Let's Build a Responsible Cyber Society




What's New in the Clarifications on Sec 43A

There have been a more than required attention on the recent clarifications issued by the Ministry of Communications and Information Technology (MCIT) on the earlier April 11 guidelines regarding Sec 43A.

Some of the important features of the clarification are discussed here for further clarity.

Clarification 1: Any such body corporate providing services relating to collection, storage, dealing or handling of sensitive personal data or information under contractual obligation with any legal entity located within or outside India is not subject to the requirement of Rules 5 & 6

Clarification 2: Body corporate, providing services to the provider of information under a contractual obligation directly with them, as the case may be, however, is subject to Rules 5 & 6.

Clarification 3: Providers of information, as referred to in these Rules, are those natural persons who provide sensitive personal data or information to a body corporate.

Clarification 4: privacy policy, as prescribed in Rule 4, relates to the body corporate and is not with respect to any particular obligation under any contract.

Clarification 5: Rule 5(1) consent includes consent given by any mode of electronic communication.

The clarifications were evident to any person who had studied the Act properly. Some how some scare was created in the international media on irrelevent aspects that made it necessary for this clarification.

It was clear from Section 4 of ITA 2000/8 that any requirement of a document that needs to be given in writing was deemed to be provided when the document is in electronic form. It was therefore clear that though the earlier guideline stated that "Consent" should be in writing by means of a "letter, fax or an e-mail", any electronic communication other than e-mail (such as a form on a website) was also included. Hence clarification 5 was irrelevant.

It is however to be noted that any communication that has to stand a test of judicial acceptance needs to be authenticated in the form acceptable to a Court of law in India. Hence the electronic message if in the form of an e-mail must be digitally signed. Since "Click-Wrap" contracts are not legally recognized as equivalent to digitally signed contract, body corporates relying on "Click-Wrap Contracts" (Where the user clicks on a button- I agree") need to take such additional measures as may be required to provide a supplementary evidentiary base for validating the contracts entered into without digital signatures.

Clarification 1 and 2 state that any body corproate which is functioning under a contractual obligation is exempt from collection and disclosure norms. This was evident from the fact that Sec 43A has given only the third priority to the guidelines of April 11 and the first and foremost instrument that creates a liability under Sec 43A is the "Contract between the parties".

In the BPO scenario the Indian processing house receives information from his principal who in turn collects information from individuals who are protected by "Privacy Rights" either in their own country or in India. Hence an Indian BPO does not directly collect information from  persons protected by Privacy Rights. It was therefore obvious that it is the SLA docuemnt which is most important for an Indian BPO to determine the security liabilities. Clarification 3 corroborates this point and states that the provider of information is a "Natural Person".

It is however necessary for Body Corporate to consider that though they handle data not as a direct "collector of data" they do process "third party data". In the event such data is an instrument of some "Contravention of law" then the liability as an "Intermediary" is yet to be managed. This requires "Due Diligence" anyway. BPOs cannot therefore lower their vigilance on data security even in respect of third party data. Even when the principal data vendor has no cause of action because the body corporate has fulfilled the terms of security as stated in the SLA, the affected individuals may still invoke ITA 2008 and liabilities may arise if not covered under Sec 79.

The need for clarification 4 is slightly hazy. It may be trying to distinguish between "Privacy Policy" normally displayed on websites where information is collected directly from natural persons and an obligation of "Confidentiality" that may arise between the contractual parties such as in a BPO scenario.

Though the clarification is welcome since it dispels the doubts in some part of the industry, Naavi.org reiterates that the department is still holding onto its ego and not reacting to the request for deletion of Sub sections 8(2), 8(3) and 8(4) of the Sec 43A guidelines. These sections relate to the introduction of ISO 27001 as a mandatory compliance requirement through the backdoor with the use of misleading words used in the rules. If the department felt obligated to clarify on some of the provisions of the guidelines it is not clear why it did not feel obligated to clarify that "ISO 27001 audit is not mandatory under the guideline" as it appears on first glance.

Though the department has privately confirmed this to the undersigned in a mail, there has been no attempt to publicly present the clarification though the undersigned has brought it to the notice of the Government that the misconception remains in the market and is being commercially taken advantage of.

Naavi has taken up this matter with the MPs so that the notification can be corrected when presented in the Parliament. However due to the pressure on the Lok Pal business the notification may be slipped through the Parliament. Hence we can presume that there will be a legal battle ahead on the basis of a PIL to get the notification corrected for its open bias towards ISO 27001. (My detailed views in this regard is already available elsewhere on this site)



August 30, 2011

Related Articles:

Changes in Sec 43A Rules Exempt Foreign Companies

Is DIT  misleading the Public?

Sachin Pilot Clarifies on ITA 2008 rules

Sec43A Compliance Framework from Naavi

ITA 2008 Rules to be presented in the Parliament


 Comments are Welcome at naavi@vsnl.com