Derogation by Omission; Disclosure by Default? A Brief Exploration of the Law on Biometric Information Disclosure in India

Introduction

Rules on disclosure of biometric information of citizens by private entities holding such information upon requests or orders from law enforcement and other agencies/ third parties, were first formulated in India in the form of Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Information) Rules of 2011(hereafter referred to as “the IT Rules”). Interestingly, these Rules were framed to implement a recent legislative intent (under new amendments in 2008 to the Information Technology Act of 2000—hereafter referred to as “the IT Act”) for reasonable security practices to be followed by private entities to protect sensitive personal data or information from unauthorised disclosure of such information. However, by extending a limited intent of protection of sensitive personal information as expressed by the Indian Legislature in the IT Act, to actually enabling disclosure of sensitive personal information to law enforcement and other agencies/ third parties under the IT Rules, this underlying legislative mandate may have been far exceeded.

As analysed in this paper, the IT Rules also have an unintended effect of bypassing key constitutional protections that may be available to citizens under Article 20(3) of the Indian Constitution and an inherent right to appeal against disclosure decisions made by private entities, as well as an effect of bypassing key legal protections, both substantive and procedural, that are available under the Identification of Prisoners Act (1920), the Code of Criminal Procedure (1973) and in other statutes in India. In addition, the IT Act itself requires stakeholders to respect confidentiality and privacy of information; and from an overall legal perspective. Overall, the IT Rules may therefore be in undesirable conflict with core constitutional guarantees, with rights accorded by important provisions of certain other Acts, and with core protections granted by the underlying IT Act itself.

From a strictly “legal derogation” perspective, it may also be useful to attract attention of the readers to a “Press Note” (hereafter “the Note”) issued shortly after notification of the Rules: one that was issued on behalf of the Ministry of Communications & Information Technology purportedly clarifying that:

(i) Any body corporate providing services relating to collection, storage, dealing or handling of sensitive personal data or information under contractual obligation with any legal entity located within or outside India is not subject to the requirement of (IT) Rules 5 & 6;

(ii) Body corporate, providing services to the provider of information under a contractual obligation directly with them, as the case may be, however, is subject to (IT) Rules 5 & 6;

(iii) Providers of information, as referred to in these (IT) Rules, are those natural persons who provide sensitive personal data or information to a body corporate;

(iv) Privacy policy, as prescribed in (IT) Rule 4, relates to the body corporate and is not with respect to any particular obligation under any contract; and

(v) In (IT) Rule 5(1) consent includes consent given by any mode of electronic communication.

This Note is quite interesting from a legal implications perspective, in that while attempting to “clarify” the position under the IT Rules, it in fact went far beyond clarification as that word is generally understood, virtually nullifying the obligations imposed on body corporates under (IT) Rules 5 & 6 that were earlier notified to carry out the provisions of the IT Act. In this context, it may also be important to note that the IT Act authorises the Central Government to makes rules to carry out the provisions of the Act, and further requires that :  (i) such rules are required to be notified in the Government Gazette; and (ii) every notification containing such rules shall be laid before each House of the Parliament. Similarly, the Act authorises the Central Government to make provisions for removal of difficulties , and further requires that every such order for removal of difficulties shall be laid before each House of the Parliament. A bare reading of the Note shows that it is neither an order for removal of difficulties under the IT Act, nor a rule to carry out the provisions of the Act fulfilling mandatorynotification and presentment requirements prescribed under the IT Act; but rather a “clarification” of duly notified IT Rules: a Note that itself was perhaps never notified in the Gazette or presented to the Indian Parliament. To that extent, while the Note by itself presents an extreme derogation of the IT Rules, it is presumed to be void ab-initio and therefore of no legal consequence for the purposes of subsequent academic analysis and discussions in this short paper. This paper accordingly attempts a brief exploration of the basic law on biometric information disclosure in India, limiting itself to the legal position under the IT Act and the IT Rules, leaving amore comprehensive and a fuller case law analysis for a future point of time for reasons ofmaintaining brevity and focus.

II. Biometric Information under IT Rules: Definitions and Coverage Issues

Obligations of body corporates (including any person acting on their behalf) engaged in collection, receipt, possession, storage, dealing or handling of information (including biometric information)   are contained India’s Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Information) Rules (2011). For the purposes of application of the IT Rules, “body corporates” are defined (under the principal IT Act) as a company and include a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities; and body corporates could therefore include trusts and societies as well.

The IT Rules define “biometrics” as technologies that measure and analyse human body characteristics such as fingerprints, eye retinas and irises, voice patterns, facial patterns, hand measurements and DNA for authentication purposes.   The definitions of “data” and “information” are separately provided under the IT Act, and are somewhat “circular” in the sense that while “data” means a representation of, inter alia, informationor facts prepared for processing in any form in the memory of a computer; “information” as defined in the IT Act includes (Sec. 2(1)(o)  data, text, images etc. To that extent, for the purposes of this paper, the word “information” implies both information and data as defined under the IT Act.

The IT Rules categorise biometric information as “sensitive personal data or information”, at par with passwords, sexual orientation, medical records/ history and financial information such as bank accounts or credit/ debit card details. However, a concession allowed under this definition may be problematic, in that the IT Rules make an exception for any such information that is furnished under the Right to Information Act, 2005 (hereafter “the RTI Act”) or is freely available or accessible in public domain from coverage under the definition of “sensitive personal data or information”. Hence, if a Public Information Officer (PIO), by latent mistake or patent error in deciding an application for release of personal information under the RTI Act, ends up providing any of such information to an applicant, or if any of such information is leaked or otherwise becomes inadvertently available/ accessible in public domain, then such biometric information or financial information may no longer have the protections accorded to “sensitive personal data or information” under the Rules. An even greater problem arises in view of the wide discretion available to PIOs under the RTI Act itself, in that they are at best required to notify an affected person and allow him/ her an opportunity to contest an application for disclosure of their personal information held by public authorities, and the RTI Act itself therefore does not place an absolute bar on the disclosure of personal information, rather leaving this important decision at the discretion of a PIO.

Certain other characteristics of the IT Rules also merit attention from a derogation perspective. As stated earlier, the IT Rules were framed to implement a clear legislative intent under new amendments in 2008 to the IT Act for reasonable security practices to be followed by private entities to protect sensitive personal data or information from unauthorised disclosure of such information. Interestingly enough, while a newly inserted section  of the IT Act imposed an obligation of due care on body corporates for implementing and maintaining reasonable security practices and procedures, and also imposed on them a liability for damages by way of compensation to affected persons for failure to do so, the IT Act itself never defined sensitive personal information to be so protected, leaving it to the Executive to do so by way of subordinate rules.

However, by extending a limited intent of protection of sensitive personal informationas expressed by the Legislature in the IT Act ,to actually enabling disclosureof sensitive personal information to law enforcement and other agencies/ third parties under the IT Rules, the underlying legislative mandate of §43A of the principal (IT) Act appears to have far been exceeded. Further, to the extent that certain provisions of the IT Rules as discussed in this section allow rather open-ended disclosure of sensitive personal information without consent of the affected person, they also seem to contravene consent requirements imposed by the principal Act elsewhere, and while the principalAct itself allows for both imprisonment and fine for non-consensual disclosure of personal information , the IT Rules restrict the liability of body corporates to damages by way of compensation alone, thus whittling down legal liabilities of imprisonment and penalties imposed by the principal Act. The IT Rules, interestingly enough, also converta criminal offense under the principalAct into merely a civil claim under subordinateRules—anextremely significant derogation of the legal framework that was intended to secure sensitive personal information from non-consensual disclosure. This also leads to a rather interesting and counter-intuitive outcome where breach of confidentially of ordinary information leads to higher penalties in the form of imprisonment and fines, while disclosure of sensitive personal information merely invites damages.

III. Biometric Information underIT Rules: Consent and Disclosure Aspects

All body corporates (and persons acting on their behalf) collecting, receiving, possessing, dealing or handling information under the Rules, are mandatorily required to: (i) provide a privacy policy for handling or dealing in personal information (including sensitive personal information); (ii) ensure that such a privacy policy is available for view by providers of such information who provide such information under lawful contract; and (iii) publish such privacy policy on their websites.These privacy policies are required to necessarily include: (i) the purpose of collection and usage of such information; (ii) disclosure procedures for information, including sensitive personal information; and (iii) security practices and procedures followed for handling of such information.

The IT Rules require body corporates to obtain an information provider’s consent prior to the collection of sensitive personal information regarding the purpose of usage of such information [Sec 5(1) and Sec. 5(3)] ; and such consent is required to be “informed” in the sense that the person concerned needs to have knowledge of [Sec. 5(3)] : (i) the fact that sensitive personal information is being collected; (ii) the purpose of collection of such information; (iii) the intended recipients of such information; and (iv) the names and addressed of the agency collecting sensitive information and the agency that will retain sensitive personal information. Sensitive personal information can only be collected in this manner, and can only be used for the purposes for which it has been collected [Sec. 5(4)] .Body corporates are also obligated not to retain such information any longer than required for the purposes for which the information may lawfully be used [Sec. 5(4)]. In addition, body corporates are prohibited from collection of such sensitive personal information unless: (i) the information is collected for a lawful purpose connected with a function or activity of the body corporate; and (ii) the collection of sensitive personal information is considered necessary for that purpose [Sec. 5(2)].

Informed consent [Sec. 5(3)]  therefore needs to obtained by a body corporatein advance of actual collection of sensitive personal information; and should a person not agree to providing his/ her consent or information [Sec. 5(7)] , or should a person subsequently withdraw his/ her consent granted earlier at the time of collection of sensitive personal information, the body corporate can at best deny provisioning of goods or services for which information was sought in the first place.Providers of sensitive personal information have a right, upon request, to review information provided by them; while body corporates are required to ensure that any inaccuracy or deficiency in personal (including sensitive personal) information collected by them are corrected or amended as feasible. It is perhaps for this reason that body corporates are not liable for authenticity of any personal (including sensitive personal) information supplied to them by information providers (Interestingly, liability apportionment is mentioned in IT Rules, rather than being addressed in the principal IT Act as is generally the normal practice. Further, while the Rules state that a body corporate is not liable for inaccuracy or deficiency in biometric information, they are unclear as to who is specifically liable—biometric capture equipment makers, or some other party involved in collection or handling of biometric information. This is important since presumably a person providing biometric information would not be liable for any incorrectness or deficiency in his/ her biometric information). Body corporates are however obligated to keep information secure and not to publish sensitive personal information, and to designate (and to notify on their websites) a Grievance Officer who is required to redress grievances of information providers expeditiously within one month of the receipt of a grievance.

Contrary to the strong requirements contained in a first part of the IT Rules—interms of obtaining informed consent prior to collection of sensitive personal information, provisions for withdrawal of such consent, and use of information strictly for the purposes for which the information was collected in the first place—subsequentparts of the IT Rules significantly dilute these protections. For instance, a body corporate can transfer sensitive personal information to another body corporate or person in India or located in any other country, and the latter is required to provideonly the same level of data protection as is adhered to by the body corporate receiving such information in the first instance. Thus, if a body corporate publishes and promises a strong data protection policy but does not adhere to it, the receiving entity, whether Indian or foreign, would need to only provide the same levels of data protection as were adhered to by the receiving body corporate, and may not need to comply with the levels of data protection promised by the receiving body corporate at the time of collecting sensitive personal information from a person. The purpose of transfer is also subject to differing interpretations at various levels, in that the IT Rules state that transfer may be allowed only if necessary for the performance of a lawful contract between the transferor body corporate and the provider of information.

Other than derogation by allowing subsequent transfer of sensitive personal data to entities outside India or for purposes that may not be specifically known to the information provider at the time of collection of sensitive personal information, the IT Rules also allow significant derogation by permitting rather open-ended disclosure of such information by the receiving entity. For instance, a recipient of sensitive personal information in the first instance can disclose such information to a third-party (in India or outside India), inter alia, where such disclosure may be necessary for compliance of a legal obligation. Thus, if a country where a receiving entity is located imposes a legal obligation on such entities to disclose sensitive personal information of foreign citizens,then in such a case, privacy and confidentiality of sensitive personal information of an Indian information provider can be quickly compromised. A similar derogation can happen in cases where a receiving entity discloses sensitive personal information to a third party simply because of itsinternal impression that it has a contractual obligation (A lawful contractual obligation to disclose would presumably be a sub-set of a legal obligation to disclose) to disclose, whereas the disclosure of sensitive personal information may not be specifically known or be specifically consented to by the information provider in the first instance.

The IT Rules then further permit two even more significant derogations to a body corporate’s obligation not to disclose sensitive personal information without express consent of an information provider: (i) sensitive personal information shall be disclosed by a body corporate to a third party by an order under the law for the time being in force, without clarity on whether a body corporate shall need to mandatorily disclose even if there is a discretional exception allowing it not to disclose (such as certain protections under the RTI Act, 2005or the Code of Criminal Procedure, 1973 as discussed subsequently in this paper); and (ii) sensitive personal information shall be shared with Government agencies mandated under the law to obtain such information for certain purposes, without any need to obtain prior consent or provide any post-facto notice to the provider of information, and without any clarity on whether the Government can be a foreign government operating under its own (foreign) laws, since the phrase “appropriate Government” has not been defined either under the IT At or under the IT Rules.

IV. Confidentiality and Privacy under the IT Act

The IT Rules, while laying down specific legal obligations and applicable liability of body corporates with regard to sensitive personal information, do not provide for any specific offences or penalties for any potentially important violations of such obligations such as: (i) violation or non-publication of privacy policies for handling of sensitive personal information; (ii) illegal, unauthorised or non-consented transfer of such information; (iii) failure to maintain adequate security of such information; and (iv) failure to destroy sensitive personal information upon withdrawal of consent by an information provider. These important aspects could perhaps be covered under a general clause dealing with breach of confidentiality and privacy under the principal (IT) Act, which states that any person having secured access to any electronic information discloses such information without consent of the person concerned shall be liable with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or both (Sec. 72).

Separately, the IT Act recognises other general offences and mentions penalties in regard thereto, such as: (i) penalties for hacking with a computer system (Sec. 66); and (ii) accessing or attempting to access in an unauthorised manner a protected system declared to be such by the Central Government (Sec.70). Provisions of the IT Act apply to any offence or contravention committed outside Indian by a person irrespective of his/ her nationality [Sec. 75(1)], if the act or conduct constituting the offence or contravention involves a computer, computer system or computer network located in India [Sec. 75(2)]. It however appears that a person outside India may not be liable at all under the IT Act, even if he/ she causes breach of confidentiality and privacy in respect of an Indian information provider, if such provider’s sensitive personal information is stored on a computer, computer system or computer network located outside India. This could be a serious gap and consequent derogation of liability in the regulatory framework, sinceIT Rules themselves permit transfer to entities outside India, and also permit storage of sensitive personal information outside India.

Sandeep Verma holds an LLM with highest honours, having specialised in Government Procurement Law from The George Washington University Law School, Washington D.C. In 2009, he established www.BuyLawsIndia.com, a website dedicated to the advancement of public procurement law in India. Views expressed in this policy note are personal and academic; and do not reflect the official position or policy of the government of India or any of her departments or agencies.

This is Part I of the column.