Introduction to Data Privacy Laws in India

Introduction to Data Privacy Laws in India

India currently does not have a specific legislation governing data protection and data privacy, but rather, broadly follows the consent-based regime (akin to other developed jurisdictions) concerning collection and processing of information which includes personal information as well, subsumed into the applicable rules of the Information Technology Act, 2000.

The Constitution of India does not expressly grant or recognize the right to privacy as a fundamental right, however, the Supreme Court, in the landmark judgement of Justice K. S. Puttaswamy v. Union of India[1] held that right to privacy as an intrinsic part of the right to life and personal liberty under Article 21 of the Constitution

The relevant laws governing data protection and the principle of privacy in India broadly are the Information Technology Act, 2000 (“IT Act”) and its corresponding rules under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”). A legislative data protection framework, The Personal Data Protection Bill, 2019 is yet to be notified by the Government of India.

1. Scope and Applicability

The SPDI Rules and Section 43A of the IT Act apply only to a body corporate[2] and individuals acting on behalf of body corporate. The provisions of the IT Act (including in respect of matters governed by the applicable rules) are required to be complied with by entities in or outside of India that process personal data either: (i) in India, or (ii) have a computer, computer system, or computer network located in India, as defined in the IT Act. A point to note is that the SPDI Rules issued under the IT Act applies only to electronic records and excludes the purview for maintenance of manual records.

Personal Data under SPDI Rules

“Personal Information” has been defined under the SPDI Rules as any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.[3]

Rule 3 of the SPDI Rules further stipulates that sensitive personal data or information of a person means personal information that consists of information relating to:

• Passwords;
• Financial information such as bank account or credit card or debit card or other payment instrument details;

• Physical, physiological, and mental health condition;

• Sexual orientation;
• Medical records and history;
• Biometric information;

• Any detail relating to the above clauses as provided to body corporate for providing service; and
• any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.[4]

2. Exceptions

Section 69 of the IT Act acts as an exception to the general rule of maintenance of privacy and secrecy of the information, wherein the appropriate governmental body may monitor, intercept, or decrypt any information transmitted, generated, received, or stored in any computer system under the following grounds:

• the sovereignty or integrity of India;
• defence of India;

• security of the state;

• friendly relations with foreign states; or
• public order; or
• for preventing incitement to the commission of any cognizable offence relating to above; or

• for investigation of any offence.

Further, the SPDI Rules also exempt any information that is freely available or accessible in the public domain or furnished under the Right to Information Act, 2005 or any other applicable law.[5]

3. Key Compliance Obligations

The key compliance obligations are as follows:

• Privacy policy.[6] A body corporate, while collecting, receiving, storing, processing, and handling personal information must make available a comprehensive privacy policy which includes, a clear and easily accessible statement on its practices and policies, the type of information collected, the purpose of collection and use, the disclosure policy for the information and the security practices and procedures followed by the body corporate. The privacy policy must be published prominently on the body corporates website and must be readily available to a user.
• Consent and notification.[7] Body corporates must obtain of the provider of personal information prior to the collection of the data. The provider of information must be given the option to review, amend or revise the personal information[8] as well as the option to not to provide the requested personal information and to withdraw its consent by informing the body corporate in writing[9];While collecting such personal information, the body corporate must ensure that the provider of the personal information has been notified that the personal information is being collected; purpose for which the information is being collected; intended recipients of the personal information; name and address of the agency that is collecting the information; and the agency that will retain the information.[10]
• Purpose. Personal information may be collected only if it’s essential and for a lawful purpose that is connected with a function or activity of the body corporate[11]. The body corporate may use the personal information only for the purpose for which it was collected and should not retain it for a period longer than required.[12]
• Grievance redressal. To address any discrepancies and grievances of the provider of the personal information with respect to processing of such information, the body corporate shall designate a Grievance Officer and publish the name and contact details on its website. Any grievance raised must be resolved within one (1) month from date of receipt of grievance.[13]
• Disclosure of personal information.[14] A body corporate may disclose personal information collected with prior consent of the provider only if (i) a government agency seeks the information to verify, identity, or to prevent, detect, or investigate a crime, including cyber incidents, or to prosecute and punish offenses and the agency request clearly states the purpose in writing, (ii) it is necessary to comply with a legal obligation; (iii) the provider of the personal information agrees to the disclosure in a contract.
• Transfer of personal information.[15] A body corporate can transfer personal information to a third party, whether in India or overseas, only if the transfer of personal information is necessary to perform a lawful contract with the provider of such information or where the provider of information has consented to the transfer, provided that the party receiving the personal information ensures the same level of protection as that provided under the SPDI Rules.
• Reasonable security practices.[16] A body corporate must implement reasonable security practices, procedures, and standards to handle sensitive personal data or information with policies that contain managerial, technical, operational, and physical security control measures that are proportionate to the information assets that it seeks to protect.To comply with this requirement, the SPDI specify that a body corporate must implement either IS/ISO/IEC 27001 on “Information Technology-Security Techniques-Information Security Management System-Requirements” (“IS Standards”) or other standards set by self-regulating industry associations or entities formed under these associations if the Central Government or an independent auditor certifies or approves the standard[17].A body corporate is required to have its security practice and procedures certified and audited by an independent auditor who is approved by the Central Government at least once every year, or when there is a significant upgrade in its computer resource[18].

  In December 2020 the Bureau of Indian Standards (“BIS”) published new standards for data privacy assurance, the IS 17428 to assist organizations possessing personal information of individuals in creating a better understanding of such privacy needs, incorporating their framework, and maintaining privacy assurance, in addition to offering a certain level of assurance to consumers on data privacy. This standard is however not a substitute to the regulatory compliances under the applicable law. Currently, apart from the IS/ISO/IEC 27001 standard which is prescribed under the SPDI Rules to deem compliance with the reasonable security practices and procedures requirement, there are no other standards stipulated. It could be evaluated whether implementation of the IS 17428 by organizations could deem them compliant with such requirement. However, given that the SPDI Rules and the IS 17428 fall short of explicitly specifying that implementation of the IS Requirements is deemed compliance with the reasonable security practices and procedures requirement, the onus may be on the organizations to demonstrate that implementation of the IS Requirements meets the reasonable security practices and procedures requirement.

• Certain types of cyber security incidents need to be mandatorily reported to the Indian Computer Emergency Response Team (“CERT-In”) created under Section 70B of the IT Act. These incidents include:

1. compromise of critical systems or information;
2. targeted scanning or probing of critical networks and systems;
3. identity thefts, spoofing or phishing attacks;
4. unauthorised access of IT systems or data;
5. defacement of a website or intrusion into a website;
6. malicious code attacks including attacks on servers; and
7. Denial of Service or Distributed Denial of Service (DoS or DDoS) attacks.

  4. Penalties under IT Act

• Breach of Confidentiality and Privacy[19]: The Section provides that any person who, in pursuance of any of the powers conferred under the IT Act, Rules or regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned, discloses such material to any other person, shall be punishable with imprisonment for a term which may extend to two years, or with fine which may extend to INR 1,00,000/- (Rupees One Lakh) or with both.
• Breach by Intermediary[20]: Any person or intermediary who while providing services under terms of lawful contract has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person, shall be punished with imprisonment for a term which may extend to three years, or with fine which may extend to 5,00,000 (Rupees Five Lakh Rupees), or with both.

• Breach of personal data[21]: A body corporate possessing, dealing with or handling any sensitive personal data or information in a computer resource owned, controlled, or operated by it would be liable to pay damages as compensation to affected persons if they are negligent in implementing and maintaining reasonable security practices and procedures to protect sensitive personal data or information.
• Failure to Cooperate[22]: Any subscriber or intermediary or any person who fails to assist the agency referred to in sub-section (3) shall be punished with imprisonment for a term which may extend to seven years and shall also be liable to fine.

    5. Sector Specific Data Privacy Regulations

Apart from the IT Act and the SPDI Rules, there are certain sectoral regulations and guidelines which also address various aspects of data privacy and data protection in India. For example:

• The Reserve Bank of India mandates all system providers to store the payments data in India.[23]
• Insurance Regulatory and Development Authority of India in April 2017 has issued guidelines[24] on cyber security of insurers which are binding on all insurance companies.

6. Personal Data Protection Bill, 2019

A Joint Parliamentary Committee is currently considering the Personal Data Protection (“PDP”) Bill and a revised draft of the PDP Bill is expected to be issued during 2021. The PDP Bill would then have to be passed by both houses of Parliament and notified in the official gazette before it becomes law. Even after enactment, the law is likely to be implemented in a phased manner. Currently, there is no information about the implementation timeline.

The Committee of Experts on Non-Personal Data (“NPD”) Governance Framework headed by Kris Gopalakrishnan, constituted by the Ministry of Electronics and Information Technology had released its draft version of the report in July 2020 for public consultation. Based on the comments received from the various stakeholders, the committee released a revised report on December 16, 2020. We shall be covering the NPD framework in depth once there is better clarity on the contours of the framework vis-à-vis the proposed personal data protection framework.

If you have any questions about the above mentioned, please contact Christopher L. Rasmussen, Managing Partner, Inventus Law, PC., at chris@inventuslaw.com or Vivek Balakrishnan, Principal Associate, Inventus Law, India at vivek@inventuslaw.in.

Disclaimer: This Memo is being provided for information purposes only and is drafted entirely on the bases of public resources. Information contained on or made available herein is not intended to and does not constitute legal advice, recommendations, mediation, or counselling under any circumstance. This information and your use thereof do not create an attorney-client relationship. You should not act or rely on any information provided herein without seeking the advice of a competent advocate licensed to practice in your jurisdiction for your particular business.

[1] Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1

[2] Section 43A; IT Act, 2000

[3] Rule 2(i); SPDI Rules, 2011

[4] Rule 3; SPDI Rules, 2011

[5] Rule 3; SPDI Rules, 2011

[6] Rule 4; SPDI Rules, 2011

[7] Rule 5(1); SPDI Rules, 2011

[8] Rule 5(6); SPDI Rules, 2011

[9] Rule 5(7); SPDI Rules, 2011

[10] Rule 5(3); SPDI Rule, 2011

[11] Rule 5(2); SPDI Rules, 2011

[12] Rule 5(4); SPDI Rules, 2011

[13] Rule 5(9); SPDI Rules, 2011

[14] Rule 6; SPDI Rules, 2011

[15] Rule 7; SPDI Rules, 2011

[16] Rule 8; SPDI Rules, 2011

[17] Rule 8(2), 8(3); SPDI Rules, 2011

[18] Rule 8(4); SPDI Rules, 2011

[19] Section 72; IT Act, 2000

[20] Section 72A; IT Act, 2000

[21] Section 43A; IT Act, 2000

[22] Section 69(4); IT Act, 2008

[23] The directive is issued under Section 10(2) read with Section 18 of Payment and Settlement Systems Act 2007, (Act 51 of 2007).

[24] Guidelines on Information and Cyber Security for Insurers dated 07.04.2017.