Contributed By ANA Law Group
The Constitution of India guarantees the right to privacy to all citizens as part of the right to life and personal liberty under Articles 19 and 21, and as part of the freedoms guaranteed by Part III of the Constitution. The Supreme Court of India (SCI) affirmed this right in 2017 in its landmark judgment in Justice K S Puttaswamy (Retd) and Another v Union of India and Others (2017) 10 SCC 1 (privacy judgment).
India does not currently have a comprehensive data privacy law. Personal and confidential information is protected under the Information Technology Act 2000 (ITA) and the rules made under it. India’s Central (Federal) Government has notified the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (DP Rules) under the ITA, to govern entities that collect and process sensitive personal information in India.
The DP Rules:
The DP Rules apply only to corporate entities and are restricted to sensitive personal data (SPD), which includes attributes such as sexual orientation, medical records and history, biometric information and passwords.
Pursuant to the privacy judgment, the Indian Ministry of Electronics and Information Technology (MeitY) formed the Justice B N Srikrishna Committee (expert committee) to frame an all-encompassing data protection law for India. The expert committee submitted a draft Personal Data Protection Bill 2018 together with an expert committee report. That draft was subsequently revised, and the Personal Data Protection Bill 2019 (PDP Bill) was introduced in Parliament. The PDP Bill is intended to apply to the processing of personal data by the Government, any Indian company, any citizen of India, or any person or body of persons incorporated or created under Indian law. It also extends to foreign data fiduciaries and data processors that process personal data in connection with any business carried on in India, the offering of goods or services to data principals in India, or the profiling of data principals in India.
India now awaits a comprehensive data protection regime, to be established once the PDP Bill, which is based on the expert committee report, is enacted.
India does not have a data privacy authority as yet. The ITA requires the central government to appoint an adjudicating officer to conduct inquiries into claims for injury or damages valued up to INR5 crore (approximately USD700,000). Claims exceeding this amount must be filed before the competent civil court. The inquiry and investigation procedure for the adjudicating officer is set out in the Information Technology (Qualification and Experience of Adjudicating Officers and Manner of Holding Enquiry) Rules 2003. Appeals from the adjudicating officer lie before the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
Sector-specific regulators include the following:
The Reserve Bank of India (RBI) regulates both public and private sector banks. The RBI’s guidelines allow it to inspect, at any time, any bank’s cyber-resilience capabilities. The RBI has set up a Cyber Security and Information Technology Examination (CSITE) Cell within the Department of Banking Supervision to periodically assess the progress made by banks in implementing the Cyber Security Framework in Banks (CSF) and other regulatory instructions and advisories, through on-site examinations and off-site submissions. The RBI has also introduced an internal ombudsman scheme for commercial banks with more than ten branches as a redressal forum, and has proposed an online portal for investigating and addressing cybersecurity concerns and complaints.
In August 2019 the RBI also released a discussion paper on Guidelines for Payment Gateways and Payment Aggregators. It has directed payment aggregators to put in place adequate information and data security infrastructure, as well as systems for the prevention and detection of fraud, and has specifically recommended the implementation of data security standards and best practices such as PCI-DSS, PA-DSS, current encryption standards and transport channel security.
The RBI also obtained ISO 27001 Certification in August 2019 for three of its data centres to ensure administration and protection of key ICT infrastructure in accordance with globally accepted norms.
The RBI regularly conducts audits and enquiries into banks’ security frameworks. For instance, the RBI recently imposed monetary penalties of INR3 crore (approximately USD421,000) on SBM Bank (India) Ltd, INR1 crore (approximately USD140,000) on Corporation Bank and INR1 crore (approximately USD140,000) on Union Bank of India for non-compliance with certain RBI directions, including non-compliance with the CSF.
The Insurance Regulatory and Development Authority of India (IRDAI) conducts regular onsite and offsite inspections of insurers to ensure compliance with the legal and regulatory framework. In addition, the IRDAI’s Guidelines on Information and Cyber Security for Insurers (IRDAI Cyber Security Policy) mandate a separate information security audit plan for insurers covering IT infrastructure and applications. Other relevant instruments issued by the IRDAI include the IRDAI (Outsourcing of Activities by Indian Insurers) Regulations 2017, the IRDAI (Maintenance of Insurance Records) Regulations 2015 and the IRDAI (Protection of Policyholders’ Interests) Regulations 2017, which contain a number of provisions on data security.
Telecoms operators are governed by regulations laid down by regulatory bodies including:
Furthermore, the Unified Access Service Licence (UASL) extends information security obligations to the telecoms networks themselves and to operators’ third parties. The licence requires telecoms operators to audit their networks (internal and external) at least once a year. The Department of Telecommunications (DoT), in its National Digital Communications Policy of 2018, seeks to establish a comprehensive data protection regime and to assure the security of digital communications.
The Securities and Exchange Board of India (SEBI) has issued detailed guidelines requiring Market Infrastructure Institutions (MIIs) to set up their own Cyber Security Operation Centres (C-SOCs), with operations overseen by dedicated security analysts. The cyber-resilience framework has also been extended to stockbrokers and depository participants.
The Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations 2002 (IMCR) imposes patient confidentiality obligations on medical practitioners. In addition, data privacy in the healthcare industry is currently governed under the DP Rules. The Ministry of Health and Family Welfare (Health Ministry) has issued draft legislation known as the Digital Information Security in Healthcare Act (DISH Act), to regulate the generation, collection, storage, transmission, access and use of all digital health data. The DISH Act also provides for the establishment of a National Digital Health Authority as a statutory body to enforce privacy and security measures for health data and to regulate storage and exchange of health records.
The expert committee report and the PDP Bill require the central government to appoint a Data Protection Authority (DPA) to ensure compliance with the data protection law, register data fiduciaries, conduct inquiries into and adjudicate privacy complaints, issue codes of practice, monitor cross-border transfers of personal data, advise state authorities and promote awareness of data protection. For significant data fiduciaries, the expert committee report and the PDP Bill propose the appointment of a data protection officer (DPO) to address data principals’ grievances.
The ITA provides for the appointment of an adjudicating officer to deal with claims of injury or damages not exceeding INR5 crore (approximately USD700,000). MeitY has appointed the Secretary of the Department of Information Technology of each Indian State or Union Territory as the adjudicating officer under the ITA. A written complaint can be made to the adjudicating officer having jurisdiction over the location of the computer system or computer network, together with a fee based on the damages claimed as compensation. The adjudicating officer then issues a notice to the parties fixing the date and time for further proceedings and, on the parties’ evidence, either passes orders (where the respondent admits the contravention) or carries out an investigation. If the officer is satisfied that the case involves an offence rather than a mere contravention, and so attracts a punishment greater than a financial penalty, the officer transfers the case to the Magistrate having jurisdiction.
The first appeal from an adjudicating officer’s decision lies before the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), and a further appeal lies before the High Court.
The PDP Bill prescribes that a complaint be filed first with the data fiduciary’s data protection officer, whose decision can be appealed to the adjudicating officer of the DPA, who has the authority to impose penalties on the data fiduciary. The maximum penalty for violation of the PDP Bill’s provisions is INR15 crore (approximately USD2 million) or 4% of the data fiduciary’s total worldwide turnover in the preceding financial year, whichever is higher. The PDP Bill also prescribes imprisonment of up to three years and/or a fine of up to INR200,000 (approximately USD2,800) for any person who knowingly or intentionally, and without the consent of the data fiduciary or data processor, re-identifies personal data that has been de-identified by a data fiduciary or data processor, or re-identifies and processes such personal data. These offences under the PDP Bill are cognisable (ie, the police may arrest the offender without a court warrant) and non-bailable.
The PDP Bill proposes that the central government establish an appellate tribunal to adjudicate on appeals from the orders of the DPA, and the SCI as the final appellate authority for all purposes under the PDP Bill.
The current data privacy principles under the DP Rules are similar, in many respects, to EU data protection law. However, having regard to the digital economy, technological advances in India and the need to protect innovation while protecting the right to privacy, the expert committee adopted a nuanced approach in drafting the PDP Bill. In several respects the PDP Bill is aligned with the General Data Protection Regulation (GDPR). For instance, "personal data" is defined as broadly under the PDP Bill as under the GDPR and includes any data relating to a natural person who is directly or indirectly identifiable. The PDP Bill also introduces the concepts of "data fiduciary" and "data principal", which correspond to "data controller" and "data subject" under the GDPR. The PDP Bill includes similar principles for the processing of personal data, such as lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy or quality of data, storage limitation, integrity and confidentiality, and accountability. It also includes, as the GDPR does, the right to confirmation and access, the right to be forgotten, the right to correction or erasure, the right to data portability and the right to withdraw consent.
However, unlike the GDPR, the PDP Bill mandates data localisation. The 2018 draft required every data fiduciary to store at least one serving copy of all personal data on a server or in a data centre located in India; the 2019 PDP Bill narrows this so that sensitive personal data must continue to be stored in India even where a copy is transferred abroad, and critical personal data may be processed only in India. In addition, the PDP Bill does not grant individuals rights in respect of automated decision-making or profiling (except in the case of minors), as the GDPR does. The PDP Bill neither recognises obligations of joint controllers nor requires a joint controller agreement, although the concept of joint controllership or joint processing is recognised to some extent, for instance in the definition of data fiduciary and in the liability provisions.
The PDP Bill contains no grounds comparable to the GDPR’s "performance of a contract" or "legitimate interests" as a basis for processing personal data. It requires consent for processing personal data, except on specific grounds such as the performance of government-authorised functions, purposes relating to employment or recruitment, and such reasonable purposes as may be specified by regulation.
The major data privacy non-governmental organisations (NGOs) and industry self-regulatory organisations (SROs) in India include:
Please refer to 1.4 Multilateral and Subnational Issues.
Pursuant to the privacy judgment and the expert committee report, the PDP Bill, which will be India’s first comprehensive data protection framework, has been introduced into the Indian Parliament and is expected to be finalised and enacted soon.
In December 2019, the RBI released a comprehensive cybersecurity framework for primary (urban) co-operative banks (UCBs).
The RBI has mandated data localisation for the storage of payment system data. The RBI has clarified that where payment transactions are processed overseas, the payment system data for those transactions (including end-to-end transaction details) may also be stored abroad, but only for the limited period needed to process the transaction.
In September 2019 MeitY issued an office memorandum constituting a new Committee of Experts to study issues relating to non-personal data and to make specific recommendations to the Government on its governance.
The Ministry of Civil Aviation has taken several initiatives in the past year to regulate and experiment with drones and their potential commercial uses. These include the release of a Drone Ecosystem Policy Roadmap in January 2019; an invitation in May 2019 for companies to conduct experimental beyond-visual-line-of-sight operations of remotely piloted aircraft (drones) in Indian airspace; the release of National Counter Rogue Drone Guidelines to address the national security risks of unregulated and unchecked drone operations; and the launch of a portal for obtaining a "no objection" from the civil aviation regulator (DGCA) to conduct aerial surveys and remote sensing surveys.
The PDP Bill was introduced in the lower house of the Indian Parliament (Lok Sabha) on 11 December 2019, and was immediately referred to a Joint Parliamentary Committee for further debate and examination on 12 December 2019. The Government has directed the Parliamentary Committee to provide its report to the Lok Sabha by February 2020.
Once the Parliamentary Committee submits its report to the Lok Sabha and both houses of the Parliament pass the PDP Bill, it will be sent for the President’s assent followed by its notification as the law.
After the PDP Bill is notified as law, the RBI may strengthen the enforcement of its data localisation mandate for payment related data to be stored within India only.
General requirements under the DP Rules include:
The PDP Bill is not applicable to the processing of anonymised data (personal or non-personal). The principles relating to the processing of personal data include:
The legal bases for processing personal data include:
Notice must be provided to the data principal at the time of collection of the personal data containing the prescribed information.
The data principals’ rights include:
A significant data fiduciary (those notified by the Data Protection Authority) must carry out a data protection impact assessment when it intends to undertake any processing of personal data, which involves:
any other processing which carries a risk of significant harm to data principals.
The DP Rules do not provide for the appointment of DPOs. However, the PDP Bill provides for data fiduciaries to appoint DPOs possessing the qualifications prescribed under the regulations, to carry out the functions set out in the PDP Bill. The data protection officer must be based in India and represents the data fiduciary under the PDP Bill. The data fiduciary may assign any other function to the data protection officer that it considers necessary.
Authorised Data Collection and Processing
Under the DP Rules, bodies corporate must obtain the data provider’s consent before collecting his or her SPD, or transferring or disclosing it to third parties, and must take reasonable steps to ensure that the individual knows that personal data or SPD is being collected, the purpose of the collection, its intended recipients, and the name and address of the collecting agency. This requirement does not apply where a government agency requires the individual’s SPD for identity verification or for the prevention, detection, investigation, prosecution or punishment of offences.
The legal bases for processing personal data under the PDP Bill include:
Privacy by Design and Default
The concepts of "privacy by design" and "privacy by default" are not defined in current Indian data protection law, but are provided for under the PDP Bill. These concepts are nevertheless reflected in the ITA and the DP Rules, which incorporate provisions such as:
The PDP Bill specifically provides that data fiduciaries must prepare a privacy design policy, containing:
Subject to the PDP Bill’s regulations, the privacy by design policy may be submitted to the Data Protection Authority for certification.
A certified privacy by design policy must be published on the websites of both the data fiduciary and the Data Protection Authority.
Privacy Impact Analysis
Current Indian data protection law does not require privacy impact analyses. However, the PDP Bill mandates a data protection impact assessment (DPIA) before a data fiduciary undertakes any processing involving new technologies, large-scale profiling or the use of sensitive personal data that carries a risk of significant harm to data principals.
On completion of the DPIA, the DPO must review the assessment and submit the assessment report to the DPA.
On receipt of the assessment and its review, if the DPA has reason to believe that the processing is likely to cause harm to data principals, it may direct the data fiduciary to cease the processing or impose such conditions as it deems fit.
Data Provider Rights
The DP Rules grant the right to the data providers to review, edit and update their personal data, and to withdraw their consent to personal data provision.
The PDP Bill grants additional rights to data principals, including:
Anonymisation, De-identification and Pseudonymisation
Current Indian data protection law contains no provisions on anonymisation or pseudonymisation. In the absence of a specific provision, the DP Rules will, strictly read, apply to the processing of both anonymised and pseudonymised data.
The PDP Bill does not apply to the processing of anonymised data (personal or non-personal). However, the PDP Bill does apply to anonymised data (personal or non-personal) that the central government collects from a data fiduciary to enable better targeting of services or the formulation of evidence-based policies.
The PDP Bill also requires data fiduciaries and data processors to implement appropriate security safeguards, including de-identification (pseudonymisation) and encryption. It proposes that re-identification of de-identified data without the data fiduciary’s consent be a punishable offence.
Current Indian law does not address the emerging issues of profiling, automated decision-making, online monitoring or tracking, big data analysis and artificial intelligence. As discussed below, the PDP Bill addresses some of these issues.
Under the DP Rules, SPD consists of personal information relating to:
The PDP Bill expands the scope of SPD to include official identifier, sex life, genetic data, transgender and intersex status, religious/political beliefs and affiliations, caste or tribe and any other category that the DPA may specify. The PDP Bill clarifies that SPD can be processed based on explicit consent; for the function of the government; if mandated by law; or if certain SPD is strictly necessary to respond to any medical emergency, disaster or outbreak of disease that may threaten public health.
The DP Rules recognise financial information, such as credit card, debit card and other payment instrument details, as SPD, and thus regulate its collection, use and disclosure to that extent. Further key legislation addressing data protection in the financial sector includes the Credit Information Companies (Regulation) Act 2005 (CIC Act), the Credit Information Companies Regulations 2006 (CIC Regulations) and circulars issued by the RBI.
The CIC Act and CIC Regulations apply primarily to credit information companies (CICs). They recognise CICs as data collectors and require them to ensure data security and secrecy, and to adhere to privacy principles governing data collection, use, disclosure and accuracy, and protection against loss or unauthorised use, access and disclosure.
The Know Your Customer (KYC) norm categorises the information that banks and financial institutions can seek from their customers. Once such information is collected, banks have an obligation to keep it confidential. Furthermore, multiple RBI circulars, such as the Master Circular on Credit Card, Debit Card and Rupee Denominated Co-branded Prepaid Card Operations of Banks and Credit Card issuing NBFCs, the Master Circular on Customer Services, and the Code of Banks Commitment to Customers, etc, provide privacy and customer confidentiality obligations that must be complied with by various financial institutions.
The RBI’s recent guidelines on data localisation of payment system data in India will also, to an extent, help protect financial data.
The Public Financial Institutions (Obligations as to Fidelity and Secrecy) Act 1983 prohibits public financial institutions from disclosing a client’s information to third parties, except as required by law or in accordance with customary practice and usage.
The RBI Guidelines on Managing Risks and Code of Conduct in the Outsourcing of Financial Services by Banks prescribe measures maintaining the confidentiality and security of customer data while transferring data to third-party service providers.
The Banking Codes and Standards Board of India prescribes a code of conduct on banking operations, including privacy and confidentiality of customer information.
The SEBI requires securities market intermediaries to maintain client data confidentiality, including personal data.
Data protection laws in respect to health data are inadequate in India. The PDP Bill categorises “health data” as sensitive personal data, and defines “health data” as the data related to the state of physical or mental health of the data principal and includes records regarding the past, present or future state of the health of that data principal; data collected in the course of registration for, or provision of, health services; and data associating the data principal to the provision of specific health services. The health data cannot be processed or transferred without obtaining the data principals’ consent, unless for the exceptional grounds specified under the PDP Bill.
Additionally, the Health Ministry has proposed the DISH Act to ensure the privacy, security and standardisation of electronic health data in the healthcare sector. The DISH Act is pending government approval and is expected to be notified soon. Currently, the Clinical Establishments (Central Government) Rules 2012 mandate that clinical establishments store, maintain and provide health information in electronic form. Further, the DP Rules recognise health information as SPD and thus regulate its collection, use and disclosure. However, because the DP Rules apply only to bodies corporate, the public health sector remains unregulated. The PDP Bill proposes to apply data privacy obligations to both state and non-state entities.
Furthermore, the IMCR prescribes that a patient’s health data must not be disclosed without his or her consent, unless disclosure is mandated by law, there is a risk to an individual or the community, or the disease is notifiable. In addition, physicians are encouraged to computerise medical records, maintain them for three years and provide access to the patient on request. The limited privacy safeguards and the absence of an enforcement mechanism render the IMCR largely inadequate to address health information concerns.
Although there are multiple telecom laws, such as the Indian Telegraph Act 1885 (Telegraph Act), the Indian Wireless Telegraphy Act 1933, the Telecom Regulatory Authority of India Act 1997 (TRAI Act) and various regulations issued thereunder, data protection norms in the telecom sector are primarily governed by the UASL issued to telecoms service providers (TSPs) by the DoT. A TSP has an obligation to take necessary steps to safeguard the privacy and confidentiality of users’ information. Furthermore, customer information can be disclosed only after obtaining the individual’s consent and if the disclosure is in accordance with the terms of such consent.
Some of the key TRAI recommendations concerning TSPs include:
The PDP Bill and the TRAI recommendations propose to regulate data privacy issues relating to the internet in India.
The DP Rules do not treat voice telephony as SPD. However, in October 2017 the TRAI released recommendations on a regulatory framework for internet telephony, recognising internet telephony as a form of Voice over Internet Protocol (VoIP) governed by the UASL. The licence requires service providers to safeguard the privacy and confidentiality of communications and to prevent unauthorised interception.
Current Indian data privacy law does not address privacy issues relating to children. Under Indian contract law a contract entered into by a minor (a person under 18 years) is void, so the consent of a parent or legal guardian must be obtained for any online contract with a minor. The PDP Bill treats a data principal under the age of 18 as a child, and requires data fiduciaries to put in place an appropriate mechanism for age verification and parental consent to the processing of children’s personal data, and to protect and advance the child’s rights and best interests. A data fiduciary is barred from profiling, tracking or behaviourally monitoring children, targeting advertising directly at them, or undertaking any other processing of personal data that could cause significant harm to a child.
Currently, India has no specific law dealing with workplace privacy or the protection of employee data. However, the PDP Bill proposes that employees’ personal data may be processed where necessary for an employee’s recruitment or termination, for providing any service or benefit sought by an employee, for verifying an employee’s attendance, or for any activity relating to an employee’s performance assessment. An employer need not obtain the employee’s consent where consent is not appropriate having regard to the employment relationship, or where obtaining it would involve a disproportionate effort by the employer given the nature of the processing. Nevertheless, consent is required where an employee’s sensitive personal data is processed.
Internet, Streaming and Video Issues
There are no specific provisions under current law regarding browsing data, viewing data, cookies and beacons, or location data. The current Indian data protection framework provides no "do not track" mechanism, nor does it regulate behavioural advertising. The proposed PDP Bill, however, prohibits data fiduciaries from tracking minors’ personal data, categorises behavioural characteristics as SPD, and prohibits behavioural monitoring of, and behavioural advertising directed at, minors.
Social media, search engines and large online platforms
Critical data privacy issues relating to social media, search engines, online platforms and the like are not adequately governed under the current Indian law.
The PDP Bill has incorporated provisions regulating social media intermediaries. The PDP Bill provides that the government can notify a social media intermediary as a “significant data fiduciary” and subject it to additional obligations under the PDP Bill. A social media intermediary with users above such threshold as may be notified by the central government, and whose actions have, or are likely to have, a significant impact on electoral democracy, the security of the state, public order or the sovereignty and integrity of India, can be notified as a significant data fiduciary.
Telecoms and network service providers, such as web-hosting service providers, search engines and online platforms are defined as "intermediaries" under the ITA. Furthermore, the MeitY proposes to include social media companies as intermediaries. The ITA and intermediaries guidelines prescribe certain obligations on intermediaries including:
Addressing hate speech
The publication of hate speech, abusive material and political manipulation has been treated as an offence under the ITA. Section 66A of the ITA provided that a person who sends, by means of a computer or communication device, information that is grossly offensive, or information intended to cause annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, is punishable with imprisonment for a term of up to three years and a fine. Note, however, that the Supreme Court struck down Section 66A as unconstitutional in 2015 in Shreya Singhal v Union of India, so that provision is no longer in force.
Data subject rights
The DP Rules provide that the data subject must be given the option to not provide their information, or revise or update that information, or withdraw his or her consent at any time.
The PDP Bill grants the following rights to data principals:
Right to be forgotten
The DP Rules do not provide the right to be forgotten to data providers. However, the PDP Bill proposes that a data principal has the right to restrict or prevent continuing disclosure of personal data by a data fiduciary, subject to the adjudicating officer determining that the right to be forgotten does not override the right to freedom of speech and expression and the right to information of any citizen.
Furthermore, the TRAI recommendations propose extending the right to be forgotten to all users of digital services, subject to restrictions under other applicable laws.
The Indian courts have also observed that the right to be forgotten should be safeguarded in sensitive cases involving women in general, and highly sensitive cases affecting the modesty and reputation of the person concerned.
Further, the right was also emphasised in the privacy judgment in which the SCI observed that:
“In the digital world, preservation is the norm and forgetting a struggle. People are not static; they are entitled to re-invent themselves and correct their past actions. It is privacy which nurtures this ability and removes the shackles of unadvisable things which may have been done in the past.”
Current law does not provide for data portability. The PDP Bill prescribes a right to data portability only where processing is carried out by automated means: the data principal may demand that his or her personal data be provided in a structured, commonly used and machine-readable format, or be transferred directly to any other data fiduciary. Additionally, the TRAI’s recommendations propose that users have primary control over their personal data and enjoy data portability rights.
Right of rectification or correction
The DP Rules grant data providers the right to review, edit and update their personal data. The PDP Bill also gives the data principal the right to request correction of inaccurate or out-of-date personal data, and erasure of personal data that is no longer necessary for the purpose for which it was processed. The data fiduciary must take the necessary steps to notify all third parties to whom such personal data has been disclosed.
The TRAI has ratified the Telecom Commercial Communication Customer Preference Regulations, restricting unsolicited commercial or marketing communications such as telephone calls and SMSes based on a customer’s preference, where customers can register themselves under the fully blocked category or the partially blocked category. The TRAI has formed a Do-Not-Call Registry where customers can register to prevent any unsolicited calls or SMSes. The Regulations impose penalties of up to INR250,000 (approximately USD3,563) for any non-compliance.
Please refer to 2.2 Sectoral and Special Issues for information on constraints on behavioural advertising.
Currently, India does not have any specific law to deal with workplace privacy or protection of employee data. However, the PDP Bill proposes that employees’ personal data can be processed if it is necessary: (i) for an employee’s recruitment or termination; (ii) to provide any service or benefit sought by an employee; (iii) to verify the attendance of an employee; or (iv) for any activity relating to an employee’s performance assessment. Employers need not obtain the employee’s consent where consent is not appropriate having regard to the employment relationship between them, or where obtaining it would involve a disproportionate effort by the employer due to the nature of the processing activities. Nevertheless, consent is required in cases where employees’ sensitive personal data is processed.
The current Indian law does not prohibit or restrict camera surveillance, or the monitoring of employees’ office e-mails, telephone calls and data on office devices, provided such activities are reasonable and do not violate the employees’ privacy. To avoid any risks, many employers obtain employees’ consent, either as part of the employment agreement, through company policies, or through separate letters.
The role of labour organisations or works councils with respect to workplace privacy is not covered under the ITA, DP Rules, or the employment laws.
The PDP Bill permits the processing of personal data without consent if such processing is necessary for the purposes of whistle-blowing.
India’s Whistle Blowers Protection Act, 2011 (the Whistle-Blower Act) establishes a mechanism to receive complaints relating to allegations of corruption or wilful misuse of power against any public servant, and to provide adequate safeguards against the victimisation of a whistle-blower. However, a major shortfall is that a whistle-blower must disclose his or her identity in the complaint.
Further, the Companies Act, 2013, mandates that certain publicly listed companies establish a vigil mechanism and an exclusive hotline for directors and employees to report their genuine concerns about unethical behaviour or misconduct, actual or suspected frauds, and violations of the code of conduct.
Additionally, SEBI’s Listing Agreement’s Clause 49 under the Principles of Corporate Governance requires that companies establish a whistle-blower policy to safeguard the identity of an employee who reports instances to the management.
There is no specific legal provision with regard to e-discovery issues and no prohibition against deploying data loss prevention (DLP) tools or technologies.
As India currently does not have a specific DPA, data protection issues are adjudicated by an adjudicating officer appointed under the ITA, having the powers of a civil court.
The penalties for data breaches are prescribed under the ITA.
A body corporate (which owns, controls, deals with or handles any SPD in a computer resource) that is negligent in implementing and maintaining reasonable security practices and procedures, and thereby causes wrongful loss or wrongful gain to any person, is liable to pay damages not exceeding INR5 crores (approximately USD700,000) to the person so affected. Cases involving damages of more than INR5 crores are brought before the competent civil court.
The adjudicating officer can grant either a penalty or any amount of compensation. For offences for which no separate penalty is prescribed, the amount of compensation is limited to INR25,000 (approximately USD360).
PDP Bill Enforcement Penalties
If a data fiduciary, without any reasonable explanation, fails to comply with any request made by a data principal in respect of its rights, that data fiduciary will be liable to a penalty of INR5,000 (approximately USD60) for each day during which that default continues, subject to a maximum of INR1 million (approximately USD14,100) in case of significant data fiduciaries and INR500,000 (approximately USD70,000) in other cases.
The failure of a data fiduciary to take prompt and appropriate action in response to data security-related breaches is punishable with a penalty of INR50 million (approximately USD704,000) or 2% of its total worldwide turnover in the preceding financial year, whichever is higher.
The penalty for the processing of personal data, the processing of personal data of children, the failure to adhere to security safeguards, and the transfer of personal data outside India will be INR150 million (approximately USD2.1 million) or 4% of its total worldwide turnover in the preceding financial year, whichever is higher.
If a data fiduciary fails to report any information, such as a personal data breach, to the Data Protection Authority, it will be liable to a penalty of INR10,000 (USD140) for each day during which the default continues, subject to a maximum of INR2 million (approximately USD28,000) in the case of a significant data fiduciary and INR500,000 (approximately USD70,000) in other cases.
If any data fiduciary or data processor fails to comply with any direction or order issued by the Data Protection Authority under the PDP Bill, that data fiduciary will be liable to a penalty which may extend to INR20,000 (USD281) for each day during which the default continues, subject to a maximum of INR20 million (approximately USD280,000).
Certain additional offences under the PDP Bill are cognisable and non-bailable.
Other than under the Companies Act, India does not have any laws enabling class action lawsuits. Under the Companies Act, shareholders or depositors can collectively approach the National Company Law Tribunal for redress where, for example, a company’s affairs are not managed in its best interests.
The Indian government (including its law enforcement agencies) has wide powers under various laws for surveillance, monitoring and access to data for investigations of serious crimes, national security and anti-terrorism.
Key legislation includes:
Government agencies can unilaterally authorise such surveillance, monitoring or access to data under a lawful order, without judicial approval.
The laws and standards applicable to government access to data are the same as those for law enforcement agencies, such as the Indian Telegraph Act, the ITA and various rules thereunder including the DP Rules, TRAI’s licence agreements for ISPs, TSPs, UASL, etc., and the CMS (not yet fully operational).
A foreign government’s access request is not a legitimate basis to collect and transfer SPD. Providing SPD to a foreign government only becomes mandatory through an Indian court’s order or a mutual national reciprocity arrangement with that country.
The current law does not mandate or prohibit a private organisation from providing SPD to a foreign government, and the transfer is subject to DP Rules.
The PDP Bill mandates data localisation for SPD, and allows for the transfer of personal data outside India, subject to the prescribed conditions.
India has not signed a CLOUD Act agreement with the USA and will not meet its criteria until it notifies its PDP Bill and enacts a stronger data privacy regime.
The RBI’s mandatory payment data localisation requirement is the subject of much debate. Similarly, the data localisation provisions under the PDP Bill, which are not present in the GDPR, and their effective enforcement against and impact on multinational companies operating in India, are highly controversial.
Indian laws give expansive powers to the government to access data for reasons including intelligence, anti-terrorism and national security. The SCI has directed the government to make laws to curb fake news and rumours spread on social media that may lead to mob violence and lynching. The SCI and the government have made social media companies liable for incriminating and false content circulated on their platforms. Reportedly, the government has asked WhatsApp to set up a local entity, find a way to trace the origin of fake messages on its platform and deal with sinister developments such as mob lynching and revenge porn.
The proposed amendments to the intermediary guidelines mandate companies to trace and report the origin of messages within 72 hours of receiving a complaint from law enforcement agencies, as well as disable access within 24 hours to content deemed defamatory or a danger to national security. These provisions have also resulted in public debate on the monitoring of users’ social media accounts.
Implementation of the PDP Bill, which will entail stringent compliance with the privacy regulations by data fiduciaries and data controllers, is much awaited.
There are no statutory provisions under the current law prohibiting the overseas transfer of personal information. The DP Rules permit overseas data transfer subject to certain restrictions for SPD, such as:
As regards the PDP Bill, there are restrictions on the transfer of personal data outside India (Sections 33 and 34 of the PDP Bill).
Sensitive personal data may be transferred outside India subject to certain conditions; however, the data must continue to be stored in India.
In addition, critical personal data must only be processed in India, subject to certain conditions. “Critical personal data” is such personal data as may be notified by the central government.
SPD may be transferred outside India for the purpose of processing on the following conditions:
Any critical personal data may be transferred outside India on the following conditions:
Any transfer of critical sensitive data in respect of (i) must be notified to the Data Protection Authority within such a period as may be specified by regulations.
Besides the restrictions prescribed under the DP Rules, Indian law currently does not have any mechanism to apply to international data transfers.
Under the DP Rules, no government notification or approval is required to transfer data internationally.
However, under the PDP Bill, prior government approval will be required to transfer the sensitive personal data and the critical personal data, in addition to other conditions.
The current Indian law on data privacy does not require data localisation. However, the RBI has mandated that payment system operators store the payment related information of Indian citizens within India only. The RBI has further clarified that although the processing of payment transactions can take place outside India, the data must be deleted from the systems abroad and brought back to India within one business day or 24 hours from the payment processing, whichever is earlier, so that the data is stored only in India.
As regards data localisation under the PDP Bill, a copy of all SPD must be stored in India, although it may be transferred outside India, subject to conditions. Critical Personal Data (which will be defined by the central government) must be processed only in India, with certain exceptions.
There is no mandatory requirement under the current Indian law for the sharing of software code or algorithms or similar technical details with the government.
An organisation can collect and transfer personal data to a foreign government if it complies with the overseas data transfer restrictions under the DP Rules.
India does not have a blocking statute, related to data privacy or otherwise.
There is a lot of debate on the ethical limits of the use of big data, and big data processing poses serious risks to privacy. In the absence of specific regulatory guidance, the legal aspects applicable to big data in India are similar to those in other countries, such as copyright law issues, database breaches, data protection and privacy issues.
India’s proposed law intends to address the accountability and obligations of the data fiduciaries for processing personal data, which may also extend to big data.
The current Indian data privacy law does not deal with automated decision-making. The PDP Bill, however, recognises automated processing and decision making, and defines “data” to include a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by humans or by automated means.
The PDP Bill further provides that where the processing is carried out by automated means, the data principal shall have the right to receive the personal data in a structured, commonly used and machine-readable format, and the right of data portability of his or her personal data to any other data fiduciary.
The DP Rules do not recognise profiling. The PDP Bill defines profiling as any form of processing of personal data that analyses or predicts aspects concerning the behaviour, attributes or interests of a data principal. The PDP Bill prohibits the profiling of minors’ personal data and SPD. Further, the PDP Bill mandates data fiduciaries to carry out a DPIA before undertaking large-scale profiling of SPD that may pose significant harm to data principals.
Artificial intelligence is not dealt with under the current data privacy regime. However, reliance on AI is increasing significantly among organisations wishing to secure their networks and their data.
MeitY has recently constituted four committees for promoting AI initiatives and developing a policy framework. The committees have submitted their first reports on platforms and data on AI; leveraging AI for identifying national missions in key sectors; mapping technological capabilities; key policy enablers required across sectors; and on cybersecurity, safety, legal and ethical issues.
The IoT and related privacy issues are not addressed under the current data protection framework. The data privacy principles under the DP Rules are applicable. MeitY’s draft IoT policy of 2015 (yet to be approved) proposes to appoint a nodal organisation for formalising privacy and security standards, and to create a national expert committee for developing and adopting IoT standards in the country.
Indian data privacy law does not govern data privacy concerns relating to autonomous decision-making, including autonomous vehicles.
There are no specific provisions under Indian data privacy or sectoral laws to address the privacy concerns arising from facial recognition technology. Some of the large volume of emotional and factual data collected through facial recognition technology can be regarded as SPD. The PDP Bill proposes including “facial images” under the definition of biometric data, thus placing it in the category of SPD.
Biometric data is categorised as SPD under the DP Rules as well as the PDP Bill, and its collection, processing and transfer is subject to the prescribed statutory restrictions. The PDP Bill defines "biometric data" as facial images, fingerprints, iris scans, or any other similar personal data resulting from measurements or technical processing operations carried out on physical, physiological, or behavioural characteristics of a data principal, which allow or confirm the unique identification of that natural person. The PDP Bill prohibits processing of such biometric data as notified by the central government, unless such processing is permitted by law.
Further, the PDP Bill requires data fiduciaries to carry out a DPIA prior to the processing of any SPD including biometric data, which may carry a risk of significant harm to data principals.
India’s central government enacted the Aadhaar Act for the targeted delivery of financial benefits and subsidies to the underprivileged. The Aadhaar Act establishes an authority, the UIDAI, responsible for the administration of the Aadhaar Act. It also establishes a Central Identities Data Repository (CIDR), which is a database holding Aadhaar numbers and corresponding demographic and biometric information. Aadhaar is currently the largest database of biometrics globally.
Sharing geolocation and the data collected through this technology is not regulated under India’s present data privacy laws.
The use of drones other than by government organisations was prohibited under Indian law prior to December 2018. However, the civil aviation regulator, DGCA, issued the Civil Aviation Requirements (Drone Regulations 1.0) in August 2018 with effect from December 2018 permitting the civil use of drones by non-government agencies, subject to the prescribed restrictions.
The Ministry of Civil Aviation has taken several initiatives in the past year to regulate and experiment with drones and their potential commercial uses. These initiatives include the release of a Drone Ecosystem Policy Roadmap in January 2019 with key principles to address further amendments to the Drone Regulations 1.0; inviting companies, in May 2019, to conduct experimental beyond-visual-line-of-sight operations of remotely piloted aircraft or drones in Indian airspace; the release of National Counter Rogue Drone Guidelines to address the potential national security issues resulting from unregulated and unchecked operation of drones; and the launch of a portal to obtain a "no objection" from the DGCA for the conduct of aerial surveys, remote sensing surveys, etc.
The DGCA’s Drone Regulations 1.0 does not address the issue of data privacy with respect to unmanned aerial systems (UAS) or drones.
However, the Drone Ecosystem Policy Roadmap has proposed that the manufacturers should adhere to privacy by design to address the privacy concerns. Privacy principles must be embedded into the functional design of a UAS, by introducing technical measures that enable privacy as the default setting.
There is no statutory requirement to establish protocols for digital governance, or fair data practice review boards, in addition to those measures already required under the DP Rules or sector-specific laws.
Sectoral audits, investigations and penalties are discussed in 1.2 Regulators.
There has been no significant private litigation involving privacy or data protection in the past year although class actions, forms of collective redress and representative actions are permitted in India.
There is no prescribed due diligence procedure with regard to data protection and privacy. Acquiring companies normally request the target company’s data privacy policies and framework, its annual audit reports on data security compliance, and details of any breaches and the related reporting.
There is no specific legal provision requiring an organisation's mandatory disclosure of its cybersecurity risk profile or experience.
There are no other major data privacy and protection issues not already addressed in this chapter.