7 October, 2017
The balance between data regulation and individual privacy raises complex issues, requiring delicate balances to be drawn between the legitimate concerns of the state on one hand and the individual's interest in the protection of privacy on the other. This has given rise to one of the most debated Supreme Court judgments of recent times, on the ‘right to privacy’. Consequently, a robust regime for data protection is the need of the future.
With the increase in the use of technology in our personal lives and businesses, the ease of planning our day and doing business has gone up, albeit with concerns about the protection of personal information and data. The concept of data protection and privacy has not been addressed in any exclusive, comprehensive legislation in India. However, the Supreme Court of India, through a recent landmark judgment, has recognised the right to privacy as a fundamental right guaranteed to an Indian citizen under Article 21 of the Constitution of India (“Constitution”). Such right to privacy impliedly includes the protection of personal and sensitive data of a person, such as age, sex, date of birth and sexual orientation (which are all important aspects of dignity).
Right to privacy and data protection in India vis-à-vis the landmark SC judgment
The sphere of privacy stretches at one end to those intimate matters to which a reasonable expectation of privacy may attach. It expresses a right to be left alone. A broader connotation which has emerged in academic literature of a comparatively recent origin is related to the protection of one’s identity. Data protection relates closely with the latter sphere.
On August 24, 2017, in a landmark nine-judge bench ruling, the Apex Court in Justice K.S. Puttaswamy (Retd.) & Anr. Vs. Union of India & Ors. unanimously declared the right to privacy to be an intrinsic part of the right to life and personal liberty under Article 21 of the Constitution. The petitioners in this case had challenged the Aadhaar scheme, which mandates that citizens part with their biometrics, as unconstitutional on the ground that it violates the right to privacy. Although the judgment does not comment on whether the Government's demand for Aadhaar to be linked to all financial transactions amounts to an infringement of privacy, it has directed the Government to ensure a "robust regime for data protection" that would deliver "a careful and sensitive balance between individual interests and legitimate concerns of the state."
Further, the right to privacy as part of a fundamental right must come with certain reasonable restrictions, as also stated in the judgment. Hon’ble Justice Abhay Manohar Sapre held that the ‘right to privacy’ is part of the fundamental rights of a citizen guaranteed under Part III of the Constitution. However, it is not an absolute right but is subject to certain reasonable restrictions which the State is entitled to impose on the basis of social, moral and compelling public interest in accordance with law. Similarly, he held that the “right to privacy” has multiple facets, and therefore has to go through a process of case-to-case development as and when any citizen raises a grievance complaining of infringement of his alleged right in accordance with law.
On the point of data protection, the Apex Court in the same judgment ruled that, since the Government has initiated the process of reviewing the entire regime of data protection, it would be appropriate to leave the matter for expert determination so that a robust regime for the protection of data is put into place.
It is imperative to note here that past decisions of the Supreme Court in (i) M.P. Sharma Vs. Satish Chandra, District Magistrate, Delhi [(1954) SCR 1077], which held that the right to privacy is not protected by the Constitution, and (ii) Kharak Singh Vs. State of U.P [(1964) 1 SCR 332], to the extent that it held that the right to privacy is not protected by the Constitution, both stand overruled by the aforementioned judgment.
Data protection under the Act
The Information Technology Act, 2000 (“Act”) contains specific provisions intended to protect electronic data (including non-electronic records or information that has been, is currently or is intended to be processed electronically). The Act was amended to add a section on compensation for failure to protect data, which provides for the protection of 'sensitive personal data or information' (“SPDI”) and deals with compensation for negligence in implementing and maintaining reasonable security practices and procedures in relation to SPDI. As a system of checks and balances, the Act imposes punishment for disclosure of information in breach of a lawful contract or without the information provider's consent, and provides for the protection of personal information.
To elaborate further on the point of compensation for failure to protect data, the Ministry of Communications and Information Technology adopted the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules (“Rules”), which took effect in 2011. The Rules require corporate entities collecting, processing and storing personal data, including SPDI, to comply with certain procedures. Further, in August 2011 the Ministry of Communications and Information Technology released a press note which clarified a number of provisions of the Rules. Among other things, the press note clarified that the Rules relate to SPDI and are applicable to any person located in India or a body corporate.
The Rules, its applicability and other obligations under its purview
What is SPDI?
Before analysing the Rules, we must take a look at what constitutes SPDI. SPDI includes passwords; financial information, such as bank account or credit card details; physical, physiological and mental health condition; sexual orientation; medical records and history; and biometric information.
Applicability and analysis of the Rules
The Rules relate to SPDI and are applicable to a body corporate or to any person located within India. Outsourcing companies/intermediaries located within or outside India are exempt from the provisions on collection and disclosure set out under the Rules. However, a body corporate providing services to an information provider directly under a contractual obligation is not exempt from these provisions. Information providers, as referred to in these Rules, are those natural persons who provide SPDI to a body corporate.
Further, each body corporate that collects, receives, possesses, stores, deals in or handles information of information providers shall provide a privacy policy for the handling of, or dealing in, personal information including SPDI, and shall ensure that the policy is available for viewing by the information providers who have provided such information under a lawful contract.
To sum up, the Rules broadly regulate the: (a) collection, receipt, possession, use, storage, dealing or handling of SPDI; (b) transfer or disclosure of SPDI; (c) security procedures for protecting SPDI; (d) transfer of SPDI outside India; and (e) disclosure of SPDI to the Government.
Obligations of the body corporate controlling SPDI under the Rules
In terms of the Rules, a body corporate shall have the following obligations to ensure data is processed properly:
a) Privacy policy: A body corporate that deals with SPDI must have a privacy policy, and publish such policy on its website. The privacy policy must describe the type of information collected, the purpose and use of the information, to whom or how the information can be disclosed and the reasonable security practices and procedures followed to safeguard the information. A body corporate must also appoint a grievance officer, whose name and contact details must be published on its website. The grievance officer must act on any grievance within one (1) month from receiving the grievance.
b) Consent and notification: A body corporate cannot collect SPDI unless it obtains the prior consent of the information provider. A business must also, before collecting the information, give the information provider the option not to provide such information. If this is the case, the business has the option to cease providing goods and services for which the information is sought. A business must also ensure that the information provider is aware:
- that the information is being collected;
- of the proposed use of the information; and
- of the name and address of the agency collecting or receiving the information.
c) Use, retention and withdrawal: Bodies corporate can only use personal information for the purpose for which it was collected. They cannot retain SPDI for longer than is required for the purposes for which the information can lawfully be used, or as otherwise required under any other law. The information provider of the SPDI has the right to review the information provided and to ask for inaccurate or deficient information to be corrected. The information provider also has the right to withdraw his consent to the collection and use of the SPDI.
d) Disclosure: Disclosure of SPDI to a third party is possible if: (i) it has been agreed in a contract with the information provider; (ii) it is necessary for compliance with a legal obligation; or (iii) prior permission is given by the information provider.
e) Transfer: A body corporate can only transfer SPDI to a third party, whether in India or overseas, if the receiving party ensures the same level of protection as that provided under the Rules. Additionally, SPDI can only be transferred if it is necessary for the performance of a lawful contract with the information provider, or if the information provider has consented to the transfer.
Conclusion
Data privacy and data protection laws by their very nature need to be dynamic, constantly expanding and improving to deal with new impediments and hindrances. One such hindrance was the recent WannaCry ransomware cyber-attack that affected many globally. At the same time, domestically, one encouraging step towards data protection is the Supreme Court ruling on the ‘right to privacy’.
There is an unparalleled thrust now to upgrade data privacy and data protection standards in India, as the country is increasingly becoming a prominent part of the global economy with increasing foreign investment in India. Further, the judiciary’s proactive interest in data privacy issues, and its opinion that trustees of customers’ data must be judged on ‘tougher standards’ and that a ‘strong signal must be sent’ to hold defaulting entities liable, have made corporates align themselves with the data privacy and data protection laws of the country. It is imperative, therefore, for foreign companies establishing business in India to ensure that their local Indian entity adheres to Indian data privacy and data protection law requirements, even if the local entity has been following global best practices in this regard. With new beginnings, it is the need of the hour for the Government to come up with a robust regime for data protection that would deliver a careful and sensitive balance between individual interests and the legitimate concerns of the state. It would be interesting to follow the developments in this area in the near future and observe the matter to its end.
For further information, please contact:
Vineet Aneja, Partner, Clasis Law
vineet.aneja@clasislaw.com