Net check by Rahul Matthan

Published on May 17, 2011. Modified on May 17, 2011.

The recently notified Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, have set the cat among the pigeons. The Rules contain everything one would expect to find in a full-blown privacy legislation, with separate provisions covering the manner in which companies collect, disclose and transfer personal data. There is widespread concern that the Rules will disrupt the way in which companies do business in India and dampen the enthusiasm of overseas corporations seeking to invest in the country.

But will these Rules have the impact that everyone fears?

In 2008, Section 43A was introduced into the IT Act. The section applied specifically to “bodies corporate” that either possessed, dealt with or handled sensitive personal data or information in a computer resource that they owned, controlled or operated. It stated that if, as a result of any negligence in the implementation or maintenance of reasonable security practices and procedures, any person suffered wrongful loss or gain, the body corporate responsible would be liable to pay damages by way of compensation to the person affected.

Some of the terms used in Section 43A such as “sensitive personal data or information” and “reasonable security practices and procedures” were left to be defined later by the Centre. In April 2011, the Central government enacted the Rules under Section 87(2)(ob) — a provision that empowers it to make rules relating to “reasonable security practices and procedures and sensitive personal data or information under Section 43A”. The language of the section makes it clear that the rule-making power of the Centre is limited to two matters: (a) reasonable security practices and procedures and (b) sensitive personal data or information. Even a cursory glance at the provisions of the Rules indicates that they go much further and articulate a privacy framework way beyond the mandate available under Section 87(2)(ob).

In this context, there is an argument to be made that the Rules should be struck down as being in excess of the rule-making power of the Centre. Such an argument will doubtless be successful should it be brought before the courts. However, if the Rules can be read harmoniously with the provisions of Section 43A, it may be possible to present an interpretation that is consistent. Let us take another look at the provisions of Section 43A. The explanation relating to the term “reasonable security practices and procedures” has been reproduced below:

“Reasonable security practices and procedures means those practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures as may be prescribed by the Central government in consultation with such professional bodies or associations as it may deem fit.”

The explanation makes it clear that the Central government has been authorised to prescribe reasonable security practices and procedures. If we can treat the Rules as a set of security practices and procedures in relation to collection, disclosure and transfer of sensitive personal data or information, it may be possible for us to harmoniously construe these Rules with the provisions of Section 43A to ensure that they both remain enforceable. What this means, however, is that the Rules would occupy a slightly less central position in the general scheme of data protection provisions.

If in fact the Rules are just a set of practices and procedures, Section 43A states that the practices and procedures prescribed by the Central government would only apply in the absence of an agreement or a law. If the parties have agreed on the security practices and procedures that would govern the treatment of sensitive personal data or information, this agreement will prevail over the Rules.

From this analysis it is clear that the Rules are not the all-encompassing privacy legislation that they appear to be. At worst they constitute an executive act in excess of the Central government’s administrative power to enact. At best they are no more than government-prescribed practices and procedures that bodies corporate could choose to follow in order to avoid the consequences set out in Section 43A.

The government of India is in the process of preparing a draft Privacy Bill that will set out the legal framework for the country’s data protection regime. Once enacted, the principles established under that legislation would form the benchmark against which privacy provisions of all laws in the country will be tested. As is evidenced by the strong reaction to the Rules, there is a crying need for some clarity on the subject. The sooner the law is passed, the better.

The writer is a Bangalore-based lawyer

The Indian Express, 17 May, 2011, http://www.indianexpress.com/news/net-check/791723/

