Although the concept of ‘data privacy’ is not specifically defined under existing Indian laws, the Indian courts have, from time to time, read the concept of privacy into the right to life and personal liberty guaranteed under Article 21 of the Constitution.
SPDI & Data Privacy before the Supreme Court:
On August 24, 2017, in a landmark nine-judge bench ruling, the Apex Court in Justice K.S. Puttaswamy (Retd.) & Anr. Vs. Union of India & Ors., unanimously declared the right to privacy to be an intrinsic part of the right to life and personal liberty under Article 21 of the Constitution. In this case, Chandrachud J. notes that any invasion of life or personal liberty must meet three requirements: (a) legality, i.e. there must be a law in existence authorising the invasion; (b) a legitimate aim, which he illustrates with goals such as national security, proper deployment of national resources and protection of revenue; and (c) proportionality, i.e. a rational nexus between the means adopted and the object sought to be achieved.
It is important to note that the earlier decisions of the Supreme Court in (i) M.P. Sharma Vs. Satish Chandra, District Magistrate, Delhi [(1954) SCR 1077], which held that the right to privacy is not protected by the Constitution, and (ii) Kharak Singh Vs. State of U.P. [(1964) 1 SCR 332], to the extent that it held that the right to privacy is not protected by the Constitution, stand overruled by the judgement in the Justice K.S. Puttaswamy (Retd.) case.
Data Privacy as Fundamental Right:
It is imperative to note that fundamental rights are enforceable against the State alone, and privacy as a fundamental right is not enforceable against non-state actors (apart from a few exceptions). This raises the question of which legislation governs privacy breaches where non-state actors are involved. To address this gap, the Information Technology Act, 2000 (“IT Act”) was amended in 2008 to introduce new provisions such as Section 43-A and Section 72-A. Section 43-A of the IT Act primarily deals with compensation for negligence in implementing and maintaining ‘reasonable security practices and procedures’ in relation to ‘sensitive personal data or information’ (“SPDI”), while Section 72-A of the IT Act prescribes punishment for disclosure of ‘personal information’ in breach of a lawful contract or without the consent of the person concerned.
On 13 April 2011, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”) were issued under sub-section (2) of section 87 read with section 43-A of the IT Act. The SPDI Rules apply only to bodies corporate and persons located in India, and in some cases (notably the consent and disclosure requirements) they apply only to the relationship between an individual and a body corporate, not to dealings between two bodies corporate.
Data Privacy: Key Features of the SPDI Rules:
Under rule 3, ‘sensitive personal data or information’ of a person means personal information which consists of information relating to:
– Password;
– Financial information, such as bank account or credit card or debit card or other payment instrument details;
– Physical, physiological and mental health condition;
– Sexual orientation;
– Medical records and history;
– Biometric information;
– Any detail relating to the above clauses as provided to a body corporate for providing a service; and
– Any information received under the above clauses by a body corporate for processing, stored or processed under a lawful contract or otherwise.
Information that is freely available or accessible in the public domain, or furnished under the Right to Information Act, 2005 or any other law in force, is not regarded as SPDI for the purposes of the SPDI Rules.
Under rule 5, a body corporate is required to obtain the prior consent of the information provider regarding the purpose for which the SPDI will be used. Such information may be collected only if it is essential and required for a lawful purpose connected with a function or activity of the body corporate. The body corporate is also required to take reasonable steps to ensure that the information provider knows that the information is being collected, the purpose of collection, the intended recipients, and the name and address of the agency collecting and the agency retaining the information. The information may be used only for the purpose for which it was collected and must not be retained for longer than is required for that purpose or otherwise required under any law in force.
The body corporate must allow the information provider to review, and where necessary correct or amend, the SPDI, and must give the information provider the option to withdraw consent at any time in relation to the information so provided. Where consent is withdrawn, the body corporate has the option of not providing the goods or services for which the information was sought.
Under rule 7, a body corporate is permitted to transfer SPDI to any other body corporate or person, whether in India or in any other country, provided that the transferee ensures the same level of data protection as that adhered to by the transferring body corporate under the Rules. Further, such a transfer is permitted only where it is necessary for the performance of a lawful contract between the body corporate and the information provider, or where the information provider has consented to the transfer.
Under rule 6, a body corporate is required to obtain the permission of the information provider before disclosing SPDI to any third party, unless such disclosure has been agreed to in a contract between the parties, or the information is sought by a government agency for a purpose permitted by the rule, or disclosure is required under an applicable legal provision. A third party receiving SPDI under rule 6 may not disclose it further.
Under rule 8, a body corporate is required to implement ‘reasonable security practices and procedures’ in relation to SPDI, i.e. a comprehensive documented information security programme with managerial, technical, operational and physical controls commensurate with the information assets being protected. One standard expressly recognised for this purpose is IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements”. A body corporate that adopts such a standard must have its practices certified or audited, at least once a year or after any significant upgrade of its processes or computer resources, by an independent auditor approved by the Central Government.
The SPDI Rules also provide that a body corporate must address the grievances of information providers within a specified time. For this purpose, the body corporate must appoint a Grievance Officer, publish the officer’s name and contact details on its website, and ensure that grievances are redressed within 1 (one) month from the date of receipt.
Penalties for breach of Data Privacy | SPDI:
As discussed earlier, Section 43-A of the IT Act provides that a body corporate possessing, dealing with or handling any sensitive personal data or information in a computer resource that it owns, controls or operates is liable to pay damages by way of compensation to the affected person if it is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person.
Section 72-A of the IT Act provides for imprisonment for a term of up to three years, or a fine of up to INR 5,00,000, or both, where a person (including an intermediary) who has obtained personal information while providing services under a lawful contract discloses it, without the consent of the person concerned or in breach of the contract, with the intent to cause, or knowing that it is likely to cause, wrongful loss or wrongful gain.
Sector Specific Data Privacy Regulations:
Apart from the IT Act and the SPDI Rules, certain sectoral regulations and guidelines also address various aspects of data privacy and data protection in India. For example: i) the Reserve Bank of India, by its circular of April 2018, mandates that all payment system providers store payment system data in India; ii) the Insurance Regulatory and Development Authority of India issued guidelines on information and cyber security for insurers in April 2017, which are binding on all insurance companies; and iii) SEBI issued the Cyber Security and Cyber Resilience Framework of Stock Exchanges, Clearing Corporations and Depositories by its circular dated 6 July 2015. Further, in March 2018 the Ministry of Health & Family Welfare published the draft Digital Information Security in Healthcare Act (DISHA) for public comment.
Data Protection Bill, 2018:
The Committee of Experts chaired by Justice B.N. Srikrishna, constituted by the Ministry of Electronics & Information Technology, Government of India, to prepare a draft data protection law for India, released the Personal Data Protection Bill, 2018 (the “Bill”) on July 27, 2018, along with its report titled ‘A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians’ (the “Report”). Even on a casual reading, the similarities between the Bill and the General Data Protection Regulation (the “GDPR”), which came into force in the European Union on 25 May 2018, are readily apparent. Once enacted, the Bill would supersede Section 43-A of the IT Act and the SPDI Rules.
*The Personal Data Protection Bill, 2018 will be discussed in detail in another post.