Indian Government Clarifies Application of Privacy and Security Rules

Posted

With the same lack of fanfare that accompanied the April 13 release of the Reasonable Security Practices and Procedures and Sensitive Personal Information rules , today the Indian government released a clarification to those rules to address the most serious concerns arising from ambiguities in the original provisions.

As we noted in our previous post on the new rules, Pillsbury does not provide legal advice on Indian law, but we have been in contact with the Indian legal community and service providers with regard to the new rules.

The Press Note provided on the Indian government’s web site states:

The Department of Information Technology had notified Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 under section 43A of the Information Technology Act, 2000 on 11.4.2011 vide notification no. G.S.R. 313(E).

These rules are regarding sensitive personal data or information and are applicable to the body corporate or any person located within India. Any such body corporate providing services relating to collection, storage, dealing or handling of sensitive personal data or information under contractual obligation with any legal entity located within or outside India is not subject to the requirement of Rules 5 & 6. Body corporate, providing services to the provider of information under a contractual obligation directly with them, as the case may be, however, is subject to Rules 5 & 6. Providers of information, as referred to in these Rules, are those natural persons who provide sensitive personal data or information to a body corporate. It is also clarified that privacy policy, as prescribed in Rule 4, relates to the body corporate and is not with respect to any particular obligation under any contract. Further, in Rule 5(1) consent includes consent given by any mode of electronic communication.

The clarification appears to confirm the general view expressed to us by Indian service providers and attorneys that the rules were unlikely to have extra-territorial application (i.e., application to data imported into India).

The clarification appears to limit the application of the new rules to companies in India (“These rules … are applicable to the body corporate or any person located within India”). It appears to exempt companies providing outsourced services to companies within and outside of India from Sections 5 (Collection of information) and 6 (Disclosure of information) of the rule (“Any such body corporate providing services relating to collection, storage, dealing or handling of sensitive personal data or information under contractual obligation with any legal entity located within or outside India is not subject to the requirement of Rules 5 & 6.”).

However, companies within India providing services directly to data subjects who are also in India appear to be still required to comply with Sections 5 and 6 of the rules (“Body corporate, providing services to the provider of information under a contractual obligation directly with them, as the case may be, however, is subject to Rules 5 & 6. Providers of information, as referred to in these Rules, are those natural persons who provide sensitive personal data or information to a body corporate.”)

The clarification also specifies that the privacy policy requirement in Section 4 applies to companies as a whole (i.e., a company that is subject to the rules must have a privacy policy that complies with the requirements of Section 4, but the obligations of Section 4 to not apply specifically to particular contracts).

Finally, the clarification specifies that the consent required under Section 5(1) can be electronic. Section 5(1) originally stated, “Body corporate or any person on its behalf shall obtain consent in writing through letter or fax or email from the provider of the sensitive personal data or information regarding purpose of usage before collection of such information.” Thus, the method of consent was a significant concern in the initial draft of the rules, since obtaining via letter or fax prior to the collection of sensitive information could be virtually impossible.

This clarification, provided reasonably quickly on government time scales, appears to address many of the concerns for non-Indian companies raised by the initial version of the new rules.

Despite this clarification, however, we continue to recommend that outsourcing contracts between US clients and Indian service providers that involve sensitive personal information should clearly put the burden on the Indian provider to comply with the rules to the extent applicable. The outsourcing contracts should also be clear on which party must bear the additional compliance costs resulting from these new rules and any future changes.