The function of the intermediary should be limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored or hosted;
The intermediary does not: (i) initiate the transmission; (ii) select the receiver of the transmission; and (iii) select or modify the information contained in the transmission; and
The intermediary observes due diligence while discharging his duties under the IT Act.
What is the significance of the IT Rules? The IT Rules have been issued under the IT Act and they have prescribed minimum standards on the privacy and disclosure of information, collection of information, transfer of information and reasonable security practices and procedures.
How has the term ‘personal information’ been defined under the IT Rules? Personal information means any information relating to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.
What is the kind of sensitive personal data or information prescribed under the IT Rules? The IT Rules list the type of personal information which may be construed as sensitive personal data or information, and includes: (i) password; (ii) financial information; (iii) health parameters (including physical, physiological and mental health conditions and medical records or history); (iv) sexual orientation; and (v) biometric information.
Is any consent required for collection of sensitive personal data or information? Yes, a body corporate or any person on its behalf shall obtain consent in writing through letter or fax or email from the provider of the sensitive personal data or information regarding purpose of usage before collection of such information.
Are body corporates bound to share certain aspects of the information collected with the providers of information? Yes, while collecting information directly from the person concerned, the body corporate or any person on its behalf shall take such steps as are, in the circumstances, reasonable to ensure that the person concerned is having the knowledge of (i) the fact that the information is being collected; (ii) the purpose for which the information is being collected; (iii) the intended recipients of the information; (iv) the name and address of the agency that is collecting the information; and (v) the agency that will retain the information.
For what purposes can such information be used? The information collected may be used only for the purpose for which it has been collected.
Is there an option for the providers of information to opt-out of providing the information? Yes, a body corporate or any person on its behalf is required to, prior to the collection of information, provide an option to the provider of the information not to provide the data or information sought to be collected.
Is there an option to the provider of information to withdraw any information which has already been collected? If yes, how? Yes, the provider of information has the option to withdraw his / her earlier granted consent. Such withdrawal of the consent is required to be sent in writing to the body corporate. In the case of provider of information not providing or later on withdrawing his consent, the body corporate has the option of not providing goods or services for which the said information was sought.
What are the provisions of disclosure of information under the IT Rules? Disclosure of sensitive personal data or information can be done only with prior permission from the provider of such information, unless such disclosure has been agreed to in the contract between the body corporate and provider of information, or where the disclosure is necessary for compliance of a legal obligation.
Can a body corporate publish information collected under the IT Rules? No, a body corporate or any person on its behalf cannot publish the sensitive personal data or information.
How can information be transferred under the ambit of IT Rules, within India and/or outside India? A body corporate or any person on its behalf may transfer sensitive personal data or information including any information, to any other body corporate or a person in India, or located in any other country, that ensures the same level of data protection that is adhered to by the body corporate as provided for under the IT Rules. The transfer may however be allowed only if it is necessary for the performance of the lawful contract between the body corporate or any person on its behalf and provider of information or where such person has consented to such data transfer.
GENERAL DATA PROTECTION REGULATION
What is the GDPR? The GDPR is the new EU legal framework governing the use of personal data across the EU. It lays down rules relating to the protection of natural persons with regard to the processing and free movement of personal data. It replaces the Data Protection Directive 95/46/EC.
What does the GDPR regulate? The GDPR regulates the processing of personal data wholly or partly by automated means, and the processing other than by automated means, relating to individuals in the EU. The GDPR does not apply to the processing of personal data which is done by an individual in the course of a purely personal or household activity or by competent authorities for preventing, investigating, detecting or prosecuting criminal offences or executing criminal penalties (including safeguarding against and preventing threats to public security).
Who does the GDPR apply to? The GDPR applies globally, and companies outside the EU have to comply with the GDPR if they process personal data of EU data subjects in connection with the offering of goods or services or monitoring of their behaviour within the EU.
Does the GDPR apply to Indian organisations? Yes, though the GDPR is a European law, it will apply to an Indian organisation if such organisation provides goods or services to EU citizens or monitors their behaviour within the EU. An Indian organisation can either act as a controller (i.e. determine how and why data needs to be processed), or a processor (i.e. process data on behalf of a controller). The GDPR has prescribed specific obligations and penalties in both the cases.
Does India have something similar to the GDPR? Presently, India does not have a data protection regime which is similar to the GDPR. However, the Ministry of Electronics & Information Technology in 2017 formed the B.N. Srikrishna Committee for making recommendations for a draft bill on data protection law. The Committee submitted their report in July 2018 along with the draft Personal Data Protection Bill (“Bill”) which will have jurisdiction over processing of personal data, if that data has been used, shared, disclosed, collected or otherwise processed in India, and aims at data localization, i.e. a copy of all personal data mandatorily being stored in India.
How does the Bill define ‘Data’? The Bill categorizes data into two categories: (i) Personal Data; and (ii) Sensitive Personal Data. Personal Data means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such features with any other information. Sensitive Personal Data means personal data revealing, related to, or constituting, as may be applicable: (i) passwords; (ii) financial data; (iii) health data; (iv) official identifier; (v) sex life; (vi) sexual orientation; (vii) biometric data; (viii) genetic data; (ix) transgender status; (x) intersex status; (xi) caste or tribe.
Can data be processed without consent? The data can be processed without consent only while performing functions of the State, ensuring compliance with a law or court order or responding to a medical emergency or for any other reasonable specified purposes.
Where would the data collected be stored? Is cross-border data flow allowed under the Bill? The Bill envisages data localization and mandates that all data collected by a data fiduciary be stored in a server located in India. The Bill imposes certain restrictions on the cross-border data flows. It is mandatory to store at least one serving copy of all personal data within the territory of India. This outflow is subject to certain conditions (provided that the data doesn’t fall under the restricted data): (i) the transfer is to be made subject to standard contractual clauses which are to be approved by the Data Protection Authority and the data principal has provided her consent/explicit consent to such transfer; (ii) personal data can be transferred to a country which has been prescribed by the Central Government and the consent/explicit consent for the same has been given; (iii) transfers as approved by the Data Protection Authority because of a necessary situation.