India’s U-Turns on Data Privacy
Privacy Laws & Business International Report, Issues 110-114, 2011
19 Pages Posted: 25 Nov 2011 Last revised: 1 Feb 2014
Date Written: October 24, 2011
India sought an ‘adequacy assessment’ from the EU in 2009/10 (no outcome has been announced) to ease compliance burdens in relation to outsourcing. By late 2010 it had no significant data protection laws in force. The Information Technology Act 2000 covered little of significance to data privacy, and the 2008 amendments to it, which could create remedies for disclosure of ‘sensitive’ information, depended on Rules yet to be made.

A year later, the situation is quite different. In April 2011 India implemented an extensive data privacy regime (limited to the private sector) through Rules made under s43A of the IT Act (as amended in 2008), the section dealing with negligence in providing and ‘maintaining reasonable security practices’. The essence of India’s data protection scheme seems to be that the Rules made under s43A form part of the obligations on companies both to have in place and to implement a comprehensive information security programme. Whether the whole s43A scheme is ultra vires, or even unconstitutional, may eventually be tested by the Courts, but for now it is the law. The Rules then set out a conventional set of data protection principles, provide data export limitations, and even attempt to control what use foreign recipients make of data from India when they use it in their own countries, an innovation sure to annoy those opposed to effective data protection. Enforcement of complaints is through a special system of investigation by Adjudicating Officers, with a right of appeal to the Cyber Appellate Tribunal (CAT). The whole system is as yet untested, but has the appearance of a serious data privacy regime, except for the absence of a data protection authority (DPA).

In August 2011 the relevant Ministry seemed to panic about what it had done with these Rules, and issued a ‘Press Note’ which purported to ‘clarify’ them to the effect that they did not apply to companies in India and overseas involved in outsourcing relationships. The interpretations in the ‘Press Note’ attempt to defy the meaning of the words in the Rules and the legislation, and should be regarded with scepticism.
A draft Privacy Bill, 2011 (India Legislative Department, 2011) has also become public, but has not been introduced into Parliament. If enacted, it would create a three-person Data Protection Authority of India (DPAI). The Bill would also create a statutory right of privacy (another first for the Asia-Pacific), open-ended in its definition but including rights of confidentiality, freedom from surveillance, and protection of personal data (possibly including the specific rights under the s43A Rules system). The Bill also sets out a detailed data privacy code, somewhat different from that under the s43A Rules. The DPAI would have very extensive functions, including keeping a register of data controllers (a step out of keeping with all other Asia-Pacific laws), and strong powers to investigate the actions of any data controller and issue directions to them. Individuals would be able to lodge complaints against data controllers with the CAT, which would be empowered to make any orders it thinks fit, including compensation. A bizarre aspect of the Bill, for a country seeking an EU adequacy finding, is that it limits its protection to Indian citizens. The Bill is very complex, including detailed controls on surveillance as well, but it is only a draft as yet and will undoubtedly be modified very considerably before it progresses.
India is therefore one of the few countries to have enacted data privacy laws for its private sector, but not for its public sector. That may not prove to be tenable in the longer run.