Final India Privacy Rules Do Little to Contain Potential Wide Scope of Business Mandates
India's final data security and privacy rules “may have a significant effect on any company doing business in India or outsourcing business activities to India,” Miriam Wugmeister, chair of the Global Privacy and Data Security Group at Morrison & Foerster LLP, in New York City, told BNA May 4.
“The scope of the law appears to cover all companies operating in India, whether they are handling information relating to individuals in India and whether they are data controllers or merely service providers,” Wugmeister said.
The final version of the rules, which took effect April 13, includes significant changes to the draft data security rules released in February, such as taking a far less expansive approach in defining “sensitive personal data” that requires special handling by businesses in the country. But overall, companies with interests in India still face an expansive set of new requirements.
Concerns about the scope of the law’s ability to sweep in a broad range of businesses were not ameliorated by the final rules, Cynthia J. Rich, Morrison & Foerster senior policy analyst, in Washington, told BNA May 5.
Rich and Wugmeister May 4 issued a detailed client alert analyzing the new final rules and the overall impact of the data protection laws they implement.
Separate rules implementing the country’s data protection law, which were also published April 13, cover internet and other service providers’ due diligence requirements for posted content and set customer identification and data retention rules for Cyber Cafes.
Final Rules Rein in Sensitive Data Definition
The 2008 amendments to the Information Technology Act 2000 brought the concept of “personal” data into Indian law for the first time. But the data protection provisions of the 2008 law requiring protection of “sensitive personal data” did not define the term (8 PVLR 248, 2/9/09).
The draft rules released in February by the Ministry of Communications and Information Technology’s Department of Information Technology presented an expansive definition of sensitive personal data covering any personal “information received by [a business] for processing” (10 PVLR 336, 2/28/11).
At the time the draft rules were released, Wugmeister told BNA that “sensitive information is defined so expansively that it would effectively cover any personal information. No other country has defined sensitive information to include information that is clearly non-sensitive in nature.”
The final rules limit the need for businesses to comply with special data subject consent and other data handling restrictions to a “sensitive personal data” list of defined financial and health data, sexual orientation information, and passwords. In the final rules, call data was removed from the list of sensitive information that was set forth in the draft rules.
Written Consent Before Collection Added
Under the final rules, businesses are required to obtain the written consent of data subjects in advance of collecting their data and to inform them of the intended uses of their data, limit the use of collected data to its intended lawful purpose, and allow data subjects to review and correct their collected data.
The draft rules would have required only that consent be obtained from data subjects by any means and did not specify that such consent had to be given in advance of data collection.
The final rules also added a provision to allow data subjects to withdraw their earlier consent. In another addition in the final rules, businesses are now required to designate a grievance officer to address data subject complaints about consent and other information handling issues.
A wholly new provision was added in the final rules on transfer of sensitive personal data. Under the new provision, businesses in India may transfer sensitive information to other businesses or individuals in India or outside of the country only if the originating company ensures that the business or individual receiving the data provides “the same level of data protection” as required by the final rules…