India Data Privacy Law – Its impact on Business Ecosystem

Shivaji Rao, Regional General Counsel, Asia PAC and Sub-Saharan Africa, John Deere.

Date posted: 19-Jan-2018
Page 1:

India Data Privacy Law – Its impact on Business Ecosystem

Shivaji Rao, Regional General Counsel, Asia PAC and Sub-Saharan Africa, John Deere.

Page 2:

Data Privacy & Data Security Law in India

Information Technology Act, 2000 (as amended by the Information Technology (Amendment) Act, 2008)

Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

Press Note (Clarification on the 2011 Privacy Rules), Department of Information Technology, August 2011

Credit Information Companies (Regulation) Act, 2005

Credit Information Companies Regulations, 2006

Credit Information Companies Rules, 2006

Page 3:

Information Technology Act (2000), (2008) & 2011 Rules

Important Definitions

Personal information: any information that relates to a natural person, which either directly or indirectly, in combination with other information available or likely to be available with a corporate entity, is capable of identifying such person.

Sensitive personal data or information (SPD): (i) password; (ii) financial information, e.g. bank account, credit or debit card or other payment instrument details; (iii) physical, physiological and mental health condition; (iv) sexual orientation; (v) medical records and history; (vi) biometric information; (vii) any detail relating to the above clauses as provided to a corporate entity for providing services; and (viii) any of the information received under the above clauses for storing or processing under lawful contract or otherwise.

A business entity cannot collect SPD unless it obtains the prior consent of the provider of the information. Consent must be provided by letter, fax or email.

Page 4:

Information Technology Act (2000), (2008) & 2011 Rules

Important Provisions

Consent: Rule 5 provides that a body corporate, or any person on its behalf, must obtain consent in writing (by letter, fax or email) from the provider of sensitive personal data or information, regarding the purpose of usage, before collection.

Lawful Purpose: Sensitive personal data or information may not be collected unless it is collected for a lawful purpose connected with a function or activity of the body corporate (or a person on its behalf) and the collection is considered necessary for that purpose.

Retention, and Opt Out: Sensitive information is not to be retained for longer than is required for the purposes for which the information may lawfully be used. Providers of information have a right of review to ensure accuracy, and may withdraw consent given earlier (Rule 5(7)).

Disclosure to 3rd Parties: Disclosure of sensitive personal data or information by a body corporate to any third party requires prior permission from the provider who has provided such information under lawful contract or otherwise, unless such disclosure has been agreed in the contract between the body corporate and the provider of information (Rule 6).

Page 5:

Information Technology Act (2000), (2008) & 2011 Rules

Important Provisions

Privacy Policy Required: Any entity, or person on behalf of an entity, that collects, receives, possesses, stores, deals in or handles information of a provider of information must provide a privacy policy for handling of or dealing in personal information (including sensitive personal data or information) and ensure that it is available for view by the providers of information who have provided such information under lawful contract. Such policy must be published on the website of the body corporate or any person on its behalf.

Contents of Privacy Policy: The privacy policy must contain: (a) clear and easily accessible statements of its practices and policies; (b) the type of personal / sensitive personal data or information collected under Rule 3; (c) the purpose of collection and usage of such information; (d) disclosure of information, including sensitive personal data or information, as provided in Rule 6; (e) the reasonable security practices and procedures as provided under Rule 8.

Data Protection: Information collected must be protected pursuant to Rule 8.

Page 6:

Information Technology Act (2000), (2008) & 2011 Rules

Important Provisions

Data Transfer

Rule 7 permits a body corporate (or a person on its behalf) to transfer sensitive personal data or information, including any information, to another body corporate or person in India or in any other country, provided that: (a) the recipient entity ensures the same level of data protection as required under these Rules; and either (b) the transfer is necessary for the performance of a lawful contract between the body corporate (or a person on its behalf) and the provider of information, or (c) the provider of information has consented to the transfer. Condition (a) applies in every case; (b) and (c) are alternatives.

Security Practices & Procedures

(i) A body corporate or a person shall be considered to have complied with reasonable security practices and procedures if they have implemented such security practices, procedures and standards and have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security controls adequate to protect the nature of the business;

(ii) Implementation of the international standard ISO/IEC 27001 may also satisfy this rule;

(iii) A body corporate or a person who has implemented either the ISO/IEC 27001 standard or the codes of best practice for data protection as approved and notified shall be deemed to have complied with reasonable security practices and procedures, provided that the same have been certified or audited on a regular basis by an independent auditor duly approved by the Central Government.

Page 7:

Information Technology Act (2000), (2008) & 2011 Rules

Important Provisions

Breach Notification

The Information Technology (the Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 provide that the following cyber security incidents need to be notified to CERT-In:

• Targeted scanning / probing of critical networks / systems
• Compromise of critical systems / information
• Unauthorized access of IT systems / data
• Defacement of a website or intrusion into a website and unauthorized changes such as inserting malicious code, links to external websites etc.
• Malicious code attacks such as spreading of virus / worm / Trojan / botnets / spyware
• Attacks on servers such as database, mail and DNS servers and network devices such as routers
• Identity theft, spoofing and phishing attacks
• Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
• Attacks on critical infrastructure, SCADA systems and wireless networks
• Attacks on applications such as E-Governance and E-Commerce etc.

Govt Audit Rights

• The appropriate government may cause an audit to be conducted of the affairs of the service providers and authorized agents in the State at such intervals as it deems necessary, by nominating audit agencies. The audit may cover security, confidentiality and privacy of information, among other things.

Page 8:

Information Technology Act (2000), (2008) & 2011 Rules

Important Provisions – Enforcement Mechanism

Sec 72 of the IT Act, 2000: Penalty for breach of confidentiality and privacy – Save as otherwise provided in this Act or any other law for the time being in force, any person who, in pursuance of any of the powers conferred under this Act, rules or regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned, and discloses such electronic record, book, register, correspondence, information, document or other material to any other person, shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees (US$ 1600 approx.), or with both.

Sec 72A: Punishment for disclosure of information in breach of lawful contract – Save as otherwise provided in this Act or any other law for the time being in force, any person, including an intermediary, who, while providing services under the terms of a lawful contract, has secured access to any material containing personal information about another person, and with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned or in breach of a lawful contract, such material to any other person, shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to five lakh rupees (US$ 8000 approx.), or with both.

Page 9:

Information Technology Act (2000), (2008) & 2011 Rules, Ctd.

Important Provisions

Enforcement Mechanism

Sec 43A: Compensation for failure to protect data – Where a body corporate, possessing, dealing in or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, not exceeding five crore rupees (US$ 800,000 approx.), to the person so affected. (Five crore rupees is the limit up to which the adjudicating officer under Sec 46 may decide such claims; larger claims vest with the competent civil court.)

Sec 66C: Punishment for identity theft – Whoever fraudulently or dishonestly makes use of the electronic signature, password or any other unique identification feature of any other person shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to a fine which may extend to one lakh rupees (US$ 1600 approx.).

Page 10:

How it impacts on Business Ecosystem in India

Organization:

• Data collection
• Consent
• Data use, storage and transfer
• Data security practices
• Privacy policy and access
• Breach notification

Page 11:

Collection of Personal Data

Collection of ‘personal information’ and ‘sensitive personal data’ in the course of business:

• Procurement – suppliers, OEMs

• Sales – dealers, distributors, customers, consultants, etc.

• HR process – employees

• Commercial Contracts

• Entity management – boards of directors, shareholders, etc.

Are we legally allowed to extract publicly available data?

How do we make sure that such data has been lawfully obtained?

When collecting personal data, do you clearly inform the individual the purpose(s) for which it will be collected, used or disclosed and obtain his/her consent?

Recommendation:

Have an enabling covenant in the contract with respect to data collection.

Page 12:

Consent

• Consent in writing from the provider of sensitive personal data before collection;

• Collect sensitive personal data only for a lawful purpose, and only where the collection is considered necessary for that purpose;

• Do not retain sensitive information for longer than it is required for those purposes.

Recommendation:

Have an enabling covenant in the contract with respect to data collection and its purpose.

Page 13:

Data use, storage and Transfer

• Consent before collection and use;

• For data transfer:
  o the recipient entity maintains the same level of security;
  o the transfer is necessary to perform the obligations of a lawful contract; or
  o the provider of the information has consented to the transfer.

• Reasonable security measures for data storage.

Recommendation:

Have an enabling covenant in the contract with respect to data use and transfer.

Do you have full visibility and control over: (a) what personal data and SPD is collected, and why? (b) who collects it? (c) how it is stored (in country or outside the country)? and (d) with whom it is shared or disclosed (sales team, analytics, service providers)?

Page 14:

Data security practices

• Comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security controls;

• No retention of data longer than needed;

• ISO/IEC 27001 standard for data security;

• Certified or audited on a regular basis by an independent auditor duly approved by the Central Government.

Have you (a) assessed the personal data protection risks within your organization, (b) classified the data, secured it, and defined the span of access and control over it, and (c) put in place personal data security policies?

Page 15:

Privacy Policy and access

• Any entity, or person on behalf of an entity, that collects, receives, possesses, stores, deals in or handles information of a provider of information must provide a privacy policy;

• The privacy policy must contain:
  o clear and easily accessible statements of its practices and policies;
  o the type of personal / sensitive personal data or information collected;
  o the purpose of collection and usage of such information;
  o disclosure of information, including sensitive personal data;
  o reasonable security practices and procedures.

Practical example: when drafting and implementing a data privacy policy, training internal stakeholders is a priority.

Page 16:

Breach Notification

Breach notification to the Indian Computer Emergency Response Team (CERT-In) on occurrence of:

• Targeted scanning of critical systems networks

• Unauthorized access of IT systems / data

• Defacement or intrusion into a website

• Malicious code attacks such as spreading of virus

• Attacks on servers

• Attacks on critical infrastructure

Page 17:

Checklist / FAQs

• How well does your organization protect personal data and sensitive personal data?

• What is the action plan you have?

• Do you have data inventory management in place?

• When collecting personal data, do you clearly inform the individual the purpose(s) for which it will be collected, used or disclosed and obtain his/her consent?

• If you collect personal data from third parties, do you ensure that the third party has obtained consent from the individuals to disclose the personal data to you for your intended purposes?

• Do you limit the use of personal data collected to only the purposes for which you have obtained consent?

Page 18:

Checklist / FAQs

• Do you put in place the appropriate contractual arrangements or binding corporate rules to govern the transfer of personal data overseas?

• Do you limit the disclosure of personal data collected to only the purposes for which you have obtained consent?

• Have you established a formal procedure to handle requests for access to personal data?

• Do you have a list of third party organizations to whom personal data was disclosed and for what purposes?

• Have you assessed the personal data protection risks within your organization and put in place personal data security policies?

• Is the personal data kept in a secure manner?

• Do you conduct or schedule regular audits on the data protection processes within your organization?


Page 19:

Checklist / FAQs

• Have you developed and implemented data protection policies for your organization to meet its obligations under the IT Rules? Are your organization's data protection policies made available to the public?

• Have the individuals on your marketing list given their clear and unambiguous consent, evidenced in written or other accessible form, to being contacted by you by phone call, text message (e.g. SMS / MMS) or fax for your intended telemarketing purposes?

• In relation to individuals who have not given their clear and unambiguous consent for telemarketing, have you established an internal process for checking the Do Not Call (DNC) registry prior to your telemarketing campaigns?

• If you purchase databases of contact information from third parties for your telemarketing activities, do you ensure that the third party has obtained the necessary consents for the collection, use and disclosure of the personal data by you?

Page 20:

Thank You
