Introduction
The Government of India recently issued the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “Privacy Rules”) under the Information Technology Act, 2000. The rules are what would be expected from full-blown privacy legislation with regulations on how companies collect, disclose, and transfer sensitive personal data or information. The terms “personal information” and “sensitive personal data or information” have been defined broadly and encompass a wide range of activities. Consequently, there is a concern, stemming from a plain reading of the Privacy Rules, that it has the potential of disruptively affecting the way in which most companies do business in India. Of particular concern is the effect these rules will have on the outsourcing industry in India, much of whose entire business depends on the processing of personal information for customers around the world. This article analyzes the Privacy Rules in the context of the provisions of the Information Technology Act, 2000 and seeks to place the rules in their proper context in order to understand the actual impact that these rules will have on business.
Privacy Under the Information Technology Act
The Privacy Rules have been enacted under a specific section of the Information Technology Act, 2000 that relates to privacy. In order to understand how these rules will apply to businesses in India it is necessary to understand the statutory context in which they have been drafted.
The Introduction of Section 43A
In 2008, a new Section 43A was introduced into the IT Amendment Act to address concerns relating to privacy. The section applied specifically to “bodies corporate” that either possessed, dealt with, or handled sensitive personal data or information in a computer resource that they owned, controlled, or operated. If, as a result of any negligence in the implementation or maintenance by that body corporate of reasonable security practices and procedures, any person suffered wrongful loss or gain, the body corporate would be liable to pay damages by way of compensation to the person affected.
Some of the terms used in Section 43A, such as “sensitive personal data or information” and “reasonable security practices and procedures,” were left to be defined later by the Central Government. The explanation in Section 43A relating to the term “reasonable security practices and procedures” is relevant and has been reproduced below:
“Reasonable security practices and procedures means those practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.” [Emphasis supplied]
The scheme of Section 43A therefore, was to allow the parties to agree on the types of practices and procedures they will adopt in order to protect sensitive personal data or information from unauthorized access or use or to abide by any specific law that might have stipulated practices and procedures. It is only if there were neither an agreement between the parties nor a suitable law, that the “reasonable security practices and procedures” prescribed by the Central Government would apply.
The Rule-Making Power to Enact the Privacy Rules
When the amendment was introduced in 2008, no rules were issued by the Central Government. Parties were left to determine the appropriate practices and procedures to be adopted in relation to sensitive personal data and information through agreement. It was only in April 2011, that the Central Government issued the Rules to prescribe the practices and procedures under Section 43A.
The rules have been specifically enacted under Section 87(2)(ob) (read with Section 43A) which empowers the Central Government to make rules relating to “reasonable security practices and procedures and sensitive personal data or information under Section 43A.” The language of the section makes it clear that the rule-making power of the Central Government is limited to two matters alone—(i) reasonable security practices and procedures and (ii) sensitive personal data or information. Even a cursory glance over the provisions of the Rules indicates that they go much further and articulate a privacy framework way beyond the mandate available under Section 87(2)(ob).
In this context, there is an argument to be made that the Rules should be struck down as being in excess of the rule-making power of the Central Government—an argument which is likely to succeed should it be brought before the courts. However, if the Rules can be read harmoniously with the provisions of Section 43A, it may be possible to present an interpretation that is consistent.
Harmonious Construction
The explanation to Section 43A makes it clear that the Central Government has been authorized to prescribe reasonable security practices and procedures. If we can treat the Rules as a set of security practices and procedures in relation to the collection, disclosure and transfer of sensitive personal data or information, it may be possible for us to read these Rules harmoniously along with the provisions of Section 43A to ensure that they both remain enforceable. What this means, however, is that the Rules would occupy a slightly less central position in the general scheme of data protection provisions. If in fact the Rules are just a set of practices and procedures, Section 43A states that the practices and procedures prescribed by the Central Government would apply only in the absence of an agreement or a law. If the parties have agreed on the security practices and procedures that would govern the treatment of sensitive personal data or information, this agreement will prevail over the Rules.
The Privacy Rules
Now that we have this context, let us examine the provisions of the Privacy Rules to understand their impact on business.
Definitions
The Privacy Rules have defined the term “personal information” to mean any information that relates to a natural person and which is capable of identifying that person. Corporations or other legal persons are implicitly excluded. It is probably appropriate to mention that the term personal information has relevance only to the extent that it is used in the definition of “sensitive personal data or information.” The Privacy Rules have not specified different treatment for personal information and sensitive personal information, as is common in data protection statutes around the world.
The term “sensitive personal data or information” has been defined to mean personal information that contains information relating to passwords; financial information; physical, physiological and mental health condition; sexual orientation; medical history and records; and biometric information. Specifically excluded from this definition is information that is either in the public domain or that is furnished under the Right to Information Act, 2005. Under Section 43A of the Information Technology Act and the Privacy Rules, it is this sensitive personal data or information that is protected and regulated.
Bodies corporate will need to adapt their practices: to the extent that they are collecting, disclosing, or transferring personal information containing the elements mentioned above, they will need to implement reasonable security practices and procedures in order to avoid paying compensatory damages.
Collection, Disclosure and Transfer
Under the Privacy Rules, sensitive personal data or information can only be collected for a lawful purpose that is related to the function or activity of the entity collecting it, and even then only after obtaining consent. Such data, once collected, can only be used for the stated purpose, and should be held securely and only for as long as necessary to achieve the purpose. The person from whom the information is collected should be made aware of the fact that the information is being collected, the purpose for which it is being collected, the intended recipients of the information, and the name and address of the agency collecting and retaining the information. That person must have a right to review the information and correct any inaccuracies or deficiencies and must be provided an opt-out option at the time of collection as well as subsequently.
Sensitive personal data or information cannot be disclosed to a third party without prior permission unless there is a contract to the contrary or if required in order to comply with a legal obligation. Any third-party recipient cannot disclose it further. The exception to this rule is government agencies empowered under law to obtain such information. Even so, the government agency in question will have to requisition this information formally and is prohibited from sharing the information with any other person.
The Privacy Rules also prescribe restrictions on the transfer of data. Any such transfer must only be undertaken with the consent of the person who provided the data and only if necessary for the performance of a contract. At all times, sensitive personal data or information must only be transferred to any other body corporate that ensures the same level of data protection as provided under the Privacy Rules.
As mentioned before, the mandate of the Central Government under the rule-making power of Section 87(2)(ob) is limited to making rules with regard to reasonable security practices and procedures. Read in this context, all these rules in relation to collection, disclosure, and transfer represent the practices and procedures prescribed by the Central Government for bodies corporate to follow when dealing with sensitive personal data or information. Under Section 43A, parties are free to agree to practices and procedures for data collection, disclosure and transfer that are different from those set out here. If such practices and procedures are implemented in accordance with the agreement, the body corporate will not be liable for loss suffered. However, if no such applicable practices and procedures have been agreed to, the bodies corporate would be bound to follow the provisions set out in the Privacy Rules, and, should any loss be suffered as a consequence of not following these rules, they will be liable to pay damages by way of compensation to those affected.
Privacy Policy
One of the requirements of the new rules is that corporate entities will be obliged to set out a privacy policy describing the manner in which they handle personal information. The policy should list the types of sensitive personal data or information collected by the body corporate; the purpose for collection and usage; the restrictions on its disclosure, and the security practices and procedures adopted. This is a practice/procedure prescribed by the Central Government and should be implemented by bodies corporate in relation to personal information that they handle.
Reasonable Security Practices and Procedures
The Privacy Rules also establish what constitutes reasonable security practices and procedures in relation to sensitive personal data or information. A body corporate will be deemed to have complied with reasonable security practices and procedures if they have a comprehensive documented information security program and policy and if they can demonstrate, in the event of an information security breach, that the policy was implemented as documented. The policy should contain managerial, technical, operational and physical security measures commensurate with the information assets being protected. The rules recommend the implementation of International Standard IS/ISO/I
Analysis and Implications on Business
From this analysis it is clear that the Rules are not the all-encompassing privacy legislation that they appear to be. At worst they constitute an executive act in excess of the Central Government’s administrative power to enact. At best they are no more than government-prescribed practices and procedures that bodies corporate could choose to follow in order to avoid the consequences set out in Section 43A.
Nevertheless, with the enactment of the Rules, corporate entities are forced to re-examine the manner in which they deal with sensitive personal data or information. They will now have to either put in place policies and agreements in relation to the handling of information or resign themselves to complying with the Rules. Failure to do so will bring with it the risk of compensatory damages.
Most bodies corporate, particularly those in the outsourcing industry that deal with personal data, have already put in place detailed rules relating to the privacy of personal information and the procedures and practices to be adopted. To the extent that corporate entities have these sorts of agreements in place and are applying them consistently, the Rules will have little impact. However, where companies do not have such policies and contracts in place, the procedures and practices under the Rules will apply and, should any loss be suffered, the company in question will be liable to pay compensation by way of damages to the aggrieved person.
Privacy Legislation
The Government of India is in the process of preparing a Privacy Bill that will set out the legal framework for the country’s data protection regime. That Bill will pass through Parliament and will be enacted as stand-alone privacy legislation. Once enacted, the principles established under that legislation would form the benchmark against which privacy provisions of all laws in the country will be tested. Under such circumstances, the Privacy Rules made under the Information Technology Act, 2000 would have to comply with the provisions of this forthcoming Privacy Bill.