Synopsis: The article gives a detailed analysis of the importance of data, and of how it is collected, stored, disseminated and used by companies. It also enumerates the national and international laws which protect data.
The recent Facebook-Cambridge Analytica scandal yet again demonstrated the laxity in data security, and the resulting vulnerability of the users, of the world’s biggest social media network. If some claims are to be believed, Cambridge Analytica, a political consulting firm, used data collected from Facebook to influence Trump’s victory and the Brexit vote. Closer home, PM Narendra Modi’s app got embroiled in controversy when users’ data was shared with a third party without the requisite permissions. The reasons for such leaks are hotly debated, but the fact that each is a data breach cannot be questioned.
The value of such breaches, when quantified, can run into millions. In 2005, Karan Bahree, an employee of a Gurgaon IT outsourcing firm, sold banking and financial details of 1,000 accounts for £2,750. In another instance, Nadeem Kashmiri, an employee of HSBC, was alleged to have sold financial data of HSBC clients, enabling a fraud of about £233,000.
Instances of data breach have become more common in today’s world where data disclosures occur on a daily basis to payment gateways, e-wallets, mobile applications, employers etc. Now, imagine a scenario where a payment gateway leaks your passwords, or your mobile application discloses your personal information, or your employer collects your medical records and publishes them on a website. The consequences would be disastrous!
Furthermore, imagine a situation where your information is secretly collected and analyzed to build your psychological profile, and content in the form of news or ads is then generated to colour your opinions or sway your decisions. This kind of psychological targeting is what is said to have happened during the American elections and the Brexit vote.
Currently, in India, the Information Technology Act, 2000 (‘the Act’) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (‘the Rules’) are the only legal instruments governing data privacy. Together, they regulate the collection, storage, disclosure and transfer of data; prescribe reasonable security practices for body corporates collecting and storing such data; and lay down penalties for the disclosure of confidential information. The Adjudicating Officer, an authority created under the Act, hears all claims arising under the Act up to a value of Rs. five crores. Appeals lie to the Cyber Appellate Tribunal (which had long ceased to function, and whose jurisdiction was transferred to the Telecom Disputes Settlement and Appellate Tribunal in 2017), and from there to the High Courts and the Supreme Court.
Types of information
The Rules define personal information as any information that relates to a natural person and which, directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying that person. Therefore, names, mobile numbers and email addresses of individuals, inter alia, qualify as personal information.
Further, sensitive personal data or information, which is a subset of such personal information, consists of information relating to the following, according to Rule 3 of the Rules –
- Passwords;
- Financial information such as bank account or credit card or debit card or other payment instrument details;
- Physical, physiological and mental health condition;
- Sexual orientation;
- Medical records and history;
- Biometric information;
- Any detail relating to the above clauses as provided to a body corporate for providing a service; and
- Any of the information received under the above clauses by a body corporate for processing, stored or processed under lawful contract or otherwise.
Information that is freely available in the public domain, or that is furnished under the Right to Information Act, 2005 or any other law, is expressly excluded from sensitive personal data or information.
Sensitive personal data is subject to stronger security measures. Banks, hospitals, employers, mobile application providers, websites and other entities collecting such information must comply with the Rules.
Collection and storage of information
The Rules require a body corporate collecting sensitive personal data or information to obtain the consent of the provider of such information in writing (by letter, fax or email) regarding the purpose for which the information will be used.
The Rules further state that the information shall be collected –
- for a lawful purpose only;
- for a purpose connected with a function or activity of the body corporate; and
- only where the collection of such sensitive personal data or information is necessary for that purpose.
For example, a company may seek information from its employees regarding their food allergies to ensure the food served at the workplace is fit for their consumption. This is considered a ‘lawful purpose’ because providing food during office hours is an ‘activity of a body corporate’ and information regarding only food allergies should be collected because only such information ‘is necessary for the lawful purpose’.
It is important to note that the Rules require all three conditions to be met. Further, information can be collected only with the written consent of the person. In the context of the previous example, even when the company has met all three requirements to collect the information, an employee can refuse to disclose information about his allergies if he so wishes. Hence, consent to collect information is a primary requirement.
Further, the sensitive personal data or information shall not be retained by the body corporate for a period longer than as required for the purpose for which such information is collected. Additionally, the providers of the information may refuse to provide information to such body corporate and may, at any time, withdraw consent which they have already given to such body corporate.
Disclosure and transfer of information
The Rules require the body corporate to obtain the permission of the provider of the sensitive personal data or information before disclosing it to any third party. Although the Rules do not prescribe that such permission be taken in writing, it is advisable to do so.
In continuation to our earlier example of a company collecting employees’ allergies information, the company may be required to disclose the collected information to an outsourced catering company. However, before doing so, the Rules require it to take the consent of the employees.
Further, the sensitive personal data or information may be transferred only to such entities, in India or outside, that ensure at least the same level of data protection as the body corporate itself. Such transfer may be allowed only if it is necessary for the performance of the lawful contract between the body corporate and the provider of the information or where such consent has been expressly provided by the provider.
This is particularly relevant in cases of those entities that transfer information about clients, employees etc. to their parent/subsidiary companies or other affiliates in foreign countries or store data on servers located outside India.
It is pertinent to note that there may be sector- and industry-specific restrictions on such international transfer of data. For example, the telecom licence conditions issued by the Department of Telecommunications prohibit telecom service providers from storing or transferring subscriber data outside the territory of India. In the finance sector, Non-Banking Financial Companies (NBFCs) may share information with service providers located overseas only if the NBFCs are outsourcing an activity to that overseas provider and the provider is bound by a confidentiality agreement. Further, such NBFCs must monitor the security measures of the service providers, and the service providers must report security breaches to the NBFCs, who in turn report them to the RBI. In the medical and legal fields, doctor-patient confidentiality and attorney-client privilege are binding.
The only instances when a body corporate need not obtain the consent of the provider of sensitive information are –
- where the disclosure of the sensitive personal data or information is required for compliance of a legal obligation or as per the law for the time being in force; or
- where the consent of the provider for such disclosure has been agreed to in the contract between the provider of the information and the body corporate; or
- where a Government agency mandated under law to obtain such information for identity verification or for the prevention, detection, investigation or prosecution of offences requests it in writing, stating the purpose, and undertakes that the information shall not be published or shared with any other person.
Reasonable security practices and procedures
In order to ensure protection of the data collected, body corporates are required to maintain reasonable security practices and procedures, and may be called upon to prove such compliance. Body corporates must have a documented information security programme and policies containing managerial, technical, operational and physical security controls that are commensurate with the information assets being protected and the nature of the business. IS/ISO/IEC 27001 is the standard expressly named under the Rules; a body corporate following it (or another approved code of best practice) must have its practices certified or audited by an independent auditor at least once a year.
Sector-wise specifications are prescribed in certain cases. For example, the banking regulations require banks to follow ISO/IEC 27001 and ISO/IEC 27002. The securities exchange regulations require stock exchanges, depositories and clearing corporations to follow standards such as ISO 27001, ISO 27002 and COBIT 5. Recently, on July 16, 2018, the Telecom Regulatory Authority of India released recommendations on privacy, security and ownership of data in the telecom sector which could have great implications on the industry.
Foreign jurisdictions prescribe their own reasonable security practices and procedures, which may apply to Indian body corporates when transacting with entities in those jurisdictions. One such regime is the EU General Data Protection Regulation (GDPR).
The EU General Data Protection Regulation and its impact on Indian entities
The GDPR came into effect on May 25, 2018. It has extra-territorial applicability and also applies to entities situated outside the European Union that process the personal data of individuals located in the EU, where the processing relates to offering them goods or services or to monitoring their behaviour. Such non-EU entities, in certain cases, are also required to appoint a representative in the EU. Therefore, Indian entities that offer goods or services to, or monitor the behaviour of, individuals in the EU fall under the purview of the GDPR and must ensure compliance with it.
The GDPR mandates that entities collecting information seek consent in a clearly worded, easily accessible form using plain language; the individuals providing the information have the right to withdraw consent and to have their data erased, and in such cases may also require the entity to cease dissemination of the information. A breach of the GDPR may attract a fine of up to 4% of annual global turnover or €20 million, whichever is greater. A personal data breach must be notified to the supervisory authority within 72 hours of the entity becoming aware of it, and to the affected individuals without undue delay where the breach is likely to result in a high risk to them.
Unfortunately, there is little legislation or case law relating to data protection in India, leaving much to be desired. The law has not kept pace with technological advancement, leaving grey areas open to interpretation. In addition, the lack of a national regulatory authority for data protection causes delays and problems for aggrieved parties.
In 2017, a 9-Judge Bench of the Supreme Court in Justice K.S. Puttaswamy (Retd.) v. Union of India, WP (C) 494 of 2012, held that the right to privacy is a fundamental right. Since the roots of data protection lie in the right to privacy, this case has the potential to shape the course of data protection. On the downside, the right so declared is enforceable against the State and does not, by itself, regulate the data protection measures of private entities.
The main petition in the above case remains pending before the Supreme Court, and the Government has meanwhile constituted an expert committee to draft a new data protection law. The proposed legislation and the outcome of this case will define the future of data privacy in India and bring much-needed clarity to data protection in the country.
DISCLAIMER: The information provided in this article is for educational purposes only. The same cannot be construed as legal advice.