Published by Enhelion, 2019-11-23 04:23:58


MODULE 12: PRIVACY BILL, 2011 – CRITICAL ANALYSIS

India introduced the Information Technology
[Reasonable security practices and procedures and sensitive personal data or
information] Rules, 2011 [the “DP Rules”], under the Information Technology
Act, 2000 [the “IT Act”] which became effective from 11 April 2011.

The DP Rules significantly alter the privacy landscape in India and have
implications for multinational companies outsourcing business to India or
operating in India. They are also relevant for service providers in India.

12.1 IMPLICATIONS FOR BUSINESS

The DP Rules took effect on 11 April 2011, with no transition period. They could have a significant
impact on the business processes of companies operating in India or outsourcing to India. Such
companies would be well advised to:

• review their procedures for collection, handling and storage of sensitive personal
data or information [the “SPD”] and personal information for compliance with the
DP Rules, the IT Act and any applicable sectoral legislation; consider if their security
practices for SPD meet the requirements specified by the DP Rules;

• ensure that service providers in India who collect, handle, process or store personal
information or SPD on their behalf comply with the DP Rules. Conversely, service
providers in India who do not have direct contact with the providers of information
should ensure that the person collecting personal information or SPD and/or the
providers of information, as applicable, have obtained the necessary consents regarding
the collection, use, storage, handling, processing and transfer of such information;

• review their privacy policies and terms of use of websites and nominate grievance
officers; and

• consider if transfer of SPD outside India is permissible by the DP Rules.

Further, unless the Government of India clarifies that the DP Rules apply only to data collected
after 11 April 2011 [which we understand is currently being deliberated by the
Government], companies that have offshored health, financial or IT administration to India
should review their consent requirements and provide separate consent forms to their
customers.

Unlike the UK, India does not have a data protection authority to oversee implementation of
the law and issue guidance. Therefore, clarifications on the DP Rules or the IT Act would
have to be obtained from the Ministry of Communications and Information Technology. The
Ministry does not have a formal process for seeking clarification and companies may
consider approaching industry bodies such as the Data Security Council of India, FICCI or CII
to make representations on areas of concern arising out of the DP Rules.

12.2 DATA PROTECTION FRAMEWORK

Comprehensive data protection legislation has been on the agenda in India for several years,
and piecemeal progress has been made over that time. The IT Act was amended in 2008 to
provide:

• civil penalties for failure to protect sensitive personal data [though sensitive personal
data was not defined until introduction of the DP Rules];

• civil and criminal penalties for disclosure of information, documents, electronic
records and the like without consent of the person providing the information, in
certain circumstances; and

• civil and criminal penalties for disclosure of personal information in breach of
contractual obligations. Again, ‘personal information’ was not defined until
introduction of the DP Rules.

Separately, sectoral regulations for licensed telecommunications companies and
financial service companies containing data protection obligations were prescribed.

None of these regimes created a comprehensive data protection regime, and this
situation continues despite the DP Rules. Indeed, the DP Rules are wide in their
scope, use terms that are not always defined [e.g. the terms “person” and “provider of
information”], and the extent to which some of the rules apply to personal
information as opposed to SPD is unclear, as outlined below.

12.3 THE DP RULES

The DP Rules apply to “body corporates”[1] and to any person who, on behalf of a body
corporate, collects, receives, possesses, stores, deals in or handles personal information
including sensitive personal data. This reflects the classical distinction between a data
controller and a data processor.

The territorial application of the DP Rules is not specified in the 2011 revision. However, the
IT Act applies to the whole of India and to any offence or contravention committed
outside India by any person if the offence or contravention involves a computer, system or
network in India [Section 1[2] and Section 75 of the IT Act[2]]. Thus, any contravention of
the DP Rules involving a computer, system or network located in India is caught by the DP
Rules, irrespective of the data controller’s or processor’s location.

12.4 DEFINITION OF PERSONAL AND SENSITIVE PERSONAL INFORMATION

Personal information is defined as any information relating to a natural person which,
directly or indirectly [on its own or in combination with other information], is capable of
identifying an individual.

SPD [sensitive personal data or information] comprises personal information relating to:

• passwords;
• financial information [e.g. bank account, credit card, debit card, payment instrument
details];
• physical, physiological and mental condition;
• sexual orientation;
• medical records and history; and
• biometric information,

but excludes freely available information, information in the public domain, and
information provided under the Right to Information Act, 2005 or any other law.
Under the Right to Information Act, public authorities must on request disclose
information about private bodies held by them, unless specific exemptions apply,
including the ability to withhold disclosure of personal information if such disclosure
is not in the public interest. While mirroring the EU definition of sensitive data, the
Indian definition is broader in that it also encompasses passwords, financial information
and biometric information as SPD.

12.5 KEY PROVISIONS - PERSONAL INFORMATION [INCLUDING SPD]

Each issue below is followed by the corresponding obligation under the DP Rules.

Notice
Personal information will be processed fairly if information such as [a] the
fact that the information is being collected; [b] the purposes of such
collection; [c] the recipients of the information; and [d] the name and
address of the company collecting the information and of the one retaining the
information, is provided to the individual[s] concerned.
The DP Rules are unclear on whether the above requirements apply to the
collection of personal information as well as SPD. However, it is prudent to comply
with these requirements when collecting personal information.

Privacy policy
A body corporate or person who collects, receives, possesses, stores, deals in
or handles personal information including SPD must publish a privacy policy
on its website detailing what information is collected, the purposes of its use, to
whom or how the information might be disclosed and the reasonable
security practices in place.

Rights of access and correction
On request, the providers of information [the “Providers”] are entitled to
review the personal information or SPD provided by them and to have
inaccurate or deficient information corrected.
The term ‘provider of information’ suggests that it could include the
individual to whom the information belongs and any other person with
access to SPD or personal information.

Opting out
Before collecting personal information [including SPD], the Provider must
have the opportunity to decline to provide the information and to withdraw
consent to collection previously given. The withdrawal must be sent in
writing.

Security
Security practices must be adopted to keep information secure. There are
two ways to fulfil this obligation:
• complying with the international standard IS/ISO/IEC 27001 on
“Information Technology – Security Techniques – Information
Security Management System – Requirements”; or
• complying with a self-regulated industry association’s or entity’s code of best
practices approved and notified by the Government of India. As of today, no
code appears to have been approved.
In case of a security breach, the data controller or processor must be able to
demonstrate implementation of its documented security control measures.
Note that compliance with the standard or approved code should be audited
[by a Government-approved independent auditor] annually, or earlier if a
major IT infrastructure upgrade is undertaken.

Grievance officer
A grievance officer must be appointed by the body corporate and his name
and contact details must be published on its website. Complaints by
Providers must be redressed by the grievance officer.

12.5.1 KEY PROVISIONS – SPD

Each issue below is followed by the corresponding obligation under the DP Rules.

Consent
Before collecting SPD, written consent by letter, fax or e-mail must be obtained from the
Provider, disclosing the purpose of collecting the SPD.
SPD must be collected for lawful purposes connected with the activities of
the body corporate [or the entity collecting SPD on its behalf], and its
collection must be necessary for that purpose.

Retention
SPD must not be retained for longer than necessary. While this is a
principle under the DP Rules, separate retention rules apply to certain
financial services companies. It is also questionable why this obligation
does not extend to personal information.

Disclosure
SPD must not be disclosed to third parties without consent of the Provider,
unless the disclosure is required by law, to comply with a legal obligation,
or by Government agencies in specified instances.
While these requirements apply to SPD, the IT Act provides consequences
for breach of privacy and for disclosure of information in breach of contract.
These provisions could be attracted if personal information [that is not
SPD] is disclosed, though in the latter case the standard of proof is high, as
intent to cause loss or gain by the disclosure must be established.

Transfer of data - within and outside India
SPD may be transferred to any other body corporate or person in or
outside India if the recipient’s data protection standards are similar to
those imposed by the DP Rules. The transfer must be necessary for the
performance of a contract, or the Provider must have consented to the
transfer.
This suggests that transfer of personal information [that is not SPD] would not be
regulated, since the DP Rules deal with transfer of SPD alone. However, additional
restrictions on cross-border transfer of certain data apply to licensed
telecommunication companies.

12.6 CONSEQUENCES OF BREACH

A body corporate that is negligent in implementing and maintaining security practices and
procedures for protecting SPD may be liable to pay compensation [the maximum
compensation that may be imposed is not specified] to the person affected.

Separately, persons acquiring information under the powers granted by the IT Act or the DP
Rules may be penalised with up to two years’ imprisonment and/or a fine of up to Rs. 100,000
[approximately €1,560] for disclosing information, documents, correspondence, electronic
records or other material to third parties without consent of the person who provided the
information. Directors and other persons responsible for the conduct of the business are liable
for offences by companies, unless they prove that they did not have knowledge of the
contravention or that they exercised due diligence to prevent the offence.

Any person, including an intermediary, with access to personal information and providing
services under a contract may be liable to imprisonment of up to three years and/or a fine of
up to Rs. 500,000 [approximately €7,790] if they disclose personal information to third
parties in breach of contract or without consent of the person to whom the personal
information belongs.

12.7 DATA PRIVACY – AN OVERVIEW

Finally, the long wait for clarification of the many techno-legal, compliance and other issues
regarding data/information privacy may soon be over. Although the right to privacy has been
given due consideration under Article 21 of the Constitution of India, on the ground we
have seen no respect for the law. At present two ministries under the Government of India,
namely the Ministry of Law & Justice and the Ministry of Personnel, Training & Public Grievances,
are busy preparing drafts of the Data Privacy Bill. At the outset, the Government’s proactive
move to bring about a specific umbrella legislation concerning data privacy in India has
received many accolades. The ‘Bill’ comes in the wake of the assurance given by the
Government of India to the Supreme Court of India while hearing a writ petition filed by Mr.
Ratan Tata challenging the publication of the Ms. Nira Radia tapes, which in turn is
alleged to have violated Mr. Ratan Tata’s right to privacy.

The Bill aims to provide a data privacy law for the citizens of India [and only the citizens of
India] by regulating the collection, maintenance, use and dissemination of their personal
information, and purports to penalize any violation whatsoever. Currently, data privacy is
governed by a private standard contract between the provider of the information and the
corporation; the contract identifies the mode and manner in which the data/information is
to be used. The new legislation will definitely empower the citizen when it comes to
violations on the part of corporations or any of their subsidiaries and employees. The new
law will also keep a tab on the manner in which corporations use personal data/information.

12.8 HIGHLIGHTS OF THE BILL

1. Consent of the individual is made mandatory for further processing, use and dissemination of
data residing in India.

2. Constitution of a Central Communication Interception Review Committee to examine
and review the interception orders passed.

3. Establishment of a Data Protection Authority of India to monitor developments in
data processing and computer technology. The Authority can investigate any data
security breach and issue orders to safeguard the security interests of affected
individuals.

4. Interception of communication, as well as disclosure of such information, has been
made an offence punishable with imprisonment or fine or both.

5. Obtaining any record of information concerning an individual from any officer of the
government or agency under false pretext is an offence.

6. Distinguishes between data and personal information.

7. Purports a very strong liability for Government [including government officers] and
related organizations for violation of privacy.

8. Stringent punishment for telecom service providers for illegally intercepting
telephone calls and making their content public.

9. Prohibits surveillance without proper authorization.

10. Provides for health information privacy.

12.9 ANALYSIS AND COMMENTS

The Bill recognizes the right to privacy as a statutory right which, at the same time, is not
identified as an absolute right. It also envisages modifying the existing system of
interception and phone tapping by the Government by providing various procedural
safeguards that would put an end to illegal and unauthorized tapping. Since the law is also
regulatory in nature, the Data Protection Authority of India will supervise the mechanism. The
Bill also discusses referral of disputes to the Cyber Appellate Tribunal, a judicial authority
established under the Information Technology Act, 2000 [amended in 2008].

The Bill primarily stipulates that every individual has a right to privacy. Further, several laws
have been exempted from the privacy right under Section 90: the Right to Information
Act and the Prevention of Corruption Act have been expressly removed from the ambit of the
privacy right.

Listed below are the manifestations of privacy provided under Section 3 [2]:

1. Confidentiality of communication
2. Confidentiality of private/family life
3. Protection of honor and good name
4. Protection from search, detention, or exposure of lawful communication between
and among individuals
5. Privacy from surveillance
6. Confidentiality of banking and financial transactions
7. Confidentiality of medical and legal information
8. Protection from identity theft (criminal, financial, identity cloning, medical)
9. Protection from use of photographs, fingerprints, DNA samples, and other samples
taken at police stations or other places
10. Privacy of health information
11. Protection of data relating to an individual

The foremost attempt of the law is to provide clarification regarding confidentiality and
interception. The Bill goes on to define both of these terms in detail, as follows:

1. “Confidentiality” has been defined as “a process of sharing facts, ideas, opinions,
thoughts, and information through speech, writing, gestures, sound, images, signals
or pictures, graphs, symbols, diagrams between two or more individuals through
telephonic conversations, radio messages, electronic mode (including internet or
satellite) or postal letter or any other mode”.

2. “Interception” has been defined as “undertaking the stopping of transmission of any
communication, or interception or detention thereof (including tapping of the
telephone conversation or copying of data)”.

The Bill prohibits interception of communications except in certain cases with the approval
of a “Secretary Level Officer” not below the rank of home secretary at the Centre and State
levels. A review committee, named the Central Communication Interception Review
Committee (CCIRC), is to be constituted to examine and review all interception orders passed. The
Committee is empowered to destroy all intercepted data at any time, although there is also a
provision for mandatory destruction of intercepted material by the service provider within
two months of discontinuance of interception. Unauthorized interception and disclosure of
legally intercepted communication have been expressly rendered punishable under the law.

Moreover, the Bill adds muscle to data protection through the proposed establishment of the Data
Protection Authority of India. The Authority is to monitor developments in data
processing and computer technology, to examine law and evaluate its effect on data
protection, to forward recommendations, to receive representations, and to investigate any
data security breach and issue orders to safeguard the security interests of affected
individuals/entities. Where the data is resident in India and the place of business is
abroad, the entity is forbidden to process the data without the consent of the provider of
the information.

Interestingly, the Bill provides rules for the ‘Use of Materials collected at a police station’. The
provision is aimed specifically at materials such as photographs, fingerprints and DNA samples
collected at police stations, and forbids disclosure of such information in public.
Another interesting provision is about ‘Health Information Privacy’. Health-related
information must be used only for the purpose consented to by the provider of the information
and should not be disclosed in public.

The Bill identifies offences punishable with imprisonment or fine or both under its offences and
penalties section. The following are listed under the Bill:

1. Unauthorized Interception of Communication
2. Unauthorized Processing of personal data
3. Disclosure of Intercepted Communication
4. Obtaining personal information on False Pretence
5. Violation of conditions of License to Service Providers
6. Undertaking surveillance [In contravention of the Bill]
7. Disclosure of Personal Information without consent
8. Taking and using of photographs, fingerprints, DNA samples in public
9. Declaration of Health Information [Without permissions]
10. Contravention of Directions of the Data Authority
11. Data Theft

Also, the Bill recognizes three kinds of remedies in the form of Compensation, Civil Action
and Criminal Action.

In a nutshell, the privacy law secures citizens from identity theft, undue surveillance,
illegal interception, illegitimate use of data/personal information including health
information, and so on. At the same time, the law directs the establishment of the Data Protection
Authority of India, the National Data Controller Registry and the Central Communication
Interception Review Committee for the practical implementation of the law.

The Government’s step to provide a law to protect and regulate the privacy of personal data/
information has been welcomed by experts, but at the same time they point out that the
new legislation is far from seeing the light of day. The main concerns include
overlap with existing laws and the rapid pace of technological advancement. It would be hard
for the government to achieve effective implementation while keeping pace with dynamic
technological advancement, although one thing is clear: the end product must strike a true
balance between public interests and securing privacy.

