Data Protection Laws in India – A Corporate perspective


Introduction

With the advent of the 21st century, we have moved into the age where technology drives every aspect of our life. With the technological devices we use becoming our closest companions, it becomes imperative to ensure that the data collected is appropriately secured as per applicable law.

The right of privacy of individuals was brought to the forefront when the Supreme Court passed its judgement in Justice K S Puttaswamy & Ors v. Union of India.[1] In this case, informational privacy was recognised as a facet of privacy.

The provisions concerning data privacy in India are enshrined within statutes such as The Information Technology Act, 2000 (hereinafter “ITA”); The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“IT Rules”); The Information Technology (Intermediaries Guidelines and Digital Media Ethics Code) Rules, 2021 (“IT Intermediary Rules”), and other such supplemental rules.

This article aims to provide a bird’s eye view of the corporate compliances required under the prevailing data privacy laws. It also briefly elucidates the Data Protection Bill, 2021.

Compliance by Companies under prevailing data privacy laws

The key compliances applicable to companies differ according to the type of data being collected. Hence, it is pertinent to first determine whether the data falls under sensitive personal data or information, or is non-sensitive data. The term ‘Personal Information’ has been defined in the IT Rules to refer to any information which relates to a natural person and can be used, either directly or indirectly, to identify that person.[2] Furthermore, ‘Sensitive Personal Data or Information’ is defined to include items such as an individual’s usernames and passwords, financial information, health conditions, medical records, sexual orientation and biometric information.[3]

A company is required to comply with the following legal provisions governing data privacy in India:

  • Section 43A of the ITA obliges any body corporate which possesses, deals with or handles any sensitive personal data or information to maintain reasonable security practices and procedures.[4] In the instance of negligence in this regard, liability to compensate the affected person falls upon the company.
  • Further, section 72A of the ITA makes a person liable for punishment for knowingly disclosing personal information, acquired under a lawful contract, without the consent of the person concerned and in breach of such contract.[5]
  • The IT Rules require a body corporate to provide a privacy policy.[6] This privacy policy must include the following particulars:
      ◦ Information regarding its practices and policies;
      ◦ The type of information being collected;
      ◦ The purpose of the collection and usage of such information;
      ◦ Details of the intended recipients of the information, including details of any disclosure of the information to third parties; and
      ◦ Details of the security practices and procedures put in place by the entity.
  • The IT Rules also provide that, before the collection of information, consent must be obtained in writing or via email from the provider of the information regarding the purpose for which such information is going to be used.[7] Further, the rules provide that the entity must allow an individual to opt out of providing such information, and must also allow the withdrawal of consent at any time.[8]
  • Any disclosure of information to a third party requires prior permission from the provider who has provided such information under a lawful contract. This third party must not publish or further disclose such information unless a lawful contract has been entered into with regard to such transfer.[9] An exception is also provided: prior consent from the provider is not required where the information is shared with a government agency mandated under the law to obtain it, or where the disclosure is necessary for compliance with applicable laws.
  • The IT Rules also mandate that reasonable security practices and procedures as per approved standards be adopted by an entity and be audited at least once a year.[10]
  • Further, the due diligence obligations which must be adhered to by intermediaries are enumerated within the IT Intermediary Rules. These oblige an intermediary to publish its rules, privacy policy and user agreement so as to make them accessible.[11] Further, the intermediary must periodically, and at least once a year, inform its users of the same, along with any changes which may have been made.[12]
  • The IT Intermediary Rules stipulate that intermediaries must appoint a ‘Grievance Redressal Officer’ and publish that officer’s details for easy access. This officer must acknowledge a complaint within twenty-four (24) hours and redress it within a period of thirty (30) days from the date of its receipt.[13]
  • An intermediary must also appoint a Chief Compliance Officer in order to ensure that the intermediary has complied with the IT Act and rules made thereunder.[14]

Data Protection Bill

A Joint Parliamentary Committee was set up in 2019 to analyse the draft Personal Data Protection Bill, 2019. In 2021, the Committee published its report along with the finalised Data Protection Bill, 2021. This bill, if passed, shall impose obligations upon data fiduciaries with regard to the collection and processing of personal data. Some of these include providing a notice to the data principal containing particulars of the purposes for which personal data shall be processed, the nature and categories of data being collected, the identity and details of the data fiduciary, the rights of the data principal and the procedure for grievance redressal, among other particulars. In the event of the data principal’s death, the right to decide how the data principal’s data is handled can be exercised through the nomination of a legal representative. The bill also prescribes provisions for processing the personal data of children in order to protect their rights. Further, the bill shall treat all major social media platforms which do not act as intermediaries as publishers, thereby making them accountable for the content they host.

Conclusion

Data protection has been largely ignored by the legislature. If the Data Protection Bill, 2021 is passed, it will be a welcome change, replacing the archaic data protection regime in India. Until then, companies must act in compliance with the Act and the Rules framed thereunder.

[1] Justice K S Puttaswamy & Ors v. Union of India, ((2017) 10 SCC 1).

[2] The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, §2(i).

[3] The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, §3.

[4] Information Technology Act, 2000, §46.

[5] Information Technology Act, 2000, §72A.

[6] The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, §4.

[7] The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, §5(1).

[8] The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, §5(7).

[9] The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, §6.

[10] The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, §8.

[11] The Information Technology (Intermediaries Guidelines and Digital Media Ethics Code) Rules, 2021, §3(1).

[12] Id.

[13] The Information Technology (Intermediaries Guidelines and Digital Media Ethics Code) Rules, 2021, §3(2).

[14] The Information Technology (Intermediaries Guidelines and Digital Media Ethics Code) Rules, 2021, §4.
