Spotlight: how are data protection laws enforced in India? (2024)


Overview

In the absence of specific legislation for data protection in India, the Information Technology Act 2000 (the IT Act) and a collection of other statutes stand in for this purpose. In 2017, the Indian Supreme Court ruled that Indian citizens have a fundamental right to privacy, guaranteed primarily under Article 21 of the Indian Constitution. The Court specified that this right includes, inter alia, the right to informational privacy. In the wake of this judgment, and to give it meaning in the form of comprehensive legislation, a 10-member committee under the chairmanship of former Supreme Court Justice BN Srikrishna was empanelled. The Srikrishna Committee published a report examining the current patchwork of relevant laws in India, studying the statutory approach to privacy and data protection in other jurisdictions and laying out detailed rationale for an improved legal framework. The report was accompanied by the draft Personal Data Protection Bill 2018.

The year in review

In December 2019, the Personal Data Protection Bill 2019 was tabled in Parliament.[2] This Bill found basis in the Srikrishna Report and the draft Personal Data Protection Bill 2018 and was modelled mainly on the GDPR. It was rooted heavily in the notion of free, specific and informed consent of the individual. It envisaged the formation of a data protection authority for its enforcement, placed heavy fiduciary duties on data controllers and processors and, had it been enacted, would have applied to a wide range of actors and stakeholders across various sectors. In May 2021, both houses of Parliament granted a fourth successive extension to the joint parliamentary committee to submit its report on the Bill. Parliamentary deliberation on the Bill stood adjourned sine die. On 3 August 2022, the Central Government withdrew the Bill from Parliament. Union Minister for Information Technology Ashwini Vaishnaw tweeted that this was because the joint parliamentary committee recommended 81 amendments to the Bill, in addition to 12 major recommendations.[3] The Centre has indicated that a new Bill will be presented for public consultation in due course.

The executive scramble to mitigate the effects of the covid-19 crisis has brought various competing interests to the fore in the context of data privacy. The most conspicuous of these interests is the need for government surveillance in the form of contact tracing, large-scale testing and the maintenance of public health records (symptoms and quarantine regulation) for citizens and non-citizens across the country. India is a quasi-federal nation state. The centre and states are currently acting together through the Integrated Disease Surveillance Programme, which operates through a decentralised state-based surveillance system to monitor information flows on target diseases to compile and analyse data and organise an appropriate response. The centre has also developed and released a mobile application that relies largely on crowd-sourcing self-reported data to identify covid-19 hotspots. This collection and processing of data stands largely unregulated at this time.

On 25 February 2021, the Ministry of Electronics and Information Technology released the Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021.[4] These Rules replaced the Information Technology (Intermediaries Guidelines) Rules of 2011. A press release from the government[5] states that the aim is to enable ordinary users of digital platforms to seek redressal for their grievances and to demand accountability when their rights are infringed. The Rules, inter alia, distinguish between social media intermediaries and significant social media intermediaries based on user numbers, and place a much heavier burden on significant social media intermediaries in respect of personal data protection. For instance, all social media intermediaries are now required to have a grievance redressal mechanism for users, conduct due diligence if they wish to seek refuge under safe harbour provisions and ensure the safety and dignity of users (especially women) online. However, significant social media intermediaries must institute additional due diligence mechanisms. These include the appointment of a chief compliance officer, who must be resident in India and will be responsible for ensuring compliance with the law, and a nodal contact person, who must also be resident in India and available 24/7 for coordination with law enforcement agencies. Significant social media intermediaries must also publish a monthly compliance report, which will include details of any complaints they have received and actions they have taken to address said complaints. Most provisions in these Rules came into effect immediately upon publication on 25 February. The provisions relating to due diligence for social media intermediaries specifically came into effect on 25 May 2021.

Regulatory framework

i Privacy and data protection legislation and standards

The following statutes deal with data protection and privacy in India.

The Information Technology Act (2000) and the Information Technology (Amendment) Act 2008

The Information Technology Act (2000) (the IT Act)[6] contains provisions for the protection of electronic data. The IT Act penalises 'cyber contraventions' (Section 43(a)–(h)), which attract civil prosecution, and 'cyber offences' (Sections 63–74), which attract criminal action.

The IT Act was originally passed to provide legal recognition for e-commerce and sanctions for computer misuse. However, it had no express provisions regarding data security. Breaches of data security could result in the prosecution of individuals who hacked into the system, under Sections 43 and 66 of the IT Act, but the Act did not provide other remedies such as, for instance, taking action against the organisation holding the data. Accordingly, the IT (Amendment) Act 2008 was passed, which, inter alia, incorporated two new sections into the IT Act, Section 43A and Section 72A, to provide a remedy to persons who have suffered or are likely to suffer a loss on account of their personal data not having been adequately protected.

The Information Technology Rules

Under various sections of the IT Act, the government routinely notifies sets of Information Technology Rules (the IT Rules) to broaden the Act's scope. These IT Rules focus on and regulate specific areas of collection, transfer and processing of data, and include, most recently, the following:

  1. the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules,[7] which require entities holding users' sensitive personal information to maintain certain specified security standards;
  2. the Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021, which prohibit content of a specific nature on the internet, and govern the role of intermediaries, including social media intermediaries, in keeping personal data of their users safe online;
  3. the Information Technology (Guidelines for Cyber Cafe) Rules,[8] which require cybercafés to register with a registration agency and maintain a log of users' identities and their internet usage; and
  4. the Information Technology (Electronic Service Delivery) Rules,[9] which allow the government to specify that certain services, such as applications, certificates and licences, be delivered electronically.

The IT Rules are statutory law, and the four sets specified above were notified on 11 April 2011 under Section 43A of the IT Act. Any further references to the IT Rules in this chapter pertain specifically to the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, unless otherwise specified.

Penalties for non-compliance are specified by Sections 43 and 72 of the IT Act.

Additional legislation

In addition to the legislation described above, data protection may also sometimes occur through the enforcement of property rights based on the Copyright Act (1957). Further, other legislation such as the Code of Criminal Procedure (1973), the Indian Telegraph Act 1885, the Companies Act (1956), the Competition Act (2002) and, in cases of unfair trade practices, the Consumer Protection Act (1986), would also be relevant. Finally, citizens may also make use of the common law right to privacy, at least in theory – there is no significant, recent jurisprudence on this.

It is unclear when a revised Bill to replace the withdrawn Personal Data Protection Bill 2019 will be presented for public consultation, and how it will compare with its predecessor.

Compliance regulators

CERT-In

Under Section 70B of the IT (Amendment) Act 2008, the government constituted CERT-In, which the website of the Ministry of Electronics and Information Technology refers to as the 'Indian Computer Emergency Response Team'. CERT-In is a national nodal agency responding to computer security incidents as and when they occur. The Ministry of Electronics and Information Technology specifies the functions of the agency as follows:

  1. collection, analysis and dissemination of information on cybersecurity incidents;
  2. forecast and alerts of cybersecurity incidents;
  3. emergency measures for handling cybersecurity incidents;
  4. coordination of cybersecurity incident response activities; and
  5. issuance of guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, prevention, response to and reporting of cybersecurity incidents.[10]

Cyber Regulations Appellate Tribunal (CRAT)

Under Section 48(1) of the IT Act 2000, the Ministry of Electronics and Information Technology established CRAT in October 2006. The IT (Amendment) Act 2008 renamed the tribunal Cyber Appellate Tribunal (CAT). Pursuant to the IT Act, any person aggrieved by an order made by the Controller of Certifying Authorities, or by an adjudicating officer under this Act, may prefer an appeal before the CAT. The CAT is headed by a chairperson who is appointed by the central government by notification, as provided under Section 49 of the IT Act 2000.

Before the IT (Amendment) Act 2008, the chairperson was known as the presiding officer. Provisions have been made in the amended Act for CAT to comprise a chairperson and such number of other members as the central government may notify or appoint.[11]

Definitions

Current legislation does not contain a definition for 'personal data'. The IT Rules define personal information as any information that relates to a natural person that, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such a person.

Further, the IT Rules define 'sensitive personal data or information' as personal information consisting of information relating to:

  1. passwords;
  2. financial information, such as bank account, credit card, debit card or other payment instrument details;
  3. physical, physiological and mental health conditions;
  4. sexual orientation;
  5. medical records and history;
  6. biometric information;
  7. any details relating to the above clauses as provided to a body corporate for the provision of services; and
  8. any information received under the above clauses by a body corporate for processing, or that has been stored or processed under lawful contract or otherwise.

Provided that any information is freely available or accessible in the public domain, or furnished under the Right to Information Act 2005 or any other law for the time being in force, it shall not be regarded as sensitive personal data or information for the purposes of these rules.

ii General obligations for data handlers

Obligations for data processors, controllers and handlers

Transparency

The IT Rules state that all data handlers must create a privacy policy to govern the way they handle personal information. Further, the policy must be made available to the data subject who is providing this information under a lawful contract.

In addition, the new Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021 specifically require all intermediaries, including social media intermediaries, to prominently publish on their websites and mobile applications all rules and regulations, privacy policy and user agreement for access or usage of their online resources by any user. Intermediaries must also publish prominently the name and details of a grievance officer, as well as available mechanisms for grievance redressal.

Lawful basis for processing

A body corporate (or any person or entity on its behalf) cannot use data for any purpose unless it receives consent in writing from the data subject to use it for that specific purpose. Consent must be obtained before collection of the data. The IT Rules also mandate that sensitive personal information may not be collected unless it is connected to the function of the corporate entity collecting it, and then only if the collection is necessary for that function. It is the responsibility of the body corporate to ensure that the sensitive personal information thus collected is used for no other purpose than the one specified.

Purpose limitation

The IT Rules state that any information collected by a body corporate or a person on its behalf shall be used for the purpose for which it has been collected.

Data retention

Section 67C of the IT Act requires that an intermediary preserve and retain information in a manner and format and for such period of time as prescribed by the central government.

Registration formalities

India currently does not have any legislative requirements with respect to registration or notification procedures for data controllers or processors.

Rights of individuals

Access to data

Rule 5, Subsection 6 of the IT Rules mandates that the body corporate or any person on its behalf must permit providers of information or data subjects to review the information they may have provided.

Correction and deletion

Rule 5, Subsection 6 of the IT Rules states that data subjects must be allowed access to the data provided by them and to ensure that any information found to be inaccurate or deficient shall be corrected or amended as feasible. Although the Rules do not directly address deletion of data, they state in Rule 5, Subsection 1 that corporate entities or persons representing them must obtain written consent from data subjects regarding the usage of the sensitive information they provide. Further, data subjects must be provided with the option not to provide the data or information sought to be collected.

Objection to processing and marketing

Rule 5 of the IT Rules states that the data subject or provider of information shall have the option to later withdraw consent that may have been given to the corporate entity previously, and the withdrawal of consent must be stated in writing to the body corporate. On withdrawal of consent, the corporate body is prohibited from processing the personal information in question. In the case of the data subject not providing consent, or later withdrawing consent, the corporate body shall have the option not to provide the goods or services for which the information was sought.

The Supreme Court of India has also identified and clarified that citizens have the right to be forgotten, which exists in physical and virtual spaces such as the internet, under the umbrella of informational privacy.

Right to restrict processing

As mentioned above, the IT Rules allow for withdrawal of consent by the data subject, upon which the corporate body is prohibited from processing the personal information in question.

Right to data portability

The IT Act and Rules do not contain provisions relevant to data portability.

Right to withdraw consent

As previously noted, Rule 5 of the IT Rules states that the data subject or provider of information shall have the option to later withdraw consent given to a corporate entity.

Disclosure of data

Data subjects also possess rights with respect to disclosure of the information they provide. Disclosure of sensitive personal information requires the provider's prior permission unless either disclosure has already been agreed to in the contract between the data subject and the data controller; or disclosure is necessary for compliance with a legal obligation.

The exceptions to this rule are if an order under law has been made, or if a disclosure must be made to government agencies mandated under the law to obtain information for the purposes of verification of identity; prevention, detection and investigation of crime; or prosecution or punishment of offences.

Recipients of this sensitive personal information are prohibited from further disclosing the information.

Right to complain to the relevant data protection authority

Rule 5, subsection 9 of the IT Rules mandates that all discrepancies or grievances reported to data controllers must be addressed in a timely manner. Corporate entities must designate grievance officers for this purpose, and the names and details of said officers must be published on the website of the body corporate. The grievance officer must redress respective grievances within a month from the date of receipt of said grievances.

The new Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021 require the appointment of a grievance redressal officer by all intermediaries, including social media intermediaries. The Rules also require that grievance redressal mechanisms be available to all users of social media intermediaries and be prominently published. Finally, the Rules prescribe specific timelines within which relevant action must be taken.

iii Specific regulatory areas

Financial privacy

Public Financial Institutions (Obligation as to Fidelity and Secrecy) Act 1983

Under this Act,[12] public financial institutions are prohibited from divulging any information relating to the affairs of their clients except in accordance with laws of practice and usage.

The Prevention of Money Laundering Act 2002

The Prevention of Money Laundering Act (PMLA)[13] was passed in an attempt to curb money laundering and prescribes measures to monitor banking customers and their business relations, financial transactions, verification of new customers, and automatic tracking of suspicious transactions. The PMLA makes it mandatory for banking companies, financial institutions and intermediaries to furnish information relating to prescribed transactions to the Director of the Financial Intelligence Unit (under the PMLA). This information can also be shared, in the public interest, with other government institutions or foreign countries for the enforcement of the provisions of the PMLA, or exchanged to prevent any offence under the PMLA.

Credit Information Companies (Regulation) Act 2005 and The Credit Information Companies Regulations 2006

This legislation[14] is essentially aimed at regulation of sharing and exchanging credit information by credit agencies with third parties. Disclosure of data received by a credit agency is prohibited, except in the case of its specified user and unless required by any law in force.

The regulations prescribe that the data collected must be adequate, relevant and not excessive, up to date and complete, so that the collection does not intrude to an unreasonable extent on the personal affairs of the individual. The information collected and disseminated is retained for a period of seven years in the case of individuals. Information relating to criminal offences is maintained permanently, while information relating to civil offences is retained for seven years from the first reporting of the offence. The regulations also prescribe that personal information that has become irrelevant may be destroyed, erased or made anonymous.

Credit information companies are required to obtain informed consent from individuals and entities before collecting their information. For the purpose of redressal, a complaint can be written to the Reserve Bank of India.

Payment and Settlement Systems Act 2007

Under this Act,[15] the Reserve Bank of India (RBI) is empowered to act as the overseeing authority for regulation and supervision of payment systems in India. The RBI is prohibited from disclosing the existence or contents of any document or any part of any information given to it by a system participant.

Foreign Contribution Regulation Act 2010

This Act[16] is aimed at regulating and prohibiting the acceptance and utilisation of foreign contributions or foreign hospitality by certain individuals, associations or companies for any activities detrimental to the national interest and, under the Act, the government is empowered to call for otherwise confidential financial information relating to foreign contributions of individuals and companies.

Workplace privacy

In the present scenario, employers are required to adopt security practices to protect sensitive personal data of employees in their possession, such as medical records, financial records and biometric information. In the event of a loss to an employee because of a lack of adequate security practices, the employee would be entitled to compensation under Section 43A of the Information Technology Act 2000. Other than this piece of legislation, there is no specific legislation governing workplace privacy, although, in relation to the workplace, the effect of the Supreme Court judgment on privacy as a fundamental right remains to be seen.

Children's privacy

Section 74 of the Juvenile Justice (Care and Protection of Children) Act 2015 mandates that the name, address or school, or any other particular, that may lead to the identification of a child in conflict with the law or a child in need of care and protection or a child victim or witness of a crime shall not be disclosed in the media unless the disclosure or publication is in the child's best interest. The Personal Data Protection Bill 2019 provides for the protection of personal and sensitive data of children by requiring consent of a parent or guardian and imposing various restrictions on data fiduciaries processing such data.

Health and medical privacy

Under the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations 2002 (Code of Ethics Regulations 2002),[17] physicians are obliged to protect the confidentiality of patients during all stages of procedures, including information relating to their personal and domestic lives, unless the law mandates otherwise or there is a serious and identifiable risk to a specific person or community of a notifiable disease.

Medical Termination of Pregnancy Act 1971

This Act prohibits the disclosure of matters relating to treatment for termination of pregnancy to anyone other than the Chief Medical Officer of the state. The register of women who have terminated their pregnancy, as maintained by the hospital, must be destroyed on the expiry of a period of five years from the date of the final entry.

Ethical Guidelines for Biomedical Research on Human Subjects

These Guidelines require investigators to maintain the confidentiality of epidemiological data. Data of individual participants may be disclosed in a court of law under the orders of the presiding judge if there is a threat to a person's life; disclosure is also permitted to the drug registration authority in cases of severe adverse reaction, and to the health authority if there is a risk to public health.

iv Technological innovation and privacy law

There are no marketing restrictions on the internet or through email. Because India has no comprehensive data protection regime, issues such as cookie consent have not yet been addressed by Indian legislation. The now withdrawn Personal Data Protection Bill 2019 did prohibit data fiduciaries from profiling, tracking or behaviourally monitoring, or generating targeted advertising at children, but it is unclear whether or not its successor will contain similar provisions.

The IT Rules provide reasonable security practices to follow as statutory security procedures for corporate entities that collect, handle and process data, and these also apply to the use of big data. Unfortunately, no specific guidelines exist for the use of big data and big-data analytics in India.

General obligations for data handlers

International data transfer and data localisation

India is not yet a member of the Asia-Pacific Economic Cooperation (APEC), and its inclusion on the forum has so far been limited to observer status. APEC rules therefore do not apply in the Indian jurisdiction thus far.

In terms of restrictions on transfer of data, Section 7 of the IT Rules states that bodies corporate can transfer sensitive personal data to any other body corporate or person within or outside India, provided the transferee ensures the same level of data protection that the body corporate maintained, as required by the IT Rules. A data transfer is only allowed if it is required for the performance of a lawful contract between the data controller and the data subjects; or the data subjects have consented to the transfer.

As worded, Section 7 of the IT Rules is already rather restrictive. However, in some ways this is no different from EU data protection legislation, which restricts transfers of personal data outside the EU unless certain measures are taken, such as requiring the data importer to sign up to EU Model Contract Clauses. In addition, the Ministry of Information Technology clarified via a press note released on 24 August 2011 that the rules on sensitive data transfer described above are limited in jurisdiction to Indian bodies corporate and legal entities or persons, and do not apply to bodies corporate or legal entities abroad. As such, information technology industries and business process outsourcing companies may subscribe to whichever secure methods of data transfer they prefer, provided that the transfer in question does not violate any law either in India or in the country the data are being transferred to. Presumably litigation in this sector – so far non-existent – will further clarify matters.

In general, data protection laws in India apply to businesses established in other jurisdictions as well. Section 75 of the IT Act states that the provisions of the Act would apply to any offence or contravention thereunder committed outside India by any person (including companies), irrespective of his or her nationality, if the act or conduct constituting the offence or contravention involves a computer, computer system or computer network located in India.

Company policies and practices

The general obligations for data handlers elaborated above apply to all companies handling data, and their policies must reflect as much. In addition, the IT Rules contain specific legislation to deal with best practices, particularly in the context of breach and security.

Rule 8 of the IT Rules describes reasonable security practices and procedures as follows:

  1. A body corporate or a person on its behalf shall be considered to have complied with reasonable security practices and procedures, if they have implemented such security practices and standards and have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business. In the event of an information security breach, the body corporate or a person on its behalf shall be required to demonstrate, as and when called upon to do so by the agency mandated under the law, that they have implemented security control measures as per their documented information security programme and information security policies.
  2. The international standard IS/ISO/IEC 27001 on 'Information Technology – Security Techniques – Information Security Management System – Requirements' is one such standard referred to in sub-rule (1).
  3. Any industry association or an entity formed by such an association, whose members are self-regulating by following other than IS/ISO/IEC codes of best practices for data protection as per sub-rule (1), shall get its codes of best practices duly approved and notified by the Central Government for effective implementation.
  4. The body corporate or a person on its behalf who have implemented either IS/ISO/IEC 27001 standard or the codes of best practices for data protection as approved and notified under sub-rule (3) shall be deemed to have complied with reasonable security practices and procedures provided that such standard or the codes of best practices have been certified or audited on a regular basis by entities through independent auditor, duly approved by the Central Government. The audit of reasonable security practices and procedures shall be carried out by an auditor at least once a year or as and when the body corporate or a person on its behalf undertake significant upgradation of its process and computer resources.

There are no statutory registration or notification requirements for either data processors or data controllers.

Discovery and disclosure

If requests from foreign companies are based on an order from a court of law, and if the country in question has a reciprocal arrangement with India, then an Indian court is likely to enforce the request in India. In the absence of a court order, however, no obligation exists against an Indian company to make any kind of disclosure.

In a Ministry of Communications and Information Technology press release, the government clarified that any Indian outsourcing service provider or organisation providing services relating to collection, storage, dealing or handling of sensitive personal information or personal information under contractual obligations with a legal entity located within or outside India is not subject to the IT Rules requirements with respect to disclosure of information or consent, provided it does not have direct contact with the data subjects when providing services.

Public and private enforcement

i Enforcement agencies

See the security practices and policies outlined in Section V.

ii Recent enforcement cases

As is evident from the above, India has no distinct legislative framework to support litigation in the areas of privacy, cybersecurity and data protection. There has been no significant litigation in this area in the recent past. Had the Personal Data Protection Bill 2019 passed into law, a clearer definition of rights may have emerged. The Centre maintains that the legal lacunae will be suitably filled by the revised Bill.

iii Private litigation

A number of writ petitions have been filed against the new Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021 before different High Courts by several entities that would be considered either social media intermediaries or significant social media intermediaries under the Rules. LiveLaw Media Private Limited and Other v. Union of India and Others WP(C) 6272/2021 is one of four cases which the Union of India has petitioned the Supreme Court to have transferred before itself from various High Courts. In LiveLaw Media, the High Court of Kerala has already passed a restraining order against the Indian government, restraining the government from taking coercive action against the petitioners for non-compliance with provisions of the new Rules. The Supreme Court did not stay this order, despite listing the transfer petition for hearing.

In another instance, the Bombay High Court (see the order dated 14 August 2021 passed in Agij Promotion of Nineteenonea Media Pvt Ltd & Others v. Union of India and Others WP (L) 14172 of 2021) has stayed the operation of Rules 9(1) and 9(3) of the new Rules. Rules 9(1) and 9(3) require publishers of news and curated content to adhere to a Code of Ethics, including norms of journalistic conduct, and prescribe a three-tiered structure of regulation.

These cases are all currently sub judice.

Considerations for foreign organisations

Indian jurisprudence does not touch upon compliance requirements for organisations functioning outside India (see Section IV).

Cybersecurity and data breaches

See Sections V and VI for information on breaches and breach reporting requirements.

Software development and vulnerabilities

Digital governance and convergence with competition policy

Outlook

The several agencies performing cybersecurity operations in India, such as the National Technical Research Organisation, the National Intelligence Grid and the National Information Board, require robust policy and legislative and infrastructural support from the Ministry of Electronics and Information Technology, and from the courts, to enable them to do their jobs properly. While the now withdrawn Personal Data Protection Bill 2019 offered some promise of such support, the government has indicated that the new Bill will be presented in Parliament very swiftly. A note circulated to Members of Parliament indicated that the revised Bill will be a 'comprehensive legal framework' and will be 'designed to address all of the contemporary and future challenges of the digital ecosystem'.18


FAQs

How is data protected in India?

The DPDP Act is a recent piece of legislation for the processing of personal data in India. It was finally adopted almost six years after the Supreme Court recognised the fundamental right to privacy in Article 21.

Is GDPR enforceable in India?

The GDPR has extraterritorial scope. This means that GDPR compliance applies to Indian organisations if they collect data from any residents of the EU.

Is there a data protection authority in India?

The DPDP Act provides for the establishment of a Data Protection Board of India (Board), an independent body tasked with overseeing the implementation and enforcement of the DPDP Act. The Government of India is yet to establish the Board.

Which law is used to protect digital information in India?

The scope of India's Digital Personal Data Protection (DPDP) Act: the DPDP Act, like the GDPR and similar data privacy laws, also applies to any entity that processes personal data outside the territory of India where that data relates to any data principal within the territory of India.

What law governs data protection in India?

The Digital Personal Data Protection Act, 2023 ("DPDPA"), India's long-awaited general law protecting personal data, was finally passed on August 11, 2023.[1] After more than five years of discussion, the new law was passed, making it the first cross-sectoral law on personal data protection in India.

What is the status of the data protection Act in India?

In early August 2023, the Indian Parliament passed the Digital Personal Data Protection (DPDP) Act, 2023. The new law is the first cross-sectoral law on personal data protection in India and has been enacted after more than half a decade of deliberations.

How is Indian data protection different from the GDPR?

The DPDPA's consent standard is similar to that of the GDPR, requiring consent to be “free, specific, informed, unconditional and unambiguous with a clear affirmative action” and, unlike the GDPR, it does not permit processing under the lawful bases of contractual necessity or legitimate interests.

How can I comply with GDPR in India?

Protecting individual rights under the GDPR means allowing individuals to: access their personal data; have their data erased; stop or restrict processing of their data; and be informed about how their data is being used (which allows them to obtain and reuse their data for different services).

What is the difference between the GDPR and the PDPA in India?

Personal data that is made publicly available by the data principal, or pursuant to a legal requirement, is out of scope of the DPDPA. A further gap: the DPDPA applies only to "digital personal data", whereas the GDPR applies to personal data even if that data is non-digital.

Why is data protection important in India?

Data privacy safeguards the collection, use, alteration, retention and disclosure of personal and sensitive data. It advocates for the right of individuals to keep their information private and confidential, including the right to be forgotten.

Is data privacy a right in India?

The right of privacy is a fundamental right. It is a right which protects the inner sphere of the individual from interference from both State and non-State actors and allows individuals to make autonomous life choices.

Which act in India focuses on data privacy and information technology?

(1) This Act may be called the Information Technology Act, 2000. (2) It shall extend to the whole of India and, save as otherwise provided in this Act, it applies also to any offence or contravention thereunder committed outside India by any person.

What is the penalty for non-compliance with Indian data privacy law?

The DPDP Act imposes penalties for non-compliance ranging from INR 10,000 (approximately USD 120) to INR 250 Crores (approximately USD 30,066,632), depending on the nature of non-compliance.

What are all the cyber laws present in India?

The Information Technology Act, 2000 addresses the gamut of new-age crimes. Computer technology, mobile devices, software and the internet are both the medium and the target of such crimes. Traditional criminal activities, such as theft, fraud, forgery, defamation and mischief, are also part of cyberspace.

Is data privacy a human right in India?

Supreme Court ruled that Right to Privacy is "intrinsic to life and personal liberty" and is inherently protected under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution.

Author: Golda Nolan II
