India, as a flourishing data economy, is making its best efforts to safeguard data protection and privacy. The enactment and ongoing implementation of the Digital Personal Data Protection Act, 2023 (hereinafter referred to as the “DPDPA”) strengthens the framework around data privacy and will also act as a building block for the prevention of data breaches in the country.
Since 2021, India has been plagued by major data breaches, mainly in the finance, healthcare, e-commerce and public sectors, which makes stringent data protection compliance for body corporates the need of the hour.
CURRENT LEGAL FRAMEWORK IN INDIA
Data protection in the country has mainly been governed and regulated by the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (hereinafter referred to as the “SPDI Rules”), published under the Information Technology Act, 2000 (hereinafter referred to as the “IT Act”).
Section 43A of the IT Act deals with the implementation of ‘reasonable security practices’, procedures and standards, and the SPDI Rules primarily safeguard the collection, processing, transfer and retention of data by body corporates. In the absence of a dedicated legal framework for data privacy all these years, such in-house implementation of security practices has been the primary way for corporations, and for the government authorities overseeing them, to ensure that security is maintained by corporations that collect data of their users and employees.
Rule 8 of the SPDI Rules outlines the reasonable security practices, procedures and standards to be complied with by body corporates. It mandates the implementation of comprehensively documented data security policies, including managerial, technical, operational and physical security control measures.
Further, sub-rule (2) expressly prescribes the adoption and implementation of the International Standard IS/ISO/IEC 27001 for establishing, implementing and maintaining an information security management system. These practices and standards must be complied with, as they are regularly audited by a government-appointed auditor.
In 2021, the Bureau of Indian Standards (hereinafter referred to as “BIS”) issued a new framework for data privacy assurance vide IS 17428, which is applicable to Indian as well as non-Indian organisations established in the territory of India. It is in line with the present international standard IS/ISO/IEC 27001. BIS’s IS 17428 specifies the requirements of publishing a privacy notice, free consent, limitation of use and storage, periodic privacy impact statements and audits, and a grievance redressal mechanism for establishing a personal data security system.
MAJOR COMPLIANCES AND PENALTIES
The following are the major compliances for body corporates under the Indian legal framework:
1. As stated earlier, Rule 8 of the SPDI Rules provides that corporations would be considered to have complied with the requirement to implement reasonable security practices and procedures if such practices are in line with IS/ISO/IEC 27001 or equivalent standards such as BIS’s IS 17428. However, Rule 8(3) of the SPDI Rules also allows an industry association/entity to self-regulate and formulate its own data protection practices and compliances, which need to be approved by the central government.
2. Privacy Notice: Publish a privacy notice to the user/consumer to inform them of the mode and reason of collection, processing and retention of their data.
3. Consent: Free, specific and informed consent must be ensured by the body corporate at every stage of collecting sensitive personal information.
4. Usage Limitation: Use of the user’s/consumer’s sensitive personal data must be limited to the “consented usage”.
5. Retention/Storage Limitation: The retention and storage of data are bound by the purpose for which the sensitive personal information was collected. Once the purpose lapses, such information must be removed. The data must also be removed by the body corporate upon the request of the user.
6. Periodic Privacy Impact Assessment: Regular privacy impact assessments must be performed by body corporates to identify changes and their impact on data privacy.
7. Periodic Audits: The body corporate must ensure that its data privacy practices and management system are audited by an independent authority.
8. Grievance Redressal: Establish and document a grievance redressal procedure, and publish the contact information of the grievance redressal officer/data protection officer.
The body corporate is held responsible for any data breach or negligence in establishing and maintaining security standards for the protection of sensitive personal information, and is liable to pay damages to the affected person(s) under Section 43A of the IT Act.
Statutory fines are applicable for breach of the above-mentioned procedures. Section 72A of the IT Act prescribes imprisonment of up to three years, or a fine of up to 5,00,000, or both, for breach of information on the part of the data collector. The DPDPA, in turn, prescribes a penalty of up to 250 crores for breach of reasonable security safeguards.
India has formulated and enacted the DPDPA as a data protection mechanism that still awaits implementation. Presently, therefore, the most comprehensively implemented data protection legislation is the IT Act together with the SPDI Rules, which prescribe the practices, procedures and standards for establishing a functional framework for data privacy.
The international and BIS standards for data privacy mandated by the SPDI Rules provide body corporates with a guide to establishing a sensitive personal data management system that is consistent with the DPDPA. The integration of these would form a strong data protection umbrella for the processing of sensitive personal information in the country.
-Team AMLEGALS, assisted by Ms. Khanak Sharma (Intern)