In April 2011, the Government of India had notified the “Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011” (“Rules”) under Section 43A of the Information Technology Act, 2000 (“Act”). These Rules were notified in furtherance of Section 43A for protection of individual data. Though these Rules were reformatory in nature, there were quite a few gray areas with respect to its applicability. We had undertaken an analysis of the same vide our hotline¹ dated June 18, 2011,

In view of these gray areas and industry concerns raised with regard to its applicability, the Ministry of Communications and Information Technology on August 24, 2011 issued a Press Note clarifying some of the provisions of these Rules.

· APPLICABILITY:

The Rules are regarding sensitive personal data or information² (“SPDI”) and are applicable to body corporate or any person located in India.

Analysis: The Rules had used the expressions “information”, “personal information” and “Sensitive Data and Information” interchangeably, leading to confusion as to which provisions would apply to what type of information. Section 43A under which the Rules have been issued, relates only to SPDI. The Press Note now clarifies that the Rules apply only in relation to SPDI.

Further, it has also been clarified that the Rules would only apply to body corporates or persons located in India. We have examined below different scenarios in relation to the applicability of these Rules, in view of the clarification issued:

i. In case of the body corporate located in India, the Rules will apply, irrespective of the location of the computer resource (i.e whether in India or abroad) and irrespective of the residential status of individuals;

ii. In case the body corporate is located abroad but a computer resource is located in India, then from a bare reading of Section 43A with Section 75, it appears that the provisions of the Act shall apply but the Press Note seems to suggest that the Rules will not apply to such a body corporate located abroad. Thus it will be interesting to see if the regulators / judiciary interpret the Rules so as to make a non Indian entity liable for contravention of the Act, when the Rules per se are not applicable to such entity.

iii. The Press Note states that the Rules will apply when the person is located in India. However, the Press Note does not clarify whether “person” as used therein in relation to applicability refers to “natural individuals”, or the data collector. Assuming it refers to “natural individuals”, then, even if the body corporate is located abroad handling data of individuals located in India through a computer resource located in India, the Rules may still apply.

· PROVIDER OF INFORMATION:

In the Rules the expression “provider of information” has been used in certain provisions, which had created confusion whether regulators intend to distinguish between the ‘individuals providing SPDI’ and ‘entities that collect such information and provide to another entity’. Now it has been clarified that ‘”provider of information” shall mean those natural persons who provide SPDI to a body corporate.

· COLLECTION & DISCLOSURE:

Rules governing collection and disclosure of SPDI (Rules 5³ & 6⁴) will not apply to any body corporate providing services relating to collection, storage, dealing or handling of SPDI under contractual obligation with any legal entity located within or outside India. The Rules will apply to a body corporate, providing services directly to the provider of information under a contractual obligation.

Analysis: This clarification addresses the concerns of the outsourcing industry, wherein Rules 5 & 6 will not apply to a body corporate that comes into possession of SPDI from another body corporate under a contract for the purpose of rendering services. The obligations under Rule 5 & 6 will only apply to the body corporate which provides services directly to the provider of information under a contract with the provider.

· PRIVACY POLICY:

The privacy policy, as prescribed in Rule 4, relates to the body corporate and is not with respect to any particular obligation under any contract.

Analysis: Any body corporate which collects, stores, deals or handles SPDI, irrespective of any contractual obligations, will need to fulfill the obligations as prescribed under Rule 4. The obligation under this Rule seems to be applicable to business processing companies who collect, store, deal or handle SPDI on behalf of third parties.

· CONSENT:

In Rule 5(1) consent includes consent given by any mode of electronic communication.

Analysis: Rule 5(1) had specified that the consent in relation to the purpose for which the SPDI may be collected and used may be obtained by letter, fax or e-mail. Press Note clarifies that the consent may also be obtained via electronic communication. Thus, as mentioned in our earlier hotline, consent obtained via a click through mechanism in an electronic medium should suffice.

The clarification as to the applicability and extent of these Rules, whereby they would apply only to body corporate / person located in India, is a welcome move since there were concerns raised about the consequences in relation to its extra territorial jurisdiction. Additionally, this Press Note also addresses the fears of the Industry as raised by NASSCOM and DSCI⁵ with respect to the adverse effect that the Rules would have had on the BPO industry. The Government’s initiative to issue this Press Note is laudable but its implementation may still raise certain practical challenges for some industry players. Also, companies should tread carefully and revisits their existing practices to determine various levels at which SPDI is collected, received, possessed, stored, dealt or handled, to ensure relevant compliances as specified in the Rules.

- Kartik Maheshwari, Huzefa Tavawalla & Gowree Gokhale