Until recently, India did not have a dedicated law on data protection and privacy, relying instead on specific provisions on privacy found in the Information Technology Act, 2000 (the “IT Act”) and the rules framed thereunder – specifically the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “SPDI Rules”). However, in the 2017 decision in Justice K.S. Puttaswamy (Retd.) v Union of India, the Supreme Court of India recognised the right to informational privacy as a “fundamental right” arising from the right to life and personal liberty under Article 21 of the Constitution of India.

Around the same time, the central government set up an expert committee to draft India’s first dedicated law on data privacy; after multiple iterations, the Digital Personal Data Protection Bill was placed before the Parliament in August 2023 and was passed as the Digital Personal Data Protection Act, 2023 (the “DPDP Act”). The DPDP Act replaces the privacy provisions under the IT Act and the SPDI Rules as a standalone data protection legislation. It is not yet in force, but the Indian government is expected to enforce it in the next few months.

The key enforcement provisions under the IT Act are as follows.

• Section 43A – a body corporate processing sensitive personal data or information (SPDI) that is negligent in implementing reasonable security practices and procedures (RSPP) or that is non-compliant with SPDI Rules and the data processing principles thereunder (ie, notice, consent, purpose limitation, data accuracy and grievance redressal) can be held liable for compensation if such negligence results in wrongful gain or wrongful loss. SPDI is defined as personal information that consists of information relating to passwords, financial information (such as bank account, credit card, debit card or other payment instrument details), medical records, biometric information, physical, physiological and mental health condition, sexual orientation, etc.
• Section 72A – a service provider that discloses personal information without consent or in breach of its contractual obligations, with the intention of or knowing that such disclosure is likely to result in wrongful gain or wrongful loss, can be held criminally liable with imprisonment or a fine, or both. Personal information is defined as information relating to a natural person that directly or in combination with other information is capable of identifying such person.

The DPDP Act on the other hand is a comprehensive and landmark piece of legislation that will regulate the processing of digital personal data in India. It is designed to protect individuals' fundamental right to privacy, and to give them more control over their personal data. The DPDP Act provides for the following, among other matters.

• Applicability to digital personal data – the DPDP Act applies to the processing of personal data (ie, data about an individual who is identifiable by or in relation to such data) in digital form or that is digitised after collection, or that is in connection to any activity related to the offering of goods or services to “data principals” in India. It is relevant to note that the DPDP Act further categorises personal data into sensitive/critical personal data and provides same degree of protection to all personal data.
• Consent and notice – any processing of personal data will be subject to consent. The consent needs to be freely given (through a clear affirmative action), specific, informed and unconditional, and should unambiguously indicate the data principal’s affirmation of the processing of his/her personal data for the specified purpose. At the time of or prior to seeking consent, the data fiduciary is also required to provide a privacy notice to the data principal, in clear and plain language.
• Legitimate uses – the DPDP Act stipulates certain “legitimate uses” for which a data fiduciary can process the personal data of data principals without obtaining their explicit consent.
• Data retention – the data fiduciaries must cease to retain personal data upon the withdrawal of consent or as soon as the specified purpose for which the personal data was collected is no longer being served, whichever is sooner, unless an applicable law requires a longer data retention period.
• Personal data breach – data fiduciaries are required to implement reasonable security safeguards along with appropriate technical and organisational measures to prevent personal data breaches. The data fiduciary is required to notify any data breach to the Data Protection Board (DPB), and to the data principals concerned.
• Significant data fiduciaries – the central government can notify any data fiduciary or class of data fiduciaries as significant data fiduciaries, based on the volume and sensitivity of personal data processed, risk of harm, security of the state, etc. The DPDP Act imposes certain additional obligations on such significant data fiduciaries.
• Rights of a data principal – the DPDP Act provides certain rights to data principals, including the right to erasure, the right to correction, the right to grievance redressal, the right to nomination and the right to withdraw consent for the processing of personal data.
• Penalty for violation of the DPDP Act –penalties of up to INR250 crore (~USD30 million) may be imposed for non-compliance with provisions of the DPDP Act by “data fiduciaries”. It is important to note that the DPDP Act also imposes a penalty of up to INR10,000 (~USD120) on “data principals” for failure to comply with their duties under the DPDP Act. However, no criminal liability has been envisaged under the DPDP Act.
• Processing of children’s data – the DPDP Act requires data fiduciaries to obtain verifiable consent from the parent or legal guardian of a child before processing the personal data of children. A data fiduciary also has to ensure that such processing does not have a detrimental effect on the well-being of a child and that they do not undertake tracking, behavioural monitoring or targeted advertising directed at children.

In essence, by giving individuals more control over their personal data and preventing its misuse, the DPDP Act creates a more transparent and accountable framework for the processing of personal data.

Separately, there are several sectoral regulations in sectors such as banking, insurance, telecoms, etc, that prescribe data protection requirements for entities regulated under those sectors; see 2.2 Sectoral and Special Issues for more detail.

The IT Act provides for the appointment of an adjudicating officer to decide if a person has contravened any of its provisions or the rules framed thereunder, where the claim for injury or damage does not exceed INR5 crores (~USD600,000). Any other claims would be decided by the civil court. The adjudicating officer has the power of a civil court, and the government has designated the Secretary to the Ministry of Information Technology in each state as the adjudicating officer.

However, the DPDP Act provides for the creation of India’s first data protection authority, the DPB, which would function as an enforcement agency, a digital office and an independent body. As per the DPDP Act, the DPB will be responsible for addressing and resolving disputes, complaints and cases related to data breaches, privacy violations and other data-related concerns. Please see 1.3 Administration and Enforcement Process for the enforcement process and investigative powers and procedures of the DPB.

Separately, there are sector-specific regulators in the banking, securities, insurance and telecommunications sectors. The regulations flowing from each of these sectoral regulators also have certain data-specific and compliance requirements that may have an impact on data privacy and protection.

The adjudicating officer appointed under the IT Act has the same powers as vested in a civil court (such as summoning the attendance of persons and examining them on oath, requiring the discovery or production of documents and other electronic records, receiving evidence on affidavits and issuing commissions for the examination of witnesses or documents) and is required to follow the general procedural laws applicable to civil courts in deciding matters. Furthermore, while determining the quantum of compensation, the adjudicating officer is required to have regard to the following factors:

• the amount of gain of unfair advantage, wherever quantifiable, made as a result of the default;
• the amount of loss caused to any person as a result of the default; and
• the repetitive nature of the default.

The DPB to be established pursuant to the DPDP Act also has the same powers as vested in a civil court. The DPB’s primary function is to issue directions, conduct inquiries into breaches of obligations by data fiduciaries and impose monetary penalties. It can initiate proceedings in the following circumstances:

• upon receipt of an intimation of a personal data breach – the DPB may direct any urgent remedial or mitigation measures, inquire into the matter and impose a penalty;
• upon a complaint made by a data principal – a data principal may make a complaint to the DPB in case of a personal data breach, or a data fiduciary’s failure to observe its obligations in relation to their personal data or exercise of their rights under the DPDP Act;
• upon a reference made by the government or a state government, to inquire into a breach by the data fiduciary; and
• upon directions of any court, to inquire into a breach by the data fiduciary.

Prior to initiating an inquiry, the DPB would have to determine if there are sufficient grounds for such inquiry. Upon determining such grounds, which are recorded in writing, the DPB would have to adhere to the rules of natural justice in conducting such inquiry. Furthermore, while determining the quantum of penalty, the DPB is required to have regard to:

• the nature, gravity and duration of the breach;
• the type and nature of the personal data affected by the breach;
• the repetitive nature of the breach;
• whether the person has realised a gain or avoided any loss as a result of the breach;
• whether the person took any action to mitigate the effects and consequences of the breach, and the timeliness and effectiveness of such action;
• whether the monetary penalty to be imposed is proportionate and effective, having regard to the need to secure observance of and deter breaches of the provisions of the DPDP Act; and
• the likely impact of the imposition of the monetary penalty on such person.

Any appeals from orders of the DPB would lie before the Telecom Disputes Settlement and Appellate Tribunal and thereafter before the Supreme Court of India.

As a member of the United Nations, India adopted the Model Law on Electronic Commerce adopted by UNCITRAL via resolution A/RES/51/162, dated 30 January, 1997. This framework laid the foundation for India’s first information technology law: the IT Act.

The DPDP Act does not adopt nor relate to any multinational systems/multilateral obligations. While influence has clearly been drawn from other privacy legislation, the DPDP Act was enacted by the Parliament of India after consultation with relevant stakeholders and is designed as a unique Indian legislation. Please see 1.6 System Characteristics regarding similarities between the DPDP Act and the GDPR.

When it comes to technology policy, India is home to a wide ecosystem of stakeholders, including think tanks, NGOs and industry self-regulatory organisations (SROs). The government regularly consults with SROs and NGOs regarding a widely dynamic technology ecosystem. For the DPDP Act, the Indian government constituted a committee of experts to examine and prepare draft legislation governing data privacy which, following multiple stakeholder consultations and iterations, was eventually passed in Parliament as law.

Prominent industry bodies and NGOs active in the Indian privacy and data protection landscape include IAMAI, NASSCOM, the Centre for Communication Governance, the Centre for Internet and Society, the Internet Freedom Foundation, etc.

The Constitution of India gives the central government power to legislate on matters that have not been allocated specifically to the state governments or where the power to legislate has not been shared between the central and state governments. Data protection and privacy is one such matter, where the central government enacted the IT Act and the DPDP Act to apply to the whole of India.

Privacy and data protection laws in India are at a very nascent stage compared to the EU’s GDPR. The DPDP Act is similar to the GDPR in many ways – for instance, the GDPR's fiduciary relationship between a “data subject” and a “data controller” is reflected in the DPDP Act between a “data principal” and a “data fiduciary”. Another similarity is the explicit codification of the (broadly similar) rights of individual data principals.

Both the DPDP Act and the GDPR adopt a consent-centric approach as grounds for the processing of personal data. The DPDP Act is also similar to the GDPR in its general applicability to all categories of entities that deal with digital personal data, regardless of the sector in which such entity operates or the type of digital personal data involved. The DPDP Act’s territorial applicability is also akin to the GDPR.

This being said, the DPDP Act and the GDPR are also divergent in many ways – for instance, the DPDP Act’s introduction of “legitimate uses” for the processing of digital personal data without consent (which is an exhaustive list) is different from the GDPR’s processing for purposes of “legitimate interests” (which is subjective). The DPDP Act requires a data principal to exhaust the opportunity of redressing grievances before approaching the DPB, but there is no such requirement under the GDPR. The DPDP Act provides for a penalty of up to INR10,000 (~USD120) to be imposed on “data principals” for failure to comply with certain prescribed obligations, but no such penalty on data principals exists under the GDPR.

With the introduction of the DPDP Act, 2023 was widely seen as the starting point for an imminent sea change in IT governance in India. The Indian government is in the process of formulating a Digital India Act (DIA), which is intended to overhaul and replace the existing IT Act and the rules made thereunder. The DIA is intended to be future-ready legislation by the Indian government, covering provisions that will safeguard and enable innovations in disruptive technologies such as artificial intelligence (AI), machine learning, intermediaries and safe harbour, Web 3.0, autonomous systems, internet of things, blockchain, etc, and it will also have provisions similar to the Digital Services Act and the Digital Markets Act in the EU.

Another key development on the horizon is the introduction of rules under the DPDP Act by the Ministry of Electronics and Information Technology (“MeitY”), along with the timelines for the implementation of the DPDP Act itself. These rules are expected to provide vital clarifications and procedures for the implementation of the DPDP Act, potentially enhancing its robustness and comprehensiveness.

Please see 2.5 Enforcement and Litigation regarding key privacy-related litigation over the past 12 months.

As mentioned in 1.7 Key Developments, the introduction of the DIA and the rules under the DPDP Act are the most anticipated changes that may be introduced in the near future.                

Overview

Currently, the omnibus law applicable to data privacy in India is the IT Act and the rules thereunder – specifically the SPDI Rules; please see 1.1 Laws for a brief outline of both.

The DPDP Act is yet to be enforced and is intended to be overarching personal data protection legislation that will govern the manner in which the digital personal data of users is processed through the whole data life cycle. Please see 1.1 Laws, 1.2 Regulators, 1.3 Administration and Enforcement Process and 1.6 System Characteristics for an overview of the DPDP Act.

Requirement to appoint privacy or data protection officers

Under the currently prevailing SPDI Rules, every body corporate collecting SPDI is required to appoint a “Grievance Officer” to address any discrepancies and grievances raised by the person providing such SPDI. The SPDI Rules also require the name and contact details of the Grievance Officer to be provided on the website of the body corporate collecting such information. The DPDP Act outlines a data principal’s right for grievance redressal, but it remains silent on the appointment of a grievance redressal officer. It is yet to be seen whether further clarity will be provided under the rules to be prescribed under the DPDP Act.

Under the DPDP Act, every significant data fiduciary (ie, a data fiduciary that is classified as “significant” by the central government based on several identified factors) is required to appoint a resident individual as a “data protection officer”. This data protection officer is intended to represent the significant data fiduciary under the provisions of the DPDP Act and to be the point of contact for the grievance redressal mechanism under the DPDP Act.

Criteria necessary to authorise collection, use or other processing

Under the SPDI Rules, a body corporate can only collect SPDI if:

• the information is collected for a lawful purpose connected with a function or activity of the body corporate or any person on its behalf; and
• the collection of the SPDI is considered necessary for that purpose.

The body corporate or any person on its behalf must obtain consent from the data principal in writing through letter, email or other mode of electronic communication, and inform them of the purpose of usage before the collection of such information.

The DPDP Act allows for the processing of personal data for a “lawful purpose”, either:

• if the data principal has given their consent for such processing; or
• if the processing is done for certain “legitimate uses”.

Data fiduciaries can process the personal data of data principals by obtaining their free, specific, informed, unconditional and unambiguous consent provided through a clear affirmative action. Separately, a data fiduciary may process the personal data of a data principal for specified legitimate uses without obtaining the specific consent of the data principal, such as:

• for specified purposes where data principals have voluntarily provided their personal data and have not objected to the use of their personal data;
• for purposes of employment or for safeguarding an employer from loss or liability;
• for responding to a medical emergency involving a threat to life or an immediate threat to public health;
• for fulfilling an existing legal obligation to disclose any information to the state or any of its instrumentalities; and
• for compliance with any judgment, decree or order issued under any law in force.

“Privacy by design” or “by default”

While the concept of privacy by design was included in an earlier iteration of the bill that led to the passage of the DPDP Act, the DPDP Act as it currently stands has no explicit provisions for privacy by design or default. However, the rules under the DPDP Act may prescribe processes that may emulate these concepts.

Privacy, fairness or legitimate impact analyses

The DPDP Act requires significant data fiduciaries to undertake periodic “data protection impact assessments” (DPIAs). A DPIA involves assessment of:

• the description of the manner in which the personal data is processed;
• the purpose of processing personal data;
• the harm in relation to the processing of personal data and the measures for managing the risk of such harm; and
• such other matters with respect to the processing of personal data as may be prescribed by the central government.

That said, it may be important for all data fiduciaries to conduct periodic internal audits and compliance checks to avoid the risk of incurring penalties.

Internal or external privacy policies

Under the SPDI Rules, every body corporate that processes or handles the personal information of its users is required to publish a privacy policy conspicuously on its website containing statements of its practices and policies, the type of personal information collected, the purpose of collection and usage, the manner and reasons for its disclosure, and the reasonable security practices and procedures adopted by it to safeguard the personal information.

While the DPDP Act does not explicitly warrant the adopting of internal or external privacy policies, the privacy notice, consent, rights of data principals and grievance redressal would need to be documented. which would mostly be done in the form of a data principal-facing privacy policy. Similarly, the technical and organisation measures, security practices, etc, to be implemented pursuant to the DPDP Act would need to be documented, which would be done in the form of internal policies on data governance and handling.

Data subject access rights

The SPDI Rules give data principals the right to review the information they have provided to a body corporate and to ensure that any SPDI found to be inaccurate or deficient is corrected or amended as feasible. The SPDI Rules also oblige body corporates or anyone acting on their behalf to provide data principals with the option not to provide the data or information sought to be collected, and to withdraw the consent previously given at any time while availing the services or otherwise. Please see 1.1 Laws regarding data subject rights provided under the DPDP Act.

Use of data pursuant to anonymisation, de-identification or pseudonymisation

There is no explicit provision under the extant data protection laws nor any dedicated legislation that governs non-personal data (NPD). However, MietY has undertaken policy initiatives to regulate this facet of data protection. For instance, India introduced the “Data Accessibility & Use Policy” (DAU Policy) in February 2022 to regulate the usage of NPD, and MeitY released the Draft National Data Governance Framework Policy in May 2022 for public consultation. It aims to ensure that NPD and anonymised data from both the central government and private entities is made accessible for research and innovation. This draft policy is still under consultation.

Separately, it is anticipated that the DIA might provide some guidance on the standards of ownership for anonymised personal data collected by internet intermediaries.

Restrictions on profiling, microtargeting, automated decision-making, online monitoring, big data analysis, AI and algorithms

The DPDP Act explicitly prohibits the behavioural tracking of children (ie, persons under the age of 18), as well as the directing of targeted advertisements towards them. It does not impose any general restriction on profiling/targeted marketing, provided the processing of personal data for such purposes is in compliance with the DPDP Act.

The relevance of “injury or harm” to national privacy and data protection law

As mentioned in 1.3 Administration and Enforcement Process, the IT Act provides that a data fiduciary that fails to implement reasonable security practices and procedures for the protection of personal information and sensitive personal data may be required to compensate an aggrieved data subject for any “injury or harm” caused to them on account of such failure. In addition, the IT Act states that the following have to be accounted for when determining the quantum of compensation to be provided to data principals:

• the amount of gain of unfair advantage, wherever quantifiable, made as a result of the default;
• the amount of loss caused to any person as a result of the default; and
• the repetitive nature of the default.

The DPDP Act does not use the terms “injury” or “harm” in its definition of “personal data breach”. However, as mentioned in 1.3 Administration and Enforcement Process, as per the DPDP Act, when determining the quantum of penalty to be levied on a data fiduciary, the DPB is required to have regard to factors such as the nature, gravity and duration of the breach, the repetitive nature of the breach, loss caused, etc.

It is also pertinent to note that the DPDP Act, while dealing with the processing of children's data, prohibits data fiduciaries from undertaking the processing of personal data “that is likely to cause any detrimental effect on the well-being of a child”, although the term “detrimental effect” is not defined.

As mentioned in 1.1 Laws, the SPDI Rules recognise the protection of two sets of data: “personal data” and SPDI. Currently, any protection accorded to data sets that are perceived as “sensitive” stems from the SPDI Rules and is specifically only applicable to information that is covered under the definition of SPDI as outlined in 1.1 Laws. This protection is regardless of the source or use case of the SPDI.

The DPDP Act now provides uniform protection for all personally identifiable data, and has removed the classification of SPDI. It is yet to be seen if any special protection will be accorded to data sets considered “sensitive” in the rules to be issued under the DPDP Act or under the DIA.

AI data

There is currently no overarching law that governs the use and disclosure of AI-related data in India; AI data continues to be regulated under the extant IT Act and the SPDI Rules.

Financial data

As mentioned in 1.1 Laws, financial data forms part of SPDI and is accorded protection under the SPDI Rules, while no special protection has been accorded under the DPDP Act as mentioned hereinabove. That said, certain sector-specific legislation does provide the following additional obligations with regard to financial data, among others:

• an obligation to ensure the confidentiality of customer data and the localisation of payments data under the Payment and Settlement Systems Act, 2007;
• an obligation for banks to maintain the confidentiality of customer data under the Banking Regulation Act, 1949;
• an obligation to maintain the confidentiality of credit information by credit institutions under the Credit Information Companies (Regulation) Act, 2005;
• explicit consent requirements and restrictions on the collection, storage and use of certain data sets of the customer, such as location data or biometric data in the context of digital lending; and
• specific know-your-customer (KYC) and anti-money laundering requirements prescribed by the Reserve Bank of India (RBI), the Securities and Exchange Board of India (SEBI) and other financial sector regulators.

Health data

Being considered SPDI, health data is also currently accorded protection under the SPDI Rules and is also covered under the DPDP Act to the extent it constitutes personally identifiable information. That said, India does not currently have specific legislation governing the use of health data.

It may be relevant to note that the Ministry of Health and Family Welfare released a policy in 2017, known as the “National Digital Health Mission: Health Data Management Policy”, which aimed to digitise the entire healthcare ecosystem of India. However, compliance with this policy is not legally mandated under any prevailing law.

The Ministry of Health and Family Welfare also introduced draft legislation in 2018, called the “Digital information Security in Healthcare Act, 2018”, to enforce privacy and security measures for electronic health data, and to regulate the storage and sharing of electronic health records. However, the draft law has not yet been notified.

Communications data

The licence agreement executed between the licensed telecom service provider (TSP) and the Department of Telecommunications imposes a data localisation requirement on the TSP with respect to accounting information and user information relating to the telecom subscriber. Apart from this, there are no specific laws addressing communications data, which is regulated under the IT Act and the SPDI Rules (if applicable). Such data will be governed under the DPDP Act once it comes into force.

Children’s or student data

The DPDP Act defines a child as an individual who has not reached the age of 18 years, and imposes certain additional obligations and restrictions on the processing of personal data relating to children. Please see 1.1 Laws for more details.

Employment data

Under the SPDI Rules, since employee data may include data relating to the individual such as their passwords, bank account details, biometric information, etc, employers who collect and process employees' SPDI would be required to comply with the obligations under the SPDI Rules.

The DPDP Act provides certain “legitimate use” exceptions for the processing of personal data for the purposes of employment or for safeguarding an employer from loss or liability, such as the prevention of corporate espionage, the maintenance of confidentiality of trade secrets, intellectual property, classified information or the provision of any service or benefit sought by a data principal who is an employee. Given the wide nature of this “legitimate use” and in the absence of any clarifications in this regard, it appears that employers have been provided a blanket exemption from obtaining consent from their employees so long as the employer can justify that the collection and storage of such personal information fall under the aforesaid legitimate use.

Other categories of sensitive data

Sexual orientation has been identified as a category of SPDI, so any body corporate handling data in relation to the sexual orientation of an individual must comply with the obligations under the SPDI Rules. Union memberships, political beliefs and philosophical beliefs have not been accorded any additional protection under the SPDI Rules. That said, data sets including sexual orientation would be protected under the provisions of the DPDP Act to the extent that they are capable of personally identifying the individual to whom such data belongs.

Browsing data, viewing data, cookies and beacons

There are no specific laws or provisions in existing laws that govern the processing of browsing data, viewing data, cookies or beacons in particular. Since the majority of such data constitutes non-personal or anonymised data, it falls outside the purview of the extant personal data protection laws in India. In the event such data constitutes any personal data, its processing will be regulated under the SPDI Rules (if applicable), and will be governed under the DPDP Act once it comes into force.

Location data

Section 69B of the IT Act empowers the central government to monitor and collect “traffic data” or information generated, transmitted, received or stored in any computer resource, in order to enhance cybersecurity, for identification, or for the analysis and prevention of intrusion or the spread of computer contaminants in the country. Traffic data has been defined as any data identifying or purporting to identify any person, computer system or computer network or location to or from which the communication is or may be transmitted, and includes communications origin, destination, route, time, data, size, duration or type of underlying service and any other information. In addition, under the Digital Lending Guidelines issued by the RBI, entities regulated by RBI – such as banks and other financial institutions and lending service providers engaged by such entities – are allowed to access location data only on a one-time basis for KYC or onboarding purposes alone.

Tracking technology and targeted advertising

The Ministry of Consumer Affairs through the Central Consumer Protection Authority (CCPA) has issued the Guidelines for Prevention of Misleading Advertisements and Endorsements for Misleading Advertisements, 2022, which lay down the conditions for non-misleading and valid advertisement, bait advertisements and free claims advertisements, among other things. The CCPA has also issued the Guidelines for Prevention and Regulation of Dark Patterns, 2023, which prohibit the use of “dark patterns” that mislead or trick users into doing something they originally did not intend or want to do, by subverting or impairing the autonomy or decision-making ability of the user.

These regulations together govern behavioural tracking and targeted advertising in India, with the focus being on the protection of consumer rights rather than on data privacy. The data protection laws in India do not currently cover tracking technology and behavioural or targeted advertising, with the exception of the DPDP Act, which explicitly prohibits the behavioural tracking of and targeted advertising towards children.

Content of electronic communications, social media, search engines, large online platforms and intermediary liability for user-generated content

Internet intermediaries are regulated under the IT Act and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“IT Rules, 2021”). Section 79 of the IT Act provides safe harbour protection to intermediaries against content liability, provided they satisfy certain due diligence obligations, including:

• prominently publishing the rules and regulations, privacy policy and user agreement on its website, mobile-based application or both;
• not hosting, displaying, uploading, modifying, publishing, transmitting, storing, updating or sharing any information that belongs to another person, or that is defamatory, obscene, pornographic, paedophilic, invasive of another's privacy (including bodily privacy) or harmful to a child, or that infringes any patent or violates any law;
• periodically informing its users, at least once every year, that in case of non-compliance by the user with rules and regulations, privacy policy or user agreement, the intermediary has the right to terminate the access or usage rights of the users to the computer resource immediately or remove non-compliant information or both;
• complying with the reasonable security practices and procedures as prescribed in the SPDI Rules; and
• reporting cybersecurity incidents and sharing related information with the Indian Computer Emergency Response Team.

The IT Rules, 2021 also recognise intermediaries that have more than 5 million registered users on their platform as “significant social media intermediaries”. The IT Rules, 2021 also recognise online gaming intermediaries, which are defined as intermediaries that enable users to access one or more games offered on the internet. The IT Rules, 2021 prescribe additional due diligence obligations for both these special classes of intermediaries to comply with, in addition to the obligations imposed on all categories of intermediaries.

Separately, the Ministry of Consumer Affairs has issued the Consumer Protection (E-commerce) Rules, 2020 (“E-Commerce Rules”), which apply to “e-commerce entities” – ie, entities that own, operate or manage a digital or electronic facility or platform for electronic commerce (excluding sellers on market-place e-commerce platforms). Among other things, the E-commerce Rules prescribe different duties for different categories of e-commerce entities, focused on the protection of consumer rights.

Data principal rights

As mentioned in 1.1 Laws, the DPDP Act gives data principals the following rights:

• the right to access information, including the right to obtain a summary of the personal data processed, the processing activities undertaken, the identities of parties with whom the personal data is shared and other information related to the personal data and its processing;
• the right to correction and erasure, including the right to correct, complete, update and seek erasure of personal data;
• the right of grievance redressal, including the right to access readily available means of grievance redressal in respect of any act or omission by the data fiduciary; and
• the right to nominate another individual to exercise the above rights of the data principal in the event of his/her death or incapacity.

That said, the DPDP Act does not provide the data subject with a data portability right. Separately, while there is no explicit right to object to the sale of data, tracking, etc, the data principal has a right to withdraw his/her consent at any time.

While not explicitly regulated by the IT Act and the DPDP Act, commercial or marketing communications will be subject to the consent, notice and purpose limitation requirements prescribed thereunder. Separately, the Telecom Commercial Communications Customer Preference Regulations, 2018 (TCCCPR) regulate communications made using phone calls or through SMS. Under the TCCCPR, one may opt to list their telephone number on the “do not call” registry maintained by the telecom regulator. Upon such registration, unsolicited commercial communications through calls and SMS cannot be made/sent to such person. However, it may be noted that the TCCCPR focuses on the rights of a customer rather than on data protection.

Please see 2.2 Sectoral and Special Issues regarding constraints on behavioural and targeted advertising.

The DPDP Act provides for certain exception situations or special conditions where the personal data can be processed without compliance with the notice, consent and several other requirements prescribed under said Act. These situations include processing for enforcing any legal right or claim, or for the prevention, detection, investigation or prosecution of any offence or contravention. Accordingly, employers and employees may be able to utilise the above exemptions in processing personal data for workplace monitoring, whistle-blower complaints, internal investigations or disciplinary proceedings on the contravention of laws (eg, proceedings before an internal complaints committee in light of sexual harassment at the workplace), etc.

For more information on the processing of employment data, please see 2.2 Sectoral and Special Issues.

Please see 1.3 Administration and Enforcement Process for an outline of the administration and enforcement of the IT Act and the DPDP Act, including instances in which action may be initiated by the regulator. The potential enforcement penalties are covered briefly under 1.2 Regulators and 1.3 Administration and Enforcement Process.

Among several instances where the “right to privacy” as mentioned in 1.1 Laws was sought to be enforced, including through writ petitions before the judiciary, leading developments include the following:

• the order of the Supreme Court of India directing WhatsApp to allow its users to continue using its services without accepting the amendments made to its privacy policy in 2021 regarding the sharing of personal data with group companies;
• the writ petition before the Delhi High Court on privacy concerns reading the central government’s COVID-19 contact tracing application, Aarogya Setu; and
• the writ petition before the Madras High Court against the use of facial recognition technologies by law enforcement agencies.

Class actions are not specifically recognised under the IT Act or the DPDP Act, but Indian courts do allow “public interest litigation” (PIL) – ie, litigation initiated by a person or by a group acting on behalf of the public good, rather than for their own personal interests.

PIL is also filed for the enforcement of fundamental rights under the Indian Constitution. The right to “informational privacy” is one such fundamental right, so individuals may approach the judiciary for the enforcement of the right to privacy through PIL.

Section 69 of the IT Act empowers MeitY to intercept, monitor or decrypt any information generated, stored, transmitted or received on any computer resource on grounds such as:

• being in the interest of the sovereignty or integrity of India;
• the defence of India or the security of the state;
• friendly relations with foreign states;
• being in the interest of public order;
• preventing incitement to the commission of any cognisable offence; or
• being for the investigation of any offence.

The Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 issued under the IT Act lay down the procedure to be adhered to while passing an order for the interception, monitoring or decrypting of any information. Such activities must comply, inter alia, with the following:

• it must contain the reasons for passing the order and must be forwarded to a review committee;
• before issuing such an order, the authorised government authority must consider the possibility of acquiring the necessary information by other means, and only issue such an order when it is not possible to acquire the information by any other reasonable means; and
• it must specify the name and designation of the officer of the authorised agency to whom the intercepted, monitored, decrypted or stored information shall be disclosed, and also specify the use of such intercepted, monitored or decrypted information.

Separately, Indian courts have laid out safeguards against the violation of the right to privacy through judicial precedents. Most prominently, in the landmark case of K.S. Puttaswamy v Union of India, the Supreme Court of India identified the right to privacy as a “fundamental right” and laid down a four-pronged approach to identifying a legitimate intrusion of one’s privacy. In this case, the court made the following statements:

• any action intending to encroach on privacy must be sanctioned by law, and must be necessary in a democratic society for a legitimate aim;

• the extent of such interference must be proportionate to the need for such interference; and
• there must be procedural guarantees against the abuse of such interference.

Subsequently, in the case of Gujarat Mazdoor Sabha v State of Gujarat, the Supreme Court of India held that a state action that could infringe on fundamental rights must pass the following conditions to determine its validity:

• interfering with the fundamental rights must have a state purpose;
• said rights-infringing measure must be based on a rational nexus between the interference and the state aim;
• the measures must be necessary to achieve the state aim;
• the restrictions must be necessary to protect the legitimate objective; and
• the state should provide sufficient safeguards for the possibility of an abuse of such rights-infringing interference.

Please see 3.1 Laws and Standards for Access to Data for Serious Crimes regarding the government’s right to access data for intelligence, anti-terrorism or other national security purposes and safeguards against such activities. Furthermore, the Indian Telegraph, 1885, allows the central government, state government or any other officer especially authorised in this respect to intercept or detain messages in the event of a public emergency or if doing so is in the interest of public safety, in accordance with the procedure established by law. It may be relevant to note that the recently enacted Telecommunications Act, 2023 (which is yet to be enforced) provides identical grounds for the interception of messages.

India is not a signatory of the OECD’s Declaration on Government Access to Personal Data Held by Private Sector Entities.

The DPDP Act permits the processing of personal data under legitimate use for:

• the performance by the Indian government of any function under any law for the time being in force in India or in the interest of the sovereignty and integrity of India or the security of the State; or
• compliance with any judgment, decree or order issued under any law for the time being in force in India, or with any judgment or order relating to claims of a contractual or civil nature under any law for the time being in force outside India.

Accordingly, foreign governments' access requests that may fall within the purview of the above legitimate uses may be processed by the data fiduciary. The transfer of personal data, if any, will be subject to the transfer restrictions imposed under the DPDP Act.

Separately, please note that India has not signed a Cloud Act agreement with the USA.

The collection of sensitive personal information for the Aadhaar programme was one of the trigger points for the discussion on Indian citizens' right to privacy. While the matter was sub-judice before the Supreme Court of India, the central government felt that it was time to address the need of the hour: a dedicated data protection law. This led to the formation of the expert committee that later culminated in the passage of the DPDP Act by the Parliament.

That said, the DPDP Act excludes from its regulatory ambit the processing of personal data by the government in the interests of sovereignty and the integrity of India, the security of the state, friendly relations with foreign states, the maintenance of public order or the prevention of incitement to any offence. This has been heavily debated ever since the earlier iterations of the bill on personal data protection were made public.

Under the SPDI Rules, a body corporate that collects and processes SPDI may transfer such SPDI to any other body corporate or a person located outside India that ensures the same level of data protection as provided under the SPDI Rules. Such transfer may be allowed only if it is necessary for the performance of a contract between the body corporate and the data principal, or where the data principal has consented to such data transfer.

The DPDP Act enables the central government to restrict the transfer of personal data to certain jurisdictions through notification. At present, no such notification has been issued. The DPDP Act further clarifies that if any law in India provides for a higher degree of restriction on the transfer of personal data to foreign jurisdictions (such as data localisation requirements prescribed by sectoral regulators), the applicability of the latter will not be prejudiced by the DPDP Act.

Separately, it should be highlighted that data transfers between the EU and India are currently undertaken through data processing agreements based on standard contractual clauses prescribed by the EU.

Please see 4.1 Restrictions on International Data Issues.

Government approvals or notification to the government are not required for the purposes of transferring data internationally under the extant data protection laws in India. The position under the DPDP Act has been clarified in 4.1Restrictions on International Data Issues.

Neither the SPDI Rules nor the DPDP Act impose any data localisation obligations.

There are, however, sector-specific regulations (in insurance, payments, digital lending, telecommunications, etc) that impose data localisation obligations restricting the free transfer of certain data sets outside India.

There are no requirements under the extant data protection laws in India on sharing software code algorithms, encryption or similar technical details. That said, if an order is issued under Section 69 of the IT Act as mentioned in 3.1 Laws and Standards for Access to Data for Serious Crimes, the recipient of such order would be obliged to provide access to such data.

The DPDP Act does not stipulate any specific requirements in relation to the sharing of algorithms or technical details with the government. However, the central government may ask any data fiduciary to furnish any information as deemed necessary for the purposes of the DPDP Act.

As it has powers akin to a civil court in India, the DPB has the power to order the discovery and production of documents and the inspection of any data, book, document, register, books of account or any other document.

Please see 3.3 Invoking Foreign Government Obligations regarding the transfer of personal data pursuant to foreign government access, and see 2.4 Workplace Privacy regarding internal investigations.

Section 69A of the IT Act empowers MeitY to ask an intermediary or a government agency to block access to websites in Indi, on the following grounds:

• in the interest of the sovereignty and integrity of India;
• for the defence of India;
• for the security of the State;
• for friendly relations with foreign States;
• for public order; or
• for preventing incitement to the commission of any cognisable offence relating to the above.

The Information Technology (Procedure and Safeguards for Blocking for access of information by public) Rules 2009 (“Blocking Rules”) under the IT Act empower other government ministries to request MeitY to issue blocking orders to intermediaries. Even a natural or legal person in India can make a complaint to the relevant government ministries and request the blocking of a URL; such complaints are forwarded to MeitY for consideration, and thereafter blocked upon MeitY’s review and satisfaction of the existence of the aforesaid grounds.

Separately, in India all TSPs are bound by the unified licensing agreement (ULA) executed with the Indian government, which prescribes the conditions applicable to TSPs while providing telecommunication services to the public. Among other things, the ULA states that: “In the interest of national security or public interest, the Licensee shall block Internet sites/Uniform Resource Locators (URLs)/Uniform Resource Identifiers (URIs) and/or individual subscribers, as identified and directed by the Licensor from time to time.”

Under the DPDP Act, the DPB can advise the central government that it is in the interest of the general public to block public access to a data fiduciary’s application, website or platform upon providing the central government intimation of the imposition of a monetary penalty by the DPB in two or more instances. Once such advice is received, the central government may issue a blocking order after giving the data fiduciary the opportunity of a hearing.

Under the extant data protection laws, there are no specific stipulations surrounding the regulation of big data analytics, automated decision-making, IoT, autonomous decision-making, geolocation, drones and deep-fakes; as mentioned in 1.7 Key Developments, the DIA is intended to regulate such emerging technologies.

Drones fall under the larger ambit of data privacy regulations, but the Ministry of Civil Aviation has also prescribed the Drone Rules, 2021, which govern the classification, certification and usage of drones in India.

As for disinformation, deepfakes or other online harms, as mentioned in 2.2 Sectoral and Special Issues, the IT Rules, 2021 provide safe harbour protection to intermediaries, subject to certain compliance around the nature of information communicated. Separately, given the rising instances of deepfakes being misused, MeitY issued an advisory that such intermediaries should strictly comply with the requirements of the IT Rules, 2021.

There are currently no laws that govern AI but, as mentioned in 1.7 Key Developments, the DIA intends to cover the regulation of AI in a detailed manner. Furthermore, the Indian Computer Emergency Response Team (“CERT-In” – India’s nodal cybersecurity agency under the IT Act) has issued an advisory highlighting the risks involved in the use of AI-based applications and the safety measures that may be adopted to mitigate such risks.

It should also be noted that the DPDP Act in its entirety is based on the cornerstone of the “data principal – data fiduciary” relationship wherein a data controller (ie, a person or entity that determines the purposes and means of the processing of personal data) is seen as a “fiduciary” who is expected to handle the personal data of the data principal fairly.

In India, organisations with IT and data-centric businesses typically have internal policies involving data governance, handling and management. Such entities also have established committees to oversee the implementation of and compliance with such policies. Such committees are also typically entrusted with the responsibility of reviewing and updating such policies from time to time.

Sectoral regulators such as the RBI and SEBI also prescribe specific IT governance, cybersecurity and cyber-resilience requirements, which are followed by entities operating in the respective domains of such regulators.

There have been multiple large-scale data breaches, data thefts and cyber-attacks in recent times. However, in most cases no penalties have been imposed on the data fiduciaries – ie, the entities affected by the cybersecurity incident. While the IT Act imposes penalties for cyber offences such as hacking, unauthorised access to computer resources, etc, the number of prosecutions has been minimal.

The due diligence process for corporate transactions in the context of data protection includes:

• analysing the data sets collected and processed by the entity in question;
• reviewing internal and customer-facing policies and contracts that deal with data processing and IT governance;
• reviewing consent-related compliance; and
• analysing the entity’s product offerings and user interface (where applicable) in light of the IT Act, SPDI Rules and the IT Rules, 2021, along with a review of the entity’s compliance with the DPDP Act.

A relevant point to note in the context of processing personal data for the purpose of mergers and acquisitions (M&A) is that the DPDP Act provides an exemption on all compliances except:

• the requirement for maintaining reasonable security safeguards to prevent personal data breaches; and
• ensuring that no personal data is transferred to a jurisdiction that has been notified to be restricted by the Indian government.

However, these exemptions seem to be accorded only to M&A that are approved by relevant courts/tribunals, and do not extend to non-court-driven M&A – this has been widely seen as a miss under the DPDP Act.

Where the entity in question is also regulated by a sectoral regulator, the due diligence process also involves a deep-dive analysis of the applicable sectoral regulations, especially in the context of data protection and cybersecurity.

While there are no disclosure requirements with regard to an entity’s cybersecurity risk profile or experience under extant data protection laws, sectoral regulators such as the RBI, SEBI and the Insurance Regulatory and Development Authority of India (IRDAI) do prescribe the evaluation of cybersecurity risks and the cyber-resilience capabilities of entities regulated by them. Furthermore, SEBI requires publicly traded companies to disclose the purposes and means of the processing of personal data in its quarterly compliance report to recognised stock exchanges.

As mentioned in 1.7 Key Developments, the government is in the process of formulating the DIA, which is intended to be a coherent code factoring in aspects of competition, consumer protection and privacy. The government intends to promote an open internet wherein key competition-related metrics such as protecting the availability of choices and ensuring online diversity and fair market access have been considered. Likewise, it is also the intention of the DIA to bring about online safety and trust by bringing about the moderation of fake news and enhanced requirements for grievance redressal, among other things. The DIA also incorporates aspects of data privacy, such as the rights of data principals, protection for minors, privacy from invasive devices and securing cyberspace.

There are no other significant issues that have not already been covered.