India does not have a specific legislation dedicated to data protection. At present, the Information Technology Act, 2000 (“IT Act”) read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“Privacy Rules”) recognises the concept of personal information and sensitive personal data and to that limited extent governs data protection and privacy in India. There are no all-encompassing data privacy laws in India.
The IT Act is applicable to offences or contraventions committed outside India if the act or conduct constituting the offence or contravention involves a computer, computer system or computer network located in India. Under the IT Act, a corporate entity is liable for any wrongful loss or wrongful gain caused to any person on account of negligence in maintaining reasonable security practices and procedures in relation to data/information. Disclosure of information in breach of a lawful contract is punishable by imprisonment for a term of up to three years, or with a fine of up to half a million USD, or with both.
Limited data privacy laws in India
The Privacy Rules state that an organisation, or any person acting on its behalf, shall obtain consent in writing from the provider of the sensitive personal data or information regarding the purpose of use before collecting the information. Disclosure of sensitive personal data or information by an organisation to any third party requires prior permission from the provider of such information, whether the information was provided under a lawful contract or otherwise.
The transfer of personal data by an Indian entity to an entity in a jurisdiction other than India is permissible when the receiving entity ensures and maintains the same level of data protection as the Indian entity transferring the data, and the transfer is either necessary for the performance of a lawful contract between the Indian entity and the provider of the information or has been consented to by that provider.
An entity will be considered to have complied with the conditions set out above if it has implemented security practices and standards comprising comprehensive information security programmes and information security policies that include managerial, technical, operational and physical security control measures. IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements” is one such standard referred to in the sub-rule.
Companies, as a general practice, enter into several contractual agreements with other companies, clients, agencies or partners to keep their information secure. Such agreements usually contain confidentiality and privacy clauses, as well as arbitration clauses for resolving any dispute that arises.
Such contractual obligations regarding data protection are safeguarded under the provisions of the Indian Contract Act, 1872, which provides remedies for contractual damages by way of compensation for violation of the terms of a contract or non-performance of its obligations.
The Indian Penal Code, 1860 also protects data by providing punishment for criminal breach of trust by way of imprisonment, which may extend to 3 years, or a fine, or both.
The Specific Relief Act provides preventive relief in the form of temporary and perpetual injunctions to a plaintiff to prevent the breach of an existing obligation in his or her favour, whether express or implied, or to award damages for unauthorised disclosure of confidential information.
A complaint can be filed before a consumer forum/commission alleging “deficiency in service” for misuse of personal data/information that the data subject provided to the service provider.
The right to privacy is a component of the Indian Constitution’s guarantee of the “Right to Life and Liberty in India”.
Impact of international developments
Recently, the European Court of Justice passed a landmark judgement in Maximillian Schrems v. Data Protection Commissioner and Digital Rights Ireland Ltd (“Safe Harbour Decision”) on the protection of personal data, upholding the sanctity of Directive 95/46. The decision in effect invalidated the ‘Safe Harbour’ principles, which enabled data flow between the US and the EU and were considered to provide an adequate level of data protection.
The Safe Harbour regime can no longer be used as a blanket exemption from the prohibition on transferring data outside the European Union, or outside a jurisdiction the Commission has found to provide adequate protection of data. The decision also calls into question the contracts used for transferring personal data from the EU to the U.S. In this regard, German DPAs have, since the decision, called into question the ability to use standard contracts governing the transfer of personal data to the U.S.
The transfer of data from the EU has become especially challenging for India. A report prepared for the European Communities, Directorate-General for Justice, Freedom and Security, found that data privacy laws in India do not provide adequate protection in accordance with EU standards. Therefore, following the Safe Harbour decision, it has become tougher for India to comply with the stringent standards required for data transfers with EU countries. In fact, the 2016 EU General Data Protection Regulation, issued as a result of the Decision, has brought about more rigorous commitments and obligations regarding the privacy of personal data and has also put in place a fine for non-compliance of up to 20 million euros or 4% of an organisation’s annual worldwide turnover, whichever is higher. Thus, a heavy burden has been placed on Indian companies to comply with the EU’s standards for the protection of personal data, failing which they may lose out on both market access and economic revenues.
In fact, a recent NASSCOM-Data Security Council of India (DSCI) survey found that EU clients are hesitant to set up their off-shore centres in India because of the gulf in the standard of data protection between the two jurisdictions and the resultant difficulty in international and intra-group data transfers. The resulting losses incurred by the Indian IT-BPO industry are estimated at USD 2-2.5 billion for a sample size of 15 companies. Further, DSCI has estimated that outsourcing business could grow by a further USD 50 million per annum once India is granted data secure status by the EU.
Developments for data privacy laws in India
In the absence of concrete data protection legislation, the government of India is in the process of finalising the Right to Privacy Bill/Personal Data Protection Bill in order to strengthen the laws for the protection of privacy in India. The Bill is yet to be released for public consideration. From information available in the public domain, it appears that the Bill proposes to establish a Data Protection Authority to ensure adequate protection of data.
The proposed Bill maintains that the right to privacy is part of the rights of a person under Article 21 of the Constitution, and that no person or entity can disclose sensitive personal data without informing the data subject (the person whose data is collected) and obtaining his or her prior consent.
The Safe Harbour Decision may have an adverse impact on the IT sector in India. The lack of specific legislation dealing with data protection and data privacy in India is often cited as a reason for companies to avoid outsourcing business to India. However, the existing legal framework provides adequate measures to safeguard the interests of data subjects, and the contractual and self-regulatory mechanisms give international investors and corporations a level of confidence in the safety and protection of personal data.