What's New in the Clarifications on Sec 43A
There has been more attention than warranted on the
recent clarifications issued by the Ministry of Communications and
Information Technology (MCIT) on the earlier April 11 guidelines
regarding Sec 43A.
Some of the important features of the clarification
are discussed here for further clarity.
Any such body corporate providing services relating to collection,
storage, dealing or handling of sensitive personal data or
information under contractual obligation with any legal entity
located within or outside India is not subject to the requirement of
Rules 5 & 6.
Body corporate, providing services to the
provider of information under a contractual obligation directly with
them, as the case may be, however, is subject to Rules 5 & 6.
Providers of information, as referred to in
these Rules, are those natural persons who provide sensitive
personal data or information to a body corporate.
corporate and is not with respect to any particular obligation under
Rule 5(1) consent includes consent given by any mode of electronic
The clarifications were evident to any person who had
studied the Act properly. Somehow some scare was created in the
international media on irrelevant aspects that made it necessary for
It was clear from Section 4 of ITA 2000/8 that any
requirement of a document that needs to be given in writing was deemed
to be provided when the document is in electronic form. It was therefore
clear that though the earlier guideline stated that "Consent" should be
in writing by means of a "letter, fax or an e-mail", any electronic
communication other than e-mail (such as a form on a website) was also
included. Hence clarification 5 was irrelevant.
It is however to be noted that any communication
that has to stand a test of judicial acceptance needs to be
authenticated in the form acceptable to a Court of law in India. Hence
the electronic message if in the form of an e-mail must be digitally
signed. Since "Click-Wrap" contracts are not legally recognized as
equivalent to digitally signed contracts, body corporates relying on
"Click-Wrap Contracts" (where the user clicks on an "I agree" button)
need to take such additional measures as may be required to provide a
supplementary evidentiary base for validating the contracts entered into
without digital signatures.
Clarifications 1 and 2 state that any body corporate
which is functioning under a contractual obligation is exempt from
collection and disclosure norms. This was evident from the fact that Sec
43A has given only the third priority to the guidelines of April 11 and
the first and foremost instrument that creates a liability under Sec 43A
is the "Contract between the parties".
In the BPO scenario the Indian processing house
receives information from its principal, who in turn collects information
from individuals who are protected by "Privacy Rights" either in their
own country or in India. Hence an Indian BPO does not directly collect
information from persons protected by Privacy Rights. It was
therefore obvious that it is the SLA document which is most important
for an Indian BPO to determine the security liabilities. Clarification 3
corroborates this point and states that the provider of information is a
It is however necessary for Body Corporate to
consider that though they handle data not as a direct "collector of
data" they do process "third party data". In the event such data is an
instrument of some "Contravention of law" then the liability as an
"Intermediary" is yet to be managed. This requires "Due Diligence"
anyway. BPOs cannot therefore lower their vigilance on data security
even in respect of third party data. Even when the principal data vendor
has no cause of action because the body corporate has fulfilled the
terms of security as stated in the SLA, the affected individuals may
still invoke ITA 2008 and liabilities may arise if not covered under Sec
The need for clarification 4 is slightly hazy. It may
websites where information is collected directly from natural persons
and an obligation of "Confidentiality" that may arise between the
contractual parties such as in a BPO scenario.
Though the clarification is welcome since it dispels
the doubts in some part of the industry, Naavi.org reiterates that the
department is still holding onto its ego and not reacting to the request
for deletion of Sub sections 8(2), 8(3) and 8(4) of the Sec 43A
guidelines. These sections relate to the introduction of ISO 27001 as a
mandatory compliance requirement through the backdoor with the use of
misleading words used in the rules. If the department felt obligated to
clarify on some of the provisions of the guidelines it is not clear why
it did not feel obligated to clarify that "ISO 27001 audit is not
mandatory under the guideline" as it appears on first glance.
Though the department has privately confirmed this to
the undersigned in a mail, there has been no attempt to publicly present
the clarification though the undersigned has brought it to the notice of
the Government that the misconception remains in the market and is being
commercially taken advantage of.
Naavi has taken up this matter with the MPs so that
the notification can be corrected when presented in the Parliament.
However due to the pressure on the Lok Pal business the notification may
be slipped through the Parliament. Hence we can presume that there will
be a legal battle ahead on the basis of a PIL to get the notification
corrected for its open bias towards ISO 27001. (My detailed views in
this regard are already available elsewhere on this site.)
August 30, 2011