SCOPE OF DATA PROTECTION LAWS RELEVANT TO CROSS-BORDER INVESTIGATIONS
1. What laws and regulations in your jurisdiction regulate the collection and processing of personal data? Are there any aspects of those laws that have specific relevance to cross-border investigations?
There is currently no dedicated data protection legislation in India. Data, in general, is governed by the Information Technology Act 2000 (IT Act), which is the umbrella legislation covering several matters relating to IT activities, cybercrimes and security and the like, and under which rules such as the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (SPDI Rules) have been framed. The IT Act, among other things, imposes an obligation on entities dealing with sensitive personal data to adopt ‘reasonable security practices and procedures’, and provides for compensation in cases of harm to data subjects. The SPDI Rules, on the other hand, are the most comprehensive Indian regulation dealing with personal data for the moment. Apart from providing the operating definition of ‘sensitive personal data or information’ (SPDI), the SPDI Rules regulate the collection, processing, disclosure, transfer and security of SPDI – all of which can be relevant for cross-border investigations. The SPDI Rules will thus, for the most part, be the focus of this chapter.
Certain sector-specific laws in fields such as banking, insurance, medicine/healthcare and telecom (which will be discussed later in this chapter) also impose obligations regarding the confidentiality of personal data and its use for limited, pre-agreed or prescribed purposes. These sectoral laws would similarly be relevant depending on the nature and/or scope of a given cross-border investigation.
Apart from legislative mandates, Indian legal jurisprudence also provides additional safeguards that could include personal data within their ambit. In what is now popularly known as the Puttaswamy judgment, the Supreme Court of India for the first time recognised the right to privacy as a fundamental right. While analysing the various facets of privacy and the allied issues it would impact, the Puttaswamy judgment engaged with the concept of ‘informational privacy’ and acknowledged an individual’s right to ‘control the dissemination of personal information’.
Dedicated legislation and a framework for data protection have long been pending in India, and while a Personal Data Protection Bill (PDP Bill) has been tabled in parliament, it is yet to become law. In its most recent iteration, the PDP Bill, inter alia, seeks to create three broad categories of data (ie, personal data, sensitive personal data and critical personal data), with graded obligations applying to each. The PDP Bill has, however, been heavily debated and has rightly come under criticism from various quarters, on issues ranging from protectionism and arbitrariness to governmental overreach and surveillance implications.
2. What other laws and regulations, besides data protection laws, may prevent data sharing in the context of an investigation?
As things stand, there is no blanket prohibition on the transfer of personal data outside India under the SPDI Rules. SPDI may be freely transferred outside India, provided certain conditions are met, which include obtaining the data subject’s consent, or having an underlying contract with the data subject that necessitates such a transfer; and the transferee ensuring the same degree of data protection as the transferor.
Apart from the SPDI Rules, which primarily govern personal data, various other regulations also impose obligations that could potentially impact data sharing in the context of a cross-border investigation. This might include situations where the data subjects involved in an investigation, or the investigation itself, fall within regulated sectors such as banking or fintech, telecoms or digital health.
For instance, in the banking sector, the storage and transfer of financial data are separately regulated. The Reserve Bank of India (RBI), India’s central bank and regulator, mandates that data related to payments (such as customer information and identification numbers, account details, passwords or transaction details) be stored on systems within India; for cross-border transactions, a ‘copy’ of the domestic leg of the transaction may be stored overseas, which nonetheless means that the mandate of storage in India still applies. In cases where payments are processed overseas, the RBI mandates that the data be deleted from foreign systems and ‘brought back’ to India within 24 hours. This can be important in the context of a cross-border investigation because, if an overseas regulator is involved in the process, data sharing with that regulator requires RBI approval.
Other sectoral examples include the Insurance Regulatory and Development Authority of India (Third Party Administrators – Health Services) Regulations 2016, which restrict the sharing of policy and claims-related data and personal information; and cases where government data is involved. The latter is especially relevant where an investigation involves Indian government departments or a third party storing government data, since such data is required to be stored in India.
3. What constitutes personal data for the purposes of data protection laws?
Under the SPDI Rules, ‘personal information’ is any information that, directly or indirectly, in combination with other information available or likely to be available with a body corporate, can identify a ‘natural person’. The explicit reference to ‘natural person’ in this definition implies that data belonging to legal persons such as companies may not be considered ‘personal data’ within the regulations. Under the same Rules, SPDI is a subset of personal information that includes passwords; financial information (bank account and credit card details); health conditions and medical records; sexual orientation; biometric information; and any other details relating to the preceding. Understandably, SPDI is subject to a higher degree of care and protection, and is thus regulated more stringently, than non-personal data or other personal information.
The PDP Bill, in its most recent iteration, retains some of the current categorisation but goes a step further. It divides such data into three heads: personal data, sensitive personal data and ‘critical personal data’. While both ‘personal data’ and ‘sensitive personal data’ are defined within the PDP Bill, ‘critical personal data’ (which would entail the strictest obligations in terms of data localisation and other factors) is a wildcard category: any personal data may be notified by the Indian government as critical personal data.
4. What is the scope of application of data protection laws in your jurisdiction? What activities trigger the application of data protection laws, to whom do they apply and what is their territorial extent?
Data protection provisions under the IT Act may be triggered in cases such as misuse of personal data, failure to implement reasonable security practices, wrongful disclosure and violation of contractual terms involving personal data. The SPDI Rules, on the other hand, apply to all entities (or their representatives) involved in collecting, storing, processing, transferring, disclosing or otherwise dealing with personal information (including SPDI).
Unlike more mature legislation such as the GDPR, the SPDI Rules do not define or delineate data controllers, data processors or data subjects. The two primary distinctions under the SPDI Rules are ‘body corporate’ (which includes any association of individuals engaged in commercial or professional activities, and effectively covers both controllers and processors) and ‘provider’ (ie, the data subject). The PDP Bill proposes to adopt a more nuanced application, with ‘data fiduciaries’ (similar to data controllers), ‘data processors’ and ‘data principals’ (ie, data subjects) all separately defined.
In terms of jurisdiction, the IT Act extends not just to the territory of India but also applies to offences committed by any person – regardless of nationality – outside India, so long as the offence was committed using a computer, network or system located within India. The PDP Bill proposes an even broader application and seeks to also include any data fiduciary or processor outside India that handles personal data in connection with a business conducted in India.
5. What are the principal requirements under data protection laws that are relevant in the context of investigations?
The SPDI Rules set out certain minimum requirements wherever the collection and processing of personal data is involved, and the IT Act penalises companies for improper disclosures and failure to implement security standards. In the context of cross-border investigations – especially post-covid-19, with investigations going almost entirely remote – these obligations become especially relevant, since the initial collation and review of electronically stored information (ESI) such as emails will invariably involve a transfer of data outside India. Such ESI will often include employees’ personal information and, depending on the nature of the business a client and/or target are involved in, could also include SPDI or other regulated data belonging to customers.
Assuming that the transferor is compliant with the law, a cross-border data transfer entails two fundamental requirements: (i) that the transferee practises the same level of data protection as the transferor; and (ii) that the consent of the data subject be obtained (blanket consent for lawful transfers is sometimes already included in contracts with employees).
Companies typically have internal policies in place to restrict or minimise the use of office email and computers for personal purposes, since the privacy or protection of personal information stored on office assets cannot always be guaranteed. However, covid-19 and indefinite remote-work arrangements have created new challenges that often make such policies difficult to monitor and implement. Therefore, where the ESI or other data being collected for the purpose of an investigation includes (or could conceivably include) SPDI, organisations can consider having data subjects specifically provide their consent; simple email confirmations can suffice. Once the data is transferred, the recipients – which could include a foreign parent company, external counsel or forensic auditors – are also under an obligation not to disclose the data any further.
6. Identify the data protection requirements relevant to a company carrying out an internal investigation and to a party assisting with an investigation.
Although parties assisting with an investigation – such as external law firms and auditors – will always be the transferees in a data transfer, the company carrying out an internal investigation could be either a transferor or a transferee depending on the situation. The principal obligations under the SPDI Rules fall on the entity that collected the data directly from the data subject, as it is that entity’s responsibility to obtain consent and keep the data subject fully informed about the purpose of collection and other particulars in the first instance. In a cross-border investigation, however, the target entity in India will typically be the one that collected and possesses the SPDI, while the foreign parent, affiliate or other entity will usually be the one commissioning the investigation and will thus be the transferee. Nonetheless, under the SPDI Rules, the transferee is also expected to practise the same degree of data protection as the transferor, so the obligations will apply to that extent. Insofar as requirements may apply differently to the transferor (ie, the company carrying out the investigation) and the transferee (foreign entities, external counsel), please refer to the immediately preceding discussion under question 5.