India Adopts New Privacy and Security Rules for Personal Information

By Scott M. Hobby, Charles F. Hollis III, Derek C. Johnston, John B. Miller Jr., Peter C. Quittmeyer and Timothy R. Dodson

Excerpt: 2011 Emerging Issues 5837

SUMMARY: The Indian government recently adopted new information technology rules. The Rules impose India's first significant personal information privacy and data security regime. These Rules have spawned widespread concern and debate regarding interpretation because, literally read, they impose extremely burdensome obligations regarding collection of personal information by companies with no contacts with India other than use of outsourcing services.

New Rules Present Potential Compliance Challenges to Outsourcing Customers

As written, the Rules are more restrictive than those prescribed by the Gramm-Leach-Bliley Act and the EU Privacy Directive and can extend beyond India to any contravention of the IT Act committed outside of India by any person if a computer, computer system or computer network located in India is involved. There is no transition period for implementing the Rules, nor is there any "grandfathering" of prior practices with respect to the personal information collected prior to the date the Rules became effective.

The Rules apply not only to companies collecting and handling personal information in India, but also potentially to companies collecting personal information outside of India and either sending it to India for hosting, processing or other handling or permitting it to be accessed by computer systems located in India. Where "sensitive personal data or information" (as defined by the Rules and discussed further below) is involved, enhanced notice and consent safeguards are required. The mandates of the Rules fall into the categories of: (1) providing notice to and obtaining consent from the information provider regarding (a) the fact that the information is being collected, (b) the purposes for which the information is being collected, (c) the intended use of the information, and (d) the disclosure and/or transfer of the information to third parties; (2) establishment of and compliance with grievance resolution procedures; and (3) compliance with prescribed security practices and procedures to protect personal information. The consequences of the failure to comply with the Rules at present appear to be those prescribed under the IT Act. The "teeth" under the IT Act are contained in Sections 43A, 72 and 72A, which are described in greater detail below. These sections provide for a private cause of action for damages resulting from the negligent failure to maintain "reasonable security practices and procedures" to protect "sensitive personal data or information" (Section 43A) and penalties (fines and/or imprisonment) for unauthorized disclosure of personal information (Sections 72 and 72A).

Lexis.com subscribers can access the complete commentary, India Adopts New Privacy and Security Rules for Personal Information. Additional fees may be incurred. (approx. 13 pages)
