This article is written by Shanuja Thakur, pursuing Diploma in US Technology Law and Paralegal Studies: Structuring, Contracts, Compliance, Disputes and Policy Advocacy from LawSikho. The article has been edited by Prashant Baviskar (Associate, LawSikho) and Ruchika Mohapatra (Associate, LawSikho).
Introduction
The digital revolution in India is evident: technology and the digital space are evolving exponentially. Data privacy and protection have become a matter of individual rights. The right to privacy is recognized as a fundamental right under Article 21 of the Indian Constitution, as held by the Supreme Court in its historic verdict in Justice K.S. Puttaswamy v. Union of India. India’s digital transformation requires the law to transform as well. The Information Technology Act, 2000 (‘the IT Act’) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (‘the SPDI Rules’) are the key pieces of legislation in this area. In this article we discuss why the rules on sensitive personal data need to be transformed and analyze whether they are effective enough for a gigantic economy in the middle of a technology revolution, like India.
What are SPDI Rules 2011?
Let’s understand what the SPDI Rules cover and the key provisions governing sensitive personal information.
The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”) were issued on 13 April 2011 under Section 87(2) read with Section 43A of the IT Act. They govern sensitive personal data or information and apply to any body corporate or person located in India.
• Rule 3 defines sensitive personal data or information as the following types of data:
o Passwords,
o Bank Account details,
o Credit/debit card details,
o Present and past health records,
o Sexual orientation,
o Biometric data.
• An information provider is a person who provides information to the body corporate. Under these rules, the provider has certain rights over the sensitive personal information: it cannot be collected without the provider’s consent, the provider has the right to refuse consent, and consent can be withdrawn by writing to the body corporate.
• Under Rule 6, a body corporate is not permitted to publish or disclose such data or information to any third party without the information provider’s prior consent. However, there are two exceptions to this rule –
o Disclosure has been agreed to in the contract between body corporate and the information provider.
o Compliance with a legal obligation.
• The information provider can at any time review the information provided and have it amended if it is found to be inaccurate.
• The information collected can be used only for the purpose for which it has been collected and such information can’t be held by the body corporate for a time period longer than is required to fulfil the lawful purpose for which information was collected.
• Any grievance or discrepancy raised by the information provider must be addressed within one month by the body corporate’s grievance officer, whose details must be published on its website.
• A body corporate may transfer sensitive personal data or information to another body corporate or person, in or outside India, that ensures the same level of data protection as these rules, but only when the transfer is necessary for performance of a contract or the provider has consented to it.
• The Rules further make it mandatory for a body corporate handling SPDI to provide a privacy policy specifying the type of information collected, the purpose of collection, the disclosure policy, and the security practices and procedures followed; to publish that policy on its website; and to implement ‘reasonable security practices and procedures’ in relation to SPDI. One such standard is IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements”.
Needs of digital India
• India’s enormous data market and lack of stringent laws allow the free flow of data. Any sort of data can be marketed, and if the potential of the data market is harnessed efficiently the government can create employment opportunities. Hence we need legislation to create an organized digital economy for the benefit of citizens, the government, and local and global businesses.
• To make cross-border data transfer smooth, Indian organizations need to adhere to international standards and levels of security, especially for transfers to jurisdictions like the UK, the USA or the European Union. Moreover, as per Article 51 of the Indian Constitution, the state should make efforts to “promote respect for international law and contractual obligations in the dealing of organized persons with one another”.
• Digital sovereignty is a political reality. India, as a sovereign, socialist and democratic nation, should ensure that data produced in the country remains within the country, considering its security objectives, and that the data is used for national welfare; hence there is a need for data localization as well.
• With the recognition of the right to privacy as a fundamental right intrinsic to the right to life and personal liberty under Article 21 of the Indian Constitution, it is necessary to make data providers a key party in the digital economy and to balance the power companies hold to process and transfer data, since they have far higher bargaining power than consumers or data providers.
• Differentiating data into personal data, non-personal data, sensitive personal data and essential personal data is vital because different categories of data need varying levels of protection. Each category has a distinct impact on every aspect of data processing, from data analytics and control of cross-border transfers to access by law enforcement agencies.
Are the SPDI 2011 Rules enough?
Let’s examine why the rules need a change, how they fall short for a data-driven economy, and whether they fulfil the needs of data protection and security discussed above.
• The rules do not apply to corporations based outside India, even though the right to privacy is a fundamental right enforceable against the state. But what if data has been misused by Facebook; what would be the remedy? The rules reach offences that occur outside India only if the data resource is based in India.
The new data protection bill, a data protection legislation still in progress, solves this problem to an extent. The bill applies to the processing of personal data within India; to processing by any Indian entity, citizen or the state; and to processing by data fiduciaries not based in India, but only where the processing concerns a business carried on in India, the fiduciary offers goods or services to data principals within the territory of India, or the fiduciary profiles data principals in India.
• The definition of sensitive information is not wide enough: it does not include information such as transgender identity, intersex status, sex life or caste. Moreover, financial data is limited to account number and debit and credit card details, but the sensitive data of a bank account holder is much more than these details, such as financial status, credit history and the like. Health data covers only past and present health records, so neither the rules nor the Act gives a proper definition and scope for health data.
• One of the major problems with the rules, and even with the IT Act, is that they do not recognize the rights of data providers such as the right to be forgotten, data portability, and objection to direct marketing and profiling, which are recognized by the majority of jurisdictions that follow the GDPR.
• Under the IT Act and the SPDI Rules, no data protection authority is set up in India to enforce the law, hear complaints or inquiries, and ensure data protection. The arena of data protection will keep evolving, so a body is required to monitor this evolution and make sure that the laws and data protection practices keep up with the advancements.
• Consent is not clearly defined under the rules, so collection, disclosure and transfer of data work on the general principles of contract. As a measure of protecting data, the body corporate is only required to have a privacy policy and implement reasonable security practices and procedures, but the standards for such a policy are not specified.
• The body corporate is also not obligated to provide adequate notice of data processing, nor is it its duty to check the accuracy of data and ensure it is not misleading.
• The rules allow sensitive personal data or information to be exported outside India provided the transfer is in pursuance of a contract and has been consented to by the information provider, and provided the same data protection standards required in India are adhered to; there is no data localization. By contrast, the RBI requires all data related to the processing of cross-border transactions to be stored in India and all records outside India to be deleted, even if the payment is made outside India. The information provider should be aware of where the information is being stored, and data localization ensures data security, privacy and sovereignty of data from foreign surveillance, effective investigation of crimes by law enforcement agencies, and protection against threats to national security. Moreover, in an era where every service provider needs data analytics, data warehousing has become a huge business and can help employment.
• The redressal mechanism in the SPDI Rules provides for redressal within one month by a grievance officer appointed by the body corporate, but the duties and responsibilities of the grievance officer are not specified, and neither the procedure for redressal nor the appointment of such an officer when the body corporate is based outside India is addressed.
• Most importantly, the SPDI Rules do not mention any process to be followed in the event of a data breach, any mandatory compliance for entities processing citizens’ data, or any remedial action to compensate the information providers.
• There is no provision concerning the collection and processing of children’s data. Since children are not eligible to give valid consent, companies are advised to obtain a parent’s or guardian’s consent, but there are no rules for the protection of children on social media. Children may not be aware of the risks involved in sharing information, so they need extra protection.
Conclusion
There is no single data protection legislation that can resolve the ongoing cases and concerns related to data privacy which the current IT Act and the SPDI Rules of 2011 cannot resolve. Even the recently introduced Personal Data Protection Bill, 2019 has many loopholes: data anonymity is not covered under the bill, personal information can be accessed without consent in some cases, and many more. Not being party to any international convention on data protection such as the GDPR, India needs stringent legislation to become cyber resilient, as digital transformation brings several risks and vulnerabilities, and to make the international data transfer process smooth. Recognition of the right to privacy is not enough; making it enforceable against the state as well as private entities is the need of the hour. The pending data protection bill is in progress and is expected to become legislation soon. As the data and digital space evolves, the legislation must evolve with it. It is high time we recognize the inefficiency of the 2011 SPDI Rules, which do not serve the needs of the data providers of 2021; hence a change in this field is a must to serve the economy and its citizens better.
References
- Justice K.S. Puttaswamy (Retd.) vs Union of India, 26 September 2018 (indiankanoon.org)
- https://www.khaitanco.com/sites/default/files/2021-04/Data%20Protection%20in%20India%20Overview.pdf
- https://cis-india.org/internet-governance/blog/comments-on-the-it-reasonable-security-practices-and-procedures-and-sensitive-personal-data-or-information-rules-2011