By Abir Roy
India doesn’t have a comprehensive and specific legislation on data protection, but certain guidelines on data protection can be inferred from the Information Technology Act, 2000, and rules issued thereunder, namely the Information Technology (Reasonable Security Practice and Procedures and Sensitive Personal Data or Information) Rules, 2011. The IT Act under Section 43A provides that where a body corporate possesses/deals with sensitive personal data or information in a computer resource that it owns, controls or operates and is negligent in maintaining reasonable security procedures, such body corporate will be liable to pay damages by way of compensation to such person(s) so affected. Section 75 mandates that provisions of this Act shall apply to an offence/contravention committed outside India by any person if the conduct constituting an offence involves a computer/computer network located in India. Notably, Section 72A of the Act provides for a fine and/or imprisonment when there is disclosure of personal information in breach of a contract or without consent of the person the information is obtained from.
The IT Rules have been incorporated vide Section 43A of the IT Act and provide for minimum standards on collection, disclosure and transfer of personal information—which is defined as “any information that relates to a natural person, which either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.”
Sensitive personal data/information: The IT Rules further mandate a body corporate shall obtain prior consent from the provider of ‘sensitive personal data or information’ for using such sensitive information. The Rules provide for a list of personal information that can be construed to be ‘sensitive’ and includes passwords, financial information, health parameters, sexual orientation, etc.
Transfer of data/information: A body corporate or any person on its behalf may transfer sensitive personal data or information to any other body corporate in India or any other country, if it ensures the same level of data protection that is provided by the transferor as per the IT Rules.
Data localisation: Sector-specific
Data localisation is a method of safeguarding sensitive information within the borders of a country where the data is generated. In India, various sectors such as financial, telecom, healthcare have their own pre-existing laws and procedures for protection and localisation of data and other information. Some of the sector-specific laws that impact data protection are:
RBI issues guidelines, regulations and circulars to maintain secrecy of client information and propounds methods to evolve voluntary norms that banks must enforce on themselves, for payments data protection. On April 6, 2018, RBI issued a circular mandating that all data related to payment systems should be locally stored in India—issued in light of the Personal Data Protection Bill (PDPB) passed by the MeitY and it continues to provide recommendations for the regulation of the payments data present in the financial sphere.
The DoT in consonance with the TRAI continues to issue guidelines for protection and localisation of data collected by service providers from their customers. TSPs and ISPs in India must comply with provisions of the Unified Access Licence.
The Medical Council of India under the ambit of the Indian Medical Council (Professional conduct, Etiquette and Ethics) Regulations, 2002, governs issues relating to collection of personal data of patients, issues of consent and the extent to which complicated procedures may be carried out. In August 2018, amendments were made to the Drugs and Cosmetics Rules, 1945, requiring e-pharmacists to localise the data generated of their customers, provided that in no case the data generated or duplicated through the e-pharmacy portal shall be sent or stored outside India.
There are entities who have promulgated procedures for safely storing records of database/information acquired by them:
(a) NASSCOM has set up the Data Security Council of India that is committed to making the cyberspace safe, secure and trusted by establishing best practices and standards in the cybersecurity space.
(b) SEBI promulgated the Data Sharing Policy in October 2018, which aimed at simplifying the process of data sharing and formalisation of data protection measures to prevent data from misuse.
(c) IRDAI introduced the IRDAI (Outsourcing of Activities by Indian Insurers) Regulations, 2017, which apply to all insurers registered under IRDAI and any outsourcing arrangements entered into by them.
Personal Data Protection Bill, 2018
After the Supreme Court’s landmark judgment in the Justice KS Puttaswamy case, which held that privacy is a constitutional right, the MeitY formed a committee for making recommendations for a draft Bill on protection of personal data:
PDPB is influenced by the EU’s General Data Protection Regulation (GDPR). While businesses should be able to replicate processes that have been implemented to comply with the GDPR, this reciprocity of data protection norms is expected to reduce the compliance requirements of the outsourcing and technology industry attracting clients from Europe.
PDPB categorises data into personal data and sensitive personal data. (Sensitive data under the Bill includes passwords, financial data, health data, sexual orientation, biometric data, genetic data, etc.)
PDPB proposes a Data Protection Authority under Section 49 and has promulgated its powers and functions under Section 60—categorisation of sensitive/critical data from time to time, prevent any misuse of personal data, ensure compliance with the provisions of PDPB, and promote awareness of data protection etc.
Section 36 of PDPB mandates every data fiduciary to appoint a data protection officer who shall undertake responsibilities provided under PDPB and help in effective data protection by the data fiduciary as per the applicable provisions of the Bill.
PDPB provides that data can be processed without the consent of the provider only while performing functions of the state, to ensure compliance with law or court order, responding to a medical emergency or for any other reasonable specified purposes.
PDPB imposes certain restrictions on cross-border data flow. It is mandatory to store at least one serving copy of all personal data within the territory of India.
Section 69 of PDPB provides for penalties in case of contravention of provisions of the Bill—failure to appoint a data protection officer, data audit, unlawful data transfer, etc. Sections 90 and 91 prescribe criminal punishment and/or fine when personal data and sensitive personal data are obtained, disclosed, transferred or sold in contravention of provisions of the Bill.
(The author is co-founder & advocate, Sarvada Legal, New Delhi)