Publication
Publication
Contacts
Talwar Thakore & Associates
Kunal Thakore
Deepa Christopher
Tel: +(91) 22 6613 6900
Supervisory Authority
Department of Electronics and Information Technology
National Legislation
(Please note these links are provided for information only. Any translations may not be accurate and the text may not include amendments to that legislation).
Contributed by Talwar Thakore & Associates
Last updated May 2026
General | Data Protection Laws
National Legislation
National Supervisory Authority
Scope of Application
Personal Data
Sensitive Personal Data
Data Protection Officers
Accountability and Privacy Impact Assessments
Rights of Data Subjects
Security
Transfer of Personal Data to Third Countries
Enforcement
ePrivacy | Marketing and cookies
National Legislation
Cookies
Marketing by E-mail
Marketing by Telephone
General data protection laws
The key data protection laws in India will be the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the Digital Personal Data Protection Rules, 2025 (“DPDP Rules”).
When the DPDP Act and DPDP Rules come into force, they will repeal the current key data protection laws in India, namely Section 43A and Section 72A of the Information Technology Act (2000) (“IT Act”) which give a right to compensation for improper disclosure of personal information.
The DPDP Act will also repeal the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “SPDI Rules”) issued under Section 43A of the IT Act. A clarification to the above Rules was issued on 24 August 2011 (the “Clarification”). The SPDI Rules have imposed additional requirements on commercial and business entities in India relating to the collection and disclosure of sensitive personal data or information which have some similarities with the GDPR and the Data Protection Directive.
There are also various other laws which protect personal data in India. For example, India has a biometric-based unique identification number for residents called ‘Aadhaar’. Aadhaar is regulated by the Aadhaar (Targeted Delivery of Financial and Other Subsidies Act) 2016 (“Aadhaar Act”) and rules and regulations issued thereunder which includes provisions in relation to the protection of Aadhaar (including the biometric information collected from individuals), the grounds for its use and processing. Entities in regulated sectors (e.g., financial services, insurance and telecom) are also subject to obligations of confidentiality under sectoral laws which require them to keep customer personal information confidential and use such information only for prescribed purposes or in the manner agreed with the customer.
Personal data is also protected through indirect safeguards developed by the courts under common law, principles of equity and the law of breach of confidence. In a landmark judgment delivered in August 2017 (Justice K.S. Puttaswami & another vs. Union of India), the Supreme Court of India has recognised the right to privacy as a fundamental right (which is part of the right to life and personal liberty) under Article 21 of the Indian Constitution. “Informational privacy” was also recognised as being a facet of the right to privacy and the Court held that information about a person and the right to access that information also needs to be given the protection of privacy (“Privacy Judgment”). The Court stated that every person should have the right to control commercial use of his or her identity and that the “right of individuals to exclusively commercially exploit their identity and personal information, to control the information that is available about them on the internet and to disseminate certain personal information for limited purposes alone” emanates from this right. The Privacy Judgment was the first express recognition of the right of individuals over their personal data.
However, fundamental rights are enforceable only against the state and instrumentalities of the state and the Supreme Court in the same judgment recognised that enforcing the right to privacy against private entities may require legislative intervention. The Privacy Judgment was thus the impetus for the DPDP Act.
Entry into force
Section 43A and Section 72A of the IT Act came into force on 27 October 2009. The SPDI Rules came into force on 11 April 2011. The Aadhaar Act came into force on 12 September 2016.
The Privacy Judgment was delivered on 24 August 2017.
The DPDP Act was enacted on 11 August 2023 and the DPDP Rules were enacted on 13 November 2025. On 13 November 2025, the Indian Government also notified certain provisions of the DPDP Act and provided the implementation time for enforcement of the DPDP Act and DPDP Rules. However, the substantive provisions of the DPDP Act and DPDP Rules will not come into force until 13 May 2027.
Details of the competent national supervisory authority
The Ministry of Electronics and Information Technology (the “Ministry”) of the Government of India is responsible for administering the IT Act and SPDI Rules and issuing the rules and other clarifications under the IT Act. The authorities established under the IT Act – i.e., the adjudicating officer and the Telecom Disputes Settlement and Appellate Tribunal (“Appellate Tribunal”) and, thereafter, the different High Courts and the Supreme Court of India, are responsible for enforcing the IT Act.
Ministry of Electronics and Information Technology (Government of India), Department of Electronics and Information Technology
Electronics Niketan,
6, CGO Complex,
Lodhi Road,
New Delhi 110003
The DPDP Act and DPDP Rules provide for the establishment of the Data Protection Board of India (“Board”) as an independent quasi-judicial administrative authority responsible for administering and implementing the DPDP Act and DPDP Rules. Provisions of the DPDP Act relating to constitution and functioning of the Board came into force on 13 November 2025. However, as set out above, the substantive provisions of the DPDP Act and DPDP Rules will not come into force until 13 May 2027. The Appellate Tribunal will also function as the appellate authority under the DPDP Act.
Notification or registration scheme and timing
There is currently no requirement to register or provide a prior written notification to any authority for processing data. There are obligations to notify specific events, such as data breaches, which are addressed later in the note. Depending on the sector where data is processed, entities processing personal data may be required to retain the data being processed for a certain time period.
Exemptions to notification
Not applicable.
What is the territorial scope of application?
The SPDI Rules issued under Section 43A of the IT Act apply only to a body corporate or any person located within India.
The provisions of the IT Act (except in respect of matters governed by the SPDI Rules) are also applicable to any offence committed by a person outside India involving a computer, computer system or computer network located in India.
The DPDP Act will be applicable to the processing of digital personal data: (i) within the territory of India; and (ii) extra-territorially outside the territory of India, in connection with any activity related to offering of goods or services to individuals in India.
Is there a concept of a controller and a processor?
Indian law does not have the concepts of controller or processor at present. Instead, the SPDI Rules refer to the concept of a ‘body corporate’ and a ‘provider of information’. A body corporate is defined as “any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities”. The ‘provider of information’ is the natural person who provides sensitive personal data or information to a body corporate.
The DPDP Act recognises the concept of a data fiduciary (which is broadly similar to the concept of controller under the GDPR) and data processor. A data fiduciary is defined as any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.
A data processor is defined as any person who processes personal data on behalf of a data fiduciary. A data processor may only process data on behalf of the data fiduciary under a valid contract. The data fiduciary is responsible for ensuring that the data processor is compliant with the provisions of the DPDP Act and is liable for the actions of the data processor.
The DPDP Act also introduces the concept of significant data fiduciaries (“SDF”). SDFs are classes or categories of data fiduciaries that the Government will designate considering, among others, factors like the volume and sensitivity of personal data processed, risk to the rights of data principals (analogous to data subjects), potential impact on the sovereignty and integrity of India, risk to electoral democracy, security of the State and public order. SDFs will be subject to more stringent requirements in respect of data processing, including the obligation to conduct annual data protection impact assessments and audits, data localisation requirements and due diligence requirements in relation to the use of algorithmic software.
Are both manual and electronic records subject to data protection legislation?
The SPDI Rules are issued under the IT Act which applies only to electronic records. The requirements under the Aadhaar Act are applicable to both manual and electronic records.
The DPDP Act will only be applicable to the processing of digital personal data which is either collected digitally or collected in a non-digital form and subsequently digitised.
Are there any national derogations?
Under the SPDI Rules, any data that is freely available or accessible in the public domain or furnished under the Right to Information Act, 2005 or under any other law in force is not regarded as ‘sensitive personal data or information’ (“SPDI”). Further, SPDI may be disclosed to governmental authorities mandated under law to obtain information for the purpose of verification of identity or for prevention, detection or investigation without obtaining the consent of the ‘provider of information’.
The fundamental right to privacy recognised under the Privacy Judgment can be enforced only against the state or instrumentalities of the state and not against entities in the private sector.
The DPDP Act will not apply to personal data processed by an individual for personal or domestic purposes or to personal data made or caused to be made publicly available by the data principal to whom the data relates or by any other person who is under an obligation to make such data publicly available under any law in force in India. It also will not apply to processing of personal data: (i) by certain state instrumentalities notified by the Government; or (ii) necessary for research, statistical or archiving purposes, if the personal data processed is not used to take any decision specific to the data principal and the processing is carried on in accordance with standards prescribed under the DPDP Rules.
The DPDP Act also makes various provisions inapplicable in relation to: (i) personal data processed in the interest of prevention, detection, investigation or prosecution of any contravention of any Indian law in force; (ii) personal data processed by courts, tribunals or other bodies in pursuit of a judicial, quasi-judicial, regulatory or supervisory aim entrusted to them; (iii) processing necessary to enforce a legal right or claim; (iv) processing of personal data of data principals outside the territory of India pursuant to a contract entered into between a person in India and a person outside India; (v) processing necessary for a scheme of compromise, merger or arrangement between two companies; and (vi) processing necessary to ascertain the financial status of a person who has defaulted on a loan or advance taken from a financial institution, subject to compliance with other laws on information disclosure.
What is personal data?
Personal data is termed as “personal information” under the IT Act and SPDI Rules. The SPDI Rules define personal information as “any information that relates to a natural person, which either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person”.
Under the DPDP Act, personal data means “any data about an individual who is identifiable by or in relation to such data”.
Is information about legal entities personal data?
No. Personal information pertains only to information about a natural person.
What are the rules for processing personal data?
There are presently no general rules in force that govern the processing of personal data.
However, the SPDI Rules state that a body corporate or any person who processes personal information on behalf of the body corporate should provide a privacy policy (see Is there a general accountability obligation? below), including information on purpose of collection and usage of such personal information. The SPDI Rules also restrict the relevant body corporate (or the person processing SPDI on behalf of such body corporate) from collection of SPDI unless such information is collected for a lawful purpose connected with a function or activity of the body corporate or any person on its behalf and such collection is necessary for the defined purpose. There is also a requirement to obtain written consent from the information provider regarding the purpose of usage of SPDI prior to collection of such information (see Are there any formalities to obtain consent to process personal data? below).
Once the substantive provisions of the DPDP Act are in force, processing of personal data will need to be done for a lawful purpose in accordance with the DPDP Act and the DPDP Rules. The DPDP Act and DPDP Rules have detailed provisions in relation to various aspects of processing personal data, including grounds for processing, privacy and consent notice, special conditions relating to processing the personal data of children and persons with disabilities and rules relating to several other significant matters.
In relation to the grounds for processing, note that the DPDP Act is primarily a consent-based regime. Processing of all personal data will need to be on the basis of consent obtained from the data principal, unless it can be justified as being for a ‘legitimate use’ (of which very few are recognised). The DPDP Act provides for the following legitimate uses: (i) for specified purposes for which the data principal has voluntarily provided her personal data, and has not indicated her objection to use such personal data for that purpose; (ii) for the provision of, inter alia, subsidies, benefits, certificates, licences or permits by the State / State Instrumentalities where such data is already digitally maintained by the State or its instrumentalities or processing of the same has been consented to by the data principal (and subject to further requirements under the DPDP Rules); (iii) to fulfil any legal obligation in relation to disclosure of information to the State / State instrumentalities; (iv) to comply with any judgment, decree or order, including orders relating to contractual or civil claims under laws outside India; (v) for medical emergencies (involving a threat to the life/ health of the data principal or another individual) and health services (during an epidemic, outbreak of disease, threat to public health), breakdown of public order (including services provided during any disaster); and (vi) for employment or related to safeguarding the employer from loss or liability such as maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service or benefit sought by a data principal who is an employee.
Are there any formalities to obtain consent to process personal data?
Presently, there are no general formalities to obtain consent for processing of personal information.
However, under the SPDI Rules, consent must be obtained in writing regarding the purpose of usage of information prior to collection of SPDI. The person from whom SPDI is being collected should be informed of: (i) the fact the SPDI is being collected; (ii) the purpose of collection of SPDI; (iii) intended recipients of the SPDI; and (iv) the address of the agency collecting or retaining the SPDI.
The DPDP Act will require an individual’s free, specific, informed, unconditional and unambiguous consent accompanied by a clear affirmative action, unless such processing is for certain legitimate uses. Processing will be limited to the specified purpose for which consent has been given, A request to obtain consent will need to be accompanied or preceded by a notice informing the individual about: (i) the personal data and the proposed purpose for its processing; (ii) the manner in which the individual’s rights under the DPDP Act may be exercised; and (iii) the manner in which the data principal may make a complaint to the Board.
Every request for consent under the DPDP Act will need to be provided in clear language, with an option to access the request in English or the vernacular languages specified in the Eighth Schedule to the Indian Constitution. It must be accompanied with contact information of the relevant data protection officer, if applicable (see When must a data protection officer be appointed? below). The DPDP Rules also set out some very detailed and prescriptive requirements that a request for consent should satisfy, including that the notice must be presented and understandable independently of other information that is made available by the data fiduciary, give sufficient information for the data principal to give specific and informed consent, which information, at the minimum, should be an itemized list of personal data being collected, and specified goods, services or purposes for which the personal data is proposed to be processed.
Upon enforcement of the DPDP Act, data fiduciaries will also need to provide the consent notice described above to all data principals whose personal data is being processed on the basis of consent given prior to commencement of the DPDP Act. Data fiduciaries can continue to process such personal data until and unless the relevant data principal withdraws consent.
Note also that the DPDP Act introduces the concept of ‘consent managers’. Consent managers will be registered entities which will act as a single point of contact to enable a data principal to manage, give, review and withdraw consent. Such entities will be accountable to the data principal. The substantive provisions and obligations relating to consent managers will be effective on 13 November 2026.
The DPDP Rules propose the manner of and conditions for registration of consent managers. They also specify the obligations applicable to consent managers, including obligations to: (i) ensure that the data is not readable by the consent manager; (ii) maintain records of consents, notices and disclosures; (iii) implement reasonable security safeguards; and (iv) avoid conflicts of interest. Data fiduciaries and data principals should prepare to engage with consent managers, to ensure compliance with, and exercise their rights under, the DPDP Act.
Are there any special rules when processing personal data about children?
The SPDI Rules do not contain any specific rules on processing personal data about children.
Under the DPDP Act, data fiduciaries may process personal data of children or persons with disability (who have lawful guardians) only after obtaining ‘verifiable consent’ of the parent or lawful guardian (as the case may be). Consent in the case of persons with disability who have lawful guardians must be obtained from a lawful guardian appointed by a court of law, designated authority or local level committee, under the law applicable to guardianship and the data fiduciary will have to undertake due diligence to ensure the same. The DPDP Rules set out detailed requirements in relation to obtaining such consent for children, including with illustrations on obtaining this consent in various scenarios. Data fiduciaries will need to verify the age and identity of parents of children who consent to the processing of such children’s personal data.
In addition, processing of personal data is prohibited if it is likely to cause any detrimental effect on the well-being of a child. Tracking or behavioural monitoring of or targeted advertising towards children is also disallowed. A child is defined as anyone under the age of 18 years. It is not clear from the DPDP Rules whether this is restricted to children identified through the means set out above or if data fiduciaries will be required to undertake additional due diligence on all the users of their website and/or app.
Specified data fiduciaries such as healthcare providers and educational institutions are exempt from obligations regarding processing of children’s data for identified purposes, which are linked to the main objects of those institutions, as set out in the Fourth Schedule to the DPDP Rules. To illustrate, a clinical health establishment, mental health establishment or healthcare professional is exempted from obtaining consent if the purpose of processing the personal data is for the provision of health services by such establishment, to the extent necessary for the protection of the health of such child. Such obligations also do not apply to processing of data when it is done for: (i) actions in the interests of the child under any law, (ii) provision of subsidies, benefits, etc, (iii) creation of a user account for communicating by email, (iv) determination of real-time location of a child, (v) ensuring that information likely to cause a detrimental effect on the well-being of a child is not accessible to the child, (vi) confirmation that the data principal is not a child; and (vii) undertaking due diligence for verifiable consent. Processing under these exemptions must be restricted to the extent necessary for the above purposes.
Are there any special rules when processing personal data about employees?
The IT Act and the SPDI Rules do not prescribe any specific requirements with respect to processing personal data about employees.
Under the DPDP Act, processing of personal data for purposes related to employment is considered a legitimate use and is exempt from consent requirements. Other than that, there are no other specific rules relating to processing of personal data of employees under the DPDP Act.
What is sensitive personal data?
Sensitive personal data exists as the concept of “SPDI” under the SPDI Rules. It means personal information which consists of: (i) passwords; (ii) financial information such as bank account or credit card or debit card or other payment instrument details; (iii) physical, physiological and mental health condition; (iv) sexual orientation; (v) medical records and history; (vi) biometric information; (vii) any detail relating to the above items provided to a body corporate for providing services; and (viii) any of the information received under the above items by a body corporate for processing, that is stored or processed under lawful contract or otherwise.
SPDI does not include information that is freely available or accessible in the public domain or furnished under the Right to Information Act, 2005 or any other applicable law.
The DPDP Act applies uniformly to all types of digital personal data and does not categorise data under different heads depending on the sensitivity of such data. There are no additional controls on processing personal data that may be considered ‘sensitive’ in nature and all processing of personal data must comply with the same set of requirements.
Are there additional rules for processing sensitive personal data?
The SPDI Rules contain specific provisions regarding the collection of SPDI. They apply to all body corporates or any person within India other than those providing services related to the collection, storage, dealing or handling of SPDI to any legal entity under a contract. However, such provisions will also apply to such exempted body corporates if they provide such services directly to the information provider under a contract.
The key rules on collection are: (i) it is necessary to obtain the consent of the provider of information prior to the collection. The provider of information must be given an option not to provide the requested SPDI and to withdraw its consent by informing the body corporate in writing; (ii) SPDI can only be collected where necessary for a lawful purpose that is connected with a function or activity of the body corporate or any person on its behalf; and (iii) the body corporate should provide additional information to the provider of information (see below).
The body corporate must also comply with other general requirements, such as not keeping SPDI for longer than is required and ensuring it is kept secure or applying reasonable security practices and procedures which contain managerial, technical, operational and physical security control measures to protect SPDI.
Additional rules apply to the disclosure of SPDI. The body corporate and any person acting on its behalf are not allowed to publish any SPDI. Further, the disclosure of SPDI to any third party requires the prior permission of the provider of information. The only two exceptions to this requirement are: (i) when such disclosure has been agreed upon in the contract between the body corporate and the provider of information; or (ii) when it is necessary to disclose the information in compliance with a legal obligation. The third party that receives such SPDI is required not to disclose it further. The body corporate is also allowed to share information with government agencies mandated under the law to obtain information or to a third party by an order under law.
SPDI can be transferred to any other body corporate or a person in India or located in any country that offers the same levels of data protection as India.
As stated above, the DPDP Act does not make a distinction between personal data and sensitive personal data and the same rules apply to processing of all categories of personal data.
Are there additional rules for processing information about criminal offences?
Under the SPDI Rules, data about criminal offences must be processed in the same way as SPDI.
The DPDP Act does not impose additional rules for processing of information about criminal offences. However, most provisions of the DPDP Act (including obligations relating to consent and legitimate use and in relation to the rights and duties of data principals) do not apply where personal data is processed in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any Indian law in force (including those relating to criminal offences).
Are there any formalities to obtain consent to process sensitive personal data?
Under the SPDI Rules, consent of the provider of information should be obtained in writing (which includes any mode of electronic communication) regarding the purpose of its usage. Such consent is also required before further transfer or disclosure.
As set out previously, the DPDP Act has very stringent requirements in respect of obtaining consent for processing personal data and no distinction is made between personal data and sensitive personal data.
When must a data protection officer be appointed?
Under the SPDI Rules, body corporates are required to designate a grievance officer and there is no general requirement to appoint a data protection officer.
The Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties), 2013 (“CERT-In Rules”) (enacted pursuant to Section 70B of the IT Act) set out the manner in which the Indian Computer Emergency Response Team (“CERT-In”) should operate. Entities, including body corporates offering services to Indian users, are mandated to designate a point of contact to interface with CERT-In. The details of the point of contact are to be shared with CERT-In in a specified format and are to be updated from time to time.
The DPDP Act only requires SDFs (and not all data fiduciaries) to appoint a data protection officer. The data protection officer must be a person based in India and data fiduciaries must publish the business contact information of such officer. In case of data fiduciaries which are not SDFs, a person must be appointed to answer questions raised by data principals about the processing of their personal data. Information relating to such person must be published on the website and/or app of the data fiduciary and included in every response to a communication for the exercise of data principal rights.
What are the duties of a data protection officer?
The grievance officer under the SPDI Rules is required to address any discrepancies or grievances of information providers with respect to processing of information in a time-bound manner. The grievance officer is required to redress the grievance expeditiously, within one month from the date of receipt of such grievance. The body corporate is required to publish the name and contact details of the grievance officer on its website.
Under the DPDP Act, as stated above, the data protection officer must be an individual based in India who represents the SDF and is responsible to the governing body of the SDF. The data protection officer serves as the point of contact for the grievance redressal mechanism under the Act. Contact information of the data protection officer must be published by the significant data fiduciary such that the officer can answer questions raised by the individual regarding their personal data.
Is there a general accountability obligation?
The SPDI Rules state that a body corporate or any person who on behalf of the body corporate collects, receives, possesses, stores, deals or handles information including SPDI of a provider of information, should provide a privacy policy.
This privacy policy should serve to protect the personal information that is provided, and the provider of such information should be able to review the policy. The privacy policy is required to be made available on the website of the body corporate and should provide for: (i) clear and accessible statements relating to its practices and policies; (ii) the type of personal information or SPDI that is being collected; (iii) the purpose of collecting and using of such information; (iv) the instances in which disclosure of such information may be made under the SPDI Rules; and (v) reasonable security practices and procedures required under the SPDI Rules.
The DPDP Act and DPDP Rules impose strict, prescriptive conditions for processing of personal data. As stated above, the regime is largely consent-based, with derogations permissible only where processing is based on a legitimate use. Accountability obligations include the provision of consent notices and various data principal rights (see below). SDFs are subject to additional obligations, including data protection impact assessments, data audits, and various due diligence obligations. Data fiduciaries are also responsible for complying with the provisions of the DPDP Act in respect of processing of personal data undertaken by it or any data processors on behalf of it.
Are privacy impact assessments mandatory?
Under the SPDI Rules, a body corporate handling and processing SPDI is required to have its security practices and procedures certified and audited by an independent auditor who is approved by the Central Government at least once every year, or when there is a significant upgrade in its computer resource.
Under the DPDP Act, only SDFs are required to conduct a data protection impact assessment and audit on an annual basis. A report with significant observations is then required to be submitted to the Board. There are no mandatory requirements imposed on other data fiduciaries to conduct such impact assessments or audits.
Privacy notices
A body corporate collecting SPDI should keep the provider of information informed about: (i) the fact that the information is being collected; (ii) the purpose for doing the same; (iii) the intended recipients; and (iv) the name and address of the agency collecting and retaining the information. All the requirements applicable to personal data, such as the requirement for a privacy policy (see Is there a general accountability obligation? above), are applicable when processing SPDI.
Under the DPDP Act, every request made to an individual to obtain their consent for processing of their personal data must be accompanied or preceded by a notice informing: (i) the personal data to be collected and the purpose for which the same is proposed to be processed; (ii) the manner in which the data principal may exercise its rights; and (iii) the manner in which the data principal may make a complaint to the Board. The DPDP Rules set out obligations in respect of the form and manner of such notices (see Are there any formalities to obtain consent to process personal data? above).
Rights to access information
Under the SPDI Rules, an information provider can access information provided by them upon request to the relevant body corporate.
The DPDP Act introduces a formal right to access information (similar to the right provided to data subjects under the GDPR). Data principals have the right to obtain from data fiduciary access to information such as a summary of the personal data and processing activities and the names of other data fiduciaries and data processors with whom such data has been shared. Note that the data fiduciary is not required to provide data principals with information regarding the identity of other data fiduciaries with whom personal data has been shared, if such data has been shared with a data fiduciary who is authorised by law to obtain such information for the purpose of preventing, detecting, investigating, prosecuting or punishing offences.
Further, under the DPDP Rules, in order to facilitate exercise of data principal rights, data fiduciaries and consent managers (where applicable) are required to publish on their website / or app: (i) details of the means using which a data principal may make a request for the exercise of her rights; and (ii) particulars, if any, such as the user name or other identifier of the data principal, which may be required to identify her under the terms of service of the data fiduciary.
Rights to data portability
No.
Right to be forgotten
Indian law does not presently recognise a “right to be forgotten”.
There have been judicial precedents wherein various courts have recognised this right, especially in relation to sexual offences against women. The Supreme Court of India has held that anonymity of victims must be maintained as far as possible in cases involving sexual offences (State of Punjab vs Gurmit Singh). The Karnataka High Court has recognised that certain information can be erased in sensitive cases involving rape, or affecting the modesty and reputation of the person concerned. However, other High Courts have taken a different view in this regard. For example, the Gujarat High Court has rejected a plea to restrain public exhibition of a judgment on public sources (Dharmraj Bhanushankar Dave v. State of Gujarat).
However, under the DPDP Act, data principals will have the right to erasure of data. Upon receipt of such a request, the data fiduciary will be required to erase the data principal’s personal data unless retention of the data is necessary for the specified purpose or for compliance with law.
Separately, the provisions of the DPDP Act and DPDP Rules in relation to data retention are also relevant to erasure of personal data. The DPDP Act provides that once it is reasonable to assume that the specified purpose for which personal data is collected is no longer being served, data fiduciaries must erase the data, subject to requirements of applicable law.
The DPDP Rules further provide that very specific retention obligations apply to identified categories of data fiduciaries, namely, e-commerce entities, online gaming intermediary and social media enterprises (each, with a prescribed number of users).
Objection to direct marketing and profiling
The IT Act and Rules do not impose any explicit conditions regarding the usage of SPDI for direct marketing. However, where the information is collected from a provider of information (i.e., in a situation in which SPDI is collected), the relevant body corporate will need to comply with the following requirements: (i) obtain prior consent from the information provider to process SPDI; (ii) notify information providers of the purpose of collecting information and the intended recipients of such information; (iii) permit information providers to opt out of providing information / withdraw consent at a later stage; and (iv) unless disclosure is agreed to contractually, obtain prior consent from information providers prior to disclosure of SPDI to third parties.
Additional obligations under telecommunications and consumer protection laws may also be applicable in respect of direct marketing and telemarketing.
Under the DPDP Act, data fiduciaries will be required to obtain consent for the purpose of processing personal data for direct marketing. Accordingly, all obligations relating to notices and consent set out above will be applicable. Further, the DPDP Act prohibits behavioural monitoring of or targeted advertising directed at children.
Other rights
Under the SPDI Rules, the information provider has the right to review the information provided and withdraw consent that was previously provided. A body corporate cannot refuse such a request but can choose not to provide the services for which consent was sought. Additionally, any discrepancies and inaccurate information can be corrected by the information provider.
Under the DPDP Act, data principals will have the right to withdraw consent previously provided to the data fiduciary at any time, where consent was the basis of the processing at hand. The ease of withdrawing consent must be comparable to the ease with which consent was given. Upon withdrawal of consent, the data fiduciary (and its data processors) is required to cease processing such personal data, unless processing is required or authorised by law. However, withdrawal of consent does not affect the legality of processing prior to withdrawal of consent.
Data principals will also have the right to have a readily available, timely means of grievance redressal and the right to nominate other individuals to exercise their rights in the event of the data principal’s death or incapacity.
Security requirements in order to protect personal data
The SPDI Rules require each body corporate to maintain reasonable security practices and procedures. A body corporate or a person acting on its behalf is “considered to have complied with reasonable security practices and procedures if they have implemented such security practices and standards and have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business”. The Ministry has listed the International Standard IS/ISO/IEC 27001 on “Information Technology - Security Techniques - Information Security Management System - Requirements” as one such standard. Bodies corporate following other standards are required to get their security practices and standards notified to and approved by the Central Government for effective implementation.
In addition, a body corporate is required to have its security practices and procedures certified and audited by an independent auditor who is approved by the Central Government at least once every year and when there is a significant upgrade in its computer resources.
Under the DPDP Act, data fiduciaries are responsible for protecting personal data under their possession or control (including in respect of processing done by a data processor) by undertaking reasonable security safeguards to prevent a personal data breach. The DPDP Rules, without prescribing any specific technical standards, have prescribed the minimum controls that a body corporate needs to implement to prevent personal data breach. In addition to data security measures (such as securing data through encryption, obfuscation or masking, use of virtual tokens, etc.), access controls, implementation of backups, and detection of unauthorised access, data fiduciaries are obliged to include appropriate provisions in their contracts with data processors to ensure that such data processors also implement reasonable security measures.
Specific rules governing processing by third party agents (processors)
The SPDI Rules do not provide for a specific regime to govern third party agents acting on behalf of a body corporate. They are governed by the same regime applicable to bodies corporate in general.
Under the DPDP Act, a data fiduciary will be responsible for complying with the provisions of the DPDP Act in respect of any processing undertaken on its behalf by a data processor.
Notice of breach laws
The IT Act requires certain types of cyber security incidents be mandatorily reported to CERT-In by filling in the prescribed forms on CERT-In’s website. These incidents include (i) compromise of critical systems or information; (ii) targeted scanning or probing of critical networks or systems; (iii) identity thefts, spoofing or phishing attacks; (iv) unauthorised access of IT systems or data; (v) defacement of a website or intrusion into a website; (vi) malicious code attacks; (vii) Denial of Service or Distributed Denial of Service (DoS or DDoS) attacks; (viii) data breach; (ix) data leak; (x) attacks through malicious mobile apps; (xi) attacks on servers; and (xii) unauthorised access to social media accounts.
Such incidents must be mandatorily reported within a 6 hour timeframe if they are of the following nature: (i) cyber incidents and cyber security incidents of severe nature (such as denial of service, distributed denial of service, intrusion, spread of computer contaminant including Ransomware) on any part of the public information infrastructure (including backbone network infrastructure); (ii) data breaches or data leaks; (iii) large-scale or most frequent incidents such as intrusion into computer resource, websites etc.; or (iv) cyber incidents impacting safety of human beings.
Entities may report information to the extent available within the 6 hours timeframe and additional information can be reported later within ‘reasonable time’.
CERT-In is also authorised to collect or analyse information in relation to cyber security incidents from individuals and organisations. Information that may lead to identification of individuals or organisations that have been affected by cyber security incidents cannot be disclosed without explicit written consent or through the order of a competent court.
Note that the above obligations under IT Act will continue to subsist even after enforcement of the DPDP Act. However, under the DPDP Act, in the event of a personal data breach, the data fiduciary must also notify the Board and each affected data principal. The DPDP Rules set out detailed requirements on the manner of making such notification, both to the affected data principals and to the Board. While notifications to both the affected data principals and the Board have to be made ‘without delay’, more detailed information (such as information on cause of breach, events leading up to the breach, remedial measures taken to prevent recurrence and report regarding intimation made to the affected data principals) has to be submitted to the Board within 72 hours (or the extended period, if an extension is provided). Please also note that there is no quantitative or qualitative threshold for making notifications to data principals or the Board and each and every personal data breach will be subject to the same notification requirements regardless of severity.
Restrictions on transfers to third countries
The SPDI Rules provide that cross—border data flows of SPDI can be made to any other body corporate or a person in India or located in any other country if the same levels of data protection in India are adhered to, provided that such transfer is necessary for the performance of a lawful contract between the body corporate or any person acting on its behalf and the provider of information or such transfer has been consented to by the provider of information.
There is no restriction under the SPDI Rules regarding cross-border data flows of information that is not SPDI.
The Reserve Bank of India (“RBI”), through a notification issued on 6 April 2018 read with RBI’s FAQs on storage of payment system data, has made it mandatory for all banks, intermediaries and other third parties to store all information pertaining to payments data in India. In case of international transactions, the data on the foreign leg of the transaction can be stored in a foreign location, if required.
The DPDP Act allows cross-border transfers of personal data unless specifically prohibited by the Government of India and the Central Government – which have the authority to, by notification, restrict the transfer of personal data to any country outside India. Since the notification of the DPDP Act, the Central Government has not provided any particular indication on which (if any) countries may be implicated and the DPDP Rules do not provide further clarity on this issue.
However, the DPDP Rules seem to give the Central Government significant flexibility on cross-border data transfers, and to take a view on transfers on a case-to-case basis, enhancing the scope of the provision as originally contemplated in the DPDP Act. The DPDP Rules provide that any processing of personal data within India or outside India, if it is in connection with the offering of goods or services to data fiduciaries in India, is subject to the general restriction that the data fiduciary shall comply with requirements imposed by the Government (through a general or special order), in respect of making such personal data available to any foreign state, or to any person or entity under the control of, or any agency of such state. This suggests that: (a) the restriction on transfer is not specific to any territory but is based on ensuring that a particular state (and its agencies) do not have access to the personal data; and (b) the Government can determine the list of states (or its agencies) to whom access should not be given, at any time, by means of an order. In relation to (a), it is unclear on the extent of measures that a data fiduciary is expected to take to prevent access, especially where dependency on cloud-based services (which allows access from various geographies through the internet) are increasing. The drafting suggests that the Government will have significant flexibility on determining the state(s) (and its agencies) that should be prohibited from having access to personal data, including at short notice, which adds further uncertainty while determining data storage and processing solutions.
A separate data localisation obligation is also applicable to SDFs. Such entities must ensure that while processing identified categories of personal data (to be determined by a committee constituted by the Central Government), such personal data and the traffic data (more commonly known as metadata) relating to its flow is not transferred outside India. The Ministry has previously informally noted that this process will be driven by sectoral needs, allowing sectoral regulators to propose specified data which should be localised in India to the committee, following which the committee will review the relevant requirements, hold consultations, and issue final recommendations.
Notification and approval of national regulator (including notification of use of Model Contracts)
There is no additional requirement to notify or obtain the approval of any regulatory authority.
Use of binding corporate rules
Cross-border dataflows are only allowed to jurisdictions that require body corporates situated there to provide the same level of data protection as in India. The data protection regime in India is bespoke in nature and may not be similar to the level of protection provided by binding corporate rules.
Fines
Section 72A of the IT Act provides for a fine of up to INR 500,000 when there is disclosure of personal information in breach of a lawful contract or without consent.
Section 70B(7) of the IT Act read with the directions issued by CERT-In on 28 April 2022 (“CERT-In Directions”) provides for a fine of up to INR 100,000 where there is a failure to furnish information to CERT-In and in case of non-compliance with CERT-In’s reporting requirements.
The DPDP Act provides for varying levels of fines for different offences as follows: (i) failure of data fiduciary to take reasonable security safeguards to prevent personal data breach - up to INR 2,500,000,000 (approximately EUR 22,300,000); (ii) failure to notify the Board or affected data principals about personal data breach - up to INR 2,000,000,000 (approximately EUR 17,850,000); (iii) failure to observe the special rules relating to processing of data of children – up to INR 2,000,000,000 (approximately EUR 17,850,000); (iv) failure to observe additional obligations applicable to a significant data fiduciary – up to INR 1,500,000,000 (approximately EUR 13,400,000); (v) failure of data principals to adhere to duties specified under the DPDP Act – up to INR 10,000 (approximately EUR 90); and (vi) failure to adhere to any other provisions of the DPDP Act – up to INR 500,000,000 (approximately 4,500,000).
Criminal liability
Section 72A of the IT Act provides for imprisonment of up to three years when there is disclosure of personal information in breach of a lawful contract or without consent.
Section 70B(7) of the IT Act read with the CERT-In Directions provides for imprisonment of up to one year where there is a failure to furnish information to CERT-In and in case of non-compliance with CERT-In’s reporting requirements.
The DPDP Act does not provide for criminal liability.
Compensation
Section 43A of the IT Act provides that bodies corporate possessing, dealing with or handling any SPDI in a computer resource owned, controlled or operated by it would be liable to pay damages as compensation to affected persons if they are negligent in implementing and maintaining reasonable security practices and procedures to protect SPDI, thereby causing wrongful loss or wrongful gain to any person.
The DPDP Act does not provide for compensation to affected persons in the event of a personal data breach or otherwise.
Other powers
There are no other enforcement provisions in relation to data protection in the DPDP Act, IT Act or the SPDI Rules.
Practice
There have been a number of judgments in the courts on privacy matters, including the Privacy Judgment. However, there is no significant court regulatory practice on the application of these provisions.
ePrivacy laws
There is no single law governing direct marketing in India and the regulatory regime currently comprises multiple pieces of legislation, as set out below:
SPDI Rules
The SPDI Rules impose a number of obligations which impact direct marketing operations. These include: (i) obtaining prior consent for processing of SPDI from the provider of such information; (ii) notifying information providers of, inter alia, the purpose for collection of information and the intended recipients of such information; (iii) permitting information providers to opt out of providing the information sought to be collected or withdraw consent to processing at a later stage; and (iv) obtaining prior consent from information providers for disclosure of SPDI to third parties, unless such disclosure has been agreed to in a contract between the relevant body corporate and the information provider. This implies that information providers must: (i) opt into receiving direct marketing communications or having their information be provided to direct marketers; (ii) be notified that their information may be used for direct marketing; and (iii) have the right to opt-out of receiving direct marketing communications.
Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“Intermediary Rules”)
Significant social media intermediaries are required to clearly disclose information as being advertisements or marketing material, if applicable, under the Intermediary Rules.
Telecom Commercial Communications Customer Preference Regulations, 2018 (“TCCCP Regulations”)
Telemarketing is governed by the TCCCP Regulations. Any entity sending promotional communication must be registered with an access provider and any communications sent by an unregistered sender will be considered unsolicited commercial communication. For sending promotional communication, the customer’s explicit consent has to be obtained through the digital consent mechanism established under the regulations. Promotional messages must provide an opt-out mechanism (i.e., option to stop receiving further promotional communication) to the customer, in a manner that may be specified by the Telecom Regulatory Authority of India. Note that promotional messages may only be sent by senders from the special series (of mobile numbers) assigned for the purpose of sending commercial communications.
Consumer Protection Act, 2019 (“CPA”)
Under the CPA, service providers have the obligation to refrain from engaging in unfair trade practices, including misleading advertising. The Guidelines for Prevention of Misleading Advertisements and Endorsements for Misleading Advertisements, 2022 (“Misleading Advertising Guidelines”), issued under the CPA, lay down the conditions for an advertisement to be considered non-misleading and valid, and provisions on bait advertisements and free claims advertisements. The Misleading Advertisements Guidelines also set out certain conditions for advertisements targeted at children and lay down the duties of service providers, manufacturers, advertisers and advertising agencies. The Central Consumer Protection Authority has also issued the Guidelines for Prevention and Regulation of Dark Patterns in 2023 (“Dark Patterns Guidelines”). The Dark Patterns Guidelines prohibit platforms from using dark patterns, such as false urgency, confirm shaming, nagging and interface interference.
Upon enforcement of the DPDP Act, consent will need to be sought for use of personal data for direct marketing purposes. Accordingly, all provisions of the DPDP Act relating to notices, consent and withdrawal of consent will be applicable to direct marketing efforts. Further, data fiduciaries are specifically prohibited from engaging in tracking, behavioural monitoring and targeting advertisements at minors.
Conditions for use of cookies
There are no specific laws or regulations in India on the use of cookies. However, if: (i) the cookie is linked to other personal information/data which the website operator (or a third party) may have about a person; or (ii) personal information/data is collected from using cookies, the provisions relating to the collection, disclosure, transfer, use, storage and processing of personal information/data in the SPDI Rules and upon enforcement, the DPDP Act will apply. Additionally, any data breach in relation to the information collected from cookies will be subject to data breach reporting guidelines (see Notice of Breach Laws above).
Regulatory guidance on the use of cookies
Not applicable.
Conditions for direct marketing by e-mail to individual subscribers
There are no specific laws or regulations in India on direct marketing by email.
Conditions for direct marketing by e-mail to corporate subscribers
Not applicable.
Exemptions and other issues
Not applicable.
Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)
Marketing by telephone to individual subscribers without their consent is expressly prohibited with the telecom service providers being responsible to ensure that such a prohibition is enforced. Telecom service providers are required to establish a Customer Preference Registration Facility (“CPRF”) under which customers can provide or revoke their consent with regard to the category, the mode (whether voice calls or text messages) and the time slot of such marketing.
Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)
There are no separate rules for corporate subscribers, who are governed by the same regime as non-corporate subscribers.
Exemptions and other issues
The CPRF provides customers the option to register under the ‘partially blocked category’ pursuant to which customers can opt in or opt out from receiving promotional communications under the following categories: (i) banking/insurance/financial products/credit cards; (ii) real estate; (iii) education; (iv) health; (v) consumer goods and automobiles; (vi) communication/broadcasting/entertainment/IT; (vii) tourism and leisure; and (viii) food and beverages.