New privacy rules under the IT Act

Continuing from my previous post on the Intermediary Rules released under the Information Technology Act (“the IT Act”), I will attempt to outline a few flagrant issues in the second set of rules that were also notified in April 2011—the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“the Privacy Rules”).

The new rules prescribe how personal information may be collected, stored, processed, and used by virtually all organisations in India, including personal information collected from individuals located outside of India. Thus, the Privacy Rules will have a significant impact on multi-national businesses that operate outside of India, but rely on data collection exercises within India. Given that these rules prescribe stringent requirements for data protection, the following issues may be relevant from a legal and practical perspective.

1. Exceeding the mandate under the IT Act

As in the case of the Intermediary Rules, it appears that the Department of Information Technology (“the DIT”) has exceeded its mandate by not only prescribing reasonable security practices and procedures and clarifying the definition of sensitive personal data or information, as authorised under Section 43A of the IT Act, but also issuing detailed procedures for the collection, storage, and transfer of such data. Technology and corporate lawyer Nikhil Narendran agrees with this and notes that “the limited purpose of 43A being to ensure compensation for persons affected by data security breach, it is unclear why the Government would want to prescribe extensive collection and transfer procedures as well.”

2. Effect on outsourcing contracts

The Privacy Rules are set to have a resounding international impact on businesses that deal with the collection of personal information in India, and there are varying degrees of concern about their impact on outsourcing arrangements in India. While some argue that outsourcing providers in India may be required to provide notice to customers and obtain consent from every individual who calls a helpdesk or customer service, others like Mr. Narendran contend that the impact will be minimal since “most outsourcing contracts have detailed security standards dealing with data protection and these entities already have these sorts of agreements in place and are applying them consistently”.

3. Possibility of contracting out of compliance standards

The reason for the minimal impact is that under Section 43A, the requirements for reasonable security practices and procedures are either as agreed between parties by means of a contract or by any law in force. In the absence of these two, the Privacy Rules would apply. However, an important point for businesses to keep in mind is the extent to which they can brush aside the Privacy Rules when a contract is in place. Nikhil is of the view that a body corporate might be required to ensure that the sensitive personal data that is being collected and processed is in compliance with the Privacy Rules, in addition to following reasonable security practices under the contract. Thus, the Privacy Rules appear to have introduced new compliance standards in respect of collection and processing, which a company may not be able to contract out of.

4. Jurisdictional issues: Applicability to non-citizens

Another issue that is bound to distress international businesses that have either back-offices in India or depend on third-party outsourcing providers in India is the applicability of the IT Act to non-citizens. The IT Act has extra-territorial jurisdiction, and neither the IT Act nor the Privacy Rules restrict their applicability to the collection and use of personal data from or about Indian citizens or residents alone. Further, they do not limit their application to situations where the Indian entity is acting as the “data controller” or the “principal”. There is, therefore, significant cause for worry for such businesses. So long as the data is being collected from within India, the Rules will be applicable. More importantly, however, the IT Act specifies that violations committed outside of India would also fall within its ambit, and hence personal information that is collected in India from individuals located outside of India and then transferred outside of India should be collected, used, and protected in accordance with the Privacy Rules of India, thus nullifying the relevance of the location of the collecting entity.

5. Inconsistency between statutes on the issue of consent

Nandita Saikia, a lawyer who routinely analyses technology and intellectual property related legislation, raises some interesting issues on the question of consent under the Privacy Rules and the possible inconsistencies between various rules on this point. She takes an example from the realm of broadcasting to illustrate such potential inconsistencies. An IPTV service (a system to deliver television over the Internet) might involve the collection of information relating to different persons. While the Indian Broadcasting Federation’s Content Code does not explicitly prohibit the invasion of privacy, unless it is unwarranted or against public interest, the Privacy Rules require consent from the provider of information to be obtained before the information is collected, and they forbid the publication of the information. She reads this to mean contractual consent, which then raises the important point – can the non-publication restriction contained in the Privacy Rules be bypassed by issuing a contract? More importantly, can the Privacy Rules be said to apply to television broadcasting at all, without slipping into legal infirmities?

6. Changes in websites that gather data from users

As for changes that can be brought about with immediate effect, noted technology lawyer Apar Gupta, who recently published a book on the IT Act, says that “to my mind one of the first things the rules will require will be changes in the terms of use and the privacy policies of websites which gather data in India.” Anyone who has had to fill out numerous webforms on websites will attest that the security of the information collected at the stage of registration and subsequent use is of paramount concern, and while some organisations make their privacy and usage policies clear, others are less forthcoming.

Thus, a host of concerns emerge from two of the four sets of rules recently notified by the Government under the Information Technology Act. It is distressing to see that views of civil society organisations were ignored, and now that the rules have come into effect, one can only hope that the matter is raised in Parliament, so that a quick reversal is effected. Till then, we will have to live like it is 1984.


(Amlan Mohanty is a student of the National Law School of India University, Bangalore.)

