Despite a global economic downturn, India has remained an ‘attractive’ destination for inbound investment (http://emergingmarkets.ey.com/wp-content/uploads/downloads/2012/03/india-attractiveness-final-version1.pdf). Under the extant foreign direct investment policy released by the Ministry of Commerce & Industry, foreign entities may either invest in Indian entities up to a permissible percentage or establish 100% wholly-owned subsidiaries. Typically, for ease of administration, such foreign investor companies prefer to retain certain data pertaining to their local companies on a common server located in the foreign parent/investor company’s jurisdiction. Such data may, inter alia, range from employee-related details to customer databases. For clarity, persons who have provided bodies corporate with data pertaining to themselves are hereinafter referred to as “data subjects”. The local company collects relevant data from data subjects and transfers the same to the foreign parent/group company.
Given the lack of a data protection regime in India until mid-2011, such collection and/or transfer of data from India to an overseas jurisdiction did not pose a major challenge. While the Indian Parliament did enact legislation, namely the Information Technology Act, 2000 (the “IT Act”), it did not provide for a structured data protection framework.
In April 2011, the Ministry of Communications and Information Technology (“Ministry”) notified the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“Rules”) under section 43-A of the IT Act. Section 43-A, inter alia, states that:
where a body corporate possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.
It defines a ‘body corporate’ to mean “any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities”. However, Section 43-A did not provide watertight definitions of either ‘sensitive personal data’ or ‘reasonable security practices and procedures’, which made its implementation ineffective. The Rules delineate certain practices and procedures that an Indian company must adhere to in order to, inter alia, collect and/or transfer certain categories of data.
This article discusses the provisions of the Rules regarding the collection of data by an Indian company and the subsequent transfer of such data to its parent/group company in a foreign jurisdiction. Before delving into the steps a company must implement to be in consonance with the requirements of the Rules, it is worth noting the applicability of the Rules.
Applicability of the Rules
A common question that arises in situations of cross-border data transfer concerns the applicability of the Rules. If data is being transferred to or retained by the foreign company, would such foreign company be required to comply with the Rules?
The Rules, read with Section 43-A of the IT Act, appear to apply to any company possessing, handling or dealing with ‘sensitive personal data’ (as defined and discussed hereafter). A subsequent press note dated August 24, 2011 (the “Press Note”) released by the Ministry clarified the position: the Rules apply only to Indian body corporates. In other words, foreign companies do not fall within the ambit of the Rules and are therefore not themselves required to comply with the Rules.
Kinds of data
The Rules deal with two categories of data viz. sensitive personal data and personal data. The Rules define these categories of data, as has been discussed hereafter.
(i) personal data, being data which by itself, or in conjunction with other data is capable of identifying a person (“personal data”) (Rule 2 (1) (i) of the Rules); and
(ii) sensitive personal data, being data relating to passwords; financial information such as bank account, credit card or debit card details; physical, physiological and mental health condition; sexual orientation; medical records and history; biometric information, i.e. technologies that measure and analyse human body characteristics, such as ‘fingerprints’, ‘eye retinas and irises’, ‘voice patterns’, ‘facial patterns’, ‘hand measurements’ and ‘DNA’, for authentication purposes; and any detail relating to the above as provided to a company for providing a service; provided that any data that is freely available or accessible in the public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force is not to be regarded as sensitive personal data (“sensitive personal data”, Rule 3 of the Rules).
There are compliance requirements that are common to both personal and sensitive personal data. However, in the case of sensitive personal data, there are additional compliance requirements. Therefore, determining the category of data being handled would be the first step towards compliance with provisions of the Rules.
Compliance vis-a-vis collection, transfer, retention or use of personal or sensitive personal data
In this section, we will deal with the various stipulations to be adhered to by an Indian company with regard to the collection and/or transfer of personal or sensitive personal data to a foreign company.
Maintenance of Privacy Policy (Rule 4 of the Rules)
If the Indian company determines that it is handling either personal or sensitive personal data, it must draft a privacy policy, which is to be made available to all data subjects. For ease of administration, it is advisable to post the said privacy policy on the Indian company’s website.
The Rules clearly set out the contents of the said privacy policy. Among other items, the following has to be addressed in the privacy policy:
- purpose of data collection/receipt/retention/use;
- category of data being handled;
- security procedures maintained to secure such data from wrongful dissemination; and
- circumstances under which such data may be disclosed to third parties (together with such third party’s details).
Below, we shall highlight the other important contents of a privacy policy.
Reasonable Security Practices and Procedures
This is probably the most important highlight of the Rules. The international arena has time and again expressed concern over the lack of standards in India for the security of data. The Rules specify that a company collecting/using/storing/transferring personal or sensitive personal data must adopt reasonable security practices and procedures not lower than the standards of IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements”.
In order to establish compliance with such security requirements, it is recommended that the Indian company maintain comprehensive documentation describing the security programme and policies implemented by it. Such documents may contain details of managerial, technical, operational and physical security control measures.
Referring back to the privacy policy, it is recommended that it address the issue of data security, stating that the security procedures implemented by the company are not lower than the IS/ISO/IEC 27001 standards.
Transfer of Information (Rule 7 of the Rules)
There may arise a situation where personal or sensitive personal data needs to be transferred to a foreign jurisdiction. The Rules provide specific conditions upon the satisfaction of which a company may transfer personal or sensitive personal data. An Indian company proposing to transfer personal or sensitive personal data to a foreign company may proceed with such transfer, provided:
- the transferee entity maintains the same level of data protection as is stipulated in the Rules i.e. not lower than the standards of IS/ISO/IEC 27001; and
- the transfer is necessary for the performance of a lawful contract between the said Indian company and the data subject.
However, an exception to the above conditions has been carved out for the transfer of personal or sensitive personal data with the prior consent of the data subject. Therefore, the aforementioned privacy policy of the Indian company should ideally state that the company complies with the above provisions regarding the transfer of personal or sensitive personal data.
Additional compliance with regard to sensitive personal data
Let us assume a situation where the Indian company determines that it handles sensitive personal data. The following additional measures would be required in such a scenario:
Collection of Sensitive Personal Data and Mode of Obtaining Consent
If the Indian company determines that it is collecting and/or transferring sensitive personal data from data subjects, it will be under an obligation to obtain the prior consent of such data subjects for the same (Rule 5(1) of the Rules). Such consent may be obtained through letter, fax or email. Electronic consent via a tick box or an ‘I Agree’ tab is also permitted. In order to make the process of obtaining consent easier, the privacy policy of each body corporate may contain an ‘I Agree’ tab at the end of the text. A click on the tab by the data subject would constitute valid consent.
However, prior to such collection of sensitive personal data, the Indian company must ensure that:
- it informs data subjects of the purpose for which the data is being collected, that the data so collected may be transferred, the intended recipients of the data and the names/addresses of the agencies collecting and retaining this data (Rule 5(3) of the Rules); and
- the sensitive personal data is being collected for a lawful purpose connected with a function or activity of the company, and its collection is necessary for that purpose (Rule 5(2) of the Rules).
Right to Opt Out
A practical concern that has been raised with regard to the collection of data is the availability of an option to withdraw consent. As per the Rules, the data subject must be given the option, by the Indian entity collecting/using/transferring/retaining sensitive personal data, to withdraw the consent so given at any point in time (Rule 5(7) of the Rules).
While seeking the consent of the data subject, the privacy policy of the Indian company must also mention the data subject’s right to opt out of such consent. In terms of procedure, the right to opt out must be exercised through a written request to that effect, duly submitted to the Indian company.
Disclosure and Transfer of Data
Since the data concerned is sensitive personal data, the Indian company is precluded from disclosing it to any third party (including group companies) without the prior permission of the data subject (Rule 6 of the Rules). However, if the data subject has provided the Indian company with prior permission for such disclosure by executing a contract between the Indian company and the data subject, this acts as an exception to the above rule. To further protect sensitive personal data, the third party is restricted from further transferring it.
A practical way to address this stipulation would be to include sufficient language in the privacy policy stating that the data subject consents not only to the collection, but also to the disclosure of his sensitive personal data to a third party. However, the onus remains on the Indian company to ensure that such third party implements reasonable security practices and procedures, as explained above.
Retention and Use
The Indian company must ensure that sensitive personal data collected from a data subject is not retained for longer than is required to fulfil the purpose for which such data was collected, or than is otherwise required under law. The data so collected must be used only for the purpose(s) for which it has been collected.
The privacy policy of the Indian company may be drafted so as to state that sensitive personal data is collected for a valid purpose and will not be retained for longer than required.
In order to provide the data subject with sufficient control over his sensitive personal data, the Rules mandate that a data subject be given the right to access and review his sensitive personal data (Rule 5(6) of the Rules). However, the Rules do not prescribe a structured procedure for such review by the data subject. Apart from ensuring compliance with the Rules, providing this right also ensures that the company is not held responsible for the authenticity of data supplied by the data subject.
Grievance Officer (Rule 5(9) of the Rules)
Every company dealing with sensitive personal data must appoint a grievance officer to address complaints/queries regarding data subjects’ sensitive personal data. The name and contact details of such grievance officer must be made available to data subjects. The intent is to have a designated person address any issues that may arise with regard to sensitive personal data within one month. Given the absence of any directive from the Ministry regarding qualifications for the position of grievance officer, the Indian company may designate one of its existing employees as the ‘grievance officer’.
Conclusion
While the move to introduce a stricter data privacy framework by way of the notification of the Rules has been appreciated, various industry bodies are skeptical about its implementation: for example, while the Rules provide for an audit of the data protection practices prevalent in a company, there is no clarity as to who should perform this audit and on what parameters. In the absence of any clarification from the Ministry regarding the implementation of the Rules, the privacy policy of an Indian company is of utmost importance. In the event of an investigation, it is the one document which may form strong evidence of the Indian company’s compliance with the Rules. Therefore, until the Ministry releases further notifications regarding the implementation of the Rules, it is recommended that Indian companies frame their privacy policies carefully and, generally, adhere to the Rules.
Ankita Ray is an Associate with J. Sagar Associates, Bangalore, India. She can be contacted at ankita.ray@jsalaw.com.
By Ankita Ray