Data Protection 101 for Startups
Data protection law is concerned with questions of who can collect and use personal information and
the conditions under which it should be done. Prior to 2017, a large part of the Indian law on this
subject could be found in the Information Technology (Reasonable Security Practices and Procedures
and Sensitive Personal Data or Information) Rules, 2011 (“Data Protection Rules”) under the
Information Technology Act, 2000 (“IT Act”). Today, the Constitution of India, a plethora of cases and
sectoral regulations all must be read together for a comprehensive understanding of India’s data laws.
The Data Protection Rules and the IT Act
The Data Protection Rules impose general obligations on body corporates including companies, firms,
sole proprietorships, and other associations of individuals engaged in commercial or professional
activities, which handle sensitive personal data or information, or any persons who process personal
information on their behalf.
“Processing”
“Processing” is the broad term that includes collecting, receiving, possessing, storing, dealing, or
handling personal data. While these rules apply only to entities located in India, even those Indian
entities that process sensitive or personal information or the data of individuals situated outside India
are bound by their requirements.
“Sensitive personal data or information”
“Sensitive personal data or information” means passwords, financial information, physical,
physiological and mental health conditions, sexual orientation, medical records and history, and
biometric information. It does not include any personal data that is freely available or accessible in
the public domain or furnished under the Right to Information Act, 2005 or under any other law.
Consent, “opt-out”, withdrawal of consent
In general, consent is the foundation of the scheme of the Data Protection Rules. If consent for
processing data or information is obtained through a standard form contract, then the terms of that
contract must be reasonable.
Any person who provides data should have at all times, while availing services from body corporates,
an option to opt out of providing the data or information. They should also have the option to
withdraw consent that they might have provided earlier. However, if they do not consent or withdraw their
consent, the Data Protection Rules allow body corporates to deny the goods or services for which the
information was sought. People who provide data or information also have the right to review the
information they have provided and have it corrected if it is wrong.
Cross-border transfers
The export of sensitive personal data or information within or outside India is permissible, provided
that the same standards of data protection required in India are adhered to and that transfer is
necessary for the performance of a lawful contract or has been consented to by the provider of the
information.
Data retention
Apart from some financial sector entities that have to retain data for a certain period of time, there is
no prescribed limit to the period for which data can be stored. So even though the general principle
is that information should not be retained for longer than required, it is commonly retained until
limitation precludes any cause of action that may arise.
Complaints
Any complaints that the people who provide information may have with respect to the processing of
that information have to be addressed in a time-bound manner, and no later than a month from the
date of receiving the grievance. All companies that deal with data have to appoint a “Grievance
Officer” to redress such grievances.
Data Breaches
Some types of cyber security incidents, such as the targeted scanning or probing of critical networks
or systems, compromise of critical systems or information, and unauthorised access of IT systems or
data, have to be reported to the Indian Computer Emergency Response Team (“CERT-In”). It is an
organization set up under the IT Act, which has a duty to remain ethical and maintain “reasonable
controls and internal checks” to ensure the confidentiality of information relating to cyber security
incidents collected from individuals, organisations, and computer resources. All other data breaches
may be voluntarily disclosed to CERT-In.
Penalties
For negligence in implementing and maintaining security practices and procedures for protecting
sensitive personal data or information, a body corporate may be liable to pay compensation to the
people affected. No ceiling has been specified for the compensation that may have to be paid in this
fashion, which is separate from other penalties.
The penalty for disclosing information, documents, correspondence, electronic records, or other
material to third parties, without the consent of the person disclosing the information, can extend to
imprisonment for up to two years and fines. Directors and others responsible for the conduct of the
business may be liable for the offences of companies unless they prove they did not have knowledge
of the contravention or that they exercised diligence to prevent the offence. A larger penalty,
imprisonment for up to three years and a fine, may be imposed on people, including intermediaries,
if they disclose personal information to third parties in breach of contract or without the consent of
the person to whom the personal information belongs.
Authority
In the absence of a data protection authority, clarifications on the IT Act and the Data Protection Rules
must be sought from the Ministry of Communications and Information Technology (“MCIT”), which
does not have a formal process for it.
Sectoral Guidelines
In addition to the general obligations placed by the IT Act and the Data Protection Rules, more specific
regulations apply in the finance, telecom, and insurance sectors.
Banks have to, under the regulations of the Reserve Bank of India (“RBI”), preserve the confidentiality
and availability of personal and sensitive information through suitable systems and processes.
Information obtained by banks and non-banking financial institutions through “know your customer”
schemes should remain confidential. Banks need to ensure while considering requests for data from
the government or other agencies, that the disclosure of information does not violate laws relating to
secrecy in banking transactions. Banks also have to obtain consent from customers before revealing
any information about credit cards. The RBI even recommends board-approved information security
policies and information security committees.
Under the Unified Licence Agreements issued by the Department of Telecommunications, telecom
service providers (“TSPs”) have to safeguard the privacy and confidentiality of the information they
receive while providing services to customers. It can only be disclosed with the prior consent of the
owner of the information and all subsequent disclosure has to be in accordance with the consent
obtained. They also have to maintain records of call details, exchange details, and internet provider
details for at least one year.
Under regulations issued by the Insurance Regulatory and Development Authority of India (“IRDA”),
insurers have to ensure that the service providers to whom they outsource insurance activities
maintain the confidentiality and security of policyholders’ information even after their contract
terminates. If an outsourcing agreement is terminated, insurers should ensure that they retrieve the
information from service providers and that customer information is not used further by service
providers.
Europe’s GDPR
The GDPR, or the General Data Protection Regulation, is the European Union's comprehensive data
protection regime. In some circumstances, it applies even to entities that process personal
information in India. Those circumstances are:
(1) if the processing is related to the offering of goods or services to people located in the European
Union, or
(2) if the processing is related to the monitoring of any part of their behaviour that happens in the
European Union.
Two types of entities have obligations under the GDPR –
(1) controllers, which are the entities that determine the means and purposes of processing data, and
(2) processors, which are the entities that process data on behalf of the controllers.
The GDPR may apply to a vast majority of companies providing Software-As-A-Service, to outsourcing
companies, and to multinational companies that have subsidiaries in India.
Controller’s obligations
A controller's general obligation is to consider (a) the nature, scope, context, and purposes of
processing, and (b) the risks to the rights and freedoms (mainly privacy) of people, and implement
“appropriate technical and organisational measures” to comply with the GDPR.
To comply with the GDPR, a controller can implement data protection policies and adhere to codes of
conduct or certification mechanisms. A controller is obliged to consider the impact of processing on the
personal information of data subjects, at the time it determines the means of processing and then
throughout all its processing operations. This is called data protection by design. The GDPR also
requires a controller to ensure that the processing of personal data is ordinarily kept to the minimum
required for each specific purpose of processing. This is called data protection by default.
Data controllers should only process personal information lawfully. The GDPR lists the sets of
conditions, including the informed consent of data subjects, under which the processing of personal
information is lawful. For some types of information that are particularly sensitive, processing is only
lawful if an additional set of conditions is satisfied.
Controllers also have to adopt appropriate technical and organisational measures to ensure the
security and privacy of the personal data that they are processing. To determine what measures are
appropriate, they may have to first assess the risk to the privacy of data subjects. They may also have
obligations to limit the damage caused by threats to the privacy of data subjects, such as obligations
to notify data breaches.
Controllers are only allowed to use processors that guarantee technical and organisational measures
that meet GDPR standards under a written contract that establishes the terms of their relationship
and the obligations and rights of the controller.
The GDPR also lists the rights of data subjects over the data that is being processed, including the
rights to data portability and the right to erasure. These rights may place corresponding obligations
on controllers once they receive a request from a data subject. For instance, a data subject has a right
to receive from a controller the personal data in its control, in a commonly used format. Once a data
subject makes such a request to a data controller, the latter is obliged to make that information
available within a specified time period.
Processor’s obligations
A processor's most important obligation is to not process any personal information without
documented instructions from the controller. In addition to their contractual obligations to their
controllers, processors also have obligations in relation to security, record-keeping, and data breach
notifications.
Penalties
Non-compliance with the GDPR can attract administrative fines of up to 4% of the annual global
turnover of a controller or processor entity or €20 million – whichever is greater. It also provides
people the right to compensation for damage resulting from an infringement of the GDPR.
Impact of Puttaswamy
After many weeks of arguments, nine judges of India’s Supreme Court unanimously held in August
of 2017 that the right to privacy was an intrinsic element of the fundamental right to life and personal
liberty. Puttaswamy, as the judgment came to be known, changed the contours of privacy law. It has
affected the interpretation of privacy rules and given birth to what may become a robust common law
tort of violation of privacy, independent of the statutory rules.
Any law that encroached upon the right to privacy would be subject to constitutional scrutiny, the
Supreme Court said. Such a law would have to be (a) legal, (b) necessary, and (c) proportional. As such,
the decision changed the prism through which India’s data laws are to be viewed.
The Supreme Court also instructed the government of India to put in place a law to protect the privacy
of the personal information of Indian citizens from state and non-state actors. Some of the recent
efforts at lawmaking need to be seen in that context.
Data Localisation for Payment Systems
A notification issued by the RBI in April, 2018 has serious implications for the data management
measures taken by payment system operators, whether operating from within or outside India. They
have to ensure that all the data related to their payment systems, including the complete end-to-end
transaction details and information collected, carried, and processed as part of a message or payment
instruction, is stored only in systems located in India. The notification refers not only to data
stored with the system providers, but also with their service providers, intermediaries and third-party
vendors, and other entities in the payment ecosystem. The data relating to the foreign leg of an
international transaction can also be stored in the foreign country.
Apart from banks and NBFCs, this notification has fairly serious implications for fintech companies.
DISHA
The Ministry of Health & Family Welfare has published a draft Digital Information Security in
Healthcare Act (“DISHA”), which addresses the collection, storage, treatment, ownership, and
transmission of and access to “digital health data” by “clinical establishments”. It provides for the
rights of the owners of data through concepts such as “informed consent” and the rectification of
incorrect data. The privacy and confidentiality obligations of clinical establishments include physical
and technical measures and processes, procedures for data breaches, and training and oversight of
personnel.
Punishments for serious offences under DISHA can include a minimum fine of INR 500,000 and
imprisonment that can extend from three years up to five years.
Do reach out to us if you have any comments or questions.
Mathew Chacko (mathew@spiceroutelegal.com)
Ankita Hariramani (ankita.hariramani@spiceroutelegal.com)
Aadya Misra (aadya.misra@spiceroutelegal.com)
Aishwarya Todalbagi (aishwarya.todalbagi@spiceroutelegal.com)

More Related Content

PDF
Personal data protection bill
PDF
Personal Data Protection Bill 2018
PDF
An overview of the Indian Data Privacy Bill
PPT
Data protection in_india
PDF
India's Data Protection Law 2018- Future Road Ahead
PDF
Feedback on Draft Personal Data Protection Bill 2018 submitted to MEITY
PDF
Half day public-seminar_on_pdpa_2010_-_250711
PPT
Personal Data Protection in Malaysia
Personal data protection bill
Personal Data Protection Bill 2018
An overview of the Indian Data Privacy Bill
Data protection in_india
India's Data Protection Law 2018- Future Road Ahead
Feedback on Draft Personal Data Protection Bill 2018 submitted to MEITY
Half day public-seminar_on_pdpa_2010_-_250711
Personal Data Protection in Malaysia

What's hot (20)

PDF
An Indian Outline on Database Protection
PDF
GDPR and Analytics
PPT
Personal Data Protection in Malaysia
PPT
Data Privacy in India and data theft
PDF
Guide to-the-general-data-protection-regulation
 
PPTX
GDPR: 3 Months On | Guest Speaker: Data Protection Commissioners
PPTX
Data Protection & Privacy in Malaysian Total Hospital Information System
PDF
Data Protection Bill 2019 Participative Role of General Public
PDF
The Personal Data Protection Act challenge in Singapore
PDF
Pdpa(kewal)
PDF
(SACON) Nandan Nilekani - Identity Payments and Data Empowerment 
PDF
Complying with Singapore Personal Data Protection Act - A Practical Guide
PPTX
Gdpr powerpoint 15.01.18
PDF
Cognizant business consulting the impacts of gdpr
PDF
Complete Guide to General Data Protection Regulation (GDPR)
PPTX
Intercity technology - GDPR your training toolkit
PDF
Insight on Non-Personal Data Governance Framework
PDF
PPT
Data Protection Act
PPTX
Data protection and privacy
An Indian Outline on Database Protection
GDPR and Analytics
Personal Data Protection in Malaysia
Data Privacy in India and data theft
Guide to-the-general-data-protection-regulation
 
GDPR: 3 Months On | Guest Speaker: Data Protection Commissioners
Data Protection & Privacy in Malaysian Total Hospital Information System
Data Protection Bill 2019 Participative Role of General Public
The Personal Data Protection Act challenge in Singapore
Pdpa(kewal)
(SACON) Nandan Nilekani - Identity Payments and Data Empowerment 
Complying with Singapore Personal Data Protection Act - A Practical Guide
Gdpr powerpoint 15.01.18
Cognizant business consulting the impacts of gdpr
Complete Guide to General Data Protection Regulation (GDPR)
Intercity technology - GDPR your training toolkit
Insight on Non-Personal Data Governance Framework
Data Protection Act
Data protection and privacy
Ad

Similar to Startups - data protection (20)

PDF
Spice Route Legal Data Protection & Privacy Update
PDF
The Data Protection Act What You Need To Know
DOCX
Running head THE IMPACT OF GDPR IN IT POLICY1THE IMPACT OF GDP.docx
PDF
General data protection regulation GDPR
PPT
Safety And Security Of Data 4
PDF
A Brave New World Of Data Protection. Ready? Counting down to GDPR.
PDF
The principles of the Data Protection Act in detail - uk
PDF
GDPR for developers
PPT
Compliance audit under the Information Technology Act, 2000
DOCX
Running head THE IMPACT OF GDPR IN IT POLICY1THE IMPACT OF GDP.docx
PPTX
Lorson Resources Limited - Records & Information Presentation: Data Protectio...
PPTX
GDPR: Key Article Overview
PPS
Legislation
PPTX
General Data Protection Regulation or GDPR
PDF
LOPD - Spanish ethical and legal issues in the context of an international IC...
PDF
GDPR Whitepaper
PDF
Preparing for EU GDPR
DOCX
Running Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docx
DOCX
Running Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docx
PDF
Key Issues on the new General Data Protection Regulation
Spice Route Legal Data Protection & Privacy Update
The Data Protection Act What You Need To Know
Running head THE IMPACT OF GDPR IN IT POLICY1THE IMPACT OF GDP.docx
General data protection regulation GDPR
Safety And Security Of Data 4
A Brave New World Of Data Protection. Ready? Counting down to GDPR.
The principles of the Data Protection Act in detail - uk
GDPR for developers
Compliance audit under the Information Technology Act, 2000
Running head THE IMPACT OF GDPR IN IT POLICY1THE IMPACT OF GDP.docx
Lorson Resources Limited - Records & Information Presentation: Data Protectio...
GDPR: Key Article Overview
Legislation
General Data Protection Regulation or GDPR
LOPD - Spanish ethical and legal issues in the context of an international IC...
GDPR Whitepaper
Preparing for EU GDPR
Running Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docx
Running Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docx
Key Issues on the new General Data Protection Regulation
Ad

More from Mathew Chacko (16)

PDF
Overview of digital payments in india
PDF
Abuse of dominance
PDF
Competition law and Joint Ventures
DOCX
Blockchain (2019)
PDF
Video on Demand: Indian Law
PDF
An eye in the sky?
PDF
The defence india start up challenge
PDF
Anatomy of a simple India - Delaware flip
PDF
Online wallets: part 2 (compliance)
PDF
Wallets an overview
PDF
The long arm of the gdpr
PDF
ICOs: A Primer
PPTX
Transparency gdpr
PPSX
consent:gdpr
PPSX
The Law on Token sales
PPSX
Blockchain & the law 101
Overview of digital payments in india
Abuse of dominance
Competition law and Joint Ventures
Blockchain (2019)
Video on Demand: Indian Law
An eye in the sky?
The defence india start up challenge
Anatomy of a simple India - Delaware flip
Online wallets: part 2 (compliance)
Wallets an overview
The long arm of the gdpr
ICOs: A Primer
Transparency gdpr
consent:gdpr
The Law on Token sales
Blockchain & the law 101

Recently uploaded (20)

PDF
CRIMINAL PROCEDURE BY HON. JUSTICE BAH.pdf
PPTX
RULE_4_Out_of_Court_or_Informal_Restructuring_Agreement_or_Rehabilitation.pptx
PPTX
FFFFFFFFFFFFFFFFFFFFFFTA_012425_PPT.pptx
PPTX
Digital Security in Cyber Law and Mitigating Cyberxrimes
PPT
Understanding the Impact of the Cyber Act
PPT
Criminal law and civil law under of collage corriculum
PPTX
prenuptial agreement ppt my by a phd scholar
PDF
TRAFFIC-MANAGEMENT-AND-ACCIDENT-INVESTIGATION-WITH-DRIVING-PDF-FILE.pdf
PDF
The AI & LegalTech Surge Reshaping the Indian Legal Landscape
PDF
Vinayaka Mission Law School Courses and Infrastructure.pdf
PPTX
POSH Awareness and policy ppt with all design covering .
PDF
Kayla Coates Wins no-insurance case Against the Illinois Workers’ Benefit Fund
PPTX
Law of Torts , unit I for BA.LLB integrated course
PPTX
PART-3-FILIPINO-ADMINISTRATIVE-CULTURE.pptx
PDF
Nancy Gorby Sucessor Trustee Invoice.pdf
PPTX
Lecture Notes on Family Law - Knowledge Area 5
PPT
Understanding the Impact of the Cyber Act
PPTX
BUSINESS LAW AND IT IN CONTRACT SIGNING AND MANAGEMENT
DOCX
FOE Reviewer 2022.docxhgvgvhghhghyjhghggg
PPTX
2.....FORMULATION OF THE RESEARCH PROBLEM.pptx
CRIMINAL PROCEDURE BY HON. JUSTICE BAH.pdf
RULE_4_Out_of_Court_or_Informal_Restructuring_Agreement_or_Rehabilitation.pptx
FFFFFFFFFFFFFFFFFFFFFFTA_012425_PPT.pptx
Digital Security in Cyber Law and Mitigating Cyberxrimes
Understanding the Impact of the Cyber Act
Criminal law and civil law under of collage corriculum
prenuptial agreement ppt my by a phd scholar
TRAFFIC-MANAGEMENT-AND-ACCIDENT-INVESTIGATION-WITH-DRIVING-PDF-FILE.pdf
The AI & LegalTech Surge Reshaping the Indian Legal Landscape
Vinayaka Mission Law School Courses and Infrastructure.pdf
POSH Awareness and policy ppt with all design covering .
Kayla Coates Wins no-insurance case Against the Illinois Workers’ Benefit Fund
Law of Torts , unit I for BA.LLB integrated course
PART-3-FILIPINO-ADMINISTRATIVE-CULTURE.pptx
Nancy Gorby Sucessor Trustee Invoice.pdf
Lecture Notes on Family Law - Knowledge Area 5
Understanding the Impact of the Cyber Act
BUSINESS LAW AND IT IN CONTRACT SIGNING AND MANAGEMENT
FOE Reviewer 2022.docxhgvgvhghhghyjhghggg
2.....FORMULATION OF THE RESEARCH PROBLEM.pptx

Startups - data protection

  • 1. Data Protection 101 for Startups Data protection law is concerned with questions of who can collect and use personal information and the conditions under which it should be done. Prior to 2017, a large part of the Indian law on this subject could be found in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“Data Protection Rules”) under the Information Technology Act, 2000 (“IT Act”). Today, the Constitution of India, a plethora of cases and sectoral regulations all must be read together for a comprehensive understanding of India’s data laws. The Data Protection Rules and the IT Act The Data Protection Rules impose general obligations on body corporates including companies, firms, sole proprietorships, and other associations of individuals engaged in commercial or professional activities, which handle sensitive personal data or information, or any persons who process personal information on their behalf. “Processing” “Processing” is the broad term that includes collecting, receiving, possessing, storing, dealing, or handling personal data. While these rules apply only to entities located in India, even those Indian entities that process sensitive or personal information or the data of individuals situated outside India are bound by their requirements. “Sensitive personal data or information” “Sensitive or personal data or information” means passwords, financial information, physical, physiological and mental health conditions, sexual orientation, medical records and history, and biometric information. It does not include any personal data that is freely available or accessible in the public domain or furnished under the Right to Information Act, 2005 or under any other law. Consent, “opt-out”, withdrawal of consent In general, consent is the foundation of the scheme of the Data Protection Rules. 
If consent for processing data or information is obtained through a standard form contract, then the terms of that contract must be reasonable. Any person who provides data should have at all times, while availing services from body corporates, an option to opt out of providing the data or information. They should also have the option to withdraw consent that might have provided earlier. However, if they do not consent or withdraw their consent, the Data Protection Rules allow body corporates to deny the goods or services for which the information was sought. People who provide data or information also have the right to review the information they have provided and have it corrected if it is wrong.
  • 2. Cross-border transfers The export of sensitive personal data or information within or outside India is permissible, provided that the same standards of data protection required in India are adhered to and that transfer is necessary for the performance of a lawful contract or has been consented to by the provider of the information. Data retention Apart from some financial sector entities that have to retain data for a certain period of time, there is no prescribed limit to the period for which data can be stored. So even though the general principle is that information should not be retained for longer than required, it is commonly retained until limitation precludes any cause of action that may arise. Complaints Any complaints that the people who provide information may have with respect to the processing of that information have to be addressed in a time-bound manner, and no later than a month from the date of receiving the grievance. All companies that deal with data have to appoint a “Grievance Officer” to redress such grievances. Data Breaches Some types of cyber security incidents, such as the targeted scanning or probing of critical networks or systems, compromise of critical systems or information, and unauthorised access of IT systems or data, have to be reported to the Indian Computer Emergency Response Team (“CERT-In”). It is an organization set up under the IT Act, which has a duty to remain ethical and maintain “reasonable controls and internal checks” to ensure the confidentiality of information relating to cyber security incidents collected from individuals, organisations, and computer resources. All other data breaches may be voluntarily disclosed to CERT-In. Penalties For negligence in implementing and maintaining security practices and procedures for protecting sensitive personal data or information, a body corporate may be liable to pay compensation to the people affected. 
No ceiling has been specified for the compensation that may have to paid in this fashion, which is separate from other penalties. The penalty for disclosing information, documents, correspondence, electronic records, or other material to third parties, without the consent of the person disclosing the information, can extend to imprisonment for up to two years and fines. Directors and others responsible for the conduct of the business may be liable for the offences of companies unless they prove they did not have knowledge of the contravention or that they exercised diligence to prevent the offence. A larger penalty -
  • 3. imprisonment for up to three years and a fine, may be imposed on people, including intermediaries, if they disclose personal information to third parties in breach of contract or without the consent of the person to whom the personal information belongs. Authority In the absence of a data protection authority, clarifications on the IT Act and the Data Protection Rules must be sought from the Ministry of Communications and Information Technology (“MCIT”), which does not have a formal process for it. Sectoral Guidelines In addition to the general obligations placed by the IT Act and the Data Protection Rules, more specific regulations apply in the finance, telecom, and insurance sectors. Banks have to, under the regulations of the Reserve Bank of India (“RBI”), preserve the confidentiality and availability of personal and sensitive information through suitable systems and processes. Information obtained by banks and non-banking financial institutions through “know your customer” schemes should remain confidential. Banks need to ensure while considering requests for data from the government or other agencies, that the disclosure of information does not violate laws relating to secrecy in banking transactions. Banks also have to obtain consent from customers before revealing any information about credit cards. The RBI even recommends board-approved information security policies and information security committees . Under the Unified Licence Agreements issued by the Department of Telecommunications, telecom service providers (“TSPs”) have to safeguard the privacy and confidentiality of the information they receive while providing services to customers. It can only be disclosed with the prior consent of the owner of the information and all subsequent disclosure has to be in accordance with the consent obtained. They also have to maintain records of call details, exchange details, and internet provider details for at least one year. 
Under regulations issued by the Insurance Regulatory and Development Authority of India (“IRDA”), insurers have to ensure that the service providers to whom they outsource insurance activities to, maintain the confidentiality and security of policyholders’ information even after their contract terminates. If an outsourcing agreement is terminated, insurers should ensure that they retrieve the information from service providers and that customer information is not used further by service providers. Europe’s GDPR The GDPR, or the General Data Protection Regulation, is the European Union's comprehensive data protection regime. In some circumstances, it applies even to entities that process personal information in India. v v v
  • 4. They are: (1) if the processing is related to the offering of goods or services to people located in the European Union, or (2) if the processing is related to the monitoring of any part of their behaviour that happens in the European Union. Two types of entities have obligations under the GDPR – (1) controllers, which are the entities that determine the means and purposes of processing data, and (2) processors, which are the entities that process data on behalf of the controllers. Th GDPR may apply to a vast majority of companies providing Software-As-A-Service, to outsourcing companies, and to multinational companies that have subsidiaries in India. Controller’s obligations A controller's general obligation is to consider (a) the nature, scope, context, and purposes of processing, and (b) the risks to the rights and freedoms (mainly privacy) of people, and implement “appropriate technical and organisational measures” to comply with the GDPR. To comply with the GDPR, a controller can implement data protection policies and adhere to codes of conduct or certification mechanisms. They are obliged to consider the impact of processing on the personal information of data subjects, at the time it determines the means of processing and then throughout all its processing operations. This is called data protection by design. The GDPR also requires a controller to ensure that the processing of personal data is ordinarily kept to the minimum required for each specific purpose of processing. This is called data protection by default. Data controllers should only process personal information lawfully. The GDPR lists the sets of conditions, including the informed consent of data subjects, under which the processing of personal information is lawful. For some types of information that are particularly sensitive, processing is only lawful if an additional set of conditions are satisfied. 
Controllers also have to adopt appropriate technical and organisational measures to ensure the security of the personal data that they process. To determine which measures are appropriate, they may first have to assess the risk to the privacy of data subjects. They may also have obligations to limit the damage caused by threats to the privacy of data subjects, such as the obligation to notify personal data breaches to the supervisory authority (ordinarily within 72 hours of becoming aware of the breach) and, where the breach is likely to result in a high risk to individuals, to the affected data subjects. Controllers are only allowed to use processors that provide sufficient guarantees of technical and organisational measures meeting GDPR standards, and must engage them under a written contract that sets out the subject matter of the processing, the obligations of the processor, and the rights of the controller.
The GDPR also lists the rights of data subjects over the personal data that is being processed, including the right to data portability and the right to erasure. These rights place corresponding obligations on controllers once they receive a request from a data subject. For instance, a data subject has the right to receive from a controller the personal data concerning them in a structured, commonly used and machine-readable format. Once a data subject makes such a request, the controller is obliged to make that information available within a specified time period.
Processor’s obligations
A processor’s most important obligation is to not process any personal information except on documented instructions from the controller. In addition to their contractual obligations towards controllers, processors also have direct obligations in relation to security, record-keeping, and data breach notification.
Penalties
Non-compliance with the GDPR can attract administrative fines of up to 4% of the annual global turnover of a controller or processor or €20 million, whichever is greater. The GDPR also gives individuals the right to compensation for damage resulting from an infringement.
Impact of Puttaswamy
After many weeks of arguments, nine judges of India’s Supreme Court unanimously held in August 2017 that the right to privacy is an intrinsic element of the fundamental right to life and personal liberty. Puttaswamy, as the judgment came to be known, changed the contours of privacy law in India. It has affected the interpretation of privacy rules and may give birth to a robust common law tort of violation of privacy, independent of the statutory rules. Any law that encroaches upon the right to privacy would be subject to constitutional scrutiny, the Supreme Court said: such a law would have to be (a) backed by a valid law (legality), (b) necessary in pursuit of a legitimate state aim, and (c) proportionate to that aim. As such, the decision changed the prism through which India’s data laws are to be viewed.
The Supreme Court also instructed the government of India to put in place a law to protect the privacy of the personal information of Indian citizens from state and non-state actors. Some of the recent efforts at lawmaking need to be seen in that context.
Data Localisation for Payment Systems
A notification issued by the RBI in April 2018 has serious implications for the data management measures taken by payment system operators, whether operating from within or outside India. They have to ensure that all data related to their payment systems, including the complete end-to-end transaction details and the information collected, carried, and processed as part of a message or payment instruction, is stored only in systems located in India. The notification covers not only data stored with the system providers, but also data held by their service providers, intermediaries, third-party vendors, and other entities in the payment ecosystem. The data relating to the foreign leg of an international transaction may also be stored in the foreign country. Apart from banks and NBFCs, this notification has fairly serious implications for fintech companies.
DISHA
The Ministry of Health & Family Welfare has published a draft Digital Information Security in Healthcare Act (“DISHA”), which addresses the collection, storage, treatment, ownership, transmission of, and access to “digital health data” by “clinical establishments”. It provides for the rights of the owners of data through concepts such as “informed consent” and the rectification of incorrect data. The privacy and confidentiality obligations of clinical establishments include physical and technical security measures and processes, procedures for responding to data breaches, and training and oversight of personnel. Punishments for serious offences under DISHA can include a minimum fine of INR 500,000 and imprisonment of three to five years.
Do reach out to us if you have any comments or questions.
Mathew Chacko (mathew@spiceroutelegal.com)
Ankita Hariramani (ankita.hariramani@spiceroutelegal.com)
Aadya Misra (aadya.misra@spiceroutelegal.com)
Aishwarya Todalbagi (aishwarya.todalbagi@spiceroutelegal.com)