The protection of sensitive data stored at a third party location requires

India is not a party to any convention on protection of personal data which is equivalent to the GDPR or the Data Protection Directive. However, India has adopted or is a party to other international declarations and conventions such as the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights, which recognise the right to privacy.

India has also not yet enacted a specific legislation on data protection. However, the Indian legislature did amend the Information Technology Act (2000) (“IT Act”) to include Section 43A and Section 72A, which give a right to compensation for improper disclosure of personal information. The Indian Central Government subsequently issued the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “Rules”) under Section 43A of the IT Act. A clarification to the above Rules was issued on 24 August 2011 (the “Clarification”). The Rules have imposed additional requirements on commercial and business entities in India relating to the collection and disclosure of sensitive personal data or information which have some similarities with the GDPR and the Data Protection Directive.  

India has introduced a biometric-based unique identification number for residents called ‘Aadhaar’. Aadhaar is regulated by the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (“Aadhaar Act”) and the rules and regulations issued thereunder. Entities in regulated sectors such as financial services and telecom are also subject to confidentiality obligations under sectoral laws, which require them to keep customer personal information confidential and to use it only for prescribed purposes or in the manner agreed with the customer.

Finally, personal data is protected through indirect safeguards developed by the courts under common law, principles of equity and the law of breach of confidence. In a landmark judgment delivered in August 2017 (Justice K.S. Puttaswamy (Retd.) & Anr. v. Union of India), the Supreme Court of India recognised the right to privacy as a fundamental right under Article 21 of the Constitution, as part of the right to “life” and “personal liberty”. “Informational privacy” was recognised as a facet of the right to privacy, and the court held that information about a person, and the right to access that information, also needs the protection of privacy (“Privacy Judgment”). The court stated that every person should have the right to control commercial use of his or her identity and that the “right of individuals to exclusively commercially exploit their identity and personal information, to control the information that is available about them on the internet and to disseminate certain personal information for limited purposes alone” emanates from this right. This was the first time the Supreme Court expressly recognised the right of individuals over their personal data.

Fundamental rights are enforceable only against the state and instrumentalities of the state and the Supreme Court in the same judgment recognised that enforcing the right to privacy against private entities may require legislative intervention.

The Government of India had therefore constituted a committee to propose a draft statute on data protection. Multiple versions of the draft data protection law have been issued with the most recent one being the Data Protection Bill, 2021 (“Bill”). The Bill was quite controversial and was criticized by technology corporations and start-ups for the associated high cost of compliance. The Bill was withdrawn by the Government on 3 August 2022. The Government has stated that the Bill will be replaced by a new data protection bill, which is expected to be presented to the Parliament for its approval in the winter session of the Parliament scheduled for December 2022.

Entry into force

Section 43A and Section 72A of the IT Act came into force on 27 October 2009. The Rules came into force on 11 April 2011. The Aadhaar Act came into force on 12 September 2016.

The Privacy Judgment was delivered on 24 August 2017.

The new data protection bill is expected to be issued in late December 2022. It will have to be passed by both houses of Parliament and notified in the official gazette before it becomes law. Even after enactment, based on the previous versions of the data protection bill, it is likely to be implemented in a phased manner over a 2 year period.

_____________________________________________________________________

National Supervisory Authority

Details of the competent national supervisory authority

India does not have a national regulatory authority for protection of personal data.

The Ministry of Electronics and Information Technology (the “Ministry”) is responsible for administering the IT Act and for issuing the rules and other clarifications under it. The authorities established under the IT Act, i.e., the adjudicating officer and the Telecom Disputes Settlement and Appellate Tribunal (“Appellate Tribunal”), and thereafter the High Courts and the Supreme Court, are responsible for enforcing the IT Act.

Ministry of Electronics & Information Technology (Government of India), Department of Electronics and Information Technology

Electronics Niketan, 6,
CGO Complex,
Lodhi Road,
New Delhi 110003

http://meity.gov.in/ 

Notification or registration scheme and timing

There is currently no requirement to register or provide prior written notification to any authority for processing data. 

Exemptions to notification

Not applicable.

_____________________________________________________________________

Scope of Application

What is the territorial scope of application?

The Rules issued under Section 43A of the IT Act apply only to a body corporate or any person located within India.

The provisions of the IT Act (except in respect of matters governed by the Rules) are also applicable to any offence committed by a person outside India involving a computer, computer system or computer network located in India. 

Is there a concept of a controller and a processor?

Indian law does not contain the concepts of controller and processor. Instead, the Rules refer to a ‘body corporate’ and a ‘provider of information’. A body corporate is defined as “any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities”. The ‘provider of information’ is the natural person who provides sensitive personal data or information to a body corporate.

Are both manual and electronic records subject to data protection legislation?

The Rules are issued under the IT Act which applies only to electronic records. The requirements under the Aadhaar Act are applicable to both manual and electronic records.

Are there any national derogations?

Under the Rules, any data that is freely available or accessible in the public domain or furnished under the Right to Information Act, 2005 or under any other law in force shall not be regarded as ‘sensitive personal data or information’ (“SPDI”). Further, SPDI may be disclosed without the consent of the ‘provider of information’ to government agencies mandated under law to obtain information for the purpose of verification of identity, or for the prevention, detection and investigation (including of cyber incidents), prosecution and punishment of offences.

The fundamental right to privacy recognised under the Privacy Judgment can be enforced only against the state or instrumentalities of the state and not against entities in the private sector. 

_____________________________________________________________________

Personal Data

What is personal data?

Personal data under the Indian laws and rules is termed as “personal information”. Personal information has been defined under the Rules as “any information that relates to a natural person, which either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person”. 

Is information about legal entities personal data?

No. Personal information pertains only to information about a natural person.

What are the rules for processing personal data?

There are no specific rules that govern the processing of personal data.

However, the Rules state that a body corporate or any person who processes personal information on behalf of the body corporate should provide a privacy policy (see Is there a general accountability obligation? below). 

Are there any formalities to obtain consent to process personal data?

No specific formalities to obtain consent for processing personal information have been stated. 

Are there any special rules when processing personal data about children?

The Rules do not contain any specific rules when processing personal data about children. 

Are there any special rules when processing personal data about employees?

The IT Act and the Rules do not prescribe any specific requirements with respect to processing personal data about employees.

_____________________________________________________________________

Sensitive Personal Data

What is sensitive personal data?

Sensitive personal data exists as the concept of sensitive personal data or information under the Rules. It means personal information which consists of: (i) passwords; (ii) financial information such as bank account or credit card or debit card or other payment instrument details; (iii) physical, physiological and mental health condition; (iv) sexual orientation; (v) medical records and history; (vi) biometric information; (vii) any detail relating to the above items provided to a body corporate for providing services; and (viii) any of the information received under the above items by a body corporate for processing, that is stored or processed under lawful contract or otherwise.

Sensitive personal data or information does not include information that is freely available or accessible in the public domain or furnished under the Right to Information Act, 2005 or any other applicable law.

Are there additional rules for processing sensitive personal data?

The Rules contain specific provisions regarding the collection of sensitive personal data or information. Under the Clarification, these provisions apply to every body corporate or person within India, other than a body corporate that provides services relating to the collection, storage, dealing or handling of sensitive personal data or information to another legal entity under a contract (i.e., an outsourced service provider). Such an exempted body corporate is nevertheless subject to these provisions if it provides its services directly to the provider of information under a contract with that provider.

The key rules on collection are: (i) it is necessary to obtain the consent of the provider of information prior to the collection. The provider of information must be given an option not to provide the requested sensitive personal data or information and to withdraw its consent by informing the body corporate in writing; (ii) sensitive personal data or information can only be collected where necessary for a lawful purpose that is connected with a function or activity of the body corporate or any person on its behalf; and (iii) the body corporate should provide additional information to the provider of information (see below).

The body corporate must also comply with other general requirements, such as not retaining sensitive personal data or information for longer than is required for the purpose for which it was collected, and implementing reasonable security practices and procedures containing managerial, technical, operational and physical security control measures to protect sensitive personal data or information.

Additional rules apply to the disclosure of sensitive personal data or information. The body corporate and any person acting on its behalf are not allowed to publish sensitive personal data or information. Disclosure of sensitive personal data or information to any third party requires the prior permission of the provider of information, except where: (i) such disclosure has been agreed upon in the contract between the body corporate and the provider of information; (ii) the disclosure is necessary to comply with a legal obligation; (iii) the information is shared with a government agency mandated under law to obtain it (for the purposes described under “Are there any national derogations?” above); or (iv) the disclosure is made to a third party under an order issued under law. A third party that receives sensitive personal data or information shall not disclose it further.

Sensitive personal data or information can be transferred to any other body corporate or a person in India or located in any country that offers the same levels of data protection as India. 

Are there additional rules for processing information about criminal offences?

There are no separate rules. Information about criminal offences is not a listed category of sensitive personal data or information under the Rules; it is subject to the general rules applicable to personal information, unless it also falls within one of the sensitive categories listed above (for example, where it forms part of medical records).

Are there any formalities to obtain consent to process sensitive personal data?

Consent of the provider of information should be obtained in writing (which includes any mode of electronic communication) regarding the purpose of its usage and before further transfer or disclosure. 

_____________________________________________________________________

Data Protection Officers

When must a data protection officer be appointed?

Under the Rules, body corporates are required to designate a grievance officer; there is no general requirement to appoint a data protection officer. The Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (“CERT-In Rules”) lay down the operations of the Indian Computer Emergency Response Team (“CERT-In”), created under Section 70B of the IT Act. Under the directions issued by CERT-In on 28 April 2022, entities, including body corporates offering services to Indian users, must designate a point of contact to interface with CERT-In. The details of the point of contact are to be shared with CERT-In in the specified format and kept up to date.

What are the duties of a data protection officer?

The grievance officer shall address any discrepancies or grievances of providers of information with respect to processing of information in a time-bound manner. The grievance officer is required to redress the grievance expeditiously, within one month from the date of receipt of such grievance. The body corporate is required to publish the name and contact details of the grievance officer on its website. 

_____________________________________________________________________

Accountability and Privacy Impact Assessments

Is there a general accountability obligation?

The Rules state that a body corporate or any person who on behalf of the body corporate collects, receives, possesses, stores, deals or handles information including sensitive personal data or information of a provider of information, should provide a privacy policy.

This privacy policy should serve to protect the personal information that is provided, and the provider of such information should be able to review the policy. The privacy policy is required to be made available on the website of the body corporate and should provide for: (i) clear and accessible statements relating to its practices and policies; (ii) the type of personal information or sensitive personal data or information that is being collected; (iii) the purpose of collecting and using of such information; (iv) the instances in which disclosure of such information may be made under the Rules; and (v) reasonable security practices and procedures required under the Rules. 

Are privacy impact assessments mandatory?

Privacy impact assessments are not mandatory under the IT Act or the Rules. However, a body corporate handling or processing sensitive personal data or information is required to have its security practices and procedures certified and audited by an independent auditor approved by the Central Government at least once every year, or whenever there is a significant upgrade of its processes and computer resource.

_____________________________________________________________________

Rights of Data Subjects

Privacy notices

A body corporate collecting sensitive personal data or information should keep the provider of information informed about: (i) the fact that the information is being collected; (ii) the purpose for doing the same; (iii) the intended recipients; and (iv) the name and address of the agency collecting and retaining the information. All the requirements applicable to personal data, such as the requirement for a privacy policy (see Is there a general accountability obligation? above), are applicable when processing sensitive personal data. 

Rights to access information

A provider of information can access information provided by it upon request. 

Rights to data portability

No. 

Right to be forgotten

The “right to be forgotten” is not recognised as such in India, and there are no provisions of law that provide for this.

There have been judicial precedents wherein various courts have recognised this right, especially in relation to sexual offences against women. The Supreme Court of India has held that anonymity of victims must be maintained as far as possible in cases involving sexual offence (State of Punjab vs Gurmit Singh). The Karnataka High Court, in a recent decision, has recognised that certain information can be erased in sensitive cases involving rape, or affecting the modesty and reputation of the person concerned. However, other High Courts have taken a different view in this regard. For example, the Gujarat High Court has rejected a plea to restrain public exhibition of a judgement on public sources (Dharmraj Bhanushankar Dave v. State of Gujarat). 

Objection to direct marketing and profiling

The IT Act and the Rules do not impose any specific conditions on the use of personal information or sensitive personal data or information for direct marketing. However, where sensitive personal data or information is collected from a provider of information, prior consent must be obtained and the purpose of collection disclosed, so any use for direct marketing must fall within the purpose for which consent was given.

Other rights

The provider of information has the right to review the information provided and withdraw consent that was previously provided. A body corporate cannot refuse such a request. Additionally, any discrepancies and inaccurate information can be corrected by the provider of information. 

_____________________________________________________________________

Security

Security requirements in order to protect personal data

The Rules provide that reasonable security practices and procedures must be maintained by each body corporate. A body corporate or a person acting on its behalf is “considered to have complied with reasonable security practices and procedures if they have implemented such security practices and standards and have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business”. The Rules list the International Standard IS/ISO/IEC 27001 on “Information Technology - Security Techniques - Information Security Management System - Requirements” as one such standard. Body corporates that follow other codes of best practice (for example, those issued by an industry association or self-regulating body) are required to have those codes approved by and notified to the Central Government for effective implementation.

A body corporate is required to have its security practice and procedures certified and audited by an independent auditor who is approved by the Central Government at least once every year, or when there is a significant upgrade in its computer resource. 

Specific rules governing processing by third party agents (processors)

There are no specific rules that govern third party agents acting on behalf of a body corporate. They are governed by the same regime applicable to body corporates. 

Notice of breach laws

Certain types of cyber security incidents need to be mandatorily reported to the CERT-In created under Section 70B of the IT Act by filling in the prescribed forms on CERT-In’s website. These incidents include (i) compromise of critical systems or information; (ii) targeted scanning or probing of critical networks or systems; (iii) identity thefts, spoofing or phishing attacks; (iv) unauthorised access of IT systems or data; (v) defacement of a website or intrusion into a website; (vi) malicious code attacks; (vii) Denial of Service or Distributed Denial of Service (DoS or DDoS) attacks; (viii) data breach; (ix) data leak; (x) attacks through malicious mobile apps; (xi) attacks on servers; and (xii) unauthorised access to social media accounts.

Under the directions issued by CERT-In on 28 April 2022, these cyber security incidents must be reported within six hours of the entity noticing them or being brought to notice about them. Reporting is mandatory in particular where the incidents meet the following criteria: (i) cyber incidents and cyber security incidents of a severe nature (such as denial of service, distributed denial of service, intrusion, or spread of computer contaminant including ransomware) on any part of the public information infrastructure, including backbone network infrastructure; (ii) data breaches or data leaks; (iii) large-scale or very frequent incidents such as intrusion into computer resources, websites etc.; and (iv) cyber incidents impacting the safety of human beings.

Entities may report the information available to them within the six-hour timeframe, and additional information may be reported later within a ‘reasonable time’.

CERT-In is also authorised to collect or analyse information in relation to cyber security incidents from individuals and organisations. Information that may lead to identification of individuals or organisations that have been affected by cyber security incidents cannot be disclosed without explicit written consent, or through the order of a competent court.

_____________________________________________________________________

Transfer of Personal Data to Third Countries

Restrictions on transfers to third countries

The Rules provide that sensitive personal data or information may be transferred to any other body corporate or person, whether in India or located in any other country, that ensures the same level of data protection as is required of the transferring body corporate under the Rules. Such a transfer is permitted only where it is necessary for the performance of a lawful contract between the body corporate (or any person acting on its behalf) and the provider of information, or where the provider of information has consented to the transfer.

There is no restriction under the Rules regarding transborder dataflows of information that is not sensitive personal data or information.

The Reserve Bank of India (“RBI”), through a notification issued on 6 April 2018 read with RBI’s FAQs on storage of payment system data has made it mandatory for all banks, intermediaries and other third parties to store all information pertaining to payments data in India. In case of international transactions, the data on the foreign leg of the transaction can be stored in a foreign location, if required.

Notification and approval of national regulator (including notification of use of Model Contracts)

There is no additional requirement to notify or obtain the approval of any regulatory authority. 

Use of binding corporate rules

Indian law does not recognise binding corporate rules as a transfer mechanism. Transborder dataflows of sensitive personal data or information are permitted only to recipients that ensure the same level of data protection as is required under the Rules. The Indian regime is bespoke, so a set of binding corporate rules assists only to the extent that the recipient thereby achieves that level of protection.

_____________________________________________________________________

Enforcement

Fines

Section 72A of the IT Act provides for a fine of up to INR 500,000 when there is disclosure of personal information in breach of a lawful contract or without consent.

Section 70B(7) of the IT Act read with the directions issued by CERT-In on 28 April 2022 (“CERT-In Directions”) provides for a fine up to INR 100,000 where there is a failure to furnish information to CERT-In and in case of non-compliance with CERT-In’s reporting requirements. 

Criminal liability

Section 72A of the IT Act provides for imprisonment of up to three years when there is disclosure of personal information in breach of a lawful contract or without consent.

Section 70B(7) of the IT Act read with the CERT-In Directions provides for imprisonment of up to one year where there is a failure to furnish information to CERT-In and in case of non-compliance with CERT-In’s reporting requirements. 

Compensation

Section 43A of the IT Act provides that bodies corporate possessing, dealing with or handling any sensitive personal data or information in a computer resource owned, controlled or operated by it would be liable to pay damages as compensation to affected persons if they are negligent in implementing and maintaining reasonable security practices and procedures to protect sensitive personal data or information, thereby causing wrongful loss or wrongful gain to any person. 

Other powers

There are no other enforcement provisions in relation to data protection in the IT Act or the Rules.

Practice

There have been a number of judgments in the courts on privacy matters, including the Privacy Judgment. However, there is no significant court or regulatory practice on the application of these provisions.

_____________________________________________________________________

ePrivacy | Marketing and cookies

_____________________________________________________________________

National Legislation

ePrivacy laws

Apart from the Telecom Commercial Communications Customer Preference Regulations, 2018 (“Customer Preference Regulations”) issued by the Telecom Regulatory Authority of India (“TRAI”) to telecom service providers to set up a mechanism to register requests of subscribers not to receive unsolicited commercial calls, there are no specific laws or regulations in India on the use of cookies or direct marketing.

_____________________________________________________________________

Cookies

Conditions for use of cookies

There are no specific laws or regulations in India on the use of cookies.

Regulatory guidance on the use of cookies

Not applicable.

_____________________________________________________________________

Marketing by E-mail

Conditions for direct marketing by e-mail to individual subscribers

There are no specific laws or regulations in India on direct marketing by email.

Conditions for direct marketing by e-mail to corporate subscribers

Not applicable.

Exemptions and other issues

Not applicable.

_____________________________________________________________________

Marketing by Telephone

Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)

Marketing by telephone to individual subscribers without their consent is expressly prohibited with the telecom service providers being responsible to ensure that such a prohibition is enforced. Telecom service providers are required to establish a Customer Preference Registration Facility (“CPRF”) under which customers can provide or revoke their consent with regard to the category, the mode (whether voice calls or text messages) and the time slot of such marketing.

Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)

There are no separate rules for corporate subscribers, who are governed by the same regime as non-corporate subscribers.

Exemptions and other issues

The CPRF provides customers the option to register under the ‘partially blocked category’ pursuant to which customers can opt in or opt out from receiving promotional communications under the following categories: (i) banking/insurance/financial products/credit cards; (ii) real estate; (iii) education; (iv) health; (v) consumer goods and automobiles; (vi) communication/broadcasting/entertainment/IT; (vii) tourism and leisure; and (viii) food and beverages.
