India Unit 3B Section 43A, IT Rules 2011 II Flashcards

1
Q

What does IT Rules 2011 regulate?

A

The IT Rules broadly regulate the:
- Collection, receipt, possession, use, storage, dealing or handling of sensitive personal data or information (SPDI)
- Transfer or disclosure of SPDI
- Security procedures for protecting SPDI
- Transfer of SPDI outside India
- Disclosure of SPDI to the government
- Retention of SPDI
- Review and correction of SPDI
- Deletion of SPDI on withdrawal of consent

2
Q

What is one of the complications with the IT Rules 2011?

A

The complication is that some rules do not apply directly to data subjects, only to “providers” of information
- This means that in the case of outsourced processing, the data controller, not the data processor, is liable, provided the data subject has someone against whom to take action
- This can also mean that where the data subject is not the “provider” of the information to the data controller (e.g. collection of personal data from third parties, by observation or from documentary sources), none of these data protection rules will apply

3
Q

What are Rules 4 to 8 of the IT Rules 2011 under Section 43A?

A

Under Section 43A, “bodies corporate” can be liable if they are negligent in implementing and maintaining “reasonable security practices and procedures” to protect “sensitive personal data or information” and that negligence causes wrongful loss or wrongful gain to any person.

Rule 4 Privacy policies required
Rule 5 Data protection principles
- Consent and purpose limitation
- Lawful purpose and minimal collection
- Notice and purpose limitation
- Retention
- Use
- Subject access and correction
- Option to refuse or withdraw consent
- Security
- Complaint handling
Rule 6 Disclosure limitations and exceptions
Rule 6* Data processing
Rule 7 Data export restriction
Rule 8 Reasonable security

4
Q

Rule 4 - Provide Privacy Policy. What must a body corporate do?

A

Every body corporate that deals with sensitive personal data or information (SPDI) must have a privacy policy with:
- Clear and easily accessible statements of its practices and policies
- Type of personal or sensitive personal data or information collected
- Purpose of collection and usage of such information
- Disclosure of information including sensitive personal data or information
- Reasonable security practices and procedures

5
Q

Rule 5(1) - Consent and Purpose Limitation. What must a body corporate do before collecting SPDI?

A

Rule 5(1) - Consent and Purpose Limitation
- A body corporate cannot collect SPDI unless it obtains the prior consent of the provider of the information
- The consent has to be provided by letter, fax or email
- Applies only to sensitive data and to “Provider of information” dealing directly with the data subject

6
Q

Rule 5(2) Lawful purpose and minimal collection. For what purposes can a body corporate collect SPDI?

A
  • Collected for lawful purposes “connected with a function or activity of the agency” and only necessary for that purpose
  • Applies to sensitive data only
  • Prior to collecting the information, give the option to the provider of the information to not provide such information. (In such case, the body corporate can cease providing the goods and services for which the information is sought.)

7
Q

Rule 5(3) Notice and Purpose Limitation. What must a body corporate ensure?

A
  • The body corporate should ensure that the provider of the information is aware that the information is being collected, the purpose of use of the information, the recipients of the information and the name and address of the agency collecting the information
  • Prior consent is required for disclosure of the information to any party other than the government
  • Applies to all personal information
  • Note: Does not apply when personal data is collected from third parties

8
Q

Rule 5(4) Retention and 5(5) Use. Under what circumstances can SPDI be retained? How can the information be used?

A
  • The body corporate cannot retain the SPDI for longer than is required for the purposes for which the information may lawfully be used or is otherwise required under any other law
  • Does not expressly cover the case where the purpose of collection has expired
  • Applies to controllers
  • The body corporate can use personal information only for the purpose for which it was collected

9
Q

Rule 5(6) Access and Correction. What must a body corporate do when it receives an access request?

A
  • The body corporate should permit the provider of the information to review that information and should ensure that any information found to be inaccurate or deficient is corrected
  • Provided that a body corporate shall not be responsible for the authenticity of the personal information or sensitive personal data or information supplied by the provider of information to such body corporate or any other person acting on behalf of such body corporate.

10
Q

Rule 5(7) Option to refuse or withdraw consent. What must a body corporate provide before collecting information?

A
  • The body corporate must provide an option to the provider of the information not to provide the data or information sought to be collected
  • The provider of the information also has the right to withdraw its consent to the collection and use of the information

11
Q

Rule 5(8) Security. What is Rule 5(8)?

A

The body corporate must “keep the information secure”

12
Q

Rule 5(9) Complaint handling. Whom must a body corporate designate, and within how long must complaints or grievances be redressed?

A
  • The body corporate must address complaints by the provider of the information
  • Note: may not have the obligation to address and respond to any complaints by data subjects
  • For this purpose, the body corporate shall designate a Grievance Officer and publish his name and contact details on its website. The Grievance Officer shall redress the grievances of the provider of information expeditiously, but within one month from the date of receipt of the grievance.

13
Q

Rule 6 Disclosure limitation and exceptions. What must a body corporate do before disclosing information? What are the exceptions?

A
  • Prior permission is required if disclosing personal data or information to any third party
  • Exceptions: performance of a contract, compliance with a legal obligation, request from government agencies
  • Sensitive personal data or information cannot be published

14
Q

Rule 7 Transfer of information. When can a body corporate transfer information overseas?

A
  • Transnational transfer. A body corporate can only transfer the SPDI or information to a party overseas if the overseas party ensures the same level of protection provided for under the Indian rules
  • Information can be transferred only if it is necessary for the performance of a lawful contract between the body corporate and the information provider or where the information provider has provided his consent to such transfer

15
Q

Rule 8 - RSPP. What is Rule 8 about? What procedures and standards? What type of audit must be done?

A
  • The IT Act requires reasonable security procedures to be maintained in order to escape liability.
  • Reasonable security procedures needed: either (a) the IS/ISO/IEC 27001 standard on “Information Technology – Security Techniques – Information Security Management System – Requirements”; or (b) a code developed by an industry association and approved and notified by the government.
  • The security procedure has to be audited on a regular basis by an independent auditor who has been approved by the Government of India.
  • Such an audit should be carried out at least once a year, or as and when the body corporate has undertaken a significant upgradation of its computer resource.

16
Q

What are the issues of “negligent” vs “failure to implement”?

A

Section 43A and the Rules are clearly intended to impose liability on
- Business Process Outsourcing (BPO)
- Information Technology Enabled Services (ITES)
- Other outsourced providers.

Note that this section imposes liability only if the body corporate has been negligent in implementing its security practice and procedures and that negligence causes wrongful loss or wrongful gain to any person.

“Negligent” vs “Failure to implement”
Issues of causation and measurement of loss or gain

17
Q

Why were the IT Rules 2021 enacted?

A

These Rules substantially empower the ordinary users of digital platforms to seek redressal for their grievances and command accountability in case of infringement of their rights.
- Supreme Court in suo-moto writ petition (Prajjawala case) vide order (11/12/2018) observed that Government of India may frame necessary guidelines to eliminate child pornography, rape and gangrape imageries, videos and sites in content hosting platforms and other applications.
- Supreme Court vide order (24/09/2019) directed MEITY to apprise it of the timeline for completing the process of notifying the new rules.
- In a Calling Attention Motion on the misuse of social media and the spread of fake news in the Rajya Sabha (26/07/2018), the Minister conveyed to the House the resolve of the Government to strengthen the legal framework and make social media platforms accountable under the law. He conveyed this after repeated demands from Members of Parliament to take corrective measures.
- Ad-hoc committee of the Rajya Sabha laid its report (03/02/2020) after studying the alarming issue of pornography on social media and its effect on children and society as a whole, and recommended enabling identification of the first originator of such content.
- Rules published on 25 February 2021.
- Suit filed against the Indian Government by WhatsApp on 25 May 2021 asking the Delhi High Court to declare the rules to be a violation of the constitutional right to privacy (because they require social media companies to identify who posted information, if government authorities require them to do so).
- 16 August 2021, the Bombay High Court ordered part of the rules be put on hold because they restrict the freedom of speech and expression by the media.
- 31 August 2021: in the Delhi High Court the government defended the Rules on the basis that they prevent the misuse of the freedom of the press and protect citizens from fake news.

18
Q

What must intermediaries do under IT Rules 2021?

A

Due Diligence to be followed by Intermediaries:
- Grievance Redressal Mechanism
- Ensure Online Safety and Dignity of Users, especially women users
- 2 categories of social media intermediaries (SMI): SMI and Significant SMI (based on the number of users on the social media platform; the Government is to notify the threshold of user base)

19
Q

What must significant social media intermediaries do under IT Rules 2021?

A

For Significant Social Media Intermediary:
- Appoint Chief Compliance Officer (resident in India)
- Appoint Nodal Person (for 24x7 coordination with regulators, resident in India)
- Appoint Resident Grievance Officer (resident in India)
- Publish monthly compliance report
- Identify first originator of information
- Voluntary user verification mechanism
- Giving users an opportunity to be heard
- Removal of unlawful information

20
Q

What are in the Digital Media Ethics Code?

A

Digital Media Ethics Code Relating to Digital Media and OTT Platforms to Be Administered by Ministry of Information and Broadcasting

The Rules establish a soft-touch self-regulatory architecture and a Code of Ethics and three tier grievance redressal mechanism for news publishers and OTT Platforms and digital media.

  • Code of Ethics for online news, OTT platforms and digital media
  • Self-Classification of Content
  • Publishers of news on digital media must observe the Norms of Journalistic Conduct of the Press Council of India and the Programme Code under the Cable Television Networks (Regulation) Act
  • Three-level grievance redressal mechanism

21
Q

What are the three levels of the grievance redressal mechanism of the IT Rules 2021?

A

Three-level grievance redressal mechanism

1) Self-regulation by the Publisher: appoint a Grievance Redressal Officer based in India responsible for redressal of grievances received. Decision on every grievance received within 15 days.

2) Self-Regulatory Body: one or more self-regulatory bodies of publishers. Such a body shall be headed by a retired judge of the Supreme Court or a High Court, or an independent eminent person, and have not more than six members. The body must register with the Ministry of Information and Broadcasting. It oversees adherence by publishers to the Code of Ethics and addresses grievances not resolved by the publisher within 15 days.

3) Oversight Mechanism: Ministry of Information and Broadcasting shall formulate an oversight mechanism. It shall publish a charter for self-regulating bodies, including Codes of Practices. It shall establish an Inter-Departmental Committee for hearing grievances.

22
Q

Why is India’s data protection framework not considered adequate by the EU?

A

Article 25 EU Data Protection Directive on Data Transfer

In 2012, the Indian government demanded that the EU designate it as a data-secure country: “We have made adequate changes in our domestic data protection laws to ensure high security of data that flows in”

EU Analysis of India:
- No general right to personal data protection in India
- Indian concept of privacy different from European one. Right to privacy also used to protect women’s rights as well as to protect the home from the police
- The Indian IT Act 2000 does not give adequate protection; it is more an act about e-commerce and cybercrime than a data protection act (DPA)
- CICRA 2005, which contains certain data protection provisions, is limited in scope