On 11 April 2011, India’s Ministry of Communications and Information Technology notified the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 under the Information Technology Act, 2000. India now has a privacy law, brought into force with immediate effect with wide ramifications on the way companies will do business in India. This article provides a description and review of the new law.
Information Technology Act
Until a couple of years ago, Indian law had no provisions dealing with privacy protection. The enactment of the Right to Information Act, 2005 gave a fillip to transparency in government dealings and concurrently provided some protection against the unwarranted disclosure of confidential information under that law. In 2008, the Information Technology Act was amended to introduce the following:
§ a new civil provision prescribing damages for an entity that is negligent in using ‘reasonable security practices and procedures’ while handling ‘sensitive personal data or information’ resulting in wrongful loss or wrongful gain to any person
§ criminal punishment for a person if (a) he discloses sensitive personal information; (b) does so without the consent of the person or in breach of the relevant contract; and (c) intends or knows that the disclosure would cause wrongful loss or gain.
In effect, the civil provision merely provided for damages for negligent conduct which is already available under common law. The criminal provision is fairly narrow and includes an element of mens rea, ie actual intention to do wrong is required. The two provisions were clearly not comprehensive in terms of privacy protection in India.
Salient Features of the New Rules
The following are the salient features of the new rules:
1. Sensitive Personal Information. The law relates to dealing with both personal information generally and ‘sensitive personal data or information’ (SPD). SPD is defined to cover the following: (a) passwords, (b) financial information such as bank account or credit card or debit card or other payment instrument details; (c) physical, physiological and mental health condition; (d) sexual orientation; (e) medical records and history; and (f) biometric information. It may be noted that SPD deals only with information of individuals and not information of businesses.
2. Privacy Policy. Every business is required to have a privacy policy, to be published on its web site. The business has to also appoint a grievance officer. The privacy policy appears to be required whether or not the business deals with SPD. The privacy policy must describe what information is collected, the purpose of use of the information, to whom or how the information might be disclosed and the reasonable security practices followed to safeguard the information.
3. Consent for collection. A business cannot collect SPD unless it obtains the prior consent of the provider of the information. The consent has to be provided by letter, fax or e-mail. The business must also, prior to collecting the information, give the option to the provider of the information not to provide such information. In such case, the business can cease providing the goods and services for which the information is sought.
4. Notification. The business should ensure that the provider of the information is aware that the information is being collected, the purpose of use of the information, the recipients of the information and the name and address of the agency collecting the information. Prior consent is required for disclosure of the information to any party other than the government.
5. Use and retention. The business can use personal information only for the purpose for which it was collected. Also, the business cannot retain the SPD for longer than is required for the purposes for which the information may lawfully be used or is otherwise required under any other law.
6. Right of access, correction and withdrawal. The business should permit the provider of the information the right to review that information and should ensure that any information found to be inaccurate or deficient be corrected. The provider of the information also has the right to withdraw its consent to the collection and use of the information.
7. Transnational transfer. A business can only transfer the SPD or information to a party overseas if the overseas party ensures the same level of protection provided for under the Indian rules. Further, the information can be transferred only if it is necessary for the performance of a lawful contract between the body corporate and the information provider or where the information provider has provided his consent to such transfer.
8. Security procedures. The Information Technology Act requires reasonable security procedures to be maintained in order to escape liability (see above). The rules appear to state that reasonable security procedures would be either (a) the IS/ISO/IEC 27001 on ‘Information Technology – Security Techniques – Information Security Management System – Requirements’; or (b) a code developed by an industry association and approved and notified by the government. The security procedure has to be audited on a regular basis by an independent auditor, who has been approved by the Government of India. Such audit should be carried out at least once a year or as and when the body corporate has undertaken a significant upgrade of its computer resource.
Implications of the New Rules
Employers
Employers in India will need to prepare a privacy policy and obtain the consent of the employees to the privacy policy by fax, letter or email. The employer has to give the employee the right not to provide SPD (and, consequently, not to hire the employee, though this is not entirely clear). The privacy policy needs to set out what information is being collected, what it will be used for and the name and address of the agency collecting the information. A serious concern would be the right of the employee to access all information about him, to review and correct the information and to require the information to be deleted.
Multinationals in India
Multinationals tend to maintain centralized databases of information about their businesses all over the world, including, in particular, information about employees, service providers and customers. Since the rules are in some parts more stringent than even the European rules, overseas group entities who receive the information will have to build in processes to comply with the rules. Further, the Indian entity will need to meet the requirements for having a privacy policy, consent for collection, notification about purpose of use of the information and who will be collecting the information and consent from the providers for providing such information to another party.
Outsourcing Industry
The rules are framed under the Information Technology Act 2000 which applies to ‘the whole of India’. On a plain reading, this means that any business dealing with personal information or SPD in India has to comply with the rules, even if such information relates to an individual based outside India. The logical effect of this is that the vendor in India or his customer overseas will need to fulfill the requirements of the law with the concerned individual, such as the consent for collection, notification obligations, right of access, correction and withdrawal. This has grave implications for the outsourcing industry and could lead to disruption of BPO operations in India.
Review of the New Rules
There are some significant concerns associated with the implementation of the new law. These are as follows:
1. Transition period. The law does not have a transition period. It comes into force with immediate effect. It applies to ‘body corporates’ which includes sole proprietors, partnerships and associations of persons doing business. The effect is that the law has to be implemented in a hurried manner by every single business in the country. This is clearly quite impractical. Most small businesses are likely to ignore the law and not comply with it.
2. Ultra vires the statute? The rules have been framed under the provision relating to the civil remedy (described above) in case an organisation does not use ‘reasonable security practices and procedures’. Accordingly, the government was only supposed to have set forth what those procedures would be and what constitutes SPD. However, the rules instead talk about the right to use personal information itself and several other related matters. One may be able to make out a case that the rules go beyond what is permitted by the statute. However, the government can remedy this by amending the rules to provide that they have been issued under the general rule making power under the statue and not the specific rule making power as stated above.
3. Applicability to information generally. The law defines ‘sensitive personal data and information’. In some places, references are to SPD and in other places to personal information generally. There is sometimes some ambiguity over whether certain provisions apply to all personal information or only to SPD. In some cases, it seems clear that the applicability is to personal information generally, thereby widening the ambit of the law.
4. Applicability to financial information. Unlike in the European law, the law includes financial information within SPD. A large part of business information is financial in nature. The inclusion of financial information sets a high standard of privacy protection relating to information that is received in the ordinary course of business. This is likely to have a disruptive effect on business in India.
5. Consent as a condition. The requirement of consent as a mandatory condition for the use of all SPD is surprising and restrictive. Under European law, consent is just one ground on the basis of which SPD can be used. For example, for personal information generally (including financial information), one can process such information without consent of the provider if it is necessary for the purpose of performance of a contract with the provider of the information.
6. Method of consent. The method of consent required is very surprising! The consent can be obtained only through letter, fax or e-mail! It appears that the consent cannot be obtained through an online consent, perhaps, not even through a contract and definitely not through the acceptance of a privacy policy. One would have expected an electronic law to be thought through more in electronic terms.
7. Unlimited right of access. The right of access is provided too broadly without regard to various exceptions that would need to be built in. For example, an employee can demand to see a confidential review report by management on the performance of the employee. European law contains numerous exceptions that cover obvious situations.
8. Withdrawal of consent. The right of the provider to ‘withdraw’ consent is naïve and impractical. Business cannot be conducted without the flow of information and consent cannot be the only factor in the collection, use or continued use of such information. Once that information has been received and processed, it may be required by the recipient and cannot be unilaterally withdrawn by the provider. Even safeguards relating to legal requirements for record keeping, which are present in the language on duration of retention, are not present in this provision.
9. Security standards. Under the statute, the prescribed security standards apply only if the provider and recipient of the information have not agreed on the standards in a contract. The law seems to suggest that one either follows IS/ISO/IEC 27001 or a government approved code developed by an industry body. It is not clear whether these are the only two options or merely that, if either of these options is used, the concerned business is ‘deemed’ to have complied with its obligation to use ‘reasonable security procedures’. It is our understanding that the requirements of this code are quite onerous and largely followed by banks and large organisations that need very high standards of security.
10. Applicability to Government. The rules do not apply to the government, thereby exempting one of the largest processors of personal information in the country. This means that one of the key reasons for having a privacy law has not been fulfilled. Perhaps, the non applicability to the government can be understood in the context of a separate project that the government is commencing – to draft a law to deal with concerns relating to the Government’s creation of an identity database.
Conclusion
Overall, the law, while laudable in objective, is poorly written, not properly thought through, too simplistic and fails to address more complex nuances of data protection issues that find a place in the European law. It has grave implications for doing business in India, particularly for multinationals operating in India and the outsourcing industry. This appears to be a case of one step forward and two steps backward!
An exercise is urgently required to clarify and in some cases amend the rules so that ambiguity is removed and obvious exceptions are built in to the rules. India will probably also need a government agency to implement the rules in a pro-active, business-minded manner along the lines of the Information Commissioner in the UK.
Stephen Mathias is a leading technology lawyer in India, partner in Kochhar & Co and co-chairs the firm’s Technology Law Practice: stephen.mathias@bgl.kochhar.com
