September 9, 2011
On August 24, 2011, the Ministry of Communications and Information Technology of the Government of India ("IT Ministry"), through the Press Information Bureau, issued a press note ("Press Note") containing certain clarifications to the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 ("Data Privacy Rules") issued earlier in the year. Most significantly, foreign companies are now excluded from the ambit of the obligations imposed by the Data Privacy Rules. Additionally, the scope of the Data Privacy Rules has been narrowed down with respect to Indian companies.
Section 43A of the Information Technology Act, 2000 ("IT Act") required a body corporate that possesses, deals with or handles any "sensitive personal data or information" in a computer resource which it owns, controls or operates, to maintain "reasonable security practices and procedures". The terms "sensitive personal data or information", and "reasonable security practices and procedures" were not sufficiently defined.
The Data Privacy Rules defined the term "sensitive personal data or information" and required "body corporates" to observe certain standards in the collection, maintenance and disclosure of such data or information. Amongst other obligations under the Data Privacy Rules, information could only be collected with the informed consent of the provider, and for a lawful purpose. In addition, information could only be used for the purpose for which it was collected, and retained thereafter only for so long as was required for the purpose for which it was collected. However, the obligations imposed by the Data Privacy Rules applied to "body corporates", a term which did not appear to be limited to Indian companies alone, and there was growing concern that foreign companies would also be subject to the Data Privacy Rules.
Press Note Clarifications
The Press Note clarifies certain provisions of the Data Privacy Rules, which include:
Gibson, Dunn & Crutcher lawyers are available to assist in addressing any questions you may have regarding these issues. For further details, please contact the Gibson Dunn lawyer with whom you work or the following lawyers in the firm’s Singapore office:
Please also feel free to contact the following co-chairs of the firm’s Information Technology and Data Privacy Practice Group:
M. Sean Royall – Dallas (214-698-3256, email@example.com)
Debra Wong Yang – Los Angeles (213-229-7472, firstname.lastname@example.org)
S. Ashlie Beringer – Palo Alto (650-849-5219, email@example.com)
Alexander H. Southwell – New York (212-351-3981, firstname.lastname@example.org)
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.