Tag Archives: Data Protection laws in India

Data Localisation: India’s policy framework

The Personal Data Protection Bill, 2018 (“Bill”) and the Data Protection Committee’s (“Committee”) Report (released on 27 July 2018) contains the framework and the policymakers’ insight on protection of personal data in India. The recent Draft e-commerce policy indicates Government’s thought process on storing data in India. The Reserve Bank of India (RBI) in April this year mandates that all data generated by the payment systems in India, is to be stored in India. The Ministry of Health and Welfare has published the draft legislation called Digital Information Security in Healthcare Act, to safeguard e-health records and patients’ privacy.  Thus, all these new rules/policies/regulations (collectively referred as “the Data Protection Framework”) indicate a very strong direction that the Government wishes to undertake on data localisation, which helps in enforcing data protection, secure nation’s security and protect its citizen’s data, better control on transmission of data outside the country and more.

We believe initial steps were taken when under the Companies Act, 2013, the maintenance of books of account in electronic form, required copies to be kept in servers physically located in India.

Many questions abound that the Government take fast paced measures in enabling the infrastructure to build data-centres, which in-turn requires land clearance, electricity etc., ability to keep the operational costs for SMEs low, jump-starting initiatives on artificial intelligence, delicate balance to be maintained on surveillance and protection.  On a positive note, this provides entrepreneurial opportunities in building data centres, alternative energy/ solar grids etc.

Data Localisation under the Data Protection Committee’s Report and the Bill

Chapter 6 of Committee’s Report provides compelling arguments on ‘Transfer of Personal Data Outside India’, where the Committee notes Laissez Faire economy of data, i.e. where free flow of data is the norm and to restrict as an exception. It also recognizes that an embargo on data crossing borders as curbing personal liberty of people. The Committee recommended that even if the intended destination is across borders, all data to which Indian laws would apply would need to be stored locally as well. The Central Government may decide that certain data may not be permitted to be taken out of the country and requiring its processing to be done locally. To highlight sections 40 and 41:

  • The Central Government shall determine categories of sensitive personal data which are ‘critical’ in nature having regard to strategic interests and enforcement, this personal data can only be processed in India.
  • Transfer of other non-critical personal data will be allowed subject to one serving copy of it being stored in India.
  • Cross border transfers of personal data, other than critical personal data will be through model contract clauses with the data transferor being directly liable to the data principal.

Mandatory Data Localisation being prescribed under different aspects

Localisation of Payment Systems Data mandated by RBI: Even before the release of the Committee’s Report and the Bill, data localisation was touched upon by RBI in its Notification of 9 April 2018, where it directed all payment system providers to ensure that all data relating to the payment systems are to be stored in systems situated only in India. Under the said notification, the RBI includes ‘full end-to-end transaction details’, ‘payment instructions’ and other information collected, processed, carried, etc. to be within the ambit of data which is required to be stored. The maintained are to be annually audited and reported to RBI.

Localisation of Data under the National E-Commerce PolicyThe Draft National Policy Framework (the “National e-commerce Policy”) concerning the ‘Digital Economy’ seeking to regulate the ‘e-commerce’ sector in India, proposes localisation of several categories of data involved in e-commerce. The intent stated is to create a ‘facilitative eco-system’ to promote India’s digital economy through measures such as, data generated by users in India from sources such as e-commerce platforms, social media, search engines, etc., and all community data collected by Internet of Things (IoT) devices in public spaces are to be stored exclusively in India and sharing of such data within the country is proposed to be regulated.

The localisation of data is not absolute and cross-border flow is allowed for a handful of cases, such as for software and cloud-computing services involving technology related data-flow (which are free of any personal or community implications) and other standard exceptions consistent with the views expressed in the Committee’s report.

Localisation under the draft amendment to Drugs and Cosmetics Rules, 1945

The recent draft amendment proposed to the Drugs and Cosmetics Rules, 1945, for regulating e-pharmacies, makes it clear that e-pharmacies web-portals have to be established in India for conducting its business in India and data generated to be stored locally. The draft rules states that under no means the data generated or mirrored through e-pharmacy portal shall be sent or stored by any means outside India.  

Data Centres in India

For the data to be stored locally, data centres need to be established, regulated and function under the law. The demand for companies to host their data in India stemmed from  security perspective. The major issues with data localisation is not only of cyber security but also jurisdiction. Cloud computing softwares have taken advantage of the economies of scale and an infrastructural architecture across the world. Thus when there is a threat presumed in one part of the world, the algorithm would move the data to another location or even in multiple locations. In addition to this the Cyber Security Report, 2017 released by Telstra have reported that businesses in India were most at risk to cyber security attacks. Further the organisation in India have experienced the highest number of weekly security incidents of all Asian countries surveyed.

The Privacy Bill provides that the Central Government to notify categories of personal data for which the data centres have to be established in India and the Authority to be established under the legislation to be responsible for the compliances.  Further for achieving its goal of facilitating India’s ‘Digital Economy’, the National e-Commerce Policy purports to grant “infrastructure status” to data centres and server farms in India. An infrastructure status by getting listed under the Harmonized Master List of Infrastructure Sub-sectors by the Department of Industrial Policy and Promotion (DIPP) entails that it’ll be easier to get credit to enter into these operations. This would be accompanied by tax-benefits, custom duties rebates and also 2-year sunset period before localisation becomes mandatory. However, these incentives are only being considered and not promised as of yet.

Cost-Benefit Analysis on Data Localisation

In Chapter 6 of its report, the Committee takes up a detailed analysis of the benefits and repercussions of adopting mandatory data localisation in India. Benefits as stated in the report include:

  • Reduction in the costs of enforcement of India’s own laws because of easier availability of data within its jurisdiction, the cost and time spent on co-ordinating with foreign agencies for access to requisite data being reduced.
  • Overseas transactions of data involve reliance on fibre optic cable networks spread around the world, which are vulnerable to attacks and perhaps localisation of data may reduce this security risk.
  • Having copies of all data collected in India will be a huge boost to the digital infrastructure as the domestic industry will now be able to harness a lot of data. For instance, the report points out that developments in Artificial Intelligence will see a great boost from this.
  • As a matter of national security, the complete localisation of critical data prevents any foreign surveillance of India’s internal affairs.

The report also states that the localisation of data can have its costs too, however it severely downplays them. The report recognizes that to make storing of data mandatory in India, will result in a burden on the domestic enterprises which use foreign infrastructure like cloud computing for running their businesses. The implications include the increased costs of doing business for small and medium businesses, also there may be the danger of monopolization in the digital infrastructure because only a few firms would have the expertise and capital to invest in creating huge data centres in India. However, the Committee states that they are not persuaded by this argument and are confident that the potential of the Indian market will adequately trump the additional cost of setting up the infrastructure.

 Our observations

Digital India and building a thriving Digital Economy in India, building strong competencies in artificial intelligence, protecting nation’s security and data of its citizens are very critical and is now becoming mandatory for India. Establishing a strong domestic infrastructure is a big commitment for the Government, which includes making available vast tracts of land, uninterrupted power supply to the data centres and such other pre-requisites. It is to be seen how India can harvest the long term benefits.

Important reading material:

https://economictimes.indiatimes.com/news/economy/policy/draft-ecommerce-policy-champions-india-first/articleshow/65206404.cms

https://economictimes.indiatimes.com/news/economy/policy/as-ministries-argue-draft-ecommerce-policy-lands-with-pmo/articleshow/65495585.cms

https://inc42.com/features/draft-indian-ecommerce-bill-favouring-domestic-players-at-the-cost-of-the-ecosystem/

DISHA – The future direction of digital health information in India

The Ministry of Health and Welfare in the year 2015 published a note on establishing a National eHealth Authority (“NeHA”) to regulate the emerging usage of electronic mediums in healthcare, especially for maintenance of e-Health records and digital health information across India. The goal of NeHA is “to ensure development and promotion of eHealth ecosystem in India for enabling, the organization, management and provision of effective people-centred health services to all in an efficient, cost-effective and transparent manner”.

The Ministry Health and Welfare (“Ministry”), eHealth Department has been working on developing international standards for creating, maintaining and storing of eHealth records. There were circulars in 2013 and 2016 providing guidelines and specific standards to be adopted and implemented by hospitals, medical professionals and other stakeholders in the healthcare industry, which were not mandatory, but definitely a step forward in digitising health care records.

Innovations in integrating healthcare and technology is helping a large population to access healthcare. Acting on its vision for NeHA, the Ministry had introduced a draft bill for Digital Information Security in Healthcare Act (“DISHA” or “Draft Bill”).

DISHA’S main purpose, as per the pre-amble is to (i) establish NeHA, State eHealth Authorities (“SeHA”) and Health Information Exchanges; (ii) standardise and regulate the process related to collection, storing, transmission and use of digital health data; (iii) and to ensure reliability, data privacy, confidentiality and security of digital health data”.

DISHA aims to have a national as well state level implication and aims to regulate the digital health data in a federal structure i.e. NeHA being a central and an apex authority under the Bill established by the Central Government as per the provisions of this Bill and SeHA being a state level authority established by the respective State Governments. Further the Central Government shall establish as many Health Information Exchanges as necessary. Further under the act there has to be National level and State level executive committees which will aid and assist NeHA and SeHAs in the performance of their functions under DISHA.

DISHA, is applicable to clinical establishments which includes medical institutions and individuals performing and providing any kind or form of medical and healthcare services excluding hospitals owned and operated by the army, navy and the air force. However, it includes clinical establishments which are owned and operated by government or a department of government.

Further these clinical establishments can only collect digital health information for certain particular purposes which are more or less related to providing medical and healthcare services to owners of the digital health information. DISHA makes clear that digital health in any form i.e. whether identifiable or anonymized, shall not be accessed, used or disclosed to any person for commercial purposes.

The Draft Bill enumerates the functions of NeHA and SeHA (“Authorities”) which are to:

  • formulate standards, guidelines and protocols for generation, collection, storage and transmission of the digital health data.
  • define protocols to safeguard the data from any theft or breach and to provide for data security measures at each level of processing of data, which shall at least include access controls, encryption and audit trails.
  • lay down protocols for transmission of digital health data to and receiving it from other countries.
  • provide for standards for establishing necessary norms and standards for certifying digital healthcare data systems and stakeholders.
  • conduct regular checks and investigations to ensure compliance with law.

One of the key aspects of DISHA is to establish Digital Health Exchanges; digital health information exchange (“DHIE”) allows doctors, nurses, pharmacists, other health care providers and patients to access and securely share a patient’s vital medical information electronically—improving the speed, quality, safety and cost of patient care. Any and all transmission of digital health information will happen through these exchanges. The intention under DISHA is to store and keep all the digital health data in these DHIEs located across India. This can only be possible if the digital health information is standardised i.e. it is maintained in same format by all and therefore the Ministry primarily introduced the eHealth record standards and now through DISHA wants to integrate the eHealth records and provide the whole digital healthcare system a proper structure under these DHIEs. It would be good if the Government can aggressively promote data centres across India.

Under the Draft Bill, DHIEs will be monitored and controlled by their respective Chief Health Information Executive whose duties primarily will be to take care of the DHIEs day to day affairs, to access and further transmit the digital health information appropriately as transmitted by clinical establishments, notify the data breach to a data owner and store the data appropriately.

At the outset this looks like a fairly centralised system of data storage and therefore the same may be vulnerable to cyber threats and data breaches. One of the ideas that can be considered is to store eHealth records using block-chain technology to make the DHIEs more secure.

DISHA elaborates ways to protect the data and has brought in the concept of “data ownership” i.e. digital health data under the Draft Bill is explicitly owned by the person of whose digital health data is generated and processed. Section 31 of the Draft Bill, states that individuals are the owners of the digital health data and clinical establishments and DHIEs are custodians of the digital health information and have a duty of trust to maintain confidentiality and security of such data.

The Draft Bill explicitly describes the roles and responsibilities at the time of collection of data, transmission, anonymisation and de-identification of data. The data owner has to provide explicit consent to various actions that can be taken on the data. The Bill also provides individuals with a right to rectify their digital health data which might be inaccurate and incomplete, a right to have obtain explicit consent in each and every instance of transmission of data, right to be notified, right to prevent disclosure of digital health data under certain circumstances, right to not to be refused of any health services.

A breach under DISHA is of two types, (i) breach of digital health data and (ii) Serious breach of digital health data. Serious breaches are detailed to include cases where a person or an entity or a clinical establishment breaches digital health data intentionally or if digital health data is used for commercial purposes, or breach occurs where the digital health data was not in de-identified or anonymized form.

Punishment for a breach of digital health data is that “A person shall be liable to pay damages by way of compensation to the owner of the digital healthcare data in relation to which the breach took place”. Serious breaches are punishable with imprisonment as well.

While DISHA appears to be conceived with the right intent, there are certain aspects which has to be thought through in more depth.

  • The many mobile apps which collects huge amounts of health data in order to provide tracking/monitoring for the users or apps which are aggregators of medical practitioners and providers or apps which are market-places for medical practitioners, pharmacists etc. or apps which connect medical practitioners with patients. These apps are not part of the definition of “Clinical Establishment” to whom the law applies.
  • With India proposing new legislation for data protection and privacy, it has to be seen how this Draft Bill inter-relates.
  • It is believed that block-chain technology might help in keeping the data secure. This is already being used in Estonia.
  • DISHA prohibits the use of digital health information for commercial purpose, whether in anonymized or de-identifiable form. However, operationalizing of collection and transmission should be more robust and India has seen “Aadhar” related mis-use of personal data.
  • Sharing of data on “need to know basis” seems wide and it would be essential to perhaps either through the Rules under the Draft Bill can make it more specific.
  • Compensation for data breaches, including adjudication has to have some specific and strict timelines.

DISHA is definitely a right direction but should have to maintain the fine balance in enabling innovation in health-care, government’s requirement of data, protecting the data-owners’ rights in a swift and efficient manner, making it easy for the medical practitioners and other stakeholders in the healthcare industry to make this robust.

Over the next blog, we will detail the consent, information that can/ cannot be collected etc.

Author: Manas Ingle

Breach Notification – A right to be informed

In November 2017, reports confirming a massive data hack at Uber compromising data of almost 57 million users surfaced online. It is pertinent to note that these reports surfaced almost one year after the actual breach occurred. Uber had not intimated when the incident occurred. This incident is an example to understand, why under GDPR providing a breach notification within 72 hours of any such breach has been mandatory if such a breach is directly going result in a risk to the rights and freedoms of natural persons.

The General Data Protection Regulation (“GDPR”) which will be effective from May 2018, will transform the way personal data of users/ individuals/ data subjects will be treated. Given the wide territorial scope of GDPR the Regulation applies to the processing of personal data of a person (data subject) who are in the EU, regardless of where the data is processed, ie. in EU or outside of EU. We believe that GDPR is setting a gold-standard for data security, across the world.

The concept of breach notification was seen under the security breach notification law enacted by the State of California in the year 2002. The security breach notification law was enacted to increase public awareness with regards security issues and risks that the internet and data industry faces.

  • Article 33(1) of GDPR mandates data controllers to “in the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
  • Article 33(2) mandates data processors to “notify the data controller without undue delay after becoming aware of a personal data breach.”

In light of the requirements prescribed under GDPR, it is a pre-requisite to have in place an effective data security incident reporting mechanism including data breach response procedures to enable notifications to be made to data subjects “without undue delay” in the plain language in such circumstances.

GDPR prescribes that every breach notice should describe the exact nature of the personal data breach including the nature, extent and likely factors that may have resulted in breach based on preliminary assessment, where possible, the categories and approximate number of data subjects concerned and nature of data under threat or compromised, including and the categories and approximate number of personal data records concerned with an aim of charting out an effective mechanism to address the breach and resolve the issue without delay.

All entities dealing with personal data should comply with the requirements of reporting breaches in a timely manner. Every “notice of breach” should clearly indicate the cause of breach (Accident / negligent/malicious attack) due to (a) internal factors or (b) external factors and the estimated intensity and consequences of such attack. Such notices should promptly be followed by a detailed report indicating causes, consequences, action taken, including actions taken as preventive mechanism adopted to avert such instances in future.

To be compliant with GDPR, it is recommended for all data controllers and processors to have extensive internal policies within the company, including a breach notification policy addressing the procedures to be followed should there be a security breach. For ease of understanding, think of this security breach policy as a fire safety plan that has to be followed in case a fire breaks out. A fire safety plan will clearly indicate the do’s and don’ts, evacuation plan to follow, reporting mechanism, who should what, emergency numbers, internal training and all other necessary steps to be followed so as to contain and reduce the harm caused due to such an accident to the extent possible.

Similarly, a security breach policy will aid an organization to respond to such a data breach within a matter of minutes and enable them to take necessary actions so as to contain and reduce the harm. Additionally, such a policy will enable an organization to comply with the provisions of Article 33 (1) of GDPR, i.e. to report a data breach within a time frame of 72 hours.

In reference to Article 33 of GDPR data controllers may consider following points while considering the implementation of policy in their organization:

  1. Scope and intent of the policy will define how it will be implemented. There are two ways to define a scope, either you can have policy document regulating each and every aspect of GDPR to be followed all across the organization or there can be a series of policies implemented, for example, a policy specifically for security breach and notification thereunder. The second option will allow you to focus and concentrate on minute details of processes, controls, and compliances to be made at each level.
  2. Setting goals for the policy will provide you with accountability and definitive purpose for the whole organization. While setting goals for the policy do think about:
    • Practicality: Ensure that goals that you make are approachable and are ordinary in nature. At the same time keep in mind that these goals are solving the purpose of their implementation, including a way to maintain an internal log, audit trail of how data is used.
    • Risk Management: Focus on what kind of data is at risk? this may be dependent on the industry you might be doing business in. Focus on how a data breach can occur? What are the weaknesses of your system?
    • Flexibility: Try to keep your policy adaptive in nature i.e. it should be able to safeguard you in all sort of data breach situations.
    • Compliance: It should be compliant with law and aid in efficient compliance.

Data controllers, in particular, shall implement processes to identify and respond to data breaches as soon as the event occurs, to have evidence in place to show that where, when and how did data breach occur. Demonstrating that adequate security procedures were in place is essential in order to claim reduced penalties as well.

Status of data protection in India:

Information Technology Act, 2000 and Rules thereunder, ie. Rule 8 of Reasonable Security Practices and Procedures and Sensitive Personal Data or Information, Rules 2011, provides that in case of information security breach, the body corporate shall be able to demonstrate that it has implemented security control measures as per their documented information security programme and information security policies. It would be beneficial if the Rules also provided for notification of breach as well. If personal data is a Fundamental Right of the Indian citizen, then, citizens should have a right to know if such personal data has been subject to a data breach.

If an Indian company is processing data of an EU resident, then GDPR compliances become mandatory. In other cases, Indian companies can adopt best practices such as having detailed policies covering above aspects, periodical audit and availability of audit report to be shared to an external party, maintaining a log of what, how, who, why, where, data is processed. Currently, Government is not included under the ambit.

ISO 27001 certification for data security is also useful.

India would do well in having these gold-standards for data protection and it would augur well if even Government is included to follow the compliance requirements.

Author: Technology Practice Group @ NovoJuris Legal