A simplified primer for startups on data protection

1. Data Protection 101 for Startups
Data protection law is concerned with questions of who can collect and use personal information and
the conditions under which it should be done. Prior to 2017, a large part of the Indian law on this
subject could be found in the Information Technology (Reasonable Security Practices and Procedures
and Sensitive Personal Data or Information) Rules, 2011 (“Data Protection Rules”) under the
Information Technology Act, 2000 (“IT Act”). Today, the Constitution of India, a plethora of cases and
sectoral regulations all must be read together for a comprehensive understanding of India’s data laws.
The Data Protection Rules and the IT Act
The Data Protection Rules impose general obligations on body corporates including companies, firms,
sole proprietorships, and other associations of individuals engaged in commercial or professional
activities, which handle sensitive personal data or information, or any persons who process personal
information on their behalf.
“Processing”
“Processing” is the broad term that includes collecting, receiving, possessing, storing, dealing, or
handling personal data. While these rules apply only to entities located in India, even those Indian
entities that process sensitive or personal information or the data of individuals situated outside India
are bound by their requirements.
“Sensitive personal data or information”
“Sensitive or personal data or information” means passwords, financial information, physical,
physiological and mental health conditions, sexual orientation, medical records and history, and
biometric information. It does not include any personal data that is freely available or accessible in
the public domain or furnished under the Right to Information Act, 2005 or under any other law.
Consent, “opt-out”, withdrawal of consent
In general, consent is the foundation of the scheme of the Data Protection Rules. If consent for
processing data or information is obtained through a standard form contract, then the terms of that
contract must be reasonable.
Any person who provides data should have at all times, while availing services from body corporates,
an option to opt out of providing the data or information. They should also have the option to
withdraw consent that might have provided earlier. However, if they do not consent or withdraw their
consent, the Data Protection Rules allow body corporates to deny the goods or services for which the
information was sought. People who provide data or information also have the right to review the
information they have provided and have it corrected if it is wrong.

2. Cross-border transfers
The export of sensitive personal data or information within or outside India is permissible, provided
that the same standards of data protection required in India are adhered to and that transfer is
necessary for the performance of a lawful contract or has been consented to by the provider of the
information.
Data retention
Apart from some financial sector entities that have to retain data for a certain period of time, there is
no prescribed limit to the period for which data can be stored. So even though the general principle
is that information should not be retained for longer than required, it is commonly retained until
limitation precludes any cause of action that may arise.
Complaints
Any complaints that the people who provide information may have with respect to the processing of
that information have to be addressed in a time-bound manner, and no later than a month from the
date of receiving the grievance. All companies that deal with data have to appoint a “Grievance
Officer” to redress such grievances.
Data Breaches
Some types of cyber security incidents, such as the targeted scanning or probing of critical networks
or systems, compromise of critical systems or information, and unauthorised access of IT systems or
data, have to be reported to the Indian Computer Emergency Response Team (“CERT-In”). It is an
organization set up under the IT Act, which has a duty to remain ethical and maintain “reasonable
controls and internal checks” to ensure the confidentiality of information relating to cyber security
incidents collected from individuals, organisations, and computer resources. All other data breaches
may be voluntarily disclosed to CERT-In.
Penalties
For negligence in implementing and maintaining security practices and procedures for protecting
sensitive personal data or information, a body corporate may be liable to pay compensation to the
people affected. No ceiling has been specified for the compensation that may have to paid in this
fashion, which is separate from other penalties.
The penalty for disclosing information, documents, correspondence, electronic records, or other
material to third parties, without the consent of the person disclosing the information, can extend to
imprisonment for up to two years and fines. Directors and others responsible for the conduct of the
business may be liable for the offences of companies unless they prove they did not have knowledge
of the contravention or that they exercised diligence to prevent the offence. A larger penalty -

3. imprisonment for up to three years and a fine, may be imposed on people, including intermediaries,
if they disclose personal information to third parties in breach of contract or without the consent of
the person to whom the personal information belongs.
Authority
In the absence of a data protection authority, clarifications on the IT Act and the Data Protection Rules
must be sought from the Ministry of Communications and Information Technology (“MCIT”), which
does not have a formal process for it.
Sectoral Guidelines
In addition to the general obligations placed by the IT Act and the Data Protection Rules, more specific
regulations apply in the finance, telecom, and insurance sectors.
Banks have to, under the regulations of the Reserve Bank of India (“RBI”), preserve the confidentiality
and availability of personal and sensitive information through suitable systems and processes.
Information obtained by banks and non-banking financial institutions through “know your customer”
schemes should remain confidential. Banks need to ensure while considering requests for data from
the government or other agencies, that the disclosure of information does not violate laws relating to
secrecy in banking transactions. Banks also have to obtain consent from customers before revealing
any information about credit cards. The RBI even recommends board-approved information security
policies and information security committees .
Under the Unified Licence Agreements issued by the Department of Telecommunications, telecom
service providers (“TSPs”) have to safeguard the privacy and confidentiality of the information they
receive while providing services to customers. It can only be disclosed with the prior consent of the
owner of the information and all subsequent disclosure has to be in accordance with the consent
obtained. They also have to maintain records of call details, exchange details, and internet provider
details for at least one year.
Under regulations issued by the Insurance Regulatory and Development Authority of India (“IRDA”),
insurers have to ensure that the service providers to whom they outsource insurance activities to,
maintain the confidentiality and security of policyholders’ information even after their contract
terminates. If an outsourcing agreement is terminated, insurers should ensure that they retrieve the
information from service providers and that customer information is not used further by service
providers.
Europe’s GDPR
The GDPR, or the General Data Protection Regulation, is the European Union's comprehensive data
protection regime. In some circumstances, it applies even to entities that process personal
information in India.
v
v
v

4. They are:
(1) if the processing is related to the offering of goods or services to people located in the European
Union, or
(2) if the processing is related to the monitoring of any part of their behaviour that happens in the
European Union.
Two types of entities have obligations under the GDPR –
(1) controllers, which are the entities that determine the means and purposes of processing data, and
(2) processors, which are the entities that process data on behalf of the controllers.
Th GDPR may apply to a vast majority of companies providing Software-As-A-Service, to outsourcing
companies, and to multinational companies that have subsidiaries in India.
Controller’s obligations
A controller's general obligation is to consider (a) the nature, scope, context, and purposes of
processing, and (b) the risks to the rights and freedoms (mainly privacy) of people, and implement
“appropriate technical and organisational measures” to comply with the GDPR.
To comply with the GDPR, a controller can implement data protection policies and adhere to codes of
conduct or certification mechanisms. They are obliged to consider the impact of processing on the
personal information of data subjects, at the time it determines the means of processing and then
throughout all its processing operations. This is called data protection by design. The GDPR also
requires a controller to ensure that the processing of personal data is ordinarily kept to the minimum
required for each specific purpose of processing. This is called data protection by default.
Data controllers should only process personal information lawfully. The GDPR lists the sets of
conditions, including the informed consent of data subjects, under which the processing of personal
information is lawful. For some types of information that are particularly sensitive, processing is only
lawful if an additional set of conditions are satisfied.
Controllers also have to adopt appropriate technical and organisational measures to ensure the
security and privacy of the personal data that they are processing. To determine what measures are
appropriate, they may have to first assess the risk to the privacy of data subjects. They may also have
obligations to limit the damage caused by threats to the privacy of data subjects, such as obligations
to notify data breaches.
Controllers are only allowed to use processors that guarantee technical and organisational measures
that meet GDPR standards under a written contract that establishes the terms of their relationship
and the obligations and rights of the controller.
v

5. The GDPR also lists the rights of data subjects over the data that is being processed, including the
rights to data portability and the right to erasure. These rights may place corresponding obligations
on controllers once they receive a request from a data subject. For instance, a data subject has a right
to receive from a controller, personal data in their control, in a commonly used format. Once a data
subject makes such a request to a data controller, the latter is obliged to make that information
available within a specified time period.
Processor’s obligations
A processor's most important obligation is to not process any personal information without
documented instructions from the controller. In addition to their contractual obligations to their
processors, they also have obligations in relation to security, record-keeping, and data breach
notifications.
Penalties
Non-compliance with the GDPR can attract administrative fines of up to 4% of the annual global
turnover of a controller or processor entity or €20 million – whichever is greater. It also provides
people the right to compensation for damage resulting from an infringement of the GDPR.
Impact of Puttaswamy
After many weeks of arguments, nine judges of the India’s Supreme Court unanimously held in August
of 2017 that the right to privacy was an intrinsic element of the fundamental right to life and personal
liberty. Puttaswamy, as the judgment came to be known, changed the contours of privacy law. It has
affected the interpretation of privacy rules and given birth to what may become a robust common law
tort of violation of privacy, independent of the statutory rules.
Any law that encroached upon the right to privacy would be subject to constitutional scrutiny, the
Supreme Court said. Such a law would have to be (a) legal, (b) necessary, and (c) proportional. As such,
the decision changed the prism through which India’s data laws are to be viewed.
The Supreme Court also instructed the government of India to put in place a law to protect the privacy
of the personal information of Indian citizens from state and non-state actors. Some of the recent
efforts at lawmaking need to be seen in that context.
Data Localisation for Payment Systems
A notification issued by the RBI in April, 2018 has serious implications for the data management
measures taken by payment system operators, whether operating from within or outside India. They
have to ensure that all the data related to their payment systems, including the complete end-to-end
transaction details and information collected, carried, and processed as part of a message or payment
instruction, should be stored only in systems located in India. The notification refers not only to data
v
v
v

6. stored with the system providers, but also with their service providers, intermediaries and third-party
vendors, and other entities in the payment ecosystem. The data relating to the foreign leg of an
international transaction can also be stored in the foreign country.
Apart from banks and NBFCs, this notification has fairly serious implications for Fin-tech companies.
DISHA
The Ministry of Health & Family Welfare has published a draft Digital Information Security in
Healthcare Act (“DISHA”), which addresses the collection, storage, treatment, ownership, and
transmission of and access to “digital health data” by “clinical establishments”. It provides for the
rights of the owners of data through concepts such as “informed consent” and the rectification of
incorrect data. The privacy and confidentiality obligations of clinical establishments include physical
and technical measures and processes, procedures for data breaches, and training and oversight of
personnel.
Punishments for serious offences under DISHA can include a minimum fine of INR 500,000 and
imprisonment that can extend from three years up to five years.
Do reach out to us if you have any comments or question.
Mathew Chacko Ankita Hariramani
mathew@spiceroutelegal.com ankita.hariramani@spiceroutelegal.com
Aadya Misra Aishwarya Todalbagi
aadya.misra@spiceroutelegal.com aishwarya.todalbagi@spiceroutelegal.com