Data Privacy – The Bitter-Sweet Pill

It may be interesting to note that prior to April 2011, India had no data privacy laws. So, any data theft generally led to proceedings under provisions of the Indian Penal Code, 1860 (where a penal action did not remedy a loss suffered by the person whose data was stolen), or to an action under the Indian Contract Act, if a “confidentiality” or “non-disclosure agreement” (“NDA”) had been executed between the parties. This situation was amusing and concerning at the same time, since India had been at the forefront of the IT revolution for more than a decade before the data privacy laws actually came into force.

The Central Government recognized this lacuna, and while it did not formulate any stringent, detailed laws or regulations for the protection of data or the maintenance of data privacy, it amended the Information Technology Act, 2000 (“IT Act”) by introducing S. 43-A.

Simply put, S. 43-A of the IT Act requires a body corporate (such as a company, firm or proprietorship) possessing or handling ‘sensitive personal information’ to implement prescribed security measures to prevent such information from unauthorized access or disclosure. In the event it fails to, or is negligent in, implementing such security measures, and this results in wrongful loss to the person so affected (the ‘data subject’), such body corporate will be liable to pay damages by way of compensation to the affected person.

As they say, and correctly so, the devil is in the detail. The Central Government notified rules under S. 43-A, viz. the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“IT Rules”), which raise many more challenges.

SENSITIVE ‘PERSONAL’ INFORMATION

The IT Rules define sensitive personal data or information as ‘personal information’ which consists of information relating to passwords, financial information (bank account, credit/debit card details), medical condition/history, biometric information, etc. Given that the IT Rules define ‘personal information’ only in the context of ‘natural persons’, only sensitive information that relates to individuals is accorded statutory protection under the IT Act. Information that may be in the nature of corporate confidential information has not been accorded such express protection, though a claim based in tort or for breach of contract (if there is an NDA in place) may still be initiated.

Further, the obligation to implement these security measures is only on the ‘body corporate’, which does not include government departments, at a time when the government is one of the largest repositories of sensitive personal data.

PRESCRIBED ‘SECURITY’ MEASURES

On the one hand, S. 43-A of the IT Act gives parties the flexibility to mutually agree on what security measures need to be implemented for protecting sensitive information. On the other hand, the Central Government has prescribed IS/ISO/IEC 27001 on Information Technology – Security Techniques – Information Security Management System – Requirements (“IEC 27001”) as one of the standards recognized as ‘reasonable security practices and procedures’ under the IT Rules.

Although the IT Rules seem to allow the parties to mutually agree to other security practices for protecting sensitive information (apart from IEC 27001), the challenge remains in situations where one of the contracting parties is not in a comparable negotiating position. An employment contract is a case in point, where the candidate mostly signs on the dotted line. So the question will remain whether a company can escape liability on account of ‘agreed’ security measures being implemented, even if such measures are obviously inadequate.

Some guidance can be found in Rule 8 of the IT Rules, which states that a company will be considered to have implemented reasonable security practices if it has a comprehensive documented information security programme that contains (a) managerial, (b) technical, (c) operational and (d) physical security control measures commensurate with the nature of the information being protected. While these tests can be subjective, at least they provide guidance on what the constituents of reasonable security practices are.

Simultaneously, it also creates a paradox, given that the parent legislation does not require the reasonableness of security measures to be judged against these parameters, and parties have the flexibility to mutually agree on the security measures being put in place. Consequently, it is debatable whether the IT Rules can impose an obligation which the statute does not otherwise contemplate.

TRANSFER PROVISIONS

Rule 7 of the IT Rules has caused some confusion regarding the ‘transfer’ of ‘personal information’. While the IT Rules require the company to obtain the consent of the data subject before his/her sensitive personal information can be transferred (within or outside India, always subject to implementation of the prescribed security measures), strangely this Rule 7 applies to “sensitive personal data or information including any information”. Inclusion of the words ‘any information’ causes uncertainty regarding the applicability of this rule, as it does not seem to be confined to sensitive personal information anymore. Does it mean that transfer of any personal information will require compliance with Rule 7 of the IT Rules? Given that the IT Rules are framed under S. 43-A of the IT Act, which relates to ‘sensitive personal data or information’, the scope of Rule 7 cannot, arguably, be expanded to include ‘any information’.

CONCLUSION

S. 43-A and the IT Rules seem to place a lot of emphasis on empowering and protecting the interests of the data subject, and they also introduce significant and round-the-clock compliance requirements on companies to implement these privacy measures. The person affected by unauthorized disclosure of sensitive personal information is entitled to damages by way of compensation, which implies that the affected person will first need to establish and quantify loss in monetary terms before a claim under S. 43-A can succeed. Barring cases involving disclosure of financial information (where loss can be quantified and directly attributed to the disclosure of sensitive information), the law may not be of great help to affected persons. So, there still remains a need for more comprehensive legislation on these very important aspects for each stakeholder, in line with similar provisions in the western world. We hope and trust that we will see that soon.

About Author

Hardeep Sachdeva

Hardeep Sachdeva is a Senior Partner with AZB & Partners. He is a corporate lawyer with extensive experience of more than two decades and has a special focus on M&A & Corporate Advisory and Private Equity across several sectors including real estate, retail, e-commerce, hospitality, health care, technology, education, infrastructure, insurance, alcoholic beverages, consumer durables, automotive products and family foundations.

Rachit Behl

Rachit Behl is a Partner with AZB & Partners. He is a corporate lawyer with significant experience in corporate advisory with specific focus on exchange control, e-commerce, information technology and intellectual property laws.