Franchise businesses obtain record, store and perform operations with data using computers or through physical files, which include personal data of suppliers and customers
Franchisors and franchisees often share personal information between them, which may involve export/transfer of data to a foreign country. There is legislation, in the West, to protect privacy of individuals and prevent misusing of data to commit fraud, identity theft, etc. There are stringent rules on protection, storage, obtaining consents from data subjects (and sometimes from governmental authorities) to share or export data, the breach of which can result in authorities conducting a thorough investigation and imposing heavy fines. There is a growing concern, especially among foreign franchisors, that the same standard of privacy and data protection is not observed in India. When there is a data breach and action is taken against the franchised business, the reputation and trust in the brand is affected.
If the franchisee’s acts in data breach, then the franchisor can terminate the agreement and sue for damages. Sometimes it is difficult to quantify the loss and damage, especially in terms of reputation.
Unlike several other countries, India does not have a statute exclusively dedicated to the data protection and privacy domain. While right to privacy is not a statutorily recognized right, the Supreme Court has interpreted right to privacy as part and parcel of the life and personal liberty granted under Article 21 of the Constitution of India.
The IT Act provides a legal framework for exchange of information electronically and facilitates e-commerce. Rules under Section 43 A of the IT Act 2011 (reasonable security practices and procedures and sensitive personal data) were enacted to provide security practices and implemented by corporate bodies to safeguard sensitive personal data. Section 72 A provides a penalty for disclosure of personal information in breach of a lawful contract, which can result in up to three years’ imprisonment and fines up to Rs 5 lakh.
Furthermore, a corporate body must obtain prior consent from the information provider to use the information, and the information should be collected only if it is necessary and for a lawful purpose connected with the functioning of the body corporate. The information must only be used for the purpose it is collected and not retained for a longer period than is required.
Under these Rules, the corporate body must take reasonable steps to ensure that the provider of the information knows: Further, the information provider must be able to review and amend the sensitive personal data and have the option to withdraw consent to its use at any time. In relation to transfer the data, the corporate body may only transfer it to persons and corporate bodies, who ensure the same level of data protection that is adhered by the corporate body under the rules.
Section 46 empowers the Government of India to appoint Adjudication Officers to adjudicate whether any person has committed any of the contraventions described in Chapter IX of the Act and to determine the quantum of compensation payable. Accordingly, the government has designated the secretaries of the Department of Information Technology of each of the states or union territories as Adjudication Officers with respect to each of their territories.
Section 78 empowers police officers of the rank of inspectors and above to investigate offences under the Act. Hence, it is necessary that companies concentrate on developing strong data protection system to appreciate the rights of the information provider and prevent information from unauthorised dissemination since the loss occurred will impose liability on the companies under the Act.
In the event of a breach of information security the company would be required to demonstrate to the concerned government agency that such security measures protocols were implemented and in place at the time of the breach. 27001 protocol is one of the recommended standards under the Rules. It is recommended that such security protocols and procedures are in line with the best practices security measures favoured across the world, such as 27001 measures.
As we can see data protection and privacy has been dealt with in the Act but not in an exhaustive manner. A separate piece of legislation is much needed to establish clear and specific standards in relation to data protection and to strike an effective balance between personal liberties and privacy. Data protection and privacy laws in India are in yet in its nascent stage and are not very strictly enforced. Franchisors should be prudent and ensure that their contract with franchisees contain detailed clauses requiring compliance with the data protection and privacy laws and for termination and compensation for breach of those provisions. Indemnity clauses can also be linked to loss and damage caused by data breach. The training and operational manuals provided by the franchisor must also explain the seriousness of data breach and explain clearly the methods for protecting data and privacy to the franchisee to comply with the laws. It is always better to invest in prevention as there may not be an adequate cure.