By Vineet Aneja and Vasudha Luniya, Clasis Law
E: vineet.aneja@clasislaw.com,
E: vasudha.luniya@clasislaw.com
The concept of data protection and privacy has not been addressed in any exclusive comprehensive legislation in India. However, the Supreme Court of India through a recent landmark judgment has heralded right to privacy as a fundamental right guaranteed to an Indian citizen under Article 21 of the Constitution of India. Such right to privacy impliedly includes the protection of personal and sensitive data of a person such as age, sex, date of birth or sexual orientation (which are all important aspects of dignity).
Right to privacy and data protection
The sphere of privacy stretches at one end to those intimate matters to which a reasonable expectation of privacy may attach. It expresses a right to be left alone. A broader connotation which has emerged in academic literature of a comparatively recent origin is related to the protection of one’s identity. Data protection relates closely with the latter sphere.
On August 24, 2017, in a landmark nine-bench ruling, the Apex Court in Puttaswamy vs Union of India unanimously declared right to privacy as an intrinsic part of the right to life and personal liberty under Article 21 of the Constitution of India.
On the point of data protection, the Apex Court has ordered the government to ensure a “robust regime for data protection” that would deliver “a careful and sensitive balance between individual interests and legitimate concerns of the state” is put into place soon.
Data protection
The Information Technology Act, 2000 (Act) contains specific provisions intended to protect electronic data (including non-electronic records or information that has been, is currently or is intended to be processed electronically). The Act was subsequently amended in 2008 to provide for protection of “sensitive personal data or information” (SPDI) and deal with compensation for negligence in implementing and maintaining reasonable security practices and procedures in relation to SPDI. SPDI includes passwords, financial information, such as bank account or credit card details, physical, physiological and mental health condition, sexual orientation, medical records and history, and biometric information.
On the point of SPDI, the Ministry of Communications and Information Technology adopted the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (Rules). The Rules relate to SPDI and are applicable to a body corporate or to any person located within India. Outsourcing companies/ intermediaries located within or outside India are exempt from the provisions of collection and disclosure as set out under the Rules, however, a body corporate providing services to an information provider directly under a contractual obligation is not exempt from these provisions.
Corporate obligations
A body corporate providing services relating to collection, storage, dealing or handling of SPDI under contractual obligation with any information provider shall be subject to compliance of the Rules. Information providers are those natural persons who provide SPDI to a body corporate.
To sum up, the Rules broadly regulate the: (a) collection, receipt, possession, use, storage, dealing or handling of SPDI; (b) transfer or disclosure of SPDI; (c) security procedures for protecting SPDI; (d) transfer of SPDI outside India; and (e) disclosure of SPDI to the Government.
Conclusion
Data privacy and data protection laws by their very nature need to be dynamic, constantly expanding and improving to deal with new impediments and hindrances. One such hindrance was the recent WannaCry ransomware cyber-attack which affected many globally. At the same time, domestically, one such encouraging step towards data protection is the Supreme Court case ruling on ‘right to privacy’.
It is imperative for foreign companies establishing business in India to ensure that their local Indian entity adheres to Indian data privacy and data protection law requirements even if the local entity has been following global best practices in this regard. Further, the privacy policies and other related policies of a body corporate should be in line with the Rules so as to protect the SPDI of the information provider.
E: vasudha.luniya@clasislaw.com
T: (91) 11 4213 0000
F: (91) 11 4213 0099