Support Centre

India

Summary

Law: The regulation of personal data processing is currently limited to the Information Technology Act, 2000 ('the IT Act') and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ('the SPDI Rules') issued thereunder. 

Regulator: There is no general data protection authority.

Summary: Data protection has been of growing concern in India since the Supreme Court of India declared privacy a fundamental right in the Puttaswamy case in 2017. Following the Supreme Court's decision, the Personal Data Protection Bill, 2019 ('the Bill') was formulated by the Ministry of Electronics and Information Technology in 2018 and subsequently referred to the Joint Parliamentary Committee ('JPC') under the Lok Sabha, the lower House of Parliament, for examination and recommendations in 2019.

After much delay, the JPC's report on the Bill was adopted and tabled in December 2021, containing 93 recommendations and a revised version of the Bill to be renamed 'the Data Protection Act, 2021'.

As of 3 August 2022, the Bill was been withdrawn and is no longer being considered in Parliament. However, on 18 November 2022, the new Digital Personal Data Protection Bill, 2022 was published for public consultation.

Insights

The Ministry of Electronics and Information Technology of the Government of India ('MeitY') published the draft Digital Personal Data Protection Bill, 2022 ('the Draft Bill') on 18 November 2022 for public consultation, which was open until 2 January 2023. Aaron Kamath and Varsha Rajesh, from Nishith Desai Associates, discuss the content of the draft Bill and its potential impact on businesses.  

After various legislative predecessors, on 18 November 2022, the Ministry of Electronics and Information Technology ('MeitY') issued the Digital Personal Data Protection Bill, 2022 ('the Bill') for public consultation.

In this Insight article, Supratim Chakraborty, Harsh Walia, Shobhit Chandra, Sumantra Bose, Tashi Gyanee, Sanjuktha Yermal, and Shramana Dwibedi, from Khaitan & Co., discuss key differences and similarities between the Bill and the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').

On 18 November 2022, the Ministry of Electronics and Information Technology ('MeitY') released a draft of the Digital Personal Data Protection Bill, 2022 ('the 2022 Bill'). The 2022 Bill is the fourth iteration of India's proposed personal data protection framework and is a considerably leaner version compared to the erstwhile versions, including its predecessor, the Data Protection Bill, 2021 ('the 2021 Bill'), introduced by the Joint Parliamentary Committee of the Indian Parliament.

Rachit Bahl, Rohan Bagai, and Archana Iyer, from AZB & Partners, draw comparisons between the 2022 Bill and the 2021 Bill, highlighting key similarities and differences and touching on issues surrounding consent, data transfers, data breach notifications, and the role of the supervisory authority, among others.

Following the withdrawal, in August 2022, of the Personal Data Protection Bill, 2019, the Ministry of Electronics and Information Technology ('MeitY') issued, on 18 November 2022, a new Digital Personal Data Protection Bill, 20221 ('the Bill') marking a new landmark in India's journey towards the adoption of a comprehensive privacy framework.

OneTrust DataGuidance Research provides an overview of the newly presented Bill, which is open for public consultation until 17 December 2022.

The proliferation of digital lending platforms led the Reserve Bank of India ('RBI'), India's banking regulator, to appoint a Working Group on Digital Lending ('the Working Group') to make recommendations for its regulation, especially from the perspective of ensuring data security, privacy, confidentiality, and consumer protection1. Pursuant to the submission of the report by the Working Group on 18 November 20212, the RBI announced, in a press release dated 10 August 20223,  its acceptance of, and intention to implement, certain recommendations made by the Working Group, and consequently released the Guidelines on Digital Lending on 2 September 20224 ('the Guidelines'). Arun Prabhu, Partner at Cyril Amarchand Mangaldas, provides an introduction to the Guidelines, including their scope, applicability, and storage obligations.

In the age of digitisation and the internet, the importance of data has increased to a great extent. Subsequently, the need for comprehensive data protection laws has also been noted across several nations over the past few decades. The easy access to the global market and improved communication due to the borderless nature of the internet plays a major role in the Big Data economy. The free flow of data has resulted in closer integration of the communities across the globe and technological advancements in the corporate entities. AMLEGALS Law Firm discusses the intricacies pertaining to cross-border data transfer in India and the best practices associated with such transfer of data across the globe.

The Indian Computer Emergency Response Team ('CERT-In'), the Government nodal agency that deals with cybersecurity threats in India, issued a direction relating to 'Information security practices, procedures, prevention, response, and reporting of cyber incidents for safe & trusted internet'1 ('the Direction') to impose stringent requirements for cybersecurity reporting and introduce broader compliance requirements. Subsequently, CERT-In released frequently asked questions2 ('the FAQs') to clarify certain aspects of the Direction. The Ministry for Electronics and Information Technology ('MeitY') has since held a meeting on 10 June 2022 with stakeholders to provide informal clarifications on certain aspects of the Direction and the FAQs. Aaron Kamath, Varsha Rajesh, and Aniruddha Majumdar, from Nishith Desai Associates, discuss the contents of the Direction, as well as its impact on the industry.

On 28 April 2022, the Indian Computer Emergency Response Team ('CERT-In') published Direction No. 20(3)/2022-CERT-In1 ('the Direction'), which detailed six new rules relating to information security. Among these new rules, entities are now required to report certain cybersecurity incidents to CERT-In within six hours of discovery. OneTrust DataGuidance breaks down this new requirement, considering additional guidance from CERT-In's frequently asked questions2 ('the FAQs') issued on 18 May 2022, as well as India's existing legislation.

Countries across the APAC region have been introducing comprehensive data protection laws and/or updating existing legislation to ensure personal data is protected in the digital era. OneTrust DataGuidance provides an overview of the status of current privacy/data protection bills in Australia, Brunei Darussalam, India, Malaysia, Mongolia, Myanmar, Pakistan, Sri Lanka, Thailand, and Vietnam.

The processing of children's personal data, from collection to destruction, generally carries with it special considerations. Indeed, the level of protection afforded to children is often higher, due to in part their capacity to understand the consequences of providing their information and the potential risks associated with their use or misuse. In part one of this series, OneTrust DataGuidance considers the rules in the APAC region which govern children's personal data, featuring perspectives from Australia, China, India, and Japan.

For insight into handling children's personal data in New Zealand, the Philippines, and Singapore, please see part two here.

The global COVID-19 pandemic has posed, and still poses, many challenges in the context of employment, one of which are the rapidly changing requirements in terms of privacy, data protection, and disclosure of the employees' vaccination status. This Insight series looks across a variety of countries with regards to which information employers can collect, outlining the local requirements in Australia, New Zealand, and Singapore in part one and in China, Japan, India, and Russia in part two.