Under the Indian legal system, the right to privacy was not initially recognised either under the Constitution of India (COI) or any other statute, therefore, protection against its violation was also not available. The right to privacy came to be recognised as a fundamental right only after several years of jurisprudential developments through the Supreme Court of India (SCI) which culminated with Justice KS Puttaswamy v Union of India (the “Puttaswamy Case”). In the Puttaswamy Case, the SCI held that the right to privacy has its origin under Article 21 (Protection of life and personal liberty) of the COI and under the freedoms guaranteed in Part III of the COI, thus, it is a fundamental right of every person. The effect of such legal recognition of the right to privacy means that individuals can now enforce this right against the state or its instrumentalities through the existing constitutional mechanisms (ie, Article 32 and Article 226 of the COI, which confer jurisdiction on the SCI and the high courts, respectively).

The Data Protection Rules

The provisions in relation to data protection were added by way of an amendment to the Information Technology Act, 2000 (IT Act) in the year 2009, which brought about Section 43A. This section of the IT Act provides for damages by way of compensation when a body corporate that is dealing with sensitive personal data or information (SPDI) in a computer resource, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person. The aforesaid amendment in the IT Act paved the way for the enactment of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “Data Protection Rules”). The Data Protection Rules govern issues in relation to the collecting, receiving, possessing, storing, dealing, and handling of information, including SPDI, by body corporates. However, the Data Protection Rules are silent on the aspect of coverage, but based on the principal provision under which they were notified, Section 43A of the IT Act, it can be argued that the Data Protection Rules should extend in their application only to digital/online data and should not cover the collection of offline data, or the collection of data by natural persons.

The Data Protection Rules are the only set of rules in India, in relation to data protection, which are overarching in nature. Sector/industry-specific regulations have been framed by various regulators over the course of the last few years (see 1.2 Regulators).

In the Puttaswamy Case, the SCI not only recognised the right to privacy, but also directed that a special committee be formed to study the matter in relation to the privacy of individuals and how to protect it through a statutory mechanism.

Pursuant to the recommendations of the SCI, a committee headed by Justice BN Srikrishna (the “Srikrishna Committee”) was formed to study the current laws and to recommend a legal framework in relation to data protection. The Srikrishna Committee formulated its report titled “A Free and Fair Digital Economy – Protecting Privacy, Empowering Indians” in July 2018, along with a draft of the Personal Data Protection Bill. Based on this draft bill, the Ministry of Electronics and Information Technology of the government of India (“MeitY”) prepared the Personal Data Protection Bill, 2019 (PDP Bill) and laid the PDP Bill before the parliament of India. The PDP Bill was then referred to a joint parliamentary committee (JPC), which gave its report in December 2021. In this report, the JPC recommended several amendments to the existing bill. One of the most prominent recommendations was to widen the scope of the PDP Bill and include non-personal data as well. The PDP Bill was withdrawn in November 2022 and the government has released the draft Digital Personal Data Protection Bill, 2022 (DPDP Bill).

At present, there is no specific regulator/supervisory authority in the Indian legal regime that deals principally or exclusively with matters related to privacy and data protection under any specific legislation. Therefore, what follows is an overview of certain important sector/legislation-specific regulators:

Financial Sector

Banks and financial institutions in India are governed and regulated by various laws, regulations and guidelines (the “Banking Laws”). The Reserve Bank of India (RBI) is the central bank in India and the regulator for banks and most financial institutions. There is no specific definition of SPDI or its equivalent under the Banking Laws. However, different Banking Laws, based on their subject matter, seek to protect customer information, etc. Furthermore, certain Banking Laws require banks to impose certain obligations on third-party vendors/service providers/consultants/sub-contractors when contractually engaging such third parties.

The RBI has been very active in terms of regulating entities that fall under its regulatory framework in relation to data protection and cybersecurity by issuing several directions and regulations, including but not limited to the Payment and Settlement Systems Act, 2007.

Furthermore, the RBI released the Storage of Payment System Data Directive, 2018, in April 2018 which mandated that the entire data relating to payment systems be stored in a system only in India. This data should include the full end-to-end transaction details, information collected, carried, processed as part of the message, and the payment instruction. This circular exempts data corresponding to the foreign leg of a transaction from this requirement. Afterwards, the RBI released clarifications in the form of FAQs on the circular in June 2019. The FAQs clarified that the directive is applicable to all payment system providers authorised/approved by the RBI to set up and operate a payment system in India. It was also clarified that the end-to-end payments data is to be stored in India.

The RBI regularly conducts audits and enquiries into banks’ security frameworks and has imposed penalties for non-compliance with the RBI’s cybersecurity framework for banks.

Telecommunications

Telecoms operators are governed by regulations laid down by regulatory bodies including:

• the Telecom Regulatory Authority of India (TRAI);
• the Department of Telecom, Government of India (DOT);
• the Telecom Disputes Settlement and Appellate Tribunal (TDSAT);
• the Group on Telecom and IT;
• the Wireless Planning Commission; and
• the Digital Communications Commission.

Furthermore, the Unified Access Service Licence extends information security to the telecoms networks as well as to third-party service providers/equipment providers of operators. The regulator requires telecoms operators to audit their network at least once a year. The DOT, in its National Digital Communications Policy, 2018, seeks to establish a comprehensive data protection regime and assure security for digital communication. The TRAI has also rolled out measures to protect telecoms subscribers and brought out the Telecom Commercial Communications Customer Preference Regulations, 2010, to fine-tune the process for providing telecoms subscribers with an option to record their preferences, and mandates telecoms service providers (TSPs) to implement measures to protect confidentiality and also to take action on complaints.

Capital Markets

The Capital Markets industry is regulated in India by the Securities and Exchange Board of India (SEBI). SEBI has enacted a framework for cybersecurity for certain regulated entities called the Cyber Security and Cyber Resilience framework of Stock Exchanges, Clearing Corporations and Depositories Circular CIR/MRD/DP/13/2015 dated 6 July 2015, and Circular CIR/MRD/CSC/148/2018 dated 7 December 2018 (the “SEBI Circular”). The SEBI Circular is only applicable to Clearing Corporations, Depositories and Stock Exchanges, which are also referred to as Market Infrastructure Institutions (MIIs).

The SEBI Circular extensively covers the obligations of the MIIs as far as maintaining their IT infrastructure is concerned, such as the need to establish a Cyber Security and Cyber Resilience Policy, maintain a Cyber Security Operation Center which may be maintained by the MII concerned or may be outsourced (subject to conditions in the SEBI Circular), formulate an actionable Cyber Crisis Management Plan along with confidentiality and privacy requirements to be followed by the MIIs, and alert the Indian Computer Emergency Response Team (“Cert-In”) in case of any cyber-attack.

Cert-In

Cert-In has been created under Section 70B of the IT Act to serve as a national agency for responding to cybersecurity incidents. It has been conferred with the power to give directions to service providers, intermediaries, data centres, bodies corporate and any other person. See 3.4 Key Privacy Issues, Conflicts and Public Debates for an overview of the directions issued by Cert-In.

Insurance

The Insurance Regulatory and Development Authority of India (IRDAI) conducts regular on-site and off-site inspections of insurers to ensure compliance with the legal and regulatory framework. In addition, the IRDAI’s guidelines on Information and Cyber Security for Insurers was updated in December 2020, requiring vulnerability assessments and penetration testing annually and closing any identified gaps within a month. Some other relevant guidelines issued by the IRDAI include the IRDAI (Outsourcing of Activities by Indian Insurers) Regulations 2017, the IRDAI (Maintenance of Insurance Records) Regulations 2015, and the IRDAI (Protection of Policyholders’ Interests) Regulations 2017, which contain a number of provisions and regulations on data security.

Furthermore, the IRDAI has issued guidelines to insurers on structuring cyber-insurance for individuals and the gaps that need to be filled. As per the guidelines, cyber-insurance should provide cover against theft of funds and identity, unauthorised online transactions, and e-mail spoofing, among others.

Healthcare

The Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002 impose patient confidentiality obligations on medical practitioners.

The Electronic Health Record Standards, 2016 (EHR Standards) have been notified by the Ministry of Health and Family Welfare, Government of India (MOHFW) for adoption by hospitals across India, however, these are merely guidelines and, as such, are not enforceable. EHR Standards differentiate between (i) protected health information; and (ii) individually identifiable health information.

The Health Data Management Policy, 2020 (HDM Policy), released by the MOHFW, is largely based on the PDP Bill to govern data in the national digital health mission ecosystem. The HDM policy, like the PDP Bill, recognises entities such as data fiduciaries and data processors and establishes a consent-based data-sharing framework.

Telemedicine Practice Guidelines, 2020 released by the MOHFW, stipulate that registered medical practitioners (registered under the Indian Medical Council Act, 1956) while providing telemedicine (through audio, video, etc) must abide by the relevant provisions of the IT Act, data protection, and privacy laws or any applicable rules notified from time to time for protecting patient privacy and confidentiality, and regarding the handling and transfer of such personal information regarding the patient.

Under the New Drugs and Clinical Trials Rules, 2019, the investigator responsible for conducting clinical trials at the clinical trial site should undertake to keep the identification of all participants who take part in clinical trials confidential, and ensure security and confidentiality of study data. 

Consumer Protection Act, 2019

The Consumer Protection Act, 2019 (“CA 2019”) is applicable to consumers of goods or any services. As per CA 2019, a service provider has to ensure protection of information disclosed by the consumer in confidence. Any disclosure of the same, except in accordance with applicable laws, would amount to unfair trade practice, and the consumer in such circumstances may make a claim against the service provider under CA 2019 before a consumer forum or may even lodge a complaint with the Central Consumer Protection Authority.

As outlined in 1.2 Regulators above, there is currently no overarching privacy regulator or data protection authority in India. Some of the extant laws, such as the IT Act, allow redress to affected individuals or entities.

Police officers, not below the rank of inspector, may carry out investigations in relation to any of the offences under the IT Act, including Section 43A and Section 72A, which imposes punishment for disclosure of information in breach of lawful contract.

Under the IT Act, Section 46 provides for the appointment of an adjudicating officer in relation to the adjudication of offences under the IT Act, or any rule, regulation, direction or order made thereunder. The jurisdiction of such adjudicating officer extends to injury or damage of up to INR5,00,00,000 (five crore Indian rupees) and beyond this amount, jurisdiction is vested with the competent court under the IT Act.

MeitY has notified the secretary of the Department of Information Technology of each Indian state or union territory as the adjudicating officer under the IT Act. A written complaint can be made to the adjudicating officer based on the location of the computer system or the computer network, together with a fee based on the damages claimed as compensation. The adjudicating officer thereafter issues a notice to the parties notifying them of the date and time for further proceedings and, based on the evidence, decides whether to pass order(s) if the respondent pleads guilty, or to carry out an investigation. If the officer is convinced that the scope of the case extends to an offence rather than a mere contravention, and entails punishment greater than a financial penalty, the officer will transfer the case to the magistrate having jurisdiction.

The first appeal based on an adjudicating officer’s decision can be filed before the TDSAT and from the order of the TDSAT, an appeal can be filed before the High Court of the state in India that has jurisdiction.

India does not currently appear to be part of any binding multinational system on data protection or privacy. However, certain similarities and contrasts between India’s Data Protection Rules and the General Data Protection Regulation, 2016 (GDPR) are evident.

• Extra-territorial application: although the Data Protection Rules are applicable only to body corporates located in India, Section 1(2) read with Section 75 of the IT Act extends the applicability of the IT Act to persons resident in countries outside India, where such persons possess a computer system/network in India. Therefore, in case of violation of the Data Protection Rules by an entity outside India, said entity may be subject to enforcement action under the IT Act, similar to that of the GDPR.
• Purpose limitation: similar to the GDPR, the Data Protection Rules provide for collected information to be used only for a specified purpose, which should be legal.
• Data minimisation: unlike the GDPR, the Data Protection Rules do not have an express principle in this regard. However, it is stipulated that information should be collected only if it is necessary for the original purpose.
• Informed consent: the Data Protection Rules are worded differently to the GDPR in relation to this. However, it is necessary to obtain consent before collecting information and even for the purpose of disclosing or transferring collected information to any third party.
• Storage limitation: like the GDPR, the Data Protection Rules do not specify storage times for personal information, which can be stored until completion of the purpose for which the personal information was collected.
• Integrity and confidentiality of personal data: unlike the GDPR, which expressly defines a data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, the Data Protection Rules do not have a clear definition of data breach. However, data breach in India is one of the cybersecurity incidents required to be mandatorily reported to Cert-In within six hours, as per Cert-In directions. However, Cert-In directions also do not define a data breach.

Some of the major NGOs and self-regulatory organisations (SROs) working in India, which also address data protection and privacy, are mentioned below.

• Internet Freedom Foundation: a non-profit organisation that conducts advocacy on digital rights and liberties.
• Data Security Council of India: a non-profit organisation specifically focusing on data-centric industries, which has been set up by the National Association of Software and Service Companies (NASSCOM).
• Cellular Operators Association of India: this represents the Indian telecoms industry and interacts directly with ministries, policy makers, regulators, financial institutions and technical bodies.
• National Cyber Safety and Security Standards: a non-profit organisation that carries out research in cybersecurity and provides comprehensive training programmes in relation to the same.
• Internet and Mobile Association of India: a non-profit organisation set up with the purpose of representing the interests of diverse players in the digital ecosystem of India, including various start-ups.
• Internet Service Providers Association of India: a non-profit organisation that represents the interests of internet service providers in India across various fronts.
• Sahamati: a non-profit organisation representing the interests of account aggregators in India.
• Indian Software Products Industry Round Table (ISPIRT): a non-profit think tank working extensively in policy-making in relation to digital ecosystems in Indian data-focused industries.

The Indian legal regime related to data protection and privacy is currently undergoing an overhaul and although it already has certain elements in common with the GDPR, it is yet to attain the level of maturity and detail in terms of regulation as contemplated under the GDPR. This is something which is expected of the draft DPDP Bill which is presently undergoing public consultation, and it is likely that this draft will be amended meticulously and will benefit from the practical nuances of the GDPR, towards which the Indian legal regime appears to be inclined.

See 1.8 Significant Pending Changes, Hot Topics and Issues.

Certain impactful changes in the regulation of data protection under Indian law are specified below. 

• The draft DPDP Bill is undergoing public consultation and will comprehensively change the overarching framework in relation to data governance in India.
• The Non-Personal Data Governance Framework Policy, 2022 is currently being deliberated by the committee of experts constituted under MeitY.
• The Digital Information Security in Healthcare Bill, 2017, which is yet to be passed by parliament, has been framed with the purpose of standardising and regulating the processes related to collection, storage, transmission and use of digital health data.
• The Draft National Data Governance Framework Policy, 2022, published by MeitY, seeks to enhance the use of, access to, and quality of data, and align it with the current technological developments in the country, so as to standardise and improve the government’s data collection and management while enabling a start-up ecosystem based on AI and data-based research.
• The India Digital Ecosystem Architecture 2.0 (InDEA 2.0) is a framework that enables governments and private sector enterprises to design IT architecture that can extend beyond their organisational boundaries and enable delivery of holistic and integrated services to customers.

The Data Protection Rules

The legal framework currently addressing data protection is the Data Protection Rules. As per the Data Protection Rules, whenever a body corporate collects or manages personal information, the body corporate should have a privacy policy in place and the same should be made available on the body corporate’s website. The privacy policy should include the type of personal data collected, the purpose of collecting the data, any disclosure of the personal information collected, and reasonable security policies that have been developed by the body corporate. Consent of the individuals providing personal data should be obtained for the specific purpose before using any personal data. Data providers should also be given the option to not provide consent for the collection of personal data. However, these rules are not comprehensive with respect to privacy and data protection and there is a need to have a more detailed omnibus law.

The DPDP Bill

The Ministry of Electronic and Information Technology has solicited all relevant stakeholders to make suggestions and comments on the draft DPDP Bill. This bill applies to digital data and offline data that is converted to digital form. However, it doesn’t include data that remains in offline physical form. 

The DPDP Bill is drafted on the basis of the following principles. Personal data collected by organisations:

• must be used in a fair and transparent way;
• must be for a specific purpose;
• may be stored only until the purpose is served;
• must be accurate and up to date;
• may not be collected or processed unless this is authorised; and
• must be processed by the organisation accountable for deciding the purpose and means of processing. 

Requirement for Appointment of an Officer

The current law does not have any mandatory requirement that every organisation that handles data should appoint an officer to ensure compliance with general obligations. In some instances, however, the appointment of an officer is mandated. For example, the Data Protection Rules mandate that a grievance officer who is responsible for handling grievances from the end users should be designated, and the appointment of a grievance officer under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, who will be responsible for receiving any grievances relating to the code of ethics as described under said rules, is required. 

The DPDP Bill discusses appointing a “data fiduciary” whenever personal data is being collected from individuals. This data fiduciary is responsible for:

• the personal data received by their organisation being compliant with the DPDP Bill;
• taking reasonable security measures to protect personal data;
• ensuring data is complete in the event that it is used to make a decision that affects the individual;
• ensuring compliance with regard to erasing personal data;
• informing the regulator of the Data Protection Board of India in the event of a data breach;
• developing mechanisms to redress the grievances of data providers; and
• ensuring additional compliance where children’s personal data is collected. 

Criteria Necessary to Authorise the Collection and Processing of Personal Data

The Data Protection Rules differentiate between personal data and SDPI. SPDI means information relating to a password; a bank account, credit card or debit card or other financial information; physical, physiological or mental health conditions; sexual orientation; medical records or history; and biometric data. SPDI can be collected only after the SPDI provider is informed of the purpose for collecting their personal data and gives consent to its collection. SPDI can be disclosed to a third party only after permission for such disclosure has been given by the data provider. However, consent is not required in exceptional circumstances, such as disclosure to a government agency mandated under law. 

The DPDP Bill does not differentiate between personal data and SPDI and only specifies that personal data should only be collected after obtaining consent for a specific purpose. However, the DPDP Bill does talk about deemed consent in cases of voluntary disclosure, performance of an obligation under any law or judgement, providing medical treatment or assistance in a disaster, or other purposes as specified in the DPDP Bill. 

Application of “Privacy by Design” or “by Default”

Privacy by design or by default is not defined under current law or the DPDP Bill. However, the Data Protection Rules mandate that when a body corporate is collecting information, it should have a privacy policy on the handling of personal information.

Impact Analysis

Current law does not talk about impact analysis, but the DPDP Bill says that the central government may require data fiduciaries to assess the risk or harm to the individual while processing their personal data and, in some situations, also determine the potential impact on the sovereignty and integrity of the country.

Data fiduciaries who are responsible for collecting personal data undertake impact assessments and periodic audits to ensure compliance with the DPDP Bill. 

Need for Internal or External Policies

As per the Data Protection Rules, the body corporate collecting information should formulate a privacy policy and the policy should provide details of the purpose for collecting data, what information will be collected and what safeguards have been undertaken to protect the data. 

The Individual’s Right to Control the Use of Personal Data

The Data Protection Rules provide a right to give consent, withdraw consent, edit or update the personal data provided. 

Under the DPDP Bill, similar rights are provided – for example, the individual providing the personal data has the right to withdraw their consent for collecting their personal data, and the right to correct or erase their data, and the data fiduciary must comply with the request of the individual. The data provider should be informed of the purpose for collecting their data, and how the data will be processed and transferred to another data fiduciary after obtaining consent for the transfer. 

Data Anonymisation, De-identification, Pseudonymisation

The current law and DPDP Bill are silent on the use of data pursuant to data anonymisation, de-identification or pseudonymisation. The DPDP Bill scheme includes rules about notification, however, and there is a possibility that these issues could be addressed therein.

Restricting or Permitting of Profiling, Automated Decision-Making or Big Data Analysis or Other Technologies

The current law does not recognise technologies such as profiling or big data analysis. However, the DPDP Bill applies to data processing performed outside India if the profiling or offering of goods and services is for data providers in India. At the same time, the DPDP Bill does not specifically mention any restrictions or permitting of any activities where micro-targeting, big-data analysis, AI or algorithms can be applied. 

Concept of “Injury” or “Harm”

The DPDP Bill mentions that a data fiduciary should assess the risk or harm that may result from processing the data of a data provider. 

Some of the regulators in India have recognised the sensitive nature of personal data and have formulated measures, which are discussed below. 

Financial Data

Under the Banking Regulation Act 1949, no banking company can be compelled to disclose information that the banking company believes to be confidential. Under the Credit Information Companies (Regulation) Act, 2005 and its respective regulations, before collecting confidential information, every credit institution must implement a privacy policy for collecting, sharing and using the credit information. This privacy policy should contain the purpose, obligations implemented to check accuracy, and measures for protection. Under the Payments and Settlement Systems Act 2007, the operator should maintain confidentiality with respect to any document or information provided by a bank or individual using the payment system. 

The RBI is ensuring the data protection of individuals by means of notifications. Through its master circular on customer service in banks, the RBI identified that there is a contractual relationship between a banker and a customer which also includes the obligation of secrecy. For more details on the measures taken by the RBI, see “Financial Sector” in 1.2 Regulators.

SEBI has also recognised the importance of data protection. Through its notification process, SEBI has mandated that its confidential KYC registration agency should keep client information confidential and not divulge the information to anybody without the consent of its clients. 

Measures undertaken by the IRDAI are discussed in “Insurance” under 1.2 Regulators. 

Health Data

In the health sector, the government has come up with the HDM Policy, which is designed to protect the personal data of individuals and provide privacy. Details of the HDM Policy are provided in “Healthcare” under 1.2 Regulators. 

Additionally, the Mental Healthcare Act 2017 provides persons with mental health illness the right to confidentiality in respect of their mental health details. 

Communications, Voice Telephone and Text Messaging Data

Telecoms service providers are governed by several regulations for the protection of personal data, such as the IT Act, the Data Protection Rules, the Indian Telegraph Act 1885, the Indian Telegraph Rule, the Unified Licence Condition, and the guidelines and notifications released by DOT and TRAI. 

The Indian Telegraph Act 1885 and corresponding Rules state that a telegraph officer or any person who has been delegated such duties should not secretly obtain or divulge information which is being transmitted. As per the relevant Rules, if there is any violation of license conditions pertaining to maintenance of secrecy and confidentiality, the service providers will be held responsible. 

The Unified Licence Condition mandates that all licensees providing telecoms services take sufficient measures to observe the confidentiality of customer information, protect the privacy of communication and ensure that there is no unauthorised interception of messages. 

DOT has also issued a notification to TSPs that there should be a security policy for managing their assets by implementing a security risk management system. Refer to “Telecommunications” under 1.2 Regulators.

Content of Electronic Communication

A huge amount of data is transmitted through electronic communication. Ensuring the safety of this data is a difficult but necessary task. Several regulators such as SEBI, the RBI and DOT have stipulated encryption standards to secure electronic communication data. To ensure end-to-end encryption of the data in electronic communication, the Unified Licence Condition recommends encrypting electronic communications in transit as well as in storage in digital ecosystems. Decryption should be allowed only on a needs basis and the consent of the end user should be requested before decrypting their communications. Use of bulk encryption by licensees is not allowed. Providers of electronic communication, such as email, messaging apps, etc, fall under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. 

Children’s or Students’ Data

There is no specific law in India to protect children’s or students’ data. However, under the Indian Contract Act, 1872, a child or a minor cannot be a valid party to a legal contract. Therefore, the issue of a minor providing consent for a privacy policy in a contract in a gaming app is not considered as valid consent. 

The DPDP Bill imposes additional obligations regarding the personal data of children. It says that before processing children’s data, the person collecting the data should obtain parental consent to do so, and the monitoring of children’s behaviour and employment of targeted advertising towards children are not permitted. 

Employment Data

Protection of personal data in employment is discussed in 2.4 Workplace Privacy. 

Social Media Platforms

Social media platforms (“Platforms”) are regulated by the IT Act and Data Protection Rules. This law and the respective rules provide for comprehensive security measures, formulating a privacy policy that regulates Platforms, including giving the reason for the collection of personal data, and display the same on their Platforms. 

Internet, Streaming and Video Issues

Laws and relevant rules discussed in Social Media Platforms apply to this section as well. 

There are no provisions specific to browsing data, viewing data, cookies, beacons or location data. The DPDP Bill provides a prohibition on behavioural or targeted advertising for children. 

Addressing Hate Speech, Abusive Material and Other Content

Under the IT Act, punishment is provided for sending offensive messages, cheating by impersonation using a computer resource, sending pictures of the private parts of a person without their consent, and cyber-terrorism. 

The Information Technology (procedure and safeguard for monitoring and collecting traffic data or information) Rules, 2009 state that the intermediary or person in charge of computer resources should have effective internal checks to ensure that unauthorised monitoring or collection of traffic data does not take place, that the secrecy of traffic data is maintained, and that the utmost care and precautions are taken. 

Other Issues

Data subject rights

The Data Protection Rules provide that the data subject has the right to not give consent to provide data, edit or withdraw data at any point in time. 

The DPDP Bill also provides the right to provide data, edit or correct data, and remove data, as well as the right to enquire if a data fiduciary has the data. In addition, there should be a platform to raise any grievances. 

Right to be forgotten

The Data Protection Rules and DPDP Bill do not per se provide the right to be forgotten to the user. However, the person providing the data has the right to have their information erased from the database. 

The TRAI recommended through a press release that service providers should offer the option to be forgotten to its telecommunication consumers. 

Data portability

The Data Protection Rules do not provide for data portability. However, through its press release, the TRAI has recommended that telecommunication users should have control over their personal data and should have the right to choose portability of services. 

The TRAI has specifically provided sectors where users can block communications like advertisements by registering their preference with the National Customer Preference Right. Once the user chooses to block the services, they should not receive any unsolicited commercial communication or marketing communication.

The Central Consumer Protection Authority constituted under the Consumer Protection Act, 2019 is responsible for handling any false or misleading advertisements. 

The Advertising Standards Council of India also monitors advertisements and ensures that they are truthful and do not mislead consumers. 

Also see Children’s or Students’ Data in 2.2 Sectoral and Special Issues.

The scope for protection of privacy in the workplace in India is very limited. There are no special laws regulating the workplace privacy of employees. Data protection stems from the IT Act and Data Protection Rules which ensure safety measures for personal data collected from employees and inform them if there is any personal data breach. 

The DPDP Bill mentions deemed consent for purposes related to employment, such as corporate espionage, trade secrets, intellectual property, classified information, recruitment, termination of employment, or for the provision of any service or benefit sought by the employee. 

Regarding workplace communications, the law is silent on cybersecurity tools, insider threat detection and prevention programmes. 

Whistle-Blowing

The Whistle Blowers Protection Act, 2014, addresses concealing the identity of the whistle-blower and documents provided by the whistle-blower, and also discusses the protection to be given to a whistle-blower against victimisation. However, this law applies only to government bodies and public sector employees. 

The DPDP Bill does not specifically mention whistle-blowers. 

As per Section 177 of the Companies Act, 2013 and SEBI (Listed Obligations and Disclosure Requirements) Regulations, every listed company should have a vigil mechanism for whistle-blowers that allows directors and employees to report concerns about fraud or violation of policies in the company. 

Legal Standard for Breach of Data Protection

Breach of data protection or privacy is addressed both by civil and criminal remedies in India. Under the general common law principles, the standard of proof required is different in both of these. While “preponderance of probability” may suffice in the case of a civil remedy, the “beyond reasonable doubt” standard prevails in criminal remedies. Some of the general remedies include: imposition of penalties based on the sensitivity of the data, being barred from collecting data until revised safety policies have been put in place, imprisonment in criminal cases, fines, etc.

Currently, penalties for breach of data and other offences are provided in the IT Act. These include identity theft, publishing or sending obscene material in electronic form, and other related offences.

One of the leading cases in India regarding data privacy is Justice KS Puttaswamy v Union of India, as discussed in 1.1 Laws.

The Enforcement Directorate recently brought a case against the National Stock Exchange (NSE) for illegally intercepting the telephone lines of a few employees at the NSE without gaining permission from the required authority and without the consent of the NSE employees. The case is currently pending in the district court. 

There are also several other instances where data protection has been compromised. One example was a ransomware attack on one of the most prestigious hospitals in India, the AIIMS Delhi, where reportedly 40 million records were compromised.

During Covid-19, as working from home became more prevalent, moonlighting (working on two or more parallel jobs) also became prevalent, sometimes without the consent of employers. This increased concerns about breaches of data privacy. 

Class Actions

There is no legislation that authorises class actions or collective redress specifically for privacy or data protection. However, the courts have evolved what is called a “public interest litigation” jurisprudence (PIL). A PIL allows a petitioner without any locus (ie, personal interest in the matter) to approach the SCI or the High Court in matters of greater public interest. It is wholly at the discretion of the court to permit the PIL.

Under the Civil Procedure Code, 1908 a representation suit can be filed by one person on behalf of numerous persons having the same interest in the suit. 

Law enforcement agencies can obtain access to data in an organisation under various legislation, some of which are special laws and some general laws. 

The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, allow law enforcement agencies (LEAs) to seek data on users of intermediaries, and prescribe the procedure for this. LEAs can seek the data without a judicial order under Rule 3(1)(j) of these rules.

The Information Technology (Procedure & Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, allow LEAs to direct interception, monitoring or decryption of information and outline the procedures for these.

The Criminal Procedure (Identification) Act, 2022, allows police officers or prison officers to collect biometric information such as fingerprints, iris and retina scans, photographs, etc, and behavioural attributes including the signature and handwriting of a person arrested or convicted of offences punishable with imprisonment for a period of at least seven years, or offences committed against women or children, and the same can be retained in digital or electronic form for a period of 75 years. However, all biometric information and behavioural attributes are required to be erased from the records (unless specifically directed by the court) if a person is released without trial or discharged or acquitted by the court, after exhausting all legal remedies.

The Indian government (including its LEAs) has wide powers under various laws for surveillance, monitoring and access to data for investigations of serious crimes, national security, and anti-terrorism. Most of these specify a process and allow the LEA to unilaterally access data as per that process.

Key legislation, rules and regulations related to this are set out below. 

• The Indian Telegraph Act 1885 governs interception of telephone conversations in the case of a public emergency or in the public interest, and requires the disclosure of call data records to LEAs.
• The IT Act and Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules 2009 (“Interception Rules”) allow for the interception, monitoring and decryption of digital information in any computer resource in the interest of the sovereignty, integrity and defence of India. Moreover, the Interception Rules also permit any government agency to monitor and collect traffic in any computer resource for the purposes stated under the IT Act.
• The Data Protection Rules permit the disclosure of personal data to government agencies without obtaining the data provider’s consent.
• The IT (Intermediaries Guidelines) Rules 2011 and IT (Guidelines for Cyber Cafe) Rules 2011 require intermediaries to provide any information to government agencies under lawful order within 72 hours.
• The TRAI’s various license agreements for ISPs, TSPs and UASLs (unified access services licences) provide for surveillance of communications, monitoring telecommunications traffic in every node or in any other technically feasible point in the network, and prohibit bulk encryption and encryption that exceeds 40 bits.
• The Income Tax Act 1961 allows state tax authorities to process personal data in respect of an assessee’s financial information for enquiry and investigation purposes made in compliance with the law.
• The Central Monitoring System (CMS), operated by the government’s telecommunications technology development centre’s Telecom Enforcement Resource and Monitoring cells, empowers the government to intercept any and all communications deemed “necessary or expedient” for purposes such as national sovereignty, integrity and state security.

India has signed Mutual Legal Assistance Treaties with several countries, by which law enforcement officials seek and receive information for domestic investigations from other jurisdictions and vice versa. Although this mechanism has been highly debated across the world, it can be a basis for the collection of personal information, and such information may be shared with the law enforcement agencies of other countries.

Handling of “data” is currently governed by the contract between the parties (data provider and data recipient). It may be argued that there is no general prohibition on an organisation sharing data with a foreign government, if the contract does not prohibit it. However, sectoral guidelines have a role to play, for example, information supplied to a credit rating agency may not be shared with any third party, except as outlined in the Securities and Exchange Board of India (Credit Rating Agencies) Regulations, 1999.

As per the RBI rules, the data can be shared with foreign regulators only if there is a requirement for such a transaction, and with prior approval of the RBI.

The Cert-In Directions

Cert-In Direction No 20(3)/2022 dated 24 April 2022 (the “Cert-In Directions”) mandates data centres, virtual private server providers, cloud service providers, and virtual private network service providers (“VPN providers”) to mandatorily collect and retain certain subscriber-related information in an accurate manner, for a minimum period of five years after the subscriber is no longer using the underlying services. This has led to several VPN providers exiting the Indian market, such as NordVPN, ExpressVPN, ProtonVPN, TunnelBear, and Surfshark.

The Cert-In Directions, particularly the requirement in relation to the maintenance of logs of information and communications technology systems and the requirement to maintain these securely for a rolling period of 180 days and maintain the same within the Indian jurisdiction, along with the directions in relation to the storage of user data of VPN service users, are under challenge before the Delhi High Court in SnTHoldings v Union of India.

The Draft DPDP Bill

A recent point of controversy under the DPDP Bill is Section 18, which empowers the central government to exempt from application of the provisions of this bill, the processing of personal data:

• by any instrumentality of the state in the interests of the sovereignty and integrity of India, security of the state, friendly relations with foreign states, maintenance of public order or preventing incitement to any cognisable offence relating to any of these; and
• necessary for research, archiving or statistical purposes if the personal data is not to be used to take any decision specific to a data principal and such processing is carried on in accordance with the standards specified by the board under the said bill.

Various concerns have been raised against such provision of wider powers to the central government and these have been causing a stir in privacy-related public discussions.

The Data Protection Rules place restrictions on the international transfer of SPDI. As per the Data Protection Rules, when the SPDI is transferred from India, the transferee located outside the country should maintain the same level of protection for the data as that applicable in India. The transfer should also only happen if it is necessary for the performance of a lawful contract between a body corporate or individual, and the SPDI provider has given their consent. 

One of the other examples of restrictions on international transfer emanates from the RBI. Restrictions emanating from the RBI related to international transfers are discussed in 1.2 Regulators under the heading Financial Sector. 

In one of its cases, the Kerala High Court directed the Kerala government to obtain consent from individuals whose data was shared with a foreign third party so that it could be used in data analysis on Covid-19 patients. 

In addition to the above restrictions, the DPDP Bill also includes a provision broadly covering the transfer of personal data outside the country. As per the DPDP Bill, personal data may be transferred to certain countries according to the procedure formulated. The list of countries and the procedures for the transfer have not yet been issued. 

There are no mechanisms or derogations for international data transfer under current law, apart from the restrictions mentioned in 4.1 Restrictions on International Data Issues. 

Different regulators or government bodies may issue notifications from time to time regarding restrictions on the transfer of personal data to entities governed by them (eg, the RBI guidelines discussed in 1.2 Regulators). However, no government approvals or notifications are required before a general international transfer.

As mentioned earlier, there are currently no general data localisation requirements, and data may be maintained as per each organisation’s policies (see 4.1 Restrictions on International Data Issues).

Currently, there are no legal provisions that mandate a general sharing of software codes, algorithms or similar technical details with the government. However, sector-specific guidance and frameworks need to be examined. The National Security Directive on the Telecommunication Sector has created a list of trusted sources to which telecoms service providers can connect only those devices that are designated as “trusted products”, and the process for getting the certification could include access to the code, etc.

The DPDP Bill is also silent on the requirement to share technical details with the government. 

See 3.3 Invoking Foreign Government Obligations.

It appears that there are presently no Indian statutes that seek to block the operation of the statutes of a foreign country in relation to data privacy or otherwise.

The current legal framework does not directly address big data, AI, profiling or micro-targeting, automated decision-making, and the internet of things. There may be a few guidelines governing specific sectors, but the legal framework is still nascent regarding these domains and is currently undergoing development at policy level (eg, the RBI mandates that banks should ensure that credit cards are offered to the visually challenged without any discrimination).

Furthermore, facial recognition and biometric data are classified as SPDI under the Data Protection Rules, and therefore, the collection, use, etc, of these have to comply with every requirement under such rules for processing. In addition, biometric data in the form of Aadhaar is subject to the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 and the rules thereunder, which provide for the manner in which Aadhar data can be used and stored by entities that have collected the same.

Drones

The Ministry of Civil Aviation of the government of India has notified the Drone Rules, 2021, which comprehensively govern the use of drones (unmanned aerial vehicles in India), prescribing compulsory certification, licensing of users, standardisation, etc.

Geolocation

Guidelines for acquiring and producing Geospatial Data and Geospatial Data Services including Maps, 2021 notified by the Department of Science and Technology have been framed for the regulation of geolocation data.

Disinformation, Deepfakes and Other Online Harm

At present, there is no specific legislation that deals with such issues. The general criminal and civil law is taken as a recourse in such instances.

There is no general legal requirement for organisations to establish a digital governance or fair data practice review board or committee. 

Generally, every company is required to comply with Sec 134(5)(f) of the Companies Act, 2013, which requires directors to confirm every year that they have devised proper systems to ensure compliance with all the applicable laws, and that such systems are operating effectively​. 

In addition, sector-specific requirements may need to be met.

WhatsApp LLC is under investigation by the Competition Commission of India (CCI) due to its privacy policy, which requires users to consent to the sharing and integration of user data with other Meta Group companies as a precondition for using WhatsApp services. The SCI has upheld the decision of the CCI to continue this investigation.

For further details, see 2.5 Enforcement and Litigation. 

Compliance is usually checked based on the industry in which a target company is engaged, since data protection laws differ from industry to industry (see 1.2 Regulators). Therefore, there will be more scrutiny in the case of a company engaged in the financial sector as compared to a company that is engaged in the infrastructure sector, as the financial sector is more heavily regulated by the RBI in terms of data protection through several directions and regulations.

There is no specific legal provision requiring an organisation’s mandatory disclosure of its cybersecurity risk profile or experience.

As per the Data Protection Rules, organisations are required to display their privacy policy on their website (see 2.1 Omnibus Laws and General Requirements). Furthermore, entities are required to report cybersecurity incidents to Cert-In within six hours of the same occurring or being brought to notice.

A data breach at a listed company may in certain circumstances be considered a significant incident that needs to be reported to the stock exchange, as per the listing norms of SEBI.

Trends in the progression of legal frameworks and judicial views show that there may be cross-diffusion of concepts. However, the current approach in India seems to be sector-specific in relation to general policy. There appears to be some traction by regulators broadening their horizons, eg, the CCI has been proactive in terms of checking various data-driven companies, such as Meta, which have a blend of both competition and consumer protection implications in India. However, there is currently no omnibus legislation that seeks to address the same.

There do not appear to be any other significant issues which have not been covered.