Is there any data protection law in India?
Indian companies, whether they operated locally or served international clients, did not have any serious data protection obligations, because India lacked a data protection law. Occasionally, international clients of Indian tech companies would require them to observe strict data protection standards under their contracts or service level agreements.
This was essential if they had an EU client, as the EU data protection norms did not allow data to be moved for processing to any country without observing a very high level of data security. There are instances showing that many Indian companies lacked the capability to enforce such norms through internal legal and technological mechanisms, because doing so increased costs, was too difficult to monitor, or for some other reason.
Overall, this limited the scope of work for most Indian outsourcing/data processing companies, especially with respect to Europe (the USA is yet to have data protection norms comparably strict to those of the European Union).
The situation in India has been changing, as India’s IT Act was amended in 2008 to include data protection provisions. This was done to make cross-border transfer of data easier with respect to regions which have stricter data protection regimes. It has only been partially implemented so far.
However, the Government is likely to make detailed rules soon to make the remaining parts enforceable, in accordance with its usual practice, and to make India a country compliant with strict EU data protection requirements for the promotion of the BPO industry.
Data protection when a public authority / government accesses private data
In India, data protection law is in a very nascent stage, especially when compared to the well-developed Directives in the EU. The Information Technology Act grants the status of confidentiality to any data or information which is accessed by an authority in the exercise of its powers under the Act. This was a useful protection against misuse of information in a country where abuse of power by police and investigation authorities is not uncommon. Apart from this, there was no other protection granted to data. As a civil society initiative, NASSCOM has set up the Data Security Council of India as a not-for-profit, self-regulatory organization to promote data protection standards for the IT industry.
New data protection obligations of commercial entities under 2008 amendment
However, another kind of confidentiality, which aims at protecting personal data from private parties, was only recently introduced into the Information Technology Act through the 2008 amendment. The amendment was introduced to make Indian law compliant with EU law on data protection, so that data could be passed on by European companies to India for processing.
The new section requires every entity handling, possessing or dealing with ‘sensitive personal data or information’ to implement and maintain reasonable security practices and procedures. If it is negligent in maintaining them and wrongful loss or gain is caused to any person, then it shall be liable to pay compensation. However, there are certain limitations to the application of this provision.
First, the entity handling the data must be engaged in professional or commercial activities. Therefore, NGOs and social service organizations do not come within its purview.
Second, it has been left to the Central Government to define what is sensitive personal information, in consultation with professional bodies. The Central Government has not yet issued any notification in respect of the same. Until the expression ‘sensitive personal information’ is defined, the provision is practically ineffective and cannot be enforced. Fortunately, the DSCI website mentions that the Government shall be defining and notifying it soon.
Third, confidentiality and personal data are not per se protected. A simple leak of the data will not be covered unless somebody wrongfully gains or loses from it. Even after a notification is issued, the liability of a service provider for breach of confidentiality is likely to hinge upon whether someone suffered any wrongful gain or loss.
Obligations on a service provider handling sensitive data
Once the scope of sensitive personal data is defined by the Government, a company providing goods or services and handling such data is required under the law to maintain reasonable security practices and procedures. In order to assess which practices are reasonable, there are three determining factors:
1. An agreement or contract between the service provider and the customer (if there is any)
If there has been an agreement between the company and the customer, then the procedures mentioned in the agreement must be implemented.
2. Security practices and procedures specified under any law for the time being in force
While there is no umbrella legislation for data protection specifying security practices presently, we could soon have one, as explained in the next paragraph. Further, in certain sectors such as banking, insurance and financial services, security procedures have to be in compliance with the directions passed by sectoral regulators. Credit information companies specifically have the obligation to keep certain kinds of data confidential.
Recently (November 2010), a draft proposal for a new data protection law was submitted to the Government, which may be accessed here. The draft contains a detailed list of the categories of information that could be described as personal, and it argues for protection from State and private entities equally. The draft has been released for public comment by the group working on data protection and confidentiality issues in the Department of Personnel and Training, the nodal agency of the Government for coordinating efforts on an independent privacy law. This paves the way for a more elaborate data protection law to be introduced in India.
3. In the absence of either of the two conditions above, such procedures which the Central Government may specify in consultation with professional bodies or associations
If a company does not fall under any of the sectors where the regulators have passed specific directives, and if it has also not entered into any such agreement with the customer, then any standards prescribed by the Central Government will become relevant. So far, no such standards have been prescribed. However, one may hope that data protection procedures and standards will be specified if the specific data protection law mentioned in point 2 is passed.
Interestingly, the Data Security Council of India released a study in December this year on Reasonable Security Practices under the IT Amendment Act, 2008, jointly conducted by DSCI and TCS and released at the Information Security Summit 2010, which is available here. For IT companies and all those handling personal data, it may be useful to go through this guide and be ready in advance for the change.