India Unit 3C Enforcement II Flashcards

1
Q

How much can a body corporate be fined under the IT Act for breaching the data protection rules? / What are the penalties under Section 66? Compare the penalties under Section 72 vs Section 72A.

A

Section 66 is a criminal offence: anyone who "dishonestly or fraudulently" does any of the acts listed in Section 43 (e.g. unauthorised access, downloading or copying data, introducing a virus, damaging or disrupting a computer system) is punishable with imprisonment of up to three years, a fine of up to INR 500,000 (about US$7,000), or both. Fraudulent use of another person's password, electronic signature or other unique identifier is a separate offence, identity theft under Section 66C, carrying the same maximum penalty.

Sections 72 and 72A both punish disclosure of personal information, but at different levels:
- Section 72 (breach of confidentiality and privacy) applies to persons who obtained access to records or information while exercising powers conferred under the IT Act and disclose them without consent: imprisonment of up to two years, a fine of up to INR 100,000 (about US$1,400), or both.
- Section 72A (inserted by the 2008 amendment) applies to any person, including an intermediary, who discloses personal information obtained under a lawful contract without consent, intending or knowing it is likely to cause wrongful loss or wrongful gain: imprisonment of up to three years, a fine of up to INR 500,000 (about US$7,000), or both.

2
Q

When an independent IT auditor audits a body corporate, it audits 1) policies and 2) operational processes. Explain how a data audit is conducted.

A

1) Bring in relevant stakeholders — customer experience-relevant data is likely stored and used across departments. Find and bring in key stakeholders who can speak to the data collection, storage, and use processes.

2) Map out where your data is — find all the places where customer experience-relevant data lives and map out the information architecture for the data, including how it’s stored and who has access.

3) Evaluate accuracy, breadth, and consistency — take a deep dive and evaluate the quality of your data using the principles of accuracy, breadth, and consistency, then brainstorm solutions to any issues you find during the audit.

From: https://www.capterra.com/resources/how-to-conduct-a-data-audit/

3
Q

IT Act - If a complainant is unhappy with the Adjudicating Officer's decision, to whom can they appeal?

A

Orders of the Adjudicating Officer are appealable to the Cyber Appellate Tribunal (CAT) under Section 57, and from there to the High Court (Section 62) and ultimately the Supreme Court. Beyond this, the data protection regime in India is enforced through the ordinary courts.

Note: CAT has been non-functional since June 2011, when its Chairperson's term ended and no successor was appointed. The Finance Act 2017 merged CAT, together with the Airports Economic Regulatory Authority Appellate Tribunal (AERAAT), into the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), which now hears these appeals.

4
Q

What are the requirements under the Security Safeguards Principle?

A

Personal data must be protected by reasonable security safeguards. In India this maps to Rule 8 of the SPDI Rules 2011, "Reasonable Security Practices and Procedures", which is standards based: a body corporate is deemed compliant if it implements a comprehensive, documented information security programme with managerial, technical, operational and physical controls commensurate with the information assets it protects. IS/ISO/IEC 27001 is the standard expressly recognised by Rule 8; industry associations may instead follow codes of best practice approved and notified by the Central Government. Compliance must be certified or audited by an independent auditor approved by the Central Government at least once a year, or whenever the body corporate significantly upgrades its processes or computer resource.

5
Q

What is net neutrality? What was the decision on net neutrality in India, compared with the US and Singapore?

A

Net neutrality is the principle that an internet service provider (ISP) has to provide access to all sites, content and applications at the same speed, under the same conditions without blocking or preferencing any content.

Free Basics – India (and elsewhere)
- August 2013: Mark Zuckerberg announced that Facebook would get everyone online – everyone should be entitled to free basic internet service. Data was – like food and water – a basic human right, he said. He launched “Internet.org”:
1) where the internet was available but people were not connected, Facebook would strike business deals with phone carriers to make a small number of stripped down web services (including Facebook) available for free via an app – this was later rebranded as “Free Basics” – and
2) where people lived beyond the world’s reach, Facebook would recruit engineers to work on innovative networking technologies such as lasers and drones

TRAI Banning Free Basics / Net Neutrality
- In 2015 in India, "Free Basics" – then still called "Internet.org" – became controversial, because zero-rating a handful of services (including Facebook) favours those services over the rest of the Internet.
- In March 2015, TRAI published its "Consultation Paper on Regulatory Framework for Over-the-Top (OTT) Services", which among other things opened a public debate on a free and open Internet and on formulating an official net neutrality policy.
- In its landmark ruling of February 2016, the Prohibition of Discriminatory Tariffs for Data Services Regulations, TRAI banned discriminatory pricing of data, ending zero-rating platforms such as Facebook's Free Basics and Airtel Zero for violating the principles of net neutrality.
- TRAI then moved to define net neutrality more broadly: in 2016 it issued a pre-consultation paper to debate the concept of a free and open Internet and formulate an official policy on the issue.

Net Neutrality in the US:
- In December 2017 the FCC's Restoring Internet Freedom Order repealed the net neutrality rules adopted in 2015 (the Open Internet Order).
- ISPs must publicly disclose any blocking, throttling or paid prioritisation (the transparency rule was retained).
- If ISPs block or throttle Internet traffic in an anti-competitive way, the Federal Trade Commission can enforce antitrust and consumer protection law against them to curb that behaviour.

Net Neutrality in Singapore:
Singapore has a Policy Framework for Net Neutrality dated 16 June 2011 (following a consultation issued on 11 November 2010), published by IDA, the predecessor of IMDA.
- Under certain conditions, some slowing of Internet traffic is allowed (for example, reasonable network management), but not to the extent that users are practically unable to access websites or the Internet.
- ISPs cannot block "legitimate Internet content".
- ISPs can offer customised plans – for example, so that services like WhatsApp or Spotify do not count towards a monthly data cap.

6
Q

What does Section 46 of IT Act say? What are the powers of Adjudicating Officer?

A

Under Section 46 of the IT Act, the Central Government appoints an Adjudicating Officer (AO), an officer not below the rank of a Director to the Government of India or an equivalent State Government officer, to adjudicate whether a person has contravened any provision of the Act or of the rules, regulations, directions or orders made under it.

The AO's jurisdiction is limited to claims for injury or damage up to INR 50,000,000 (INR 5 crore, about US$700,000). Claims exceeding that amount are heard by the competent court (Section 46(1A)).

Powers of the Adjudicating Officer:
- Adjudicate contraventions under Chapter IX of the Act (the civil penalties and compensation chapter), after giving the person a reasonable opportunity to be heard; criminal offences under Chapter XI are tried by the ordinary criminal courts, not by the AO
- Award compensation by way of damages as a civil remedy (e.g. under Sections 43 and 43A)
- Impose penalties for contravention of the Act, having regard to the gain or unfair advantage obtained, the loss caused to any person and the repetitive nature of the default (Section 47)
- Exercise the powers of a civil court that are conferred on the Cyber Appellate Tribunal (Section 46(5))

7
Q

What are the penalties for section 43A?

A

Section 43A of the IT Act provides that "where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected." Since the 2008 amendment there is no statutory cap on this compensation; what counts as "reasonable security practices and procedures" is set out in Rule 8 of the SPDI Rules.

Sections 43(b) and 43(g) likewise provide for civil compensation to the person affected when
- a person, without permission of the owner or person in charge of a computer system, "downloads, copies or extracts any data", or
- a person provides assistance to any other person to facilitate unauthorised access to a computer system.

8
Q

What is the enforcement structure of the IT Act?

A

There is no national Data Protection Authority in India. The Ministry of Electronics and Information Technology (MeitY) administers the IT Act and issues the rules and clarifications under it.

For civil remedies (compensation and penalties under Chapter IX), the enforcement structure of the IT Act (as amended by the IT Amendment Act 2008, ITAA) is four-tiered. Criminal offences under Chapter XI follow a separate path: they are investigated by the police and prosecuted in the ordinary criminal courts.

The four tiers:
– Company "grievance officers" (Rule 5(9) of the SPDI Rules)
– Adjudicating Officers (AOs), appointed for each State (in practice the State IT Secretary)
– The Cyber Appellate Tribunal (CAT), whose functions have since been merged into TDSAT
– Appeals to the High Courts and the Supreme Court

9
Q

How must body corporates handle grievances?

A

Grievance Officers:

A body corporate that collects or handles sensitive personal data or information must designate a Grievance Officer to address complaints from providers of information in a timely manner (Rule 5(9) of the SPDI Rules 2011).

The name and contact details of the Grievance Officer must be published on the body corporate's website. The Grievance Officer must redress grievances expeditiously, and at most within one month from the date of receipt of the grievance.

10
Q

Under the Consumer Protection Act 1986, what can a consumer do about unfair trade practices? What types of complaints arise?

A

National Consumer Disputes Redressal Commission (NCDRC)
- The apex body of the three-tier consumer forum system (District Forums, State Commissions, NCDRC) established under the Consumer Protection Act 1986 to promote and protect the rights of consumers and to give ordinary consumers a less expensive and often speedier route to redress their grievances than the civil courts.
- Consumers can lodge complaints regarding unfair trade practices and defective goods or deficient services.
- Cases in the District Forums do include consumer disputes with a privacy dimension, e.g. unsolicited issuing of credit cards, the privacy rights of hospital patients as consumers, and failure to observe direct marketing restrictions.

11
Q

How should consent be obtained? Is there a right to withdrawal of consent? Must consent be obtained from employees? Is online consent permissible? What about for direct marketing?

A

How consent should be obtained:
- The IT Rules (Rule 5(1) of the SPDI Rules 2011) state that a body corporate, or any person acting on its behalf, that collects sensitive personal data or information must obtain consent in writing (by letter, fax or email) from the provider of the information regarding the purpose of its use.
- However, the Press Note issued by the IT Ministry on 24 August 2011 clarifies that consent may be given by any mode of electronic communication.
- The provider of information must be given the right to opt out, i.e. to withdraw consent already given, at any time while availing the services (Rule 5(7)); the body corporate may then decline to provide the goods or services for which the information was sought.
- The body corporate is not responsible for the authenticity of the personal information or sensitive personal data or information supplied to it, or to any person acting on its behalf, by the provider of information (Rule 5(6)).
- For consent to be valid, it must be voluntary, informed, explicit and unambiguous. It can be express or implied, but the appropriate form depends on the circumstances, the expectations of the Data Subject and the sensitivity of the Personal Data; for sensitive personal data the written or electronic consent described above is required.

Right to withdrawal of consent:
- Consent must be obtained prior to or at the time of collection of data. Consent given by a Data Subject can be withdrawn at any time. It does not need to be in the local language, but the Data Subject must understand the language in which consent is given.

Employee Consent:
- Employee consent is required to collect and process an employee’s Personal Data.
- Employee consent is required if his or her sensitive Personal Data or information is being collected, used, handled, stored and/or transferred by the employer (i.e., the body corporate). The requirements for such consent are the same as the general consent requirements.
- Employee consent is also required when an employer decides to implement a BYOD program. There is no specific legislation pertaining to BYOD, however various laws pertaining to the right to individual privacy and collection and storage of Sensitive Personal Data and personally identifiable information would apply.

Online/Electronic Consent:
- Online/Electronic consent is permissible and can be effective if properly structured and evidenced. Hence, electronic consent is enforceable in India.
- The related contract must comply with the requirements of the Indian Contract Act, 1872 to qualify as valid binding contracts.

Direct Marketing:
- An organisation that plans to engage in direct marketing activities with a Data Subject may be required to obtain the Data Subject’s prior consent, which cannot be inferred from a Data Subject’s failure to respond.
- There is no specific legislation in India that governs online direct marketing; however, the general practice is to permit an intended recipient to opt-in/opt-out of receiving any marketing material.
