There is no other way to say this but the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“Privacy Rules”), which were made by the Department of Information Technology, are not a model piece of delegated legislation. Problems are plenty with the rules, and last week the DIT released a clarification on 24th August, 2011 to these rules. This is the second time such a clarification has been issued to the Privacy Rules. Going by this itself, it is quite evident that a law which is barely months into existence and requires multiple clarifications will only lead to more problems in its application.
The latest clarification which was released, in my view, further muddies the Privacy Rules. The Clarification, titled “Clarification on Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 Under Section 43A of the Information Technology ACT, 2000”, states three material effects which have been explained here.
Concerns as to the Practice of Issuing Clarifications.
I firmly believe that on the basis of precedent and the statutory framework of the IT Act, issuing clarifications/press notes is not the best legislative practice to clarify problematic pieces of law. My objection is on the basis of the following reasons:
- Unless I am missing something, these clarifications do not constitute law. Section 43A only allows rules to be made to substantiate the provisions relating to unauthorized disclosure of information under Sec. 43A. It does not allow such “clarifications” or “press notes”.
- In my view, rather than these shaky legal clarifications, the DIT should have made amendments to the Rules themselves. They have done this in the past with respect to the Rules made for Certifying Authorities. I am at a loss to explain or even to speculate what prevented them this time around.
- Going beyond these pedantic procedural concerns, one must look at the thrust of the clarification. It is not in the nature of a mild guideline for applying the rules, but is in terms of making substantial changes to the entire complexion of the Privacy Rules. These material changes without changes in the rules themselves will lead to a lot of confusion in the days to come.
- I restate that the rules go beyond the ambit of Sec. 43A of the parent statute. Sec. 43A only deals with a penalty for the negligent disclosure of personal data; it nowhere contains aspects such as acquisition, processing, or use of the data itself. The rules, by dealing with such issues, aim to provide a level of individual privacy, but they do so on a weak legal foundation.
The first Clarification to the Privacy Rules, 2011 dated 10th May, 2011 is available here. The latest one dated 24th August, 2011 is available here.