
LAW RELATING TO SENSITIVE PERSONAL INFORMATION IN INDIA

An important debate that has arisen before the Supreme Court of India is whether there is a fundamental right to privacy[2]. The matter was referred to a nine-judge constitutional bench and a decision is forthcoming. An important point raised before the Court at a hearing on August 1 is that the Central Government has constituted a committee of experts, led by former Supreme Court judge Justice B. N. Srikrishna, to identify "key data protection issues" and suggest a draft data protection Bill[3]. Reading from an office memorandum dated July 31, the Additional Solicitor General of India informed the Court that the Ministry of Electronics and Information Technology would work with the panel and hand over all necessary information to the Committee within the next eight weeks, after which the Committee would start its deliberations.

Introduction

Unlike the European Union, which adopted the Data Protection Directive in and has most recently passed the General Data Protection Regulation, scheduled to become enforceable with effect from May 25, , India does not currently have a separate data protection law. When the Information Technology Act (hereinafter the "IT Act") first came into force on October 17, , it lacked provisions for the protection of an individual's sensitive personal information and for the procedure to be followed to ensure its safety and security.

Important Provisions of the IT Act related to Data Protection

Section 43A of the IT Act explicitly provides that where a body corporate possesses or deals with any sensitive personal data or information and is negligent in implementing and maintaining reasonable security practices to protect such data or information, thereby causing wrongful loss or wrongful gain to any person, that body corporate shall be liable to pay damages to the person(s) so affected.

Further, Section 72A provides the punishment for disclosure of information in breach of a lawful contract: any person who discloses information in breach of a lawful contract may be punished with imprisonment for a term not exceeding three years, or with a fine not exceeding five lakh rupees, or with both.

Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules,

The Department of Information Technology notified the Rules on April 11, vide notification no.

This was clarified by a press note dated August 24, issued by the Ministry of Communication and Information Technology, which stated that the Rules apply to a body corporate or any person located within India[1]. It was further clarified that any information that is freely available or accessible in the public domain is not considered sensitive personal data.

Rule 4 imposes a duty on bodies corporate seeking sensitive personal data to draft a privacy policy and make it easily accessible to the people providing the information. The privacy policy should be clearly published on the website of the body corporate and should contain details of the type of information being collected, the purpose for which it is collected, and the reasonable security practices undertaken to maintain the confidentiality of that information.

Rule 5 sets out the guidelines a body corporate must follow while collecting information and imposes the following duties on it: obtain consent from the person(s) providing the information, in writing or by fax or e-mail, before collecting such sensitive personal data (the press note dated August 24, issued by the Ministry of Communication and Information Technology clarified that consent includes consent given by any mode of electronic communication); and collect information only where it is for a lawful purpose and is considered necessary for that purpose.

A maximum period of one month has been provided for the resolution of such grievances. Rule 6 provides that a body corporate must seek the prior permission of the information provider before disclosing such information to a third party. However, no prior permission is required where the request for such information is made by a government agency mandated under law, or by any other third party under an order made under law. Rule 8 sets out the reasonable security practices and procedures that may be implemented by bodies corporate.

It is pertinent to note that an audit of reasonable security practices and procedures shall be carried out by an auditor at least once a year, or as and when the body corporate or a person on its behalf undertakes a significant upgradation of its processes and computer resources.

Recent Comments by the Government in the Supreme Court

Further, the appeal before the Tribunal shall be filed within a period of 45 days from the date on which a copy of the order made by the Controller or the Adjudicating Officer is received by the person so aggrieved, according to section 57 of the Act.


The judicial function of the Cyber Regulations Appellate Tribunal is to give the parties to the appeal an opportunity to be heard, and to pass such orders thereon as it thinks fit, confirming, modifying or setting aside the order appealed against. The Act further provides a second forum of appeal, in the form of the High Court (the first being the Cyber Regulations Appellate Tribunal), to any person aggrieved by any decision or order of the Cyber Regulations Appellate Tribunal.

An appeal is to be filed within 60 days from the date of communication of the decision or order of the Cyber Regulations Appellate Tribunal, on any question of fact or law arising out of the said order. There are no legislative guidelines or statutory regulations governing marketing communications by email or post. The Regulations state that telemarketers must register with TRAI before they may send out marketing communications by telephone or text message. The Regulations also allow those who do not wish to receive unsolicited commercial communication to opt out of receiving such telephone calls or text messages.

When the Bill is enacted, no person shall be permitted to hold or process a personal database used for direct marketing services unless he is registered with the National Data Registry and direct marketing is one of the stated purposes of registration, he holds a record stating the source from which he obtained the personal data, and all the individuals whose data are contained in the database have consented to receive direct marketing communication from him. If telemarketers continue to send unsolicited commercial communication to telephone and mobile numbers that have been registered with the National Do Not Call Register, or whose subscribers have opted out of such communication through the Customer Preference Registration Facility, complaints may be made, toll-free, to the Access Provider, who then serves a notice on the telemarketer in breach.

Chapter III, Regulation 18 of the Telecom Commercial Communications Customer Preference Regulations provides for the blacklisting of telemarketers who have received such a notice six times or more. No Access Provider is permitted to provide telecom resources to such a telemarketer.

If so, are there any best practice recommendations on using such lists?

Because India has no comprehensive data protection regime, issues such as cookie consent have not so far been addressed by Indian legislation. It is planned that the Privacy Bill, will introduce data protection legislation more specifically targeted at issues of cyber security.

If so, what are the relevant factors?

Section 7 of the IT Rules states that a body corporate may transfer sensitive personal data to any other body corporate or person, within or outside India, provided that the transferee ensures the same level of data protection that the transferring body corporate maintains, as required by the IT Rules.

A data transfer is only allowed if either: The proposed Privacy Bill, if enacted, will place slightly more stringent restrictions on international transfers of personal data. The Bill states in Chapter III, section 22 that cross-border transfers of personal data by data controllers shall not be permitted unless: As such, information technology industries and business process outsourcing companies subscribe to the secure methods of data transfer they prefer, provided that the transfer in question does not violate any law either in India or in the country to which the data is being transferred.

Data Protection 2018 | India

Please describe which types of transfers require approval or notification, what those steps involve, and how long they typically take.

Neither the current nor the proposed legislation specifies any requirement for registration or notification for data transfers abroad. The requirements are limited to the criteria specified in the question above.

The Whistle Blowers Protection Act, mandates that any public servant, or any person including any non-governmental organisation, may make a public interest disclosure before the Competent Authority.

Section 4(6) of the Act states that no action shall be taken if the disclosure does not indicate the identity of the complainant. Section 6 mandates that the Competent Authority shall not take notice of any disclosure which relates to a matter or issue determined by a Court or Tribunal, to the extent that the disclosure seeks to reopen that matter or issue. It also mandates that the Competent Authority shall not investigate any disclosure involving an allegation if the complaint is made after the expiry of seven years from the date on which the action complained of is alleged to have taken place.

Section 8 of the Act exempts from disclosure matters related to the sovereignty, security and integrity of India; matters which may affect friendly relations with a foreign state, public order, decency or morality, or which relate to contempt of court, defamation or incitement to an offence; and matters pertaining to disclosure of proceedings of the Cabinet of the Union and State Governments or any committee of the Cabinet. An amendment to the Act was proposed and passed by Parliament. It seeks to further exempt: The amendment is yet to receive the assent of the President and be promulgated into law.

If it is prohibited or discouraged, how do companies typically address this issue?

See the answer to the question above. There have been no reported instances where companies have had to address the issue of anonymous reporting. Current legislation does not touch upon questions relating to CCTV surveillance. However, the proposed Privacy Bill, states in Chapter V, section 26 that the installation and operation of CCTV surveillance in public areas shall be in accordance with the prescribed procedure, for legitimate and proportionate objectives, and shall not affect an individual's right to privacy.

There are no registration requirements laid out in this proposed legislation, nor does it elaborate on what the prescribed procedure for the installation and operation of CCTV will be. However, the proposed Data Privacy Bill, provides that, apart from reasonable restrictions such as safeguarding the national security or defence of India, prevention of acts of terrorism, corruption, money laundering, organised crime, sale or purchase of narcotic and psychotropic substances, investigation of cognisable offences and maintenance of public order, no person shall conduct or assist in conducting any surveillance.

Targeted profiling of individuals or of a certain section or class of persons without any basis is expressly barred.

The onus of proving, in a court of law, that information or personal data obtained through surveillance was obtained while maintaining a proper chain of custody, without any tampering or external interference, shall be on the state authority, intelligence agency or private entity concerned, as the case may be. Neither current nor proposed legislation contains specific provisions relating to CCTV surveillance of employees. However, the proposed Privacy Bill, when in force, will ban covert, intrusive or directed surveillance except in certain specified circumstances, including for objectives of national security or public safety.

The proposed Bill also states that the provisions it contains relating to the storage, processing, retention, sharing, security and disclosure of personal data apply equally to data collected through surveillance. See also question

Describe how employers typically obtain consent or provide notice.

Current legislation contains no provisions relating to requirements of consent from employees.



However, the proposed Privacy Bill, bans covert surveillance, which suggests that consent will have to be obtained from employees once this law comes into force, although the Bill is silent on what qualifies as consent and how it may be obtained.

If so, which entities are responsible for ensuring that data are kept secure e.


This audit shall be carried out by an auditor at least once a year, or as and when the body corporate undertakes a significant upgrade of its processes and computer resources. The proposed Privacy Bill, which will override the IT Rules if enacted, also contains provisions on the security of personal data, stating specifically that every data controller must set appropriate technological, organisational and physical standards for the security of data under its control.

In Chapter III, section 15 of the proposed Bill, it is also stated that the Data Protection Authority (the establishment of which is provided for in the same Bill) may prescribe regulations or codes of practice laying down standards for technological, organisational and physical measures for the protection of personal data, and that different standards may be prescribed for different classes of organisation.

If so, describe what details must be reported, to whom, and within what timeframe. If no legal requirement exists, describe under what circumstances the relevant data protection authority(ies) expects voluntary breach reporting.


The current legislation contains no legal requirement to report data security breaches to either authorities or data subjects. The proposed Privacy Bill, in Chapter III, section 16, prescribes that where a data controller has reasonable grounds to believe that the personal data of any data subject under its control has been accessed or acquired by unauthorised persons, the data controller must, as soon as is reasonably possible after discovering the breach, notify both the data subject and the Data Protection Authority.


The notification shall be in writing, and shall be sent either to the last known address of the data subject by registered post requesting due acknowledgment, or published in at least two national newspapers. The notification must contain sufficient information to enable the data subject to take steps to mitigate the potential consequences of the data security breach, including, if possible, the identity of the person who may have committed the breach and the date on which it occurred.

The proposed Data Privacy Bill, also mandates that every person shall have the right to be duly and promptly informed, within seven days, of any unauthorised access, destruction, use, processing, storage, modification, de-anonymisation or unauthorised disclosure (whether accidental or incidental), or any other reasonably foreseeable risk or data security breach, pertaining to their personal data. The current legislation does not contain any such requirement. However, as explained in question

The only exception to the requirement in the proposed Privacy Bill that the data controller notify the data subject in the event of a breach is where the Data Protection Authority believes that such a notification would impede a criminal investigation, or where the identity of the data subject cannot be ascertained.

As previously explained, the legislation currently in force does not deal with data breaches at all, except as indicated in question

The penalties imposed are in the form of heavy fines, which vary for each offence but do not extend beyond INR 1,, . The only exception to this is the penalty for contravention of a direction of the Data Protection Authority, which may extend to INR , and, in the case of a continuing breach, an additional sum which may extend to INR , for every day that the default continues. Indian legislation does not specifically provide for the establishment and functioning of a Data Protection Authority, although proposed legislation seeks to alter this.

Main data protection rules and principles

If so, does such a ban require a court order? If so, how is this enforced?

As long as a request from a foreign company is based on an order of a court of law, and the country in question has a reciprocal arrangement with India, the request may be enforced in India, if necessary through an Indian court. Absent a court order, Indian companies have no obligation to respond to foreign e-discovery requests or requests for disclosure.

Describe any relevant case law.

The Court ruled on the said question in the affirmative and, while doing so, observed that the right is not absolute but subject to certain reasonable restrictions. The judgment also states that consent obtained from users has to be informed consent, given in an informed manner, and cannot be shrouded in lengthy terms of agreement. The Court even upheld the right of an individual to be forgotten from the internet, observing that: Such justifications would be valid in all cases of breach of privacy, including breaches of data privacy.


N. Srikrishna in August . The committee was tasked with identifying key data protection issues in India and recommending methods of addressing them. The committee released a White Paper in November , suggesting that a framework to protect data in the country should be based on seven principles:

Relevant Legislation and Competent Authorities

In the absence of specific legislation, data protection is achieved in India on the basis of the following legislation, which also applies to other aspects of online regulation, such as e-commerce and cybercrime: The former category includes gaining unauthorised access to, and downloading or extracting data from, computer systems or networks.

In April , the Indian Ministry of Communications and Technology published four sets of rules implementing certain provisions of the Information Technology Amendment Act , as follows: The Security Practices Rules require entities holding sensitive personal information of users to maintain certain specified security standards. The Intermediary Guidelines Rules prohibit content of a specific nature on the internet; an intermediary, such as a website host, is required to block such content. Under the Electronic Service Delivery Rules, the Government can specify certain services, such as applications, certificates, licences, etc.

Of relevance to data protection is the first set of rules listed above: the IT Rules set out procedures for corporate entities which collect, process or store personal data, including sensitive personal information. Currently, two major issues are hindering the smooth passage of the Bill in the Legislature: Data protection may also sometimes be achieved through the following: The Copyright Act. Obviously, however, there is a difference between database protection and data protection.

Database protection protects the creative investment in the compilation, presentation and verification of databases, while data protection aims to protect the privacy of individuals by limiting or restricting access to their personal or sensitive information. The Indian Penal Code. This could be used to prevent theft of data. It must be noted, however, that rights guaranteed by the Constitution may normally only be enforced against the State or State-owned enterprises.

In addition to the above, invasion or breach of privacy could lead to an action in tort. However, the proposed Privacy Bill defines processing as any operation, or set of operations, whether carried out through automatic means or not, that relates to: The proposed Privacy Bills define processing as obtaining or recording the information or data, or carrying out any operation or set of operations on the information or data, whether or not by automatic means, including: Other key definitions — please specify e.

Transparency

Under the IT Rules, data controllers and data processors must provide a privacy policy for the handling of or dealing in personal information, including sensitive personal information, and ensure that this policy is available to the data subject who has provided the information under a lawful contract. Further, the policy shall be published on the website of the body corporate or any person on its behalf, and shall provide: The proposed Privacy Bill, in Chapter III, section 9, further provides for the following principles to be adhered to in the transparent collection of personal data: Personal data must be collected directly from the data subject except if: Further, the Bill also states that when personal data are collected directly from the data subject, the data controller must, at any time before the data are processed, take reasonable steps to make the data subject aware of the following:

Lawful basis for processing

The IT Rules mandate that the body corporate or any person on its behalf must obtain consent in writing from the data subject for the specific purpose for which the data will be used, before the collection of the data.

Sensitive personal information may only be collected for a lawful purpose connected with a function or purpose of the corporate entity, and only if such collection is considered necessary for that purpose. The corporate entity must ensure that the information is used only for the purpose for which it was collected.

The proposed Privacy Bill, further provides that personal data shall be collected only with the consent of the data subject, unless such collection is either necessary for the data controller to comply with a particular law or ordinance, or is mandatory under current law. However, for any data subject under the age of 18, obtaining consent from their legal or natural guardian is mandatory, regardless of the exceptions previously made. The Bill also provides, in sections 9 and 10 of Chapter III, guidelines for the lawful processing of personal data, specifying that personal data must be processed only in a fair, appropriate and lawful manner and for the documented purpose alone.

The Bill states that the data controller shall collect and process only such type and amount of personal data as is absolutely necessary to fulfil the documented purpose. Data controllers must also ensure, according to the Bill, that all persons involved in any stage of the processing of personal data treat the personal data as confidential, and communicate the data only to people who are directly employed by the data controller, or to any sub-contractor of the data controller who is under an obligation to maintain confidentiality.

The drafters of the proposed Privacy Bill, have also seen fit to draw a distinction between the guidelines for the lawful processing of personal data and those that govern the processing of sensitive personal data.

Purpose limitation

Neither the IT Rules nor the Act provides a specific time frame for the retention of sensitive personal information.

Data minimisation

There is no statutory definition or guidance with respect to data minimisation.

Proportionality

There is no statutory definition or guidance with respect to proportionality.

Retention

As explained above, neither the IT Rules nor the IT Act provides specific guidance with respect to the time frame for retention of sensitive personal information. The proposed Privacy Bill, will clarify the law on retention of personal data, stating in section 13 of Chapter II that personal data shall only be retained for as long as is necessary to achieve the documented purpose, unless:

Other key principles — please specify

There are no other key principles in particular.

Right to object to processing

Rule 5 of the IT Rules states that the data subject or provider of information shall have the option to later withdraw consent previously given to the corporate entity; such withdrawal of consent must be communicated in writing to the body corporate.

Right to restrict processing

The proposed Data Privacy Bill, states that during the pendency of a request for removal of specific personal data, the Data Controller and Data Processor shall restrict processing of that personal data, but this shall not restrict the collection or storage of personal data.

Right to data portability

The proposed Data Privacy Bill, states that every person shall, as and when required, receive the personal data concerning him which he has provided to a data controller, in a structured, commonly used and machine-readable format, and shall have the right to port that data to another data controller without any hindrance.

Right to withdraw consent

The proposed Data Privacy Bill, envisages the right to seek removal of personal data from the data controller where a person has withdrawn his consent.