I OVERVIEW

A decidedly inadequate collection of statutes currently governs cybersecurity and data protection in India. Authorities constituted to regulate compliance and enforce penalties for non-compliance under the Information Technology Act 2000 and the Information Technology (Amendment) Act 2008 have been inactive for years, and very little significant jurisprudential development had occurred on the subjects of cybersecurity, privacy and data protection until late 2017. In 2013, the government drafted a National Cybersecurity Policy, which generated considerable interest both in India as well as abroad, particularly in view of India's position as an exponentially growing business process outsourcing destination. Sadly, progress on the policy was stymied for unknown reasons, reflecting rather poorly on the government's intention to provide clear, robust and watertight law on these matters.

This is not to say that the urgent need for change in this respect has not been recognised.

Subsequent to the government's launch of a heavily advertised campaign called Digital India in 2015, the major agenda of which was to create 'digital infrastructure' to facilitate the digital delivery of services and increase digital literacy, the prime minister has been involved in an aggressive attempt to compensate for lost time as regards the enhancement of cybersecurity. Digital India triggered major investment flows into the technology sector, and the campaign has caused questions to be raised in the media and academia about privacy and the protection of data, which will hopefully spur the government on to legislate more clearly and in detail on these subjects.

In 2016, Parliament passed the Aadhar Act, a piece of legislation aimed at the targeted delivery of financial benefits to the poor. Also under this Act, every Indian citizen was to be issued with a national identity card called the Aadhar card with a unique identification number similar to social security numbers in the United States.

In 2017, the government amended the Income Tax Act 1961 to make it mandatory for taxpayers to link their permanent account numbers to their Aadhar cards in order to file income tax returns, open bank accounts and conduct financial transactions beyond a threshold, to curb tax evasion and money laundering. In essence, this would provide the government with an enormous database of financial information on every citizen of the country, with no real protocols, safeguards or laws to regulate the storage, use and control of this information. The Department of Telecommunications also sought to use Aadhar cards as tools for subscriber verification from existing mobile telephone subscribers and made it mandatory for these cards to be linked to new mobile telephone connections.

The Aadhar Act was challenged in a series of petitions that questioned its constitutional validity. One question raised in these petitions was whether privacy is a fundamental right guaranteed under the Constitution of India. The verdict on these petitions was delivered by a nine-judge constitutional bench of the Supreme Court, which held privacy to be a fundamental right of every citizen under the Constitution. The move to link Aadhar cards to the financial and biometric information of all Indian citizens was also challenged before the Supreme Court. In September 2018, the Supreme Court upheld the Aadhar Act but struck down certain provisions therein. The Court stated that while the use of Aadhar cards will remain mandatory for the filing of income tax returns and issuance of permanent account numbers, Aadhar cards would no longer need to be linked to individual bank accounts or mobile telephone connections. Along with the recognition of privacy as a constitutionally guaranteed fundamental right by the Supreme Court in 2017, this development indicated the genuine interest of the judiciary in compensating for years of legislative apathy with specific regard to data protection and privacy.

II THE YEAR IN REVIEW

The government empanelled a 10-member committee under the chairmanship of Justice BN Srikrishna, a retired Supreme Court judge, to put together detailed reviews of current data protection laws as well as suggestions on how to fill judicial and legislative lacunae. The committee compiled an extensive report containing a draft data protection framework, along with the draft Personal Data Protection Bill 2018. Since 2011, various iterations of the Privacy Bill have been released, the latest of which was the Data Privacy Bill 2017. It appears that the draft Personal Data Protection Bill 2018 may be intended to replace the Data Privacy Bill 2017, although the intention of the legislature in this regard is unclear at the moment. Barring some limited overlap, the two documents cover different aspects of the law, and perhaps the public interest would be better served if both were to coexist. A number of rounds of consultation have already been conducted on the draft Personal Data Protection Bill 2018, and extensive feedback has been submitted by various stakeholders, including the US government. The draft Personal Data Protection Bill 2018 may be brought before Parliament later this year.

III REGULATORY FRAMEWORK

i Privacy and data protection legislation and standards

In the absence of specific legislation, data protection is achieved in India through the enforcement of privacy rights on the basis of a patchwork of legislation, as follows.

The Information Technology Act (2000) (IT Act) and the Information Technology (Amendment) Act 2008

The IT Act contains provisions for the protection of electronic data. The IT Act penalises 'cyber contraventions' (Section 43(a)–(h)), which attract civil prosecution, and 'cyber offences' (Sections 63–74), which attract criminal action.

The IT Act was originally passed to provide legal recognition for e-commerce and sanctions for computer misuse. However, it had no express provisions regarding data security. Breaches of data security could result in the prosecution of individuals who hacked into the system, under Sections 43 and 66 of the IT Act, but the Act did not provide other remedies such as, for instance, taking action against the organisation holding the data. Accordingly, the IT (Amendment) Act 2008 was passed, which, inter alia, incorporated two new sections into the IT Act, Section 43A and Section 72A, to provide a remedy to persons who have suffered or are likely to suffer a loss on account of their personal data not having been adequately protected.

The Information Technology Rules (the IT Rules)

Under various sections of the IT Act, the government routinely notifies sets of Information Technology Rules to broaden its scope. These IT Rules focus on and regulate specific areas of the collection, transfer and processing of data, and include, most recently, the following:

  1. the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, which require entities holding users' sensitive personal information to maintain certain specified security standards;
  2. the Information Technology (Intermediaries Guidelines) Rules, which prohibit content of a specific nature on the internet and require an intermediary, such as a website host, to block such content;
  3. the Information Technology (Guidelines for Cyber Cafe) Rules, which require cybercafés to register with a registration agency and maintain a log of users' identities and their internet usage; and
  4. the Information Technology (Electronic Service Delivery) Rules, which allow the government to specify that certain services, such as applications, certificates and licences, be delivered electronically.

The IT Rules are statutory law, and the four sets specified above were notified on 11 April 2011 under Section 43A of the IT Act.

Penalties for non-compliance are specified by Sections 43 and 72 of the IT Act.

Additional legislation

In addition to the legislation described above, data protection may also sometimes occur through the enforcement of property rights based on the Copyright Act (1957). Further, other legislation such as the Code of Criminal Procedure (1973), the Indian Telegraph Act 1885, the Companies Act (1956), the Competition Act (2002) and, in cases of unfair trade practices, the Consumer Protection Act (1986), would also be relevant. Finally, citizens may also make use of the common law right to privacy, at least in theory – there is no significant, recent jurisprudence on this.

A Data (Privacy and Protection) Bill 2017 (the Data Privacy Bill 2017) was introduced in Parliament in July 2017 by a private member. Apart from intending to make the right to privacy a statutory right and streamlining the data protection regime in India, it seeks the establishment of a Data Privacy and Protection Authority for the regulation and adjudication of privacy-related disputes. It is yet to be enacted into law. Additionally, the draft Personal Data Protection Bill 2018, referred to above, may also be introduced into law later this year.

Compliance regulators

CERT-In

Under Section 70B of the IT (Amendment) Act 2008, the government constituted CERT-In, which the website of the Ministry of Electronics and Information Technology refers to as the 'Indian Computer Emergency Response Team'. CERT-In is a national nodal agency responding to computer security incidents as and when they occur. The Ministry of Electronics and Information Technology specifies the functions of the agency as follows:

  1. collection, analysis and dissemination of information on cybersecurity incidents;
  2. forecast and alerts of cybersecurity incidents;
  3. emergency measures for handling cybersecurity incidents;
  4. coordination of cybersecurity incident response activities; and
  5. issuance of guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, prevention, response to and reporting of cybersecurity incidents.

Cyber Regulations Appellate Tribunal (CRAT)

Under Section 48(1) of the IT Act 2000, the Ministry of Electronics and Information Technology established CRAT in October 2006. The IT (Amendment) Act 2008 renamed the tribunal Cyber Appellate Tribunal (CAT). Pursuant to the IT Act, any person aggrieved by an order made by the Controller of Certifying Authorities, or by an adjudicating officer under this Act, may prefer an appeal before the CAT. The CAT is headed by a chairperson who is appointed by the central government by notification, as provided under Section 49 of the IT Act 2000.

Before the IT (Amendment) Act 2008, the chairperson was known as the presiding officer. Provisions have been made in the amended Act for the CAT to comprise a chairperson and such number of other members as the central government may notify or appoint.

Definitions

The legislation does not contain a definition of 'personal data'. The IT Rules do define personal information as any information that relates to a natural person that, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such a person.

Further, the IT Rules define 'sensitive personal data or information' as personal information consisting of information relating to:

  1. passwords;
  2. financial information, such as bank account, credit card, debit card or other payment instrument details;
  3. physical, physiological and mental health conditions;
  4. sexual orientation;
  5. medical records and history;
  6. biometric information;
  7. any details relating to the above clauses as provided to a body corporate for the provision of services; or
  8. any information received under the above clauses by a body corporate for processing, or that has been stored or processed under lawful contract or otherwise.

Provided that any information is freely available or accessible in the public domain, or furnished under the Right to Information Act 2005 or any other law for the time being in force, it shall not be regarded as sensitive personal data or information for the purposes of these rules.

The Data Privacy Bill 2017 contains more specific definitions of the above terms, and also defines concepts not found in the current legislation, such as 'processing', 'data controller' and 'data processor'.

The draft Personal Data Protection Bill 2018 defines 'sensitive personal data' as personal data revealing, related to or constituting passwords; financial data; health data; official identifier; sex life; sexual orientation; biometric data; genetic data; transgender status; intersex status; caste or tribe; religious or political belief or affiliation; or any other category of data specified by the Authority under Section 22. Here, the Authority is the data protection authority envisaged by the bill, and Section 22 empowers it to specify further categories of sensitive personal data as it deems necessary. The draft Personal Data Protection Bill 2018 also defines 'personal data' as 'data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such features with any other information.' Unlike the IT Act and Rules, the draft Personal Data Protection Bill 2018 also contains definitions for 'processing', 'data fiduciary', 'data processor', 'data principal' and, crucially, 'consent'.

ii General obligations for data handlers

Obligations for data processors, controllers and handlers

Transparency

The IT Rules state that all data handlers must create a privacy policy to govern the way they handle personal information. Further, the policy must be made available to the data subject who is providing this information under a lawful contract.

Lawful basis for processing

A body corporate (or any person or entity on its behalf) cannot use data for any purpose unless it receives consent in writing from the data subject to use it for that specific purpose. Consent must be obtained before collection of the data. The IT Rules also mandate that sensitive personal information may not be collected unless it is connected to the function of the corporate entity collecting it, and then only if the collection is necessary for that function. It is the responsibility of the body corporate to ensure that the sensitive personal information thus collected is used for no other purpose than the one specified. The draft Personal Data Protection Bill 2018 defines 'consent' and 'explicit consent' and provides grounds, including the functions of the state, or compliance with a court order, for the lawful processing of personal data as well as sensitive personal data.

Purpose limitation

Neither the IT Rules nor the IT Act specify a time frame for the retention of sensitive personal information. However, the IT Rules state that a body corporate or any person on its behalf holding sensitive personal data or information shall not retain that information for longer than is required for the purposes for which the information may lawfully be used or is otherwise required under any other law for the time being in force. The draft Personal Data Protection Bill 2018 prescribes that personal data be processed only for 'clear, specific and lawful' purposes and for such purposes that the data principal would 'reasonably expect the personal data to be used for, having regard to the specified purposes', as well as the 'context and circumstances' (Section 5). It also limits the collection of personal data in Section 6 to such data that is necessary for the purposes of processing.

Data retention

Section 67C of the IT Act requires that an intermediary preserve and retain information in a manner and format and for such period of time as prescribed by the central government. The draft Personal Data Protection Bill 2018 states that retention by fiduciaries may occur only for so long as it is 'reasonably necessary to satisfy the purpose for which it is processed' (Section 10). The draft Personal Data Protection Bill 2018 also allows for longer periods of retention if required by compliance with legal obligations, and prescribes periodic reviews by data fiduciaries for an ongoing assessment of the continued necessity of the retention of personal data. The data protection authority envisaged by the draft Personal Data Protection Bill 2018 must also, under Section 61, develop a code of practice for 'measures pertaining to the retention of personal data under section 10'.

Registration formalities

India currently does not have any legislative requirements with respect to registration or notification procedures for data controllers or processors. However, the draft Privacy Bill proposes to change this by introducing not only specific registration criteria and formalities, but also sanctions for failure to register. The draft Personal Data Protection Bill 2018 requires in Section 38 that based on certain criteria, the data protection authority envisaged by the bill shall notify certain data fiduciaries as being 'significant'. Significant data fiduciaries will be required to register with the authority in a manner specified by it, and will also be subject to data protection impact assessments, data audits, etc. Under Section 38, the data protection authority may also require registration by other data fiduciaries at its discretion, even if such entities are not 'significant'.

Rights of individuals

Access to data

Rule 5, Subsection 6 of the IT Rules mandates that the body corporate or any person on its behalf must permit providers of information or data subjects to review the information they may have provided. Section 24 of the draft Personal Data Protection Bill 2018 teases out this right in more detail, providing for the data principal to obtain from the data fiduciary, in a clear and concise manner, confirmation of whether its personal data is being (or has been) processed and a brief summary of processing activities. Section 28 states the procedure by which such rights may be exercised by the data principal.

Correction and deletion

Rule 5, Subsection 6 of the IT Rules states that data subjects must be allowed access to the data provided by them and to ensure that any information found to be inaccurate or deficient shall be corrected or amended as feasible. Although the Rules do not directly address deletion of data, they state in Rule 5, Subsection 1 that corporate entities or persons representing them must obtain written consent from data subjects regarding the usage of the sensitive information they provide. Further, data subjects must be provided with the option not to provide the data or information sought to be collected. The proposed Privacy Bills affirm the above. The draft Personal Data Protection Bill 2018 provides for a separate, detailed right to rectification of errors, such as inaccurate or misleading personal data, incomplete personal data, and outdated personal data, in Section 25, and a right to be forgotten in Section 27. Incidentally, Section 27 provides for the data principal's right to restrict or prevent continuing disclosure of personal data by the data fiduciary, but only if the data protection authority, through an adjudicating officer, determines that any of the listed grounds for restriction or prevention of disclosure have been found. Further, there is no reference in Section 27 to the deletion of data already in possession of the data fiduciary.

The Supreme Court of India in a nine-judge bench decision in August 2017 in KS Puttaswamy & Ors v. Union of India & Ors also identified the right to be forgotten, in physical and virtual spaces such as the internet, under the umbrella of informational privacy.

Objection to processing and marketing

Rule 5 of the IT Rules states that the data subject or provider of information shall have the option to later withdraw consent that may have been given to the corporate entity previously, and the withdrawal of consent must be stated in writing to the body corporate. On withdrawal of consent, the corporate body is prohibited from processing the personal information in question. In the case of the data subject not providing consent, or later withdrawing consent, the corporate body shall have the option not to provide the goods or services for which the information was sought.

Right to restrict processing

The proposed Data Privacy Bill 2017 states that during the pendency of a request for removal of specific personal data, the data controller and data processor shall restrict processing of the specific personal data of the person, but this shall not restrict the collection or storage of personal data. As mentioned above, Section 27 of the draft Personal Data Protection Bill 2018 provides for a data principal's right to restrict or prevent continuing disclosure of personal data by the data fiduciary, but only if the data protection authority, through an adjudicating officer, determines that any of the listed grounds for restriction or prevention of disclosure have been found.

Right to data portability

The proposed Data Privacy Bill 2017 states that every person shall, as and when required, receive the personal data concerning him, which he has provided to a data controller, in a structured, commonly used and machine-readable format and have the right to data portability to another data controller without any hindrance.

Right to withdraw consent

The proposed Data Privacy Bill 2017 envisages the right to seek removal of personal data from the data controller, where a person has withdrawn his consent.

Disclosure of data

Data subjects also possess rights with respect to disclosure of the information they provide. Disclosure of sensitive personal information requires the provider's prior permission unless either disclosure has already been agreed to in the contract between the data subject and the data controller; or disclosure is necessary for compliance with a legal obligation.

The exceptions to this rule are if an order under law has been made, or if a disclosure must be made to government agencies mandated under the law to obtain information for the purposes of verification of identity; prevention, detection and investigation of crime; or prosecution or punishment of offences.

Recipients of this sensitive personal information are prohibited from further disclosing the information.

Right to complain to the relevant data protection authority

Rule 5, Subsection 9 of the IT Rules mandates that all discrepancies or grievances reported to data controllers must be addressed in a timely manner. Corporate entities must designate grievance officers for this purpose, and the names and details of said officers must be published on the website of the body corporate. The grievance officer must redress respective grievances within a month from the date of receipt of said grievances.

The proposed Privacy Bills also seek the establishment of a Data Privacy and Protection Authority for the regulation and adjudication of privacy-related complaints and disputes. The draft Personal Data Protection Bill 2018, in Section 28, allows a data principal to complain to the data protection authority if it is unreasonably hindered by the data fiduciary in the exercise of its rights.

iii Specific regulatory areas

Financial privacy

Public Financial Institutions (Obligation as to Fidelity and Secrecy) Act 1983

Under this Act, public financial institutions are prohibited from divulging any information relating to the affairs of their clients except in accordance with laws of practice and usage.

The Prevention of Money Laundering Act 2002

The Prevention of Money Laundering Act (PMLA) was passed in an attempt to curb money laundering and prescribes measures to monitor banking customers and their business relations, financial transactions, verification of new customers, and automatic tracking of suspicious transactions. The PMLA makes it mandatory for banking companies, financial institutions and intermediaries to furnish to the Director of the Financial Intelligence Unit (under the PMLA) information relating to prescribed transactions, and which can also be shared, in the public interest, with other government institutions or foreign countries for enforcement of the provisions of the PMLA or through exchanges of information to prevent any offence under the PMLA.

Credit Information Companies (Regulation) Act 2005 and the Credit Information Companies Regulations 2006

This legislation is essentially aimed at regulation of sharing and exchanging credit information by credit agencies with third parties. Disclosure of data received by a credit agency is prohibited, except in the case of its specified user and unless required by any law in force.

The regulations prescribe that the data collected must be adequate, relevant and not excessive, up to date and complete, so that the collection does not intrude to an unreasonable extent on the personal affairs of the individual. The information collected and disseminated is retained for a period of seven years in the case of individuals. Information relating to criminal offences is maintained permanently, while information relating to civil offences is retained for seven years from the first reporting of the offence. The regulations also prescribe that personal information that has become irrelevant may be destroyed, erased or made anonymous.

Credit information companies are required to obtain informed consent from individuals and entities before collecting their information. For the purpose of redressal, a complaint can be written to the Reserve Bank of India.

Payment and Settlement Systems Act 2007

Under this Act, the Reserve Bank of India (RBI) is empowered to act as the overseeing authority for regulation and supervision of payment systems in India. The RBI is prohibited from disclosing the existence or contents of any document or any part of any information given to it by a system participant.

Foreign Contribution Regulation Act 2010

This Act is aimed at regulating and prohibiting the acceptance and utilisation of foreign contributions or foreign hospitality by certain individuals, associations or companies for any activities detrimental to the national interest and, under the Act, the government is empowered to call for otherwise confidential financial information relating to foreign contributions of individuals and companies.

Workplace privacy

In the present scenario, employers are required to adopt security practices to protect sensitive personal data of employees in their possession, such as medical records, financial records and biometric information. In the event of a loss to an employee due to lack of adequate security practices, the employee would be entitled to compensation under Section 43A of the Information Technology Act 2000. Other than this piece of legislation, there is no specific legislation governing workplace privacy, although, in relation to the workplace, the effect of the Supreme Court judgment on privacy as a fundamental right remains to be seen.

Children's privacy

Section 74 of the Juvenile Justice (Care and Protection of Children) Act 2015 mandates that the name, address or school, or any other particular, that may lead to the identification of a child in conflict with the law or a child in need of care and protection or a child victim or witness of a crime shall not be disclosed in the media unless the disclosure or publication is in the child's best interest.

Health and medical privacy

Under the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations 2002 (Code of Ethics Regulations 2002), physicians are obliged to protect the confidentiality of patients during all stages of procedures, including information relating to their personal and domestic lives, unless the law mandates otherwise or there is a serious and identifiable risk to a specific person or community of a notifiable disease.

Medical Termination of Pregnancy Act 1971

This Act prohibits the disclosure of matters relating to treatment for termination of pregnancy to anyone other than the Chief Medical Officer of the state. The register of women who have terminated their pregnancy, as maintained by the hospital, must be destroyed on the expiry of a period of five years from the date of the final entry.

Ethical Guidelines for Biomedical Research on Human Subjects

These Guidelines require investigators to maintain the confidentiality of epidemiological data. Data of individual participants may be disclosed in a court of law under the orders of the presiding judge, or if there is a threat to a person's life; the Guidelines also allow communication to the drug registration authority in cases of severe adverse reaction and communication to the health authority if there is a risk to public health.

iv Technological innovation and privacy law

There are no marketing restrictions on the internet or through email. Because India has no comprehensive data protection regime, issues such as cookie consent have not yet been addressed by Indian legislation.

The IT Rules provide reasonable security practices to follow as statutory security procedures for corporate entities that collect, handle and process data, and these also apply to the use of big data. Unfortunately, no specific guidelines exist for the use of big data and big-data analytics in India.

IV INTERNATIONAL DATA TRANSFER AND DATA LOCALISATION

Despite India's dogged attempts to join APEC for several years, its inclusion in the forum has so far been limited to observer status. APEC rules therefore do not apply in the Indian jurisdiction thus far.

In terms of restrictions on transfer of data, Section 7 of the IT Rules states that bodies corporate can transfer sensitive personal data to any other body corporate or person within or outside India, provided the transferee ensures the same level of data protection that the body corporate maintained, as required by the IT Rules. A data transfer is only allowed if it is required for the performance of a lawful contract between the data controller and the data subjects; or the data subjects have consented to the transfer.

The proposed Privacy Bill, if enacted, will place slightly more stringent restrictions on international transfers of personal data. As per the draft Personal Data Protection Bill 2018, cross-border data transfers outward from India may be regulated by the central government. Section 40 provides that every data fiduciary shall ensure the storage of at least one serving copy of personal data on a server or data centre located in India, and that the central government shall notify categories of personal data as critical personal data, to be processed only in a server or data centre in India. In Section 41, sub-section 2, the draft Personal Data Protection Bill 2018 states that the central government will be entitled to permit such transfers only under certain specific circumstances.

As worded, Section 7 of the IT Rules is already rather restrictive. However, in some ways this is no different from EU data protection legislation, which restricts transfers of personal data outside the EU unless certain measures are taken, such as requiring the data importer to sign up to EU Model Contract Clauses. In addition, the Ministry of Information Technology clarified via a press note released on 24 August 2011 that the rules on sensitive data transfer described above are limited in jurisdiction to Indian bodies corporate and legal entities or persons, and do not apply to bodies corporate or legal entities abroad. As such, information technology industries and business process outsourcing companies may subscribe to whichever secure methods of data transfer they prefer, provided that the transfer in question does not violate any law either in India or in the country the data are being transferred to. Presumably litigation in this sector – so far non-existent – will further clarify matters.

In general, data protection laws in India apply to businesses established in other jurisdictions as well. Section 75 of the IT Act states that the provisions of the Act would apply to any offence or contravention thereunder committed outside India by any person (including companies), irrespective of his or her nationality, if the act or conduct constituting the offence or contravention involves a computer, computer system or computer network located in India.

V COMPANY POLICIES AND PRACTICES

The general obligations for data handlers elaborated above apply to all companies handling data, and their policies must reflect as much. In addition, the IT Rules contain specific provisions dealing with best practices, particularly in the context of breaches and security.

Rule 8 of the IT Rules describes reasonable security practices and procedures as follows:

1. A body corporate or a person on its behalf shall be considered to have complied with reasonable security practices and procedures, if they have implemented such security practices and standards and have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business. In the event of an information security breach, the body corporate or a person on its behalf shall be required to demonstrate, as and when called upon to do so by the agency mandated under the law, that they have implemented security control measures as per their documented information security programme and information security policies.
2. The international standard IS/ISO/IEC 27001 on 'Information Technology – Security Techniques – Information Security Management System – Requirements' is one such standard referred to in sub-rule (1).
3. Any industry association or an entity formed by such an association, whose members are self-regulating by following other than IS/ISO/IEC codes of best practices for data protection as per sub-rule (1), shall get its codes of best practices duly approved and notified by the Central Government for effective implementation.
4. The body corporate or a person on its behalf who have implemented either IS/ISO/IEC 27001 standard or the codes of best practices for data protection as approved and notified under sub-rule (3) shall be deemed to have complied with reasonable security practices and procedures provided that such standard or the codes of best practices have been certified or audited on a regular basis by entities through independent auditor, duly approved by the Central Government. The audit of reasonable security practices and procedures shall be carried out by an auditor at least once a year or as and when the body corporate or a person on its behalf undertake significant upgradation of its process and computer resources.

There are no statutory registration or notification requirements for either data processors or data controllers. The proposed Privacy Bills provide for the establishment of a Data Protection Authority of India, and Chapter VII, Section 43 stipulates that the Authority shall establish and maintain a National Data Controller Registry – 'an online database to facilitate the efficient and effective entry of particulars by data controllers'. If the Bill is enacted, data controllers shall not be permitted to process any data belonging to any data subject for a given documented purpose, unless they first make an entry in the Registry in a format to be determined by the central government. Similarly, the draft Personal Data Protection Bill 2018 also envisages the establishment of a data protection authority, which may require registration by data fiduciaries under certain circumstances, as described above in Section III.ii.

VI DISCOVERY AND DISCLOSURE

If a request from a foreign company is based on an order of a court of law, and the country in question has a reciprocal arrangement with India, an Indian court is likely to enforce the request in India. In the absence of a court order, however, an Indian company is under no obligation to make any kind of disclosure.

In a Ministry of Communications and Information Technology press release, the government clarified that any Indian outsourcing service provider or organisation providing services relating to collection, storage, dealing or handling of sensitive personal information or personal information under contractual obligations with a legal entity located within or outside India is not subject to the IT Rules requirements with respect to disclosure of information or consent, provided it does not have direct contact with the data subjects when providing services.

See also the exceptions to the consent requirements for disclosure detailed in Section III.ii.

VII PUBLIC AND PRIVATE ENFORCEMENT

i Enforcement agencies

In addition to the security practices and policies outlined in Section V, and as mentioned in Section III.i, the proposed Privacy Bills and the draft Data Protection Bill, 2018, conceptualise the creation of a data protection authority for the enforcement of data protection legislation and to oversee compliance with it. These Bills will likely become the principal data protection legislation if enacted, and in that event, provisions pertaining to the security of personal data that state specifically that every data controller must set appropriate technological, organisational and physical standards for the security of data under its control will also come into force.

ii Recent enforcement cases

As is evident from the above, India has no distinct legislative framework to support litigation in the areas of privacy, cybersecurity and data protection. There has been no significant litigation in this area in the recent past. It is to be hoped that with the passage of the Privacy Bill or the draft Data Protection Bill, 2018, into law and a clearer definition of rights in this sector, the enforcement of rights will become both more active and more stringent.

iii Private litigation

Karmanya Singh Sareen & Anr v. UOI & Ors16

This case was filed before the High Court of New Delhi in the public interest by two university students against WhatsApp, Facebook and the Union of India (through the Department of Telecommunications (DoT) and the Telecom Regulatory Authority of India (TRAI)). Subsequent to its acquisition by Facebook, WhatsApp updated its privacy policy in August 2016, stating that it would now share a limited amount of user information with Facebook for optimised advertising and networking suggestions. The petitioners contended that this change in policy compromised the privacy of the users of WhatsApp.

On 23 September 2016, the High Court of New Delhi passed an order directing WhatsApp to 'scrub' all user data collected prior to 25 September for users who chose to opt out of the service prior to this date. For users choosing to continue to make use of the service, the High Court directed that only data collected after 25 September could be shared by WhatsApp with Facebook and its group companies. The Court also directed DoT and TRAI to examine the feasibility of bringing WhatsApp (and other internet-based messaging applications) under a statutory regulatory framework, ordering that these respondents must take an appropriate decision on this matter 'at the earliest'.

This decision is significant in that it is the only emphatic recognition of the right to privacy for individuals that our jurisprudence has seen in the past few years, other than the landmark Supreme Court judgment striking down Section 66A of the IT Act in 2015.

In 2017, the petitioners filed an appeal before the Supreme Court challenging the order of the High Court. The petitioners impugned the directions of the High Court and sought directions of the Supreme Court since, according to the petitioners, the policy formulated by WhatsApp was unconscionable and unacceptable. The Supreme Court is still hearing the matter and it seems unlikely that the controversy will be resolved this year.

KS Puttaswamy & Ors v. Union of India & Ors17

In KS Puttaswamy & Ors v. Union of India & Ors, and the litigation that followed it, the constitutional validity of the Aadhar Act scheme was challenged on the grounds that it was ultra vires the Constitution and violated the rights of every citizen.

The matter was initially heard by a three-judge bench, which referred it to a five-judge bench. However, owing to previous judgments by larger benches of the Supreme Court, a nine-judge bench was constituted to address the issue of whether privacy was a fundamental right guaranteed under the Constitution. The nine-judge bench issued a unanimous decision holding privacy to be a fundamental right of every citizen of the country, with qualified riders. In fact, the judgment acknowledges neo-libertarian values, such as the right to be forgotten, and will go down as a landmark judgment. The challenge to the constitutional validity of the Aadhar Act itself is still pending and a judgment of the Supreme Court in this matter is expected soon.

VIII CONSIDERATIONS FOR FOREIGN ORGANISATIONS

Unfortunately, Indian jurisprudence sheds no light on compliance requirements for organisations functioning outside India (see Section IV).

IX CYBERSECURITY AND DATA BREACHES

See Sections V and VI for information on breaches and breach reporting requirements. In addition to the information given in those sections, it is pertinent to note that, while the law as it stands contains no legal requirement to report data breaches to affected individuals, the draft Privacy Bill does. In fact, the draft exempts the data protection authority from this requirement in only two scenarios: where the data protection authority believes that such a notification will impede a criminal investigation, or where the data subject cannot possibly be identified.

Earlier this year it emerged that Cambridge Analytica – a political consultancy firm – had harvested the data of users of the social media giant Facebook without their consent in order to influence elections. Indian authorities have indicated that Cambridge Analytica will be investigated to ascertain the nature of its work in India.18

X OUTLOOK

There is no doubt that India urgently needs to take a keen look at its poorly regulated digital spaces and at the virtual activities of individuals, private organisations and governmental authorities alike. The several agencies performing cybersecurity operations in India, such as the National Technical Research Organisation, the National Intelligence Grid and the National Information Board, require robust policy and legislative and infrastructural support from the Ministry of Electronics and Information Technology, and from the courts, to enable them to do their jobs properly. The EU's General Data Protection Regulation may provide impetus for India in this regard, particularly given that not only will the regulation affect cross-border information flow (and India is a net information exporter), but also the EU has exposed several lacunae in the standards applied by the Indian government to the protection of data and enforcement of cybersecurity in a report following approval of its new data protection regulation. While it seems that the government is concerned and keen to bring about change in this sector, in view of India's rather poor record in prioritising these matters, optimism is not necessarily warranted at this stage.


Footnotes

1 Aditi Subramaniam is an associate principal and Sanuj Das is a managing associate at Subramaniam & Associates.

2 Links to pdf versions of the IT Act and Rules are available on the website of the Ministry of Electronics and Information Technology: meity.gov.in/content/cyber-laws.