
Data Protection and Privacy Laws in India


India has yet to enact specific legislation to enforce the protection of data. It has not yet issued an act for the protection of personal data that is equivalent to the General Data Protection Regulation (“GDPR”) or the California Consumer Privacy Act (“CCPA”).

The Information Technology Act, 2000 (“IT Act”) was amended to include Sections 43A and 72A, which provide an individual the right to seek compensation from corporate bodies for improper disclosure of personal information (“Personal Information”).

Subsequently, in 2011, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “Rules”), were enacted under Section 43A of the IT Act. The Rules have imposed additional prerequisites on commercial businesses in India in connection with the collection and disclosure of sensitive personal data or information (“Sensitive Personal Data or Information”), which have some similarities with the GDPR or CCPA.

Under the Rules, Personal Information is defined as “any information that relates to a natural person, which either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.” It pertains only to information about natural persons. There are no specific rules that govern the processing of such Personal Information. No specific formalities have been stated to obtain consent for processing Personal Information. Also, the Rules do not contain any specific rules to be adhered to when processing personal data about children or employees.

However, the Rules state that a body corporate or any person who processes Personal Information on behalf of the body corporate should provide a privacy policy. This privacy policy should serve to protect the Personal Information that is provided, and the provider of such information should be able to review the policy.

The privacy policy is required to be made available on the website of the body corporate and should provide for: (i) clear and accessible statements relating to its practices and policies; (ii) the type of Personal Information or Sensitive Personal Data or Information that is being collected; (iii) the purpose of collecting and using such information; (iv) the instances in which disclosure of such information may be made under the Rules; and (v) reasonable security practices and procedures required under the Rules. A privacy policy is required even when no Sensitive Personal Data or Information is being processed. A body corporate collecting Sensitive Personal Data or Information should keep the provider of information informed about: (i) the fact that the information is being collected; (ii) the purpose for doing the same; (iii) the intended recipients; and (iv) the name and address of the agency collecting and retaining the information.

The fundamental right to privacy has been developed by the courts in India through a series of decisions over the past 60 years. The question of whether or not privacy is a fundamental right arose in 2015 before a three-judge bench and was later referred to a constitutional bench of nine judges to pronounce authoritatively on the status of the ‘Right to Privacy’; that bench reaffirmed it as a fundamental right in Indian jurisprudence. In a landmark judgment delivered on 24 August 2017 (Justice K.S. Puttaswamy & another vs. Union of India), the Supreme Court of India recognized the right to privacy as a Fundamental Right under Article 21 of the Indian Constitution as a part of the right to “life” and “personal liberty.”

“Informational privacy” has been recognized as being a facet of the right to privacy, and the Court held that information about a person and the right to access that information also need to be given the protection of privacy (“Privacy Judgment”). The Court held that every person should have the right to control commercial use of his or her identity and that the “right of individuals to exclusively commercially exploit their identity and personal information, to control the information that is available about them on the internet and to disseminate certain personal information for limited purposes alone” emanates from this right. This is the first time that the Supreme Court has expressly recognized the right of individuals over their personal data.

This Privacy Judgment calls for the government to create a data protection regime to protect the privacy of the individual. It recommends a robust regime to balance individual interests and legitimate concerns of the state. Therefore, in 2019, the Government of India issued the Personal Data Protection Bill 2019. Once enacted, this will repeal Section 43A of the IT Act and be India’s first data protection law.

If you have any questions about this memo, please contact Christopher L. Rasmussen, Managing Partner, Inventus Law, PC., at chris@inventuslaw.com or Samhitha Shastry, Associate, Inventus Law, PC., at samhitha@inventuslaw.com.

Disclaimer: The information on this page is being provided for information purposes only and is drafted entirely on the basis of public resources. Information contained on or made available herein is not intended to and does not constitute legal advice, recommendations, mediation or counseling under any circumstance. This information and your use thereof do not create an attorney-client relationship. You should not act or rely on any information provided herein without seeking the advice of a competent attorney licensed to practice in your jurisdiction for your particular business.

