Chinese app ban – Data security in “Light” again
In a recent move, the Ministry of Electronics and Information Technology, Government of India (“Government”) banned fifty nine (59) Chinese mobile applications (“apps”), including TikTok, Helo, WeChat, ShareIT, UC Browser and Clubfactory. The Government stated that the move was taken to prevent the illegal transfer of data to China and to secure such data. However, it is more a response to the rising tensions between India and China following clashes at the border two (2) weeks ago in which twenty (20) Indian Army personnel were killed. The Ministry stated that the apps were prejudicial to the sovereignty and integrity of India, the defence of India, the security of the state and public order.
The step taken by the Government is in line with Section 69A of the Information Technology Act, 2000 (“IT Act”), read with the Procedure and Safeguards for Blocking of Access of Information by Public Rules, 2009.
Now even other mobile applications and entities involved in data transfer and data storage, including social media and content websites, appear apprehensive about when their websites or applications may face a ‘ban’ from the Government. Hence, it is important to understand the data security perspective in India.
Data privacy and security
Current scenario under Indian law
The provisions on data protection in India are contained in the IT Act. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“Rules”) protect sensitive personal data or information (“SPDI”). SPDI includes, inter alia, passwords, credit/debit card information, biometric information (such as DNA, fingerprints and voice patterns used for authentication purposes), and physical, physiological and mental health conditions. However, any information that is freely available or accessible in the public domain is not considered SPDI under the IT Act.
Section 43A and Section 72A of the IT Act give a right to compensation for improper disclosure of personal information.
Treaties and foreign laws
India is not a party to any convention on the protection of personal data. However, India has adopted or is a party to other international declarations and conventions, such as the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights, which, amongst other rights, recognise the right to privacy. Hence, security in the storage and transfer of data becomes essential.
Apart from that, Indian entities providing services abroad must in certain cases follow the principles and laws applicable there, as is the case with the General Data Protection Regulation (“GDPR”) in the EU.
Judicial precedent for safeguarding data
Personal data is protected through indirect safeguards developed by the courts under common law, principles of equity and the law of breach of confidence. In the landmark judgment of Justice K.S. Puttaswamy & Another vs. Union of India (Writ Petition (Civil) No. 494 of 2012), delivered in August 2017, the Supreme Court of India (“SC”) recognised the right to privacy as a fundamental right under Article 21 of the Constitution of India, 1950. Informational privacy was recognised as a facet of the right to privacy, and the SC held that information about a person, and the right to access that information, also need the protection of privacy. The SC stated that every person should have the right to control the commercial use of his or her identity, and that the right of individuals to exclusively exploit their identity and personal information commercially, to control the information that is available about them on the internet, and to disseminate certain personal information for limited purposes emanates from this right. The SC also recognised that enforcing the right to privacy against private entities may require legislative intervention.
Data security mechanisms in India
Addressing data security and shortfall in the IT Act
The IT Act was amended in 2008 to bring in new provisions such as Section 43A and Section 72A. Section 43A primarily deals with compensation for negligence in implementing and maintaining ‘reasonable security practices and procedures’ in relation to SPDI, while Section 72A mandates punishment for disclosure of ‘personal information’ in breach of a lawful contract or without the information provider’s consent. On April 13, 2011, the Rules were issued under Sub-section (2) of Section 87 read with Section 43A of the IT Act. The Rules apply only to body corporates and persons located in India, and in a few cases only to relations between an individual and a body corporate. Further, despite the plethora of data breach incidents in the recent past, the IT Act and the Rules in their current form do not fully address or set out technical and legislative standards for data storage and security, whether encryption standards, data storage requirements or security procedures. Such safety and security guidelines are instead set out piecemeal by individual government bodies, ministries, organisations and agencies.
RBI on payment data and servers
The Reserve Bank of India (RBI) issued a directive dated April 6, 2018 on ‘Storage of Payment System Data’ advising all system providers to ensure that, within a period of six (6) months, the entire data relating to payment systems operated by them is stored in a system only in India. The directions apply to all payment system operators (PSOs) authorised by the RBI to set up and operate a payment system in India under the Payment and Settlement Systems Act, 2007. The RBI has clarified that all payments-related data has to be stored within India and, in cases where data is processed outside the country, it needs to be brought back into the country within twenty four (24) hours. There is no bar on processing payment transactions outside India if the PSOs so desire. However, the data shall be stored only in India after the processing is completed outside the country.
Defence and data security
The Ministry of Defence issued a Security Manual for Licensed Defence Industries detailing guidelines for computer and cyber security. Companies are to follow the guidelines under ISO 27001. ISO 27001 compliance involves a comprehensive evaluation of the technical and non-technical security features of an information system, carried out as part of and in support of the accreditation process, to establish the extent to which a particular design and implementation meet a specified set of security requirements. The compliance process subjects the system to appropriate verification that protection measures have been correctly implemented. Internal review shall confirm that all systems have the appropriate protection measures in place and validate that they provide the protection intended.
SEBI guidelines for internet banking and services
The Securities and Exchange Board of India (SEBI) prescribes sixty four (64)-bit/one hundred twenty eight (128)-bit encryption for standard network security and mandates the use of encryption technology for the security, reliability and confidentiality of data.
RBI guidelines for internet banking
The RBI recommends public key infrastructure as the most favoured technology for secure internet banking services. In order to carry out secure internet banking transactions, banks should use one hundred twenty eight (128)-bit Secure Sockets Layer (SSL) encryption to secure browser-to-web-server communications, and should encrypt sensitive data such as passwords in transit within the enterprise itself.
Lack of legislation/policy/guidelines covering data security and data storage
India has neither a comprehensive policy on encryption and data storage nor specific legislation governing the use of encryption techniques to secure electronic communication. The IT Act is also silent on the level and type of encryption that a person or organisation may deploy to protect electronic communication and data. The Department of Telecommunications (DoT), in the ‘Guidelines for the grant of Licence for Operating Internet Service’ (“ISP Guidelines”) and in the ‘Licence Agreement for the Provision of Internet Service’ (“ISP Licence Agreement”) entered into between the DoT and the Internet Service Provider (ISP) for the provision of internet services in India, states that corporates are permitted to use up to a forty (40)-bit key length in symmetric key algorithms, or its equivalent in other algorithms, without obtaining permission from the DoT; any encryption equipment stronger than this limit may be used only with the prior approval of the DoT. In addition to the ISP Guidelines and the ISP Licence Agreement, various sectoral or industry-specific regulations already in place in India prescribe a higher level of encryption, but, strangely, there is no legislation covering “private entities” generally.
EU – GDPR – a ‘somewhat’ model law for data security
The GDPR is the most prevalent law on data protection and cyber security in the world. There has been cooperation amongst countries with regard to the GDPR: it binds not only EU member states, as its territorial reach extends to other countries. Many countries have to comply with the GDPR because some of its obligations extend beyond the territorial limits of the EU. Article 32 of the GDPR requires data processors to implement technical and organisational measures that ensure a level of data security appropriate to the risk presented by the processing of personal data. It specifies that the data processor must take steps to ensure that any natural person with access to personal data does not process the data except on the instruction of the controller or processor, or as required by European Union law or member state law. Article 34 states that when a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. Article 83 of the GDPR sets out the penalty for violation of these rules, which extends to a fine of up to ten million Euros (€10 million) or, in the case of an enterprise, up to two per cent (2%) of the annual worldwide turnover of the preceding financial year, whichever is greater.
However, strangely enough, the location of data servers under the GDPR remains in the hands of the entities, which are free to have their servers located outside the EU.
Personal Data Protection Bill 2019 – India’s future to secure and protect data
The Government of India constituted a committee to propose a draft statute on data protection. The committee proposed a draft law, and the Government of India has since issued the Personal Data Protection Bill 2019 (“PDP Bill”). The PDP Bill was introduced in the Lok Sabha by the Minister of Electronics and Information Technology, Mr. Ravi Shankar Prasad, on December 11, 2019. This will be India’s first law on the protection of personal data and, after its enactment, will repeal Section 43A of the IT Act.
The PDP Bill amongst other aspects proposes creating a ‘Data Protection Authority of India’. The Authority will be responsible for protecting the interests of data principals, preventing misuse of personal data and ensuring compliance with the new law.
The PDP Bill sets out certain rights of the individual. These include the right to:
(i) obtain confirmation from the fiduciary on whether their personal data has been processed;
(ii) seek correction of inaccurate, incomplete, or out-of-date personal data;
(iii) have personal data transferred to any other data fiduciary in certain circumstances; and
(iv) restrict continuing disclosure of their personal data by a fiduciary, if it is no longer necessary or consent is withdrawn.
In terms of data transfer, the PDP Bill provides that sensitive personal data may be transferred outside India for processing if explicitly consented to by the individual, and subject to certain additional conditions. However, such sensitive personal data should continue to be stored in India. Certain personal data notified as critical personal data by the Government can only be processed in India.
One of the key aspects of the PDP Bill is section 40, which aims to restrict cross-border transfer of data. The section requires that (i) persons dealing with such data store it on a server or data centre located in India or mirror it in India; and (ii) “critical personal data”, as notified by the Central Government, shall only be stored and processed in India. Further, section 41 of the Bill sets out the conditions for cross-border transfer of personal data which, subject to the prior consent of the individual concerned, is permitted, amongst others, on the following bases: (i) standard contractual clauses or intra-group schemes; and (ii) with the permission of the Government, transfer to a country, a sector within a country or an international organisation.
However, strangely, section 41 of the PDP Bill does not apply to critical personal data. One of the important aspects of the Bill is that it provides for localisation of data within the territory of India to protect the personal data of citizens and organisations in the interest of national security.
While the world at large and India grapple with hackers and data thieves, it is a bit strange that data security standards and frameworks have taken a backseat, and that legislators are not as concerned with data security as with other issues. With the recent announcements in the COVID-19 packages of the opening up of Indian markets in various sectors, including defence and space, data security acquires “prime importance”. Not only will data be transferred from the Government; private bodies will also be involved. ‘Transfer of Technology’ in defence and space technologies needs adequate protection so as not to be impeded by data breaches. Further, Government entities and data storage and data transfer providers need to adopt technologies, including “Blockchain”, at a much faster pace.
Hence, rather than waiting for legislation to implement security standards, and to avoid having one’s website or mobile application banned, it is advisable that the industry adopt ‘self-regulatory standards/mechanisms/procedures’ (“Standards”). The Standards should include appropriate levels and written guidance for self-regulation, a proper framework of organisational, administrative, physical and technical safeguards, and detailed procedural guidelines to be implemented for protecting the security of personal data, including against unauthorised or accidental access, damage, loss or other risks presented through data processing. Such self-regulation should also be reviewed from time to time and appropriate measures taken to modify the Standards. This would help the industry in the long term: rather than waiting for compliance through legislation, it allays fears about the security and storage of data through self-monitoring.
This update is by Shambhavi Singh, Advocate & Associate at Agarwal Jetley & Co., Advocates & Solicitors. Contact: Email: firstname.lastname@example.org or Mob: (+91) - 9650424966