Cybersecurity

Data Protection And Privacy Laws In India

Editor: Please tell us about your professional background.

Advani: I am a California attorney, and my practice emphasizes complex general civil litigation matters in federal and state trial and appellate courts. I am also licensed to practice law in my native India. In my 25-year practice, I have represented major institutional and individual clients in a variety of civil litigation matters, and I have also been lead counsel in several dozen appellate matters, including cases in the Ninth Circuit Court of Appeals, the California Courts of Appeal and the California Supreme Court. I also currently serve on the advisory board of UBIC North America, a leading provider of cross-border Asian-language e-discovery and forensic solutions globally.

I am the founding president of the original South Asian Bar Association (SABA) in San Francisco, and I have served on the Executive Committee of the North American South Asian Bar Association and recently served as vice president of its 2013 Convention in San Francisco. In addition to my work with the South Asian community, I’ve also served as a member of the California Committee of Bar Examiners, the Ethnic Minority Relations Committee of the State Bar of California and the executive committee of the International Law Section of the State Bar of California. I’ve received many awards, including SABA’s 20th anniversary award at the annual SABA gala this year and Minority Bar Coalition’s award for outstanding service to the community.

Editor: What’s the status of the Asia-Pacific Economic Cooperation forum (APEC) Cross Border Privacy Rules?

Advani: APEC is a group of 21 member economies. The Cross Border Privacy Rules (CBPR) System it developed is a self-regulatory initiative that addresses cross-border data flows between the United States and other APEC member economies through voluntary and enforceable codes of conduct adopted by participating businesses. The U.S. was the first APEC member to be named as an approved participant in the APEC CBPR System, and the Federal Trade Commission is the System’s first enforcement authority. Currently, Mexico is also an APEC-certified economy, and the Japanese government has applied to participate in the APEC CBPR. Each application for certification is reviewed to verify that the economy has the necessary legal mechanisms to ensure that certified companies can be held accountable.

TRUSTe, a global data privacy management company, was recently approved as Accountability Agent for the CBPR system. As such, TRUSTe will review, certify, monitor and enforce the privacy practices of participating companies to ensure compliance with the CBPR System program requirements.

Many jurisdictions in the member economies are developing rules to be consistent with the APEC CBPR. For example, the Philippines enacted the Data Privacy Act 2012, which introduced a data privacy regime in the country for the first time. Under the Act, data transfers from the Philippines will be subject to the accountability principle. The Act contemplates cross-border arrangements and cooperation and allows for future implementation of the APEC CBPR.

Editor: Please outline for our readers India’s Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

Advani: On April 11, 2011, India adopted new privacy regulations known as the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “Rules”). The Rules impose wide-ranging obligations on any company that “collects, receives, possesses, stores, deals with or handles” personal information. These obligations require companies to provide privacy policies, restrict the processing of sensitive personal data, restrict international data transfers and require additional security measures. The Rules are similar in many respects to existing EU data protection laws.

An individual must be informed that his or her data is being collected, the purpose for which the data is being collected, the intended recipients of the data and the contact details of both the agency collecting the data and the agency that will retain the data. Further, all data can be processed only for the purpose for which it was collected.

Sensitive personal data includes physical, physiological and mental health conditions, medical records and history, and sexual orientation. The definition also includes biometric data, passwords and financial information such as bank account details and credit and debit card details. It excludes information that is already in the public domain. The prior written consent of an individual is required before his or her sensitive personal data may be processed; this may be obtained by letter or electronically. The provider of personal data must be given the option not to provide any data or withdraw consent at any time. Such data can only be collected for a lawful purpose; it must be necessary for that purpose; and it may not be retained for a longer time period than required for the purpose for which it may lawfully be used. Individuals have the right to review the information to determine accuracy, and such data can be provided to third parties only with their consent. There are exceptions where the disclosure has been agreed to contractually, is required for legal compliance purposes, or where the disclosure is to government agencies mandated to obtain the information for specific purposes. The Rules further mandate companies to have comprehensive and documented security programs.

The Rules provide that a company may transfer sensitive personal data or information to another body (corporate or person) in India or abroad where the same level of data protection is assured. The Rules also stipulate that “the transfer may be allowed only if it is necessary” for the performance of a lawful contract with the provider of the data or with their consent. Finally, under the law, disclosure of information, knowingly and intentionally, without the consent of the person concerned and in breach of the lawful contract, has also been made punishable with imprisonment for a term extending up to three years and a fine extending to INR 5,000,000 (about $8,500).

I should also point out that the courts in India have implicitly read the right of privacy guaranteed by the Indian Constitution in a provision that deals with freedom of speech and expression under Article 19(1).

Editor: How are the Indian courts different from other jurisdictions in the Asia-Pacific region?

Advani: If you look across the Asia-Pacific region, the rules are quite similar. They restrict disclosure of personal and sensitive information without the consent of the person and only under certain specified circumstances. Personal information may not be used for any other purposes or kept for any period longer than needed. There are minor local variations, and consequences may be different, but they all provide basically the same type of protection. Consequences of failure to comply with them differ from jurisdiction to jurisdiction and may involve heavy fines and even prison time in some jurisdictions, including in India.

Editor: Have the courts had many opportunities to interpret India’s Information Technology Rules, and, if so, have the Rules been enforced?

Advani: I’m not aware of any significant reported decisions, as the laws are fairly new. The lower court decisions in India are not reported, and we have to wait for a State High Court or Supreme Court of India decision.

Editor: How do the Rules adopted by India affect U.S. companies with outsourcing operations in India?

Advani: The Rules are applicable to all organizations that collect and use sensitive personal data and information in India. These Rules seem to have had a broad impact on India’s outsourcing industry, putting severe limitations on India’s outsourcers in both acquiring and transferring sensitive personal data. These Rules potentially could have proved burdensome to India’s $41 billion outsourcing industry. Before the Rules were adopted, the flow of data between the United States and India had long been unrestricted and largely unregulated. The new Indian Rules are more stringent than the U.S. rules, requiring U.S. companies doing business in India to update their privacy policies. The Rules also seemed quite impractical to the extent that they required written consent from every foreign citizen whose sensitive personal data moved through India’s enormous collection of call centers and other outsourcing operations.

As a result of this confusion, which could severely limit or cripple India’s business processing operations, the Indian government issued an official clarification concerning its new broad privacy regulations and noted that sensitive personal data sent to India by customers outsourcing information technology work will not be covered by the Rules. Rather, the new privacy rules only apply to Indian companies that collect information from “natural persons.” It is the companies collecting and sending the data, as opposed to the outsourcers, who are responsible for protecting the privacy of the data according to the rules of their respective countries. Therefore, U.S. companies sending data for processing to Indian outsourcers will be required to follow the privacy laws of the United States, not India.

Editor: Many e-discovery vendors offer onsite review in foreign jurisdictions. Is this advisable for American companies operating in India?

Advani: Absolutely. It is very important to have local people who are intimately familiar with the culture and practices of a particular jurisdiction to collect data in the jurisdiction that may be responsive to a U.S. discovery request. This applies to all jurisdictions, but it is particularly true in the Asian jurisdictions because of the cultural and language barriers.

Editor: Should a company obtain advance disclosure consent from its employees? Have Indian companies adopted this practice?

Advani: The Rules adopted in India in 2011 expressly require such consent. Employers will need to prepare a privacy policy and obtain the consent of the employees to the privacy policy by fax, letter or email. Most large companies, multinational and Indian, have large compliance and legal departments to make sure the companies comply with all laws of that jurisdiction. Beyond that, it is unclear to what extent these Rules are being followed by Indian employers. The enforcement of such Rules is lax and not a top priority because there are so many other problems to contend with. Also, in the case of an employee, it is always debatable whether consent was voluntarily given. An employee may contend that he or she did not believe there was any choice except to sign on the dotted line. Undoubtedly, all of this will be tested in the courts.

Editor: Can a U.S. court order production of electronic data located in a foreign jurisdiction even though the laws of that jurisdiction prohibit such disclosure?

Advani: A U.S. court has the power to order a party to U.S. litigation to provide documents located in another jurisdiction even if that party is not allowed to do so by laws of the country where the data is located. In fact, the U.S. courts consistently reject such claims. While there is a process to resolve such conflicts, the U.S. courts have consistently sided with the party seeking discovery and ordered productions, sometimes with adverse consequences to the responding party. To successfully resist such discovery, a party has to make a strong showing of serious legal consequences in the jurisdiction where the data is located. Please refer to my white paper for an extensive discussion of that issue, linked here: http://www.ubicna.com/en/marketing/PDFs/WhitePaper_2013-10-15.pdf

Editor: How would you compare Indian and Western attitudes toward privacy?

Advani: I believe people in India have only recently started waking up to privacy rights. For a great majority of the population, privacy is not a priority. You see that as an issue among educated middle-class and upper-class people and civil libertarians, but the rest of the population neither understands nor cares.

Editor: What effect, if any, have the recent Snowden/Manning/NSA scandals in the U.S. had on Indian perceptions of privacy?

Advani: As I mentioned, except for certain segments of the population, privacy rights are not that important to people in India. The Indian government, on the other hand, did not find anything wrong with the NSA snooping around the world. It believes that some of the spying on its citizens is essential to preventing serious terrorist attacks, which is not surprising, given the fact that India too is at the center of such a debate. India is set to expand its own surveillance activities through the Centralized Monitoring System, a network that allows intelligence agencies to monitor phone calls, emails and the social networking patterns of telephone and Internet users in the country.
