Bhumesh Verma, Managing Partner, and Soumya Shekhar, Associate
The term ‘General Data Protection Regulations’ or ‘GDPR’ has the world baffled. The EU has come up with a new set of data privacy norms which are bound to have far-reaching effects. In the aftermath of its implementation on May 25, 2018, corporates all over the world are revamping their data privacy policies to mirror the GDPR requirements.
In the wake of data security breaches involving big players such as Facebook, Paytm and Google, the GDPR appears to be a strong step taken by the EU towards the maintenance of data security. It is high time that Indian lawmakers too evaluate whether our extant data protection regime is adequate to address the challenges posed by an increasingly transparent world.
The so-called ‘Digital India’, the cashless economy towards which India is fast progressing, entails the transmission of personal data, including sensitive data such as card details and bank account numbers. It is essential to have in place a robust legal framework designed to prevent data breaches. India does not have a dedicated data protection legislation.
Currently, it is the Information Technology Act, 2000 along with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, which deal with data security in India.
In this article, we present a comparative analysis of the data protection regime in India vis-à-vis the GDPR and comment on the lessons that we may learn from the way data security is treated by the more developed legal systems of the world.
The right to privacy has been recognised as a fundamental right in India under our Constitution. A recent Supreme Court judgement upheld the right to privacy as a fundamental right. While pronouncing its judgement, the Supreme Court discussed how, in this digital age, information has become essential to protect. Keeping this in mind, let us discuss the existing enactments and rules dealing with data security.
Any discussion of data privacy in India must necessarily stem from the IT Act, which is the starting point of the data protection regime in India. This Act primarily deals with the collection, storage, dissemination, disclosure and transfer of electronic data.
Under the IT Act, ‘data’ “means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer”.
Further, Section 43A of the IT Act prescribes penalties for failure to properly handle sensitive personal data and to implement reasonable security practices and procedures while dealing with any sensitive personal data. What such reasonable security practices and procedures entail is prescribed by the government in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules 2011”).
These Rules have been enacted specifically for the protection of sensitive personal data. Sensitive personal data is defined under the SPDI Rules 2011 as:
“…such personal information which consists of information relating to:—
(ii) financial information such as Bank account or credit card or debit card or other payment instrument details;
(iii) physical, physiological and mental health condition;
(iv) sexual orientation;
(v) medical records and history;
(vi) Biometric information;
(vii) any detail relating to the above clauses as provided to body corporate for providing service; and
(viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise”.
Typically, information which is already available in the public domain is outside the scope of sensitive personal data.
The SPDI Rules 2011 impose the following compliances while dealing with sensitive personal data:
The SPDI Rules 2011 clearly mandate that sensitive personal data may be collected only after the prior written consent of the provider of such information has been obtained. Moreover, the provider is free to withhold consent or to withdraw consent given earlier.
The information provider should know the purpose for which his information is being collected, the intended recipients of the information and the details of the agency that will collect or retain the information.
The data collected should not be retained for longer than required.
The collector of data is also required to publish a privacy policy which provides for:
(i) Statements of its practices and policies. Such statements should not be ambiguous and should be easily accessible.
(ii) The purpose for which data is being collected.
(iii) The type of personal or sensitive personal data being collected.
(iv) Disclosure of information.
(v) Reasonable security practices and procedures.
Collectors of data are mandated not to disclose the personal data collected in accordance with the SPDI Rules 2011 to third parties without the consent of the provider of the data. However, a disclosure mandated under law falls outside the scope of this rule.
The data collected can be transferred to a third party with prior consent. Such third party may be located in India or abroad. Care needs to be taken that such third party complies with and implements data protection mechanisms similar to those deployed by the transferor of the data.
The collector of data is required under the SPDI Rules 2011 to comply with reasonable security practices and procedures and to have documented information pertaining to the same in place. The international standard IS/ISO/IEC 27001 on "Information Technology - Security Techniques - Information Security Management System - Requirements" is considered a reasonable security practice, subject to certification by independent auditors.
India’s lack of a specialised law dealing with data protection has been duly noted by the government. Efforts are being made to enact a dedicated data protection law which would provide greater data protection. To this end, a White Paper was released in 2017 by the Srikrishna Committee, which was formed for this purpose. The White Paper listed seven principles on which the proposed data protection bill should be based:
(i) The law should cater to both present and future technologies.
(ii) It should apply to both public and private entities.
(iii) Consent should be informed.
(iv) Data should be processed only for the purpose for which it is collected.
(v) Entities collecting the data should be accountable for the manner of data processing.
(vi) Enforcement against security breaches should be conducted by statutory authorities.
(vii) The penalties provided for should act as adequate deterrents.
India’s extant data protection regime, though sincere in its efforts, is a far cry from a robust framework addressing the emerging issues in data privacy. Let us now discuss the EU GDPR Regulations at length to assess their departures from the Indian legal regime.
The GDPR Regulations were notified in 2016 with a two-year transition period for companies to comply with them. The enforcement date was fixed as May 25, 2018. The GDPR Regulations are primarily focused on protecting personal data. Personal data is defined as any information which helps in identifying an individual. Hence, even particulars like name, contact details, addresses etc. constitute personal data. The party which determines how the data is to be used is the data controller, the party which processes it is the data processor and the provider of the information is the data subject.
The following are the key features of the GDPR Regulations:
(i) Accountability: The GDPR Regulations have introduced a two-pronged accountability system, wherein both the data controllers and the data processors are accountable for any kind of data breach. Both data controllers and processors are required to maintain data processing registers.
(ii)Consent: GDPR takes into account only freely given, specific and unambiguous consent. It also enables the data subject to withdraw his/her consent.
(iii) Breach notification: The GDPR Regulations require that any data breach be notified to the data subject within 72 hours of the occurrence of such breach.
(iv) Access: The data subject is entitled to request access to the data and to information pertaining to the manner of processing and the purpose for which it is being processed.
(v) Right to be forgotten: Upon the data subject’s request, the company is obliged to delete all the data stored. This generally happens when the data is no longer relevant.
(vi) Data Protection Officers: The GDPR requires the appointment of data protection officers by companies having 250 or more employees or 5000 or more data subjects.
When one evaluates the Indian data protection regime vis-à-vis the GDPR, a number of loopholes become apparent.
Firstly, the Indian data protection regime does not have a dedicated legislation on data security. At best, the IT Act and the SPDI Rules 2011 provide a semblance of data protection, but a definite framework is still missing. Further, the jargon of ‘data’, ‘sensitive personal data’ and ‘information’ as used in the IT Act and the SPDI Rules 2011 creates confusion rather than clearly defining what exactly is protected. The laws at best appear ambiguous. Moreover, the term ‘data’ as defined under the IT Act primarily refers to computer-based data. With emerging technologies, data is no longer restricted to just computers. If our information is shared with an Uber driver, it is still personal data irrespective of the medium through which it is shared. Hence, such archaic definitions need to be revamped in order to address the current challenges of data privacy.
Another issue facing the Indian data regime is the lack of a proper distinction between personal data and sensitive personal data. The definition of sensitive personal data lists certain types of information as indicators of what may be included within sensitive personal data, but does not provide a clear demarcation of what may be classified as personal information but not sensitive personal information.
As the title suggests, the SPDI Rules 2011 typically deal only with sensitive personal data, and this reduces their scope tremendously. The allusion to ‘information’ in the Rules does not adequately cover the entire ambit of data which needs protection. One of the major flaws of the data protection regime in the country is the inadequacy of penalties.
The penalties are typically monetary in nature and not sufficient to exercise a major deterrent effect. Lastly, the data transfer requirement only imposes the responsibility to implement the same level of data protection. However, the level of data protection required under the SPDI Rules 2011 is itself not adequate.
Moreover, there may be sub-processors of data, and the transfer of data provision does not take that into account.
On the other hand, the GDPR is a set of concise and to-the-point regulations which directly address the problem rather than circumvent it. The framers of the GDPR have attempted to plug many possible instances of data breach. The notification requirement is laudable, as it keeps the data controller and processor alert and active. Moreover, the consent requirement has been defined to be definite, clear and specific. The term ‘personal data’ is unambiguously defined. Penalties are imposed even for violations of the breach notification and data protection officer appointment requirements. Penalties are large enough to financially affect the companies, hence ensuring that these regulations are viewed with seriousness. The data subject is provided adequate rights and is allowed access even to the processing of the data.
To sum up, India’s current data protection regime is inadequate to handle the kinds of threats that plague personal data today. As a first step, a dedicated data protection law should be enacted on the lines of the GDPR Regulations. The term ‘reasonable security practices and procedures’ should be clearly defined, and a sample policy mirroring it could be framed by the government to serve as a reference point for companies. Penalties should be increased in order to create a better deterrent effect.
The new law should be made in consonance with present and future technologies. In the present times of massive data breaches, if India lags behind in establishing a sound and secure data protection regime, this would massively hamper its position on the global commercial map. Hence, an overhaul of the data protection regime is very much the proverbial ‘need of the hour’.