Data Protected - India

Contributed by Talwar Thakore & Associates

Last updated October 2018

General | Data Protection Laws

National Legislation
National Supervisory Authority
Scope of Application
Personal Data
Sensitive Personal Data
Data Protection Officers
Accountability and Privacy Impact Assessments
Rights of Data Subjects
Security
Transfer of Personal Data to Third Countries
Enforcement

ePrivacy | Marketing and cookies

National Legislation
Cookies
Marketing by E-mail
Marketing by Telephone

_____________________________________________________________________

General | Data Protection Laws

____________________________________________________________

National Legislation

General data protection laws 

India is not a party to any convention on protection of personal data which is equivalent to the GDPR or the Data Protection Directive. However, India has adopted or is a party to other international declarations and conventions such as the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights, which recognise the right to privacy.

India has also not yet enacted specific legislation on data protection. However, the Indian legislature did amend the Information Technology Act (2000) (“IT Act”) to include Section 43A and Section 72A, which give a right to compensation for improper disclosure of personal information. The Indian central government subsequently issued the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “Rules”) under Section 43A of the IT Act. A clarification to the above Rules was issued on 24 August 2011 (the “Clarification”). The Rules have imposed additional requirements on commercial and business entities in India relating to the collection and disclosure of sensitive personal data or information which have some similarities with the GDPR and the Data Protection Directive. Although these Rules were issued in 2011, there is no example of any enforcement action having been taken under them.

Also relevant to the protection of personal data are indirect safeguards developed by the courts under common law, principles of equity and the law of breach of confidence. In a landmark judgment delivered in August 2017 (Justice K.S. Puttaswamy & another vs. Union of India, the “Privacy Judgment”), the Supreme Court of India recognised the right to privacy as a fundamental right under Article 21 of the Constitution, as part of the right to “life” and “personal liberty”. “Informational privacy” was recognised as a facet of the right to privacy, and the court held that information about a person, and the right to access that information, also needs the protection of privacy. The court stated that every person should have the right to control commercial use of his or her identity and that the “right of individuals to exclusively commercially exploit their identity and personal information, to control the information that is available about them on the internet and to disseminate certain personal information for limited purposes alone” emanates from this right. This is the first time that the Supreme Court has expressly recognised the rights of individuals over their personal data.

Fundamental rights are enforceable only against the state and instrumentalities of the state, and the Supreme Court recognised that enforcing the right to privacy against private entities may require legislative intervention. The government of India has constituted a committee to consider issues relating to data protection in India and to propose a draft statute on data protection. The above judgment is an important milestone in the discourse on privacy and data protection in India. Its ramifications will only be known over time, as it is applied to different fact situations. Two other cases are pending before the Supreme Court: one challenging the sharing of user data by WhatsApp with Facebook, and the other regarding the collection of personal data (including biometric data) as part of implementing Aadhaar, a government project to provide unique identification to all citizens. These cases will now be decided applying the principles enunciated in the Privacy Judgment and will shape the law relating to protection of personal data, including its enforcement against private entities.

Entities in regulated sectors such as financial services and telecom are subject to obligations of confidentiality under sectoral laws, which require them to keep customer personal information confidential and to use it only for prescribed purposes or in the manner agreed with the customer.

UPDATE: The Indian Government is proposing to introduce a comprehensive new data protection law. Details of the proposed Personal Data Protection Bill are available here.

Entry into force

Section 43A and Section 72A of the IT Act came into force on 27 October 2009. The Rules came into force on 11 April 2011.

The Privacy Judgment was delivered on 24 August 2017.

_____________________________________________________________________

National Supervisory Authority

Details of the competent national supervisory authority

India does not have a national regulatory authority for protection of data.

The Ministry of Electronics and Information Technology (the “Ministry”) is responsible for administering the IT Act and issuing the rules and other clarifications under the IT Act. The authorities established under the IT Act (i.e. the adjudicating officer and the Cyber Appellate Tribunal and, thereafter, the different High Courts and the Supreme Court) are responsible for enforcing the IT Act.

Ministry of Electronics & Information Technology (Government of India), Department of Electronics and Information Technology

Electronics Niketan, 6,
CGO Complex,
Lodhi Road,
New Delhi 110003

http://meity.gov.in/

Notification or registration scheme and timing

There is no requirement to register or provide prior written notification to any authority for processing data.

Exemptions to notification

Not applicable.

_____________________________________________________________________

Scope of Application

What is the territorial scope of application?

The Rules issued under Section 43A of the IT Act apply only to a body corporate or any person located within India.

The provisions of the IT Act (except in respect of matters governed by the Rules) are also applicable to any offence committed by a person outside India using a computer, computer system or computer network located in India.

Is there a concept of a controller and a processor?

Indian law does not contain the concepts of controller and processor. Instead, the Rules refer to the concepts of a ‘body corporate’ and a ‘provider of information’. A body corporate is defined as “any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities”. The ‘provider of information’ is the natural person who provides sensitive personal data or information to a body corporate.

Are both manual and electronic records subject to data protection legislation?

The Rules are issued under the IT Act which applies only to electronic records.

Are there any national derogations?

Under the Rules, any personal data that is freely available or accessible in the public domain, or furnished under the Right to Information Act, 2005 or under any other law in force, shall not be regarded as ‘sensitive personal data or information’ (“SPDI”). Further, SPDI may be disclosed, without obtaining the consent of the ‘provider of information’, to government authorities mandated under law to obtain information for the purpose of verification of identity or for prevention, detection or investigation.

The fundamental right to privacy recognised under the Privacy Judgment can be enforced only against the state or instrumentalities of the state and not against entities in the private sector.

_____________________________________________________________________

Personal Data

What is personal data?

Personal data under the Indian laws and rules is termed “personal information”.

Personal information has been defined under the Rules as “any information that relates to a natural person, which either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person”.

Is information about legal entities personal data?

No. Personal information pertains only to information about a natural person.

What are the rules for processing personal data?

There are no specific rules that govern the processing of personal data.

However, the Rules state that a body corporate or any person who processes personal information on behalf of the body corporate should provide a privacy policy (see Is there a general accountability obligation? below).

Are there any formalities to obtain consent to process personal data?

No specific formalities to obtain consent for processing personal information have been stated.

Are there any special rules when processing personal data about children?

The Rules do not contain any specific rules when processing personal data about children.

_____________________________________________________________________

Sensitive Personal Data

What is sensitive personal data?

Sensitive personal data exists as the concept of sensitive personal data or information under the Rules. It means personal information which consists of: (i) passwords; (ii) financial information such as bank account or credit card or debit card or other payment instrument details; (iii) physical, physiological and mental health condition; (iv) sexual orientation; (v) medical records and history; (vi) biometric information; (vii) any detail relating to the above items provided to a body corporate for providing services; and (viii) any of the information received under above items by a body corporate for processing, that is stored or processed under lawful contract or otherwise.

Sensitive personal data or information does not include information that is freely available or accessible in the public domain or furnished under the Right to Information Act, 2005 or any other applicable law.

A “provider of information” is similar to a data subject and is defined as a natural person who provides sensitive personal data or information to a body corporate.

Are there additional rules for processing sensitive personal data?

The Rules contain specific provisions regarding the collection of sensitive personal data or information. They apply to all body corporates in India other than those providing services related to the processing of sensitive personal data or information to any person under a contract. However, such provisions will also apply to such exempted body corporates if they provide such services directly to the provider of information under a contract.

The key rules on collection are: (i) it is necessary to obtain the consent of the provider of information prior to the collection. The provider of information must be given an option not to provide the requested sensitive personal data or information, and to withdraw its consent by informing the body corporate in writing; (ii) sensitive personal data or information can only be collected where necessary for a lawful purpose that is connected with a function or activity of the body corporate or any person on its behalf; and (iii) the body corporate should provide additional information to the provider of information (see below).

The body corporate must also comply with other general requirements, such as not keeping sensitive personal data or information for longer than is required and ensuring it is kept secure or applying reasonable security practices and procedures which contain managerial, technical, operational and physical security control measures to protect sensitive personal data and information.

Additional rules apply to the disclosure of sensitive personal data and information. The body corporate and any person acting on its behalf are not allowed to publish any sensitive personal data or information. Further, the disclosure of sensitive personal data or information to any third party requires the prior permission of the provider of information. The only two exceptions to this requirement are: (i) when such disclosure has been agreed upon in the contract between the body corporate and the provider of information; or (ii) when it is necessary to disclose the information in compliance with a legal obligation. The third party that receives such sensitive personal data or information shall not disclose it further and must be based in a country offering the same levels of data protection as India. The body corporate is allowed to share information with government agencies mandated under the law to obtain information.

Are there additional rules for processing information about criminal offences?

The rules are the same as for sensitive personal data.

Are there any formalities to obtain consent to process sensitive personal data?

Consent of the provider of information should be obtained in writing (which includes any mode of electronic communication) regarding the purpose of its usage and before further transfer or disclosure.

_____________________________________________________________________

Data Protection Officers

When must a data protection officer be appointed?

Body corporates are required to designate a grievance officer.

What are the duties of a data protection officer?

The grievance officer shall address any discrepancies or grievances of providers of information with respect to processing of information in a time-bound manner. The grievance officer is required to redress the grievance expeditiously, within one month from the date of receipt of such grievance. The body corporate is required to publish the name and contact details of the grievance officer on its website.

_____________________________________________________________________

Accountability and Privacy Impact Assessments

Is there a general accountability obligation?

The Rules state that a body corporate or any person who processes personal information on behalf of the body corporate should provide a privacy policy.

This privacy policy should serve to protect the personal information that is provided and the provider of such information should be able to review the policy. The privacy policy is required to be made available on the website of the body corporate and should provide for: (i) clear and accessible statements relating to its practices and policies; (ii) the type of personal information or sensitive personal data or information that is being collected; (iii) the purpose of collecting and using of such information; (iv) the instances in which disclosure of such information may be made under the Rules; and (v) reasonable security practices and procedures required under the Rules.

A privacy policy is required even when no sensitive personal data or information is being processed.

Are privacy impact assessments mandatory?

Under the Rules, a body corporate handling and processing sensitive personal data is required to have its security practices and procedures certified and audited by an independent auditor who is approved by the central government at least once every year, or when there is a significant upgrade in its computer resource.

_____________________________________________________________________

Rights of Data Subjects

Privacy notices

A body corporate collecting sensitive personal data or information should keep the provider of information informed about: (i) the fact that the information is being collected; (ii) the purpose for doing the same; (iii) the intended recipients; and (iv) the name and address of the agency collecting and retaining the information. All the requirements applicable to personal data, such as the requirement for a privacy policy (see Is there a general accountability obligation? above), are applicable when processing sensitive personal data.

Rights to access information

A provider of information can access information provided by it upon request.

Rights to data portability

No.

Right to be forgotten

The “right to be forgotten” is not recognised as such in India, and there are no provisions of law that provide for this.

However, there have been judicial precedents in which various courts have recognised this right, especially in relation to sexual offences against women. The Supreme Court of India has held that the anonymity of victims must be maintained as far as possible in cases involving sexual offences (State of Punjab vs Gurmit Singh). The Karnataka High Court, in a recent decision, has recognised that certain information can be erased in sensitive cases involving rape, or affecting the modesty and reputation of the person concerned. However, different High Courts have taken different views in this regard. For example, the Gujarat High Court rejected a plea to restrain the public exhibition of a judgment on public sources (Dharmraj Bhanushankar Dave v. State of Gujarat).

Objection to direct marketing and profiling

The IT Act and Rules do not impose any conditions regarding the usage of sensitive personal data or information for direct marketing. However, where the information is collected from a provider of information (i.e. in a situation in which sensitive personal data or information is collected), the prior consent of the provider of information must be obtained, including the purpose for which the information is being collected.

Other rights

The provider of information has the right to review the information provided and withdraw consent that was previously provided. A body corporate cannot refuse such a request. Additionally, any discrepancies and inaccurate information can be corrected by the provider of information.

_____________________________________________________________________

Security

Security requirements in order to protect personal data

The Rules provide that reasonable security practices and procedures need to be maintained by each body corporate. A body corporate or a person acting on its behalf is “considered to have complied with reasonable security practices and procedures if they have implemented such security practices and standards and have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business”. The Ministry has listed the International Standard IS/ISO/IEC 27001 on “Information Technology - Security Techniques - Information Security Management System - Requirements” as one such standard. Body corporates following other standards are required to have their security practices and standards notified to and approved by the Ministry for effective implementation.

A body corporate is required to have its security practices and procedures certified and audited by an independent auditor approved by the central government at least once every year, or whenever there is a significant upgrade in its computer resource.

Specific rules governing processing by third party agents (processors)

There are no specific rules that govern third party agents acting on behalf of a body corporate. They are governed by the same regime applicable to body corporates.

Notice of breach laws

Certain types of cyber security incidents must be mandatorily reported to the Indian Computer Emergency Response Team (“CERT-In”) created under Section 70B of the IT Act. These incidents include: (i) compromise of critical systems or information; (ii) targeted scanning or probing of critical networks and systems; (iii) identity theft, spoofing or phishing attacks; (iv) unauthorised access to IT systems or data; (v) defacement of a website or intrusion into a website; (vi) malicious code attacks, including attacks on servers; and (vii) Denial of Service or Distributed Denial of Service (DoS or DDoS) attacks.

CERT-In is also authorised to collect and analyse information relating to cyber security incidents from individuals and organisations. Information that may lead to the identification of individuals or organisations affected by cyber security incidents cannot be disclosed without their explicit written consent, or without an order of a court.

_____________________________________________________________________

Transfer of Personal Data to Third Countries

Restrictions on transfers to third countries

The Rules provide that transborder dataflows of sensitive personal data or information may be made to any other body corporate or person in India, or located in any other country, that adheres to the same level of data protection as in India, provided that such transfer is necessary for the performance of a lawful contract between the body corporate (or any person acting on its behalf) and the provider of information, or that such transfer has been consented to by the provider of information.

There is no restriction under the Rules regarding transborder dataflows of information that is not sensitive personal data or information.

Notification and approval of national regulator (including notification of use of Model Contracts)

There is no additional requirement to notify or obtain the approval of any regulatory authority.

Use of binding corporate rules

Transborder dataflows are only allowed to jurisdictions that require body corporates situated there to provide the same level of data protection as in India. The data protection regime in India is bespoke in nature and may not be similar to the level of protection provided by binding corporate rules.

_____________________________________________________________________

Enforcement

Fines

Section 72A of the IT Act provides for a fine of up to INR 500,000 when there is disclosure of personal information in breach of a lawful contract or without consent.

Criminal liability

Section 72A of the IT Act provides for imprisonment of up to three years when there is disclosure of personal information in breach of a lawful contract or without consent.

Compensation

Section 43A of the IT Act provides that a body corporate possessing, dealing with or handling any sensitive personal data or information in a computer resource that it owns, controls or operates is liable to pay damages as compensation to affected persons if it is negligent in implementing and maintaining reasonable security practices and procedures to protect such sensitive personal data or information.

Other powers

There are no other enforcement provisions in relation to data protection in the IT Act or the Rules.

Practice

There have been no significant court decisions or regulatory practice on the application of these provisions.

_____________________________________________________________________

ePrivacy | Marketing and cookies

_____________________________________________________________

National Legislation

ePrivacy laws

Apart from the Telecom Commercial Communications Customer Preference Regulations, 2010 (“Customer Preference Regulations”) issued by the Telecom Regulatory Authority of India (“TRAI”), which require telecom service providers to set up a mechanism to register requests from subscribers not to receive unsolicited commercial calls, there are no specific laws or regulations in India on the use of cookies or direct marketing.

_____________________________________________________________________

Cookies

Conditions for use of cookies

There are no specific laws or regulations in India on the use of cookies.

Regulatory guidance on the use of cookies

Not applicable.

_____________________________________________________________________

Marketing by E-mail

Conditions for direct marketing by e-mail to individual subscribers

There are no specific laws or regulations in India on direct marketing by email.

Conditions for direct marketing by e-mail to corporate subscribers

Not applicable.

Exemptions and other issues

Not applicable.

_____________________________________________________________________

Marketing by Telephone

Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)

It is not permitted to send unsolicited commercial communication by message, voice or SMS to individual subscribers who are listed in the ‘fully blocked category’ of the National Customer Preference Register (“NCPR”) established under the Customer Preference Regulations.

Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)

There are no separate rules for corporate subscribers, who are governed by the same regime as non-corporate subscribers.

Exemptions and other issues

The NCPR provides customers the option to register under the ‘partially blocked category’ pursuant to which customers can opt for receiving promotional communications under the following categories: (i) banking/insurance/financial products/credit cards; (ii) real estate; (iii) education; (iv) health; (v) consumer goods and automobiles; (vi) communication/broadcasting/entertainment/IT; and (vii) tourism and leisure.

_____________________________________________________________________