Q&A on Data Protection and Cybersecurity

1. Please provide an overview of the legal framework governing privacy in your jurisdiction (e.g., a summary of the key laws, who is covered by them, what sectors, activities or data do they regulate, and who enforces the laws enforced)?

Current Legal Framework

1.1 As on date, the primary legislation governing privacy in India is the Information Technology Act, 2000 (“IT Act“) read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“Privacy Rules“).

1.2 Section 43A of the IT Act requires a body corporate[1] possessing, dealing or handling ‘sensitive personal data or information‘ (“sensitive PII“)[2] in a computer resource, to implement and maintain ‘reasonable security practices and procedures’ to prevent such sensitive PII from unauthorized access, use, alteration, disclosure or damage; failing which the body corporate is required to compensate the Data Subject (defined below) for loss caused on account of unauthorized access or disclosure.

1.3 It is pertinent to note that: –

(a) Section 43A only deals with sensitive PII, not with personal information (“PII“).[3] Having said so, the Privacy Rules (formulated under this Section) regulate both, PII as well as sensitive PII;[4]

(b) The Privacy Rules only apply to data of natural persons (“Data Subjects“);

(c) The Privacy Rules are agnostic to the sector or activities that the concerned body corporate engages in. Any body corporate possessing, dealing or handling data of Data Subjects in a computer resource is required to comply with these requirements; and

(d) There is no dedicated regulatory authority that enforces the Privacy Rules. These Rules can however be enforced by the nodal ministry viz. the Ministry of Electronics and Information Technology, Government of India (“MeitY“).

1.4 The ‘reasonable security practices and procedures’ prescribed under the Privacy Rules include, amongst others: –

(a) publishing a privacy policy;[5]

(b) requirement to obtain informed consent before collecting sensitive PII;

(c) stipulations regarding purpose[6] and storage limitations;[7]

(d) providing the Data Subjects an opportunity to not provide or withdraw consent;

(e) conditions governing transfer of PII and sensitive PII; and

(f) other reasonable security practices and procedures to be implemented.[8]

Privacy as a Fundamental Right

1.5 In addition to the IT Act and the Privacy Rules, the right to privacy has now also been recognized as a fundamental right by the highest court, i.e. the Supreme Court (“SC“), in India. In Justice K S Puttaswamy (Retd.) and Another v. Union of India and Others,[9] the SC held that: –

(a) the ‘right to privacy’ is a fundamental right guaranteed under the Constitution of India (“Constitution“);

(b) privacy is intrinsic to life and personal liberty guaranteed under Article 21[10] of the Constitution; and

(c) right to life and personal liberty are inalienable rights inseparable from human existence and hence, similar constitutional safeguards should be applicable to an individual’s right to privacy.

New Privacy Regime

1.6 India is in the process of overhauling its data privacy framework and seems to be taking guidance in this regard from principles outlined under the EU General Data Protection Regulation (“EU GDPR“). As part of this exercise, a draft bill titled ‘Personal Data Protection Bill, 2019’ (“Privacy Bill“)[11] has been proposed by the Government of India.[12] Wherever relevant, we have identified provisions of the Privacy Bill, as they are presently proposed.[13] However, the Privacy Bill may undergo further modifications, before being finally notified.

Sector-specific Regulations

1.7 Several other regulators / authorities including the Telecom Regulatory Authority of India, Central Drugs Standard Control Organization, Reserve Bank of India etc. either presently regulate or are seeking to regulate the data which may fall within their respective domains (such as subscriber data, and payments data). It seems that these regulators / authorities have provided inputs to the Privacy Bill or for such regulators / authorities to further supplement the Privacy Bill with their own respective data protection requirements.

2. Are there any registration or licensing requirements for entities covered by these laws and, if so, what are the requirements? Are there any exemptions?

Privacy Rules

2.1 The IT Act and the Privacy Rules do not provide for any registration or licensing requirements for body corporates possessing, dealing or handling PII or sensitive PII.

Privacy Bill

2.2 The Privacy Bill introduces the concept of “significant data fiduciaries” – classified on the basis of volume and sensitivity of personal data processed, turnover etc. It is proposed for such significant data fiduciaries to register themselves with the Data Protection Authority (to be set up once the Privacy Bill is enacted, referred as “Authority“).[14] There is no registration requirement for data fiduciaries, which are not significant data fiduciaries.

3. How do these laws define personally identifiable information (PII) versus sensitive PII? What other key definitions are set forth in the laws in your jurisdiction?

Privacy Rules

3.1 The Privacy Rules define PII and sensitive PII as follows: –

(a) PII – means “any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person”.

(b) Sensitive PII of a person means “such personal information which consists of information relating to:

(i) password;

(ii) financial information such as Bank account or credit card or debit card or other payment instrument details;

(iii) physical, physiological and mental health condition;

(iv) sexual orientation;

(v) medical records and history;

(vi) Biometric information;

(vii) any detail relating to the above clauses as provided to body corporate for providing service; and

(viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise:

provided that any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules”.

Privacy Bill

3.2 The Privacy Bill renames the terms PII and sensitive PII as “personal data” (“PD“) and “sensitive personal data” (“SPD“), respectively. In these responses, any reference to PD and SPD in context of the Privacy Bill will mean PII, and sensitive PII respectively.

3.3 The scope of PD as well as SPD has been enhanced under the Privacy Bill.

3.4 PD not only includes data in relation to a natural person who is directly or indirectly identifiable, it also includes any inference drawn from such data for the purpose of profiling.[15]

3.5 SPD has been defined under the Privacy Bill to mean personal data relating to financial data, health data, official identifier, information regarding sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious or political belief or affiliation, and any other category of data as may be specified by the Authority. Therefore, the proposed definition will bring in new concepts to the definition of SPD such as official identifier,[16] information regarding sex life, genetic data,[17] transgender status,[18] intersex status,[19] caste or tribe, and religious or political belief or affiliation.

4. Are there any restrictions on, or principles related to, the general processing of PII – for example, must a covered entity establish a legal basis for processing PII in your jurisdiction or must PII only be kept for a certain period? Please outline any such restrictions or “fair information practice principles” in detail?

Privacy Rules

4.1 Processing of PII is subject to the following restrictions: –

(a) Privacy policy – A body corporate which collects, receives, stores, deals or handles PII needs to have a privacy policy. The policy should be published on the website, and should include – purpose of collection, intended usage of information, circumstances in which information may be disclosed and security practices & procedures for securing against unauthorized access.

(b) Knowledge of the Data Subject – The body corporate is required to take reasonable steps to ensure that the Data Subjects are aware that their information is being collected, the purpose for collection, intended recipient of such information, and names and addresses of agencies collecting & retaining the information.

(c) Purpose limitation – PII collected can only be used for the purpose for which it is collected.

(d) Opportunity to review – Data Subjects are entitled to review the information provided by them and correct any inaccuracy or deficiency.

(e) Opportunity to not provide & withdraw consent – Prior to collecting PII, Data Subjects have an opportunity not to provide such information. They can also withdraw previously given consent.[20]

4.2 Certain other stipulations apply only to sensitive PII. Details in this regard are given in response to Query 6 below.

Privacy Bill

4.3 In relation to PD, the Privacy Bill contains following provisions: –

(a) Consent – Prior consent by the Data Subject for processing of PD.[21]

(b) Privacy policy – The data fiduciary is required to provide a privacy policy. More extensive requirements are prescribed.

(c) Purpose limitation – Express recognition of purpose limitation principle, i.e.:

(i) PD should be processed in a fair and reasonable manner and should ensure the privacy of the Data Subjects; and

(ii) PD should be processed only for the purpose specified by the data fiduciary or for any other incidental purpose reasonably expected by the Data Subject to be connected to such specified purpose. The test for any incidental usage is from the lens of the Data Subjects and what they can reasonably expect. We expect that a widely worded ‘catch-all’ consents may not be valid under the Privacy Bill.

(d) Storage limitation – The data fiduciary can retain PD only until necessary to satisfy the purpose for which it was processed. Data fiduciaries have to conduct periodic reviews to determine whether retention of PD continues to be necessary.

(e) Data quality – Data fiduciary to take reasonable steps to ensure that the PD processed is complete, accurate, not misleading and updated, in view of the intended purpose.[22]

5. Are there any circumstances where consent is required or typically used in connection with the general processing of PII and, if so, are there are rules relating to the form, content and administration of such consent?

Privacy Rules

5.1 The Privacy Rules require consent of the Data Subjects for collection of sensitive PII. No format has been prescribed. No consent is required for collection of PII.

5.2 In India, it is standard practice for companies to obtain a general consent that covers business requirements for sensitive PII and PII. This is achieved through privacy policies, written contracts, or click – wrap ‘I agree’ buttons.

Privacy Bill

5.3 The Privacy Bill proposes that: –

(a) Consent needs to be taken for processing of PD. Such consent should be taken before commencement of processing.

(b) ‘Explicit consent’ needs to be taken for processing of SPD.[23]

5.4 It is expected that the Authority will issue codes / formats for processing of PD and SPD.[24]

6. What special requirements, if any, are required for processing sensitive PII? Are there any categories of PII that are prohibited from collection?

Privacy Rules

6.1 Under the Privacy Rules, prior written consent is required for collection of sensitive PII.  For seeking this consent, intended usage must be communicated to the Data Subjects.

6.2 With respect to sensitive PII, the Privacy Rules also prescribe: -[25]

(a) Lawful purpose – Sensitive PII can only be collected for a lawful purpose connected with the function / activity of the concerned body corporate and where collection of sensitive PII is necessary for that purpose.

(b) Storage limitation – Sensitive PII cannot be retained for longer than it is required for the purpose for which is was collected.

(c) Conditions for transfer – Prior consent of the Data Subjects needs to be taken before sensitive PII can be disclosed to a third party unless such disclosure is: –

(i) agreed under a contract; or

(ii) necessary for compliance with a legal obligation.

(d) Stipulations for third party recipients – Any third party receiving sensitive PII from a body corporate is restricted from disclosing it further.[26]

(e) Publishing restriction – Sensitive PII cannot be published.

6.3 No category of sensitive PII is prohibited from collection.

Privacy Bill

6.4 The Privacy Bill prescribes incremental requirements for processing (which also includes storage) of SPD.

6.5 Processing of SPD requires “explicit consent” of the Data Subjects and prescribes additional requirements for enabling cross-border transfer of SPD.[27]

6.6 While the Privacy Bill does not by itself prohibit any category of SPD from being collected, it empowers the Central Government to notify such biometric data[28] which cannot be processed,[29] unless specifically permitted.

7. How do the laws in your jurisdiction address children’s PII?

Privacy Rules

7.1 The Privacy Rules do not contain specific provision for protection of PII or sensitive PII of children.

Privacy Bill

7.2 These concepts have been proposed under the Privacy Bill, such as: –

(a) requiring data fiduciaries to process PD of children[30] in a manner that protects their rights and is in their best interest;

(b) requiring data fiduciaries to verify the age[31] and to take the consent of the parent or guardian;[32] and

(c) notification of certain data fiduciaries as ‘guardian data fiduciaries’.[33]

Other Legislations

7.3 There are other legislations which protect PII or sensitive PII of children and its usage, such as the Juvenile Justice (Care and Protection of Children) Act, 2015. This legislation prohibits disclosure of name, address, school or other particulars which may lead to identification of a child[34] in need of care or protection, a victim or witness of crime etc.

8. Are owners or processors of PII required to maintain any internal records of their data processing activities or to establish internal processes or written documentation?  If so, please describe how businesses typically meet these requirements.

Privacy Rules

8.1 The Privacy Rules require body corporates to implement reasonable security practices and procedures including having comprehensive & documented information security programme & policies. One standard prescribed in this regard is ISO/IEC 27001 standard “Information Technology – Security Techniques – Information Security Management System – Requirements” (“ISO Code“).[35]

8.2 Therefore, data processor entities operating in India specify compliance with such standards in their privacy policies or notices.

8.3 No other specific records or written documentation need to be maintained under the Privacy Rules. Specific circumstances such as occurrence of cyber security incidents, etc. may lead to a data processor being asked by regulatory authorities to maintain / produce necessary records.

8.4 The IT Act specifically requires intermediaries to preserve and retain such information and for such duration as may be specified by the Central Government.[36]

Privacy Bill

8.5 In terms of internal processes and documentation, the Privacy Bill requires all data fiduciaries to prepare a privacy by design policy containing: –

(a) managerial / organizational / technical systems to identify and avoid harm to Data Subjects;

(b) obligations of data fiduciaries;

(c) the technology used in the processing of PD is in accordance with commercially accepted or certified standards;

(d) the legitimate interests of businesses including any innovation is achieved without compromising privacy interests;

(e) protection of privacy throughout the cycle of processing;

(f) the processing of PD in a transparent manner; and

(g) the interests of Data Subjects are accounted for at every stage.[37]

8.6 Separately, the Privacy Bill requires significant data fiduciaries to maintain up-to date record of important operations in the life cycle of processing of PD, including collection, transfers, and erasure.

9. Are consultations with regulators recommended or required in your jurisdiction and in what circumstances?

9.1 The Privacy Rules do not mention any consultation requirements with MeitY, or any other authority.

9.2  We have identified below some scenarios where consultation may be undertaken or where interaction with the authorities will be required: –

(a) In case of information security breach – The Privacy Rules prescribe that the affected body corporate will need to demonstrate that it has implemented security control measures as per its information security programme and policies.[38]

(b) Prior to introducing a new legislation – MeitY often publishes consultation papers / draft legislations and seeks comments from the public. The private sector, particularly affected entities, exhibit active involvement in this process.[39]

(c) In case information is requested by authorized Government agencies including CERT-In (as defined below) – In specific events such as prevention and detection of cyber security incidents, emergency measures for handling cyber security incidents, prosecution of offences, national security, etc.

10. Do the laws in your jurisdiction require or recommend conducting risk assessments regarding data processing activities and, if so, in what circumstances? How are these risk assessments typically carried out?

Privacy Rules

10.1 No such requirement has been prescribed under existing laws. From a practical perspective, such risk assessments would depend on the nature of reasonable security practices and procedures implemented by the body corporate.[40]

Privacy Bill

10.2 The Bill proposes for significant data fiduciaries to undertake data protection impact assessment in specific scenarios, where the processing activities involve: –

(a) usage of new technologies;

(b) large scale profiling;

(c) usage of SPD (such as genetic or biometric data); or

(d) other activities which could pose significant risk of harm to the Data Subjects.

10.3 The Authority may also specify circumstances / class of data fiduciaries / processing operations where data protection impact assessment would be mandatory.

10.4 Such risk assessment must contain: –

(a) description of the processing activity, purpose of processing and nature of PD being processed;

(b) assessment of potential harm to Data Subjects; and

(c) measures for managing / minimizing / mitigating / removing such risk of harm.

10.5 The Authority is expected to provide guidance on the manner in which data protection impact assessment may be carried out.

11. Do the laws in your jurisdiction require appointment of a data protection officer, or other person to be in charge of privacy or data protection at the organization? What are the data protection officer’s legal responsibilities?

Privacy Rules

11.1 The Privacy Rules mandate appointment of a grievance officer by the body corporate. The role of such grievance officer is limited to addressing discrepancies and grievances of Data Subjects relating to processing of their information by the body corporate.[41]

11.2 Under existing laws, there is no provision for appointment of a data protection officer, common in other jurisdictions.

Privacy Bill

11.3 Only “significant data fiduciaries” are required to appoint data protection officers (“DPO“) under the Privacy Bill.[42]

11.4 The Authority may lay down the minimum qualification and experience requirements that DPOs must possess.

11.5 DPOs will have the following responsibilities: –

(a) monitoring processing activities of data fiduciaries to ensure compliance with the Privacy Bill;

(b) co-operating with the Authority on compliance with the Privacy Bill;

(c) maintaining an inventory of all records related to processing activities of the data fiduciaries, as prescribed under the Privacy Bill etc.

11.6 The DPOs should be based in India and represent the data fiduciaries.

11.7 Separately, it appears that data fiduciaries, other than significant data fiduciaries, are required to designate an officer to whom Data Subjects may make complaints regarding contraventions of the provisions of the Privacy Bill.

12. Do the laws in your jurisdiction require providing notice to individuals of the business’ processing activities? If so, please describe these notice requirements (e.g. posting an online privacy notice).

Privacy Rules

12.1 Yes, the Privacy Rules require Data Subjects to be informed through a notice / privacy policy, which should be posted online. For more details, please refer to our response to Query 4 above.

Privacy Bill

12.2 All data fiduciaries are required to provide a notice at the time of collection of PD directly from Data Subjects[43] stating, amongst other things, the purpose for which PD may be processed, the basis for processing, the period of storage, and information about cross-border transfer.

12.3 The Authority may prescribe the format in which such notice is to be provided.

13. Do the laws in your jurisdiction apply directly to service providers that process PII, or do they typically only apply through flow-down contractual requirements from the owners?

Privacy Rules

13.1 The Privacy Rules apply directly to bodies corporate who collect, receive, possess, store etc. PII and sensitive PII.

13.2 While such bodies corporate may transfer information of Data Subjects to third parties (such as to third party service providers for processing), such transfer is permitted subject to the condition that the transferee ensures the same level of data protection that is maintained by the transferor, minimum standards for which are provided under the Privacy Rules.[44]

13.3 Hence, service providers may be statutorily liable for negligence.

Privacy Bill

13.4 Data processors[45] will need to comply with both – Privacy Bill as well as contractual requirements.

13.5 Certain provisions of the Privacy Bill directly apply to data processors. Examples include implementing adequate security safeguards, complying with directions issued by the Authority, paying compensation to the Data Subjects on account of non-compliance with the provisions of the Bill directly applicable to them etc.

13.6 Under the Privacy Bill, data processors can be appointed pursuant to a contract between such processors and the data fiduciaries. Accordingly, the data processors would also need to abide by any contractual conditions and restrictions imposed by data fiduciaries with respect to their processing activities.

14. Do the laws in your jurisdiction require minimum contract terms with service providers or are there any other restrictions relating to the appointment of service providers (e.g. due diligence or privacy and security assessments)?

For transfer of PII and sensitive PII, equivalent security standards have to be maintained by the transferee, which would typically be included in the contract between the transferor and the transferee.[46] No additional requirements including with respect to minimum contract terms or due diligence of service provider are mandated under the Privacy Rules.

15. Is the transfer of PII outside the jurisdiction restricted? If so, please describe these restrictions and how businesses typically comply with them (for example, does cross-border transfer of PII require notification to or authorization form a regulator?)

Privacy Rules

15.1 Transfer of PII outside India is not restricted. The Privacy Rules permit transfer of PII and sensitive PII by a transferor to a transferee, irrespective of whether such transferee is located within or outside India.

15.2 Such transfer is subject to the following conditions: –

(a) the transferee ensures the same level of data protection that is maintained by the transferor, minimum standards for which are provided under the Privacy Rules; and

(b) the Data Subject consents to such transfer or the transfer is necessary for performance of a lawful contract between the transferor and the Data Subject.

15.3 There is no requirement to notify or seek authorisation from a regulator before transfer of PII or sensitive PII outside India.

Sector Specific Issues

15.4 Further to a directive issued by the Reserve Bank of India on April 6, 2018, payment system providers (such as banks, non – bank licensees which operate payment systems, card networks such as Visa, Mastercard, etc.) and payment intermediaries operating in the payments sector in India were mandated to comply with data localization norms. The directive requires all data (i.e. end-to-end transaction details) relating to payment systems to be stored in India. Only the foreign leg of a payment transaction is permitted to be stored outside India.

Privacy Bill

15.5 The Privacy Bill proposes incremental requirements for cross-border transfer of SPD, such as: –

(a) The transfer requires explicit consent of the Data Subjects;

(b) The transfer will be made in accordance with model contract clauses or intra group schemes to be approved by the Authority OR the transfer is made to some adequate jurisdiction which has been notified as such by the Central Government;[47]

(c) A copy of such transferred SPD should be stored by the data fiduciary in India; and

(d) ‘Critical personal data’ (which would be a sub-category of SPD, to be notified by the Central Government) can be processed in India only.

16. What security obligations are imposed on PII owners and on service providers, if any, in your jurisdiction?

Privacy Rules

16.1 The Privacy Rules require body corporates to implement security practices and standards and have comprehensive information security programme & policies (that contain managerial, technical, operational and physical security control measures) that are commensurate with the information being protected. This requirement is applicable for both, PII & sensitive PII.

16.2 One such standard prescribed under the Privacy Rules is the ISO Code.

16.3 Any body corporate which collects, receives, stores, deals or handles PII and sensitive PII has to ensure these security practices and standards are implemented. As stated above, if any such body corporate intends to transfer the PII and/or sensitive PII, the transferee should ensure the same level of data protection.

Privacy Bill

16.4 The Privacy Bill requires the data fiduciaries to implement necessary security safeguards taking into account: –

(a) the nature, scope and purpose of processing PD;

(b) the risks associated with such processing; and

(c) the likelihood and severity of the harm that may result from such processing.

16.5 The security safeguards that may be implemented by data fiduciaries include: –

(a) using methods such as de-identification and encryption;

(b) steps necessary to protect the integrity of PD; and

(c) steps necessary to prevent misuse, unauthorised access to, modification, disclosure or destruction of PD.

16.6 The Authority may specify the security standards that need to be implemented by data fiduciaries.

16.7 Data fiduciaries are also required periodically review their security safeguards in a manner as may later be prescribed.[48]

17. Does your jurisdiction impose requirements of data protection by design or default?

Privacy Rules

17.1 The Privacy Rules embody certain principles of data protection by default. These include purpose and storage limitations. Please refer to our response to Query 4 above for more details.

Privacy Bill

17.2 The Privacy Bill, while retaining above principles, also introduces the concept of privacy by design.

17.3 It requires data fiduciaries to prepare a privacy be design policy. Please see our response to Query 8 above for more details.

18. Do the laws in your jurisdiction address security breaches and, if so, how does the law define “security breach”?

Rules under the IT Act

18.1 Yes. The Central Government has appointed the Indian Computer Emergency Response Team, Ministry of Electronics and Information Technology (“CERT-In“) as the national agency to address cyber incidents including cyber security breaches. CERT-In’s functions include collection, analysis of information on security incidents, forecast and alerts of cyber security incidents, emergency handling measures etc.

18.2 The Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (“CERT-In Rules“) have been issued under the IT Act and define: –

(a) “cyber security breaches” to mean “unauthorised acquisition or unauthorised use by a person as well as an entity of data or information that compromises the confidentiality, integrity or availability of information maintained in a computer resource“; and

(b) “cyber security incident” to mean “any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly applicable security policy resulting in unauthorized access, denial of service or disruption, unauthorized use of a computer resource for processing or storage of information or changes to data, information without authorisation“.

18.3 CERT-In has been authorized to call for information and give directions to service providers, intermediaries, data centres, body corporates and any other person for the purposes of, amongst others, analysis of cyber incidents, alerts of cyber security incidents, emergency measures for handling cyber security incidents etc.

Privacy Bill

18.4 Security breaches are also addressed under the Privacy Bill.

18.5 The Privacy Bill uses the term “personal data breach” and defines it as “any unauthorised or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to, personal data that compromises the confidentiality, integrity or availability of personal data to a data principal“.

19. Under what circumstances must a business report security breaches to regulators, to individuals, or to other persons or entities? If breach notification is not required by law, is it recommended by the regulator and what is the typical custom or practice in your jurisdiction?

Rules under the IT Act

19.1 The requirement to report security breaches may flow from various rules formulated under the IT Act. These include: –

(a) CERT-In Rules – The CERT-In Rules require certain cyber security incidents to be mandatorily reported by an individual, organisation or corporate entity affected by such incident. These are: –

(i) targeted scanning/probing of critical networks/systems;

(ii) compromise of critical systems/information;

(iii) unauthorized access of IT systems/data;

(iv) defacement of website or intrusion into a website and unauthorized changes such as inserting malicious code, links to external websites etc.;

(v) malicious code attacks such as spreading of virus/worm/trojan/botnets/spyware;

(vi) attacks on servers such as database, mail and DNS and network devices such as routers;

(vii) identity theft, spoofing and phishing attacks;

(viii) denial of service and distributed denial of service attacks;

(ix) attacks on critical infrastructure, SCADA systems and wireless networks; and

(x) attacks on applications such as e-governance, e-commerce etc.

(b) The Information Technology (Intermediary Guidelines) Rules, 2011 (“Intermediary Guidelines“) – The Intermediary Guidelines require intermediaries[49] to report cyber security incidents and also to share cyber security incidents[50] related information with CERT-In.

19.2 Separately, the Privacy Rules require body corporates to share PII or sensitive PII (without first obtaining consent from the Data Subjects) with authorized Government agencies for the purposes of investigating cyber incidents.[51]

Privacy Bill

19.3 The Privacy Bill has specific provisions pertaining to reporting of data breach and requires data fiduciaries to notify the Authority of any PD breach, where such breach is likely to cause harm to any Data Subject.

19.4 The Authority may thereafter require the data fiduciary to report the breach to the Data Subject taking into account the severity of harm that may be caused or whether some action of the Data Subject is required to mitigate the harm.

19.5 The Authority may require details of the PD breach to be uploaded on the website of the data fiduciary and may also post such details on its own website.

20. Do the laws in your jurisdiction provide individual rights, such as the right to access and the right to deletion?  If so, please provide a general description on what are the rights, how are they communicated, what exceptions exist and any other relevant details.

Privacy Rules

20.1 As indicated in our response to Query 4 above, the Privacy Rules provide Data Subjects certain rights. These include – the opportunity to review, the opportunity to not provide and withdraw consent. Please see our earlier response for a general description of these rights.

20.2 Whilst such rights have been provided to the Data Subjects, the Privacy Rules do not impose any obligation on bodies corporate to communicate these to the Data Subjects. Even the provision which identifies the components that need to be included in the privacy policies does not require for communication of Data Subjects rights and how these rights may be exercised.

Privacy Bill

20.3 The Privacy Bill, on the other hand, recognises several rights of Data Subjects. These include right to confirmation and access, right to correction and erasure, right of portability of PD from one data fiduciary to another, right to be prevent continuing disclosure of PD, right to receive compensation in case of breach of obligations by the data fiduciary etc. The Privacy Bill stipulates that privacy policies should expressly provide for the existence of and procedure by which the Data Subjects can exercise these rights.

21. Are individual rights exercisable through the judicial system or enforced by a regulator or both?  When exercisable through the judicial system, does the law in your jurisdiction provide for a private right of action and, if so, in what circumstances?  Are individuals entitled to monetary damages or compensation if they are affected by breaches of the law?  Is actual damage required or is injury of feelings sufficient?

IT Act

21.1 Individual rights may be exercisable by seeking remedies before regulators or the judicial system, as applicable.

21.2 Typically, the initial step is to raise a complaint before the grievance officer of the body corporate. If they fail to respond or adequately address the issue, other remedies may be sought.

21.3 Section 43A of the IT Act mandates that any negligence by a body corporate to protect PII or sensitive PII of a Data Subject in accordance with the IT Act or the Privacy Rules, which causes wrongful loss or gain to any person, will render the corporate liable to pay damages by way of compensation.

21.4 The Central Government has appointed adjudicating officers (namely the Secretary of the Department of Information Technology of each State) for conducting inquiry into complaints for breach of Section 43A. For claims up to INR 5 crore, the State Secretaries have exclusive jurisdiction, and their orders can be appealed before the Appellate Tribunal constituted under the IT Act.[52] For claims above this threshold, the jurisdiction of civil Courts will apply.

21.5 While determining the quantum of compensation, the State Secretary is expected to consider the following: –

(a) quantum of unfair advantage, as a result of the default;

(b) amount of loss caused; and

(c) repetitive nature of the default.

21.6 As mentioned above, under the IT Act, the State Secretary will consider amount of loss caused, prior to awarding compensation. In India, Courts are conservative in awarding damages, and it is required that damages must be proved for seeking compensation.

Privacy Bill

21.7 The Privacy Bill also entitles Data Subjects to receive compensation if they suffer harm as a result of any breach. In order to claim compensation, Data Subjects have to file a complaint before adjudicating officers appointed by the Authority.

21.8 The adjudicating officers will take the following into account whilst determining the quantum of compensation: –

(a) nature, duration and extent of violation;

(b) nature and extent of harm suffered;

(c) intentional or negligent character of the violation;

(d) transparency and accountability measures that have been implemented;

(e) action taken to mitigate the damage;

(f) previous history of violation etc.

22. How are the laws governing privacy and data protection enforced?  What is the range of fines and penalties for violation of these laws? Can PII owners appeal to the courts against orders of the regulators?

IT Act

22.1  The laws governing privacy and data protection are enforced by MeitY as well as the Courts. The machinery may be set in motion by filing of complaints by Data Subjects before the grievance officers (appointed pursuant to the Privacy Rules) or by reporting of cyber security incidents by body corporates or regulators requesting information from service providers, intermediaries etc.

22.2 Negligence in implementing and maintaining reasonable security practices and procedures which cause wrongful loss or wrongful gain to any person render the concerned body corporate liable to pay damages to the person who is affected.[53] Additionally, where any person has access to materials containing personal information of another person (while providing services under a contract) discloses such personal information without the consent or in breach of contract within an intent to cause wrongful loss or wrongful gain, such person is punishable with imprisonment up to 3 years and/or fine up to INR 500,000.

22.3 We have not come across any restriction applicable to PII owners from appealing the decisions of regulators (such as MeitY) before Courts in India. The exact nature of action that may be brought will vary basis certain factors, such as the cause of action, the counter party, the remedy prescribed under statute, the relief being sought etc.

Privacy Bill

22.4 The exact nature of penalties or fines under the Privacy Bill depends on the nature of non-compliance.

22.5 Highest penalties are applicable in the following events: –

(a) processing PD or SPD in a non-compliant manner;

(b) failure to implement security safeguards;

(c) transfer of SPD in a non-compliant manner etc.

The penalty for the above will be higher of – INR 150 million (approx. USD 2 million) or 4% of the total worldwide turnover of the preceding financial year.

22.6 Comparatively lower penalties have been prescribed for failure to: –

(a) take prompt action in case of a data security breach; or

(b) comply with provisions applicable to significant data fiduciaries.

The penalty for the above will be higher of – INR 50 million (approx. USD 0.7 million) or 2% of the total worldwide turnover of the preceding financial year.

22.7 The Privacy Bill also prescribes penalties for certain other offences such as failure to comply with requests of Data Subjects or failing to furnish information to the Authority where required etc.

22.8 Lastly, the Privacy Bill proposes imprisonment and/or fine on persons who re-identify and process PD which was earlier de-identified.

23. Does the law include any derogations, exclusions or limitations other than those already described?  Please describe the relevant provisions.

IT Act

23.1 The IT Act, and the rules framed thereunder constitute a Central legislation, which is applicable to the whole of India. The Central Government is exclusively empowered to legislate on matters relating to data protection, hence it is not permitted for States to derogate by passing secondary legislation.

23.2 Generally speaking, bodies corporate are not permitted to derogate from or claim exemptions from the requirements imposed therein, except in specific circumstances, including information access and disclosure requests from authorized Government agencies including CERT-In for prevention or investigation of cyber security incidents, prosecution and punishment of offences, to name a few.

Privacy Bill

23.3 Certain provisions of the Privacy Bill do not apply to small entities processing PD using non-automated means of processing.[54]

23.4 These provisions (which are not applicable to small entities) include, amongst others, those pertaining to: –

(a) display of privacy policy;

(b) requiring a privacy by design policy;

(c) implementation of security safeguards;

(d) significant data fiduciaries etc.

24. Please describe any restrictions on monitoring or profiling in your jurisdiction including the use of tracking technologies such as cookies – how are these terms defined and what restrictions are imposed, if any?

IT Act

24.1 There is no specific restriction given under the IT Act in respect of use of monitoring / profiling / tracking technologies (such as cookies).

24.2 This is typically governed by the conditions of use of websites.

Privacy Bill

24.3 The Privacy Bill defines the term “profiling” as “any form of processing of personal data that analyses or predicts aspects concerning the behaviour, attributes or interests of a data principal“.

24.4 It prohibits guardian data fiduciaries from profiling, tracking or behaviourally monitoring of, or targeted advertising directed at, children and undertaking any other processing of PD that can cause significant harm to a child.[55]

25. Please describe any laws addressing email communication or direct marketing?

25.1 The transmission of voice calls and SMS using telecommunication services is governed by the Telecom Commercial Communications Customer Preference Regulations, 2018 (“Regulations“).

25.2 The Regulations govern transmission of the following kinds of commercial communications[56] – promotional,[57] transactional[58] and service SMS / calls and unsolicited commercial communications (“UCC“).[59]

25.3 For the present context, the Regulations provide that: –

(a) Any commercial communication sent which is neither as per the consent nor as per the preference(s) of the recipient, as registered pursuant to the Regulations, is considered as UCC. The Regulations prohibit any person from sending UCC.

(b) Notwithstanding the above, a person may send promotional communication only after obtaining registration with an access provider and to such customers who have either provided their consent or have chosen to receive such communications.

25.4 The Regulations only govern communications via phone and SMS. They presently do not regulate email communications.

25.5 Having said the above, the Draft E-Commerce Policy, amongst other aspects, contemplates consumer protection and for the present purpose provides that: –

(a) unsolicited commercial messages on various platforms including emails need to be regulated; and

(b) a legal framework in this regard will be developed.

Authors:
Rachit Bahl, Partner
Aprajita Rana, Partner
Aman Gera, Senior Associate

Footnotes:

[1] “Body corporate” is defined in IT Act to mean “any company and includes a firm, proprietorship or other association of individuals engaged in commercial or professional activities“.
[2] “Sensitive personal data or information” means personal information which consists of password, financial information (such as bank account or credit card or debit card details), physical, physiological and mental health condition, sexual orientation, medical records and history, biometric information etc.
[3] “Personal information” is defined in the Privacy Rules to mean any information relating to an individual which (either by itself or in combination with other information available with a body corporate) is capable of identifying such individual. This is the Indian equivalent of PI or PII, commonly referred in other jurisdictions.
[4] Under Indian laws, PII and sensitive PII are popularly referred to as PI and SPDI respectively.
[5] The privacy policy should identify statement of practices and policies of the body corporate, type of PII or sensitive PII being collected, purpose of collection and usage of such information, disclosure of information as envisaged under the Privacy Rules etc.
[6] In relation to purpose limitation, PII & sensitive PII collected can only be used for the purpose for which they are collected. Any new purpose not initially informed to the Data Subject hence will require a new consent.
[7] In relation to storage limitation, sensitive PII cannot be retained for longer than is required for the purpose for which is was collected.
[8] Details in relation to some of these aspects have been provided in our responses below.
[9] (2017) 10 SCC 1, delivered on August 24, 2017.
[10] Article 21 of the Constitution states that no person shall be deprived of his life or personal liberty except according to procedure established by law.
[11] The Privacy Bill introduces a unique concept of a fiduciary relationship between Data Subjects (natural persons to whom the personal data relates) and data controllers (persons who determine the purpose and means of processing of personal data). It classifies Data Subjects as ‘data principals’ and data controllers as ‘data fiduciaries’.
[12] A Joint Parliamentary Committee recently sought views and suggestions on the Privacy Bill from all relevant stakeholders. The deadline to submit views and suggestions passed on February 25, 2020.
[13] The Privacy Bill provides for formulation of codes, rules and regulations. These codes, rules and regulations (once enacted or released in draft form) will provide further clarity in relation to various provisions of the Privacy Bill (such as how consent and explicit consent may be obtained for processing of information protected under the Privacy Bill).
[14] Certain provisions of the Privacy Bill will specifically apply to significant data fiduciaries. These include data audits, data protection impact assessment, record-keeping etc.
[15] “Personal data” is defined in the Privacy Bill to mean “data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling“.
[16] “Official identifier” is defined in the Privacy Bill to mean “any number, code, or other identifier, assigned to a data principal under a law made by Parliament or any State Legislature which may be used for the purpose of verifying the identity of a data principal“.
[17] “Genetic data” is defined in the Privacy Bill to mean “personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the behavioural characteristics, physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question“.
[18] “Transgender status” is defined in the Privacy Bill to mean “the condition of a data principal whose sense of gender does not match with the gender assigned to that data principal at birth, whether or not they have undergone sex reassignment surgery, hormone therapy, laser therapy, or any other similar medical procedure“.
[19] “Intersex status” is defined under the Privacy Bill to mean “the condition of a data principal who is – (i) a combination of female or male; (ii) neither wholly female nor wholly male; or (iii) neither female nor male“.
[20] Bodies corporate are entitled to not provide goods or services for which any information is sought – in respect of which consent has not been provided or has been withdrawn.
[21] Note that the requirement to procure consent for processing of PII is not present under the existing regime i.e. the Privacy Rules.
[22] While this obligation has been imposed on the data fiduciaries under the Privacy Bill, the actions that may need to be undertaken by the data fiduciaries to comply with this obligation need to be ascertained. This may be important since correction of incorrect data, completion of incomplete data and updating of out of date data is within the domain of the Data Subject. The Data Subject also has the right of correction under the Privacy Bill.
[23] The Privacy Bill provides parameters for when consent will be considered explicit consent, such as, consent should be informed (taking into account that the Data Subjects are made aware that the processing may have significant consequence for the Data Subjects), clear (taking into account that the consent is meaningful and without inference from conduct), and specific (taking into account whether the Data Subjects are given the choice to separately consent  to use of different categories of SPD relevant to processing).
[24] While the Privacy Bill does not prescribe the form in which consent and explicit consent may be obtained, once the Authority is set up, it may prescribe guidance in this area.
[25] Please note that measures applicable for processing of PII (identified in our response at Para 4.1 to Query 4 above) also apply to processing of sensitive PII.
[26] The security requirements to be complied with by third party recipients have been indicated in our response to Query 15 below.
[27] Please see our responses to Queries 5 and 15 for more details in this regard.
[28] “Biometric data” has been defined under the Privacy Bill to mean “facial images, fingerprints, iris scans, or any other similar personal data resulting from measurements or technical processing operations carried out on physical, physiological, or behavioural characteristics of a data principal, which allow or confirm the unique identification of that natural person“.
[29] “Processing” has been broadly defined under the Privacy Bill and includes collection within its ambit.
[30] The term “child” has been defined under the Privacy Bill as a data principal below the age of 18 years.
[31] The manner in which age may be verified will be prescribed under the regulations taking into account – volume of PD processed, proportion of such PD likely to be that of children, possibility of harm to children etc.
[32] The Authority may prescribe regulations governing how consent of parent or guardian may be taken or the manner of verification of age of a child.
[33] The Authority may notify the following the following as guardian data fiduciaries – data fiduciaries who operate commercial websites or online services directed at children, or data fiduciaries who process large volume of PD of children. The Privacy Bill prohibits guardian data fiduciaries from carrying out certain activities, namely, profiling, tracking, behavioral monitoring of, targeted advertising directed at children or undertaking any other processing that may cause significant harm to children.
[34]  The term “child” has been defined to mean a person below 18 years of age.
[35] We have included more details in this regard in our response to Query 16 below.
[36] The Central Government is yet to notify specific rules on this issue.
[37] The privacy by design policy may be certified by the Authority and such certified policy is to be displayed on the website of the data fiduciary and the Authority.
[38] We have provided further details in relation to information security programme and policies in our response to Query 16 below.
[39] Please note that this is not a mandatory legal requirement.
[40] Please see our response to Queries 8 and 16 for more details.
[41] The grievance officer is required to redress grievances expeditiously, no later than one month from the date of grievance.
[42] Please see our response to Query 2 for more details in relation to significant data fiduciaries.
[43] If PD is not directly collected from the Data Subject, the notice under the Privacy Bill needs to be provided as soon as reasonably practicable.
[44] Please see our response to Query 15 below in relation to conditions governing transfer of PII and sensitive PII.
[45] “Data processor” is defined in the Privacy Bill to mean “any person, including the State, a company, any juristic entity or any individual, who processes personal data on behalf of a data fiduciary“.
[46] More details relating to transfer are given in our responses to Queries 13 and 15.
[47] The Central Government, in consultation with the Authority, may specify countries, entities etc. to whom SPD may be transferred, having regard to adequacy of protection offered there and such transfer not prejudicially impacting the enforcement of laws.
[48] Note that the obligation to implement security standards is also applicable to data processors, i.e. those who process PD on behalf of data fiduciaries.
[49] The term “intermediary“, with respect to an electronic record, has been defined under the IT Act to mean “any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes.
[50] The definition of “cyber security incident” under the Intermediary Guidelines is the same as the one provided under the CERT-In Rules.
[51] “Cyber incidents” is defined in the Privacy Rules to mean “any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly applicable security policy resulting in unauthorised access, denial of service or disruption, unauthorised use of a computer resource for processing or storage of information or changes to data, information without authorisation“.
[52] The Telecom Disputes Settlement and Appellate Tribunal is the Appellate Tribunal for the purposes of the IT Act. Appeals from decisions of the Appellate Tribunal, on any question of fact or law, lie with the High Courts.
[53] This penalty has been prescribed under Section 43A of the IT Act, which only deals with sensitive PII and not PII.
[54] Who qualifies as a small entity for the purposes of these exclusions will be identified by the Authority taking into account – the turnover in the preceding financial year, purpose of collection of PD for disclosure to other entities, and volume of PD processed on any one day in the preceding 12 months.
[55] Please see our response to Query 7 above in relation to more details on guardian data fiduciaries.
[56] “Commercial communication” is defined in the Regulations to mean “any voice call or message using telecommunication services, where the primary purpose is to inform about or advertise or solicit business for
(a)   goods or services; or
(b)   a supplier or prospective supplier of offered goods or services; or
(c)    a business or investment opportunity; or
(d)   a provider or prospective provider of such an opportunity
“.
[57] “Promotional messages” is defined in the Regulations to mean “commercial communication message for which the sender has not taken any explicit consent from the intended Recipient to send such messages“.
[58] “Transactional message” is defined in the Regulations to mean “a message triggered by a transaction performed by the Subscriber, who is also the Sender’s customer, provided such a message is sent within thirty minutes of the transaction being performed and is directly related to it.
Provided that the transaction may be a banking transaction, delivery of OTP, purchase of goods or services, etc.
[59] “Unsolicited commercial communication or UCC” is defined in the Regulation to mean “any commercial communication that is neither as per the consent nor as per registered preference(s) of recipient, but shall not include:
(i) Any transactional message or transactional voice call;
(ii) Any service message or service voice call;
(iii) Any message or voice calls transmitted on the directions of the Central Government or the State Government or bodies established under the Constitution, when such communication is in Public Interest;

(iv) Any message or voice calls transmitted by or on the direction of the Authority or by an agency expressly authorized for the purpose by the Authority.”

Published In:Legal 500
Date: May 11, 2020