Despite a global economic downturn, India has remained an ‘attractive’ destination for inbound investment (http://emergingmarkets.ey.com/wp-content/uploads/downloads/2012/03/india-attractiveness-final-version1.pdf). Based on extant foreign direct investment policy, released by the Ministry of Commerce & Industry, foreign entities may either invest in Indian entities up to a permissible percentage or may establish 100% wholly-owned subsidiaries. Typically, for ease of administration, such foreign investor companies prefer to retain certain data pertaining to their local companies on a common server located in the said foreign parent/investor company’s jurisdiction. Such data may, inter alia, range from employee related details to customer databases. (For clarity, hereinafter persons who have provided bodies corporate with data pertaining to themselves have been referred to as “data subjects”.) The local company collects relevant data from data subjects and transfers the same to the foreign parent/group company.
Given the lack of a data protection regime in India till mid-2011, such collection and/or transfer of data from India to an overseas jurisdiction did not throw up a major challenge. While Indian Parliament did enact legislation, namely the Information Technology Act, 2000 (the “Act”), the same did not provide for a structured data protection framework.
In April 2011, the Ministry of Communications and Information Technology (“Ministry”) notified the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“Rules”) under section 43-A of the IT Act. Section 43-A, inter alia, states that:
where a body corporate possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.
It defines a ‘body corporate’ to mean “any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities”. However, Section 43-A failed to provide watertight definitions of either of the terms ‘sensitive personal data’ or ‘reasonable security practices and procedures’, thereby making its implementation ineffective. The Rules delineate certain practices and procedures that an Indian company must adhere to in order to, inter alia, collect and/or transfer certain categories of data.
This article attempts to discuss provisions of the Rules regarding collection of data by an Indian company and subsequent transfer of such data to its parent/group company in a foreign jurisdiction. However, before we delve into the details regarding the steps a company must implement to be in consonance with the requirements of the Rules in this regard, it would be interesting to note the applicability of the Rules.
Applicability of the Rules
A common question that arises in situations of cross-border data transfer is regarding the applicability of the Rules. If data is being transferred to or retained by the foreign company, would such foreign company be required to be in compliance with the Rules?
The Rules, read with Section 43-A of the IT Act, seem to be applicable to any company possessing, handling or dealing with ‘sensitive personal data’ (as has been defined and discussed hereafter). A subsequent press note dated August 24, 2011 (the “Press Note”) released by the Ministry clarified the situation: the Rules are applicable only to Indian body corporates. In other words, foreign companies do not fall within the ambit of the Rules and therefore do not necessarily have to be compliant with the Rules.
Kinds of data
The Rules deal with two categories of data viz. sensitive personal data and personal data. The Rules define these categories of data, as has been discussed hereafter.
(i) personal data, being data which by itself, or in conjunction with other data is capable of identifying a person (“personal data”) (Rule 2 (1) (i) of the Rules); and
(ii) sensitive personal data, such as data relating to passwords; financial information such as bank account, credit card or debit card details; physical, physiological and mental health condition; sexual orientation; medical records and history; biometric information, i.e. technologies that measure and analyse human body characteristics, such as ‘fingerprints’, ‘eye retinas and irises’, ‘voice patterns’, ‘facial patterns’, ‘hand measurements’ and ‘DNA’ for authentication purposes; and any detail relating to the above as provided to a company for providing service (provided that any data that is freely available or accessible in the public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force is not to be regarded as sensitive personal data) (“sensitive personal data”, Rule 3 of the Rules).
There are compliance requirements that are common to both personal and sensitive personal data. However, in the case of sensitive personal data, there are additional compliance requirements. Therefore, determining the category of data being handled would be the first step towards compliance with provisions of the Rules.
Compliance vis-a-vis collection, transfer, retention or use of personal or sensitive personal data
In this section, we will deal with various stipulations to be adhered to by an Indian company with regard to collection and/or transfer of personal or sensitive personal data to a foreign company, including:
- purpose of data collection/receipt/retention/use;
- category of data being handled;
- security procedures maintained to secure such data from wrongful dissemination; and
- circumstances under which such data may be disclosed to third parties (together with such third party’s details).
Reasonable Security Practices and Procedures
This is probably the most important highlight of the Rules. The international arena has time and again expressed concern over the lack of security standards in India for security of data. The Rules specify that a company collecting/using/storing/transferring personal or sensitive personal data must adopt reasonable security practices and procedures not lower than the standards of IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements”.
In order to establish compliance with such security requirements, it is recommended that the Indian company maintains comprehensive documentation highlighting the security programme and policies implemented by it. Such documents may contain details on managerial, technical, operational and physical security control measures.
Transfer of Information (Rule 7 of the Rules)
There may arise a situation where personal or sensitive personal data may require to be transferred to a foreign jurisdiction. The Rules provide for specific conditions, upon the satisfaction of which, a company may transfer personal or sensitive personal data. An Indian company proposing to transfer personal or sensitive personal data to a foreign company may proceed with such transfer, provided:
- the transferee entity maintains the same level of data protection as is stipulated in the Rules i.e. not lower than the standards of IS/ISO/IEC 27001; and
- the transfer is necessary for the performance of any lawful contract between the said Indian company and the data subject.
Additional compliance with regard to sensitive personal data
Let us assume a situation when the Indian company determines that it handles sensitive personal data. The following are additional measures that would be required to be undertaken in such a scenario:
Collection of Sensitive Personal Data and Mode of Obtaining Consent
Prior to such collection of sensitive personal data, the Indian company must ensure that:
- it informs data subjects of the purpose for which data is being collected, that the data so collected may be transferred, the intended recipients of the data and the names/addresses of the agencies collecting and retaining this data (Rule 5(3) of the Rules); and
- sensitive personal data is collected only for lawful purposes connected with an integral activity of the company (Rule 5(2) of the Rules).
Right to Opt Out
A practical concern that has been raised with regard to collection of data is the availability of an option to withdraw consent. As per the Rules, the Indian entity collecting/using/transferring/retaining sensitive personal data must provide data subjects with an option to opt out of the consent so given at any point in time (Rule 5(7) of the Rules).
Disclosure and Transfer of Data
Since the concerned data is sensitive personal in nature, the Indian company is precluded from disclosing it to any third party (including group companies) without the prior permission of the data subject (Rule 6 of the Rules). However, if the data subject has provided the Indian company with prior permission for such disclosure by executing a contract between the Indian company and the data subject, then the same acts as an exception to the above rule. To further protect sensitive personal data, the third party is restricted from further transferring sensitive personal data.
Retention and Use
The Indian company must ensure that sensitive personal data collected by a company from a data subject is not retained for longer than is required to fulfil the purpose for which such data was collected or is otherwise required under law to be retained. The data so collected must be used only for the purpose(s) for which it has been collected.
In order to provide the data subject with sufficient control over his sensitive personal data, the Rules mandate that a data subject be provided with a right to access and review his sensitive personal data (Rule 5(6) of the Rules). However, the Rules have not provided a structured procedure to be adopted for review of data by the data subject. Apart from being compliant with the Rules, provision of this right would also ensure that a company is not held responsible for the authenticity of data supplied by the data subject.
Grievance Officer (Rule 5(9) of the Rules)
Every company dealing with sensitive personal data must appoint a grievance officer to address complaints/queries regarding data subjects’ sensitive personal data. The name and contact details of such grievance officer must be made available to data subjects. The intent is to have a designated person to address any issues that may arise with regard to sensitive personal data within one month’s time. Given the absence of any directive from the Ministry regarding qualifications for the position of grievance officer, the Indian company may designate one of its existing employees as the ‘grievance officer’.
Ankita Ray is an Associate with J. Sagar Associates, Bangalore, India. She can be contacted at firstname.lastname@example.org.
By Ankita Ray