September 9, 2011
On August 24, 2011, the Ministry of Communications and Information Technology of the Government of India ("IT Ministry"), through the Press Information Bureau, issued a press note ("Press Note") containing certain clarifications to the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 ("Data Privacy Rules") issued earlier in the year[1]. Most significantly, foreign companies are now excluded from the ambit of the obligations imposed by the Data Privacy Rules. Additionally, the scope of the Data Privacy Rules has been narrowed down with respect to Indian companies.
Background
Section 43A of the Information Technology Act, 2000 ("IT Act") required a body corporate that possesses, deals with or handles any "sensitive personal data or information" in a computer resource which it owns, controls or operates, to maintain "reasonable security practices and procedures". The terms "sensitive personal data or information", and "reasonable security practices and procedures" were not sufficiently defined.
The Data Privacy Rules defined the term "sensitive personal data or information" and required "body corporates" to observe certain standards in the collection, maintenance and disclosure of such data or information. Amongst other obligations under the Data Privacy Rules, information could only be collected with the informed consent of the provider, and for a lawful purpose. In addition, information could only be used for the purpose for which it was collected, and retained thereafter only for so long as was required for the purpose for which it was collected. However, the obligations imposed by the Data Privacy Rules applied to "body corporates", a term which did not appear to be limited to Indian companies alone, and there was growing concern that foreign companies would also be subject to the Data Privacy Rules.
Press Note Clarifications
The Press Note clarifies certain provisions of the Data Privacy Rules, which include:
[1] For more information, see Gibson Dunn’s client alert dated May 25, 2011, "Data Privacy Rules Enacted in India".
Gibson, Dunn & Crutcher lawyers are available to assist in addressing any questions you may have regarding these issues. For further details, please contact the Gibson Dunn lawyer with whom you work or the following lawyers in the firm’s Singapore office:
Jai S. Pathak (+65 6507 3683, [email protected])
Priya Mehra (+65 6507 3671, [email protected])
Please also feel free to contact the following co-chairs of the firm’s Information Technology and Data Privacy Practice Group:
M. Sean Royall – Dallas (214-698-3256, [email protected])
Debra Wong Yang – Los Angeles (213-229-7472, [email protected])
S. Ashlie Beringer – Palo Alto (650-849-5219, [email protected])
Alexander H. Southwell – New York (212-351-3981, [email protected])
© 2011 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.