Data privacy: importance, standards and regulations

This article talks about the concept of next friend in law. It highlights its meaning, advantages and powers a next friend enjoys in law along with how it is different from a ‘guardian’.

Synopsis: The article gives a detailed analysis of importance of data, how it is collected, stored, disseminated and used by companies. It also enumerates on the national and international laws which protect data.

The recent Facebook-Cambridge Analytica scandal yet again demonstrated the lax in data security and the resulting vulnerability of the users of world’s biggest social media network. If some claims are to be believed, Cambridge Analytica, a political consulting firm, used data collected from Facebook to affect Trump’s victory and Brexit. Closer home, PM Narendra Modi’s app got embroiled in controversy when users’ data was shared with a third party without requisite permissions. Reasons for such data leaks are hotly debated but the fact that it is a data breach cannot be questioned.

Such data breaches when quantified can run into millions. In 2005, Karan Bahree, a bank employee leaked information pertaining to banking and financial data of 1,000 accounts for 2,750 pounds. In another instance, Nadeem Kashmiri, an employee of HSBC bank was alleged to have sold financial data of HSBC clients for 2,33,000 pounds.

Instances of data breach have become more common in today’s world where data disclosures occur on a daily basis to payment gateways, e-wallets, mobile applications, employers etc. Now, imagine a scenario where a payment gateway leaks your passwords, or your mobile application discloses your personal information, or your employer collects your medical records and publishes them on a website. The consequences would be disastrous!

Furthermore, imagine a situation when your information is secretly collected, analyzed to determine your psychological profile and content in form of news or ads is generated to colour your opinions or sway your decisions. This kind of psychological warfare is what is said to have happened during the American elections and the Brexit vote.

Today, more than ever, there is a pressing need to understand the importance of data protection and relevant statutory regulations, importance of a Privacy Policy, and the dreadful consequences of data security breaches. It also gives rise to several pertinent questions: What is data? How can it be collected and stored? Can data be transferred or sold?

Currently, in India, the Information Technology Act, 2000 (‘the Act’) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (‘the Rules’) are the only legislations governing data privacy. Together, they lay down regulations on the collection, storage, disclosure and transfer of data; prescribe reasonable security practices to body corporates collecting and storing such data; and lay down the penalty for disclosure of confidential information. The Adjudicating Officer, an authority created under the Act, hears all disputes arising under the Act up to the value of Rs. five crores. Appeals are heard by the Cyber Appellate Tribunal which at present, is not functioning and then the High Courts and Supreme Court.  

Types of information

The Rules define any personally identifiable information as personal information. Therefore, names, mobile numbers and email addresses of individuals inter alia qualify as personal information.

Further, sensitive personal data or information which is a subset of such personal information consists of information relating to the following, according to Rule 3 of the Rules –

  1. Password;
  2. Financial information such as bank account or credit card or debit card or other payment instrument details;
  3. Physical, psychological and mental health condition;
  4. Sexual orientation;
  5. Medical records and history;
  6. Biometric information;
  7. Any detail relating to the above clauses as provided to a body corporate for providing service; and
  8. Any of the information received under the above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.

Sensitive personal data is subject to stronger security measures. Banks, hospitals, employers, mobile application providers, websites and other entities collecting such information should be in compliance of the Rules.  

Collection and storage of information

The Rules require a body corporate collecting sensitive personal data or information to obtain the consent in writing from the provider of such information regarding the purpose of usage of such information.

The Rules further state that the information shall be collected –

  1. for a lawful purpose only;
  2. for a purpose connected with a function or activity of the body corporate; and
  3. the collection of such sensitive personal data or information shall be considered necessary for that purpose.

For example, a company may seek information from its employees regarding their food allergies to ensure the food served at the workplace is fit for their consumption. This is considered a ‘lawful purpose’ because providing food during office hours is an ‘activity of a body corporate’ and information regarding only food allergies should be collected because only such information ‘is necessary for the lawful purpose’.

It is important to note that the Rules require that all the 3 conditions be met. Further, information can be collected only with the written consent of the person. To explain in context to the previous example, even when the company has met all the 3 requirements to collect the information, an employee can refuse to disclose information about his allergies, if he so wishes. Hence, consent to collect information is a primary requirement.

Further, the sensitive personal data or information shall not be retained by the body corporate for a period longer than as required for the purpose for which such information is collected. Additionally, the providers of the information may refuse to provide information to such body corporate and may, at any time, withdraw consent which they have already given to such body corporate.

Disclosure and transfer of information

The Rules mandate that the body corporate is required to obtain the permission of the provider of the sensitive personal data or information prior to disclosing it to any third party. Although the Rules do not prescribe that such permission has to be taken in writing, it is advisable to do so.

In continuation to our earlier example of a company collecting employees’ allergies information, the company may be required to disclose the collected information to an outsourced catering company. However, before doing so, the Rules require it to take the consent of the employees.

Further, the sensitive personal data or information may be transferred only to such entities, in India or outside, that ensure at least the same level of data protection as the body corporate itself. Such transfer may be allowed only if it is necessary for the performance of the lawful contract between the body corporate and the provider of the information or where such consent has been expressly provided by the provider.

This is particularly relevant in cases of those entities that transfer information about clients, employees etc. to their parent/subsidiary companies or other affiliates in foreign countries or store data on servers located outside India.

It is pertinent to note that there may be sector and industry wise restrictions on such international transfer of data. For example, the Telecom Regulatory Authority of India prohibits storage or transfer of data of telecom customers by telecom service providers outside the territory of India. In the finance sector, Non-Banking Financial Companies (NBFCs) may outsource information to service providers located overseas if the NBFCs are outsourcing any of their activities to such overseas provider and only if the service providers are bound by confidentiality agreements. Further, such NBFCs should monitor the security measures of the service providers, the service providers should report security breaches to the NBFCs who will then report the same to RBI.  Further, in the medical and legal fields, doctor-patient confidentiality and attorney-client privileges are binding.

The only instances when a body corporate need not obtain the consent of the provider of sensitive information are –

  1. where the disclosure of the sensitive personal data or information is required for compliance of a legal obligation or as per the law for the time being in force; or
  2. where the consent of the provider for such disclosure has been agreed to in the contract between the provider of the information and the body corporate; or
  3. where Government agencies require such information and request for the same in writing, provided that the Government agency states that the information shall not be shared or published.

Privacy Policy

Rule 4 of the Rules prescribes that any body corporate or any person acting on behalf of such body corporate that collects, receives, possesses, stores, deals or handles personal information of third parties shall make available a Privacy Policy to such parties providing the personal information. Such policy is also required to be published on the website of the body corporate.

The contents of the Privacy Policy must include the type of information collected (e.g. password, mobile numbers, sexual orientation etc.), the purpose of such collection and usage, details pertaining to disclosure of such information and reasonable security practice and procedures, as laid down in the Rules all of which are dealt with further in this article.

Further, the body corporate shall designate a grievance officer for redressal of grievances within one month from the date of receipt of the grievance. The name and contact details of such grievance officer are to be published on the website of the body corporate. These details may also be included in the Privacy Policy.

From a consumer’s perspective, Privacy Policy of a body corporate is one of the most important documents that are required to be read and understood. As per Rule 4 of the Rules, body incorporates have to publish their Privacy Policies on their website. It is vital that one takes the time to read such documents, especially before divulging sensitive information.

Reasonable security practices and procedures

In order to ensure protection of the data collected, body corporates are required to maintain reasonable security practices and procedures for protection of data and may be called upon to prove such compliance. The body corporates are required to have policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of the business. The IS/ISO/IEC 27001 is one such standard prescribed under the Rules.

Sector-wise specifications are prescribed in certain cases. For example, the banking regulations require banks to follow ISO/IEC 27001 and ISO/IEC 27002. The securities exchange regulations require stock exchanges, depositories and clearing corporations to follow standards such as ISO 27001, ISO 27002 and COBIT 5. Recently, on July 16, 2018, the Telecom Regulatory Authority of India  released recommendations on privacy, security and ownership of data in the telecom sector which could have great implications on the industry.

There are other such reasonable security practices and procedures practiced by foreign countries that will be applicable to Indian body corporates when transacting with them. One such practice is the EU General Data Privacy Regulations (GDPR).

The EU General Data Privacy Regulations and their impact on Indian entities

The GDPR came into effect on May 25, 2018. These regulations have extra-terrestrial applicability and will also apply to the entities situated outside the European Union that process personal data of persons locate within Europe. Such non-EU entities, in certain cases, will also be required to appoint a representative in the EU. Therefore, all Indian entities receiving personal information of EU citizens will fall under the purview of the GDPR and will have to ensure compliance with the same.

The GDPR mandates that entities collecting information should use a simple and clearly worded form to collect the data; and the providers of such the information have the right to withdraw consent and to have all their data erased – in such cases, the providers may also require the entities to cease the dissemination of their information. Breach of GDPR may attract a heavy fine of up to 4% of annual global turnover or €20 million (whichever is greater). A breach notification is required to be given to the providers of the information within 72 hours of the knowledge of such breach.

Way forward

Unfortunately, there are not many legislations or case laws relating to data protection in India leaving much to be desired. The laws are not able to keep up with the technological advancement hence, leaving the areas grey and open to interpretation. In addition to this, lack of national regulatory authority for data protection is causing delays and problems for the aggrieved.

In 2017, a 9-Judge Bench of the Supreme Court in the case of Justice Puttaswamy (retd.) v. Union of India, WP (C) 494 of 2012 held that right to privacy is a fundamental right. Since the roots of data protection lie in right to privacy, this case has the potential to impact the course of data protection. On the downside, this judgment does not impact private entities and therefore, does not regulate data protection measures by such private entities.

The issue of transfer of personal information by private entities is currently being heard by the Supreme Court in the case of Karmanya Singh Sareen & Anr. v. Union of India & Ors., W.P.(C) 7663/2016 & C.M.No.31553/2016(“the WhatsApp-Facebook case”). After the mobile application ‘WhatsApp’ was acquired by Facebook, the users were informed that their information would be shared with Facebook and its group companies and the mobile app users were asked to agree to the revised Privacy Policy. The Petitioner, in this case, contended that this was an unfair practice and violated the right to privacy of individuals. The Delhi High Court gave directions for deletion of data of those users who opt out of WhatsApp and prohibiting temporarily the transfer of data of users who decide to continue to use WhatsApp to Facebook.

The final judgment in the above case is now before the Supreme Court which has directed the Government to draft a new legislation to regulate data privacy. The proposed legislation and the outcome of this case will define the future of data privacy in India and bring much-needed clarity to data protection in India.

DISCLAIMER: The information provided in this article is for educational purposes only. The same cannot be construed as legal advice.

Leave a Reply

Your email address will not be published.

You May Also Like