On August 24, 2011, the Ministry of Communications and Information Technology of the Government of India ("IT Ministry"), through the Press Information Bureau, issued a press note ("Press Note") containing certain clarifications to the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 ("Data Privacy Rules") issued earlier in the year. Most significantly, foreign companies are now excluded from the ambit of the obligations imposed by the Data Privacy Rules. Additionally, the scope of the Data Privacy Rules has been narrowed down with respect to Indian companies.
Section 43A of the Information Technology Act, 2000 ("IT Act") required a body corporate that possesses, deals with or handles any "sensitive personal data or information" in a computer resource which it owns, controls or operates, to maintain "reasonable security practices and procedures". The terms "sensitive personal data or information", and "reasonable security practices and procedures" were not sufficiently defined.
The Data Privacy Rules defined the term "sensitive personal data or information" and required "body corporates" to observe certain standards in the collection, maintenance and disclosure of such data or information. Amongst other obligations under the Data Privacy Rules, information could only be collected with the informed consent of the provider, and for a lawful purpose. In addition, information could only be used for the purpose for which it was collected, and retained thereafter only for so long as was required for the purpose for which it was collected. However, the obligations imposed by the Data Privacy Rules applied to "body corporates", a term which did not appear to be limited to Indian companies alone, and there was growing concern that foreign companies would also be subject to the Data Privacy Rules.
Press Note Clarifications
The Press Note clarifies certain provisions of the Data Privacy Rules, which include:
- Indian Companies Only: The obligations under the Data Privacy Rules apply only to Indian companies. Foreign companies are exempt.
- Exemption For Outsourcing Entities: The obligations under Rules 5 and 6 of the Data Privacy Rules (i.e., relating to the manner in which companies can collect and disclose "sensitive personal data or information") do not apply to Indian companies which collect, store, deal with or handle "sensitive personal data or information" under a contractual obligation with a legal entity. Accordingly, Indian outsourcing companies which deal with information under contract are no longer bound by Rules 5 and 6 of the Data Privacy Rules.
- Natural Persons; Obligations To Natural Persons: "Providers of Information" as referred to in the Data Privacy Rules are limited only to natural persons. Notably, Indian companies that store, deal with or handle "sensitive personal data or information" received from any natural person (whether or not under a contractual obligation to that person) must continue to observe Rules 5 and 6 of the Data Privacy Rules.
- Mode Of Consent: Under the Data Privacy Rules, a body corporate is required to obtain the consent of the provider of "sensitive personal data or information" in writing by letter, fax or email. Accordingly, fax and email were the only recognized electronic forms of communication by which consent could be obtained. The Press Note clarifies that consent may now be obtained by "any mode of electronic communication", and not just by fax or email.