New Indian Privacy and Data Security Rules – Ambiguity Creates Uncertainty
On April 13, 2011, the Indian Central Government issued final regulations implementing parts of the Information Technology (Amendment) Act, 2008, dealing with protection of personal information.
Pillsbury does not provide legal advice on Indian law, but we have been in contact with the Indian legal community and service providers. Here is what we have learned.
As drafted, the new Reasonable Security Practices and Procedures and Sensitive Personal Information rules appear to apply to all information in the possession of organizations in India, regardless of where it came from or how it got there.
The new rules define both “personal information” and “sensitive personal information” and prescribe how such information may be collected and used by virtually all organizations in India. As drafted, among other obligations, prior written consent from the data subject will be required, without exception, to collect and use sensitive personal information. If enforced as written, these consent requirements would be far more restrictive than what is required under most (if not all) US laws and the EU Directive.
As a result, U.S. and European multinational businesses that currently rely on their India-based operations or Indian outsourcing service providers to handle sales and other transaction-related calls from their U.S.- or EU-based customers (or even benefit-related calls from their U.S.- or foreign-based employees) may have to adjust their personal data collection practices to conform to the new Indian data protection rules, even though their current practices may comply fully with applicable US or EU privacy rules.
If enforced as written, these new rules could have a profound effect on multinational businesses that either outsource business functions to Indian service providers or maintain their own operations in India.
However, the rules are not as clear cut as they might be. Because of the significant ambiguity in the way the rules are worded, the relevant authorities in India are likely to have to issue clarifications before anybody really knows what they mean on a practical level.
The general view among Indian service providers and attorneys seems to be that the rules shouldn’t have extra-territorial application (i.e., application to data imported into India), but the new rules don’t contain language that would create such an exception. For now, according to Indian service providers, the government is not providing any indication that Indian service providers will be required to do anything materially different from what they do today to comply with privacy laws in the US and Europe.
For entities who have (or are negotiating) existing contracts with Indian service providers where sensitive personal information is being stored or processed in India, since the burden of compliance will be on the Indian service providers, now would be a good time to look at the provisions of the contracts associated with compliance with laws and who bears the risk/cost of regulatory changes.
Privacy legislation in India that would, among other things, facilitate the interaction of India’s outsourcing industry with the EU data privacy rules, has been “coming” for years. Earlier this year, a draft privacy bill that had been circulating informally for comment was withdrawn from consideration. The Indian Central Government indicated to industry that they would be “starting over” on the drafting process (again).
However, in February India’s Department of Information Technology quietly posted for public comment a set of draft regulations implementing parts of the Information Technology (Amendment) Act, 2008, dealing with protection of personal information, data security, due diligence observed by service providers, and guidelines for cyber cafes. On April 13, the Central Government issued the final privacy-related rules.
Given the expansive nature of the new rules and the ambiguities in their drafting, these new rules have caused significant debate in the privacy and outsourcing communities with regard to their meaning and impact. The following is intended to give you background on the interpretational debate; it is not intended to be a substitute for obtaining expert guidance for your specific situation.
The more expansive interpretation of the new rules would mean that they could impact all information processing and business processes outsourced to India. The new rules define “sensitive personal information” broadly and prohibit the collection of sensitive information unless it is to be used for a lawful purpose. The rules require adherence to traditional fair information practices related to notice, choice and access.
Under Section 43A of the Indian Information Technology (Amendment) Act 2008, a company that holds sensitive personal data or information in a computer system that it owns, controls or operates, and that is negligent in implementing and maintaining reasonable security practices and procedures, and causes wrongful loss or wrongful gain to another person, has to pay damages to the person so affected. Failure to comply with the provisions of the IT Act 2008 can result in prosecution/legal action initiated against the business itself, directors, and those individuals within the company who are responsible for the company’s performance.
If this is the correct interpretation, given the penalties applicable to violations of the IT Act 2008, outsourcing providers in India may be required to insist that they provide notice and obtain consent from every individual who calls a helpdesk or customer service, and IT outsourcing vendors may seek to impose data security obligations on their customers to ensure that the customer complies with Indian law.
A different interpretation has been expressed by other commentators: that when the April 2011 Privacy Rules are published in India’s Gazette they will apply only to matters that fit under Section 43A of the 2008 Act, and only if there is no other agreement between the parties. Under this interpretation, the rule-making power of the Central Government in this context extends only to the scope specified in Section 43A, and anything outside the ambit of the matters discussed in that Section can neither be implemented nor enforced. In other words, these new rules are intended to define what constitutes reasonable security practices and procedures solely for the purposes of Section 43A.
The Explanation to Section 43A (provided as part of the IT Act 2008) defines the term “reasonable security practices and procedures” as “those practices and procedures designed to protect such information from unauthorized access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.”
Under the Explanation to Section 43A, parties are free to specify in an agreement the types of practices and procedures to be adopted in order to protect sensitive data. It is also possible that such practices and procedures may be specified in some other law. However, if there is neither an agreement between the parties nor any applicable law, then the term “reasonable security practices and procedures” will be deemed to mean the practices and procedures prescribed by the Central Government.
Thus, under this more conservative interpretation, India’s Central Government has published the Privacy Rules to do what the Explanation had set out with respect to Section 43A. They are not the all-encompassing privacy legislation that some have described but rather a set of government-prescribed practices and procedures that corporations could follow, in the absence of other agreements, to avoid the consequences set out in Section 43A.
Under the narrow interpretation, which commentators in India consider more likely, the new rules will serve two functions: (a) they will serve as a default if a contract does not specify requirements for security and procedures for handling sensitive personal information, and (b) if an Indian entity suffers a data breach in which sensitive personal information is exposed, they will be the standard against which the Indian entity’s practices are judged for the purposes of evaluating the degree to which the Indian entity is at fault for the breach.
Hopefully, given the tempest these new rules have created, the Central Government will come out with a clarification quickly (but “quickly” on government time may still take quite a while).