
Indian Data Privacy laws and EU GDPR

published on May 24, 2018


Starting from 25 May 2018, the new European Union General Data Protection Regulation (GDPR) will become fully applicable. The GDPR will be enforceable not only against EU companies, but also against companies of third countries (including India) that process the data of EU residents, provide goods and services in the EU, or monitor and profile data subjects' behaviour within the EU. There is a high degree of uncertainty regarding the applicability and enforceability of the GDPR on Indian companies. However, legal experts are of the opinion that an award of a European court or adjudicating authority shall be enforceable when filed before an Indian court under the provisions of the Civil Procedure Code. Due to its international reach and the penalties provided under the GDPR (up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher), GDPR compliance is a major concern for MNCs in India.

Unlike the European Union, India does not currently have a separate data protection law for individuals. The Constitution of India does not expressly grant a fundamental right to privacy. However, in a landmark case in 2017, a constitution bench of the Indian Supreme Court held the right to privacy to be a fundamental right, subject to certain reasonable restrictions. This has sparked hope and interest in the country with regard to a separate codified law on personal data protection, in line with the GDPR.

CURRENT DATA PRIVACY LAWS IN INDIA

AADHAAR CARDS AND RIGHT TO PRIVACY

THE DATA (PRIVACY AND PROTECTION BILL), 2017

CONCLUSION

Current Data Privacy laws in India

When the Information Technology Act, 2000 (hereinafter referred to as the “IT Act”) first came into force on October 17, 2000, it lacked provisions for the protection of sensitive personal information of an individual and the procedure to be followed to ensure its safety and security. This led to several other amendments and bills being passed, and finally The Information Technology (Amendment) Act, 2008 inserted Section 43A into the IT Act, under which the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (hereinafter referred to as the “2011 Rules”) were notified. The key features of the 2011 Rules are:

The 2011 Rules only apply to body corporates and persons located in India. Section 43A of the IT Act explicitly provides that whenever a body corporate possesses or deals with any sensitive personal data or information, and is negligent in maintaining reasonable security to protect such data or information, thereby causing wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages to the person(s) so affected.

A list of items has been provided which are to be treated as “sensitive personal data”, including passwords, biometric information, sexual orientation, medical records and history, credit/debit card information, etc.; however, any information that is freely available or accessible in the public domain is not considered to be sensitive personal data.

Any body corporate seeking such sensitive personal data must draft a privacy policy, which has to be published on the website of the body corporate and must contain details of the information being collected and the purpose for its use.

The body corporate must establish reasonable security practices for maintaining the confidentiality of such data, and must obtain consent from persons for collecting such sensitive personal data for a lawful and necessary purpose.

The purpose must be clear, the information must be used only within the scope of the consent given, and the data must be retained only for as long as it is needed.

The 2011 Rules also provide for a Grievance Officer, who shall be responsible for addressing grievances of information providers within one month. Body corporates must have the reasonable security practices and procedures they have implemented audited by an auditor at least once a year, or as and when the body corporate, or a person on its behalf, undertakes a significant upgrade of its processes and computer resources.

The punishment under the IT Act for disclosure of information in breach of a lawful contract may be imprisonment for a term not exceeding three years, or a fine which may be up to Indian Rupees 5 million, or both.

Thus, as can be seen, Section 43A of the IT Act and the 2011 Rules do provide for many provisions similar to those under the GDPR, but applicable only to residents of India. However, this does mean that most companies already have a privacy policy in place, which can now be further developed and extended to encompass the stricter regulations of the GDPR so that they do not face penalties for breaches under the GDPR.

Aadhaar cards and right to privacy

The Aadhaar system (a nationwide biometric identification system) is currently being challenged in India, with the key dispute being whether the norms for the compilation of demographic and biometric data by the Government violate the right to privacy.

Individuals must apply for an Aadhaar card, and the application requires a person to provide his or her personal data. This card is provided by the Government of India. Recently, the Government has mandated that even foreign residents who are taxpayers in India must obtain an Aadhaar card along with the already existing PAN (Permanent Account Number). Thus, with the GDPR coming into force, the information obtained by the Government of India under the Aadhaar system is impacted, especially for EU citizens currently residing in India.

The Aadhaar scheme, which was first introduced as a means of targeted distribution of subsidies, is today being implemented for a variety of purposes, including the fight against black money, transaction authentication, and ‘know your customer’ requirements for banks and telecom companies. Aspects of the Aadhaar Act, such as (i) the security of the Aadhaar system, (ii) the inability of the individual to file complaints (for violations under the Aadhaar Act) relating to theft or misuse of their data, and (iii) the inability to withdraw or delete one’s data once registered with the UIDAI (the government authority dealing with Aadhaar laws), are under scrutiny in the litigation currently pending before the Supreme Court of India.

While the judgment holding privacy to be a fundamental right of individuals, subject to reasonable restrictions, was not directly intended to impact the use of the Aadhaar card, it will now have a significant impact on the pending litigation. The outcome of this pending litigation will in turn significantly impact data protection policies in India.

The Data (Privacy and Protection Bill), 2017

Recently, a Bill was introduced in Parliament proposing to bring privacy under the ambit of legislation. This is not the first Bill on privacy introduced in Parliament. However, this Bill differs from the previous Bills in that it seeks to make the consent of an individual for the collection and processing of personal data mandatory. The Bill states that the individual will have the sole and final right to modify or remove personal data from any database, public or private. In the context of sensitive and personal information, the person must provide his or her express and affirmative consent for the collection, use and storage of any such data.

This Bill applies not only to private corporations or body corporates, but is equally applicable to state entities, government agencies and any other persons acting on their behalf. Even the definition of a “third party” under this Bill includes public authorities. This signals a significant change in law from the existing regime under the IT Act and the 2011 Rules in India.

However, with respect to sensitive personal data, Section 20(2) provides that no sensitive data shall be processed for any purpose other than its intended use, but that it may be used for welfare schemes and under social protection laws. Hence, this would imply that the Aadhaar scheme, as mentioned earlier, would also have access to a person’s personal, sensitive information. This Section mirrors the present dispute before the Supreme Court and will continue to be subject to debate due to the existing privacy concerns.

Although this Bill, which is still pending passage into legislation, is much more in line with the stricter GDPR norms, it is unlikely to come into force until the pending litigation regarding the Aadhaar scheme reaches a conclusion on the Government’s use of the personal, sensitive data of residents in India.

Conclusion

A keystone of the GDPR is the stipulation of ‘adequacy requirements’, which restrict the transfer of personal data to any third country or international organisation that does not “ensure an adequate level of protection.” In doing so, the European Commission will consider whether the legal framework prevalent in India, where personal data will be sought to be transferred, affords adequate protection to data subjects in respect of the privacy and protection of their data. Since this will directly impact business in India for MNCs that deal with such personal data, it is believed that India will speed up the process of passing a separate codified law on the subject. Therefore, companies taking steps to be GDPR compliant in India are already ahead of the curve with regard to data protection policies and laws in India, and timely compliance with the GDPR will reduce the risk of possible sanctions and thereby contribute to enhancing business relations.