Data Protection, Privacy And Cyber Law In INDIA

Update: 2016-09-28 07:05 GMT

India does not have a dedicated law on data protection or privacy but it has adopted the hybrid approach of coming up with one mother legislation that deals with all aspects pertaining to the digital format

The entire world was recently shaken up by the latest hacking scandal: the Ashley Madison hack. In this incident, Ashley Madison, an online dating site, was hacked by cyber criminals who were not only able to copy huge volumes of data, but were also able to successfully publish the said data dump on the Internet. This incident, apart from being a high-level cyber security breach, also has huge ramifications for the various stakeholders involved. At the time of writing, it has been reported that the said data dump shows various government officials and bureaucrats accessing the dating site using official computers and networks. Further, a couple of suicides have already been reported as a result of the said leakage. In the Indian context, it has been reported that more than a lakh and a half of the names in the total data dump belong to Indians. The Ashley Madison hack today symbolises not just the evil side of a cyber security breach, but has also spelt out disastrous consequences for the reputation, goodwill and standing of respected citizens in society whose private dealings on online dating websites now stand exposed in the public domain.

This entire incident once again brings to the forefront an important issue pertaining to the protection of data as also privacy. In fact, data protection and privacy are concepts which are intrinsically linked and directly connected with each other. However, the two concepts look at different objectives and ends. Consequently, data protection and privacy are distinct concepts which are sought to be addressed by distinct legal frameworks in different parts of the world.

In the Indian context, we quickly need to appreciate that India has neither a dedicated data protection law nor a dedicated law on privacy. India has adopted the hybrid approach of coming up with one mother legislation that deals with all aspects pertaining to the digital format. Following the adoption of the UNCITRAL Model Law on Electronic Commerce by the General Assembly of the United Nations, India started working on its own national legislation to promote e-commerce. Consequently, the Information Technology Act, 2000 was enacted for the purpose of giving a boost to e-commerce and providing a legal framework for electronic governance activities. By the time the law was amended by the Information Technology (Amendment) Act, 2008, it had transformed itself from a mere e-commerce enabling legislation into an all-comprehensive mother legislation dealing with all aspects pertaining to the use of computers, computer systems, computer networks, computer resources and communication devices, as also data and information in the electronic form. Under the said legislation, some provisions have been incorporated which have an impact upon protecting data. The Government of India has been given the power to come up with various rules and regulations to give effect to various provisions of the Information Technology Act, 2000. Consequently, in April 2011, the Government of India came up with four sets of rules which are collectively known as the Information Technology Rules, 2011. The said Rules have sought to create a distinctive legal framework for data protection in India. Of particular relevance among the said Rules are two: the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 and the Information Technology (Intermediaries Guidelines) Rules, 2011.

Seen from another perspective, the said Rules have gone ahead and laid down various provisions for data protection that go much beyond the scope and ambit of the mother legislation, the Information Technology Act, 2000. In that sense, the said Rules have overreached the ambit and scope of the main legislation, Indian Cyber law, and have instead come up with a surrogate regime on data protection. By virtue of the landmark judgement of the Supreme Court in the case of Shreya Singhal v/s Union of India, the constitutional validity of various provisions of the Information Technology Act, 2000 as also the Information Technology (Intermediaries Guidelines) Rules, 2011 was upheld.

From the corporate angle, it needs to be appreciated that the Information Technology Act, 2000 as also the rules and regulations made thereunder are the relevant mother code that needs to be complied with by corporates in India until such time as the said legislation is amended, altered, reviewed or modified accordingly.

A body corporate, which receives, possesses, deals or handles information in India is mandated to have various policies and compliances in place.

Corporates need to be alive to the fact that the law has gone ahead and given an expansive definition of personal information to mean any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person. Further, the law has gone ahead and defined what constitutes sensitive personal data or information.

Sensitive personal data or information of a person has been defined to mean such personal information which consists of information relating to:

  • Password;
  • Financial information such as Bank account or credit card or debit card or other payment instrument details;
  • Physical, physiological and mental health condition;
  • Sexual orientation;
  • Medical records and history;
  • Biometric information;
  • Any detail relating to the above clauses as provided to a body corporate for providing service; and
  • Any of the information received under the above clauses by a body corporate for processing, stored or processed under lawful contract or otherwise.

Companies are required to have detailed terms and conditions, rules and regulations as also privacy policies, while handling or dealing with information including sensitive personal information or data. Companies should also have policies for collection, preservation, retention, disclosure and transfer of sensitive personal information.

Further, the Indian Cyber law recognises all corporates which deal with personal information and sensitive personal data of others as intermediaries. The said intermediaries are mandated to exercise due diligence while discharging their obligations as intermediaries under the Information Technology Act, 2000. Consequently, in this context, the said companies are mandated to have in place reasonable security practices and procedures, as also comprehensive documented information security programmes and information security policies that contain managerial, technical, operational and physical security control measures commensurate with the information assets being protected and the nature of the business.

Further, if the said corporates are dealing with, handling or processing sensitive personal data or information, they have no choice but to implement and maintain reasonable security practices and procedures. If they fail to do so, and pursuant to their failure and negligence to implement and maintain reasonable security practices and procedures a wrongful loss or wrongful gain is caused to any person, the same becomes a ground for seeking unlimited damages by way of compensation against the said corporates. Further, the failure to comply with the mandatory requirements of the law could also expose the top management of companies to criminal liability in the form of imprisonment and fine.

Thus, corporates in India increasingly need to ensure that their compliances under Indian Cyber law are in place.

As of date, the law pertaining to electronic data and its protection is only beginning to evolve. In actual terms, Indian Cyber law and the rules and regulations made thereunder concerning data protection are complied with more in the breach than in the observance. However, corporates have to quickly realise that there are immense reputational risks in not complying with the law. Corporates have to ensure that they have documented compliance with the law in order to protect themselves from any unforeseen exigency that could land at their doors unannounced. Further, in the context of privacy, the law does not say much. Indian cyber law has adopted a somewhat primitive approach to personal privacy, and issues of data privacy have not been elaborated in detail. There has been some talk of coming up with a dedicated law on privacy in the country. However, that has not yet seen the light of day. The Justice AP Shah Committee recommended to the Government various steps that need to be taken for ensuring privacy. However, the said recommendations have not been implemented to date.

Seen from an overall perspective, companies today have to realise that they are not just intermediaries but also data repositories, in the sense that they are dealing with huge volumes of data of employees, business partners, associates as also third parties. In such a scenario, such companies, as intermediaries, must ensure compliance with the law in order to be on the right side of it. Failure to comply with the law could expose the company to unnecessary civil and criminal consequences. It should be the topmost priority of any company to protect its top management as also its legal interests. Compliance with the existing law, howsoever deficient or inadequate, is the only way forward for corporates for the purposes of protecting and preserving their legal interests.

Disclaimer – The author Pavan Duggal, Advocate, Supreme Court of India, is Asia’s & India’s leading expert and authority on Cyberlaw & Mobile Law and has been acknowledged as one of the top four cyber lawyers in the world.