The exponential growth of technology is clear evidence of the digital revolution in India. With this digital revolution, the protection of data (particularly the personal data of individuals) has assumed primary significance. The right to privacy is recognised as a fundamental right under Article 21 of the Indian Constitution, as upheld by a nine-judge bench of the Supreme Court in 2017 in the landmark case of Justice KS Puttaswamy v. Union of India. The Court highlighted that data protection and privacy are intertwined, and that if a person’s personal information is released without that person’s consent, their privacy rights will have been violated. In this article we intend to discuss the meaning and scope of important terms related to personal data/information and provide an analysis of the data protection laws in India.
As regards the legislative scenario in India (pertaining to data privacy laws), the Government of India, in exercise of the powers under Section 43A of the Information Technology Act, 2000 (“IT Act”), has published the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”). The SPDI Rules govern various aspects of personal data as well as sensitive personal data of individuals provided to a body corporate (which covers any company as well as a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities).
Meaning and scope of the terms ‘personal data or information’ and ‘sensitive personal data or information’
The SPDI Rules provide for the following two categories of information of individuals (which overlap, since sensitive personal data or information is a subset of personal information):
- Personal Data or Information
- Sensitive Personal Data or Information
As per Rule 2(1)(i) of the SPDI Rules, ‘personal information’ means “any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.” In simpler words, any piece of information (on its own or in combination with other information) through which an individual can be identified qualifies as personal data or information. For instance, a person’s name, phone number, residential address, age or email address would qualify as personal information.
Meanwhile, Rule 3 of the SPDI Rules elaborates on what qualifies as ‘sensitive personal data or information’. According to Rule 3, the following types of data or information qualify as ‘sensitive personal data or information’:
- Password
- Financial information such as bank account, credit card, debit card, or any other payment instrument details
- Physical, physiological and mental health condition
- Sexual orientation
- Medical records and history
- Biometric information
Rule 3 also brings within this definition any detail relating to the above categories provided to a Body Corporate for providing a service, and any such information received by a Body Corporate for processing or storage under a lawful contract or otherwise. Conversely, information that is freely available or accessible in the public domain, or that is furnished under the Right to Information Act, 2005 or any other law for the time being in force, is not regarded as sensitive personal data or information for the purposes of the SPDI Rules.
It is crucial to keep in mind that the statutory requirements are substantially stricter when it comes to the collection and handling of sensitive personal data or information. This is primarily because the harm flowing from a breach of such information (for example, leaked payment credentials or health records) is greater than that from a breach of personal information in general.
Scope of applicability of the statute
Only a Body Corporate (and any person acting on its behalf) is covered under Section 43A of the IT Act and the SPDI Rules. By virtue of Section 1(2) read with Section 75 of the IT Act, the IT Act also applies to offences or contraventions committed outside India by any person, if the act involves a computer, computer system or computer network located in India; entities in or outside India that process personal data in India, or on such computer resources located in India, are therefore required to comply with the IT Act (including in respect of matters governed by the applicable rules). The Government’s clarification dated 24 August 2011 further states that the SPDI Rules apply to a body corporate located within India, and that a body corporate providing services relating to the collection, storage, dealing or handling of sensitive personal data or information under a contractual obligation with a legal entity located within or outside India is not subject to the consent and disclosure requirements of Rules 5 and 6. It is also important to remember that the IT Act, and therefore the SPDI Rules, deal with electronic records and do not cover the collection and upkeep of manual (paper) records.
Requirement of consent under the statute
Consent is currently the primary consideration which provides the legal basis for the collection of data (as well as the processing of such data). Under Rule 5(1), before collecting sensitive personal data or information from the Information Provider, the Body Corporate must obtain the consent of the provider of such information in writing, through letter, fax or email, regarding the purpose of usage of that information. Under Rules 5(6) and 5(7), the Information Provider must be permitted to review the information provided and to have inaccurate or deficient information corrected, must have the option to decline to provide the information sought, and must be able to withdraw consent at any time by notifying the Body Corporate in writing. Moreover, under Rule 5(3), the Body Corporate must take reasonable steps to ensure that the Information Provider knows that the information is being collected, the purpose for which it is being collected, its intended recipients, and the name and address of the agency collecting the information and of the agency that will retain it.
The SPDI Rules also permit the Body Corporate to decline to provide the goods or services for which the information was sought if the Information Provider refuses to provide consent for the collection of the information or subsequently withdraws that consent.
Collection of Information and Disclosure to third party
As per Rule 5(2) of the SPDI Rules, sensitive personal data or information may be collected only for a lawful purpose connected with a function or activity of the Body Corporate, and only where such collection is necessary for that purpose. Rule 5(5) further provides that the information shall not be used for any purpose other than the one for which it was collected, and Rule 5(4) requires that it not be retained for longer than is required for the purposes for which it may lawfully be used or is otherwise required under any other law.
Under Rule 5(8), the Body Corporate is required to keep the information secure in accordance with the security practices discussed below. Rule 6(3) prohibits the Body Corporate (or any person on its behalf) from publishing sensitive personal data or information, and Rule 6(4) bars a third party that receives such information from disclosing it further.
As regards disclosure, Rule 6(1) provides that disclosure of sensitive personal data or information to any third party requires the prior permission of the Information Provider, unless:
- the disclosure has been agreed to in the contract between the Body Corporate and the Information Provider; or
- the disclosure is necessary for compliance with a legal obligation.
In addition, the information shall be shared, without prior consent, with Government agencies mandated under law to obtain it for the purpose of verifying an individual’s identity, or for the prevention, detection or investigation of offences (including cyber incidents), or for the prosecution and punishment of offences; the agency must send a request in writing clearly stating the purpose for which the information is sought and stating that the information so obtained will not be published or shared with any other person. Rule 6(2) separately permits disclosure to a third party under an order of the law for the time being in force.
Transfer of information
Under Rule 7 of the SPDI Rules, a Body Corporate (or any person on its behalf) may transfer sensitive personal data or information, including any information, to another body corporate or person in India or in any other country, provided that the following conditions are satisfied:
- the receiving body corporate or person ensures the same level of data protection as is adhered to by the transferring Body Corporate under the SPDI Rules; and
- the transfer is necessary for the performance of a lawful contract between the Body Corporate (or any person on its behalf) and the Information Provider, or the Information Provider has consented to the transfer.
It is to be noted that Rule 7 speaks of sensitive personal data or information “including any information”, so its conditions apply not only to the Information Provider’s sensitive personal data or information but also to any other information that is being transferred.
Security practices and procedures to be adopted by Body Corporate
Rule 8 of the SPDI Rules provides that a Body Corporate handling sensitive personal data or information must implement reasonable security practices, procedures and standards. Rule 8(1) requires a comprehensive documented information security programme and information security policies containing managerial, technical, operational and physical security control measures that are commensurate with the information assets the Body Corporate seeks to protect and with the nature of its business. Importantly, in the event of an information security breach, the Body Corporate must be able to demonstrate, as and when called upon by an agency mandated under law, that it has actually implemented the security control measures set out in its documented policies. Rule 8(2) specifies IS/ISO/IEC 27001 on “Information Technology-Security Techniques-Information Security Management System-Requirements” as one such standard that satisfies this requirement.
Apart from the ISO standard expressly named in the SPDI Rules, the Bureau of Indian Standards (“BIS”) introduced IS 17428 for data privacy assurance in 2021. However, IS 17428 is not itself named in the SPDI Rules. Under Rule 8(3), an industry association (or an entity formed by such an association) whose members follow codes of best practice for data protection other than the IS/ISO/IEC codes must have those codes duly approved and notified by the Central Government; a Body Corporate relying on IS 17428 in place of IS/ISO/IEC 27001 should therefore confirm that the code it follows has been so approved and notified.
Further, Rule 8(4) of the SPDI Rules mandates that a Body Corporate have its security practices and procedures certified or audited by an independent auditor (duly approved by the Central Government) at least once a year, or as and when it undertakes a significant upgrade of its processes and computer resources.
Resolution of user grievances
As per Rule 5(9) of the SPDI Rules, a Body Corporate is required to designate a grievance officer to address the discrepancies and grievances raised by an Information Provider with respect to the processing of information. The name and contact details of the grievance officer must be published on the website of the Body Corporate, and any grievance must be redressed within one (1) month from the date of receipt of the grievance.
Consequences of non-compliance with the provisions of the Rules
A Body Corporate that deals with sensitive personal data or information is liable for damages if it is negligent in implementing and maintaining the reasonable security practices and procedures required by the SPDI Rules. Section 43A of the IT Act states that where a Body Corporate possessing, dealing with or handling sensitive personal data or information in a computer resource that it owns, controls or operates is negligent in implementing and maintaining reasonable security practices and procedures, and thereby causes wrongful loss or wrongful gain to any person, it shall be liable to pay damages by way of compensation to the person so affected.
Moreover, as per Section 72A of the IT Act, any person (including an intermediary) who, while providing services under the terms of a lawful contract, has secured access to any material containing personal information about another person and, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain, discloses that material without the consent of the person concerned or in breach of a lawful contract, shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to Rs. 5,00,000/- (Rupees Five Lakh), or with both.
There are a number of aspects which need to be addressed in a comprehensive and effective data protection statute, which India currently lacks. While a bill has been published in the public domain for comments, it remains to be seen how soon that particular bill sees the light of day.