Wednesday, October 19, 2011

Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 and the Information Technology (Intermediaries guidelines) Rules, 2011


Data protection and data privacy laws have been evolving constantly all around the world. India has lacked a dedicated data privacy or data protection law of the kind many other countries have. With the constantly increasing dependence on cyberspace and with advances such as cloud computing, more privacy violations and cyber security issues are likely to arise in future. A dedicated privacy and data protection law in place will considerably reduce these apprehensions. Moreover, there has been a strong opinion that if India strengthens its data protection law, it can attract multinational corporations to India. The 2008 amendment of the IT Act and the subsequent rules instigated the strengthening of the data protection laws of the country. Prior to the 2008 amendment there was no data privacy legislation in India. The implementation of that legislation initiated the pursuit of effective data protection; however, the measures prescribed in the 2008 legislation were limited in scope. To bolster these protections, the Government of India has notified the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 and the Information Technology (Intermediaries guidelines) Rules, 2011.

Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules have been notified under the powers conferred by Section 87(2) read with Section 43A of the Information Technology Act 2000. They regulate the collection, disclosure, transfer and storage of sensitive personal data, and widen the scope of the regulation in Section 43A of the Act.
The sensitive personal data or information of a person dealt with by the Rules consists of information relating to passwords, financial information such as bank account or credit card details, his or her physical, physiological and mental health condition, medical records and history, sexual orientation, and biometric information. The Rules mandate that individuals be informed when personal information about them is collected and of the purpose of that collection. The data thus collected cannot be retained for longer than is necessary and cannot be used for any purpose other than that for which it was collected. Individuals have the right to access their personal data and to correct inaccuracies. They can also opt out of providing personal data by sending a withdrawal of consent in writing. The body corporate dealing with the information is required to publish its privacy policy regarding the handling of such information.

Though the information is to be kept confidential from third parties, the Rules permit all sensitive personal details to be shared with government agencies for the purpose of verification of identity, or for the prevention, detection and investigation of offences, including cyber incidents, and for the prosecution and punishment of offences. A government agency mandated under the law to obtain such information can request it from the body corporate, stating the purpose for which the information is sought.

The Rules also provide for data transfer. The body corporate can transfer the information to any other body corporate or person in India, or located in any other country, if the transfer is necessary for the performance of the lawful contract between the body corporate and the provider of the information, or where the provider of the information has consented to the transfer. However, the transferee must ensure the same level of data protection that is adhered to by the body corporate under these Rules.

A body corporate has to comply with reasonable security practices and procedures as mentioned in the Rules, including a comprehensive documented information security programme and information security policies containing managerial, technical, operational and physical security controls commensurate with the information assets being protected; the international standard IS/ISO/IEC 27001 is named as one such standard. In case of any information security breach, the body corporate can be required by the agency mandated under the law to demonstrate that it has implemented the documented security control measures.

Generally, information requests made by government agencies have certain inbuilt checks, which are apparently absent in the case of these Rules, except that the request for information has to be made in writing and the reasons for seeking the information have to be stated. However, the Ministry of Communications & Information Technology, in a press release dated May 10, 2011, stated that the Rules do not give any undue powers to government agencies for free access to sensitive personal information. It was also pointed out that the Rules provide inherent checks and balances, as the government agency must be mandated under the law to obtain such information, and the information so obtained shall not be published or shared with any other person.

There exists an ambiguity when it comes to the applicability of the Rules. The Ministry of Communications & Information Technology issued another press release to provide clarity in this regard. The press release states that the Rules concern sensitive personal data or information and are applicable to any body corporate or person located within India. In the light of the clarification issued by the Ministry, the Rules do not apply to a body corporate outside India. The clarification is silent about the situation involving a foreign body corporate whose computer resource is located in India. However, such a body corporate can be brought under the purview of the Rules in the light of Section 75 of the IT Act, which covers an offence or contravention committed outside India that involves a computer, computer system or computer network located in India.

The press release further states that Rules 5 and 6, which deal with the collection and disclosure of information respectively, are not binding on a body corporate providing services under a contractual obligation with any legal entity. Hence personal data sent to India by customers outsourcing work to companies in the country will not be covered by the new Rules. However, a body corporate providing services to the provider of information under a contractual obligation directly with that provider is subject to Rules 5 and 6.

It has also been clarified that providers of information, as referred to in these Rules, are those natural persons who provide sensitive personal data or information to a body corporate. This eliminates the uncertainty as to whether an entity which collects information and provides it to another entity would be considered a provider of information. It was also believed that the Rules would make it difficult for Indian outsourcers to operate if they were required to take written consent from individuals in other countries whose data they collect and process through call centres and business process outsourcing operations. However, it has been clarified that consent may be given by any mode of electronic communication.

Concerns have been raised that these Rules are too restrictive and could deter foreign companies from doing business in India. Whether these Rules will turn out to be advantageous or not, only time will tell.



Information Technology (Intermediaries guidelines) Rules, 2011

The Ministry of Communications and Information Technology notified the Information Technology (Intermediaries guidelines) Rules, 2011 on April 11, 2011. These Rules prescribe certain guidelines that are to be followed by intermediaries.

According to Section 2(1)(w) of the IT Act, post the 2008 amendment, an intermediary, with respect to any particular electronic record, is any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record. The provision further states that intermediaries include telecom service providers, network service providers, internet service providers, web hosting service providers, search engines, online payment sites, online auction sites, online marketplaces and cyber cafes.

The aforementioned Rules prescribe the due diligence to be observed by an intermediary in the course of its functioning. The intermediary has to publish the rules and regulations, privacy policy and user agreement for accessing the intermediary's computer resource, and it must inform users not to host, display, upload, modify, publish, transmit, update or share any information unlawfully. The intermediary itself must also refrain from knowingly hosting, publishing or transmitting any such information. This does not, however, cover temporary or transient storage of information carried out automatically by the intermediary. If the intermediary comes to know of the existence of such information, it has to act within thirty-six hours to disable access to the information. Where such information is removed, the records regarding it have to be preserved for at least ninety days for investigation purposes. The intermediary has the right to immediately terminate the access or usage rights of users on the grounds of non-compliance with its rules and regulations.

The intermediary is bound to provide assistance to government agencies that are lawfully authorised for investigative, protective or cyber security activity. Cyber security incidents have to be reported to the Indian Computer Emergency Response Team (CERT-In). The intermediary has to publish on its website the name and contact details of its Grievance Officer and the procedure for filing a complaint against a violation of Rule 3. The Grievance Officer must redress complaints within one month from the date of receipt of the complaint.
