Authors: Radha Raghavan and Ramya Ramchandran
The Information Technology Act, 2000, ((Act No. 21 of 2000)) governs the law relating to information technology in India. With the liberal use of internet and processing of electronic data of all forms for a wide range of purposes both within the private and public domain, concerns as to intrusion into one’s privacy has assumed importance and has become a matter of public debate. The raging controversy on the consequences of UID (Unique Identification) Program (Aadhar), an ambitious project of the Government of India on the right to privacy and its intrusion by the Government in the form of data collected, for issue of a UID card, is a point in illustration.
Recently in exercise of the rule making power conferred by Clause (ob) of Sub-section (2) of Section 87 read with Section 43A of the Information Technology Act, 2000, the Central Government promulgated the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. These Rules cater to three groups – Body Corporates, Information Providers (or Data subjects) and the Government. These rules address the:
- Obligation of the corporates who collect the sensitive personal data of an individual – the obligations being those pertaining to its use and disclosure; ((Rule 5, 6, 7, 8 – “The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011” ))
- Rights of the information provider, with a view to curb indiscriminate disclosure of such information without the consent of the data subject. ((Rule 5 [3], [6], (7), [9] – “The Information Technology [Reasonable Security Practices and Procedures and Sensitive Personal Data or Information] Rules, 2011”)).
- Right of the Government to access Sensitive Personal Data of individuals in cases of investigation, etc. ((Rule 6 – “The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011”))
This article aims to analyse these rules in the background of the development of privacy and information technology laws along with a discussion on its scope, extent and utility.
BACKGROUND OF THE NEW RULES
India’s first stride to give legal recognition to electronic documents and digital signatures came in the form of the Information Technology Act, 2000. The Act did not address issues of data privacy and protection.
In 2004, the Indian Supreme Court, ((People’s Union for Civil Liberties v. Union of India, AIR 2004 SC 1442))interpreted Article 19(1)(a) of the Constitution of India to include by implication the right to information within the constitutional guarantees of freedom of speech and expression. ((Graham Greenleaf, (2011), Promises and illusions of data protection in Indian Law, 1 (1) Oxford Journal 47-69.))Consequently, the government enacted a national legislation called the Right to Information Act 2005. The character of the Act was broad and covered under its ambit “information held by or under the control of any public authority”. ((Ibid))
By this time, the European Union enacted stringent data protection laws. EU, having the world’s most restrictive law, stated that the member states must cease to send personal data to any ‘third country’ unless such country adhered to similar laws or had other appropriate safeguards in place. A lack of such safeguards and data protection laws was often the reason for preventing the movement of voice processing and BPO work to India ((Mohd. Salman Warris, (2005), Indian Law – A Semblance of data privacy, 6(1) Privacy and Data Protection Journal)). This made the Government of India realize the importance of having in place a distinctive legal regime promoting data protection. A need was felt to create the necessary confidence among investors and foreign companies. ((Ibid))Thus, an amendment was made to the Information Technology Act, 2000 and the Information Technology Amendment Act 2008 (“ITAA”), was enacted.
The ITAA, 2008 inserted Section 43A ((“Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damaged by way of compensating to the person so affected”)), a vital beginning to the string of data protection laws in the country. Section 43A provided for the payment of compensation, by a person in possession, etc. of sensitive personal data, who is negligent in maintaining and implementing reasonable security practices and procedures and thus resulted in any wrongful loss or wrongful gain. The Central Government was empowered to prescribe, by promulgation of Rules, the definition and content of “sensitive personal data or information”. It is in the background of Section 43A that the Rules of 2011 were promulgated, seeking to define the content of sensitive personal data or information and “reasonable security practices and procedures” apart from enlisting collection, disclosure and protective measures.
Furthermore, the Information Technology Rules (ITR), 2009 ((The Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 (hereinafter “Interception Rules, 2009”)), which was a precursor to the current ITR, 2011, provided for a comprehensive and constitutionally sound framework for the disclosure of information. Currently the ITR, 2011 has expanded its reach to higher levels of privacy of personal security information.
With these Rules, India has taken big strides towards bringing about strict measures to safeguard sensitive personal information or data and has attempted to strike a delicate balance between private liberty and public need.
AN OBJECTIVE ANALYSIS OF THE ITR, 2O11
The Rules have been subjected to public scrutiny ever since February 7, 2011, when the draft rules were open to public comment. These rules were finally enacted on April 13, 2011, but disappointingly did not meet the expectations of the public at large. It continues to remain a victim of severe criticism. The Rules suffer from ambiguity vis-à-vis its ambit and extent as discussed infra.
DEFINITION AND SCOPE
The aim here is to briefly look at the definition and scope of phrases which form the foundation of such rules.
Clauses of broad character
The main objective of these Rules, as already mentioned earlier, was to impose restrictions on businesses with regard to handling of personal data. In order for these Rules to meet its end, the term “sensitive personal data” should have been defined more stringently. Instead, only a mere list of the constituents of the term is prescribed under Rule 3. For a better understanding, it is imperative to look at the constituents of “Sensitive personal Data”:
- Password
- Financial information such as Bank account or credit card or debit card or other payment instrument details ;
- Physical, physiological and mental health condition;
- Sexual orientation; medical records and history;
- Biometric information;
- Any detail relating to the above clauses as provided to body corporate for providing service; and
- Any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise:
- Any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.
It can be observed here that clauses (vii) and (viii) appear to be of a very broad character. It can be interpreted to include, within its ambit, a wide array of information. The importance of a precise definition of ‘sensitive personal information’ is paramount as clauses of such broad interpretation add to the ambiguity of the scope of not only these rules but also of Section 43A. Thus, it seems to follow that, any ambiguity in the definition, fails to serve the very purpose of the rules, to begin with, since the whole enactment deals with the concept of processing of “Sensitive Personal Data or Information”. In order for this clause to be clearer, the definition could be amended to include inter alia, “information which is capable of personally identifying a person, individually or when aggregated” ((Apar Gupta,2011, Comments on Draft Sensitive Personal Information Rules)).
A need for distinction between Personal Data and Sensitive Personal Data
Broad clauses as such, include not only Sensitive Personal Data but also other Personal Information. It, thus, strays away from the purpose of 43A, which only seeks to protect Sensitive Personal information. Hence, a need is felt to make a distinction between Personal data and Sensitive Personal Data ((Supra footnote 12)). An ephemeral distinction of the two concepts has been brought out in Rule 2 (which has defined Personal Information, although it remains silent about its constituents) and Rule 4 (which ensures that Body Corporates should have a privacy policy for “Personal Information” including “Sensitive Personal Information”).
The absence of a distinction between the two concepts seems to be an important point in illustration with respect to the difference between Indian Data Privacy Laws and its UK counterpart, the Data Protection Act, 1998 ((Hereinafter referred to as the DPA)). The latter makes a definite distinction between the two concepts and has prescribed separate rules for handling the two different data. The Indian Rules, on the other hand, fails to recognize different levels of stringency with regard to collection, transfer, disclosure and handling of “Personal Data” and “Sensitive Personal Data”.
Broadening the definition of Sensitive Personal Data or Information
Another improvement within the scope of defining “sensitive personal data or information” would be an extension to include (i) political opinions, (ii) religious beliefs or other beliefs of a similar nature, (iii) whether he is a member of a trade union, (iv) his sexual life, (v) the commission or alleged commission by him of any offence, and (vi) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings as done in the DPA. It should also be extended to include browsing data which is gathered by websites and search engines, which when aggregated, can reveal a person’s detailed profile ((See supra footnote 12)). By implementing these, the definition of “sensitive personal data” is further fine tuned, eliminating any ambiguity with regard to the extent of its ambit.
RETENTION OF DATA
Moving on, it is but reasonable to assume that the Rules should prescribe conditions for a safe disposal of data, after it has been used for the purpose for which it was collected. This is supported by the conditions listed out under Rule 5 of the said Rules. With respect to retention of data, Rule 5 spells out that the information should not be retained for a period longer than what is required to carry out the object for which it was collected and the information should be kept secure. Although it states that the body corporate cannot retain any information for longer than is required ((Rule 5(4)- “Body corporate or any person on its behalf holding sensitive personal data or information shall not retain that information for longer than is required for the purposes for which the information may lawfully be used or is otherwise required under any other law for the time being in force.”; The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011))it is essential for the rules to include a retention period after which the data is to be destroyed. On a prima facie reading of the rules, the interpreter is rightly under the impression that they were formulated, primarily, for the data collected “virtually” vis a vis online as these rules fall under the “Information Technology Act”. In line with this thought, the above contention of including a retention period is justified because more often than not websites hold archival data. Hence, it is imperative that the rules contain such provisions that would also include a procedure to delete and destroy the data making retrieval impossible. ((See supra footnote 12))
COLLECTION AND DISCLOSURE OF INFORMATION
Collection of Information
Rule 5 deals with the collection of sensitive personal data or information. It states inter alia that a body corporate has to first obtain consent in writing through letter, fax or email, from the provider of such information, regarding purpose of usage, before collection of such information. This rule is conterminous with Article 7 of the EU Directive ((Article 7 – Criteria for making data process legitimate.)), which reflects the same principle as it states that personal data may be processed only if the data subject has unambiguously given his consent to the same. Further, Rule 5 gives “the provider of information” certain privileges of modifying such information as and when necessary and withdrawing the consent given earlier.
But, the rules fail to clearly distinguish between “the provider of information” and “individual to whom the data pertains” which gives rise to a lot of uncertainty on a prima facie reading of the rules.
In addition, Rule 5(3), falling in line with Article 6 ((Article 6 – Principles relating to data quality.))of the EU directive, says that the body corporate or any person on its behalf shall take such steps “as are, in the circumstances, reasonable ” ((Water Supply and Sewage Board v. Unique Erectors (Guj) AIR 1989 SC ))to ensure that the person concerned is aware of the fact that the information is being collected, the purpose for which it is being collected, the recipients of such information, etc. ((While collecting information directly from the person concerned, the body corporate or any person on its behalf shall take such steps as are, in the circumstances, reasonable to ensure that the person concerned is having the knowledge of ― (a) the fact that the information is being collected; (b) the purpose for which the information is being collected; (c) the intended recipients of the information; and (d) the name and address of ― (i) the agency that is collecting the information; and (ii) the agency that will retain the information.))The phrase in Rule 5(3) uses convoluted language instead of using simple phrases like “take reasonable steps” – reasonableness has generally been interpreted by courts contextually. ((Prashant Iyengar, (April 5, 2011), Privacy and the Information Technology Act in India, available at SSRN))The Supreme Court in Water Supply and Sewage Board v. Unique Erectors (Guj) ((AIR 1989 SC 973))has observed that “in law, prima facie meaning of reasonable in regard to those circumstances of which the actor, called upon to act reasonably, knows or ought to know”.
Disclosure of Information
Rule 6 states that prior permission of the provider of information has to be obtained before disclosure is made to a third party and any third party receiving such information is not entitled to disclose it further. ((Rule 6 (4) –“The third party receiving the sensitive personal data or information frombody corporate or any person on its behalf under sub-rule (1) shall not disclose it further.”:The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011))
It is essential to improve the definition of Rule 6 and make its provisions more stringent. By stating that the disclosure of information requires prior consent from the provider of such information, this rule seems to have left the ends open. In cases where the consent is granted online, it cannot be clearly determined whether the person granting the consent is the provider of information, the data subject himself or some other third party.
If the information of a person is being transferred to a third party for a different purpose, it looks to be right to be done only with the knowledge of the data subject. It does not suffice if the provider of information, who may be a party other than the data subject, to grant consent for the same. This may lead to a misuse of information in three party cases. For example, A provides sensitive personal data of X to Company B, upon the consent and knowledge of X, to carry out a particular transaction. Later, Company C approaches A for the personal information of X, to process a separate transaction. In such a situation, it seems unreasonable for A to give out personal information of X without the consent of X. Thus, this rule should be modified to impress upon the consent of the data subject himself. It is pertinent, here, to draw the reader’s attention to Schedule 2 of the Data Protection Act, 1998. It specifies that the consent of the data subject is essential for the transfer of information wherein the “data subject” has been defined as ‘an individual who is the subject of personal data’. This concept must be incorporated into these Rules in question.
Disclosure of Sensitive Personal Data to the Government
Rule 6 enables the government to access any sensitive personal data, maintained by the body corporates under law, for several purposes including detection and investigation of crimes, cyber incidents, prosecution, punishment for offences, etc. ((Rule 6(1) – “Government agencies mandated under the law to obtain information including sensitive personal data or information for the purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences”; The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011)). It is thus apparent that the government has the power to obtain sensitive personal information of individuals from body corporates without a warrant or the concerned person’s consent. With an enforcement of such a rule, the body corporates may willingly give away such information in order to avoid prosecution. The government has, in this regard, given itself the “master key” and there are no checks on this power despite the fact that the government has to make a written request stating the purpose for seeking such information ((PRS Legislative Research)). Thus, the rule raises issues of personal privacy infringement.
At this point, it is pertinent to look at the interpretation of Right to Privacy by various competent Judicial Institutions so that the importance of adopting procedural safeguards against privacy infringement can be well established. .
In the landmark case of Kharak Singh v. State of UP ((1963 AIR 1295)), the learned judges have recognized the inclusion of Right to Privacy within the ambit of Article 21 of the Constitution, viz. Right to Life. It has been stated that,
“It is true our Constitution does not expressly declare a right to privacy as a fundamental right, but the said right is an essential ingredient of personal liberty…. The pregnant words of the famous Judge, Frankfurter J., in Wolf v. Colorado (((1949) 338 U.S. 25)), pointing out the importance of the security of one’s privacy against arbitrary intrusion by the police, could have no less application to an Indian home as to an American one.”. Justice Frankfurter said “nothing is more deleterious to a man’s physical happiness and health than a calculated interference with his privacy.”
Courts have repeatedly taken a ‘persons and not places’ emphasis in interpreting the right of privacy ((See supra footnote 5)), rejecting views that privacy is tied to property interests ((District Registrar and Collector, Hyderabad & Anr v. Canara Bank & Ors. (2005) 1 SCC 496)). A clear shift from person to place was enunciated in the American Supreme Court case of Warden v. Heyden (((1967) 387 US 294 (304)))
In the Naz Foundation Case ((Naz Foundation v. Government of NCT of Delhi, 2009 (160) DLT 277)), it was found that the State cannot invade the privacy of citizens based solely on consideration of ‘public morals’. The court also said that the “right to privacy has thus been held to protect a private space in which man may become and remain himself”. ((Ibid, Para 40))
With respect to information in public domain, the Supreme Court, in the case of Rajagopal alias Gopal v. State of Tamil Nadu (((1994) 6 SCC 632))held that there is no protection for personal information in public records, and protection of privacy for persons who have voluntarily placed themselves in the public eye is reduced. Vishwanathan ((Author of “Outsourcing to India: Cross border Legal Issues” (LexisNexis Buttersworths Wadhwa 2008).))considers that the Supreme Court ‘in Rajagopal, for the first time, articulated the twin pillars of privacy law in India’.
From the above, it seems that most of the courts have acknowledged the importance of Right to Privacy. Thus, it is vital that the rules provide for procedural safeguards against unauthorized disclosure of information and maintenance of constitutional levels of privacy even against the Government.
CONCLUSION
The object of any statute or rule is to prevent mischief and promote the object. The virtue of a statute or rule is certainty and clarity as opposed to ambiguity and vagueness. The quality of any statute or rule has to be judged on these yardsticks.
In an attempt to clarify some of the ambiguities arising out of the provisions of these rules, the Indian Government issued a clarification which allays fears as to the Jurisdiction and effect of the rules on companies outsourcing to India. The Ministry has clarified that the Sensitive Personal Data Rules apply only to body corporates or persons located within India. Furthermore, it has provided some clarity regarding the realm of Rules 5 and 6 stating that any “body corporate” located in India, which provide services relating to collection, storage, dealing or handling and processing sensitive personal data or information under contractual obligation with any legal entity (located within or outside India) is not subject to the requirement of the above rules ((Clarification on Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 Under Section 43A of the Information Technology ACT, 2000)). While the Press Note appears to resolve a few immediate concerns it leaves many questions regarding the handling of sensitive personal information unanswered. ((Deepa Christopher and Praveen Thomas, 20 September 2011, India – Welcome clarification on sensitive personal data rules))
Judging the rules under consideration on these yardsticks, it is unfortunate to conclude that the rules fall short of becoming a model piece of legislation especially while dealing with a progressive and emerging concept like Sensitive Personal Information or Data. The efficacy of the rules depends upon such precise definition and content and if the same is lacking the rules not only fail to serve the purpose or prevent mischief but it in fact becomes a fertile ground for mischief and misuse. Considering India’s pre eminent position as an IT destination in the world, it is imperative that the Government looks at the rules closely yet again with utmost expedition and make it more precise and utilitarian.