SCOPE OF DATA PROTECTION LAWS RELEVANT TO CROSS-BORDER INVESTIGATIONS
1. What laws and regulations in your jurisdiction regulate the collection and processing of personal data? Are there any aspects of those laws that have specific relevance to cross-border investigations?
There is currently no dedicated data protection legislation in India. Data in general is governed by the Information Technology Act, 2000 (IT Act), which is the umbrella legislation covering several matters relating to IT activities, cybercrimes and security and the like, and under which rules such as the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (SPDI Rules) have been framed. The IT Act, among other things, imposes an obligation on entities dealing with sensitive personal data to adopt ‘reasonable security practices and procedures’, and provides for compensation in cases of harm to data subjects. The SPDI Rules, on the other hand, are the most comprehensive Indian regulation dealing with personal data for the moment. Apart from providing the operating definition of ‘sensitive personal data or information’ (SPDI), the SPDI Rules regulate the collection, processing, disclosure, transfer and security of SPDI – all of which can be relevant for cross-border investigations. The SPDI Rules will thus, for the most part, be the focus of this chapter.
Certain sector-specific laws in fields such as banking, insurance, medicine or healthcare, and telecom (which will be discussed later in this chapter) also impose obligations regarding the confidentiality of personal data and its use for limited, pre-agreed or prescribed purposes. These sectoral laws would similarly be relevant depending on the nature and/or scope of a given cross-border investigation.
Apart from legislative mandates, Indian legal jurisprudence also provides additional safeguards that could include personal data within their ambit. In what is now popularly known as the Puttaswamy Judgment, the Supreme Court of India for the first time recognized the right to privacy as a fundamental right. While analysing the various facets of privacy and the allied issues it would impact, the Puttaswamy Judgment engaged with the concept of ‘informational privacy’ and acknowledged an individual’s right to ‘control the dissemination of personal information’.
A dedicated legislation and framework for data protection has long been pending in India, and while a Personal Data Protection Bill (PDP Bill) had been tabled in parliament – and had gone through several revisions as well – it has very recently been withdrawn entirely. This development came after the PDP Bill was referred to a Joint Parliamentary Committee for recommendations, following which 81 amendments to the PDP Bill [including changing the title of the PDP Bill to The Data Protection Bill, 2021 (DP Bill)] were recommended. As the change in title suggests, the DP Bill sought to include both personal and non-personal data in its scope. These recommendations or amendments were yet to be formally accepted and elevated to the status of law before the PDP Bill was withdrawn. As things stand, India remains without a comprehensive legislative framework surrounding data protection.
The DP Bill (as was the case with the PDP Bill) contained some provisions dealing with cross-border transfer of data, but it is premature to discuss these in detail at the moment. We have, however, included provisions from the PDP Bill and/or the DP Bill at certain places in this questionnaire to give readers an idea of what can be expected from a dedicated legislation in India (whenever one is tabled or enforced).
Answer contributed by Disha Mohanty, Arjun Khurana, Manavi Jain and Meghna Arora
2. What other laws and regulations, besides data protection laws, may prevent data sharing in the context of an investigation?
As things stand, there is no blanket prohibition on the transfer of personal data outside India under the SPDI Rules. SPDI may be transferred outside India, provided certain conditions are met, which include obtaining the data subject’s consent, or having an underlying contract with the data subject that necessitates such a transfer; and the transferee ensuring the same degree of data protection as the transferor.
Apart from the SPDI Rules, which primarily govern personal data, various other regulations also impose obligations that could potentially impact data sharing in the context of a cross-border investigation. This might include situations where data subjects involved in an investigation, or the investigation itself, are in the realm of sectors such as banking or fintech, telecom or digital health.
For instance, in the banking sector, the storage and transfer of financial data are separately regulated. The Reserve Bank of India (RBI), India’s central bank and regulator, mandates that data related to payments (such as customer information and identification numbers, account details, passwords or transaction details) be stored on systems within India; for cross-border transactions, a ‘copy’ of the domestic leg of the transaction may be stored overseas, which nonetheless means that the mandate of storage in India still applies. In cases where payments are processed overseas, the RBI mandates that data be deleted from foreign systems and ‘brought back’ to India within 24 hours. This can be important in the context of a cross-border investigation because if an overseas regulator is involved in the process, data sharing with that regulator requires RBI approval. Recently, towards protecting ‘card data’, the RBI also issued a circular mandating ‘tokenisation’ of credit card and debit card information of data subjects that would replace saving (collection) of actual card details.
Other sectoral examples include the Insurance Regulatory and Development Authority of India (Third Party Administrators – Health Services) Regulations 2016, which restrict the sharing of policy and claims-related data and personal information; and cases where government data is involved. The latter is especially relevant where an investigation involves Indian government departments or a third party storing government data, since such data is required to be stored in India.
Answer contributed by Disha Mohanty, Arjun Khurana, Manavi Jain and Meghna Arora
3. What constitutes personal data for the purposes of data protection laws?
Under the SPDI Rules, ‘personal information’ is any information that, directly or indirectly, in combination with other information available or likely to be available with a body corporate, can identify a ‘natural person’. The explicit reference to ‘natural person’ in this definition implies that data belonging to legal persons such as companies may not be considered ‘personal data’ within the regulations. Under the same Rules, SPDI is a subset of personal data that includes passwords; financial information (bank account and credit card details); health conditions and medical records; sexual orientation; biometric information; and any other details relating to the preceding (unless such information is freely available or accessible in the public domain). Understandably, SPDI is subject to a higher degree of care and protection, and is thus regulated more stringently, than non-personal data or personal information.
While the erstwhile PDP Bill retained some of the current categorisation, it went a step further. It divided data into three heads – personal data, sensitive personal data and ‘critical personal data’. While both ‘personal data’ and ‘sensitive personal data’ were defined within the PDP Bill, ‘critical personal data’ (which would entail the strictest obligations in terms of data localisation and other factors) was a wildcard category and was not exhaustively defined; any personal data may be notified by the Indian government as critical personal data. The amended DP Bill had additionally introduced non-personal data (including anonymised personal data) as a fourth category of data. It remains to be seen how this categorisation transfers to any new legislative framework, whenever India adopts one.
Answer contributed by Disha Mohanty, Arjun Khurana, Manavi Jain and Meghna Arora
4. What is the scope of application of data protection laws in your jurisdiction? What activities trigger the application of data protection laws, to whom do they apply and what is their territorial extent?
Data protection provisions under the IT Act may get triggered in cases such as misuse of personal data, failure to implement reasonable security practices, wrongful disclosure, and violation of contractual terms involving personal data. The SPDI Rules, on the other hand, apply to all entities (or their representatives) involved in collecting, storing, processing, transferring, disclosing, or dealing with personal information (including SPDI).
Unlike more mature pieces of legislation such as the GDPR, the SPDI Rules do not define or delineate data controllers, data processors or data subjects. The two primary distinctions under the SPDI Rules are ‘body corporate’ (which includes any association of individuals engaged in commercial or professional activities, and effectively covers both controllers and processors) and ‘provider’ (ie, the data subject). The erstwhile PDP Bill (as well as the amended DP Bill) proposed to adopt a more nuanced application, with ‘data fiduciaries’ (similar to data controllers), ‘data processors’ and ‘data principals’ (ie, data subjects) all separately defined, and it is likely that any future legislation will make these distinctions as well.
In terms of jurisdiction, the IT Act extends not just to the territory of India but also applies to offences committed by any person – regardless of nationality – outside India, so long as the offence was committed using a computer, network or system located within India. The erstwhile PDP Bill had proposed an even broader application and had sought to also include any data fiduciary or processor outside India that handles personal data in connection with a business conducted in India.
Answer contributed by Disha Mohanty, Arjun Khurana, Manavi Jain and Meghna Arora
5. What are the principal requirements under data protection laws that are relevant in the context of investigations?
The SPDI Rules set out certain minimum requirements wherever the collection and processing of personal data are involved, and the IT Act penalises companies for improper disclosures and failure to implement security standards. In the context of cross-border investigations – especially post covid, with investigations going almost entirely remote – these obligations become especially relevant, since the initial collation and review of electronically stored information (ESI) such as emails will invariably involve a transfer of data outside India. Such ESI will often include employees’ personal information and, depending on the nature of business a client and/or target are involved in, could also include SPDI or other regulated data belonging to customers.
Assuming that the transferor is compliant with the law, a cross-border data transfer entails two fundamental requirements: (i) that the transferee practises the same level of data protection as the transferor; and (ii) that the consent of the data subject be obtained (blanket consent for lawful transfers is sometimes already included in contracts with employees).
While no specific conditions (other than the ones identified above) were outlined in the DP Bill for cross-border transfer of data for investigations, there was a provision in the DP Bill titled ‘conditions for transfer of sensitive personal data and critical personal data’, under which, in addition to such data being considered transferable with explicit consent of the data subject, the central government could allow transfer of sensitive personal data to another country or international organisation, subject to certain conditions. This followed a trend across several new and proposed legislation – including those around data protection – of exemptions, exclusions and arbitrary powers being given to the government and its agencies, which rightly received significant criticism from various quarters. It remains to be seen whether these trends carry forward into any subsequent legislative frameworks, though it seems likely given recent history.
Companies typically have internal policies in place to restrict or minimise the use of office email and computers for personal purposes, since the privacy or protection of personal information stored on office assets cannot always be guaranteed. However, covid-19 and indefinite remote-work arrangements have created new challenges that often make such policies difficult to monitor and implement. Therefore, where the ESI or other data being collected for the purpose of an investigation includes (or could conceivably include) SPDI, organisations can consider having data subjects specifically provide their consent – simple email confirmations can be enough as well. Once the data is transferred, the recipients – this could include a foreign parent company, external counsel, forensic auditors – are also under an obligation to not disclose the data any further.
Answer contributed by Disha Mohanty, Arjun Khurana, Manavi Jain and Meghna Arora
6. Identify the data protection requirements relevant to a company carrying out an internal investigation and to a party assisting with an investigation.
Although parties assisting with an investigation – such as external law firms, auditors, etc – will always be the transferees in a data transfer, the company carrying out an internal investigation could be either a transferor or a transferee depending on the situation. The principal obligations under the SPDI Rules are on the entity that collected data directly from the data subject, as it would be their responsibility to obtain consent and keep the data subject fully informed about the purpose of collection and other particulars in the first instance. In a cross-border investigation, however, the target entity in India will typically be the one that collected and possesses the SPDI, while the foreign parent, affiliate or entity will usually be the one commissioning the investigation and will thus be the transferee. Nonetheless, under the SPDI Rules, the transferee is also expected to practise the same degree of data protection as the transferor, so the obligations to that extent will apply. Insofar as requirements may apply differently to the transferor (ie, the company carrying out the investigation) and the transferee (foreign entities, external counsel), please refer to the immediately preceding discussion under question 5.
Answer contributed by Disha Mohanty, Arjun Khurana, Manavi Jain and Meghna Arora