India - Data Protection 2016 ICLG - International Comparative Legal Guides

4/11/2017 IndiaDataProtection2016ICLGInternationalComparativeLegalGuides
India
DataProtection2016
OrdertheBook
OrderChapterasPDF

Published:09/05/2016
ChaptercontentFreeaccess
1 RelevantLegislationandCompetentAuthorities
2 Definitions
3 KeyPrinciples
4 IndividualRights
5 RegistrationFormalitiesandPriorApproval
6 AppointmentofaDataProtectionOfficer
7 MarketingandCookies
8 RestrictionsonInternationalDataTransfers
9 WhistleblowerHotlines
10 CCTVandEmployeeMonitoring
11 ProcessingDataintheCloud
12 BigDataandAnalytics
13 DataSecurityandDataBreach
14 EnforcementandSanctions
15 Ediscovery/disclosuretoforeignLawenforcementagencies
16 TrendsandDevelopments
1 RelevantLegislationandCompetentAuthorities
https://iclg.com/practiceareas/dataprotection/dataprotection2016/india 1/20
1.1Whatistheprincipaldataprotectionlegislation?
Intheabsenceofspecificlegislation,dataprotectionisachievedinIndiaonthebasisofthefollowing
legislation,whichappliesalsotootheraspectsofonlineregulations,suchasecommerceand
cybercrime:
TheInformationTechnologyAct(2000),amendedbytheInformationTechnology(Amendment)Act
(2008)henceforthreferredtoastheITActwhichcontainsprovisionsfortheprotectionof
electronicdata.TheITActpenalisescybercontraventionswhichattractcivilprosecutionunder
section43(a)(h)andcyberoffenceswhichattractcriminalactionundersections6374.The
formercategoryincludesgainingunauthorisedaccessto,anddownloadingorextractingdatafrom,
computersystemsornetworks.Thelattercoversseriousoffencesliketamperingwithcomputer
sourcecode,hackingwithintenttocausedamageandbreachofconfidentialityandprivacy.

InApril2011,theIndianMinistryofCommunicationsandTechnologypublishedfoursetsofrules
implementingcertainprovisionsoftheInformationTechnology(Amendment)Act(2008),asfollows:
TheSecurityPracticesRulesrequireentitiesholdingsensitivepersonalinformationofusersto
maintaincertainspecifiedsecuritystandards.
TheIntermediaryGuidelinesRulesprohibitcontentofspecificnatureontheinternet.Anintermediary,
suchasawebsitehost,isrequiredtoblocksuchcontent.
TheCyberCafRulesrequirecybercafstoregisterwitharegistrationagencyandmaintainalogof
identityofusersandtheirinternetusage.
UndertheElectronicServiceDeliveryRules,theGovernmentcanspecifycertainservices,suchas
applications,certificates,licences,etc.,tobedeliveredelectronically.

Ofrelevancetotheissueofdataprotectionisthefirstsetofrulesinthelistabove:
TheInformationTechnology(ReasonableSecurityPracticesandProceduresandSensitivePersonal
DataorInformation)Rules(2011)henceforthreferredtoastheITRuleswhichwereframed
undersection43AoftheInformationTechnologyAct(2000)asamendedin2008.TheITRulesset
outproceduresforcorporateentitieswhichcollect,processorstorepersonaldata(including
sensitivepersonalinformation).TheseRulesalsodistinguishpersonalinformationfromsensitive
personalinformation.

Itmustbepointedoutthatbecausethestatutesinquestionwerenotdraftedspecificallywiththe
protectionofdatainmind,thepatchworkofexistinglegislationcurrentlybeingusedforthispurpose
certainlyleavesalottobedesiredintermsofeffectiveprotectionofdataandevenabasicdefinitionof
scopeandsanctions.
TheGovernmentrecognisesthis,andhasalsoproposedtoenactspecificlegislationonprivacy(the
PrivacyBill)which,ifitcomesintoforce,willoverridetheITRules.ThePrivacyBillrecognisesan
individualsrighttoprivacyandprovidesthatthisrightcannotbeinfringedexceptincertain
circumstancesspecifiedintheBill,whichincludeprotectionofnationalintegrityorsovereignty,national
security,preventionofcrimeandpublicorder.AlthoughthePrivacyBillwasfirstdraftedin2011,and
multiplereviseddraftshavebeenpublishedregularlyeversince,theBillhasnotyetpassedintoLaw.
Currently,twomajorissuesarehinderingsmoothpassageoftheBillintheLegislature:
1)Adisagreementbetweenthejudiciaryandintelligenceagenciesoverwhetherornottheagencies
oughttobeunderthescrutinyofacompetentcourtwithrespecttointerceptionofpersonaldatawhen
theydeemitnecessary.
2)Adebateovertheextensionofprotectiongrantedbythelegislationtoallresidentsofthecountry
(asopposedtoonlythecitizens).
Thebillisexpectedtobecomelawlaterthisyear.Itmustbenotedthatalthoughthelatestdraftofthe
proposedBillwasallegedlycirculatedtotheCommitteeofSecretariesandleakedtotheCentrefor
InternetandSociety(anindependentnonprofitorganisationinDelhiandBangalore)in2014,thislast
draftisnotyetpubliclyavailable.AllreferencestothedraftPrivacyBillinthischapterthereforereferto
thepubliclyavailabledraftfrom2011.
1.2Isthereanyothergenerallegislationthatimpactsdataprotection?
Dataprotectionmayalsosometimesoccurthroughtheenforcementofpropertyrightsbasedonthe
following:
TheCopyrightAct(1957):SincetheActprotectsintellectualpropertyrightsindifferenttypesof
creativeworkincludingliteraryworks,andthetermliteraryworkstatutorilyincludescomputer
databases,copyingacomputerdatabase,orcopyingordistributingadatabasecouldamountto
copyrightinfringementundertheAct.Thisprovidessomescopeforprotectingdifferenttypesof
dataasliteraryworks.Itisimportanttonote,however,thatthereisadifferencebetweendatabase
protectionanddataprotection,bothofwhichserveverydifferentpurposes.Databaseprotection
protectsthecreativeinvestmentincompilation,presentationandverificationofdatabases,whiledata
protectionaimstoprotecttheprivacyofindividualsbylimitingorrestrictingaccesstotheirpersonal
orsensitiveinformation.

TheIndianPenalCode(1860):Thiscouldbeusedtopreventtheftofdata.Theoffencesoftheftand
misappropriationtechnicallyapplyonlytomovablepropertyundertheIndianPenalCode,butthe
termmovablepropertyhasbeendefinedtoincludecorporealpropertyofeverydescriptionexcept
landorpropertythatispermanentlyattachedtotheearth.

TheIndianConstitution:Article21oftheConstitutionprotectsanindividualsrighttolifeand
personalliberty.TheSupremeCourtofIndiahasrepeatedlyheldthattherighttoprivacyisimplicitin
therighttolifeandpersonalliberty.The2014draftofthePrivacyBillrecognisestherighttoprivacy
asbeingunderthescopeofArticle21oftheConstitution.Article300AoftheConstitutionalso
guaranteestherightnottobedeprivedofonespropertyexceptbyauthorityoflaw,soifthedatain
questionisregardedasproperty,thisprovisionmaybereliedupon.Itmustbenoted,however,that
rightsguaranteedbytheConstitutionmaynormallyonlybeusedagainsttheStateorStateowned
enterprises.

Inadditiontotheabove,invasionorbreachofprivacycouldleadtoanactionintort.
1.3Isthereanysectorspecificlegislationthatimpactsdataprotection?
BusinessProcessOutsourcingUnitsimplementselfregulatoryprocesses,suchastheBS7799andthe
ISO17799standards,tostandardiseinformationsecuritymanagementandrestrictthequantityofdata
madeavailabletoemployees.
TheReserveBankofIndiaperiodicallyissuesguidelines,regulationsandcircularstomaintainthe
confidentialityandprivacyofclientinformation,andin2006,inconjunctionwithseveralotherbanks
belongingtotheIndianBanksAssociation,alsoestablishedabodycalledtheBankingCodesand
StandardsBoardofIndiatoevolveasetofvoluntarynormswhichbanksmustenforcethemselves
throughinternalgrievanceredressalmechanismswithineachbank.Thesemechanismsincludea
designatedCodeComplianceOfficerandanOmbudsman.
Similarly,theSecuritiesandExchangeBoardofIndiaisasecuritiesmarketregulatorwhichrequires
securitiesmarketintermediariestomaintainconfidentialityofclientdata,includingpersonaldata.
TheseregulationsapplyinadditiontotheITRules.Whiletheyprovideacertaindegreeofsecurity,the
lackoflegislativeenforcementandforesightmeanthattheyareenforcedinvaryingdegreesbyeach
individualinstitutionanddonotcomewithguaranteedparliamentarysanction.
1.4Whatistherelevantdataprotectionregulatoryauthority(ies)?
TherearenospecificnationalregulatorsdealingwithadministrationofprivacylawsinIndia.However,
thePrivacyBillcontemplatesthecreationofaDataProtectionAuthorityofIndiawhichwillmonitorand
enforcecompliancewiththeBill.
Incaseswherethecompensationamountclaimedforafailuretoprotectconfidentialityofsensitive
personalinformationislessthanINR50,000,000,theITActprovidesfortheGovernmenttoappointan
AdjudicatingOfficer.AllproceedingsbeforetheAdjudicatingOfficeraredeemedtobejudicial
proceedingsandtheofficerhasthepowersofacivilcourt.Thedetailsoftheenquiryprocedurethatthe
AdjudicatingOfficermustuseareprovidedintheInformationTechnology(QualificationandExperience
ofAdjudicatingOfficersandMannerofHoldingEnquiry)Rules(2003).
2 Definitions
2.1Pleaseprovidethekeydefinitionsusedintherelevantlegislation:
PersonalData
Thelegislationdoesnotcontainadefinitionofthetermpersonaldata.However,theITRulesdefine
personalinformationasanyinformationthatrelatestoanaturalperson,which,eitherdirectlyor
indirectly,incombinationwithotherinformationavailableorlikelytobeavailablewithabodycorporate,
iscapableofidentifyingsuchaperson.
TheITActdefinesdataasarepresentationofinformation,knowledge,facts,conceptsorinstructions
whicharebeingpreparedorhavebeenpreparedinaformalisedmanner,andisintendedtobeprocessed
orhasbeenprocessedinacomputersystemorcomputernetwork,andmaybeinanyform(including
computerprintouts,magneticoropticalstoragemedia,punchedcards,punchedtapes)orstored
internallyinthememoryofthecomputer.
ThedraftoftheproposedPrivacyBilldefinespersonaldataasanydatawhichrelatestoaliving,
naturalperson,ifthatpersoncan,eitherdirectlyorindirectly,inconjunctionwithotherdatathatthedata
controllerhasorislikelytohave,beidentifiedfromthatdata.Thisincludesanyexpressionofopinion
aboutsaidperson.
SensitivePersonalData
TheITRulesdefinesensitivepersonaldataorinformationassuchpersonalinformationwhich
consistsofinformationrelatingto:
passwords
financialinformation,suchasbankaccountorcreditcardordebitcardorotherpayment
instrumentdetails
physical,physiologicalandmentalhealthconditions
sexualorientation
medicalrecordsandhistory
biometricinformation
anydetailsrelatingtotheaboveclausesasprovidedtoabodycorporateforprovisionof
servicesand
anyinformationreceivedundertheaboveclausesbyabodycorporateforprocessing,or
whichhasbeenstoredorprocessedunderlawfulcontractorotherwise.
Providedthatanyinformationthatisfreelyavailableoraccessibleinthepublicdomain,orfurnished
undertheRighttoInformationAct(2005)oranyotherlawcurrentlyinforce,shallnotberegardedas
sensitivepersonaldataorinformationforthepurposesoftheserules.
TheproposedPrivacyBillprovidesamorespecificdefinitionofsensitivedataasfollows:
Sensitivepersonaldataofanindividualmeanspersonaldatarelatingto:
1.UniqueIdentifierssuchastheAadharnumberorPAN(PersonalAccountNumber)
2.physicalandmentalhealth,includingmedicalhistory
3.biometricorgeneticinformation
4.criminalconvictions
5.bankingcreditandfinancialdataand
6.narcoanalysisand/orpolygraphtestdata.
Processing
NeithertheITActnortheITRulescontainadefinitionofthetermprocessing.
However,theproposedPrivacyBilldefinesprocessingasanyoperation,orsetofoperations,whether
carriedoutthroughautomaticmeansornot,thatrelateto:
1.theorganisation,collation,storage,update,modification,alterationoruseofpersonaldataor
2.themerging,linking,blocking,degradation,erasureordestructionofpersonaldata.
DataController
NeithertheITActnortheITRulescontainadefinitionofthetermdatacontroller.
However,theproposedPrivacyBilldefinesthetermasanypersonwhoprocessespersonaldata.This
includesbodiescorporate,partnerships,societies,trusts,associationsofpersons,Government
companies,Governmentdepartments,urbanlocalbodies,agenciesorinstrumentsoftheState.
DataProcessor
NeithertheITActnortheITRulescontainadefinitionofthetermdataprocessor.
However,itisgenerallyunderstoodthatbodiescorporatecollectingandprocessingdatafromdata
subjectsarecalleddataprocessors.Thisunderstandingisbroadlyaffirmedbythedefinitionprovidedin
theproposedPrivacyBill,whichstatesthatinrelationtopersonaldata,adataprocessorisanyperson
(otherthananemployeeofthedatacontroller)whoprocessesthedataonbehalfofthedatacontroller.
DataSubject
InAugust2011,theMinistryofCommunicationsandInformationissuedaPressNote(Clarification
onthePrivacyRules)whichstatesthatthetermproviderofinformationreferstothosenatural
personswhoprovidesensitivepersonaldataorinformationtoabodycorporate.Itisgenerally
understoodthatproviderofinformationissynonymouswithdatasubject,althoughthelegislation
containsnodefinitionofeitherterm.
AccordingtotheproposedPrivacyBill,adatasubjectisanylivingindividualwhosepersonaldatais
processedbyadatacontrollerinIndia.
Otherkeydefinitionspleasespecify(e.g.,PseudonymousData,DirectPersonalData,
IndirectPersonalData)
PseudonymousData
NeithertheITActnortheITRulescontainadefinitionofthetermpseudonymousdata.
DirectPersonalData
NeithertheITActnortheITRulescontainadefinitionofthetermdirectpersonaldata.
IndirectPersonalData
NeithertheITActnortheITRulescontainadefinitionofthetermindirectpersonaldata.
3 KeyPrinciples
3.1Whatarethekeyprinciplesthatapplytotheprocessingofpersonaldata?
Transparency
UndertheITRules,datacontrollersanddataprocessorsmustprovideaprivacypolicyforthehandling
ofordealinginpersonalinformation,includingsensitivepersonalinformation,andensurethatthis
policyisavailabletothedatasubjectwhohasprovidedsaidinformationbylawfulcontract.Further,the
policyshallbepublishedonthewebsiteofthebodycorporateoranypersononitsbehalf,andshall
provide:
1.clearandeasilyaccessiblestatementsofthepracticesandpoliciesofthedatacontroller
2.typesofsensitiveorpersonaldataorinformationcollectedbythebodycorporateandasdefined
bytheITRules
3.thepurposeofcollectionandusageofsuchinformation
4.disclosureofinformationincludingsensitivepersonaldataorinformationasandwhenitis
requestedbythedatasubjectunderspecifiedconditionsand
5.reasonablesecuritypracticesandproceduresasspecifiedintheRules.
TheproposedPrivacyBill,inChapterIII,section9,furtherprovidesforthefollowingprinciplestobe
adheredtointhetransparentcollectionofpersonaldata:
Personaldatamustbedirectlycollectedfromthedatasubjectexceptif:
1.theinformationispartofthepublicrecordorhasbeenmadepublicbythedatasubjector
2.thedatasubjecthasconsentedtothecollectionofpersonaldatafromanothersource.
Further,theBillalsostatesthatwhenpersonaldataiscollecteddirectlyfromthedatasubject,thedata
controllermust,atanytimebeforethedataisprocessed,takereasonablestepstomakethedatasubject
awareofthefollowing:
1.thedocumentedpurposeforwhichsuchpersonaldataisbeingcollected
2.whetherprovisionofdatabythedatasubjectisvoluntaryormandatoryunderthelaw,orsimply
inordertoavailofanyproductsorservices
3.theconsequencesofthefailuretoprovidesaidpersonaldata
4.therecipientorcategoryofrecipientsofthepersonaldata
5.thenameandaddressofthedatacontrollerandallpersonswhoare,orwillbe,processing
informationonbehalfofthedatacontrollerand
6.ifitisintendedthatthepersonaldatabetransferredoutofthecountry,thendetailsofsaid
transfer.
Lawfulbasisforprocessing
TheITRulesmandatethatthebodycorporate(oranypersononitsbehalf)mustobtainconsentin
writingfromthedatasubjectforthespecificpurposeforwhichthedatawillbeused,beforethe
collectionofthedata.Sensitivepersonalinformationmayonlybecollectedforalawfulpurpose
connectedwithafunctionorpurposeofthecorporateentity,andonlyifsuchcollectionisconsidered
necessaryforthatpurpose.Thecorporateentitymustensurethattheinformationisbeingusedonlyfor
thepurposeforwhichitwascollected.
TheproposedPrivacyBillfurtherprovidesthatpersonaldatashallbecollectedonlywiththeconsentof
thedatasubject,unlesssaidcollectioniseithernecessaryforthedatacontrollerinordertocomplywith
aparticularlaworordinance,orismandatoryundercurrentlaw.However,foranydatasubjectunderthe
ageof18,obtainingconsentfromtheirlegalornaturalguardianismandatory,regardlessofthe
exceptionspreviouslymade.
TheBillalsoprovides,insections9and10ofChapterIII,guidelinesforthelawfulprocessingof
personaldata,specifyingthatpersonaldatamustbeprocessedonlyinafair,appropriateandlawful
mannerandforthedocumentedpurposealone.TheBillstatesthatthedatacontrollershallcollectand
processonlysuchtypeandamountofpersonaldataasisabsolutelynecessarytofulfillthedocumented
purpose.Datacontrollersmustalsoensure,accordingtotheBill,thatallpersonsinvolvedinanystage
oftheprocessingofpersonaldatashalltreatthepersonaldataasconfidential,andshallcommunicate
saiddataonlywithpeoplewhoaredirectlyemployedbythedatacontroller,oranysubcontractorofthe
datacontrollerwhoisunderanobligationtomaintainconfidentiality.
ThedraftersoftheproposedPrivacyBillhavealsoseenfittodrawadistinctionbetweentheguidelines
forthelawfulprocessingofpersonaldataandthosethatgoverntheprocessingofsensitivepersonal
data.ChapterIII,section12oftheBillspecificallyaddressestheprocessingofsensitivepersonaldata,
statingthatitshallnotbecollectedorprocessedunlessauthorisedbyauthority,furtherstatingthat
nosuchauthorisationshallberequiredinaparticularlistofcircumstances,whichinclude,among
otherthings,thatthecollectionorprocessingofsuchdataisrequiredbylaw,thesaiddatahasalready
beenmadepublicbythedatasubject,suchcollectionandprocessingismadeinconnectionwithany
legalproceedingsifsaidprocessingisnecessaryforthepurposesofobtaininglegaladvice,orfor
establishingordefendinglegalrights,andifdatarelatingtocriminalconviction,biometricsandgenetic
informationiscollectedandprocessedbylawenforcementagencies.
Purposelimitation
TheITRulesortheActdonotprovideaspecifictimeframefortheretentionofsensitivepersonal
information.However,theITRulesstatethatabodycorporateoranypersononitsbehalfholding
sensitivepersonaldataorinformationshallnotretainthatinformationforlongerthanisrequiredforthe
purposesforwhichtheinformationmaylawfullybeusedorisotherwiserequiredunderanyotherlawfor
thetimebeinginforce.
Dataminimisation
Thereisnostatutorydefinitionorguidancewithrespecttodataminimisation.
Proportionality
Thereisnostatutorydefinitionorguidancewithrespecttoproportionality.
Retention
Asexplainedabove,neithertheITRulesnortheITActprovidesspecificguidancewithrespecttothe
timeframeforretentionofsensitivepersonalinformation.However,theRulesdonotoverride
provisionsofotherlawsthatmayspecifyamaximumperiodofretentionforsensitivedata.Forexample,
telecomlicencesrequirelicenseestomaintain,forsecurityreasonsandforscrutinybytheDepartmentof
Telecommunication,allcommercialrecordsrelatedtocommunicationsexchangedonthenetworkforat
leastoneyear.
Section67CoftheITActrequiresanintermediarytoretainsuchinformation,andforsuchperiodof
timeasshallbeprescribedbytheCentralGovernment.Intermediaryincludestelecomservice
providers,networkserviceproviders,internetserviceproviders,webhostingserviceproviders,search
engines,onlineauctionsites,onlinemarketplacesandcybercafs.TheCentralGovernmenthasyetto
framerulesimplementingtheretentionprovision,andthereforethenatureofdatatoberetainedandthe
durationofretentionareunclear.
TheproposedPrivacyBillwillclarifythelawonretentionofpersonaldata,statingasitdoesinsection
13ofChapterIIthatpersonaldatashallonlyberetainedforaslongasisnecessarytoachievethe
documentedpurpose,unless:
1.itisrequiredbylawtoberetainedforalongerperiod
2.thedatasubjectconsentstoitsretentionforalongerperiod
3.suchretentionisrequiredbyacontractbetweenthedatasubjectandthedatacontrolleror
4.itisrequiredtobesoretainedforhistorical,statisticalorresearchpurposes.
TheBillfurtherstatesthatallpersonaldatathatneednolongerberetainedinaccordancewiththeabove
shalleitherbedestroyedoranonymised.Duringtheprocessofdestructionoranonymisation,thedata
controllermustensurethatunauthorisedpersonsdonotgainaccesstothepersonaldata.The
destructionofpersonaldatamustbecarriedoutinamannerthatensuresthatitisimpossibletore
identifythepersonaldataonceithasbeendestroyed.
Otherkeyprinciplespleasespecify
Therearenootherkeyprinciplesinparticular.
4 IndividualRights
4.1Whatarethekeyrightsthatindividualshaveinrelationtotheprocessingoftheirpersonal
data?
Accesstodata
Rule5,subsection6oftheITRulesmandatesthatthebodycorporateoranypersononitsbehalfmust
permitprovidersofinformationordatasubjectstoreviewtheinformationtheymayhaveprovided.
However,theRulesdonotexplaintheproceduretobefollowedbydatasubjectsinexercisingtheright
toaccessthedatatheyhaveprovided.Italsodoesnotdetailwhetherthereisatimelimitwithinwhich
thedataprocessormustcomplywitharequestforaccess.
ThissituationwillbeclarifiedsomewhatbytheproposedPrivacyBill,whichstatesthatanydatasubject
shall,providedheorshecanproveheridentity,havetherighttoaskforconfirmationfromthedata
controllerthatitdoeshavecompletecontroloverthepersonaldata,requestdetailswithrespecttowho
elseincludinganythirdpartieshasaccesstothepersonaldata,andrequirethedatacontrollerto
provideinformationaboutthelogicinvolvedintheautomatedprocessofdecisionmakingwherethe
personaldatainquestionisbeingprocessedautomaticallyforevaluationpurposes.
TheBillstatesthatdatacontrollersmustprovidetherequiredinformationtothedatasubjectwithin45
daysofreceivingarequestforit,providedthattherequestwasaccompaniedbytheprerequisitefee,
andthatthedatacontrollerisobligedtoinformthedatasubjectthatthelattermaylegallyaskthedata
controllertomakeanychangestoinaccurateordeficientpersonaldata.Accesstopersonaldatamaybe
deniedonlyiftheinformationcannotbegivenoutwithoutalsodisclosinginformationaboutanother
datasubjectwhocouldbeidentifiedfromthatinformation,unlessthatdatasubjecthasconsentedto
suchdisclosure.
Correctionanddeletion
Rule5,subsection6oftheITRulesstatesthatdatasubjectsmustbeallowedaccesstothedata
providedbythemandensurethatanyinformationfoundtobeinaccurateordeficientshallbecorrected
oramendedasfeasible.AlthoughtheRulesdonotdirectlyaddressdeletionofdata,theystatein
Rule5,subsection1,whichcorporateentitiesorpersonsrepresentingthemmustobtainwrittenconsent
fromdatasubjectsregardingtheusageofthesensitiveinformationtheyprovide.Further,datasubjects
mustbeprovidedwiththeoptionnottoprovidethedataorinformationsoughttobecollected.
TheproposedPrivacyBillaffirmstheabove,andfurtherstatesthatunlessthedatacontrollercan
adduceadequateevidenceofthecompleteaccuracyandcompletenessofthedataandthefactthatitis
entirelyfittingwithrespecttothepurposeofthedatacollectioninquestion,orofthelawfulnessofits
collection,thedatasubjecthastherighttorequestadatacontrollertodestroyanypersonaldatathathe
orsheconsiderseitherexcessiveinrelationtothedocumentedpurposeofcollection,orbasedon
incorrectfacts,orprocessedunlawfully.
Objectiontoprocessing
Rule5oftheITRulesstatesthatthedatasubjectorproviderofinformationshallhavetheoptiontolater
withdrawconsentwhichmayhavebeengiventothecorporateentitypreviouslysuchwithdrawalof
consentmustbestatedinwritingtothebodycorporate.Onwithdrawalofconsent,thebodycorporate
isprohibitedfromprocessingthepersonalinformationinquestion.
Inthecaseofthedatasubjectnotprovidingconsent,orlaterwithdrawingconsent,thebodycorporate
shallhavetheoptionnottoprovidethegoodsorservicesforwhichtheinformationwassought.
Objectiontomarketing
Thisisthesameastheobjectiontoprocessingseeabove.
Complainttorelevantdataprotectionauthority(ies)
Rule5,subsection9oftheITRulesmandatesthatalldiscrepanciesorgrievancesreportedtodata
controllersmustbeaddressedinatimelymanner.CorporateentitiesmustdesignateGrievanceOfficers
forthispurpose,andthenamesanddetailsofsaidofficersmustbepublishedonthewebsiteofthe
bodycorporate.TheGrievanceOfficermustredressrespectivegrievanceswithinamonthfromthedate
ofreceiptofsaidgrievances.
Otherkeyrightspleasespecify
Disclosureofdata
Datasubjectsalsopossessrightswithrespecttodisclosureoftheinformationtheyprovide.Disclosure
ofsensitivepersonalinformationrequirestheproviderspriorpermission,unlesseither:
1.disclosurehasalreadybeenagreedtointhecontractbetweenthedatasubjectandthedata
controlleror
2.disclosureisnecessaryforcompliancewithalegalobligation.
Theexceptionstothisruleareifanorderunderlawhasbeenmade,orifadisclosuremustbemadeto
Governmentagenciesmandatedunderthelawtoobtaininformationforthepurposesof:
1.verificationofidentity
2.prevention,detectionandinvestigationofcrimeor
3.prosecutionorpunishmentofoffences.
Recipientsofthissensitivepersonalinformationareprohibitedfromfurtherdisclosingsaidinformation.
5 RegistrationFormalitiesandPriorApproval
5.1Inwhatcircumstancesisregistrationornotificationrequiredtotherelevantdataprotection
regulatoryauthority(ies)?(E.g.,generalnotificationrequirement,notificationrequiredforspecific
processingactivities.)
Therearenostatutoryregistrationornotificationrequirementsforeitherdataprocessorsordata
controllers.
TheproposedPrivacyBillprovidesfortheestablishmentofaDataProtectionAuthorityofIndia,andin
ChapterVII,section43,stipulatesthattheAuthorityshallestablishandmaintainaNationalData
ControllerRegistryanonlinedatabasetofacilitatetheefficientandeffectiveentryofparticularsby
datacontrollers.IftheBillisenacted,datacontrollersshallnotbepermittedtoprocessanydata
belongingtoanydatasubjectforagivendocumentedpurpose,unlesstheyfirstmakeanentryinthe
RegistryinaformattobepreordainedbytheCentralGovernment.
5.2Onwhatbasisareregistrations/notificationsmade?(E.g.,perlegalentity,perprocessing
purpose,perdatacategory,persystemordatabase.)
Asstatedinquestion5.1,Indiahasnocurrentlegislativerequirementswithrespecttoregistrationor
notification.However,thedraftoftheproposedPrivacyBillsuggeststhattheregistrationrequirements
itprescribes,onceenforced,willfunctionasperthedocumentedpurposeofprocessing.
5.3Whomustregisterwith/notifytherelevantdataprotectionauthority(ies)?(E.g.,locallegal
entities,foreignlegalentitiessubjecttotherelevantdataprotectionlegislation,representativeor
branchofficesofforeignlegalentitiessubjecttotherelevantdataprotectionlegislation.)
Asstatedinquestions5.1and5.2above,legislationcurrentlyinforceinIndiacontainsnoinformation
onregistrationrequirementsfordataprocessorsorcontrollers.However,theproposedPrivacyBill
statesthatalldatacontrollerswhowishtoprocessdataforaparticularpurposemustfirstregisterwith
theNationalDataControllerRegistrywithrespecttothatparticulardocumentedpurpose.
5.4Whatinformationmustbeincludedintheregistration/notification?(E.g.,detailsofthe
notifyingentity,affectedcategoriesofindividuals,affectedcategoriesofpersonaldata,processing
purposes.)
Asstatedinquestions5.1,5.2and5.3above,Indiacurrentlydoesnothaveanylegislativerequirements
withrespecttoregistrationornotificationproceduresfordatacontrollersorprocessors.However,the
proposedPrivacyBillprescribesinChapterVII,section43(5)thattheNationalDataControllerRegistry
shallcontainthefollowingdetailsofdatacontrollersinrespectofeachdocumentedpurposeforwhich
thepersonaldataisbeingprocessed:
1.name
2.addressofprincipalplaceofbusinessofthedatacontroller
3.nameandaddressofthenominatedrepresentativeofthedatacontrollerifonehasbeenso
nominated
4.descriptionofthedocumentedpurpose
5.descriptionofthepersonaldatabeingprocessedortobeprocessedbythedatacontroller
6.descriptionoftherecipientsofthepersonaldataoranypersonstowhomthedatacontrollermay
disclosethepersonaldataand
7.descriptionofthecountriestowhichthedatacontrollerdirectlyorindirectlytransfersorintends
totransferthepersonaldata.
5.5Whatarethesanctionsforfailuretoregister/notifywhererequired?
SinceIndianlegislationdoesnotcurrentlyspecifyanyparticularregistrationornotificationrequirements
fordataprocessorsorcontrollers,thelawiscorrespondinglysilentonthequestionofsanctionsfor
failuretodothesame.
TheproposedPrivacyBillincludes,withinthefunctionsoftheDataProtectionAuthorityofIndia,the
functionofreceivingandinvestigatingallegedviolationsofdataprotection,aswellasanydatasecurity
breaches,andissuingappropriateordersasmayberequiredtosafeguardsecurityinterestsofthedata
subjectsinquestion.
TheproposedBilldoesstateinChapterX,section60,thatthepenaltyforfailuretoregisterwillbeafine
extendinguptoINR500,000.
5.6Whatisthefeeperregistration(ifapplicable)?
Neitherthecurrentnorproposedlegislationprescriberegistrationfees.
5.7Howfrequentlymustregistrations/notificationsberenewed(ifapplicable)?
Neitherthecurrentnorproposedlegislationprescribeguidelineswithrespecttorenewals.
5.8Forwhattypesofprocessingactivitiesispriorapprovalrequiredfromthedataprotection
regulator?
TheITActandassociatedamendmentsandrulesdonotprescribepriorapprovalrequirements
specificallywithrespecttodataprotectionregulators.However,asstatedinquestion4.1above,data
controllersmustobtaintheconsentofthedatasubjectregardingthepurposeofusebeforecollecting
anysensitivepersonalinformation.Theymustnotcollectanysensitivepersonalinformationunless:
1.theinformationiscollectedforalawfulpurposeandisconnectedwithafunctionoractivityof
thedatacontrollerand
2.thecollectionoftheinformationisconsiderednecessaryforthatpurpose.
Thelegislationbothcurrentandproposeddoesnotaddressrequirementsforanyotherapproval
thatdatacontrollersarerequiredtotake,orwhatactivitieswarrantsaidapproval.
5.9Describetheprocedureforobtainingpriorapproval,andtheapplicabletimeframe.
Thisisnotapplicable.Seetheanswertoquestion5.8above.
6 AppointmentofaDataProtectionOfficer
6.1IstheappointmentofaDataProtectionOfficermandatoryoroptional?
NeithertheITActnortheITRulesmentiontheappointmentorroleofaDataProtectionOfficer.
Accordingtosection46oftheITAct,anAdjudicatingOfficershallbeappointedbyorderoftheCentral
Governmentforthepurposeofdiscerningwhetherornotanypersonhascontravenedanyprovisionof
theITAct.TheAdjudicatingOfficerhasthetrappingsofacivilcourt.
Inaddition,section48oftheActprovidesfortheestablishmentbynotificationofanappellate
tribunalknownastheCyberRegulationsAppellateTribunal.Thetribunalwillhaveanappellate
jurisdictionandisentitledtoexerciseitsjurisdictionbothonfactandlawoveradecisionororder
passedbytheAdjudicatingOfficerortheControllerofCertifyingAuthorities.
TheappointmentsofboththeAdjudicatingOfficer,aswellastheCyberRegulationsAppellateTribunal,
areoptionalandentirelyatthediscretionoftheCentralGovernment.TheActdoesnotspecifywhich
circumstancesjustifytheappointmentoftheAdjudicatingOfficerortheAppellateTribunal.Itisalso
unclearwhethersuchappointmentismadesuomotuoronrepresentationbyanotherparty.
6.2WhatarethesanctionsforfailingtoappointamandatoryDataProtectionOfficerwhere
required?
NeithertheITActnortheITRulesaddressthequestionofsanctionsinthecircumstancesthatan
AdjudicatingOfficerisnotappointed.
6.3WhataretheadvantagesofvoluntarilyappointingaDataProtectionOfficer(ifapplicable)?
Thisisnotapplicable.
6.4PleasedescribeanyspecificqualificationsfortheDataProtectionOfficerrequiredbylaw.
SincethelawdoesnotaddresstheappointmentofaDataProtectionOfficerspecifically,thereareno
statutorilyprescribedqualificationsforthisposition.
However,undersection46oftheITAct,theAdjudicatingOfficermustnotbebelowtherankofa
DirectortotheGovernmentofIndia,oranequivalentofficeroftheStateGovernment,andmustpossess
suchexperienceinthefieldofinformationtechnologyandlegalorjudicialexperienceasmaybe
prescribedbytheCentralGovernment.IfmorethanoneAdjudicatingOfficerisappointed,theCentral
Governmentwilldeterminethejurisdictionalpowersoftheofficers.
Undersection48oftheITAct,theCentralGovernmenthasbeengivenamandatetoemploymorethan
oneCyberRegulationsAppellateTribunal,butthelanguageofRule13oftheCyberRegulations
Tribunal(Procedure)Rules(2000)makesitclearthatthereshallbeonlyonetribunal.Thetribunalmust
consistofonepersononly,referredtoinsection49oftheActasthePresidingOfficeroftheCyber
AppellateTribunal.ThequalificationsofthePresidingOfficermustbethefollowing:
1.thatheis,orhasbeen,orisqualifiedtobe,aJudgeoftheHighCourtor
2.heis,orhasbeenamemberoftheIndianLegalServiceandisholdingorhasheldapostinGrade
1ofthatserviceforatleastthreeyears.
TheCentralGovernmenthasnotsofarappointedaPresidingOfficerfortheCyberRegulations
AppellateTribunal.
6.5WhataretheresponsibilitiesoftheDataProtectionOfficer,asrequiredbylawortypicalin
practice?
Section46oftheITActmandatesthatanAdjudicatingOfficerisappointedbytheCentralGovernment
forthepurposesofholdinganinquiryinthemannerprescribedbytheCentralGovernment.
ThissectionfurtherstatesthattheAdjudicatingOfficershall,aftergivingthepersonwhohascommitted
theallegedcontraventionareasonableopportunityformakingrepresentationinthematter,andif,on
suchinquiry,heissatisfiedthatthepersonhascommittedthecontravention,mayimposesuchpenalty
orawardsuchcompensationashethinksfitinaccordancewiththeprovisionsofthatsection.
Section47oftheActstatesthatthefactorstobetakenintoaccountbytheAdjudicatingOfficerin
determiningthequantumofcompensationarethefollowing:
(a)theamountofgainofunfairadvantage,whereverquantifiable,madeasaresultofthedefaultand
(b)theamountoflosscausedtoanypersonasaresultofthedefaultandtherepetitivenatureofthe
default.
TheCyberRegulationsAppellateTribunal,beinganappellatebody,hasthepowertoexamine
thecorrectness,legalityorproprietyofthedecisionororderpassedbytheControllerofCertifying
AuthoritiesortheAdjudicatingOfficerundertheITAct.Thispowerisabsolutewhich,byimplication,
barsthejurisdictionofcivilcourtstohearsuchappeals.
TheActgrantsanunconditionalrightofappealtoanyaggrievedpartytoappealanordermadebythe
ControlleroranAdjudicatingOfficerunderthisAct.Further,theappealbeforetheTribunalshallbe
filedwithinaperiodof45daysfromthedateonwhichacopyoftheordermadebytheControllerorthe
AdjudicatingOfficerisreceivedbythepersonsoaggrieved,accordingtosection57oftheAct.
ThejudicialfunctionoftheCyberRegulationsAppellateTribunalistogivethepartiestotheappealan
opportunitytobeheard,andtopasssuchordersthereonasitthinksfit,confirming,modifyingorsetting
asidetheorderappealedagainst.
Undersection57,subsection6oftheAct,theemphasisisonemployingalljudicialmeanstodispose
oftheappealwithinsixmonthsofthedateofreceiptoftheappeal.
TheActfurtherprovidesasecondforumofappealintheformoftheHighCourt(thefirstbeingthe
CyberRegulationsAppellateTribunal)toanypersonaggrievedbyanydecisionororderoftheCyber
RegulationsAppellateTribunal.Anappealistobefiledwithin60daysfromthedateofcommunication
ofthedecisionororderoftheCyberRegulationsAppellateTribunal,onanyquestionoffactorlaw
arisingoutofsaidorder.
6.6MusttheappointmentofaDataProtectionOfficerberegistered/notifiedtotherelevantdata
protectionauthority(ies)?
NeithertheITActnortheITRulesprescribenotification/registrationrequirementsfortheappointment
ofanAdjudicatingOfficer.
7 MarketingandCookies
7.1Pleasedescribeanylegislativerestrictionsonthesendingofmarketingcommunicationsby
post,telephone,email,orSMStextmessage.(E.g.,requirementtoobtainprioroptinconsentorto
provideasimpleandfreemeansofoptout.)
Therearenolegislativeguidelinesorstatutoryregulationsgoverningmarketingcommunications
throughemailorpost.However,theTelecomUnsolicitedCommercialCommunicationsRegulations
(2007)andtheTelecomCommercialCommunicationsCustomerPreferenceRegulations(2010),bothmade
undertheTelecomRegulatoryAuthorityofIndia(TRAI)1997,regulateunsolicitedcommercial
communicationsthroughtelephoneorbytext.TheRegulationsstatethattelemarketersmustregister
themselveswithTRAIbeforetheymaysendoutmarketingcommunicationthroughtelephoneortext
messages.
TheRegulationsalsoprovideforthosewhowishnottoreceiveunsolicitedcommercialcommunication
tooptoutofreceivingsaidtelephonecallsortextmessages.Thisisdonesimplybyregisteringones
preferencewiththeCustomerPreferenceRegistrationFacility,whichisstatutorilyrequiredtobesetup
bythelocalaccessprovider(definedintheRegulationsasincludingthebasictelephoneservice
provider,thecellularmobiletelephoneserviceproviderandtheunifiedaccessserviceprovider)orby
registeringwiththeNationalDoNotCallRegister.
TheproposedPrivacyBill,inChapterVI,section30,placesrestrictionsondirectmarketing.Whenthe
Billisenacted,nopersonshallbepermittedtoholdorprocessapersonaldatabaseusedfordirect
marketingservices,unlessheisregisteredwiththeNationalDataRegistryandoneofthepurposesof
registrationisinfactdirectmarketing,hehasarecordstatingthesourcefromwhichheobtainedthe
personaldata,andalltheindividualswhosedataiscontainedinthedatabasehaveconsentedtoreceive
directmarketingcommunicationfromthepersoninquestion.
7.2Istherelevantdataprotectionauthority(ies)activeinenforcementofbreachesofmarketing
restrictions?
Asstatedabove,therearenomarketingrestrictionsontheinternetorthroughmail.However,TRAI
activelyenforcespenaltiesontelemarketerswhoareinbreachofitsregulationsinrespectofcommercial
communicationthroughtelephoneandtextmessages.
7.3Arecompaniesrequiredtoscreenagainstanydonotcontactlistorregistry?
TheTRAIregulationsfortelemarketersprescribethattelemarketersmustdownloaddatafromthe
NationalCustomerPreferenceRegisterandthattheyshallupdatetheirnationalcustomerpreferencedata
withtheupdateddeltadataeveryTuesdayandFriday.Inordertoensureuseofonlyupdated
synchroniseddata,theregulationsstatethatthedeltadataupdatedanddownloadedonTuesdayswill
beusedfrom0000hrsonWednesdaysto2359hrsonFridays,andthedeltadataupdatedand
downloadedonFridayswillbeusedfrom0000hrsonSaturdaysto2359hrsonTuesdays.
Theregulationsfurtherstatethatthetelemarketer,beforesendinganySMSormakingatelemarketing
calltoatelecomsubscriber,shallscrubthetelephonenumberofthesubscriberwiththeupdated
database,downloadedasdescribedabovefromtheNationalCustomerPreferenceRegisterwebsite
atwww.nccptrai.gov.in.
7.4Whatarethemaximumpenaltiesforsendingmarketingcommunicationsinbreachof
applicablerestrictions?
TelemarketersmayapplytoAccessProvidersfortelemarketingresourcesonlyaftertheyhaveregistered
withTRAI.Iftelemarketerscontinuetosendunsolicitedcommercialcommunicationtotelephoneand
mobilenumberswhohaveregisteredthemselveswiththeNationalDoNotCallRegisterorhaveopted
outofreceivingsaidcommunicationwiththeCustomerPreferenceRegistrationFacility,complaintsmay
bemade,tollfree,totheAccessProvider,whothenservesanoticeuponthetelemarketerinbreach.
ChapterIII,Regulation18oftheTelecomCommercialCommunicationsCustomerPreferenceRegulations
(2010)providesfortheblacklistingoftelemarketerswhohavereceivedsaidnoticesixtimesormore.No
AccessProviderispermittedtoprovidetelecomresourcestosaidtelemarketer.
7.5Whattypesofcookiesrequireexplicitoptinconsent,asmandatedbylaworbinding
guidanceissuedbytherelevantdataprotectionauthority(ies)?
DuetothefactthatIndiahasnocomprehensivedataprotectionregime,issuessuchascookieconsent
havenotsofarbeenaddressedbyIndianlegislation.ItisplannedthatthePrivacyBillwillintroduce
dataprotectionlegislationmorespecificallytargetedtoissuesofcybersecurity.
7.6Forwhattypesofcookiesisimpliedconsentacceptable,underrelevantnationallegislation
orbindingguidanceissuedbytherelevantdataprotectionauthority(ies)?
Pleaserefertoquestion7.4above.
7.7Todate,hastherelevantdataprotectionauthority(ies)takenanyenforcementactionin
relationtocookies?
7.8Whatarethemaximumpenaltiesforbreachesofapplicablecookierestrictions?
8 RestrictionsonInternationalDataTransfers
8.1Pleasedescribeanyrestrictionsonthetransferofpersonaldataabroad?
Section7oftheITRulesstatesthatbodiescorporatecantransfersensitivepersonaldatatoanyother
bodycorporateorpersonwithinoroutsideIndia,providedthatthetransfereeensuresthesamelevelof
dataprotectionwhichthebodycorporatehasmaintained,asrequiredbytheITRules.Adatatransferis
onlyallowedifeither:
1.itisrequiredfortheperformanceofalawfulcontractbetweenthedatacontrollerandthedata
subjectsor
2.thedatasubjectshaveconsentedtothetransfer.
TheproposedPrivacyBill,ifenacted,willplaceslightlymorestringentrestrictionsoninternational
transfersofpersonaldata.TheBillstatesinChapterIII,section22thatcrossbordertransfersof
personaldatabydatacontrollersshallnotbepermittedunless:
1.thetransfereeissubjecttoalaw,codeofconductorcontractwhichbindssaidtransfereeto
principlesofadaptprotectionsubstantiallysimilartothosestipulatedinthePrivacyBill
2.thedatasubjectconsentstothetransferor
3.thetransferisnecessaryinconnectionwithacontracttowhichboththecontrolleraswellasthe
subjectareparties.
8.2Pleasedescribethemechanismscompaniestypicallyutilisetotransferpersonaldataabroad
incompliancewithapplicabletransferrestrictions.
InaPressNotereleasedonAugust24,2011,theMinistryofInformationTechnologyclarifiedthatthe
rulesonsensitivedatatransferdescribedabovearelimitedinjurisdictiontoIndianbodiescorporateand
legalentitiesorpersons,anddonotapplytobodiescorporateorlegalentitiesabroad.Assuch,
informationtechnologyindustriesandbusinessprocessoutsourcingcompaniesascribetosecure
methodsofdatatransferwhichtheyprefer,providedthatthetransferinquestiondoesnotviolateany
laweitherinIndiaorinthecountrytowhichthedataisbeingtransferred.
8.3Dotransfersofpersonaldataabroadrequireregistration/notificationorpriorapprovalfrom
therelevantdataprotectionauthority(ies)?Describewhichmechanismsrequireapprovalor
notification,whatthosestepsinvolve,andhowlongtheytake.
Neitherthecurrentnortheproposedlegislationspecifiesanyrequirementsforregistrationor
notificationsfordatatransfersabroad.Therequirementsarelimitedtothecriteriaspecifiedinquestion
8.1above.
9 WhistleblowerHotlines
9.1Whatisthepermittedscopeofcorporatewhistleblowerhotlinesunderapplicablelawor
bindingguidanceissuedbytherelevantdataprotectionauthority(ies)?(E.g.,restrictionsonthescope
ofissuesthatmaybereported,thepersonswhomaysubmitareport,thepersonswhomareportmay
concern.)
Neithercurrentnorproposedlegislationcontainsprovisionsspecifictowhistleblowerhotlinesor
anonymousreporting.
9.2Isanonymousreportingstrictlyprohibited,orstronglydiscouraged,underapplicablelawor
bindingguidanceissuedbytherelevantdataprotectionauthority(ies)?Ifso,howdocompaniestypically
addressthisissue?
anonymousreporting.
9.3Docorporatewhistleblowerhotlinesrequireseparateregistration/notificationorprior
approvalfromtherelevantdataprotectionauthority(ies)?Pleaseexplaintheprocess,howlongit
typicallytakes,andanyavailableexemptions.
anonymousreporting.
9.4Docorporatewhistleblowerhotlinesrequireaseparateprivacynotice?
anonymousreporting.
9.5Towhatextentdoworkscouncils/tradeunions/employeerepresentativesneedtobenotified
orconsulted?
anonymousreporting.
10 CCTVandEmployeeMonitoring
10.1DoestheuseofCCTVrequireseparateregistration/notificationorpriorapprovalfromthe
relevantdataprotectionauthority(ies)?
CurrentlegislationdoesnottouchuponquestionsrelatingtoCCTVsurveillance.However,the
proposedPrivacyBillstatesinChapterV,section26thattheinstallationandoperationofCCTV
surveillanceinpublicareasshallbeinaccordancewithprescribedprocedureforlegitimateand
proportionateobjectives,andwillnotaffecthisrighttoprivacy.Therearenoregistrationrequirements
specificallylaidoutinthisproposedlegislation,neitherdoesitelaborateonwhattheprescribed
procedurefortheinstallationandoperationofCCTVwillbe.
10.2Whattypesofemployeemonitoringarepermitted(ifany),andinwhatcircumstances?
NeithercurrentnorproposedlegislationcontainsspecificprovisionsrelatingtoCCTVsurveillanceof
employees.However,theproposedPrivacyBill,wheninforce,willbancovert,intrusiveordirected
surveillanceexceptincertainspecifiedcircumstances,includingobjectivesofnationalsecurityorpublic
safety.TheproposedBillalsostatesthattheprovisionsitcontainsrelatingtothestorage,processing,
retention,sharing,securityanddisclosureofpersonaldataapplyequallytodatacollectedthrough
surveillance.
10.3Isconsentornoticerequired?Describehowemployerstypicallyobtainconsentorprovide
notice.
Currentlegislationcontainsnoprovisionsrelatingtorequirementsofconsentfromemployees.
However,theproposedPrivacyBillbanscovertsurveillance,whichsuggeststhatconsentwillhaveto
beobtainedfromemployeesoncethislawcomesintoforce,althoughtheBillissilentondetailsrelating
towhatqualifiesasconsentandhowitmaybeobtained.
10.4Towhatextentdoworkscouncils/tradeunions/employeerepresentativesneedtobenotified
orconsulted?
Neithercurrentnorproposedlegislationcontainsprovisionsonthismatter.
10.5Doesemployeemonitoringrequireseparateregistration/notificationorpriorapprovalfrom
therelevantdataprotectionauthority(ies)?
Neithercurrentnorproposedlegislationcontainsprovisionsonthismatter.
11 ProcessingDataintheCloud
11.1Isitpermittedtoprocesspersonaldatainthecloud?Ifso,whatspecificduediligencemustbe
performed,underapplicablelaworbindingguidanceissuedbytherelevantdataprotection
authority(ies)?
Neithercurrentnorproposedlegislationcontainsprovisionspertainingtocloudbaseddataprocessing.
11.2Whatspecificcontractualobligationsmustbeimposedonaprocessorprovidingcloudbased
services,underapplicablelaworbindingguidanceissuedbytherelevantdataprotection
authority(ies)?
Neithercurrentnorproposedlegislationcontainsprovisionspertainingtocloudbaseddataprocessing.
12 BigDataandAnalytics
12.1Istheutilisationofbigdataandanalyticspermitted?Ifso,whatduediligenceisrequired,
underapplicablelaworbindingguidanceissuedbytherelevantdataprotectionauthority(ies)?
Bigdataandanalyticsareincreasinglybeingrecognisedasessentialforthegrowthofmostindustries,
withthetelecom,retailandecommercesectors,andeventheDepartmentofNationalSecurity,among
others,alreadyemployingeitherorbothtomanageandprocesslargeamountsofdataandtrackdatain
realtime.Indianlegislationdoesnotcurrentlydirectlyaddressissuesofduediligenceorprovide
guidelinesfortheusageofbigdataandanalytics.TheITRulesprovidereasonablesecuritypracticesas
statutorysecurityproceduresforcorporateentitiesthatcollect,handleandprocessdatatofollow,which
alsoapplytotheuseofbigdata.
13 DataSecurityandDataBreach
13.1Whatdatasecuritystandards(e.g.,encryption)arerequired,underapplicablelaworbinding
guidanceissuedbytherelevantdataprotectionauthority(ies)?
Rule8oftheITRulesdescribesreasonablesecuritypracticesandproceduresasfollows:
1)Abodycorporate,orapersononitsbehalf,shallbeconsideredtohavecompliedwithreasonable
securitypracticesandproceduresiftheyhaveimplementedsuchsecuritypracticesandstandards,have
acomprehensivedocumentedinformationsecurityprogrammeandinformationsecuritypoliciesthat
containmanagerial,technical,operationalandphysicalsecuritycontrolmeasuresthatarecommensurate
withtheinformationassetsbeingprotectedandwiththenatureofthebusinessinquestion.
2)Intheeventofaninformationsecuritybreach,thebodycorporateorapersononitsbehalfshallbe
requiredtodemonstrate,asandwhencalledupontodosobytheagencymandatedunderthelaw,that
theyhaveimplementedsecuritycontrolmeasuresaspertheirdocumentedinformationsecurity
programmeandinformationsecuritypolicies.TheinternationalstandardIS/ISO/IEC27001on
InformationTechnologySecurityTechniquesInformationSecurityManagementSystem
Requirementsisonesuchstandard.
3)Anyindustryassociationoranentitywhosemembersareselfregulatingbyfollowingcodesother
thantheIS/ISO/IECcodesofbestpracticefordataprotectionasper(1)above,shallgetitscodesofbest
practicedulyapprovedandnotifiedbytheCentralGovernment.
4)Thebodycorporateorapersononitsbehalf,thathasimplementedeithertheIS/ISO/IEC27001
standardorthecodesofbestpracticefordataprotectionasapprovedandnotifiedunderpoint(3)
above,shallbedeemedtohavecompliedwithreasonablesecuritypracticesandprocedures,provided
thatsuchastandardorsuchcodesofbestpracticearecertifiedorauditedonaregularbasisbyan
independentauditor,dulyapprovedbytheCentralGovernment.Thisauditshallbecarriedoutbyan
auditoratleastonceayear,orasandwhenthebodycorporateundertakesasignificantupgradeofits
processandcomputerresources.
InAugust2011,theMinistryofCommunicationsandInformationissuedaPressNote(Clarification
onthePrivacyRules)whichprovidesthatanyIndianoutsourcingserviceprovider/organisation
providingservicesrelatingtocollection,storage,dealingorhandlingofsensitivepersonalinformation
orpersonalinformationundercontractualobligationswithalegalentitylocatedwithinoroutside
Indiaisnotsubjecttocollectionanddisclosureofinformationrequirements,orconsentrequirementas
detailedbytheITRules,provideditdoesnothavedirectcontactwiththedatasubjectswhenproviding
theirservices.
TheproposedPrivacyBill,whichwilloverridetheITRulesifenacted,alsocontainsprovisions
pertainingtothesecurityofpersonaldata,statingspecificallythateverydatacontrollermustset
appropriatetechnological,organisationalandphysicalstandardsforthesecurityofdataunderits
control.InChapterIII,section15oftheproposedBill,itisalsostatedthattheDataProtection
Authority(theestablishmentofwhichisprovidedforinthesameBill)mayprescriberegulationsor
codesofpractice,layingdownstandardsfortechnological,organisationalandphysicalmeasuresfor
protectionofpersonaldata,andthatdifferentstandardsmaybeprescribedfordifferentclassesof
organisation.
13.2Istherealegalrequirementtoreportdatabreachestotherelevantdataprotection
authority(ies)?Ifso,describewhatdetailsmustbereported,towhom,andwithinwhattimeframe.Ifno
legalrequirementexists,describeunderwhatcircumstancestherelevantdataprotectionauthority(ies)
expectsvoluntarybreachreporting.
Thecurrentlegislationcontainsnolegalrequirementstoreportdatasecuritybreachestoeither
authoritiesordatasubjects.
TheproposedPrivacyBill,inChapterIII,section16,prescribesthatwhereadatacontrollerhas
reasonablegroundstobelievethatthepersonaldataofanydatasubjectunderitscontrolhasbeen
accessedoracquiredbyunauthorisedpersons,thedatacontrollermust,assoonasisreasonably
possibleafterdiscoveringthebreach,notifyboththedatasubjectandtheDataProtectionAuthority.
Thenotificationshallbeinwriting,andshallbesenteithertothelastknownaddressofthedatasubject
byregisteredpostrequestingdueacknowledgment,orpublishedinatleasttwonationalnewspapers.
Thenotificationmustcontainsufficientinformationasisnecessarytoenablethedatasubjecttotake
stepstomitigatethepotentialconsequencesofthedatasecuritybreach,including,ifpossible,the
identityofthepersonwhomayhavecommittedthebreachandthedateonwhichitoccurred.
13.3Istherealegalrequirementtoreportdatabreachestoindividuals?Ifso,describewhat
detailsmustbereported,towhom,andwithinwhattimeframe.Ifnolegalrequirementexists,describe
underwhatcircumstancestherelevantdataprotectionauthority(ies)expectsvoluntarybreach
reporting.
Thecurrentlegislationdoesnotcontainanysuchrequirement.However,asexplainedinquestion13.2
above,theproposedlegislationdoes.TheonlyexceptiontotherequirementintheproposedPrivacy
BillthatthedatacontrollernotifythedatasubjectintheeventofabreachisiftheDataProtection
Authoritybelievesthatsuchanotificationwillimpedeacriminalinvestigation,oriftheidentityofthe
datasubjectcannotpossiblybeidentified.
13.4Whatarethemaximumpenaltiesforsecuritybreaches?
Aspreviouslyexplained,thelegislationcurrentlyinforcedoesnotdealwithdatabreachesatall,except
asindicatedinquestion13.1above.TheproposedPrivacyBillelaboratesonpenaltiesfordifferent
typesofbreaches,includingviolationofsecurity/secrecy/confidentialitylicences,unauthorised
interceptionofcommunication(anddisclosureofsaidinterceptedcommunication),obtainingpersonal
informationonfalsepremises,disclosure,datatheftandcontraventionofthedirectionsoftheproposed
DataProtectionAuthority.Thepenaltiesimposedareintheformofheavyfines,whichvaryforeach
offencebutwhichdonotextendbeyondINR1,000,000.Theonlyexceptiontothisisapenaltyimposed
forcontraventionofdirectionoftheDataProtectionAuthority,whichmayextendtoINR200,000and,in
thecaseofacontinuingbreach,anadditionalsumwhichmayextendtoINR200,000foreverydaythat
thedefaultcontinues.
14 EnforcementandSanctions
14.1Describetheenforcementpowersofthedataprotectionauthority(ies):
IndianlegislationdoesnotspecificallyprovidefortheestablishmentandfunctionofDataProtection
Authorities,althoughproposedlegislationintheformofthePrivacyBillseekstoalterthis.Pleaserefer
tosections1and6aboveforfurtherinformationoncurrentlegislationwithrespecttoDataProtection
Authorities.
14.2Describethedataprotectionauthoritysapproachtoexercisingthosepowers,withexamples
ofrecentcases.
IndianlegislationdoesnotspecificallyprovidefortheestablishmentandfunctionofDataProtection
Authorities,althoughproposedlegislationintheformofthePrivacyBillseekstoalterthis.Pleaserefer
tosections1and6aboveforfurtherinformationoncurrentlegislationwithrespecttoDataProtection
Authorities.
15 Ediscovery/disclosuretoforeignLawenforcementagencies
15.1Howdocompanieswithinyourjurisdictionrespondtoforeignediscoveryrequests,or
requestsfordisclosurefromforeignlawenforcementagencies?
Aslongasrequestsfromforeigncompaniesarebasedonanorderfromacourtoflawandifthecountry
inquestionhasareciprocalarrangementwithIndia,thensucharequestmaybeenforcedinIndia,if
necessary,throughanIndiancourt.Absentacourtorder,Indiancompaniesdonothaveanyobligation
torespondtoforeignediscoveryrequestsorrequestsfordisclosure.
15.2Whatguidancehasthedataprotectionauthority(ies)issued?
None.Pleaserefertoquestion14.1above.
16 TrendsandDevelopments
16.1Whatenforcementtrendshaveemergedduringtheprevious12months?Describeany
relevantcaselaw.
TheissueofdataprotectionhasbeenraisedbeforetheIndianHighCourtsinrespectofafewPatent
cases,buttheCourtshavegenerallytakentheviewthatwhatisnotexpresslyprohibitedispermitted.
Onceproperlegislativeenactmentscomeintoforcetoplugtheexistingloopholes,onemayexpecta
seriesofjudicialpronouncementsclarifyingandimplementingthelaw.However,theITActhascome
underjudicialscrutinyforreasonsoutsidethesphereofIntellectualPropertyRights.InShreyaSinghal
vUOI,theSupremeCourtstruckdownsection66AoftheITAct,whichmadeitacriminaloffenceto
sendelectronicallyanyinformationthatisgrosslyoffensive,menacing,causesannoyance,
obstruction,insult,andhatredamongstotherthings.Itneitherdefinedanyofthesewordsnorgave
anyindicationoftheirimport.Thesectionhadlongbeencriticisedbyfreespeechactivistsithad
oftenbeenused,forinstance,againstuserswhohadtakentoFacebooktocriticisethecurrentruling
partyinParliament.TheSupremeCourtstruckitdownspecificallyduetoitschillingeffectonfree
speech,itsvaguenessandwhatthecourtreferredtoasoverbreadth.Thesignificanceofthismovelies
mainlyinthejudicialacknowledgementofthethoroughundesirabilityofextremecensorship.
16.2Whathottopicsarecurrentlyafocusforthedataprotectionregulator?
SeveralimportantamendmentstotheITActarebeingconsideredbytheIndianGovernment.The
proposedamendments,iftheycomethrough,willincreasethescopeforliabilityincaseofanybreachof
dataprotectionrules.Additionally,amendmentsbasedontheEuropeanUniondirectivearebeing
considered.

India - Data Protection 2016 ICLG - International Comparative Legal Guides

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

India - Data Protection 2016 ICLG - International Comparative Legal Guides

Uploaded by

Copyright:

Available Formats

4/11/2017 IndiaDataProtection2016ICLGInternationalComparativeLegalGuides

You might also like