Data Protected - India

Contributed by Talwar Thakore & Associates

Last updated March 2020

General | Data Protection Laws

National Legislation
National Supervisory Authority
Scope of Application
Personal Data
Sensitive Personal Data
Data Protection Officers
Accountability and Privacy Impact Assessments
Rights of Data Subjects
Security
Transfer of Personal Data to Third Countries
Enforcement

ePrivacy | Marketing and cookies

National Legislation
Cookies
Marketing by E-mail
Marketing by Telephone

_____________________________________________________________________

General | Data Protection Laws

____________________________________________________________

National Legislation

General data protection laws 

India is not a party to any convention on protection of personal data which is equivalent to the GDPR or the Data Protection Directive. However, India has adopted or is a party to other international declarations and conventions such as the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights, which recognise the right to privacy.

India has also not yet enacted specific legislation on data protection. However, the Indian legislature did amend the Information Technology Act (2000) (“IT Act”) to include Section 43A and Section 72A, which give a right to compensation for improper disclosure of personal information. The Indian central government subsequently issued the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “Rules”) under Section 43A of the IT Act. A clarification to the above Rules was issued on 24 August 2011 (the “Clarification”). The Rules have imposed additional requirements on commercial and business entities in India relating to the collection and disclosure of sensitive personal data or information which have some similarities with the GDPR and the Data Protection Directive.  

India has introduced a biometric-based unique identification number for residents called ‘Aadhaar’. Aadhaar is regulated by the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (“Aadhaar Act”) and the rules and regulations issued thereunder. Entities in regulated sectors such as financial services and telecom are subject to obligations of confidentiality under sectoral laws, which require them to keep customer personal information confidential and to use it only for prescribed purposes or in the manner agreed with the customer.

Finally, personal data is protected through indirect safeguards developed by the courts under common law, principles of equity and the law of breach of confidence. In a landmark judgment delivered in August 2017 (Justice K.S. Puttaswamy & another v. Union of India), the Supreme Court of India recognised the right to privacy as a fundamental right under Article 21 of the Constitution, as part of the right to “life” and “personal liberty”. “Informational privacy” was recognised as a facet of the right to privacy, and the court held that information about a person, and the right to access that information, also needs the protection of privacy (“Privacy Judgment”). The court stated that every person should have the right to control commercial use of his or her identity and that the “right of individuals to exclusively commercially exploit their identity and personal information, to control the information that is available about them on the internet and to disseminate certain personal information for limited purposes alone” emanates from this right. This was the first time the Supreme Court expressly recognised the right of individuals over their personal data.

Fundamental rights are enforceable only against the state and instrumentalities of the state, and in the same judgment the Supreme Court recognised that enforcing the right to privacy against private entities may require legislative intervention.

The Government of India therefore constituted a committee to propose a draft statute on data protection. The committee proposed a draft law, and the Government of India has issued the Personal Data Protection Bill 2019 (“PDP Bill”) based on that draft. This will be India’s first law on the protection of personal data and will repeal Section 43A of the IT Act. Brief details of the likely requirements of the PDP Bill are set out below.

Entry into force

Section 43A and Section 72A of the IT Act came into force on 27 October 2009. The Rules came into force on 11 April 2011. The Aadhaar Act came into force on 12 September 2016.

The Privacy Judgment was delivered on 24 August 2017.

A joint Parliamentary Committee is currently considering the PDP Bill and a revised draft of the PDP Bill is expected to be issued during 2020. The PDP Bill would then have to be passed by both houses of Parliament and notified in the official gazette before it becomes law. Even after enactment, the law is likely to be implemented in a phased manner. Currently, there is no information about that implementation timeline.

_____________________________________________________________________

National Supervisory Authority

Details of the competent national supervisory authority

India does not have a national regulatory authority for protection of personal data.

The Ministry of Electronics and Information Technology (the “Ministry”) is responsible for administering the IT Act and for issuing the rules and other clarifications under it. The authorities established under the IT Act, i.e. the adjudicating officer and the Cyber Appellate Tribunal (whose functions were transferred to the Telecom Disputes Settlement and Appellate Tribunal in 2017), and thereafter the High Courts and the Supreme Court, are responsible for enforcing the IT Act.

Ministry of Electronics & Information Technology (Government of India), Department of Electronics and Information Technology

Electronics Niketan, 6,
CGO Complex,
Lodhi Road,
New Delhi 110003

http://meity.gov.in/

The PDP Bill proposes creating a Data Protection Authority of India (the “Authority”). The Authority will be responsible for protecting the interests of data principals, preventing misuse of personal data and ensuring compliance with the new law.

Notification or registration scheme and timing

There is currently no requirement to register or provide prior written notification to any authority for processing data.

The PDP Bill proposes that ‘significant’ data fiduciaries will have to register with the Authority. The assessment of whether a data fiduciary is ‘significant’ will depend on several factors including the volume or sensitivity of personal data processed and risk of harm.

Exemptions to notification

Not applicable.

_____________________________________________________________________

Scope of Application

What is the territorial scope of application?

The Rules issued under Section 43A of the IT Act apply only to a body corporate or any person located within India.

The provisions of the IT Act (except in respect of matters governed by the Rules) are also applicable to any offence committed by a person outside India using a computer, computer system or computer network located in India.

The PDP Bill proposes a broader reach. It will not only apply to persons in India but also to persons outside India in relation to businesses carried on in India, the offering of goods or services to individuals in India or the profiling of individuals in India.

Is there a concept of a controller and a processor?

Indian law does not contain the concepts of controller and processor. Instead, the Rules refer to a ‘body corporate’ and a ‘provider of information’. A body corporate is defined as “any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities”. The ‘provider of information’ is the natural person who provides sensitive personal data or information to a body corporate.

The PDP Bill proposes the concepts of a ‘data fiduciary’ and a ‘data processor’. A ‘data fiduciary’ and a ‘data processor’ are equivalent to the concept of controller and processor under the GDPR.

Are both manual and electronic records subject to data protection legislation?

The Rules are issued under the IT Act which applies only to electronic records. The requirements under the Aadhaar Act are applicable to both manual and electronic records.

The PDP Bill proposes a broader law, applying to both manual and electronic records.

Are there any national derogations?

Under the Rules, any personal data that is freely available or accessible in the public domain, or furnished under the Right to Information Act, 2005 or any other law in force, is not regarded as ‘sensitive personal data or information’ (“SPDI”). Further, SPDI may be disclosed, without the consent of the ‘provider of information’, to government agencies mandated under law to obtain information for the purpose of verifying identity or for the prevention, detection, investigation, prosecution or punishment of offences.

The fundamental right to privacy recognised under the Privacy Judgment can be enforced only against the state or instrumentalities of the state and not against entities in the private sector.

The PDP Bill proposes a number of exemptions. It would not apply to anonymised data or non-personal data. The Government can also exempt the processing of personal data of individuals not based in India by data processors in India where that processing is under a contract with a company incorporated outside India. Further, the PDP Bill identifies a number of exemptions including processing of personal data for reasons such as security of state, law enforcement, during legal proceedings, for research and archiving purposes or where processing is by small entities.

_____________________________________________________________________

Personal Data

What is personal data?

Personal data under the Indian laws and rules is termed “personal information”. Personal information has been defined under the Rules as “any information that relates to a natural person, which either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person”.

The PDP Bill proposes a similar definition but extends it to include any inference drawn from such data for the purpose of profiling.

Is information about legal entities personal data?

No. Personal information pertains only to information about a natural person.

What are the rules for processing personal data?

There are no specific rules that govern the processing of personal data.

However, the Rules state that a body corporate or any person who processes personal information on behalf of the body corporate should provide a privacy policy (see Is there a general accountability obligation? below).

The PDP Bill proposes that the processing of personal data must comply with seven principles, namely: (i) processing of personal data has to be fair and reasonable; (ii) it should be for a specific purpose; (iii) only personal data necessary for the purpose should be collected; (iv) it should be lawful; (v) adequate notice of the processing should be provided to the individual; (vi) personal data processed should be complete, accurate and not misleading; and (vii) personal data can be stored only as long as reasonably necessary to satisfy the purpose for which it is processed.

Are there any formalities to obtain consent to process personal data?

No specific formalities to obtain consent for processing personal information have been stated.

The PDP Bill proposes a number of requirements to obtain consent to the processing of personal data. The requirements are more stringent if the personal data is sensitive personal data and information.

Are there any special rules when processing personal data about children?

The Rules do not contain any specific rules when processing personal data about children.

The PDP Bill proposes that the personal data of a child should be processed such that the rights and the best interests of the child are protected. Further, such processing can be done only after verifying the age of the child and obtaining consent from the parent or guardian. Entities which process the personal data of children, or provide services directed at children will be categorised as ‘guardian’ data fiduciaries and will be prohibited from profiling, tracking or processing the data such that it may cause significant harm to the child.

Are there any special rules when processing personal data about employees?

The IT Act and the Rules do not prescribe any specific requirements with respect to processing personal data about employees.

The PDP Bill proposes that processing of personal data of employees will be justified in situations where it would be inappropriate to obtain consent from the employee given the relationship between the employee and the employer.

_____________________________________________________________________

Sensitive Personal Data

What is sensitive personal data?

Sensitive personal data exists as the concept of sensitive personal data or information under the Rules. It means personal information which consists of: (i) passwords; (ii) financial information such as bank account or credit card or debit card or other payment instrument details; (iii) physical, physiological and mental health condition; (iv) sexual orientation; (v) medical records and history; (vi) biometric information; (vii) any detail relating to the above items provided to a body corporate for providing services; and (viii) any of the information received under the above items by a body corporate for processing, that is stored or processed under lawful contract or otherwise.

Sensitive personal data or information does not include information that is freely available or accessible in the public domain or furnished under the Right to Information Act, 2005 or any other applicable law.

The PDP Bill proposes a broad definition of sensitive personal data and also identifies financial data, data about caste, tribe, religious and political belief or affiliation as sensitive personal data.

Are there additional rules for processing sensitive personal data?

The Rules contain specific provisions regarding the collection of sensitive personal data or information. Under the Clarification, these collection and disclosure provisions do not apply to a body corporate that merely processes sensitive personal data or information on behalf of another legal entity under a contract (i.e. an outsourced service provider). However, they do apply to such a body corporate where it provides services directly to the provider of information under a contract.

The key rules on collection are: (i) the consent of the provider of information must be obtained prior to collection, and the provider of information must be given the option not to provide the requested sensitive personal data or information and to withdraw consent by informing the body corporate in writing; (ii) sensitive personal data or information can only be collected where necessary for a lawful purpose connected with a function or activity of the body corporate or of any person acting on its behalf; and (iii) the body corporate should provide additional information to the provider of information (see below).

The body corporate must also comply with other general requirements, such as not keeping sensitive personal data or information for longer than is required and ensuring it is kept secure or applying reasonable security practices and procedures which contain managerial, technical, operational and physical security control measures to protect sensitive personal data and information.

Additional rules apply to the disclosure of sensitive personal data or information. The body corporate and any person acting on its behalf are not allowed to publish any sensitive personal data or information. Further, disclosure of sensitive personal data or information to any third party requires the prior permission of the provider of information. The only two exceptions are: (i) where such disclosure has been agreed upon in the contract between the body corporate and the provider of information; or (ii) where disclosure is necessary to comply with a legal obligation. A third party that receives such sensitive personal data or information may not disclose it further and, if located outside India, must be in a country offering the same level of data protection as India. The body corporate may also share information with government agencies mandated under law to obtain it.

The PDP Bill proposes similar stringent requirements with respect to the processing of sensitive personal data and information including requiring explicit consent, imposing additional conditions for cross-border transfers and requiring a copy to be stored in India.

Are there additional rules for processing information about criminal offences?

The rules are the same as for sensitive personal data.

Are there any formalities to obtain consent to process sensitive personal data?

Consent of the provider of information must be obtained in writing (which includes any mode of electronic communication, such as letter, fax or e-mail) regarding the purpose for which the information will be used, and must be obtained before collection and before any further transfer or disclosure.

The PDP Bill proposes specific requirements for the consent to processing sensitive personal data. It has to be an explicit consent obtained after informing the individual of the purpose and giving the choice of separately consenting to the processing of different categories of sensitive personal data.

_____________________________________________________________________

Data Protection Officers

When must a data protection officer be appointed?

Under the Rules, body corporates are required to designate a grievance officer and there is no general requirement to appoint a data protection officer.

The PDP Bill proposes that a significant data fiduciary must appoint a data protection officer.

What are the duties of a data protection officer?

The grievance officer shall address any discrepancies or grievances of providers of information with respect to the processing of information in a time-bound manner. The grievance officer is required to redress the grievance expeditiously, within one month from the date of receipt of the grievance. The body corporate is required to publish the name and contact details of the grievance officer on its website.

The PDP Bill proposes that a data protection officer has a number of responsibilities including providing information and advice to the data fiduciary, monitoring data processing activities, advising on data protection impact assessments, providing assistance to the Authority and acting as the point of contact for the data principals.

_____________________________________________________________________

Accountability and Privacy Impact Assessments

Is there a general accountability obligation?

The Rules state that a body corporate or any person who processes personal information on behalf of the body corporate should provide a privacy policy.

This privacy policy should serve to protect the personal information that is provided and the provider of such information should be able to review the policy. The privacy policy is required to be made available on the website of the body corporate and should provide for: (i) clear and accessible statements relating to its practices and policies; (ii) the type of personal information or sensitive personal data or information that is being collected; (iii) the purpose of collecting and using of such information; (iv) the instances in which disclosure of such information may be made under the Rules; and (v) reasonable security practices and procedures required under the Rules.

A privacy policy is required even when no sensitive personal data or information is being processed.

The PDP Bill proposes that data fiduciaries take a number of measures to ensure transparency and accountability. The measures include adopting ‘privacy by design’, maintaining transparency regarding its general practices on processing of personal data, implementing appropriate security safeguards and implementing procedures and mechanisms to address grievance of data principals.

Are privacy impact assessments mandatory?

Under the Rules, a body corporate handling and processing sensitive personal data is required to have its security practices and procedures certified and audited by an independent auditor who is approved by the central government at least once every year, or when there is a significant upgrade in its computer resource.

The PDP Bill proposes that a significant data fiduciary undertake data protection impact assessments in specific circumstances. 

_____________________________________________________________________

Rights of Data Subjects

Privacy notices

A body corporate collecting sensitive personal data or information should keep the provider of information informed about: (i) the fact that the information is being collected; (ii) the purpose for doing the same; (iii) the intended recipients; and (iv) the name and address of the agency collecting and retaining the information. All the requirements applicable to personal data, such as the requirement for a privacy policy (see Is there a general accountability obligation? above), are applicable when processing sensitive personal data.

The PDP Bill proposes similar obligations.

Rights to access information

A provider of information can access information provided by it upon request.

The PDP Bill proposes similar obligations.

Rights to data portability

No.

However, the PDP Bill does propose a right to data portability. 

Right to be forgotten

The “right to be forgotten” is not recognised as such in India, and there are no provisions of law that provide for it.

There have, however, been judicial precedents in which courts have recognised a limited form of this right, especially in relation to sexual offences against women. The Supreme Court of India has held that the anonymity of victims must be maintained as far as possible in cases involving sexual offences (State of Punjab v. Gurmit Singh). The Karnataka High Court, in a recent decision, recognised that certain information can be erased in sensitive cases involving rape or affecting the modesty and reputation of the person concerned. Other High Courts have taken a different view: for example, the Gujarat High Court rejected a plea to restrain the public exhibition of a judgment on public sources (Dharmraj Bhanushankar Dave v. State of Gujarat).

The PDP Bill proposes an express right to be forgotten pursuant to which data subjects have the right to restrict continuing disclosure of personal data.

Objection to direct marketing and profiling

The IT Act and the Rules do not impose any specific conditions on the use of sensitive personal data or information for direct marketing. However, where sensitive personal data or information is collected from a provider of information, the prior consent of the provider of information must be obtained and the purpose for which the information is being collected (which would include any direct marketing use) must be disclosed.

Other rights

The provider of information has the right to review the information provided and withdraw consent that was previously provided. A body corporate cannot refuse such a request. Additionally, any discrepancies and inaccurate information can be corrected by the provider of information.

The PDP Bill proposes similar obligations.

_____________________________________________________________________

Security

Security requirements in order to protect personal data

The Rules provide that reasonable security practices and procedures must be maintained by each body corporate. A body corporate or a person acting on its behalf is “considered to have complied with reasonable security practices and procedures if they have implemented such security practices and standards and have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business”. The Ministry has listed the international standard IS/ISO/IEC 27001 on “Information Technology - Security Techniques - Information Security Management System - Requirements” as one such standard. A body corporate following another standard (for example, a code of best practice adopted by an industry association) is required to have that standard notified to and approved by the Ministry before relying on it.

A body corporate is required to have its security practices and procedures certified and audited by an independent auditor approved by the central government at least once every year, or whenever there is a significant upgrade of its processes or computer resources.

The PDP Bill proposes that both the data fiduciary and data processor have to implement appropriate security safeguards. 

Specific rules governing processing by third party agents (processors)

There are no specific rules that govern third party agents acting on behalf of a body corporate. They are governed by the same regime applicable to body corporates.

The PDP Bill proposes that data fiduciaries must have a written agreement with their data processors.

Notice of breach laws

Certain types of cyber security incidents must be mandatorily reported to the Indian Computer Emergency Response Team (“CERT-In”), created under Section 70B of the IT Act, under the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013. These incidents include: (i) compromise of critical systems or information; (ii) targeted scanning or probing of critical networks and systems; (iii) identity theft, spoofing or phishing attacks; (iv) unauthorised access to IT systems or data; (v) defacement of a website or intrusion into a website; (vi) malicious code attacks, including attacks on servers; and (vii) Denial of Service or Distributed Denial of Service (DoS or DDoS) attacks. The reporting obligation is triggered by the security incident itself, not by whether personal data was involved, so it is not a personal data breach notification requirement in the GDPR sense.

CERT-In is also authorised to collect and analyse information relating to cyber security incidents from individuals and organisations. Information that could identify individuals or organisations affected by a cyber security incident cannot be disclosed by CERT-In without their explicit written consent or an order of a court.

The PDP Bill proposes a new regime under which a personal data breach must be notified to the Authority, which will then assess whether notification to the affected individuals is needed.

_____________________________________________________________________

Transfer of Personal Data to Third Countries

Restrictions on transfers to third countries

The Rules provide that sensitive personal data or information may be transferred to any other body corporate or person in India, or located in any other country, only if the recipient ensures the same level of data protection as that provided under the Rules, and provided that the transfer is necessary for the performance of a lawful contract between the body corporate (or any person acting on its behalf) and the provider of information, or the provider of information has consented to the transfer.

There is no restriction under the Rules regarding transborder dataflows of information that is not sensitive personal data or information.

The Reserve Bank of India (“RBI”), through a notification issued on 6 April 2018, has made it mandatory for all payment system providers, banks, intermediaries and other third parties to store all data relating to payment systems in India. In the case of international transactions, the data on the foreign leg of the transaction may also be stored outside India.

The PDP Bill proposes a new regime for cross-border transfer of personal data. There would be separate requirements for sensitive personal data and critical personal data. Sensitive personal data could be transferred outside India only with the express consent of the individual and in compliance with standard contractual clauses or intra group schemes approved by the Authority. Critical personal data could be transferred only to a person or entity providing emergency health services if such transfer is necessary for prompt action. The Central Government would define what constitutes critical personal data.

Notification and approval of national regulator (including notification of use of Model Contracts)

There is no additional requirement to notify or obtain the approval of any regulatory authority.

The PDP Bill proposes that any transfer of critical personal data should be notified to the Authority within a prescribed time.

Use of binding corporate rules

Transborder dataflows are only allowed to jurisdictions that require body corporates situated there to provide the same level of data protection as in India. The data protection regime in India is bespoke in nature and may not be similar to the level of protection provided by binding corporate rules.

_____________________________________________________________________

Enforcement

Fines

Section 72A of the IT Act provides for a fine of up to INR 500,000 (which may be imposed together with, or instead of, imprisonment; see Criminal liability below) where personal information is disclosed in breach of a lawful contract or without consent.

The PDP Bill proposes penalties linked to worldwide turnover. Depending on the type of breach, the penalty can be up to 2% of worldwide turnover or INR 5 crore, whichever is higher, or up to 4% of worldwide turnover or INR 15 crore, whichever is higher.

Criminal liability

Section 72A of the IT Act provides for imprisonment of up to three years, or a fine of up to INR 500,000, or both, where personal information is disclosed in breach of a lawful contract or without consent.

The PDP Bill proposes imprisonment of up to three years for re-identifying de-identified personal data or sensitive personal data without the consent of the individual concerned.

Compensation

Section 43A of the IT Act provides that bodies corporate possessing, dealing with or handling any sensitive personal data or information in a computer resource owned, controlled or operated by it would be liable to pay damages as compensation to affected persons if they are negligent in implementing and maintaining reasonable security practices and procedures to protect sensitive personal data or information.

The PDP Bill proposes that data principals who have suffered harm as a result of any violation of the requirements of the PDP Bill can seek compensation from the data fiduciary or the data processor.

Other powers

There are no other enforcement provisions in relation to data protection in the IT Act or the Rules.

Practice

There have been a number of judgments in the courts on privacy matters, including the Privacy Judgment. However, there is no significant regulatory or court practice on the application of Section 43A, Section 72A or the Rules.

_____________________________________________________________________

ePrivacy | Marketing and cookies

_____________________________________________________________

National Legislation

ePrivacy laws

Apart from the Telecom Commercial Communications Customer Preference Regulations, 2018 (“Customer Preference Regulations”), issued by the Telecom Regulatory Authority of India (“TRAI”) and requiring telecom service providers to set up a mechanism to register subscribers’ requests not to receive unsolicited commercial communications, there are no specific laws or regulations in India on the use of cookies or on direct marketing.

_____________________________________________________________________

Cookies

Conditions for use of cookies

There are no specific laws or regulations in India on the use of cookies.

Regulatory guidance on the use of cookies

Not applicable.

_____________________________________________________________________

Marketing by E-mail

Conditions for direct marketing by e-mail to individual subscribers

There are no specific laws or regulations in India on direct marketing by email.

Conditions for direct marketing by e-mail to corporate subscribers

Not applicable.

Exemptions and other issues

Not applicable.

_____________________________________________________________________

Marketing by Telephone

Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)

Marketing by telephone to individual subscribers without their consent is expressly prohibited, and telecom service providers are responsible for ensuring that the prohibition is enforced. Telecom service providers are required to establish a Customer Preference Registration Facility (“CPRF”) through which customers can give or revoke consent with regard to the category of marketing, the mode (voice calls or text messages) and the time slot in which such communications may be sent.

Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)

There are no separate rules for corporate subscribers, who are governed by the same regime as non-corporate subscribers.

Exemptions and other issues

The CPRF gives customers the option to register under a ‘partially blocked’ category, under which they can opt to receive promotional communications only in the following categories: (i) banking/insurance/financial products/credit cards; (ii) real estate; (iii) education; (iv) health; (v) consumer goods and automobiles; (vi) communication/broadcasting/entertainment/IT; (vii) tourism and leisure; and (viii) food and beverages.

_____________________________________________________________________