Data Protection & Privacy 2022

Last Updated March 10, 2022

India

Law and Practice

Authors



ANA Law Group is a full-service law firm based in Mumbai, with a team of experienced professionals who have broad industry knowledge and who specialise in a wide spectrum of business areas. It has significant experience in counselling international clients on issues related to data protection and privacy in India, and regularly represents clients from industries such as banking and insurance, online gaming, finance, consumer goods, healthcare, payroll-processing, pharmaceuticals, telecommunications, credit research and employee screening. The firm also assists international companies with global privacy law involving Indian projects, the drafting and negotiating of contracts with Indian counterparts, and the preparation of data protection and privacy policies for international companies operating in India and their Indian subsidiaries. More specifically, it advises clients on permitted data processing; consent requirements; data collection, retention and disclosure; regulatory requirement compliance; transfers of sensitive personal data within and outside India; security breaches and drafting security breach policies; international compliance projects; and prosecutions and offences.

The Constitution of India guarantees the right to privacy to all citizens as part of the right to life and personal liberty under Articles 19 and 21, and as part of the freedoms guaranteed by Part III of the Constitution. This right was also upheld by the Supreme Court of India (SCI) in 2017 in its landmark judgment of Justice K S Puttaswamy (Retd) and Another v Union of India and Others (2017) 10 SCC 1 (the Privacy Judgment).

India does not currently have a comprehensive data privacy law. Personal and confidential information is protected under the Information Technology Act 2000 (ITA) and the IT Rules. India’s central (federal) government has ratified the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (DP Rules) under the ITA, to govern entities that collect and process sensitive personal information in India.

The DP Rules apply only to corporate entities and are restricted to sensitive personal data (SPD), which includes attributes such as sexual orientation, medical records and history, biometric information and passwords.

Pursuant to the Privacy Judgment, the Indian Ministry of Electronics and Information Technology (MeitY) formed the Justice B N Srikrishna Committee (expert committee), to frame an all-encompassing data protection law in India. Consequently, the draft Personal Data Protection Bill 2019 (PDP Bill) was introduced. The PDP Bill was intended to be applicable to any processing of personal data by the government, any Indian company, any citizen of India or any person or body of persons incorporated or created under Indian law. It was also intended to extend to foreign data fiduciaries and data processors processing personal data involving any business carried on in India, offering goods or services to data principals in India or profiling data principals in India.

In December 2021, the Joint Parliamentary Committee (JPC) presented a revised version of the PDP Bill, the Data Protection Bill, 2021 (DPB) in the Parliament. The revised bill expands the scope of the law to cover non-personal data as well. The other amendments introduced are stringent data breach reporting requirements (within 72 hours), regulation of hardware manufacturers and enabling a certification mechanism for all digital and IoT devices to mitigate data breaches. The draft bill also provides for a phased implementation of the provisions. The DPB may be further amended by MeitY.

India now awaits a robust data protection regime with the approval of the DPB based on the JPC report.

India does not have a data protection authority as yet. The ITA mandates the central government to appoint an adjudicating officer to conduct an inquiry for injury or damages for claims valued up to INR5 crore (approximately USD700,000). Claims exceeding this amount must be filed before the competent civil court. The inquiry and investigation procedure for the adjudicating officer is provided under the Information Technology (Qualification and Experience of Adjudicating Officers and Manner of Holding Enquiry) Rules 2003. Appeals from the adjudicating officer can be filed before the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).

Some of the sector-specific regulators are set out below

Banking Sector

The Reserve Bank of India (RBI) governs both public and private sector banks. The RBI’s guidelines allow it to request an inspection, at any time, of any of the banks’ cyber-resilience capabilities. The RBI has set up a Cyber Security and Information Technology Examination (CSITE) Cell of the Department of Banking Supervision, to periodically assess the progress made by banks in the implementation of the Cyber Security Framework in Banks (CSF), and other regulatory instructions/advisories, through on-site examinations and off-site submissions. The RBI has also introduced an internal ombudsman scheme for commercial banks with more than ten branches as a redressal forum.

RBI also issued Guidelines on Regulation of Payment Aggregators and Payment Gateways, directing payment aggregators to put in place adequate information and data security infrastructure as well as systems for the prevention and detection of fraud, and has specifically recommended the implementation of data security standards and best practices such as PCI-DSS, PA-DSS, latest encryption standards, transport channel security, etc. Payment aggregators must establish a mechanism for the monitoring, handling and following-up of cybersecurity incidents and breaches, and are obliged to report incidents to RBI and the Indian Computer Emergency Response Team (Cert-In).

The RBI regularly conducts audits and enquiries into banks’ security frameworks, and has imposed penalties on banks for non-compliance with the RBI’s cybersecurity framework for banks.

With regard to data leaks, the RBI has also recently introduced Guidelines on Regulation of Payment Aggregators and Payment Gateways to license and regulate payment intermediaries facilitating and handling payments between users and merchants using electronic payment modes. Under these guidelines, the RBI has restricted payment aggregators and merchants from storing card and card-related data, and all such data previously stored should be deleted.

The RBI has provided tokenisation of card data as a solution to comply with the card storage restrictions. The RBI has widened the existing limited device-based tokenisation framework to all devices and also permitted card-on-file tokenisation.

The RBI has also issued a first-of-its-kind framework to enable digital payments with poor or no internet connectivity in offline mode.

Furthermore, in August 2021, the RBI released Master Directions on Prepaid Payment Instruments, 2021 (PPI Regulations) under the Payment and Settlement Systems Act, 2007. The PPI Regulations consolidate various circulars on pre-paid instruments (PPIs). The PPI Regulations impact products such as e-wallets, gift cards and vouchers, money transfer wallets, meal vouchers, metro/travel rail cards, etc. PPI Regulations do not allow any form of paper PPIs.

Insurance Sector

The Insurance Regulatory and Development Authority of India (IRDAI) conducts regular onsite and offsite inspections of insurers to ensure compliance with the legal and regulatory framework. In addition, the IRDAI’s guidelines on Information and Cyber Security for Insurers (IRDAI Cyber Security Policy) was updated in December 2020, requiring vulnerability assessments and penetration testing annually and closing any identified gaps within a month. Some other relevant guidelines issued by the IRDAI include the IRDAI (Outsourcing of Activities by Indian Insurers) Regulations 2017, the IRDAI (Maintenance of Insurance Records) Regulations 2015, and the IRDAI (Protection of Policyholders’ Interests) Regulations, 2017, which contain a number of provisions and regulations on data security.

Furthermore, the IRDAI has issued guidelines to insurers on structuring cyber-insurance for individuals and gaps that need to be filled. As per the guidelines, cyber-insurance should provide cover against theft of funds and identity, unauthorised online transactions, e-mail spoofing among others.

Telecoms Sector

Telecoms operators are governed by regulations laid down by regulatory bodies including:

  • the Telecom Regulatory Authority of India (TRAI);
  • the Department of Telecoms (DoT);
  • the Telecoms Disputes Settlement and Appellate Tribunal (TDSAT);
  • the Group on Telecom and IT (GOTIT);
  • the Wireless Planning Commission (WPC); and
  • the Digital Communications Commission) (DCC).

Furthermore, the Unified Access Service Licence (UASL) extends information security to the telecoms networks as well as to third parties of operators. The regulator requires telecom operators to audit their network (internal/external) at least once a year. The regulator, in its National Digital Communications Policy of 2018, seeks to establish a comprehensive data protection regime and assure security for digital communication.

The TRAI released its recommendations on cloud services in relation to creation of a regulatory framework for cloud services, and constituting an industry-led body of all cloud service providers (CSP).

Securities

The Securities Exchange Board of India (SEBI) has issued detailed guidelines to market infrastructure institutions to set up their respective cybersecurity operation centres and to have their operations overseen by dedicated security analysts. The cyber-resilience framework has also been extended to stockbrokers and depository participants.

The SEBI signed a formal Memorandum of Understanding with the Central Board of Direct Taxes (CBDT) for data exchange between the two organisations, on an automatic and regular basis. SEBI and the CBDT will also exchange any information available in their respective databases, for the purpose of carrying out their functions under various laws.

Health Sector

The Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations 2002 (IMCR) impose patient confidentiality obligations on medical practitioners. In addition, data privacy in the healthcare industry is currently governed under the DP Rules. The Ministry of Health and Family Welfare (Health Ministry) has issued draft legislation known as the Digital Information Security in Healthcare Act (DISH Act), to regulate the generation, collection, storage, transmission, access and use of all digital health data. The DISH Act also provides for the establishment of a National Digital Health Authority as a statutory body to enforce privacy and security measures for health data and to regulate storage and exchange of health records.

The Ministry of Health and Family Welfare has also approved a health data management policy (HDM policy) largely based on the proposed data privacy law to govern data in the national digital health ecosystem. The HDM policy, similarly to the DPB, recognises entities such as data fiduciaries and data processors and establishes a consent-based data sharing framework.

The ITA provides for the appointment of an adjudicating officer to deal with claims of injury or damages not exceeding INR5 crore (approximately USD700,000). MeitY has appointed the Secretary of the Department of Information Technology of each Indian state or union territory as the adjudicating officer under the ITA. A written complaint can be made to the adjudicating officer based on the location of the computer system or the computer network, together with a fee based on the damages claimed as compensation. The adjudicating officer thereafter issues a notice to the parties notifying the date and time for further proceedings and, based on the parties’ evidence, decides whether to pass orders if the respondent pleads guilty, or to carry out an investigation. If the officer is convinced that the scope of the case extends to offence rather than mere contravention, and entails punishment greater than a financial penalty, the officer will transfer the case to the Magistrate having jurisdiction.

The first appeal from an adjudicating officer’s decision can be filed before the Telecoms Disputes Settlement and Appellate Tribunal (TDSAT), and the subsequent appeal before the High Court.

The DPB prescribes filing the complaint before a data protection officer, which can be appealed before the adjudicating officer of the DPA, who will have the authority to impose penalties on the data fiduciary. The maximum penalty for violation is INR15 crores (approximately USD2 million) or 4% of the data fiduciary’s total global turnover in the preceding financial year, whichever is higher. It also prescribes imprisonment of up to three years and/or a penalty of up to INR200,000 (approximately USD2,600) against any persons who knowingly or intentionally, and without the consent of the data fiduciary, re-identify personal data which has been de-identified by a data fiduciary/data processor, or re-identify and process such personal data. The aforesaid offences under the DPB are cognisable (ie, the police have the power to arrest the offender without a court warrant) and non-bailable.

The DPB proposes that the central government establish an appellate tribunal to adjudicate on appeals from the orders of the DPA, and the SCI as the final appellate authority for all purposes under the DPB.

The current data privacy principles under the DP Rules are similar, in many respects, to EU data protection law. However, the expert committee has adopted a nuanced approach in drafting the DPB. In several respects, the DPB is aligned with the General Data Protection Regulation (GDPR). For instance, "personal data" is as broadly defined under the DPB and includes any data relating to a natural person, directly or indirectly identifiable. The DPB also includes the concepts of "data fiduciary" and "data principal", similar to "data controller" and "data subject" under the EU’s GDPR. The DPB includes similar principles relating to the processing of personal data such as lawfulness, fairness, and transparency, purpose limitation, data minimisation, accuracy or quality of data, storage limitation, integrity and confidentiality, and accountability. Additionally, it includes the concepts of right to confirmation and access to data, the right to be forgotten, the right to correction or erasure of data, right to data portability, right to withdraw consent and so on, similar to the GDPR.

However, unlike the GPDR, it has some unique provisions such as combining personal and non-personal data under the same legislation, data localisation, provisions for hardware devices, managing social media platforms, etc.

The DPB contains concepts comparable to the GDPR’s “legitimate interests” as a basis for personal data processing. The processing of non-sensitive personal data for the purposes of employment now includes scenarios where such processing is necessary or can reasonably be expected by the data principal. Legitimate interest is now explicitly named as a basis for processing personal data if “the processing is necessary for reasonable purposes as may be specified by regulations”, balancing the interests of both the data principal and data fiduciary, and mandatorily requires consent for the processing the personal data, except for grounds such as performance of government-authorised functions, for purposes relating to employment/recruitment, and for other government-defined purposes.

The major data privacy non-governmental organisations (NGOs) and industry self-regulatory organisations (SROs) in India include:

  • the Data Security Council of India (DSCI), a not-for-profit industry body, set up by the National Association of Software and Services Companies (NASSCOM);
  • the National Cyber Safety and Security Standards (NCSSS), a self-governing body to protect critical information infrastructure (CII) from cyber-related issues;
  • the Internet and Mobile Association of India (IAMAI), a not-for-profit industry body that addresses the issues, concerns and challenges of the internet and mobile economy;
  • the Cellular Operators Association of India (COAI), an industry association of mobile service providers, telecom equipment producers, and internet service providers (ISPs) in India, which interacts directly with ministries, policymakers, regulators, financial institutions and technical bodies;
  • the Internet Service Providers Association of India (ISPAI), the recognised apex body of Indian ISPs worldwide; and
  • the Centre for Internet and Society (CIS), a non-profit organisation that undertakes interdisciplinary research on the internet and digital technologies from policy and academic perspectives.

Please refer to 1.4 Multilateral and Subnational Issues.

Leading Cases

The SCI passed a significant judgment in October 2021 in the Pegasus Spyware issue, recognising the need to assess the impact of the Pegasus spyware on the right to privacy and freedom of speech. The court formed a three-member committee to make recommendations on enactment or amendment of the existing surveillance laws to ensure an improved right to privacy and cybersecurity and threat assessment measures. The committee has not as yet submitted its recommendations.

The Madras High Court passed an order in August 2021 dismissing a petitioner’s request to have his name redacted from court orders in criminal proceedings wherein he was finally acquitted. Recognising an individual’s right to privacy and anonymity as held in the Privacy Judgment, the court also noted that without a precise framework or objective criteria for redaction of accused’s name in India’s criminal justice system, it would be more appropriate to await the new data protection law to exercise such right to be forgotten.

The Competition Commission of India (CCI), India’s antitrust regulator, initiated an investigation against WhatsApp, Inc. and Facebook, Inc. (now Meta Platforms, Inc.) assessing the impact of WhatsApp’s update requiring the users to agree to data sharing with Facebook to continue using the WhatsApp. The CCI noted that WhatsApp’s unilateral terms violated the users’ voluntary agreement and appeared to be unfair and unreasonable for its users. Facebook, Inc. and WhatsApp, Inc. filed petitions before the Delhi High Court challenging the CCI’s order, but the court dismissed these petitions.

General Data Developments

The JPC on December 16 2021 presented a revised version of the bill, the DPB in the Parliament. The draft bill introduces a number of significant changes as discussed through 1. Basic National Regime.

MeitY notified the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 replacing the Information Technology (Intermediaries guidelines) Rules, 2011. The new intermediary rules provide an obligation for internet intermediaries to retain users’ information collected upon registration for 180 days even after any cancellation or withdrawal of such registration. The rules also recognise certain intermediaries as “significant social media intermediaries” if the total registered users cross a certain threshold (subsequently notified as 5 million registered users) and require them to enable the identification of the first originator of the any information that is transmitted through such intermediary. This traceability obligation was challenged before the court on the ground of violation of the fundamental rights to privacy.

The RBI introduced Guidelines on Regulation of Payment Aggregators and Payment Gateways introducing a restriction on payment aggregators and merchants from storing card and card-related data. In September 2021, the RBI issued a circular mandating that no entity other than card issuers or card networks is allowed to store card data, and all such data previously stored should be deleted.

The Department of Science and Technology issued Guidelines for acquiring and producing geospatial data and geospatial data services including maps. Under these guidelines, there is no restriction on, and no requirement for any approval, clearance, licence, etc, on the collection, generation, preparation, dissemination, storage, publication, updating and/or digitisation of geospatial data and maps within the territory of India, subject to certain restrictions. The guidelines also restrict foreign entities from creating and/or owning, or hosting geospatial data other than the prescribed threshold values.

The Bureau of Indian Standards issued standards for data privacy assurance; ie, the IS 17428. The standard seeks to provide a privacy assurance framework for organisations to establish, implement, maintain and continually improve their data privacy management system.

MeitY published its National Strategy on Blockchain in December 2021 with strategies and recommendations for creating a trusted digital platform using blockchain. The ministry recommends that data localisation should be enabled for blockchain-based systems in the country and may be achieved by hosting the blockchain infrastructure, data and smart contracts within the country.

The RBI’s working group on digital lending activities issued its report on Digital Lending including Lending through Online Platforms and Mobile Apps in November 2021. The working group noted privacy lapses across digital lending apps in addition to inadequate transparency, lack of users’ choice to manage or delete their data after a loan has been paid, non-disclosure of partner banks or non-banking financial companies, and misuse of borrowers’ sensitive data. The working group provided recommendations, such as data should be stored in servers locally in India and should only be collected from the borrower/prospective borrower with prior information on the purpose, usage and implication of such data and with explicit consent of the borrower in an auditable way. The RBI is yet to take a final view on the proposed regime.

The Parliamentary Standing Committee presented its 233rd report on Atrocities and Crimes against Women and Children identifying virtual private network (VPN) services as a technological challenge and security threat. It recommended the development of a co-ordination mechanism with international agencies to ensure that these VPNs are blocked. Currently, there are no statutory or other restrictions prohibiting or regulating the use of VPNs by individuals.

The RBI recently issued a regulatory framework for non-bank payment system operators/providers for outsourcing of payment and settlement-related activities to third-party service providers. The framework prescribes minimum standards to manage risks in outsourcing of payment and settlement-related activities by the system operators.

In 2021, India introduced the draft DNA Technology (Use and Application) Regulation Bill, 2019 for consideration by the Parliament. The bill seeks to regulate the use of DNA technology for identifying persons for specific purposes such as solving crimes. It also prescribes DNA collection procedures, establishment of DNA data banks, a regulatory board, accreditation mechanisms, etc. The bill was, however, not taken up in the Parliament. As the bill allows collection of DNA samples without consent in certain circumstances (such as for offences with imprisonment terms of above seven years), one’s right to privacy will have to be a serious consideration.

The DPB

The PDP Bill was introduced in the lower house of the Indian Parliament (Lok Sabha) on 11 December 2019, and was immediately referred to the JPC for further debate and examination on 12 December 2019. The government had directed the Parliamentary Committee to provide its report to the Lok Sabha by February 2020.

In December 2021, the JPC presented a revised version of the PDP Bill, the DPB in the Parliament. The revised bill expands the scope of the law to cover non-personal data as well. The draft bill also provides for a phased implementation and government may notify different dates for enactment of different provisions.

After the DPB is notified as law, the RBI may strengthen the enforcement of its data localisation mandate for payment-related data to be stored within India only.

The government will soon be releasing the draft e-commerce policy that proposes to set up an e-commerce regulator with broad powers over e-commerce entities and platforms. The draft policy contains proposals on sharing source codes, algorithms and other data with the government; use of non-personal data of consumers; anti-piracy; cross-border data transfers; etc.

Data Security and Tech Giants

The SCI has issued notices to the RBI, Google LLC, Amazon.com, Inc., WhatsApp Inc., and Facebook, Inc. in a petition requiring the tech companies ensure data security and implement data localisation measures before using the Unified Payments Interface (UPI) over data security concerns. It will be interesting to note the apex court’s view on the applicability of the RBI’s data localisation requirements on these tech companies and the data security mandates imposed on them.

Spam, Malware, Etc

India has continued to witness a tremendous increase in cybercrime and data breach incidents in 2021. Reportedly, some government websites were hacked leaking COVID-19 lab test results of thousands of Indian citizens. A cyberattack on an airline data service provider in May 2021 resulted in the data leak of 4.5 million passengers of the airline. In the same month, personally identifiable information and test results of 190,000 candidates for the 2020 common admission test were leaked and put up for sale. In April 2021, a million credit card records and details of 180 million pizza orders were leaked, including customers’ names, phone numbers, and e-mail addresses. This exponential rise may deepen concerns about potential data breach risks for consumers and businesses, as well as new kinds of data security breaches. Additionally, with remote working becoming a norm, such risks may continue until combined efforts are taken by stakeholders, users, and the government.

Government Policy

The government’s e-commerce policy that proposes the setting up of an e-commerce regulator with broad powers over e-commerce entities and platforms.

The government is working towards updating its national cybersecurity strategy to improve its position in cyberspace. The updated policy may be issued soon.

The government's health data management (HDM) policy will have a significant impact on the medical and pharmaceutical industry once implemented, as healthcare institutions will have increased compliance obligations. However, as the HDM policy has significant overlaps with the DPB, it may cause a conflict and it remains to be seen which will prevail.

DP Rules

General requirements under the DP Rules include the following.

  • A company handling personal data or sensitive personal data (SPD) must provide a privacy policy on its website, accessible to data providers.
  • Companies must obtain express prior consent from data providers regarding the purpose and use of their information.
  • A company can only collect SPD for a lawful purpose connected with a company’s business.
  • Data providers must be made aware of the purposes for which information is collected, the intended recipients of that information, the agency collecting and retaining the information, etc (furthermore, the data provider must be given the option to not provide the information, or revise or withdraw the information).
  • Entities holding SPD should not retain the information for longer than is required for the purpose for which it was collected or lawfully used.
  • The transfer of SPD within or outside India is only permitted with restrictions, such as that:
    1. the recipient entity ensures adherence to the same level of data protection and that the transfer is necessary to comply with a lawful contract; or
    2. the data provider has given prior consent.
  • Companies must have “reasonable security practices and procedures”.
  • Companies must appoint a grievance officer and address complaints in a timely manner.

DPB

The DPB is not applicable to the processing of anonymised data (personal or non-personal). The principles relating to the processing of personal data include:

  • lawfulness, fairness and transparency;
  • purpose limitation;
  • data minimisation;
  • accuracy or quality of data;
  • storage limitation;
  • integrity and confidentiality;
  • accountability;
  • notice; and
  • consent.

The legal bases for processing personal data include the following.

  • Consent (Sections 5(b) and 11).
  • Performance of any state-authorised function.
  • Compliance with any law currently in force.
  • Compliance with any order or judgment of any court or tribunal in India.
  • Purposes related to employment (excluding the matter related to sensitive personal data).
  • The reasonable purposes as notified by the government or the DPA, including:
    1. prevention and detection of any unlawful activity including fraud;
    2. whistle-blowing;
    3. mergers and acquisitions;
    4. network and information security;
    5. credit scoring;
    6. recovery of debt;
    7. processing of publicly available personal data; or
    8. the operation of search engines.

Notice must be provided to the data principal at the time of collection of the personal data containing the prescribed information.

The data principals’ rights include:

  • the right to confirmation and access;
  • the right to correction;
  • the right to erasure;
  • the right to data portability;
  • the right to be forgotten; and
  • the right to withdrawal of consent – the data principal may give or withdraw their consent to the data fiduciary through a consent manager (appointed by the data fiduciary and registered with the DPA).

A significant data fiduciary (those notified by the DPA) must carry out a data protection impact assessment when it intends to undertake any processing of personal data, which involves:

  • new technologies;
  • large scale profiling;
  • use of sensitive personal data, such as genetic data or biometric data; or
  • any other processing which carries a risk of significant harm to data principals.

DPOs

The DP Rules do not provide for the appointment of data protection officers (DPOs). However, the DPB provide for the appointment of DPOs by data fiduciaries possessing the qualifications prescribed under the regulations for carrying out the functions prescribed in the DPB. The DPO must be based in India and must represent the data fiduciary under the DPB. The data fiduciary may assign any other function to the DPO that it may consider necessary.

Authorised Data Collection and Processing

Under the DP Rules, bodies corporate must seek the data provider’s consent before the collection, transfer or disclosure to third parties of their SPD, and take reasonable steps to ensure that the individual has knowledge about the personal data or SPD being collected, the purpose of its collection, its intended recipients and the collecting agency’s name and address. However, this requirement is exempted in cases where government agencies require the individual’s SPD for identity verification or for the prevention, detection, investigation, prosecution and punishment of offences.

The legal bases for processing personal data under the DPB include the following.

  • Consent – it must be free, informed and specific to the purpose of processing as well as clear and capable of being withdrawn.
  • Performance of any state-authorised function.
  • Compliance with any law currently in force.
  • Compliance with any order or judgment of any court or tribunal in India.
  • Purposes related to employment (excluding the matter related to sensitive personal data).
  • Reasonable purposes as notified by the government or DPA, such as the following:
    1. prevention and detection of any unlawful activity including fraud;
    2. whistle-blowing;
    3. mergers and acquisitions;
    4. network and information security;
    5. credit scoring;
    6. recovery of debt;
    7. processing of publicly available personal data; and
    8. the operation of search engines.

Privacy by Design and Default

The concepts of "privacy by design" and "privacy by default" are not defined in current Indian data protection law, but are provided for under the DPB. However, these concepts are reflected in the ITA and the DP Rules, as they incorporate provisions such as:

  • provision of a privacy policy and disclosure of information;
  • collection of information for lawful purposes with a data provider’s consent;
  • use of information for the purpose for which it was collected; and
  • retention of information only so long as that purpose gets fulfilled. 

The DPB specifically provides that data fiduciaries must prepare a privacy design policy, containing the following.

  • The managerial, organisational and technical systems (as well as business practices) designed to anticipate, identity and avoid harm to the data principal.
  • The obligations of data fiduciaries.
  • The technology used in the processing of personal data in accordance with commercially accepted or certified standards.
  • Provisions and procedures ensuring:
    1. that the legitimate interests of businesses, including any innovation, are achieved without compromising privacy interests;
    2. the protection of privacy throughout the processing, from the point of collection to deletion, of personal data;
    3. the processing of personal data in a transparent manner; and
    4. that the interest of the data principal is accounted for at every stage of processing.

Subject to the PDP regulations, the privacy by design policy may require certification from the DPA.

The certified privacy by design policy must be published on the data fiduciary’s and the DPA’s websites.

Privacy Impact Analysis

The current law does not prescribe the need to conduct privacy impact analyses. However, the DPB mandates data protection impact assessment (DPIA) for data fiduciaries prior to undertaking any processing involving new technologies or large-scale profiling or use of SPD that has a risk of causing significant harm to data principals.

Upon completion of the DPIA, the DPO must review the assessment and submit the assessment report to the DPA.

On receipt of the assessment and its review, if the DPA has reason to believe that the processing is likely to cause harm to the data principals, it may direct the data fiduciary to cease such processing or impose conditions, as it may deem fit.

Privacy Policies

The DP Rules mandate that data controllers publish a privacy policy on their website, accessible to the data providers, based on the prescribed privacy principles.

Data Provider Rights

The DP Rules grant the right to the data providers to review, edit and update their personal data, and to withdraw their consent to personal data provision.

The DPBs grants additional rights to data principals including:

  • the right to confirmation and access;
  • the right to correction;
  • the right to erasure;
  • the right to data portability;
  • the right to be forgotten; and
  • the right to withdrawal of consent – the data principal may give or withdraw their consent to the data fiduciary through a consent manager (appointed by the data fiduciary and registered with DPA).

Anonymisation, De-identification and Pseudonymisation

The current data protection law does not contain any provisions relating to anonymisation or pseudonymisation. In the absence of a specific provision, technically, the DP Rules will apply to the processing of both anonymised and pseudonymised data.

The PDP is not applicable to the processing of anonymised data (personal or non-personal). However, the PDP will be applicable to anonymised data (personal or non-personal) collected by the central government from a data fiduciary to enable better targeting of services or formulation of evidence-based policies.

The DPB also requires the data fiduciary and data processor to implement appropriate security safeguards for data pseudonymisation (de-identification) and encryption. It proposes that re-identification of de-identified data without the data fiduciary’s consent shall be a punishable offence.

Emerging Technologies

Current Indian law does not address the emerging issues of profiling, automated decision-making, online monitoring or tracking, big data analysis and artificial intelligence. As discussed in 2.2 Sectoral and Special Issues, the DPB addresses some of these issues.

Harm

The current Indian data protection law does not define the concepts of injury or harm. However, the DPB defines harm as well as significant harm, and imposes obligations on data fiduciaries to design technical systems and privacy policy to avoid any harm to the data principal, to conduct a DPIA to minimise or mitigate any potential harm to the data principal, and provide remedies for unauthorised and harmful processing, etc.

Under the DP Rules, SDP consists of personal information relating to:

  • passwords;
  • financial information such as bank accounts, credit cards, debit cards or other payment instrument details;
  • physical, physiological and mental health conditions;
  • sexual orientation;
  • medical records and history;
  • biometric information;
  • any details relating to the above, as provided to a body corporate for providing a service; and
  • any of the information received under the above by a body corporate for processing, stored or processed under lawful contract or otherwise.

The DPB expands the scope of SPD to include official identifiers, sex life, genetic data, transgender and intersex status, religious/political beliefs and affiliations, caste or tribe and any other category that the DPA may specify. The DPB clarifies that SPD can be processed based on explicit consent; for the function of the government; if mandated by law; or if certain SPD is strictly necessary to respond to any medical emergency, disaster or outbreak of disease that may threaten public health.

Financial Data

The DP Rules recognise financial information – such as that relating to credit cards, debit cards and other payment instrument details – as SPD; and thus, to an extent, regulate its use, collection and disclosure. Furthermore, key legislation that address data protection in the finance sector includes the Credit Information Companies (Regulation) Act 2005 (CIC Act), the Credit Information Companies Regulations 2006 (CIC Regulations) and circulars issued by the RBI.

The CIC Act and CIC Regulations primarily apply to credit information companies; recognise them as data collectors; require that they ensure data security and secrecy; and require that they adhere to privacy principles in respect of data collection, use, disclosure, accuracy and protection against loss or unauthorised use, access and disclosure.

The Know Your Customer (KYC) norm categorises the information that banks and financial institutions can seek from their customers. Once such information is collected, banks have an obligation to keep it confidential. Furthermore, multiple RBI circulars provide privacy and customer confidentiality obligations on various financial institutions.

The RBI’s guidelines on data localisation of payment system data in India will also, to an extent, help protect financial data.

The Public Financial Institutions (Obligations as to Fidelity and Secrecy) Act 1983 prohibits public financial institutions from disclosing a client’s information to third parties, except in accordance with the laws of practice and usage.

The RBI Guidelines on Managing Risks and Code of Conduct in the Outsourcing of Financial Services by Banks prescribe measures maintaining the confidentiality and security of customer data while transferring data to third-party service providers.

The Banking Codes and Standards Board of India prescribes a code of conduct on banking operations, including privacy and confidentiality of customer information.

The RBI recently issued a regulatory framework for non-bank payment system operators/providers for the outsourcing of payment and settlement-related activities to third-party service providers. The framework prescribes minimum standards to manage risks in the outsourcing of payment and settlement-related activities by the system operators.

The Bureau of Indian Standards issued standards for data privacy assurance; ie, the IS 17428, to provide a privacy assurance framework for organisations.

RBI introduced Guidelines on Regulation of Payment Aggregators and Payment Gateways introducing restriction on payment aggregators and merchants from storing card and card-related data.

SEBI requires securities market intermediaries to maintain client data confidentiality, including personal data.

Health Data

Data protection laws in respect to health data are inadequate in India. The DPB categorises “health data” as sensitive personal data, and defines it as the data related to the state of physical or mental health of the data principal and includes records regarding the past, present or future state of the health of that data principal; data collected in the course of registration for, or provision of, health services; and data associating the data principal to the provision of specific health services. Health data cannot be processed or transferred without obtaining the data principals’ consent, unless for the exceptional grounds specified under the DPB.

Additionally, the Health Ministry has proposed the DISH Act to ensure electronic health data privacy, security and standardisation in the healthcare sector. The DISH Act is pending government approval and is expected to be notified soon. Currently, the Clinical Establishments (Central Government) Rules 2012 mandate that clinical establishments must store, maintain and provide health information in an electronic format. Further, the DP Rules recognise health information as SPD, and thus, regulate its collection, use and disclosure. However, as the DP Rules apply only to bodies corporate, the public health sector is still unregulated. The DPB proposes applicability of data privacy obligations to both state and non-state entities.

Furthermore, the IMCR prescribes that a patient’s health data must not be disclosed without their consent, unless mandated under a law or where there is a risk to an individual or community, or the disease is notifiable. In addition, physicians are encouraged to computerise medical records, maintain them for a period of three years, and provide access to a patient upon request. The limited privacy safeguards and absence of an enforcement mechanism renders the MCI Code of Medical Ethics largely inadequate to address health information concerns.

The HDM policy discussed in 1.2 Regulators (Health Sector) will have a significant impact on the medical and pharmaceutical industry once implemented, as healthcare institutions will have increased compliance obligations. However, as the HDM policy has significant overlaps with the DPB, it may cause a conflict and it remains to be seen which will prevail.

Communications Data

Although there are multiple telecoms laws, data protection norms in the telecoms sector are primarily governed by the UASL issued to telecoms service providers (TSPs) by the DoT. A TSP has an obligation to take necessary steps to safeguard the privacy and confidentiality of users’ information. Furthermore, customer information can be disclosed only after obtaining the individual’s consent and if the disclosure is in accordance with the terms of such consent.

Some of the key TRAI recommendations concerning TSPs include:

  • the user being the owner of their data, and data processors being mere custodians;
  • entities in the digital ecosystem refraining from using metadata to identify users;
  • until the DPB is enforced, all entities in the digital ecosystem must be governed under the licence conditions of TSPs;
  • privacy by design, along with data minimisation, should apply to all entities in the digital ecosystem;
  • telecoms users must have rights to notice, consent, data portability, and the right to be forgotten;
  • data controllers should be prohibited from using pre-ticked boxes to gain users’ consent;
  • data should be encrypted during processing and storage; and
  • privacy breach information should be shared for greater transparency.

The TRAI’s UASL regime for internet service providers governs data privacy issues relating to the internet, to some extent. The current DP Rules require data controllers to provide a privacy policy on their website that is accessible to data providers.

The DPB and the TRAI recommendations propose to regulate data privacy issues relating to the internet in India.

Voice Telephony

The DP Rules do not regard voice telephony as SPD. However, in October 2017, the TRAI released recommendations on a regulatory framework for internet telephony, recognising internet telephony as an aspect of Voice over Internet Protocol (VoIP), governed by the UASL. The agreement requires service providers to safeguard communication information privacy and confidentiality and prevent unauthorised interception.

Children’s Data

Current Indian data privacy law does not address privacy issues specifically relating to children. Under India’s contract law, a contract executed by a minor (below 18 years) is invalid, and parental or legal guardian consent must be obtained for all online contracts. The DPB recognises a data principal below the age of 18 years as a child, and mandates data fiduciaries to incorporate an appropriate mechanism for the verification of a child’s age and parental consent to the processing of children’s personal data and to protect and advance the child’s rights and best interests. The data fiduciary is barred from profiling, tracking or behaviourally monitoring, or targeting advertising directly at, children and undertaking any other processing of personal data that could cause significant harm to the child. Furthermore, the DPB requires data fiduciaries exclusively dealing with children's data to register with the DPA. The data fiduciary must inform the child three months before the child attains majority, so they may choose to provide consent again, and the data fiduciary must continue providing the services to the child unless the child withdraws consent.

Employment Data

Currently, India does not have any specific law to deal with workplace privacy or, protection of employee data, etc. Please refer to 2.4 Workplace Privacy for further discussion.

Internet, Streaming and Video Issues

The DP Rules mandate that bodies corporate provide a privacy policy on their website accessible to their data providers, containing the body corporate’s practices and policies; the type, purpose and usage of the personal data or SPD collected; the disclosure of personal data or SPD; and the company’s security practices.

There are no specific provisions under the current law regarding browsing data, viewing data, cookies and beacons, or location data. The current Indian data protection framework does not provide for any "do not track" mechanisms nor does it regulate behavioural advertising; however, the proposed DPB prohibits tracking of personal data of minors by data fiduciaries and categorises behavioural characteristics as SPD, and also prohibits behavioural monitoring and/or advertising in respect of minors.

Social media, search engines and large online platforms

Critical data privacy issues relating to social media, search engines, online platforms and the like are not adequately governed under the current Indian law.

The DPB has incorporated provisions regulating social media intermediaries. The DPB provides that the government can notify a social media intermediary as a “significant data fiduciary” and subject it to additional obligations under the DPB. A social media intermediary with users above such threshold as may be notified by the central government – and whose actions have, or are likely to have, a significant impact on electoral democracy, the security of the state, public order or the sovereignty and integrity of India – can be notified as a significant data fiduciary. 

Telecoms and network service providers, such as web-hosting service providers, search engines and online platforms are defined as "intermediaries" under the ITA. Furthermore, the MeitY proposes to include social media companies as intermediaries. The ITA and intermediaries' guidelines prescribe certain obligations on intermediaries, including:

  • compliance with all the data privacy principles prescribed by the DP Rules;
  • compliance with government directions relating to blocking data access to the public;
  • monitoring and collecting data through any computer resource;
  • publishing the rules and regulations, privacy policy and user agreement for access or usage of the computer resource by any person;
  • not hosting or publishing any information or initiating the transmission of restricted content;
  • informing its users of non-compliance consequences; and
  • promptly reporting cybersecurity incidents to the CERT-In.

Addressing hate speech

The publication of hate speech, abusive material and political manipulation is regarded as an offence under the ITA, and punishable with imprisonment extending up to three years, and/or a fine.

Other Issues

Data subject rights

The DP Rules provide that the data subject must be given the option to not provide their information, or revise or update that information, or withdraw their consent at any time.

The DPB Grants the following rights to the data subjects:

  • the right to confirmation and access;
  • the right to correction;
  • the right to erasure;
  • the right to data portability;
  • the right to be forgotten; and
  • the right to withdrawal of consent.

Right to be forgotten

The DP Rules do not provide the right to be forgotten to data providers. However, the DPB proposes that a data principal has the right to restrict or prevent continuing disclosure of personal data by a data fiduciary, subject to the adjudicating officer determining that the right to be forgotten does not override the right to freedom of speech and expression and the right to information of any citizen.

Furthermore, the TRAI Recommendations specify regarding the right to be forgotten to all the users of digital services, subject to restrictions under other applicable laws.

The Indian courts have also observed that the right to be forgotten should be safeguarded in sensitive cases involving women in general, and highly sensitive cases affecting the modesty and reputation of the person concerned.

Data portability

The current law does not provide for data portability. The DPB only prescribes the right to data portability in the case of automated data processing, and the data principal can demand data transfer to any other data fiduciary. Additionally, the TRAI’s recommendations prescribe that users have primary control over their personal data and must have data portability rights. Under the DPB, for data portability, trade secrets can no longer be grounds to deny data portability, and porting of data can only be denied on the ground of technical feasibility.

Right of rectification or correction

The DP Rules grant the right to the data providers to review, edit and update their personal data. The DPB also provides the data subject with the right to request correction or erasure of their personal data which is no longer necessary for the purpose for which it was initially processed. The data fiduciary must take necessary steps to notify all third parties to whom such personal data is disclosed.

The TRAI has ratified the Telecom Commercial Communication Customer Preference Regulations, restricting unsolicited commercial or marketing communications such as telephone calls and SMSs, based on a customers’ preferences where they can register themselves under the fully blocked category or the partially blocked category. The TRAI has formed a Do-Not-Call Registry where customers can register to prevent any unsolicited calls or SMSs. The Regulations impose penalties of up to INR250,000 (approximately USD3,600) for any non-compliance.

Under the DPB, the data principal will be able to decide how their data will be handled in the case of casualty or death by nominating a legal heir or representative.

Please refer to 2.2 Sectoral and Special Issues (Internet, Streaming and Video Issues) for information on constraints on behavioural advertising.

Currently, India does not have any specific law to deal with workplace privacy or protection of employee data. However, the DPB proposes that employees’ personal data can be processed if it is necessary:

  • for recruitment or termination;
  • to provide any service or benefit;
  • to verify employee attendance; or
  • to accurately assess an employee’s performance.

The need for employee consent can be dispensed with if it involves a disproportionate effort by the employer considering the nature of the processing activities. Nevertheless, consent is required to process employees’ sensitive personal data.

The current Indian law does not prohibit or restrict the camera surveillance, or the monitoring, of employees’ office e-mails, telephone calls and data on office devices provided, such activities are reasonable and do not violate the employees’ privacy. To avoid any risks, many employers obtain employees’ consent, either as part of the employment agreement, company policies, or through separate letters.

The role of labour organisations or works councils with respect to workplace privacy is not covered under the ITA, DP Rules, or the employment laws.

Whistle-Blowing

The DPB permits the processing of personal data without consent if such processing is necessary for the purposes of whistle-blowing.

India’s Whistle Blowers Protection Act, 2011, (the Whistle-Blower Act) establishes a mechanism to receive complaints relating to allegations of corruption or wilful misuse of power against any public servant, and to provide adequate safeguards against the victimisation of whistle-blowers.

However, the Act has not as yet been made effective, although notified in May 2014. Also, it applies only to government and public sector employees.

Furthermore, the Companies Act, 2013, mandates that certain publicly listed companies establish a vigil mechanism and an exclusive hotline for directors and employees to report their genuine concerns about unethical behaviour or misconduct, actual or suspended frauds, and violations of the code of conduct.

Additionally, SEBI’s Listing Agreement’s Clause 49, under the Principles of Corporate Governance, requires that companies establish a whistle-blower policy to safeguard the identity of an employee who reports instances to the management.

There is no specific legal provision with regard to e-discovery issues and no prohibition against deploying digital loss prevention tools or technologies.

There have been no significant reported private litigations involving data security incidents/breaches in India in the past year.

India witnessed a tremendous increase in cybercrime and data-breach incidents in 2021. Reportedly, some government websites were hacked leaking COVID-19 lab test results of thousands of Indian citizens. A cyberattack on an airline data service provider in May 2021 resulted in the data leak of 4.5 million passengers of the airline. In the same month, personally identifiable information and test results of 190,000 candidates for the 2020 common admission test were leaked and put up for sale. In April, details of 180 million pizza orders were leaked, including customers’ names, phone numbers, and e-mail addresses.

Indian trading platform Upstox openly acknowledged a breach of customers’ know-your-customer (KYC) data stored in a third-party data warehouse.

Personally identifiable information of 500,000 Indian police personnel was put up for sale on a database sharing forum. An intelligence firm traced the data back to a police exam conducted in 2019.

Details of close to 35 million customer accounts of Juspay, including masked card data and card fingerprints, were taken from a server using an unrecycled access key.

As India currently does not have a specific DPA, data protection issues are adjudicated by an adjudicating officer appointed under the ITA, having the powers of a civil court.

The penalties for data breaches are prescribed under the ITA.

A body corporate (which owns, controls or deals, or handles any SPD in a computer resource) that is negligent in implementing and maintaining reasonable security practices and procedures, and that causes wrongful loss or wrongful gain to any person, is liable to pay damages, not exceeding INR5 crores (approximately USD700,000) to the person so affected. Cases involving damages of more than INR5 crores are brought before the competent civil court.

The adjudicating officer can either grant either a penalty or any amount of compensation. For offences for which no separate penalty is prescribed, the amount of compensation is limited to INR25,000 (approximately USD360).

DPB Enforcement Penalties

A data fiduciary’s non-compliance with a data principal’s request can attract a penalty of INR5,000 (approximately USD60) for each day, subject to a maximum of INR1 million (approximately USD14,100) in the case of "significant" data fiduciaries and INR500,000 (approximately USD70,000) in other cases.

A data fiduciary’s failure to take prompt and appropriate action against breaches is punishable with a penalty of INR50 million (approximately USD704,000) or 2% of its total worldwide turnover in the preceding financial year, whichever is higher.

The penalty for wrongful data processing or for breach of security safeguards, and unauthorised transfer will be INR150 million (approximately USD2.1 million) or 4% of its total worldwide turnover in the preceding financial year, whichever is higher.

Failure to report a data breach to the DPA will attract penalty of INR10,000 (USD140) for each day, subject to a maximum of INR2 million (approximately USD28,000) in the case of a significant data fiduciary and INR500,000 (approximately USD70,000) in other cases.

Non-compliance with the DPA’s directions will trigger a penalty of up to INR20,000 (USD281) for each day, subject to a maximum of INR20 million (approximately USD280,000).

Certain additional offences under the DPB are cognisable and non-bailable.

Class Actions

Other than under the Companies Act, India does not have any laws enabling class action lawsuits. Under the Companies Act, shareholders or depositors can collectively approach the National Company Law Tribunal for redress where, for example, a company’s affairs are not managed in its best interests.

The Indian government (including its law enforcement agencies) has wide powers under various laws for surveillance, monitoring and access to data for investigations of serious crimes, national security and anti-terrorism.

Key legislation includes: 

  • the Indian Telegraph Act 1885, which governs interception of telephone conversations in the case of a public emergency or in the public interest, and requires the disclosure of call data records to law enforcement agencies;
  • the ITA and IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules 2009, which allow for the interception, monitoring and decryption of digital information in any computer resource in the interest of the sovereignty, integrity and defence of India;
  • the IT (Procedure and Safeguard for Monitoring and Collecting Traffic Data or Information) Rules 2009, which permit any government agency to monitor and collect traffic in any computer resource for the purposes stated under the ITA;
  • the DP Rules, which permit the disclosure of personal data to government agencies without obtaining the data provider’s consent;
  • the IT (Intermediaries Guidelines) Rules 2011 and IT (Guidelines for Cyber Cafe) Rules 2011, which require intermediaries to provide any information to government agencies under lawful order within 72 hours;
  • the TRAI’s various licence agreements for ISPs, TSPs and UASL, which provide for surveillance of communications, monitoring telecommunications traffic in every node or in any other technically feasible point in the network, and prohibits bulk encryption and encryption that exceeds 40 key bits;
  • the Income Tax Act 1961, which allows state tax authorities to process personal data in respect of an assessee’s financial information for enquiry and investigation purposes made in compliance with the law;
  • the Central Monitoring System (CMS), operated by the government’s telecommunications technology development centre’s Telecom Enforcement Resource and Monitoring (TERM) cells, which empowers the government to intercept any and all communications deemed "necessary or expedient" for purposes such as national sovereignty, integrity and state security; and
  • the DPB.

Government agencies can unilaterally authorise, under a lawful order, without judicial approval.

The laws and standards applicable to government access to data are the same as those for law enforcement agencies, such as the Indian Telegraph Act (ITA) and various rules thereunder including the DP Rules, TRAI’s licence agreements for ISPs, TSPs, the UASL, etc, as well as the CMS (not yet fully operational).

A foreign government’s access request is not a legitimate basis to collect and transfer SPD. Providing SPD to a foreign government only becomes mandatory through an Indian court’s order or a mutual national reciprocity arrangement with that country.

The current law does not mandate or prohibit a private organisation from providing SPD to a foreign government, and the transfer is subject to the DP Rules.

The DPB mandates data localisation for SPD, and allows for the transfer of personal data outside India, subject to the prescribed conditions.

India has not signed a Cloud Act agreement with the USA and also will not qualify for its criteria until it notifies its DPB and enacts a stronger data privacy regime.

The RBI’s mandatory payment data localisation requirement is the subject of much debate. Similarly, the data localisation provisions under the DPB, which are not present in the GDPR, and their effective enforcement against and impact on multinational companies operating in India, are highly controversial.

Indian laws give expansive powers to the government to access data for reasons including intelligence gathering, anti-terrorism and national security. The SCI has directed the government to make laws to curb fake news and rumours on social media that may lead to mob violence and lynching. The SCI and the government have made social media companies liable for incriminating and false content circulated on their platforms.

The proposed amendments to the intermediary guidelines mandate companies to trace and report the origin of messages within 72 hours of receiving a complaint from law enforcement agencies, as well as to disable access within 24 hours to content deemed defamatory or a danger to national security. Intermediaries with above 50 lac (5 million) users must be incorporated in India and have a permanent, registered, physical address in India. These provisions have also resulted in public debate on the monitoring of users’ social media accounts.

Implementation of the DPB, which will entail stringent compliance with the privacy regulations by data fiduciaries and data controllers, is much awaited.

There are no statutory provisions under the current law prohibiting the overseas transfer of personal information. The DP Rules permit overseas data transfer subject to certain restrictions for SPD, such as:

  • the recipient entity ensuring adherence to the same level of data protection (reasonable security practices are prescribed under the Rules) and only if the transfer of information is necessary to comply with a lawful contract; or
  • with the prior consent of the data provider.

As regards the DPB, there are restrictions on transfer of personal data outside India (Sections 33 and 34).

The sensitive personal data may be transferred outside India subject to certain conditions, however, the data should continue to be stored in India.

In addition, critical personal data must only be processed in India, subject to certain conditions, and any transfer must be reported to the DPA. The “critical personal data” is the personal data as may be notified by the central government.

Besides the restrictions prescribed under the DP Rules, Indian law does not currently have any mechanism to apply to international data transfers.

Under the DP Rules, there are no government notifications or approvals required under Indian law to transfer data internationally.

However, under the DPB, prior government approval will be required to transfer sensitive personal data and critical personal data, in addition to other conditions.

The current Indian law on data privacy does not require data localisation. However, the RBI has mandated that payment system operators store the payment-related information of Indian citizens within India only. The RBI has further clarified that although the processing of payment transactions can take place outside India, the data must be deleted from the systems abroad and brought back to India within one business day or 24 hours from the payment processing, whichever is earlier, so that the data is stored only in India.

As regards data localisation under the DPB, a copy of all SPD must be stored in India, although it may be transferred outside India, subject to conditions. Critical personal data (which will be defined by the central government) must be processed only in India, with certain exceptions.

There is no mandatory requirement under the current Indian law for the sharing of software code or algorithms or similar technical details with the government.

An organisation can collect and transfer personal data to a foreign government if it complies with the overseas data transfer restrictions under the DP Rules.

In this regard, in April 2020, the Kerala High Court restricted the government from sharing citizens’ sensitive personal data with a foreign aggregator, unless the data was anonymised. The court had also recognised the importance of the data subjects' informed consent prior to collecting their personal data and the safeguards to ensure confidentiality of the data collected.

India does not have a blocking statute, related to data privacy or otherwise.

Big Data

There is a lot of debate on the ethical limits of the use of big data, and big data processing poses serious risks to privacy. In the absence of specific regulatory guidance, the legal aspects applicable to big data in India are similar to those in other countries, such as copyright law issues, database breaches, data protection and privacy issues.

India’s proposed law intends to address the accountability and obligations of data fiduciaries for processing personal data, which may also extend to big data. 

Automated Decision-Making

The current Indian data privacy law does not deal with automated decision-making. The DPB, however, recognises automated processing and decision-making, and defines “data” to include a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by humans or by automated means.

The DPB further provides that where the processing is carried out by automated means, the data principal shall have the right to receive the personal data in a structured, commonly used and machine-readable format, and the right of data portability of their personal data to any other data fiduciary.

Profiling

The DP Rules do not recognise profiling. The DPB defines profiling as any form of processing of personal data that analyses or predicts aspects concerning the behaviour, attributes or interests of a data principal. The DPB prohibits the profiling of minors’ personal data and SPD. Further, the DPB mandates data fiduciaries to carry out a DPIA before undertaking large-scale profiling of SPD that may pose significant harm to data principals.

Artificial Intelligence

Artificial intelligence (AI) is not dealt with under the current data privacy regime. However, reliance on AI is increasing significantly among organisations wishing to secure their networks and their data.

MEITY has constituted four committees for promoting AI initiatives and developing a policy framework. The committees have submitted their first reports on platforms and data on AI; leveraging AI for identifying national missions in key sectors; mapping technological capabilities; key policy enablers required across sectors; and on cybersecurity, safety, legal and ethical issues.        

Internet of Things (IoT)

The IoT and related privacy issues are not addressed under the current data protection framework. The data privacy principles under the DP Rules are applicable. MeitY’s draft IoT policy of 2015 (yet to be approved) proposes to appoint a nodal organisation for formalising privacy and security standards, and to create a national expert committee for developing and adopting IoT standards in the country.

The DPB has introduced a certification mechanism for all digital and IoT devices to mitigate data breaches.

Autonomous Decision-Making

Indian data privacy law does not govern data privacy concerns relating to autonomous decision-making, including autonomous vehicles.

Facial Recognition and Biometrics

There are no specific provisions under Indian data privacy or sectoral laws to address the privacy concerns arising from facial recognition technology. Some of the large amount of emotional and factual data collected from facial recognition technology can be regarded as SPD. The DPB proposes including “facial images” under the definition of biometric data, and thus, including it in the category of SPD.

Biometric data is categorised as SPD under the DP Rules as well as the DPB, and its collection, processing and transfer is subject to the prescribed statutory restrictions. The DPB prohibits processing of biometric data as notified by the central government, unless such processing is permitted by law.

Furthermore, the DPB requires data fiduciaries to carry out a DPIA prior to the processing of any SPD including biometric data, which may carry a risk of significant harm to data principals.

India’s central government enacted the Aadhaar Act for the targeted delivery of financial benefits and subsidies to the underprivileged. The Aadhaar Act establishes an authority, the UIDAI, responsible for the administration of the Aadhaar Act. It also establishes a Central Identities Data Repository (CIDR), which is a database holding Aadhaar numbers and corresponding demographic and biometric information. Aadhaar is currently the largest database of biometrics globally.

Geolocation Data and Drones

The Department of Science and Technology issued Guidelines for acquiring and producing geospatial data and geospatial data services including maps. Under these guidelines, there is no restriction on, and no requirement for any approval, clearance, licence, etc, on the collection, generation, preparation, dissemination, storage, publication, updating and/or digitisation of geospatial data and maps within the territory of India, subject to certain restrictions. The guidelines also restrict foreign entities from creating and/or owning, or hosting geospatial data other than the prescribed threshold values.

The use of drones other than by government organisations was prohibited under Indian law prior to December 2018. However, the civil aviation regulator issued the Civil Aviation Requirements (Drone Regulations 1.0) in August 2018 with effect from December 2018 permitting the civil use of drones by non-government agencies, subject to the prescribed restrictions.

There is no statutory requirement to establish protocols for digital governance, or fair data practice review boards, in addition to those measures already required under the DP Rules or sector-specific laws.

Sectoral audits, investigations and penalties are discussed in 1.2 Regulators.

There has been no significant private litigation involving privacy or data protection in the past year although class actions, forms of collective redress and representative actions are permitted in India.

There is no prescribed due diligence procedure with regard to data protection and privacy. The acquiring companies normally demand a target company’s data privacy policies and framework, the annual audit reports on data security compliance, details of any breaches and reporting in that regard.

There is no specific legal provision requiring an organisation's mandatory disclosure of its cybersecurity risk profile or experience.

There are no other major data privacy and protection issues not already addressed in this chapter.

ANA Law Group

303 Madhava Premises
Bandra Kurla Complex
Bandra East
Mumbai – 400 051
India

+91 22 6112 8484

+91 22 6112 8485

mailbox@anaassociates.com www.anaassociates.com
Author Business Card

Trends and Developments


Authors



Trilegal is a full-service law firm with offices in Bengaluru, Delhi, Gurugram and Mumbai, with 71 partners and 500-plus lawyers. It has been consistently recognised as the best Indian law firm for the quality of its services and client satisfaction. Trilegal's technology media and telecom (TMT) practice is a pioneer in India and provides the most comprehensive coverage of the full range of issues in the sector. The team brings a unique understanding of the issues that lie at the intersection of technology, business and the law to advise clients on a range of issues from mergers and acquisitions, and regulatory and commercial advice, to policy advice and dispute resolution. The team is widely regarded for its ability to evaluate new and complex technology business models to help clients identify the most viable ways to commercialise these models while staying compliant with the law.

India’s Data Protection Bill: Review from a GDPR perspective

The right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution” – the Supreme Court of India in Justice K.S. Puttaswamy (Retd.) v Union of India.

On 24 August 2017, the apex court of India declared the right to privacy as a fundamental right protected under the Indian Constitution. As India witnessed this historic moment, the government set up a committee of experts to study various issues relating to data protection in India and make specific suggestions on principles to be considered, along with a draft data protection bill (Expert Committee). In July 2018, the Expert Committee submitted its report along with a draft bill and public comments were invited until October 2018.       

On 11 December 2019, a revised draft of the Personal Data Protection Bill (PDP Bill) was introduced in the lower house of the Indian Parliament. Notably, the PDP Bill substantially modified the version submitted by the Expert Committee, introducing new constructs such as consent managers and social media intermediaries, and conferred greater powers upon the government. Shortly after it was introduced, the PDP Bill was referred to a Joint Parliamentary Committee (JPC) of both houses for further debate and examination. For almost two years since 2019, the JPC sought views and suggestions from relevant stakeholders and carried out a clause-by-clause consideration and consultation process of the PDP Bill.

On 16 December 2021, the JPC tabled its report before the Parliament, along with a revised version of the bill – the Data Protection Bill, 2021 (DP Bill). When passed as law, this will become India’s very own privacy legislation and have the potential to change the way data is used by businesses. While the DP Bill is largely modelled after its global counterparts such as the European Union’s General Data Protection Regulation (GDPR) and adopts many concepts and requirements that are similar to those of the GDPR, there are some notable differences between the two. In this article, we touch upon some of these deviations and discuss their impact on businesses which are otherwise compliant with the GDPR. 

The stakeholders – data fiduciary and data principal

As outlined, the DP Bill introduces various deviations from global data protection regimes such as the GDPR, and this manifests in the way certain key terms are defined. The DP Bill defines key stakeholders in the data protection regime as the "data principal" (similar to a data subject), the "data fiduciary" (similar to a data controller) and the data processor. A data principal is the natural person to whom the personal data relates to, while the data fiduciary is any legal or natural person, including the state, a company, any juristic entity or any individual who determines the purpose and means of processing personal data. This was a conscious deviation from the GDPR to ensure that the idea of a data fiduciary’s relationship with a data subject being built on trust is adequately captured.

The idea of a data fiduciary – in the context of an Indian data protection framework, and as also outlined in the Expert Committee’s report – is built on trust. In the same vein, the Expert Committee also noted that individuals are more appropriately recognised as data principals – since they are the focal actors who must have complete autonomy over the processing of their personal data. It recognised that the relationship between data principals and data fiduciaries is rooted in the fundamental expectation of trust, where the individuals expect their personal data to be used fairly, in a manner that fulfils their interests and is reasonably foreseeable.

While the obligations on a data fiduciary are largely in line with those of a data controller under the GDPR, the distinction in terminology and the intent behind it may lead to Indian courts viewing and interpreting it through a different lens. The Indian apex court, for instance, has interpreted a fiduciary relationship to mean "a situation where one person places complete confidence in another person (fiduciary) in regard to his affairs, business or transactions […] and where the fiduciary is expected to act in confidence and for the benefit and advantage of the beneficiary". It has also, in other judgments, held that there must be, inter alia:

  • no conflict of interest between a beneficiary and a fiduciary;
  • undivided loyalty of the fiduciary towards the beneficiary; and
  • a duty of confidentiality owed by the fiduciary to the beneficiary.

Regulation of non-personal data

In an unprecedented move, the DP Bill proposes to regulate both personal and non-personal data (NPD) and appoint the Data Protection Authority (DPA) as the sole regulator for both sets of data. The decision to include NPD within the scope of the DP Bill stems from the JPC’s understanding that (i) it may not always be possible to differentiate between personal data and NPD, and (ii) enacting a single law and regulator to oversee all data (including NPD) is more feasible given grey areas that may arise from anonymisation and re-identification.

This is a significant departure from previous drafts of this bill, which had excluded NPD and anonymised data from their scope. In fact, the Expert Committee, while formulating its report on personal data, had specifically refrained from making any recommendations regarding NPD and left all issues in this respect to be considered separately. Following this, the government appointed a new committee, the NPD Committee, to examine NPD governance, which recommended that: (i) references pertaining to NPD in the PDP Bill must be deleted, in order to keep both frameworks mutually exclusive yet harmonious; and (ii) a separate authority must be established to regulate NPD. The DP Bill does not seem to take into consideration these recommendations and instead proposes to regulate NPD and personal data under the same legislation and regulatory body.

The DP Bill defines NPD to include all data other than personal data. This will therefore potentially also include anonymised data (personal data which has undergone anonymisation). Anonymisation is defined as an irreversible process of transforming or converting personal data to a form in which the data principal cannot be identified, as per the standards of irreversibility laid down by the DPA. Accordingly, until the DPA specifies the technical threshold for anonymisation, it will not be possible to categorically stipulate what constitutes anonymised data.

Unlike in relation to personal data, the DP Bill does not clarify whether there are any territorial limits to the applicability of its provisions in respect of NPD. However, the provisions of the current draft regulate such data only to the extent of (i) data breaches, and (ii) the government's ability to issue directions to data fiduciaries and processors to provide such data for targeted delivery of services or evidence-based policy formulation. This is likely to have a broad impact on all entities that process NPD and therefore specifying and restricting the scope under the DP Bill is important.

Notably, the regulation of both personal data and NPD under the same legal framework is unprecedented. The GDPR only applies to personal data and excludes NPD or anonymised data from its ambit. It is only when NPD and the personal data components in a mixed dataset are "inextricably linked" that the rights and obligations under the GDPR apply to such a mixed dataset. In all other instances, only the personal data part of a dataset is subject to the GDPR. Across the globe, NPD is governed or regulated under separate legislations such as the EU's "free flow of non-personal data regulation" which imposes a general prohibition against localising NPD within the EU and promotes its free flow within member states.

The requirement on data fiduciaries to share NPD processed by them with the government for certain use cases is also unprecedented, the far-reaching consequences of which, if implemented, are yet to be seen. For instance, the DP Bill does not currently have any accountability measures, neither does it specify details such as modalities of transfer, or safeguards against sharing of data with third parties. These provisions of the DP Bill may affect the adequacy assessment of India as per the decision in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (Schrems-II) for cross-border data transfer and increased compliances for entities within India.

This mandatory requirement to share NPD does not make an exemption of data processors, which include cloud service providers, online storage service and BPOs, for whom it would be impractical and legally untenable to share such data with third parties, especially in the absence of any clear guidelines and safeguards around its subsequent use. The sharing requirement being made applicable to data processors also goes against the NPD Committee’s recommendations, which stated that data processors have a unique role and must not be mandated to share the data belonging to their clients.

Consent managers

The DP Bill also introduces a novel concept of "consent managers", which is not present in the GDPR. The framework for consent managers has been inspired by India’s recent work on developing digital public infrastructure to facilitate easier sharing of data through the use of accountable intermediaries.

Over the past decade, the government has increasingly recognised the wealth of data at its disposal and pushed for establishing its digital sovereignty in various ways. This includes exploring new ways to generate economic value out of such data to further facilitate India's growth. At the forefront of these efforts has been its collaboration to develop “India Stack” – a set of application programming interfaces (APIs) created to utilise a unique digital infrastructure and deliver services in an easy and accountable manner. India Stack is made up of four distinct technology layers: (i) a presenceless layer, (ii) a paperless layer, (iii) a cashless layer and (iv) a consent layer, each of which operate independently of one another.

The presenceless layer is aimed at introducing a unique biometric government ID for every individual, to enable digital authentication of a person for availing certain services without requiring the individual's physical presence. The implementation of Aadhaar as the unique identity number by the government was pursuant to this layer.

The paperless layer was introduced to reduce red tape and over-reliance on physical documentation, and has been implemented in various forms such as eKYC (digital/electronic know-your-customer processes), DigiLocker (online storage of digital documents) and Esign (Aadhaar-based digital signatures).

The cashless layer aims to reduce reliance on cash transactions and democratise digital payments in India. The Unified Payments Interface (UPI) developed by the National Payments Corporation of India is an example of the cashless layer.

The consent layer seeks to democratise consent and make it more meaningful through its data-sharing protocol, the Data Empowerment and Protection Architecture (DEPA).

The objective of DEPA is to enable free and individual-centric sharing of user data with service providers for specific purposes, through an accountable and qualified intermediary, such as a consent manager. It also aims to decrease closed loop systems and instead promote inclusive ecosystems which encourage newer players to enter the market.

The DEPA framework is also proposed to be implemented under the DP Bill, in the form of consent managers. A consent manager is defined as a data fiduciary which enables a data principal to gain, withdraw, review and manage their consent through an accessible, transparent and interoperable platform. A similar framework was also recommended in the form of consent dashboards by the Expert Committee to mitigate consent fatigue. Under the DP Bill, data principals can choose to exercise the rights to confirmation, access, correction, erasure and portability of their data through consent managers. Consent managers will be registered with the Data Protection Authority (DPA) and be subject to technical, operational, financial and other conditions specified by the regulations.

A consent manager is likely to operate as a third party agency acting on behalf of the data principal, and as a data fiduciary. The DEPA framework also treats consent managers as independent intermediaries whose incentives align more closely with the individuals, who are "data blind" and do not see or use the personal data themselves. 

Significant data fiduciaries

Under the DP Bill, certain entities can be notified as "significant data fiduciaries" (SDFs) on the basis of certain parameters – such as volume and sensitivity of personal data processed by them, their turnover, risk of harm, use of new technologies, and any other factor that may be relevant in causing harm to any data principal as a result of such processing. Such entities are required to be mandatorily registered and are subject to heightened obligations and accountability mechanisms. There is no such classification under the GDPR.

SDFs are subject to additional compliance obligations, which include mandatory external audits, submitting a data protection impact assessment before launching new technologies or large-scale profiling, seeking the DPA’s approval for transferring data outside India, publication of trust scores and registering with the DPA. This could increase compliance costs for large businesses and start-ups alike.

Unlike the GDPR, where additional obligations are subject to a data controller meeting certain objective criteria (such as designating a data protection officer only if the processing involves systematic processing on a large scale), the DPA retains the power to notify entities as SDFs based on broad grounds such as any "other factor causing harm from such processing", thereby making the onus of additional obligations more discretionary than the GDPR. The DPA can also notify social media platforms having a certain prescribed user threshold as SDFs. Given this, GDPR-compliant entities being classified as SDFs are expected to attract additional compliance costs and greater scrutiny from the DPA under the DP Bill, and will be subject to regulations prescribed by the DPA under various provisions. This may also impact the day-to-day operations of such entities.

The DPA can also notify entities processing children's data or providing services to them as SDFs. Unlike the GDPR – which on default treats persons below the age of 16 years as children, with leeway for member states to reduce the age to 13 years – the age threshold in the DP Bill is 18 years. 

The right to data portability

Both the GDPR and DP Bill recognise certain rights of data principals (or data subjects). Under the GDPR, data subjects have the right to receive the personal data they have provided to a controller in a structured, commonly used and machine-readable format or to direct the controller to transmit their PD to another data controller directly. This applies where the processing has been done on the basis of consent and through automated means. The DP Bill also provides a similar right to a data principal; however, "automated means" is defined as any equipment capable of operating automatically in response to instructions given, or otherwise for the purpose of processing data.

Given this, while data portability requirements under the GDPR extend only to personal data that has been provided to the controller, the DP Bill extends this right to a larger set of data, including inferred data and data obtained from other sources.

Cross-border transfers

The DP Bill places no restrictions on the cross-border transfer and processing of personal data per se. This data may be transferred across borders if one of the purposes of processing are met. However, certain subcategories of personal data are subject to specific transfer restrictions.

Requirement to store a local copy of sensitive personal data

The DP Bill requires all sensitive personal data to be stored in India, even if it is transferred outside the country. Sensitive personal data is personal data that reveals, is related to, or constitutes financial data, health data, official identifiers, sex life and sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious, political belief or affiliation, and any other category as may be notified. Unlike the GDPR, the DP Bill includes financial data and official identifiers as sensitive personal data.

The DP Bill also empowers the government to notify certain categories of personal data as critical personal data that shall only be processed in India. At present, the term "critical personal data" remains undefined. A hard localisation requirement such as this appears to be far more restrictive than several existing data protection regimes, including the GDPR.

Cross-border transfer of sensitive personal data

Where sensitive personal data is required to be transferred outside the country, a data fiduciary may only transfer such data if it obtains the explicit consent of the data principal and additionally meets any of the following conditions:

  • if the transfer is being made subject to a contract or intra-group schemes, such schemes should have been approved by the DPA in consultation with the government;
  • there has been an adequacy determination made by the government in respect of transfers to a country or to an entity or class of entities in a country – such an adequacy determination will have to include the finding that the data being transferred will not be shared with any foreign government or agency unless such sharing is approved by the government;
  • if the transfer of sensitive personal data or a class of sensitive personal data is approved by the DPA in consultation with the government for a specific purpose.

Prohibition on cross-border transfer of critical personal data

There is a general prohibition on the transfer of critical personal data outside the territory of India. The DP Bill allows exceptions to this general prohibition by permitting critical personal data to be transferred outside the country for certain limited purposes such as for health or emergency services, or to a country, with adequacy determination. In addition, the government must also be satisfied that such a transfer would not prejudicially affect the security and strategic interest of the nation.

The GDPR does not make any distinction between types of personal data in this regard and treats all personal data similarly within its grounds for transfer. The DP Bill has emulated the GDPR to an extent by permitting transfers under intra-group schemes and standard contractual clauses in a similar manner.

Non-consensual grounds for processing

The DP Bill recognises certain grounds under which personal data can be processed without the consent of the data principal; unlike the GDPR, these grounds do not include processing that is necessary for the performance of a contract to which the data principal is a party, or for the purposes of legitimate interests pursued by the controller or by a third party. Given this, the only non-consensual grounds that can be relied by a data fiduciary are those specifically mentioned under the DP Bill, such as whistle-blowing, mergers and acquisitions and the operation of search engines, which are narrowly defined and specifically allowed by the DPA.

This may have an impact on businesses which rely on grounds under the GDPR, or where it is not possible to take consent each time data needs to be processed, such as for payment transactions. It may also result in "consent fatigue" for data principals who will be required to provide valid, meaningful and informed consent for processing each time.

Government exemption

The DP Bill gives the government the power to exempt its agencies from any provisions of the DP Bill by executive action. By comparison, the exemption powers under the GDPR are only applicable when necessary and proportionate to safeguard:

  • national security, defence or public security;
  • the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
  • other important objectives of general public interest of the member state or EU.

Further, these exemptions can only be notified in respect of certain provisions relating to notice, exercise of rights of data principals, principles of processing, etc. Under the GDPR, the exemption must be backed by a legislative measure of the EU or member state. The GDPR clarifies that such restrictions must be necessary and proportionate.

Under the GDPR, cross-border data transfers are permitted to third countries that ensure adequate level of data protection, as per the Schrems-II criteria. Relevant to this determination is whether the third country offers essential guarantees for law enforcement and national security access to limit interferences to fundamental rights such as:

  • processing based on clear, precise and accessible rules;
  • demonstrable necessity and proportionality with regard to the legitimate objectives independent oversight mechanism; and
  • availability of effective remedies to the data subject.

Since these exemptions to the government are far wider than the corresponding exemptions under the GDPR, this may impact adequacy determinations that are made under the GDPR in relation to India.

Conclusion

In light of the differences in the DP Bill and the GDPR, it is important to note that compliance with GDPR will not suffice to meet compliance with the upcoming Indian data protection regime as well. However, considering the broad similarities, GDPR compliance will provide a baseline which will assist businesses in complying with the DP Bill by making some incremental changes in their data protection policies and practices.

Finally, with the introduction of new concepts such as consent manager, the DP Bill offers innovative solutions to issues of data transfer and provides a new perspective in India's approach to data privacy.

Trilegal

Prestige Poseidon
139, Residency Road
Bangalore – 560025
India

+91 80 4343 4646

+91 80 4343 4699

Nikhil.Narendran@trilegal.com www.trilegal.com
Author Business Card

Law and Practice

Authors



ANA Law Group is a full-service law firm based in Mumbai, with a team of experienced professionals who have broad industry knowledge and who specialise in a wide spectrum of business areas. It has significant experience in counselling international clients on issues related to data protection and privacy in India, and regularly represents clients from industries such as banking and insurance, online gaming, finance, consumer goods, healthcare, payroll-processing, pharmaceuticals, telecommunications, credit research and employee screening. The firm also assists international companies with global privacy law involving Indian projects, the drafting and negotiating of contracts with Indian counterparts, and the preparation of data protection and privacy policies for international companies operating in India and their Indian subsidiaries. More specifically, it advises clients on permitted data processing; consent requirements; data collection, retention and disclosure; regulatory requirement compliance; transfers of sensitive personal data within and outside India; security breaches and drafting security breach policies; international compliance projects; and prosecutions and offences.

Trends and Development

Authors



Trilegal is a full-service law firm with offices in Bengaluru, Delhi, Gurugram and Mumbai, with 71 partners and 500-plus lawyers. It has been consistently recognised as the best Indian law firm for the quality of its services and client satisfaction. Trilegal's technology media and telecom (TMT) practice is a pioneer in India and provides the most comprehensive coverage of the full range of issues in the sector. The team brings a unique understanding of the issues that lie at the intersection of technology, business and the law to advise clients on a range of issues from mergers and acquisitions, and regulatory and commercial advice, to policy advice and dispute resolution. The team is widely regarded for its ability to evaluate new and complex technology business models to help clients identify the most viable ways to commercialise these models while staying compliant with the law.

Compare law and practice by selecting locations and topic(s)

{{searchBoxHeader}}

Select Topic(s)

loading ...
{{topic.title}}

Please select at least one chapter and one topic to use the compare functionality.