India Data Privacy Law – Its impact on Business Ecosystem Shivaji Rao, Regional General Counsel, Asia PAC and Sub-Saharan Africa, John Deere.
Data Privacy & Data Security Law in India
- Information Technology Act, 2000, as amended by the Information Technology (Amendment) Act, 2008
- Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
- Press Note (Clarification on Privacy Rules), August 2011
- Credit Information Companies (Regulation) Act, 2005
- Credit Information Companies Regulations, 2006
- Credit Information Companies Rules, 2006
Information Technology Act (2000), (2008) & 2011 Rules: Important Definitions

Personal information: any information that relates to a natural person which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.

Sensitive personal data or information (SPDI): personal information which consists of
(i) password;
(ii) financial information, e.g. bank account, credit or debit card or other payment instrument details;
(iii) physical, physiological and mental health condition;
(iv) sexual orientation;
(v) medical records and history;
(vi) biometric information;
(vii) any detail relating to the above clauses as provided to a body corporate for providing services; and
(viii) any of the information received under the above clauses by a body corporate for processing, stored or processed under lawful contract or otherwise.

A body corporate cannot collect SPDI unless it obtains the prior consent of the provider of the information. Consent must be given in writing, by letter, fax or email (Rule 5(1)).
Information Technology Act (2000), (2008) & 2011 Rules: Important Provisions

Consent and lawful purpose (Rule 5): a body corporate, or any person on its behalf, must obtain consent in writing, through letter, fax or email, from the provider of sensitive personal data or information regarding the purpose of usage before collection. It may not collect sensitive personal data or information unless it is collected for a lawful purpose connected with a function or activity of the body corporate (or a person on its behalf) and the collection is necessary for that purpose.

Retention, review and opt out (Rule 5): sensitive personal data or information may not be retained for longer than is required for the purposes for which it may lawfully be used. Providers of information have a right to review what they have provided and to have inaccuracies corrected. They may also withdraw consent previously given (Rule 5(7)).

Disclosure to third parties (Rule 6): disclosure of sensitive personal data or information by a body corporate to any third party requires the prior permission of the provider who supplied it under lawful contract or otherwise, unless such disclosure has been agreed to in the contract between the body corporate and the provider of information.
Information Technology Act (2000), (2008) & 2011 Rules: Important Provisions

Privacy policy required (Rule 4): any body corporate, or any person on its behalf, that collects, receives, possesses, stores, deals with or handles information of a provider of information must provide a privacy policy for the handling of or dealing in personal information (including sensitive personal data or information) and ensure that it is available for viewing by the providers who have supplied such information under lawful contract. The policy must be published on the website of the body corporate or of any person on its behalf.

Required contents of the privacy policy:
(a) clear and easily accessible statements of its practices and policies;
(b) the type of personal information or sensitive personal data or information collected under Rule 3;
(c) the purpose of collection and usage of such information;
(d) disclosure of information, including sensitive personal data or information, as provided in Rule 6;
(e) the reasonable security practices and procedures as provided under Rule 8.

Data protection: information collected must be protected pursuant to Rule 8.
Information Technology Act (2000), (2008) & 2011 Rules: Important Provisions

Data transfer (Rule 7): a body corporate, or any person on its behalf, may transfer sensitive personal data or information (including any information) to another body corporate or person, in India or in any other country, only if
(a) the recipient ensures the same level of data protection that the transferring body corporate adheres to under these Rules; and
(b) the transfer is necessary for the performance of the lawful contract between the body corporate (or a person on its behalf) and the provider of information, or the provider has consented to the transfer.
Condition (a) always applies; the contract and consent grounds in (b) are alternatives to each other, not to (a).

Reasonable security practices and procedures (Rule 8):
(i) a body corporate or a person is considered to have complied with reasonable security practices and procedures if it has implemented such security practices, procedures and standards and has a comprehensive documented information security programme and information security policies containing managerial, technical, operational and physical security controls that are commensurate with the information assets being protected and the nature of the business;
(ii) the international standard IS/ISO/IEC 27001 (Information Technology - Security Techniques - Information Security Management System - Requirements) is one such standard;
(iii) a body corporate or person that has implemented either IS/ISO/IEC 27001 or codes of best practice for data protection approved and notified by the Central Government is deemed to have complied with reasonable security practices and procedures, provided the standard or code has been certified or audited on a regular basis by an independent auditor duly approved by the Central Government (at least once a year, or whenever the body corporate significantly upgrades its processes or computer resources).
Information Technology Act (2000), (2008) & 2011 Rules: Important Provisions

Breach notification: the Information Technology (the Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 require the following cyber security incidents to be reported to CERT-In:
- targeted scanning or probing of critical networks or systems
- compromise of critical systems or information
- unauthorised access to IT systems or data
- defacement of a website, or intrusion into a website with unauthorised changes such as inserting malicious code or links to external websites
- malicious code attacks such as the spreading of viruses, worms, Trojans, botnets or spyware
- attacks on servers such as database, mail and DNS servers, and on network devices such as routers
- identity theft, spoofing and phishing attacks
- denial of service (DoS) and distributed denial of service (DDoS) attacks
- attacks on critical infrastructure, SCADA systems and wireless networks
- attacks on applications such as e-governance and e-commerce systems

Government audit rights: the appropriate government may cause an audit of the affairs of service providers and authorised agents in the State to be conducted at such intervals as it deems necessary, by nominating audit agencies. The audit may cover the security, confidentiality and privacy of information, among other matters.
Information Technology Act (2000), (2008) & 2011 Rules: Important Provisions - Enforcement Mechanism

Sec 72, IT Act 2000 - Penalty for breach of confidentiality and privacy: save as otherwise provided in this Act or any other law for the time being in force, any person who, in pursuance of any of the powers conferred under this Act or rules or regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material and, without the consent of the person concerned, discloses it to any other person shall be punished with imprisonment for a term which may extend to two years, or with a fine which may extend to one lakh rupees (approx. US$1,600), or with both.

Sec 72A - Punishment for disclosure of information in breach of lawful contract: save as otherwise provided in this Act or any other law for the time being in force, any person, including an intermediary, who, while providing services under the terms of a lawful contract, has secured access to any material containing personal information about another person and, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain, discloses that material to any other person without the consent of the person concerned or in breach of a lawful contract, shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to five lakh rupees (approx. US$8,000), or with both.
Information Technology Act (2000), (2008) & 2011 Rules, Ctd.: Important Provisions - Enforcement Mechanism

Sec 43A - Compensation for failure to protect data: where a body corporate possessing, dealing with or handling any sensitive personal data or information in a computer resource which it owns, controls or operates is negligent in implementing and maintaining reasonable security practices and procedures, and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected. The enacted section sets no monetary cap; the five crore rupee figure is the limit of the adjudicating officer's jurisdiction under Sec 46, and larger claims go before the competent civil court.

Sec 66C - Punishment for identity theft: whoever fraudulently or dishonestly makes use of the electronic signature, password or any other unique identification feature of another person shall be punished with imprisonment of either description for a term which may extend to three years, and shall also be liable to a fine which may extend to one lakh rupees (approx. US$1,600).
How It Impacts the Business Ecosystem in India
- Organisation
- Data collection
- Consent
- Data use, storage and transfer
- Data security practices
- Privacy policy and access
- Breach notification
Collection of Personal Data

Collection of 'personal information' and 'sensitive personal data' in the course of business:
- Procurement: suppliers, OEMs
- Sales: dealers, distributors, customers, consultants, etc.
- HR processes: employees
- Commercial contracts
- Entity management: board of directors, shareholders, etc.

Questions to ask:
- Are we legally allowed to extract publicly available data? How do we make sure that such data was lawfully obtained?
- When collecting personal data, do you clearly inform the individual of the purpose(s) for which it will be collected, used or disclosed, and obtain his/her consent?

Recommendation: have an enabling covenant in the contract with respect to data collection.
Consent
- Obtain consent in writing from the provider of sensitive personal data before collection.
- Collect sensitive personal data only for a lawful purpose, and only where the collection is necessary for that purpose.
- Do not retain sensitive personal data for longer than it is required for those purposes.

Recommendation: have an enabling covenant in the contract with respect to data collection and its purpose.
Data Use, Storage and Transfer
- Obtain consent before collection and use.
- For data transfer:
  - the recipient entity must maintain the same level of security;
  - the transfer must be necessary to perform the obligations of a lawful contract, or
  - the provider must have consented to the data transfer.
- Apply reasonable security measures to data storage.

Recommendation: have an enabling covenant in the contract with respect to data use and transfer.

Do you have full visibility of and control over (a) what personal data and SPDI is collected and why, (b) who collects it, (c) how and where it is stored (in country or outside the country), and (d) with whom it is shared or disclosed (sales team, analytics, service providers)?
Data Security Practices
- A comprehensive, documented information security programme and information security policies containing managerial, technical, operational and physical security controls.
- No retention of data for longer than needed.
- IS/ISO/IEC 27001 (or an approved and notified code of best practice) as the standard for data security.
- Regular certification or audit by an independent auditor duly approved by the Central Government.

Have you (a) assessed the personal data protection risks within your organisation, (b) classified the data, secured it appropriately and defined the span of access and control over it, and (c) put personal data security policies in place?
Privacy Policy and Access
Any entity, or person on its behalf, that collects, receives, possesses, stores, deals with or handles information of a provider of information must publish a privacy policy. The privacy policy must contain:
- clear and easily accessible statements of its practices and policies;
- the type of personal information or sensitive personal data or information collected;
- the purpose of collection and usage of such information;
- disclosure of information, including sensitive personal data;
- the reasonable security practices and procedures in place.

Practical example: drafting and implementing a data privacy policy. Training internal stakeholders on it is a priority.
Breach Notification
Notification to the Indian Computer Emergency Response Team (CERT-In) on the occurrence of:
- targeted scanning of critical networks or systems
- unauthorised access to IT systems or data
- defacement of or intrusion into a website
- malicious code attacks such as the spreading of viruses
- attacks on servers
- attacks on critical infrastructure
Checklist / FAQs
- How well does your organisation protect personal data and sensitive personal data? What action plan do you have?
- Do you have data inventory management in place?
- When collecting personal data, do you clearly inform the individual of the purpose(s) for which it will be collected, used or disclosed, and obtain his/her consent?
- If you collect personal data from third parties, do you ensure that the third party has obtained consent from the individuals to disclose the personal data to you for your intended purposes?
- Do you limit the use of personal data collected to only those purposes for which you have obtained consent?
Checklist / FAQs, Ctd.
- Do you put in place appropriate contractual arrangements or binding corporate rules to govern the transfer of personal data overseas?
- Do you limit the disclosure of personal data collected to only those purposes for which you have obtained consent?
- Have you established a formal procedure to handle requests for access to personal data?
- Do you keep a list of the third-party organisations to whom personal data has been disclosed, and for what purposes?
- Have you assessed the personal data protection risks within your organisation and put personal data security policies in place?
- Is personal data kept in a secure manner?
- Do you conduct or schedule regular audits of the data protection processes within your organisation?
Checklist / FAQs, Ctd.
- Have you developed and implemented data protection policies for your organisation to meet its obligations under the IT Rules?
- Are your organisation's data protection policies made available to the public?
- Have the individuals on your marketing list given their clear and unambiguous consent, evidenced in written or other accessible form, to being contacted by you by phone call, text message (e.g. SMS/MMS) or fax for your intended telemarketing purposes?
- For individuals who have not given clear and unambiguous consent to telemarketing, have you established an internal process for checking the DNC registry before your telemarketing campaigns?
- If you purchase databases of contact information from third parties for telemarketing, do you ensure that the third party has obtained the necessary consents for the collection, use and disclosure of the personal data by you?
Thank You