Data Protection & Its Impact on Technology Service Providers

Monish Panda, Founder, and Amit Kumar Bhattacharyya, Associate Advocate, Monish Panda & Associates. Delhi-based Monish Panda & Associates is predominantly a tax regulation firm handling complex commercial, regulatory, criminal, tax and civil disputes and disputes advisory.

Technology plays a central role in our lives in the 21st century. Today, people constantly feel the need to catalogue and share each and every moment of their lives on the internet. Instagram, Facebook and Snapchat are more than just applications; they are lifelines. In fact, the gravity of the situation is such that the Waldorf School in Silicon Valley, the educational destination for the children of tech giants, has decided to limit its students' exposure to technology. Like every commercial enterprise, technology service providers (TSPs) seek to build a unique selling point (USP) of their own. The model they adopt is to calibrate the accuracy of their services based on the consumer's personal data. And therein lies the concern.

Tailor-made services are often the key to building a loyal customer base. Therefore, when customers gladly consent to providing their personal information to TSPs, the duty to protect it automatically falls on the State. The Information Technology Act, 2000 (ITA) governs all modes of electronic communication. Section 43A clearly lays down that a body corporate which fails to protect any personal data shall be liable to pay damages. Section 72 mandates that anyone who breaches the confidentiality of any person by accessing that person's personal information without consent shall be liable to imprisonment for up to two years, or a fine of up to Rs. 1 lakh, or both.

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 reinforce the same principle.
Rule 7 provides that no personal data can be published without the consent of the information provider. The Rules also define the term 'sensitive personal data or information' as information which is not readily available in the public domain, such as passwords, financial information, etc. There are various such regulations in relation to each sector. Therefore, where TSPs are required to maintain a customer database for the purpose of their services, they are prohibited from disclosing it to third parties without the customer's consent. Even if customers blindly consent to the dissemination of their personal data, if the manner of such dissemination violates any statutory requirement, the same may not be held to be proper consent.

In addition to this, there are sectoral regulations in place to further tighten the protection mandated by the ITA. For example, the RBI has issued guidelines for e-banking and the risk management thereof. The guidelines have a separate chapter on IT outsourcing, under which, in cases of outsourcing, due diligence needs to be exercised as to the vulnerabilities affecting the protection of customer data. Banks may outsource only after a proper risk assessment has been completed. Risk assessment and vulnerability assessment differ from case to case, and though the ultimate control of and responsibility for such data lies with the bank alone, in certain circumstances other service providers may also become liable.

The FDI policy on the Telecom Sector 2016 & 2017 (governing telecom and other service providers) provides security conditions that need to be met by the licensee and the service providers. These include clauses 37 and 39.23 of the Unified License Agreement, as well as the National Long Distance Operators License Agreement, which prohibit the transmission and storage of customers' personal data in any place outside India, thereby restricting the physical location of servers. These are in addition to the restrictions under the ITA.

TSPs are dynamic when it comes to the services they provide. The problem that may arise is: what happens when the operations of a TSP are covered by multiple pieces of legislation? Let us take the example of payment gateways, which are in vogue. Such payment gateways are simply software that allows users to make online payments. Now, with the advent of Payments Banks, the question that arises is whether it would suffice for them to comply with the IT Act, or whether they need to conform to the banking and telecom regulations as well. There is no clear answer to this; it may be difficult to classify such a service under one particular head, nor can we prioritise between any of the sectoral regulations and the umbrella legislation, i.e. the ITA. Which regulations apply in each case would depend on the services being offered and the business model being operated by the service provider.