Vous êtes sur la page 1sur 4

OutsourcingLawhttp://www.outsourcinglaw.

com

2011IndianPrivacyLaw

byKochhar&Co
www.kochhar.com
att:stephen.mathias@bgl.kochhar.com
Introduction
OnApril11,2011,IndiasMinistryofCommunicationsandInformationTechnologynotifiedthe
InformationTechnology(Reasonablesecuritypracticesandproceduresandsensitivepersonaldata
orinformation)Rules,2011undertheInformationTechnologyAct,2000.Indianowhasaprivacy
law,broughtintoforcewithimmediateeffectwithwideramificationsonthewaycompanieswilldo
businessinIndia.Thisclientadvisoryprovidesadescriptionandreviewofthenewlaw.

InformationTechnologyAct
Untilacoupleofyearsago,Indianlawhadnoprovisionsdealingwithprivacyprotection.The
enactmentoftheRighttoInformationAct,2005gaveafilliptotransparencyingovernmentdealings
andconcurrentlyprovidedsomeprotectionagainsttheunwarranteddisclosureofconfidential
informationunderthatlaw.In2008,theITActwasamendedtointroducethefollowing:

Anewcivilprovisionprescribingdamagesforanentitythatisnegligentinusingreasonablesecurity
practicesandprocedureswhilehandlingsensitivepersonaldataorinformationresultingin
wrongfullossorwrongfulgaintoanyperson.
Criminalpunishmentforapersonif(a)hedisclosessensitivepersonalinformation(b)doesso
withouttheconsentofthepersonorinbreachoftherelevantcontractand(c)withanintentionof,
orknowingthatthedisclosurewouldcausewrongfullossorgain.
Ineffect,thecivilprovisionmerelyprovidedfordamagesfornegligentconductwhichisalready
availableundercommonlaw.Thecriminalprovisionisfairlynarrowandincludesanelementofmens
rea,i.e.,actualintentiontodowrongisrequired.Thetwoprovisionswereclearlynotcomprehensive
intermsofprivacyprotectioninIndia.

SalientFeaturesofNewRules
Thefollowingarethesalientfeaturesofthenewrules:

SensitivePersonalInformation.Thelawrelatestodealingwithinformationgenerally,personal
informationandsensitivepersonaldataorinformation(hereinafter,SPD).SPDisdefinedto
coverthefollowing:(a)passwords,(b)financialinformationsuchasbankaccountorcreditcardor
debitcardorotherpaymentinstrumentdetails(c)physical,physiologicalandmentalhealth
condition(d)sexualorientation(e)medicalrecordsandhistoryand(f)biometricinformation.It
maybenotedthatSPDdealsonlywithinformationofindividualsandnotinformationofbusinesses.
PrivacyPolicy.Everybusinessisrequiredtohaveaprivacypolicy,tobepublishedonitswebsite.
ThebusinesshastoalsoappointaGrievanceOfficer.Theprivacypolicyappearstoberequired
whetherornotthebusinessdealswithSPD.Theprivacypolicymustdescribewhatinformationis
collected,thepurposeofuseoftheinformation,towhomorhowtheinformationmightbedisclosed
andthereasonablesecuritypracticesfollowedtosafeguardtheinformation.
Consentforcollection.AbusinesscannotcollectSPDunlessitobtainsthepriorconsentofthe
provideroftheinformation.Theconsenthastobeprovidedbyletter,faxoremail.Thebusiness
mustalso,priortocollectingtheinformation,givetheoptiontotheprovideroftheinformationto
notprovidesuchinformation.Insuchcase,thebusinesscanceaseprovidinggoodsandservicesfor
whichtheinformationissought.
Notification.Thebusinessshouldensurethattheprovideroftheinformationisawarethatthe
informationisbeingcollected,thepurposeofuseoftheinformation,therecipientsofthe
informationandthenameandaddressoftheagencycollectingtheinformation.Priorconsentis
requiredfordisclosureoftheinformationtoanypartyotherthanthegovernment.
Useandretention.Thebusinesscanusepersonalinformationonlyforthepurposeforwhichitwas
collected.Also,thebusinesscannotretaintheSPDforlongerthanisrequiredforthepurposesfor
whichtheinformationmaylawfullybeusedorisotherwiserequiredunderanyotherlaw.
Rightofaccess,correctionandwithdrawal.Thebusinessshouldpermittheproviderofthe
informationtherighttoreviewthatinformationandshouldensurethatanyinformationfoundtobe
inaccurateordeficientbecorrected.Theprovideroftheinformationalsohastherighttowithdrawits
consenttothecollectionanduseoftheinformation.
Transnationaltransfer.AbusinesscanonlytransfertheSPDorinformationtoapartyoverseasif
theoverseaspartyensuresthesamelevelofprotectionprovidedforundertheIndianrules.
Further,theinformationcanbetransferredonlyifitisnecessaryfortheperformanceofalawful
contractbetweenthebodycorporateandtheinformationproviderorwheretheinformationprovider
hasprovidedhisconsenttosuchtransfer.
Securityprocedures.TheITActrequiresreasonablesecurityprocedurestobemaintainedinorderto
escapeliability(seeabove).Therulesappeartostatethatreasonablesecurityprocedureswouldbe
either(a)theIS/ISO/IEC27001onInformationTechnologySecurityTechniquesInformation
SecurityManagementSystemRequirementsor(b)acodedevelopedbyanindustryassociation
andapprovedandnotifiedbythegovernment.Thesecurityprocedurehastobeauditedonaregular
basisbyanindependentauditor,whohasbeenapprovedbytheGovernmentofIndia.Suchaudit
shouldbecarriedoutatleastonceayearorasandwhenthebodycorporatehasundertakena
significantupgradationofitscomputerresource.
ImplicationsoftheNewRules
ForEmployers
Employerswillneedtoprepareaprivacypolicyandobtaintheconsentoftheemployeestothe
privacypolicybyfax,letteroremail.Theemployerhastogivetheemployeetherightnottoprovide
SPD(andconsequently,nottohiretheemployee,thoughthisisnotentiretyclear).Theprivacy
policyneedstosetoutwhatinformationisbeingcollected,whatitwillbeusedforandthenameand
addressoftheagencycollectingtheinformation.Aseriousconcernwouldbetherightofthe
employeetoaccessallinformationabouthim,toreviewandcorrecttheinformationandtorequire
theinformationtobedeleted.

ForMultinationalsinIndia
Multinationalstendtomaintaincentralizeddatabasesofinformationabouttheirbusinessesallover
theworld,includinginparticular,informationaboutemployees,serviceprovidersandcustomers.
SincetherulesareinsomepartsmorestringentthaneventheEuropeanrules,overseasgroup
entitieswhoreceivetheinformationwillhavetobuildinprocessestocomplywiththerules.Further,
theIndianentitywillneedtomeettherequirementsforhavingaprivacypolicy,consentfor
collection,notificationaboutpurposeofuseoftheinformationandwhowillbecollectingthe
informationandconsentfromtheprovidersforprovidingsuchinformationtoanotherparty.

FortheOutsourcingIndustry
TherulesareframedundertheInformationTechnologyAct2000whichappliestothewholeof
India.Onaplainreading,thismeansthatanybusinessdealingwithinformationorSPDinIndiahas
tocomplywiththerules,evenifsuchinformationrelatestoanindividualbasedoutsideIndia.The
logicaleffectofthisisthatthevendorinIndiaorhiscustomeroverseaswillneedtofulfillthe
requirementsofthelawwiththeconcernedindividual,suchastheconsentforcollection,notification
obligations,rightofaccess,correctionandwithdrawal.Thishasgraveimplicationsforthe
outsourcingindustryandcouldleadtodisruptionofBPOoperationsinIndia.

ReviewoftheNewRules:
Therearesomesignificantconcernsassociatedwiththeimplementationofthenewlaw.Theseareas
follows:

Transitionperiod.Thelawdoesnothaveatransitionperiod.Itcomesintoforcewithimmediate
effect.Itappliestobodycorporateswhichincludessoleproprietors,partnershipsandassociations
ofpersonsdoingbusiness.Theeffectisthatthelawhastobeimplementedinahurriedmannerby
everysinglebusinessinthecountry.Thisisclearlyquiteimpractical.Mostsmallbusinessesarelikely
toignorethelawandnotcomplywithit.
Ultraviresthestatute?Theruleshavebeenframedundertheprovisionrelatingtothecivilremedy
(describedabove)incaseanorganizationdoesnotusereasonablesecuritypracticesand
procedures.Accordingly,thegovernmentwasonlytohavesetforthwhatwouldbethose
proceduresandwhatconstitutesSPD.However,therulesinsteadtalkabouttherighttouse
personalinformationitselfandseveralotherrelatedmatters.Onemaybeabletomakeoutacase
thattherulesgobeyondwhatispermittedbythestatute.However,thegovernmentcanremedy
thisbyamendingtherulestoprovidethattheyhavebeenissuedunderthegeneralrulemaking
powerunderthestatueandnotthespecificrulemakingpowerasstatedabove.
Applicabilitytoinformationgenerally.Thelawdefinessensitivepersonaldataandinformation
(SPD).Insomeplaces,referencesaretoSPDandinotherplacestopersonalinformationandto
informationgenerally.Thereissometimessomeambiguityoverwhethercertainprovisionsapplyto
allinformation,personalinformationoronlytoSPD.Insomecases,itseemsclearthatthe
applicabilityistoinformationgenerally,therebywideningtheambitofthelaw.
Applicabilitytofinancialinformation.UnlikeintheEuropeanlaw.thelawincludesfinancialinformation
generallywithinSPD.Alargepartofbusinessinformationisfinancialinnature.Theinclusionof
financialinformationsetsahighstandardofprivacyprotectionrelatingtoinformationthatisreceived
intheordinarycourseofbusiness.ThisislikelytohaveadisruptiveeffectonbusinessinIndia.
Consentasacondition.TherequirementofconsentasamandatoryconditionfortheuseofallSPD
issurprisingandrestrictive.UnderEuropeanlaw,consentisjustonegroundonthebasisofwhich
SPDcanbeused.Forexample,forpersonalinformationgenerally,(includingfinancialinformation),
onecanprocesssuchinformationwithoutconsentoftheproviderifitisnecessaryforthepurpose
ofperformanceofacontractwiththeprovideroftheinformation.
MethodofConsent.Themethodofconsentrequiredisverysurprising!Theconsentcanbe
obtainedonlythroughletter,faxoremail!Itappearsthattheconsentcannotbeobtainedthrough
anonlineconsent,perhaps,noteventhroughacontractanddefinitelynotthroughtheacceptance
ofaprivacypolicy.Onewouldhaveexpectedanelectroniclawtobethoughtthroughmorein
electronicterms!
Unlimitedrightofaccess.Therightofaccessisprovidedtoobroadlywithoutregardtovarious
exceptionsthatwouldneedtobebuiltin.TheEuropeanlawcontainsoveradozenexceptionsthat
coverobvioussituations.
Withdrawalofconsent.Therightoftheprovidertowithdrawconsentisnaiveandimpractical.
Businesscannotbeconductedwithouttheflowofinformationandconsentcannotbetheonlyfactor
inthecollection,useorcontinueduseofsuchinformation.Oncethatinformationhasbeenreceived
andprocessed,itmayberequiredbytherecipientandcannotbeunilaterallywithdrawnbythe
provider.Evensafeguardsrelatingtolegalrequirementsforrecordkeeping,whicharepresentinthe
languageondurationofretention,arenotpresentinthisprovision.
Securitystandards.Underthestatute,theprescribedsecuritystandardsapplyonlyiftheprovider
andrecipientoftheinformationhavenotagreedonthestandardsinacontract.Thelawseemsto
suggestthatinsuchasituation,oneeitherfollowsIS/ISO/IEC27001oragovernmentapproved
codedevelopedbyanindustrybody.Itisnotclearwhetherthesearetheonlytwooptionsor
merelythatifeitheroftheseoptionsisused,theconcernedbusinessisdeemedtohavecomplied
withitsobligationtousereasonablesecurityprocedures.Itisourunderstandingthatthe
requirementsofthiscodearequiteonerousandlargelyfollowedbybanksandlargeorganizations
thatneedveryhighstandardsofsecurity.
ApplicabilitytoGovernment.Therulesdonotapplytothegovernment,therebyexemptingoneof
thelargestprocessorsofpersonalinformationinthecountry.Thismeansthatoneofthekey
reasonsforhavingaprivacylawhasnotbeenfulfilled.Perhaps,thenonapplicabilitytothe
governmentcanbeunderstoodinthecontextofaseparateprojectthatthegovernmentis
commencingtodraftalawtodealwithconcernsrelatingtotheGovernmentscreationofan
identitydatabase.ItmaybenotedthatKochhar&Cowasrecentlyawardedtheprojecttoreview
existinglawsandframerulesfortheprotectionofidentityinformationcontainedinthedatabase.
Conclusion
Overall,thelaw,whilelaudableinobjective,ispoorlywritten,notproperlythoughtthrough,too
simplisticandfailstoaddressmorecomplexnuancesofdataprotectionissuesthatfindplaceinthe
Europeanlaw.IthasgraveimplicationsfordoingbusinessinIndia,particularlyformultinationals
operatinginIndiaandtheoutsourcingindustry.Thisappearstobeacaseofonestepforwardand
twostepsbackward!

Anexerciseisurgentlyrequiredtoclarifyandinsomecases,amendtherulessothatambiguityis
removedandobviousexceptionsarebuiltintotherules.Wewouldprobablyalsoneeda
governmentagencytoimplementtherulesinaproactive,businessmindedmanneralongthelines
oftheInformationCommissionerintheUK.

Kochhar&Co

ArticleprintedfromOutsourcingLaw:http://www.outsourcinglaw.com

URLtoarticle:http://www.outsourcinglaw.com/2011/07/2011indianprivacylaw/
Copyright2012OutsourcingLaw.Allrightsreserved.