How General Data Protection Regulation is Not Too General to India
Introduction:
The General Data Protection Regulation (“GDPR”), Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, came into force on May 25, 2018 in the European Union. GDPR replaces the erstwhile EU Directive 95/46/EC. The enactment of GDPR has huge implications for Indian companies doing business in Europe and dealing with data subjects (natural persons) who are in the European Union. This piece highlights that even before GDPR came into the picture, India had enacted similar rules for the protection of personal data.
The Information Technology Act, 2000
The Information Technology Act, 2000 was enacted to provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as "electronic commerce", which involve the use of alternatives to paper-based methods of communication and storage of information, to facilitate electronic filing of documents with Government agencies, and further to amend the Indian Penal Code, the Indian Evidence Act, 1872, the Banker’s Books Evidence Act, 1891 and the Reserve Bank of India Act, 1934, and for matters connected therewith or incidental thereto.
In exercise of the powers conferred by sections 43A and 87 of the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 were notified by the Ministry of Communications and Information Technology.
Key Features of Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
· Rule 3 encapsulates what constitutes sensitive personal data or information. Sensitive personal data or information of a person means such personal information which consists of information relating to: (i) password; (ii) financial information such as bank account or credit card or debit card or other payment instrument details; (iii) physical, physiological and mental health condition; (iv) sexual orientation; (v) medical records and history; (vi) biometric information; (vii) any detail relating to the above clauses as provided to a Body Corporate for providing service; and (viii) any of the information received under the above clauses by a Body Corporate for processing, stored or processed under lawful contract or otherwise.
· Rule 4 casts a duty upon the Body Corporate to provide a privacy policy for dealing with personal information and sensitive personal data or information, and it also requires that the policy be available on the website of the Body Corporate. The policy shall provide for: (i) clear and easily accessible statements of the practices and policies of the Body Corporate; (ii) the type of personal or sensitive personal data or information collected under rule 3; (iii) the purpose of collection and usage of such information; (iv) disclosure of information, including sensitive personal data or information, as provided in rule 6; (v) reasonable security practices and procedures as provided under rule 8.
· Rule 5 states various provisions which govern the collection of information by the Body Corporate. The main clauses are as follows:
i. The Body Corporate shall not collect sensitive personal data without obtaining consent in writing, by fax or by e-mail from the provider regarding the purpose for which the data is being collected.
ii. Any personal information or sensitive data shall not be collected unless and until it is for a lawful purpose connected with a function or activity of the Body Corporate or any person on its behalf and the collection is necessary for the fulfilment of that purpose.
iii. The provider shall be made aware of the facts as to the information collected, its purpose, its recipients and the agencies that are collecting and retaining the information.
iv. The Body Corporate or any person on its behalf holding sensitive personal data or information shall not retain that information for longer than is required for the purposes for which the information may lawfully be used, or as is otherwise required under any other law for the time being in force.
v. The information collected shall be used only for the purpose for which it is collected.
vi. The Body Corporate or any person on its behalf shall permit the providers of information, as and when requested by them, to review the information they had provided, and shall ensure that any personal information or sensitive personal data or information found to be inaccurate or deficient is corrected or amended as feasible.
vii. The Body Corporate shall not be responsible for the authenticity and reliability of any personal data or sensitive information.
viii. The provider shall be given an option to opt out of providing such information along with an option to withdraw his consent to the collection at any later stage as well.
ix. The Body Corporate shall keep the data secured, and it shall designate a grievance redressal officer to address any discrepancies arising in future.
· Rule 6 requires that the Body Corporate shall seek the consent of the concerned provider before disclosing the sensitive data to a third party, unless such disclosure was agreed by the parties through any contract. However, such information can be shared without any prior consent with government agencies mandated under law or any other third party by an order under the law, who shall be under a duty not to disclose it further. It further provides that the Body Corporate or any person on its behalf shall not publish the sensitive personal data or information.
· Rule 7 provides that a Body Corporate or any person on its behalf may transfer sensitive personal data or information including any information, to any other Body Corporate or a person in India, or located in any other country, that ensures the same level of data protection that is adhered to by the Body Corporate as provided for under these Rules. The transfer may be allowed only if it is necessary for the performance of the lawful contract between the Body Corporate or any person on its behalf and provider of information or where such person has consented to data transfer.
· Rule 8 clarifies that a Body Corporate or a person on its behalf shall be considered to have complied with reasonable security practices and procedures if it has implemented such security practices and standards and has a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures commensurate with the information assets being protected and the nature of the business. Rule 8(2) names one such security standard for data protection, namely the international standard IS/ISO/IEC 27001 on "Information Technology - Security Techniques - Information Security Management System - Requirements". However, any industry association following a code of best practice other than the one mentioned in rule 8(2) shall get its code duly approved by the Central Government. A Body Corporate or agency that has implemented either the IS/ISO/IEC 27001 standard or any other standard duly approved by the Central Government shall be considered to have implemented security measures, provided that such codes have been audited on a yearly basis by independent auditors approved by the Government.
Conclusion
The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 mandate that a Body Corporate in India follow security measures to protect personal data or information. Though they are not as detailed as GDPR, companies have to follow them to protect the interests of providers of personal data. From a perusal of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, it can be definitely concluded that GDPR is not too general for India.