Article by Vijay Pal Dalmia, Advocate, Supreme Court of India and Delhi High Court, Partner & Head of Intellectual Property Laws Division, Vaish Associates Advocates, India

On 11th April, 2011, the Central Government substantially transformed the privacy and data protection landscape in India by notifying, under Section 43A of the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the "Rules").

The Rules have wide scope and extraterritorial reach. They could have a profound effect on multinational businesses that either outsource business functions to Indian service providers or maintain their own operations in India. The Rules impose wide-ranging obligations on any "body corporate" regarding the collection, use and disclosure of personal information.

The Rules cast a duty upon every body corporate to have a MANDATORY PRIVACY POLICY for the handling, processing and use of SENSITIVE PERSONAL DATA OR INFORMATION.

They also require a body corporate to PUBLISH THE PRIVACY POLICY on its website. Further, they restrict the processing of sensitive personal data, restrict international data transfers, require the establishment of a grievance redressal mechanism and require additional security measures.

Some of the provisions under the new Rules appear to be more restrictive than regulations under US laws and the EU Directive. It is argued that the new Rules could have a dramatic effect on the IT landscape in India and for overseas companies that contract IT services with Indian companies.

The Rules apply to any body corporate in India, regardless of where the information it collects originates. They define "sensitive personal data or information" to include PASSWORDS, BANK ACCOUNT DETAILS, CREDIT CARD AND DEBIT CARD DETAILS, HEALTH CONDITIONS, SEXUAL ORIENTATION, MEDICAL RECORDS, BIOMETRIC INFORMATION etc., and permit a body corporate to collect such information only for a 'lawful purpose' connected with its function or activity, and only where the collection is 'necessary' for that purpose.

The most important feature of the Rules is the absolute requirement of obtaining CONSENT, in writing through letter, fax or email, from the provider of the information before collecting sensitive personal data, regarding the purpose for which such information will be used, and again before disclosing any such information to a third party. Thus, outsourcing companies in India will have to inform the data subject of the purpose of use before collecting such information. This places additional responsibility on Indian suppliers to obtain consent from the customers of their clients. It is interesting to note that prior consent is not required for disclosure to Government agencies mandated under law to obtain the information (for instance, for verification of identity or for the prevention, detection or investigation of offences), or where disclosure is required by an order under the law.

The Rules further provide that a body corporate must take REASONABLE STEPS to INFORM an individual that personal information about them is being collected, the PURPOSE of that collection and its intended recipients. Sensitive personal information must not be retained for longer than is necessary for the purpose, and personal information must be used only for the purpose for which it was collected. The Rules also entitle a person to access the personal or sensitive personal information a body corporate holds about them, and to have inaccuracies corrected. An individual must be given the option to OPT OUT of providing personal information, and may later withdraw consent already given. The Rules lay down the standard of "reasonable security practices and procedures" for protecting sensitive personal information: IS/ISO/IEC 27001 is one recognised standard, and a body corporate is free to follow its own documented security programme or code of best practice provided it has been duly approved and notified by the Central Government and is audited at least once a year by an independent auditor approved by the Central Government.

The Rules also make it OBLIGATORY for a body corporate to designate a Grievance Officer, publish the officer's name and contact details on its website, and redress grievances arising from the handling, processing and use of personal information within one month. If a body corporate FAILS TO HAVE AN ADEQUATE PRIVACY POLICY or FAILS TO FOLLOW THE RULES for handling and processing sensitive personal data, and its negligence in implementing reasonable security practices causes wrongful loss or wrongful gain to any person, it becomes LIABLE TO PAY COMPENSATION TO THE AGGRIEVED PERSON under Section 43A of the Information Technology Act, 2000. It is to be noted that there is NO UPPER LIMIT specified for the compensation that can be claimed by the affected party in such circumstances.

The Rules ALLOW THE TRANSFER OF SENSITIVE PERSONAL DATA to any person or body corporate, in India or abroad, provided that the recipient ensures the same level of data protection as the transferring body corporate is required to adhere to under the Rules, and provided that the transfer is necessary for the performance of a lawful contract with the provider of the information or the provider has consented to the transfer. This puts EXTRA RESPONSIBILITY on the transferring body corporate to ensure, for example through contractual safeguards and audit, that the transferee complies with the prescribed standards.

The new Rules lack clarity, creating ambiguity as to the extent of their applicability. Furthermore, certain terms are not defined, and it may prove difficult to determine how they apply to typical scenarios.

In view of the above, corporations in India should review their privacy policies and any online terms and conditions available on their websites to ensure compliance with the new Rules.

Compliance also entails REVISION of employment contracts and offer letters to obtain the specific consent of the employee to the employer collecting, accessing and using the employee's personal information and sharing such information with third parties in accordance with the new Rules.

© 2011. All rights reserved with Vaish Associates Advocates, IPR & IT Laws Practice Division
Flat # 903, Indra Prakash Building, 21, Barakhambha Road, New Delhi 110001 (India)

The content of this article is intended to provide a general guide to the subject matter. Specialist professional advice should be sought about your specific circumstances. The views expressed in this article are solely of the authors of this article.