A decidedly inadequate collection of statutes currently governs cybersecurity and data protection in India. Authorities constituted to regulate compliance and enforce penalties for non-compliance under the Information Technology Act 2000 and the Information Technology (Amendment) Act 2008 have been inactive for years, and very little significant jurisprudential development has occurred on the subjects of cybersecurity, privacy and data protection over the past few years. In 2013, the then government drafted a National Cybersecurity Policy, which generated considerable interest both in India as well as abroad, particularly in view of India's position as an exponentially growing business process outsourcing destination. Sadly, progress on the policy was stymied for reasons that have not been made public, reflecting rather poorly on the government's intention to provide clear, robust and watertight law on these matters.
The foregoing is not to say that the urgent need for change in this respect has not been recognised. In July 2016 the Joint Secretary for Cyber Laws and E-Security, R K Sudhanshu, stated to the press that the government is in the process of developing new encryption and cybersecurity policies as part of a thorough overhaul of the law regulating cybersecurity in India.2
In 2017, the Minister for Law and IT, Ravi Shankar Prasad, said that the government is finalising cybersecurity standards for mobile phones and has already issued notice to most smartphone manufacturers asking them to furnish details related to cybersecurity.3
Following the government's launch in 2015 of a heavily advertised campaign called Digital India, whose main agenda was to create 'digital infrastructure' to facilitate the digital delivery of services and increase digital literacy, the prime minister has been involved in an aggressive attempt to make up for lost time on the enhancement of cybersecurity. Digital India triggered major investment flows into the technology sector, and the campaign has prompted questions in the media and academia about privacy and the protection of data, which will hopefully spur the government to legislate more clearly and in detail on these subjects.
2016 was subsequently a mixed bag of encouraging and slightly disturbing developments, although notably none of them resulted in the substantive renovation or repair of statutory law that the authorities have repeatedly promised for several years, with the exception of the Aadhaar Act, enacted to provide targeted delivery of financial benefits.
The Aadhaar Act was challenged in a series of petitions questioning its constitutional validity. A threshold question raised in these petitions was whether privacy is a fundamental right guaranteed under the Constitution of India. That question was referred to a nine-judge constitution bench of the Supreme Court, which in August 2017 held privacy to be a fundamental right of every citizen under the Constitution.4
In addition to the litigation described above, 2017 saw the government amend the Income Tax Act 1961 to make it mandatory for taxpayers to link their Permanent Account Numbers (PANs) with Aadhaar in order to file income-tax returns, open bank accounts and conduct financial transactions above a threshold, with the stated aim of curbing tax evasion and money laundering. The Department of Telecommunications also sought to use Aadhaar as a tool for verifying existing mobile telephone subscribers and made it mandatory for new connections.5 These policies were criticised and challenged in the Supreme Court, which has reserved a verdict that is expected later in 2018.
While the developments of previous years set the tone for 2018, the impetus for specific data protection legislation came from a private member's bill, the Data Privacy Bill 2017, and the release of the Justice BN Srikrishna Committee's recommendations.6 These developments are discussed in detail below.
II THE YEAR IN REVIEW
The following major developments of note occurred in the course of the past year, and these affect national policy, legislation and jurisprudence on cybersecurity, data protection and privacy to varying degrees.
i Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act 2016 (the Aadhaar Act)
The government pushed the Aadhaar Bill through Parliament in a week in March 2016, resulting in the Aadhaar Act. Briefly, the Act provides for the issuance by the Unique Identification Authority of India of a unique identification number to residents of the country. This number is used to deliver state subsidies directly to beneficiaries.
The Aadhaar scheme was first mooted as the Indian equivalent of the social security number in the United States. The passage of the bill into law has, however, generated furious debate about the privacy concerns it necessarily raises: the Act envisages the creation of a database of personal identifying information on potentially a billion unsuspecting citizens, and the use of that data in ways that could facilitate mass surveillance, while absolutely no framework or legislation is in place to regulate either. The Act contains provisions strictly limiting the sharing of the data collected, but also makes rather large exceptions to these limitations that are a major cause for concern.7
In a writ petition before the apex court of the country, the Aadhaar Act was challenged as ultra vires the Constitution owing to its severe violation of citizens' fundamental right to privacy. It was put to the Court that the Aadhaar Act coerces individuals into parting with their personal information, including biometric details, and creates an environment that can be used for surveillance. While the fate of the Aadhaar Act is still undecided, one of the biggest hurdles in the matter has been resolved by the Supreme Court in a landmark judgment. A nine-judge constitution bench, presided over by the Chief Justice of India, was posed the question of whether privacy is in fact a fundamental right guaranteed under the Constitution.
The Court answered this question in the affirmative and in doing so observed that the right is not absolute but is subject to reasonable restrictions. On data protection, the Court observed that an individual's right to exercise control over his or her personal data and to control his or her own life would also encompass the right to control his or her existence on the internet. The judgment also states that consent obtained from users must be informed consent, given in an informed manner, and cannot be shrouded in lengthy agreement terms. The Court even recognised an individual's right to be forgotten on the internet, observing that:
If we were to recognise a similar right, it would only mean that an individual who is no longer desirous of his personal data to be processed or stored, should be able to remove it from the system where the personal data/information is no longer necessary, relevant, or is incorrect and serves no legitimate interest. Such a right cannot be exercised where the information/data is necessary, for exercising the right of freedom of expression and information, for compliance with legal obligations, for the performance of a task carried out in public interest, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims. Such justifications would be valid in all cases of breach of privacy, including breaches of data privacy.
The Supreme Court resumed hearing the challenge to the constitutional validity of the Aadhaar Act itself in 2018 and, after a marathon hearing lasting 38 days, reserved its judgment in May 2018. Among other issues, the Supreme Court's judgment will shed light on whether the government is entitled to collect citizens' biometric and demographic data and, if so, the manner in which it is entitled to do so.
ii WhatsApp litigation and Justice BN Srikrishna Committee
In widely publicised litigation in the public interest against WhatsApp, the privacy policies of WhatsApp and Facebook were called into question. This case is discussed in more detail in Section VII.iii.
iv India selected as a member of the UN group of governmental experts (GGE) to identify 'rules of the road' for cyberspace
India has been selected to be a member of the 2016 GGE set up to identify 'rules of the road' for cyberspace. While the GGE's report is endorsed by the General Assembly, it is not officially binding. However, in combination with the initiation of the US–India Cyber Relationship, India's participation in the 2016 GGE meeting signifies a way forward in the framing of issues that must be addressed in these matters.
III REGULATORY FRAMEWORK
i Privacy and data protection legislation and standards
In the absence of specific legislation, data protection is achieved in India through the enforcement of privacy rights on the basis of a patchwork of legislation, as follows.
The Information Technology Act (2000) (IT Act) and the Information Technology (Amendment) Act 20088
The IT Act contains provisions for the protection of electronic data. It penalises 'cyber contraventions' (Section 43(a)–(h)), which attract civil liability in the form of compensation, and 'cyber offences' (Sections 65–74), which attract criminal prosecution.
The IT Act was originally passed to give legal recognition to e-commerce and to sanction computer misuse; it had no express provisions on data security. A breach of data security could result in the prosecution of the individuals who hacked into the system under Sections 43 and 66 of the IT Act, but the Act provided no other remedy, such as action against the organisation holding the data. Accordingly, the IT (Amendment) Act 2008 was passed, which, inter alia, inserted two new sections into the IT Act, Section 43A and Section 72A, to provide a remedy to persons who have suffered, or are likely to suffer, loss on account of their personal data not having been adequately protected.
The Information Technology Rules (the IT Rules)
Under various sections of the IT Act, the government periodically notifies sets of Information Technology Rules that broaden the Act's scope. These IT Rules regulate specific areas of the collection, transfer and processing of data, and include, most recently, the following:
- the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules,9 which require entities holding users' sensitive personal information to maintain certain specified security standards;
- the Information Technology (Intermediaries Guidelines) Rules,10 which prohibit content of specified kinds on the internet and require an intermediary, such as a website host, to block such content;
- the Information Technology (Guidelines for Cyber Cafe) Rules,11 which require cybercafes to register with a registration agency and maintain a log of users' identities and their internet usage; and
- the Information Technology (Electronic Service Delivery) Rules,12 which allow the government to specify that certain services, such as applications, certificates and licences, be delivered electronically.
The IT Rules are statutory law. The four sets specified above were notified on 11 April 2011 under the rule-making power in Section 87 of the IT Act, read with Section 43A (sensitive personal data), Section 79 (intermediaries and cyber cafes) and Section 6A (electronic service delivery).
Liability for non-compliance arises under Sections 43A and 72A of the IT Act, described above.
In 2011 and again in 2014, draft versions of a proposed law referred to as the Privacy Bill were released on the internet by a non-profit organisation, the Centre for Internet and Society, which claimed that the drafts had been leaked from the Department of Electronics and Information Technology.13 The Privacy Bill recognises an individual's right to privacy, but also states that certain circumstances, including the protection of national integrity or sovereignty, national security, the prevention of crime and public order, warrant the invasion of that privacy. In May 2016, the Minister for Communications and Information Technology, Ravi Shankar Prasad, stated in the upper house of Parliament that the government was still working on the proposed law.14
In addition to the legislation described above, data protection may also sometimes occur through the enforcement of property rights based on the Copyright Act (1957). Further, other legislation such as the Code of Criminal Procedure (1973), the Indian Telegraph Act 1885, the Companies Act (1956), the Competition Act (2002) and, in cases of unfair trade practices, the Consumer Protection Act (1986), would also be relevant. Finally, citizens may also make use of the common law right to privacy, at least in theory – there is no significant, recent jurisprudence on this.
A Data (Privacy and Protection) Bill 2017 (the Data Privacy Bill 2017) was introduced in Parliament in July 2017 by a private member. Apart from intending to make the right to privacy a statutory right and streamlining the data protection regime in India, it seeks the establishment of a Data Privacy and Protection Authority for the regulation and adjudication of privacy-related disputes. It is yet to be enacted into law.
CERT-In, the Indian Computer Emergency Response Team, was constituted by the government under Section 70B of the IT Act (inserted by the IT (Amendment) Act 2008). CERT-In is the national nodal agency for responding to computer security incidents as and when they occur. The Ministry of Electronics and Information Technology specifies its functions as follows:
- collection, analysis and dissemination of information on cybersecurity incidents;
- forecast and alerts of cybersecurity incidents;
- emergency measures for handling cybersecurity incidents;
- coordination of cybersecurity incident response activities; and
- issuance of guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, prevention, response to and reporting of cybersecurity incidents.15
Cyber Regulations Appellate Tribunal (CRAT)
Under Section 48(1) of the IT Act 2000, the Ministry of Electronics and Information Technology established the CRAT in October 2006. The IT (Amendment) Act 2008 renamed the tribunal the Cyber Appellate Tribunal (CAT). Under the IT Act, any person aggrieved by an order of the Controller of Certifying Authorities or of an adjudicating officer under the Act may appeal to the CAT. The CAT is headed by a chairperson appointed by the central government by notification, as provided under Section 49 of the IT Act 2000.
Before the IT (Amendment) Act 2008, the chairperson was known as the presiding officer. The amended Act provides for the CAT to comprise a chairperson and such number of other members as the central government may notify or appoint.16 The Finance Act 2017 subsequently merged the CAT into the Telecom Disputes Settlement and Appellate Tribunal, which now hears appeals under the IT Act.
The IT Act does not define 'personal data'. The IT Rules, however, define 'personal information' as any information that relates to a natural person and that, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying that person.
Further, the IT Rules define 'sensitive personal data or information' as personal information consisting of information relating to:
- financial information, such as bank account, credit card, debit card or other payment instrument details;
- physical, physiological and mental health conditions;
- sexual orientation;
- medical records and history;
- biometric information;
- any details relating to the above clauses as provided to a body corporate for the provision of services; or
- any information received under the above clauses by a body corporate for processing, or that has been stored or processed under lawful contract or otherwise.
Any information that is freely available or accessible in the public domain, or furnished under the Right to Information Act 2005 or any other law for the time being in force, is not regarded as sensitive personal data or information for the purposes of the Rules.
The draft of the proposed Privacy Bill 2011 defines 'personal data' as any data that relates to a living, natural person, if that person, either directly or indirectly, in conjunction with other data that the data controller has or is likely to have, can be identified from that data. This includes any expression of opinion about said person.
The Data Privacy Bill 2017 also defines 'sensitive personal data' as follows:
- unique identifiers such as the Aadhaar number or Permanent Account Number (PAN);
- physical and mental health, including medical history;
- biometric or genetic information;
- criminal convictions;
- banking credit and financial data; and
- narco analysis or polygraph test data.
The Privacy Bill 2011 and the Data Privacy Bill 2017 contain more specific definitions of the above terms, and also define concepts not found in the current legislation, such as 'processing', 'data controller' and 'data processor'.
ii General obligations for data handlers
Obligations for data processors, controllers and handlers
Lawful basis for processing
A body corporate (or any person on its behalf) may not use sensitive personal data or information for any purpose unless it obtains the data subject's consent in writing to its use for that specific purpose. Consent must be obtained before the data are collected. The IT Rules also provide that sensitive personal information may be collected only for a lawful purpose connected with a function or activity of the body corporate, and only if the collection is necessary for that purpose. It is the responsibility of the body corporate to ensure that the sensitive personal information so collected is used for no purpose other than the one specified.
Neither the IT Rules nor the IT Act specify a fixed retention period for sensitive personal information. The IT Rules do, however, state that a body corporate, or any person on its behalf, holding sensitive personal data or information shall not retain that information for longer than is required for the purposes for which it may lawfully be used, or as is otherwise required under any other law for the time being in force.
The legislation contains no more specific rules on the retention of data by data processors or handlers. The proposed Privacy Bill 2011 would clarify the position, stating in Section 13 of Chapter II that personal data shall be retained only for as long as is necessary to achieve the documented purpose, unless:
- it is required by law to be retained for a longer period;
- the data subject consents to its retention for a longer period;
- such retention is required by a contract between the data subject and the data controller; or
- it is required to be so retained for historical, statistical or research purposes.
The Bill further states that all personal data that need no longer be retained in accordance with the above shall either be destroyed or anonymised. During the process of destruction or anonymisation, the data controller must ensure that unauthorised persons do not gain access to the personal data. The destruction of personal data must be carried out in a manner that ensures that it is impossible to re-identify the personal data once it has been destroyed.
India currently does not have any legislative requirements with respect to registration or notification procedures for data controllers or processors. However, the draft Privacy Bill proposes to change this by introducing not only specific registration criteria and formalities, but also sanctions for failure to register.
Rights of individuals
Access to data
Rule 5(6) of the IT Rules requires the body corporate, or any person on its behalf, to permit providers of information (data subjects) to review the information they have provided. The proposed Privacy Bill 2011 would clarify this somewhat: any data subject who can prove his or her identity would have the right to obtain confirmation from the data controller as to whether it holds or processes his or her personal data, to request details of who else, including any third parties, has access to the personal data, and to require the data controller to provide information about the logic involved in automated decision-making where the personal data in question are processed automatically for evaluation purposes.
The Bill states that data controllers must provide the required information to the data subject within 45 days of receiving a request accompanied by the prescribed fee, and that the data controller must inform the data subject that he or she may ask the data controller to correct any inaccurate or deficient personal data. Access to personal data may be denied only where the information cannot be given without also disclosing information about another data subject who could be identified from it, unless that other data subject has consented to the disclosure.
Correction and deletion
Rule 5(6) of the IT Rules states that data subjects must be allowed to review the data they have provided and to have any information found to be inaccurate or deficient corrected or amended as feasible. Although the Rules do not directly address deletion of data, Rule 5(1) requires corporate entities, or persons acting for them, to obtain written consent from data subjects regarding the use of the sensitive information they provide, and data subjects must be given the option not to provide the data or information sought. The proposed Privacy Bills affirm the above and go further: unless the data controller can adduce adequate evidence that the data are accurate and complete and entirely fitting for the purpose of collection, or that they were lawfully collected, the data subject has the right to request the data controller to destroy any personal data that he or she considers excessive in relation to the documented purpose of collection, based on incorrect facts, or processed unlawfully.
The Supreme Court of India in a nine-judge bench decision in August 2017 in KS Puttaswamy & Ors v. Union of India & Ors17 also identified the right to be forgotten, in physical and virtual spaces such as the internet, under the umbrella of informational privacy.
Objection to processing and marketing
Rule 5(7) of the IT Rules states that the data subject or provider of information has the option to withdraw consent previously given to the body corporate; the withdrawal must be communicated to the body corporate in writing. On withdrawal of consent, the body corporate may not further process the personal information in question. Where the data subject does not give consent, or later withdraws it, the body corporate may decline to provide the goods or services for which the information was sought.
Right to restrict processing
The proposed Data Privacy Bill 2017 states that, during the pendency of a request for removal of specific personal data, the data controller and data processor must restrict processing of that personal data, although the restriction does not extend to its collection or storage.
Right to data portability
The proposed Data Privacy Bill 2017 states that every person shall, on request, receive the personal data concerning him or her that he or she has provided to a data controller, in a structured, commonly used and machine-readable format, and shall have the right to have that data ported to another data controller without hindrance.
Right to withdraw consent
The proposed Data Privacy Bill 2017 envisages the right to seek removal of personal data from the data controller where a person has withdrawn his or her consent.
Disclosure of data
Data subjects also have rights in respect of the disclosure of the information they provide. Disclosure of sensitive personal information to a third party requires the provider's prior permission unless the disclosure has already been agreed to in the contract between the data subject and the body corporate, or the disclosure is necessary for compliance with a legal obligation.
Further exceptions apply where an order under law has been made, or where disclosure must be made to a government agency mandated under law to obtain the information for the purposes of verification of identity; the prevention, detection or investigation of crime; or the prosecution or punishment of offences.
Recipients of this sensitive personal information are prohibited from further disclosing the information.
Right to complain to the relevant data protection authority
Rule 5(9) of the IT Rules requires that all discrepancies and grievances reported to the body corporate be addressed in a timely manner. Bodies corporate must designate a grievance officer for this purpose and publish the officer's name and contact details on their website. The grievance officer must redress grievances within one month of receipt.
The proposed Privacy Bills also seek establishment of a Data Privacy and Protection Authority for regulation and adjudication of privacy-related complaints and disputes.
iii Specific regulatory areas
Public Financial Institutions (Obligation as to Fidelity and Secrecy) Act 198318
Under this Act, public financial institutions are prohibited from divulging any information relating to the affairs of their clients except in accordance with law or with the practices and usages customary among such institutions.
The Prevention of Money Laundering Act 200219
The Prevention of Money Laundering Act (PMLA) was passed to curb money laundering and prescribes measures for monitoring banking customers and their business relations and financial transactions, verifying new customers and automatically tracking suspicious transactions. The PMLA makes it mandatory for banking companies, financial institutions and intermediaries to furnish to the Director of the Financial Intelligence Unit (established under the PMLA) information relating to prescribed transactions. That information may also be shared, in the public interest, with other government institutions or foreign countries to enforce the provisions of the PMLA or to prevent any offence under it.
Credit Information Companies (Regulation) Act 2005 and The Credit Information Companies Regulations 2006 20
This legislation regulates the sharing and exchange of credit information by credit information companies with third parties. Disclosure of data received by a credit information company is prohibited except to its specified users or where required by any law in force.
The regulations prescribe that the data collected must be adequate, relevant, not excessive, up to date and complete, so that collection does not intrude to an unreasonable extent on the personal affairs of the individual. Information collected and disseminated on individuals is retained for seven years. Information relating to criminal offences is retained permanently, while information relating to civil matters is retained for seven years from the first reporting. The regulations also provide that personal information that has become irrelevant may be destroyed, erased or anonymised.
Credit information companies are required to obtain informed consent from individuals and entities before collecting their information. For the purpose of redressal, a complaint can be written to the Reserve Bank of India.
Payment and Settlement Systems Act 2007 21
Under this Act, the Reserve Bank of India (RBI) is empowered to act as the overseeing authority for regulation and supervision of payment systems in India. The RBI is prohibited from disclosing the existence or contents of any document or any part of any information given to it by a system participant.
Foreign Contribution Regulation Act 2010 22
This Act regulates and prohibits the acceptance and use of foreign contributions or foreign hospitality by certain individuals, associations or companies for activities detrimental to the national interest. Under the Act, the government is empowered to call for otherwise confidential financial information relating to the foreign contributions of individuals and companies.
At present, employers are required to adopt reasonable security practices to protect the sensitive personal data of employees in their possession, such as medical records, financial records and biometric information. Where an employee suffers loss because of inadequate security practices, the employee is entitled to compensation under Section 43A of the Information Technology Act 2000. Beyond this, there is no specific legislation governing workplace privacy, and the effect in the workplace of the Supreme Court's judgment on privacy as a fundamental right remains to be seen.
Section 74 of the Juvenile Justice (Care and Protection of Children) Act 2015 mandates that the name, address or school, or any other particular, that may lead to the identification of a child in conflict with the law or a child in need of care and protection or a child victim or witness of a crime shall not be disclosed in the media unless the disclosure or publication is in the child's best interest.
Health and medical privacy
Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations 2002 (Code of Ethics Regulations 2002)23
Under these regulations, physicians are obliged to protect patient confidentiality at all stages of treatment, including information relating to patients' personal and domestic lives, unless the law mandates otherwise, there is a serious and identifiable risk to a specific person or community, or the case involves a notifiable disease.
Medical Termination of Pregnancy Act 1971
This Act prohibits the disclosure of matters relating to treatment for termination of pregnancy to anyone other than the Chief Medical Officer of the state. The register of women who have terminated their pregnancy, as maintained by the hospital, must be destroyed on the expiry of a period of five years from the date of the final entry.
Ethical Guidelines for Biomedical Research on Human Subjects
These Guidelines require investigators to maintain the confidentiality of epidemiological data. Data on individual participants may be disclosed only in a court of law under the orders of the presiding judge, where there is a threat to a person's life, to the drug registration authority in cases of a severe adverse reaction, or to the health authority where there is a risk to public health.
iv Technological innovation and privacy law
There are no marketing restrictions on the internet or through email. Because India has no comprehensive data protection regime, issues such as cookie consent have not yet been addressed by Indian legislation.
The IT Rules prescribe reasonable security practices that corporate entities collecting, handling and processing data must follow as statutory security procedures, and these apply equally to the use of big data. No specific guidelines exist, however, for the use of big data and big-data analytics in India.
IV INTERNATIONAL DATA TRANSFER AND DATA LOCALISATION
Despite India's dogged attempts to join the APEC for several years, its inclusion on the forum has so far been limited to observer status. APEC rules therefore do not apply in the Indian jurisdiction thus far.
In terms of restrictions on transfer of data, Section 7 of the IT Rules states that bodies corporate can transfer sensitive personal data to any other body corporate or person within or outside India, provided the transferee ensures the same level of data protection that the body corporate maintained, as required by the IT Rules. A data transfer is only allowed if it is required for the performance of a lawful contract between the data controller and the data subjects; or the data subjects have consented to the transfer.
The proposed Privacy Bill, if enacted, will place slightly more stringent restrictions on international transfers of personal data.
As worded, Section 7 is already rather restrictive. However, in some ways this is no different from EU data protection legislation, which restricts transfers of personal data outside the EU unless certain measures are taken, such as requiring the data importer to sign up to EU Model Contract Clauses. In addition, the Ministry of Information Technology clarified via a press note released on 24 August 2011 that the rules on sensitive data transfer described above are limited in jurisdiction to Indian bodies corporate and legal entities or persons, and do not apply to bodies corporate or legal entities abroad. As such, information technology industries and business process outsourcing companies may subscribe to whichever secure methods of data transfer they prefer, provided that the transfer in question does not violate any law either in India or in the country the data are being transferred to. Presumably litigation in this sector – so far non-existent – will further clarify matters.
In general, data protection laws in India apply to businesses established in other jurisdictions as well. Section 75 of the IT Act states that the provisions of the Act would apply to any offence or contravention thereunder committed outside India by any person (including companies), irrespective of his or her nationality, if the act or conduct constituting the offence or contravention involves a computer, computer system or computer network located in India.
V COMPANY POLICIES AND PRACTICES
The general obligations for data handlers elaborated above apply to all companies handling data, and their policies must reflect as much. In addition, the IT Rules contain specific provisions dealing with best practices, particularly in the context of breaches and security.
Rule 8 of the IT Rules describes reasonable security practices and procedures as follows:
- A body corporate or a person on its behalf shall be considered to have complied with reasonable security practices and procedures, if they have implemented such security practices and standards and have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business. In the event of an information security breach, the body corporate or a person on its behalf shall be required to demonstrate, as and when called upon to do so by the agency mandated under the law, that they have implemented security control measures as per their documented information security programme and information security policies.
- The international standard IS/ISO/IEC 27001 on 'Information Technology – Security Techniques – Information Security Management System – Requirements' is one such standard referred to in sub-rule (1).
- Any industry association or an entity formed by such an association, whose members are self-regulating by following other than IS/ISO/IEC codes of best practices for data protection as per sub-rule (1), shall get its codes of best practices duly approved and notified by the Central Government for effective implementation.
- The body corporate or a person on its behalf who have implemented either IS/ISO/IEC 27001 standard or the codes of best practices for data protection as approved and notified under sub-rule (3) shall be deemed to have complied with reasonable security practices and procedures provided that such standard or the codes of best practices have been certified or audited on a regular basis by entities through independent auditor, duly approved by the Central Government. The audit of reasonable security practices and procedures shall be carried out by an auditor at least once a year or as and when the body corporate or a person on its behalf undertake significant upgradation of its process and computer resources.
There are no statutory registration or notification requirements for either data processors or data controllers. The proposed Privacy Bill provides for the establishment of a Data Protection Authority of India, and Chapter VII, Section 43 stipulates that the Authority shall establish and maintain a National Data Controller Registry – 'an online database to facilitate the efficient and effective entry of particulars by data controllers'. If the Bill is enacted, data controllers shall not be permitted to process any data belonging to any data subject for a given documented purpose unless they first make an entry in the Registry in a format to be determined by the central government.
VI DISCOVERY AND DISCLOSURE
If requests from foreign companies are based on an order from a court of law, and if the country in question has a reciprocal arrangement with India, then an Indian court is likely to enforce the request in India. In the absence of a court order, however, no obligation exists against an Indian company to make any kind of disclosure.
In a Ministry of Communications and Information Technology press release, the government clarified that any Indian outsourcing service provider or organisation providing services relating to collection, storage, dealing or handling of sensitive personal information or personal information under contractual obligations with a legal entity located within or outside India is not subject to the IT Rules requirements with respect to disclosure of information or consent, provided it does not have direct contact with the data subjects when providing services.
See also the exceptions to the consent requirements for disclosure detailed in Section III.ii.
VII PUBLIC AND PRIVATE ENFORCEMENT
i Enforcement agencies
In addition to the security practices and policies outlined in Section V, and as mentioned in Section III.i, the proposed Privacy Bill conceptualises the creation of a data protection authority to enforce data protection legislation and oversee compliance with it. If enacted, the Privacy Bill will override the IT Rules, and its provisions on the security of personal data, which specifically require every data controller to set appropriate technological, organisational and physical standards for the security of the data under its control, will also come into force.
ii Recent enforcement cases
As is evident from the above, India has no distinct legislative framework to support litigation in the areas of privacy, cybersecurity and data protection. There has been no significant litigation in this area in the recent past. It is to be hoped that with the passage of the Privacy Bill into law and a clearer definition of rights in this sector, the enforcement of rights will become both more active and more stringent.
iii Private litigation
Karmanya Singh Sareen & Anr v. UOI & Ors [24]
On 23 September 2016, the High Court of New Delhi passed an order directing WhatsApp to 'scrub' all user data collected prior to 25 September for users who chose to opt out of the service prior to this date. For users choosing to continue to make use of the service, the High Court directed that only data collected after 25 September could be shared by WhatsApp with Facebook and its group companies. The Court also directed DoT and TRAI to examine the feasibility of bringing WhatsApp (and other internet-based messaging applications) under a statutory regulatory framework, ordering that these respondents must take an appropriate decision on this matter 'at the earliest'.
This decision is significant in that it is the only emphatic recognition of the right to privacy for individuals that our jurisprudence has seen in the past few years, other than the landmark Supreme Court judgment striking down Section 66A of the IT Act in 2015.
In 2017, the petitioners filed an appeal before the Supreme Court challenging the order of the High Court. The petitioners impugned the directions of the High Court and sought directions from the Supreme Court since, according to the petitioners, the policy formulated by WhatsApp was unconscionable and unacceptable. The Supreme Court is still hearing the matter and it seems unlikely that the controversy will be resolved this year either. However, pursuant to the KS Puttaswamy judgment in 2017 – holding privacy to be a fundamental right – the Supreme Court had constituted the Justice BN Srikrishna Committee to identify key data protection issues in India and recommend methods of addressing them. The Committee released its recommendations in August 2018, the salient recommendations including:
- the establishment of an autonomous body, styled the Arbitration Promotion Council of India (APCI), having representatives from all stakeholders for grading arbitral institutions in India;
- the recognition of professional institutes by the APCI, providing for the accreditation of arbitrators;
- training workshops and interactions with law firms and law schools organised by the APCI to train advocates with an interest in arbitration, with the goal of creating a specialist arbitration bar;
- the creation of a specialist arbitration bench within courts to deal with such commercial disputes;
- various provisions of the 2015 Amendments in the Arbitration and Conciliation Act intended to make arbitration faster and more efficacious and incorporate international best practices.
Finally, the Committee released the draft of the Personal Data Protection Bill 2018, which, if enacted, could address the issue of privacy of personal information in India. Among other important inclusions, the draft Personal Data Protection Bill places an emphasis on informed user consent for the processing of personal data and enshrines the right to be forgotten.
KS Puttaswamy & Ors v. Union of India & Ors [25]
In KS Puttaswamy & Ors v. Union of India & Ors, and the litigation that followed it, the constitutional validity of the Aadhaar Act scheme was challenged on the grounds that it was ultra vires the Constitution and violated the rights of every citizen.
The matter was initially heard by a three-judge bench, which referred it to a five-judge bench. However, owing to previous judgments by larger benches of the Supreme Court, a nine-judge bench was constituted to address the issue of whether privacy is a fundamental right guaranteed under the Constitution. The nine-judge bench gave a unanimous decision holding privacy to be a fundamental right of every citizen of the country, subject to qualified riders. In fact, the judgment acknowledges neo-libertarian values, such as the right to be forgotten, and will go down as a landmark judgment. The challenge to the constitutional validity of the Aadhaar Act itself is still pending, and a judgment of the Supreme Court in this matter is expected soon.
VIII CONSIDERATIONS FOR FOREIGN ORGANISATIONS
Unfortunately, Indian jurisprudence sheds no light on compliance requirements for organisations functioning outside India (see Section IV).
IX CYBERSECURITY AND DATA BREACHES
See Sections V and VI for information on breaches and breach reporting requirements. In addition to the information given in those sections, it is pertinent to note that, while the law as it stands contains no legal requirement to report data breaches to the affected individuals, the draft Privacy Bill does. In fact, the draft exempts the data protection authority from this requirement in only two scenarios: where the data protection authority believes that such a notification would impede a criminal investigation, or where the data subject cannot possibly be identified.
Earlier this year it emerged that Cambridge Analytica – a political consultancy firm – harvested the data of users of the social media giant Facebook without consent to influence elections. Indian authorities have indicated that Cambridge Analytica will be investigated to ascertain the nature of its work in India. [26]
There is no doubt that India urgently needs to take a keen look at its poorly regulated digital spaces and at the virtual activities of individuals, private organisations and governmental authorities alike. The several agencies performing cybersecurity operations in India, such as the National Technical Research Organisation, the National Intelligence Grid and the National Information Board, require robust policy and legislative and infrastructural support from the Ministry of Electronics and Information Technology, and from the courts, to enable them to do their jobs properly. The EU's General Data Protection Regulation may provide impetus for India in this regard, particularly given that not only will the regulation affect cross-border information flow (and India is a net information exporter), but also the EU has exposed several lacunae in the standards applied by the Indian government to the protection of data and enforcement of cybersecurity in a report following approval of its new data protection regulation. While it seems that the government is concerned and keen to bring about change in this sector, in view of India's rather poor record in prioritising these matters, optimism is not necessarily warranted at this stage.
[1] Aditi Subramaniam is an associate principal and Sanuj Das is a managing associate at Subramaniam & Associates.
[24] (WP(C) 7663/2016): lobis.nic.in/ddir/dhc/GRO/judgement/24-09-2016/GRO23092016CW76632016.pdf.