This article is written by Amala Maria George pursuing Diploma in Cyber Law, FinTech Regulations, and Technology Contracts from LawSikho.com.
In a survey conducted by Sophos on cybersecurity, 52% of companies said that they had been victims of a successful cybersecurity attack in the previous 12 months. The Covid-19 pandemic has forced more companies to work from home and has brought an increase in online activity and digital transactions. A host of companies, including Linkedin, Upstox, Facebook, MobiKwik and Domino’s India, have fallen prey to data breaches in recent months. These developments have highlighted the huge regulatory lacunae in the Indian data privacy and cybersecurity area. Although discussions on a data privacy regulation and regime have been going on since July 2017, with the constitution of the B.N. Srikrishna committee and the release of the white paper in November 2017, the Personal Data Protection Bill introduced in Parliament in December 2019 is yet to be passed and has not yet become legislation.
In the absence of exhaustive legislation on data privacy, with an increasingly digital business environment and a rising number of cyber-attacks and data breaches, it is imperative that corporates in India adopt international best practices in data privacy and security. This article evaluates the existing data privacy regime in India, analyses the requirements laid down in the Personal Data Protection Bill, 2019 (“PDP Bill”) and covers the kind of practices corporates in India can adopt in the interim period.
Existing data privacy regulations and obligations in India
Currently, in India, corporates and business entities are bound by data privacy and security regulations in the form of rules made under the Information Technology Act, 2000 and the regulations, circulars, and guidelines issued by the financial sector regulators.
The Information Technology Act, 2000 (“the Act”) has provisions relating to cybersecurity and in particular two provisions relating to the protection of sensitive personal data or information. Section 43A provides damages by way of compensation to the person affected if a corporate body is negligent in dealing with sensitive personal data or information. Section 87 provides the Central government the power to make rules to provide for reasonable security practices and procedures and sensitive personal data or information under section 43A. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (“SPDI Rules”) were made in this regard.
Analysis of SPDI Rules
Definition of what constitutes sensitive personal data or information
The SPDI Rules define personal information and sensitive personal data or information (SPDI), and are applicable to body corporates or persons located in India. The SPDI Rules define personal information to mean any information relating to a natural person which, in combination with other information available with the corporate, is capable of identifying such person, and define SPDI to mean personal information relating to the eight kinds of data listed in the definition. Although the distinction is made, the legislative authority of the SPDI Rules is restricted to SPDI as defined, and obligations relating to personal information may not be enforceable in courts of law.
The Rules are applicable to body corporates, which have been defined to include companies, firms, sole proprietorships, or other associations of individuals engaged in commercial or professional activities. It was later clarified, vide a press note, that the Rules apply to a body corporate or person located in India. This restricts the applicability only to business entities and leaves a wide gap in the regulation of non-profit organizations, governmental bodies, and departments. It also raises the question of whether corporates outside India but with computer resources in India, or providing internet-based services to people in India, will have to comply with the regulations.
The Rules require body corporates to obtain consent from the provider of SPDI in writing, by fax or email, or through any mode of electronic communication. This consent should be based on disclosure of the collection of such information and of the purpose and usage of the information collected. The body corporate shall also take steps to ensure that the person knows who the recipients of the data are and the name and address of the agencies collecting and retaining the information. Rule 5 also provides that the body corporate should give the person providing the information an option not to provide such information and an option to withdraw the given consent at any time while availing the services.
Disclosure of SPDI to third parties requires the prior consent of the provider of such information, with exceptions where the disclosure has been agreed in the contract between the body corporate and the provider, where disclosure is necessary for compliance with a legal obligation, where it is to government agencies in relation to the prevention, investigation or prosecution of offences, or where it is made by an order under law.
Purpose limitation and data minimization
Rule 5 also embodies the principles of purpose limitation and data minimization by requiring that the body corporate not retain the data longer than required for the stated purposes, and that only the data necessary for that purpose be collected.
Review and correction
Rule 5 requires that the provider of information be allowed to review the data and, if it is found to be inaccurate or deficient, to have it corrected or amended where feasible.
The body corporate is required to designate a Grievance Officer to address any discrepancies and grievances of the provider of the information with respect to the processing of that information, expeditiously and within one month of receipt of the grievance. The nature of the discrepancies and grievances for which the provider of information can have recourse is unclear, and there is no recourse provided in case the Grievance Officer fails to resolve the issue.
Transfer of information
Transfer of information to another body corporate or person may be done only if that body corporate or person ensures the same level of data protection as is provided for in the SPDI Rules. The transfer may be done only if it is necessary for the performance of the contract or if the provider of the information has consented to it.
Reasonable security practices and procedures
The SPDI Rules require body corporates to have reasonable security practices and procedures which are comprehensive, documented and commensurate with the nature of the data and the business. The SPDI Rules lay down that a body corporate which has implemented either the IS/ISO/IEC 27001 standard or the codes of best practices for data protection approved and notified by the central government shall be deemed to have complied with reasonable security practices and procedures. There is also a requirement of an audit every year, or whenever the body corporate undertakes a significant upgrade of its processes.
Data privacy regulations in the financial services sector
The financial sector regulators of India, namely the Reserve Bank of India (“RBI”), the Insurance Regulatory and Development Authority of India (“IRDAI”), and the Securities and Exchange Board of India (“SEBI”), have laid down extensive and detailed cybersecurity frameworks or guidelines for their regulated entities. These are quite comprehensive and cover data at all stages, i.e. data at the source, in motion, in use, at rest, and at destruction. There are a few common threads, such as the requirement of a Board-approved cybersecurity plan, planning for a cybersecurity crisis and its response, a business continuity plan, a risk management framework, audit requirements, access control systems, periodic training of employees and staff, third-party management, etc. IRDAI and RBI have also put in place data localization norms and requirements for their regulated entities.
Summary of requirements under the Personal Data Protection Bill 2019
This section briefly summarizes the requirements of the much-awaited and much-dissected PDP Bill, 2019:
- The PDP Bill defines Personal data and Sensitive personal data differently and clearly specifies different obligations for both kinds of data.
- It clearly defines the applicability of the proposed law: the processing of personal data within India, the processing of personal data by the State, Indian entities or citizens, and the processing of personal data in connection with any activity regarding data principals within India or any business carried on in India. It clearly excludes the processing of anonymized data from its ambit.
- It lays down obligations of data fiduciaries like purpose limitation and data minimization, notifying the data principal of the nature and purposes of data collection, notifying data breach to the Data Protection Authority when such a breach is likely to cause harm to any data principal and limitation on data storage period.
- It clearly defines and delineates the kind of consent required for personal data and sensitive personal data. For sensitive personal data, it requires affirmative and explicit consent not inferred through conduct.
- It codifies the rights of the data principal such as the right to access to the data, right to confirmation or correction or erasure of the data, right to data portability and right to be forgotten.
- It prescribes security safeguards, including de-identification and encryption, and steps to protect the integrity of personal data.
- It exhaustively deals with system controls by mandating data protection impact assessment for significant data fiduciaries, record keeping and audits, and appointment of a data protection officer.
- It requires data localization of sensitive personal data and mandates that data notified as critical personal data must only be processed within India. There are restrictions on cross-border transfer such as it being based on contract and consent of the data fiduciary.
Best practices for Indian corporates to adopt an effective and compliant framework for data privacy
After this brief analysis of the existing regulations and the possible future legislation for data privacy, we move on to a quick guide for setting up an effective and compliant framework for data privacy. Adopting these practices will ensure a smooth transition when the PDP Bill becomes law and will ensure that customer data, and by extension customer trust, are protected at all times.
Giving notice to customers and persons whose data is being collected means giving them information regarding the data being collected; this provides transparency and helps in building the trust of the customers. The notice should set out:
- the kinds of data it will be collecting,
- the purpose of the data being collected and how it will be used,
- whether it will be shared with third parties and who will have access to the data,
- the grievance redressal mechanism available to the customers.
There should be no secret record-keeping systems apart from what is declared in the notice. Once the notice is prepared, corporations need to decide, based on the corporate’s commitment to data privacy, how to share it with the customers. The notice should be accessible to its customers. The corporates can consider:
- Putting the notice up on the website in an accessible and noticeable area
- Whether it should be displayed to the customer every time before consent to data collection and processing is given
- Whether to provide frequent reminders (annually or quarterly) in the form of emails or alerts to the customers
- Whether the company wants to take acknowledgment from the customers that they have seen, read, and understood the privacy notice or whether only sending/ making available the notice to the customers is sufficient.
Consent is one of the cornerstones of an effective data privacy compliance framework. Taking informed consent from the customers can in some cases negate the liability of the corporates in case of cybersecurity breaches. There are a number of ways of taking and recording consent.
Implied consent based on conduct
Some companies do not take explicit consent but rather infer consent from the conduct of the customer in availing the services. This could be practiced by putting up a privacy notice on the website or a simple pop-up notification stating “by using the website you agree to our terms of privacy”. In such a case the customer will not be actively choosing to agree or disagree; the customer’s consent will be recorded by way of conduct.
Companies may instead have a checkbox requiring consent from the customer to proceed. Completing it is mandatory to proceed, hence the customer has to opt in or opt out.
- Opt-out consent: In this mechanism, the affirmative consent indicator is automatically checked or chosen by default, even though the customer can change the selection. These companies capitalize on the web browsing patterns of consumers, who will not change a selection or read the terms and conditions and choose to agree with the pre-selected options.
- Opt-in consent: In contrast to the opt-out mechanism, here the default selection is the negative option, or there is no default selection, so customers are required to manually choose the affirmative option to give positive consent.
Consent for primary and secondary usage of data collected
Companies often collect data for a primary purpose and may store the data for use in secondary purposes. For example, a pizza delivery would require contact and address details for a particular order placed by the customer; this would be the primary purpose of the data collection. However, the company retains and stores the data to send promotional messages, run advertising campaigns, and offer a faster checkout process for future orders, which is the secondary usage of the data. This can be done by a blanket consent taken for both kinds of usage, or companies can take separate consent for primary and secondary usage of the data using either opt-in or opt-out mechanisms. Since data collected for secondary purposes like promotional campaigns is a potential source of revenue, and consumers given a choice often do not consent to it, blanket consent mechanisms are often used by companies.
It is advisable to have an opt-in consent mechanism for sensitive personal data to comply with the EU GDPR and the impending PDP Bill.
Withdrawal of consent
Data subjects should be provided with the opportunity to withdraw consent at any point during their relationship with the service providing corporate or thereafter.
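The consent mechanisms described above (opt-in versus opt-out defaults, separate consent for primary and secondary purposes, and withdrawal at any time) and the purpose limitation and retention requirement of Rule 5 can be enforced in one place rather than scattered through application code. The following is an added illustration, not code from the article or from any regulator; the purpose names, retention periods, customer identifier and consent events are constructed for the example, and the retention periods are assumptions, not values taken from the SPDI Rules or the PDP Bill.

```python
# Purpose-scoped consent ledger (added example; all purposes, retention periods
# and sample events are constructed assumptions for illustration).
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional


class Mode(Enum):
    OPT_IN = "opt-in"    # nothing pre-selected: consent must be given explicitly
    OPT_OUT = "opt-out"  # consent pre-selected: the subject must actively decline


@dataclass(frozen=True)
class ConsentEvent:
    subject: str
    purpose: str
    given: bool      # True = consent given, False = refused or withdrawn
    at: datetime
    evidence: str    # how the decision was captured, e.g. which form and version


class ConsentLedger:
    """Append-only record of consent decisions, queried per subject and purpose."""

    def __init__(self, mode: Mode, retention: Dict[str, timedelta]):
        self.mode = mode
        self.retention = retention   # purpose -> how long data for it may be kept
        self._events: List[ConsentEvent] = []

    def record(self, subject: str, purpose: str, given: bool,
               at: datetime, evidence: str) -> None:
        # Purpose limitation: a purpose with no declared retention period cannot be used.
        if purpose not in self.retention:
            raise ValueError(f"unknown purpose {purpose!r}: declare its retention first")
        self._events.append(ConsentEvent(subject, purpose, given, at, evidence))

    def withdraw(self, subject: str, purpose: str, at: datetime) -> None:
        # Withdrawal is a later negative event; earlier events are kept as audit trail.
        self.record(subject, purpose, False, at, "withdrawal request")

    def latest(self, subject: str, purpose: str) -> Optional[ConsentEvent]:
        hits = [e for e in self._events if e.subject == subject and e.purpose == purpose]
        return max(hits, key=lambda e: e.at) if hits else None

    def has_consent(self, subject: str, purpose: str) -> bool:
        event = self.latest(subject, purpose)
        if event is not None:
            return event.given
        # No explicit decision recorded: only an opt-out design treats silence as consent.
        return self.mode is Mode.OPT_OUT

    def may_process(self, subject: str, purpose: str,
                    collected_at: datetime, now: datetime) -> bool:
        # Consent for this purpose AND data still within its retention window.
        within_retention = now - collected_at <= self.retention[purpose]
        return self.has_consent(subject, purpose) and within_retention

    def history(self, subject: str) -> List[ConsentEvent]:
        return sorted((e for e in self._events if e.subject == subject), key=lambda e: e.at)


def demo() -> Dict[str, object]:
    """Walk through the pizza-delivery example with constructed data."""
    t0 = datetime(2021, 6, 1, tzinfo=timezone.utc)
    retention = {"order_fulfilment": timedelta(days=90),   # assumed, primary purpose
                 "promotions": timedelta(days=365)}         # assumed, secondary purpose
    out: Dict[str, object] = {}

    opt_in = ConsentLedger(Mode.OPT_IN, retention)
    opt_in.record("cust-42", "order_fulfilment", True, t0, "checkout form, mandatory checkbox")
    out["opt_in_primary"] = opt_in.may_process("cust-42", "order_fulfilment", t0, t0 + timedelta(days=1))
    out["opt_in_secondary_default"] = opt_in.has_consent("cust-42", "promotions")
    out["opt_in_after_retention"] = opt_in.may_process("cust-42", "order_fulfilment", t0, t0 + timedelta(days=91))

    opt_out = ConsentLedger(Mode.OPT_OUT, retention)
    opt_out.record("cust-42", "order_fulfilment", True, t0, "checkout form, pre-checked box")
    out["opt_out_secondary_default"] = opt_out.has_consent("cust-42", "promotions")
    opt_out.withdraw("cust-42", "promotions", t0 + timedelta(days=10))
    out["opt_out_after_withdrawal"] = opt_out.has_consent("cust-42", "promotions")
    out["opt_out_history_len"] = len(opt_out.history("cust-42"))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The difference between the two designs shows up only in the absent-decision case: under opt-in, the secondary "promotions" purpose is refused until the customer actively agrees, while under opt-out it is allowed by default and the customer has to withdraw. Because withdrawal is recorded as a new event rather than by deleting the old one, the ledger doubles as the evidence of consent that a Grievance Officer or regulator may ask for.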
Purpose limitation and data minimization
Access and correction: Right to erasure
It is recommended that corporates provide data subjects with access to their data and the right to correction of data in case of any discrepancy or error. Access to the data may be based on a fee model in some cases where the data is difficult to track or gather, depending on the company. An option for erasure of data should ideally be provided by corporates, although this would prove difficult for some business models and industries, such as internet search engines.
Most corporates have to share some part of the data with third-party vendors or service providers to ensure completion of a service or to provide better and more efficient services. For instance, a social media application might share the mouse-tracking data it collects on its websites with advertisers to understand consumer preferences and behavior. Another example is a banking service provider sharing its website tracking data with marketing companies to understand the needs and preferences of the customer and provide targeted advertising.
- Managing risks associated with data sharing: Companies also need to ensure that there are systems in place to verify the security safeguards of such third-party vendors and service providers. One way of ensuring that third parties have security safeguards is through specific information security clauses and downstream assurances in the agreements. Agreements must have clauses on the vendor implementing specific data security standards or acceptable data privacy and security practices, sharing personal information only on a need-to-know basis, defining ownership of data, purging data after usage, indemnity in case of a breach, data privacy compliance training for employees and staff of the third party, and allowing periodic systems audits by the company sharing the data. Companies should undertake anonymization or encryption of data wherever possible before sharing it with third parties.
- Training and sensitization of employees and staff: Any company with a good compliance culture knows the importance of compliance training and sensitization, and the same applies to data privacy. It is essential for corporates to sensitize employees who deal with the personal data of consumers. Training should be appropriate and adequate to the employee's level of access to confidential and private data, or to their position in the hierarchy.
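The recommendation to anonymize or encrypt data before it reaches a third party, and to share personal information only on a need-to-know basis, is easier to audit when the minimization step is a single function that the export pipeline has to pass through. The following is an added example, not code from the article; the customer records, field names, PIN code prefix rule and age bands are constructed for illustration, and the pseudonymization key is a placeholder that a real deployment would hold in a secrets store and never send to the vendor.

```python
# Minimize and pseudonymize records before sharing with a vendor (added example;
# records, field names and generalization rules are constructed assumptions).
import hashlib
import hmac
from typing import Dict, Iterable, List

# Fields that identify a person directly and must never leave the company.
DIRECT_IDENTIFIERS = {"customer_id", "name", "email", "phone", "address", "pin_code"}

# Constructed sample records, as an online retailer might hold them.
SAMPLE_RECORDS: List[Dict[str, object]] = [
    {"customer_id": "C1001", "name": "Example Customer A", "email": "a@example.invalid",
     "phone": "+91-00000-00001", "address": "12 Example Road", "pin_code": "560001",
     "age": 34, "orders_last_90d": 5, "last_category": "pizza"},
    {"customer_id": "C1001", "name": "Example Customer A", "email": "a@example.invalid",
     "phone": "+91-00000-00001", "address": "12 Example Road", "pin_code": "560001",
     "age": 34, "orders_last_90d": 5, "last_category": "dessert"},
    {"customer_id": "C2002", "name": "Example Customer B", "email": "b@example.invalid",
     "phone": "+91-00000-00002", "address": "7 Sample Lane", "pin_code": "110017",
     "age": 67, "orders_last_90d": 1, "last_category": "pizza"},
]


def pseudonym(key: bytes, customer_id: str) -> str:
    """Keyed token for a customer: stable for the same id under the same key,
    so the vendor can link a customer's records, but not reversible without
    the key, which stays with the data-sharing company."""
    return hmac.new(key, customer_id.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def age_band(age: int) -> str:
    """Generalize exact age into a coarse band (constructed bands)."""
    lower = (age // 10) * 10
    return f"{lower}-{lower + 9}"


def minimize_for_vendor(records: Iterable[Dict[str, object]], key: bytes,
                        allowed_fields: Iterable[str]) -> List[Dict[str, object]]:
    """Keep only the fields the vendor needs, replace the identifier with a
    pseudonym, and generalize quasi-identifiers (age, PIN code)."""
    allowed = set(allowed_fields)
    # Need-to-know: the allow-list can never override the direct-identifier block-list.
    forbidden = allowed & DIRECT_IDENTIFIERS
    if forbidden:
        raise ValueError(f"direct identifiers cannot be shared: {sorted(forbidden)}")
    shared = []
    for rec in records:
        row: Dict[str, object] = {"customer_token": pseudonym(key, str(rec["customer_id"]))}
        for field in allowed:
            row[field] = rec[field]
        if "age" in row:
            row["age"] = age_band(int(row["age"]))
        # PIN code is a quasi-identifier: keep only the first three digits
        # (a sorting-district level of locality) if the vendor needs geography at all.
        if "pin_code" in rec and "region" in allowed_fields:
            row["region"] = str(rec["pin_code"])[:3]
        shared.append(row)
    return shared


def leaks_identifier(shared: Iterable[Dict[str, object]]) -> bool:
    """Export gate: True if any direct identifier survived minimization."""
    return any(DIRECT_IDENTIFIERS & set(row) for row in shared)


if __name__ == "__main__":
    KEY = b"placeholder-key-load-from-secrets-store"   # placeholder, not a real key
    out = minimize_for_vendor(SAMPLE_RECORDS, KEY, ["age", "orders_last_90d", "last_category"])
    for row in out:
        print(row)
    print("identifier leak:", leaks_identifier(out))
```

Two properties matter when this is reviewed against the contract clauses above: the vendor receives a stable token, so analytics across a customer's records still work, but the token cannot be turned back into a customer identifier without the key, and a different key (for a different vendor, or after rotation) yields unrelated tokens, which prevents vendors from joining their datasets against each other.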
Implementation of a data privacy and security policy, effective systems, and processes
Data theft, hacking, ransomware, and the like are on the increase, and it is essential for companies to have a proper data privacy and security policy, effective technology tools, systems, and processes to ensure reasonable safeguards against cyber attacks and data theft.
- Confidential and personal information of customers should be shared with employees on a need-to-know basis.
- There should be system safeguards such as password authentication, hard-disk and data-copying authorization, and VPNs to ensure data security.
- There should be an effective use of technology and implementation of recognized or notified data security standards for information systems and processes.
- Periodic reviews or audits of systems and processes must be conducted either by the organization itself or third-party auditors. Companies must have processes for constant monitoring of threats and procedures for employees/ users to report possible cybersecurity threats.
It is recommended that corporates set up a dedicated grievance redressal point of contact and procedure for consumers who have grievances with respect to the way their data is being processed. There should be a well-defined timeline for the response to and redressal of the grievance. This is a requirement under the SPDI Rules and under the PDP Bill.
The regulators and authorities must be notified in case of a data breach. Reporting of cybersecurity incidents to the Indian Computer Emergency Response Team (CERT-In) is currently a requirement under the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013. Notification to the Data Protection Authority (DPA) is also envisaged under the PDP Bill, and the DPA may require notification to the data principal as well. Under the EU GDPR, a data breach likely to result in a high risk to the rights and freedoms of natural persons has to be notified to the data subject as well. Corporates should decide on public notification of a significant data breach or an attempted cyber-attack based on the risk it poses to the customers. While reputation might be at stake, it is also essential to consider the rights of the customers and the corporate’s trust relationship with them.
It is essential that corporates have emergency response, a mitigation strategy, a cyber crisis management plan, and business continuity processes in place. These should be periodically reviewed and updated based on changes in the nature of data collected, updates to technology and systems, and the evolution of cyber threats. It is not only essential to review them periodically; they should also be tested for quick response and implementation.
With most corporates and brick-and-mortar businesses going digital, it is essential that corporates start putting data privacy and security systems and procedures in place. Even though there are lacunae in the data privacy regime in India, it is only a matter of time before the PDP Bill is enacted and corporates are burdened with a large set of compliance obligations. Adopting the best practices followed by international companies and setting up a good data privacy set-up in anticipation of the PDP Bill will be in favor of the corporates. Not only will it ensure a smooth transition for companies if and when the PDP Bill is enacted into legislation and implemented, but it will also help win and maintain the trust of the customers.