India’s privacy non-law
For the longest time, India had the unfortunate distinction of being one of the last remaining countries in the world without a privacy statute. While various concepts of privacy do run through our laws and the notion of a right to privacy has been established time and again by the judiciary, in this age of digital data, where personal information is being collected from us by virtually every service we subscribe to, Indian privacy jurisprudence lacked the detail and the regulatory scaffolding that most countries have.
In 2008, the government tried to fix this problem by inserting Section 43A into the Information Technology Act. Under this new provision, any corporate entity that was found to be negligent in implementing or maintaining reasonable security practices and procedures in dealing with sensitive personal data was liable to pay compensatory damages to anyone who suffered wrongful loss or gain as a result. But one isolated section does not a privacy jurisprudence make—and much as the legislature might have, at that time, thought this sufficient, it soon became clear that a more substantial law was required.
In 2011, the government issued eight rules under Section 43A that enacted concepts and principles that privacy lawyers normally expect to see in a data protection law—definitions of “personal information” and “sensitive personal information”, the obligation for prior consent, the requirement to limit the purpose for which data was collected, and restrictions on to whom it could be transferred and for how long it needed to be retained.
This was more like it. Finally, we had a regulation that had the sorts of concepts that privacy laws were expected to have. Global corporations with operations in India were already used to complying with privacy provisions in other jurisdictions and it was relatively easy for them to adapt to this new regulatory regime. They began to put in place workflows to obtain consent before collecting information from customers and employees and took pains to ensure that once collected, the data wasn’t transferred to jurisdictions with laws that offered inadequate data protection.
For the most part, they had to make assumptions as to what they needed to do as the rules themselves were sketchy on the details. They resorted to obtaining broad consent, trying to cover all possible future uses of the data, in an attempt to ensure that the purpose limitation restrictions could not be invoked.
But while the focus has been to interpret the rules in the specific context of a given business, few companies thought to question the legislative basis of the rules, or more particularly, whether the manner in which they were brought into force was legitimate.
The power of the government to enact subordinate legislation is carefully circumscribed by principles of administrative law. The legislature cannot abdicate its legislative power by delegating essential legislative functions to the executive. Most statutes have a separate section that sets out the issues on which the government is empowered to make rules. Broadly speaking, delegated legislation must be limited to clarifying statutory provisions that have already been set out in the law and must stop short of introducing new legislative concepts.
The list of the items in respect of which the central government can make rules has been set out in Section 87 of the IT Act. Sub-section (2)(ob) relates to Section 43A of the Act and states that the central government can only make rules relating to “reasonable security practices and procedures and sensitive personal data or information under Section 43A”. The IT Act, therefore, makes it clear that the rule-making power of the government under that section must be limited to elaborating on what would amount to reasonable security practices and procedures and articulating the definition of sensitive personal data or information.
It is obvious, even to a layperson, that the privacy rules go much further than that. For reasons not entirely clear to me, the government saw fit to introduce, through subordinate legislation, legislative concepts that have no corresponding mention in the mother statute—without going through the mandated legislative process. Articulated in administrative law terms, the privacy rules have been enacted in excess of the rule-making authority granted to the government, loosely relying on the provisions of a solitary section in the IT Act that was, itself, inserted as an afterthought.
It is hard to explain why the government chose this route. Perhaps it felt that there was an urgent need to introduce a privacy law and was looking to avoid the debates and discussions that would inevitably accompany a legislative exercise. Whatever the reason, these new legislative concepts should never have been issued in this manner. The government would do well to recall the privacy rules and actually enact a formal law.
The old-fashioned way.
Rahul Matthan is a partner at Trilegal. Ex Machina is a column on technology, law and everything in between.