India - Data Protection Overview
The Constitution of India ('the Constitution') recognises a fundamental right to privacy. This constitutional right casts a long shadow on Indian law and influences policy and judicial action and acts as a check on legislative and executive action. In addition to the public law implications, this right has influenced the development of a tortious right against the invasion of privacy and the interpretation of rights embodied in laws on consumer protection, health, IT, telecom licences, and the financial sector.
1. GOVERNING TEXTS
In general, Indian data protection requirements are located in multiple diverse sources, including:
- Information Technology Act, 2000 ('the IT Act') and Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ('the SPDI Rules');
- Consumer Protection Act, 2019 ('CPA') and Consumer Protection (E-Commerce) Rules, 2020;
- rules made by the Reserve Bank of India ('RBI');
- rules imposed by the Telecom Regulatory Authority of India ('TRAI');
- rules imposed by the Insurance Regulatory and Development Authority of India;
- rules imposed by the Securities and Exchange Board of India ('SEBI');
- various decisions of Indian courts; and
- Unified Licence Agreements issued pursuant to the National Telecom Policy, 2012 by the Department of Telecommunications ('DOT').
The IT Act and the SPDI Rules
Most companies, regardless of sector, are most keenly impacted by the IT Act and the SPDI Rules.
The IT Act mandates that body corporates (e.g. companies, firms, sole proprietorships, and other associations of individuals engaged in commercial or professional activities) that handle sensitive personal data or information are liable to pay damages for any loss caused by their negligence in implementing and maintaining reasonable security practices and procedures.
In this regard, the IT Act also prescribes criminal penalties that include both imprisonment of up to three years and fines for persons that disclose personal information without the consent of the person to whom the data relates, where such disclosure is in breach of a contract or results in wrongful loss or gain (see section 6 below).
Draft legislation and policies
In addition to the above, the following draft laws and policies that regulate data protection principles are at various stages of discussion or implementation:
- Personal Data Protection Bill, 2019 ('the Bill');
- Non-Personal Data Governance Framework ('the NPD Framework'), which is currently being deliberated by the Committee of Experts constituted under the Ministry of Electronics and Information ('MeitY'), whose reports on non-personal data can be accessed here and here;
- Digital Information Security in Healthcare Act, 2017 ('DISHA'); and
- National Digital Health Mission ('NDHM') and Health Data Management Policy issued by the Ministry of Health and Family Welfare.
Some of these draft laws will replace or modify existing laws. In particular, the Bill is a controversial draft law that aims to implement similar provisions as the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') into data protection law in India. While the Bill is in the process of being finalised by the Lok Sabha of the Parliament of India ('the Parliament'), key features of the Bill are explored in further detail below.
Furthermore, DISHA is a draft law that aims to regulate health data, an area where the constitutional promise of a fundamental right to privacy, as mentioned above, has a large influence. Separately, the Government of India ('the Government') has issued the Electronic Health Record Standards, 2016 for the maintenance of electronic records and has stood up the NDHM, a government initiative that aims to develop digital health infrastructure in India.
See section 1.1. above.
1.3. Case law
Modern Indian case laws on data protection and privacy emanate from the decision by the Supreme Court of India ('the Supreme Court') in Justice K S Puttaswamy and Anr v. Union of India and Ors [Writ Petition (Civil) No. 494 of 2012] ('Puttaswamy'). In Puttaswamy, the Supreme Court unanimously held that the right to privacy was an intrinsic element of the promise of the right to life and personal liberty protected under Article 21 of the Constitution, and that it included, at its core, a negative obligation to not violate the right to privacy and a positive right to take all actions necessary to protect the right to privacy. Puttaswamy changed the contours of Indian privacy law, the interpretation of the existing privacy rules, and raised the spectre of a robust common law tort of violation of privacy, independent of statutory rules.
The Supreme Court went on to clarify that any law that encroached upon the right to privacy would be subject to constitutional scrutiny, and would have to meet the three-fold requirement for:
- necessity; and
Furthermore, the Supreme Court crafted a positive obligation on the Government to enact legislation that adequately protects the right to privacy. Presently, various High Courts are dealing with data protection issues from a post-Puttaswamy perspective. While a clear judicial trend cannot be identified, it is evident that data collection and processing efforts in India must evaluate and anticipate the impact of Puttaswamy on Indian data law.
Other decisions of impact from the Supreme Court include:
- R Rajagopal and Ors v. State of Tamil Nadu [Writ Petition (Civil) No. 422 of 1994], which recognised tortious remedies for breach of privacy and the ability to seek damages for invasions of privacy; and
- Mr X v. Hospital Z [Civil Appeal No. 4641 of 1998] that dealt with privacy-related implications of disclosures of health data. The Court held that in a conflict between the right to privacy and public interest, public interest would override an individual's right to privacy.
In the post-Puttaswamy landscape, different High Courts have been grappling with the exercise of various dimensions of privacy rights. Notably, Subhranshu Rout @ Gugul v. State of Odisha [BLAPL No. 4592 of 2020], Sri Vasunathan v. the Registrar General, High Court of Karnataka and Ors [General Writ Petition No. 62038 of 2016], and Dharamraj Bhanushankar Dave v. State of Gujarat and Ors [SCA No. 1854 of 2015], are recent decisions by different High Courts on the contours of the right to erasure and the right to be forgotten. Varying stances were adopted by each of these courts, and it is safe to assume that until the Bill comes into effect, the scope and impact of these rights will continue to be judicially debated.
In addition, the Competition Commission of India, the country's anti-trust regulator, is presently hearing multiple complaints that involve the misuse of data in connection with arguments on both abuses of dominance and anti-competitive practices among certain companies.
2. SCOPE OF APPLICATION
The SPDI Rules
The SPDI Rules apply with respect to natural persons.
The Bill applies with respect to natural persons.
The SPDI Rules
The SPDI Rules are issued under the IT Act and, in addition to having a territorial application, applies to offences that occur outside India, if the offences involve electronic resources in India.
The Bill is intended to apply in the following scenarios:
- processing of personal data that has been collected, disclosed, shared, or otherwise processed within India;
- processing of personal data by any Indian entity, citizen, or the State (as defined under Article 12 of the Constitution); and
- processing of personal data by data fiduciaries or data processors that are not present within India, if the processing is in connection with either:
- any business carried on in India or any systematic offering of goods or services to data principals within India; or
- profiling data principals within India.
The provisions of the Bill, however, do not apply to the processing of personal data of data principals outside India by data processors incorporated under Indian laws, provided that such processing is pursuant to a contract between the data processor and any person outside India. This exemption shall come into effect upon notification by the Government.
The SPDI Rules
The SPDI Rules apply to body corporates that process sensitive personal data or information, a category of personal data that includes passwords, financial information, physical, physiological, and mental health conditions, sexual orientation, medical records and history, and biometric information.
The Bill applies to personal data and sensitive personal data. It goes further than the existing treatment of sensitive personal data and information under the SPDI Rules and treats identifiable data, with respect to any characteristic, attribute, trait, or other feature of a person's identity, as personal data. It is worth noting that the definition of personal data applies to both online and offline mediums and includes inferences drawn by the profiling of personal data.
Sensitive personal data is a subset of personal data that is subject to enhanced processing requirements. It includes health or financial data, biometric data, sex life, sexual orientation, and religious or political beliefs. The Bill allows the Government to specify further categories of sensitive personal data.
The provisions of the Bill do not apply to the processing of anonymised data. However, the Government has the power to require data fiduciaries to share anonymised or non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies offered by the Government.
3.1. Main regulator for data protection
In general, MeitY is empowered to provide guidance on matters in the realm of electronics and information technology. In matters that involve security incidents, MeitY has constituted the Indian Computer Emergency Response Team ('CERT') which acts as the nodal agency that receives and responds to all breach notifications.
There is no data protection authority under the IT Act or the SPDI Rules. Clarifications on either must be sought from MeitY. MeitY does not have a formal process for seeking clarifications. Breach notifications, under the present law, are sent to CERT.
The Bill provides for the establishment of a data protection authority ('DPA') which has multiple roles, including guidance, supervision, and enforcement.
3.2. Main powers, duties and responsibilities
As mentioned above, MeitY, under the present law, may issue clarifications or guidance to companies, and CERT receives and investigates breach notifications.
Under the Bill, the DPA's primary duty is to issue regulations to practically implement provisions of the Bill, protect the interests of data principals, prevent any misuse of personal data, ensure compliance with the Bill, and promote data protection awareness. In addition, some of its other duties and responsibilities include:
- monitoring the application of and enforcing provisions of the Bill;
- monitoring technological advancements that may impact data protection practices;
- receiving and inquiring into complaints;
- advising governments on data protection aspects, monitoring cross-border transfers, and specifying codes of practices;
- make regulations to enforce provisions of the Bill, including aspects to be covered in privacy notices, retention periods, expanding on the scope of the ground of processing data for 'reasonable purposes,' restrictions on processing sensitive personal data, and classification of data fiduciaries, among other issues;
- taking prompt and appropriate action in response to any personal data breach; and
- issuing certificates of registration to data auditors.
4. KEY DEFINITIONS
However, the Bill refers to a data controller as a 'data fiduciary.' It means any person, including the State, a company, or a legal person or entity who, either alone or with others, determines the purpose and means of processing.
Under the Bill, a 'data processor' is any person who processes data on behalf of a data fiduciary.
Personal data: Under the SPDI Rules, 'personal information' is any information that relates to a natural person, which either directly or indirectly, in combination with other information available or likely to be available by a body corporate, is capable of identifying such person.
Under the Bill, 'personal data' is data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute, or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and includes any reference drawn from such data for the purpose of profiling.
Sensitive data: Under the SPDI Rules, 'sensitive personal information or data' means passwords, financial information, physical, physiological, or mental health conditions, sexual orientation, medical records and history, and biometric information. However, it does not include any personal data that is freely available or accessible in the public domain, furnished under the Right to Information Act, 2005, or under any other law in force.
Under the Bill, 'sensitive personal data' is defined as personal data which may reveal, be related to, or constitute financial data, health data, official identifiers, sex life, sexual orientation, biometric data, genetic data, transgender or intersex status, caste or tribe, or religious or political belief or affiliation. The Government has the right to define additional categories of sensitive personal data.
Under the Bill, 'health data' is data that relates to the physical or mental health state of a data principal and includes records regarding the past, present, or future state of the health of such data principal, data collected in the course of registration for, or provision of health services, and data that associates the data principal to the provision of specific health services.
Biometric data: Under the Bill, 'biometric data' is defined as facial images, fingerprints, iris scans, or any similar personal data that results from measurements or technical processing operations carried out on physical, physiological, or behavioural characteristics of a data principal which allow or confirm the unique characteristics of the data principal. 'Biometrics' are defined under the SPDI as technologies that measure and analyse human body characteristics, such as fingerprints, eye retinas and irises, voice patterns, facial patterns, hand measurements, and DNAs for authentication purposes.
Data subject: Under the SPDI Rules, there is no definition of 'data subject.'
However, the Bill refers to a data subject as a 'data principal,' which means a natural person to whom personal data relates.
5. LEGAL BASES
Under the SPDI Rules, consent is the only ground for processing data.
In addition, much like the GDPR, and in line with Puttaswamy, the Bill provides for a consent-based approach while processing data. In the absence of consent, the Bill also provides for the following grounds of processing:
- for the necessary functioning of the State, the Parliament, or State Legislatures;
- to comply with orders or judgments of courts or tribunals;
- for purposes related to employment;
- for prompt action, such as in events of medical emergencies, disasters, and breakdowns of law and order; and
- for reasonable purposes, such as whistleblowing, mergers and acquisitions, credit scoring, debt recovery, etc.
We anticipate that the DPA will expend much energy, in its first year of operation, in defining and advising on the grounds of processing.
The SPDI Rules
Under the present law, consent is the primary form of processing data. The nature of consent is not clearly defined, and so businesses commonly rely on general principles of contract law to determine how, when, and through which means consent ought to be obtained. If consent is obtained freely and without undue influence, then there are few limitations on the process and method of obtaining consent. However, if such consent is obtained by virtue of a standard form contract, then the terms of the contract must be reasonable.
Under the SPDI Rules, the provider of data should have an option to opt out of providing the data or information that is being sought by body corporates. Providers of information should have this option at all times while availing themselves of services from body corporates, as well as have an option to withdraw consent that may have been given earlier.
Unlike many other jurisdictions, should providers not consent to the collection of information or otherwise withdraw their consent, the SPDI Rules allow body corporates not to provide goods or services for which the information was sought.
In addition to the right to opt out of sharing information, information providers have the right to review the information they have provided and to seek the correction or amendment of such information if incorrect.
Consent is the primary legal basis for processing personal data under the Bill. To be valid, consent must be free (that is, free from coercion, undue influence, fraud, misrepresentation, or mistakes), informed, specific, clear, and capable of being withdrawn. Further, the provision of goods or services or their quality, the performance of a contract, or the enjoyment of a legal right or claim cannot be conditional on consent for processing of personal data that is necessary.
We expect significant guidance on consent from the DPA.
Under the Bill, personal data may be processed, if such processing is necessary:
- under any law for the time being in force made by the Parliament or any State Legislature; or
- for compliance with any order or judgment of any Court or Tribunal in India.
Under the Bill, personal data may be processed by the State:
- for the provision of services or benefits to individuals, or in connection with the issuance of certificates, licences or permits;
- to respond to medical emergencies that involve a threat to the life or a severe threat to an individual's life;
- to provide health services and medical treatments during an epidemic or other threat to public health; or
- to ensure the safety of individuals during disasters or breakdowns of public order.
The Bill contemplates two additional grounds for processing personal data:
- The processing of personal data that is necessary for the purposes of employment, such as recruitment, termination of employment, provision of employee benefits and services, and employee verification. However, sensitive personal data may not be processed on this ground.
- The processing of personal data for 'reasonable purposes' that take into consideration interests of data principals, whether consent can be reasonably expected to be obtained, public interest in the processing activity, the effect of such processing, and the reasonable expectations of the data principal in relation to the processing. Examples include whistleblowing, mergers and acquisitions, credit scoring, debt recovery, processing of publicly available data, and the operation of search engines. The Government has the right to specify categories of such reasonable purposes and processes in this regard.
Sensitive personal data
Grounds of processing sensitive personal data also differ slightly. For example, one of the grounds includes seeking explicit consent. While the Bill provides certain grounds under which consent will be valid (for example, it must be free, informed, clear, specific, and capable of being withdrawn), it does not provide guidance on how explicit consent is to be sought, and how it varies substantially from regular consent.
The SPDI Rules
Under the SPDI Rules, sensitive personal data or information should only be collected for a lawful purpose connected with a function or activity of the body corporate (or any person on its behalf), and the collection of the data must be necessary for such purpose.
The Bill imposes certain obligations, detailed in section 7 below, on data fiduciaries, who must comply with these obligations as well as be able to demonstrate such compliance. Personal data should be processed in a fair and reasonable manner that respects the privacy of the data principal:
- processing should only be for specific, clear, and lawful purposes, or other incidental purposes for which the data principal would reasonably expect the personal data to be used;
- collection of personal data should be limited to the data that is necessary for processing;
- data should be processed only on the grounds detailed in the Bill;
- data fiduciaries should provide the data principal with adequate notice of data processing;
- data fiduciaries should ensure that the personal data being processed is complete, accurate, not misleading, and updated; and
- personal data should only be retained for as long as is necessary to satisfy the purpose for which it is processed, and thereafter such data should be deleted.
7. CONTROLLER AND PROCESSOR OBLIGATIONS
The SPDI Rules
The SPDI Rules do not contemplate the concepts of or distinguish between controllers and processors. All companies that process personal data must display on their websites privacy policies a notice of their processing activities, the types of data collected and purposes for their collection, any disclosure practices, and descriptions of their security safeguards.
Under the Bill, controllers are referred to as 'data fiduciaries.' A 'data fiduciary' means any person, including the State, a company, any juristic entity, or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data. The Bill also creates a class of data fiduciaries called 'significant data fiduciaries.' The DPA will have the right to categorise actors as significant data fiduciaries depending, among other factors, on the volume of personal data they process, turnover, and sensitivity of data that is processed. Separately, the Bill also introduces a class of data fiduciaries termed 'consent managers,' to be registered with the DPA, to facilitate obtaining and managing consent for other data fiduciaries through an accessible, transparent, and interoperable platform.
In addition to complying with the principles of data processing that are described above, data fiduciaries are required to prepare Privacy by Design policies (and can choose to have these certified by the DPA, though presently it is unclear if certifications for these policies is mandatory), maintain transparent records of their processing activities, implement security safeguards, report data breaches that cause significant harm to data principals to the DPA, and have in place effective grievance redressal mechanisms.
The Bill imposes further obligations on significant data fiduciaries. For example, if significant data fiduciaries intend to undertake processing activities that involve new technologies, large scale profiling, use of sensitive personal data, or other processing that carries a risk of harm to data principals, they are required to undertake a Data Protection Impact Assessment ('DPIA') and submit it to the DPA. In turn, the DPA has the power to restrict the activity or impose additional conditions for the proposed processing. Furthermore, significant data fiduciaries will have to maintain records in prescribed forms, conduct audits, and appoint data protection officers ('DPO').
Data processors have a narrower set of obligations under the Bill. Apart from processing personal data solely in accordance with data fiduciaries' instructions, they cannot sub-contract their processing activities without the appointing data fiduciary's' written authorisation. Furthermore, data processors are required to implement security safeguards for their processing activities.
Under the Bill, 'significant data fiduciaries' must be registered with the DPA.
The SPDI Rules
Export of sensitive personal data or information within or outside India is permissible, provided that the same standards of data protection required in India are adhered to, and that transfer is necessary for the performance of a lawful contract or has been consented to by the provider of the information.
Unified Licence Agreements
User information and accounting information cannot be transferred by telecom service providers outside India.
RBI localisation requirement
The RBI, India's nodal monetary authority, has directed all companies (whether banks or otherwise) that are involved in the payments sector to process and store all financial information in India. In the case of cross-border transactions with a foreign leg and a domestic leg, the regulator requires mirroring prior to transfer.
Payment transactions may be processed abroad. However, on completing the processing, all data in relation to the processing should be stored only in India and all records outside India should be deleted.
In accordance with the Bill, subject to data localisation requirements, sensitive personal data may be transferred out of India in certain cases. For example, a transfer is permissible if:
- it is in accordance with contractual clauses or intra-group schemes authorised by the DPA;
- it is made to a country, sector within the country, or an international organisation approved by the Government;
- the transfer is necessary, provided the DPA has approved such necessity; and
- in addition to either of the three preceding points, the data principal has explicitly consented to such transfer.
The practical mechanics of obtaining explicit consent are unclear and await clarifications from the yet to be established DPA.
The Bill is silent on the cross-border transfer of personal data that is not sensitive personal data. In the absence of a specific law, we presume that the law intends to not regulate such transfers, subject to such transfers satisfying the general requirements of lawful processing of personal data.
It is worth noting that critical personal data may be transferred outside India in a limited number of situations: for example, if the transfer is to a health or emergency service provider for prompt action, or to a Government-approved country, entity, or organisation. Such transfers will have to be reported to the DPA within prescribed timelines. The Government has the right to prescribe categories of 'critical personal data.' Presently, there is no guidance on the types of personal data that may fall within this category.
Any data transfer of digital health data by a clinical establishment or entity can only occur upon the receipt of the consent of the owner, who has been informed of their rights under DISHA, and is aware of the purposes of the collection of their digital health data.
The Bill requires data fiduciaries to maintain information on processing activities that include the categories of personal data collected and the manner of the collection, purposes of processing, categories of personal data that are processed and which carry a risk of significant harm, procedures for the exercise of rights of data principal, and where applicable, information regarding cross-border transfers of personal data. The DPA will prescribe the format and manner of the maintenance of this information.
Significant data fiduciaries will also have to maintain records in a manner that will be prescribed by the DPA.
Under the Bill, significant data fiduciaries are required to carry out DPIAs when their processing activities involve new technologies, large scale profiling, or use of sensitive data, or any other activity that might carry a significant risk of harm. DPIAs will have to submitted to the DPA that may, in turn, direct the significant data fiduciary to cease such processing activity.
The SPDI Rules
The SPDI Rules require body corporates to appoint a grievance officer who is to redress the grievances that providers of information may have. Any grievances that information providers may have with respect to the processing of information are to be addressed by body corporates in a time-bound manner, and no later than a month from the date of the receipt of the grievance.
The Bill requires significant data fiduciaries to appoint a DPO. In addition to functions that significant data fiduciaries may assign to their respective DPOs from time to time, the Bill details certain functions that the DPO must perform, such as monitoring data fiduciary processing activities to ensure compliance with the Bill, providing advice, assisting and cooperating with the DPA, and acting as points of contact between data principals and data fiduciaries, amongst other activities.
We expect the Government to specify eligibility criteria for DPOs.
In the event a data fiduciary is situated outside India, it must appoint a DPO based in India.
The SPDI Rules
The SPDI Rules are silent on the process or procedure to be followed in the case of data breaches or cybersecurity incidents.
However, the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 ('the CERT Rules'), provides the framework for breach notifications to CERT.
Mandatory reporting requirements extend to:
- targeted scanning or probing of critical networks or systems;
- compromising critical systems or information; and
- unauthorised access of IT systems or data.
All other data breaches may voluntarily be disclosed to CERT.
In light of recent regulatory trends, it may be advisable to disclose any breach that is not insignificant.
The Bill has adopted a harm-based approach to tackling personal data breaches. For example, in the event of a breach, a data fiduciary would be required to report the breach within specified timelines to the DPA, which will determine, depending on the severity of harm that may be caused, whether such breach should be reported to data principals. Harm includes injury (mental, emotional, or physical), identity theft, loss of employment, discrimination, and loss of reputation or humiliation, amongst others. Precise methods of how harm will be gauged remain unclear. Furthermore, the DPA shall have the right to direct the data fiduciary to take remedial action in the event of breaches and post details of such breaches on its website.
The SPDI Rules
While the SPDI Rules prescribe that collectors of information should not retain information for longer than required, they do not specify a limitation period for how long data can be stored. However, general practice indicates that data is retained for the duration of applicable limitation periods in relation to causes of action that may arise.
In accordance with KYC norms and anti-money laundering standards, banks have been instructed to maintain records of transactions for a minimum of five years from the date of transaction.
Licences issued by TRAI prescribe varying periods of retention, depending on the underlying nature of the data. For example, results of security tests for equipment should be retained for a period of ten years from the procurement of the equipment. Call records should be retained for a minimum of one year, and unless directed otherwise by the regulator, deleted thereafter.
The Bill does not prescribe retention periods; however, data should not be retained for a period that is longer than is necessary to satisfy the purpose for which such data was processed.
The SPDI Rules
Given that one cannot obtain valid consent from minors, companies would be well-advised to obtain consent from parents or guardians when processing children's data.
The Bill requires data fiduciaries to process personal data of a child in a manner that is in the best interest of the child. A child is defined as a person below the age of 18. Data fiduciaries are required to verify the age of the child and obtain the consent of their parent or guardian before processing their personal data.
Separately, data fiduciaries that operate commercial websites or services targeted at children or process large volumes of children's personal data may be classified as a 'guardian data fiduciary' by the DPA. Guardian data fiduciaries are barred from profiling, tracking, monitoring, or directing targeted advertising at children and undertaking any other processing of personal data that can cause significant harm to children.
Under the Bill, sensitive personal data may only be processed upon the explicit consent of the data principal and where obtaining consent is not possible, for reasonable purposes that may be prescribed by the Government. The DPA has the right to prescribe safeguards and restrictions for repeated, continuous, or systematic collection of sensitive personal data for profiling of such personal data. The Bill permits the DPA to exempt data fiduciaries who fulfil certain conditions from specific provisions of the law and place them in a sandbox.
Under the Bill, data fiduciaries may only engage with data processors on the basis of a contract. The Bill presently does not expressly prescribe requirements for such contract. However, it requires any additional appointment by the data processor of sub-processors to be on the terms of this contract and further requires any processing by a data processor to be in accordance with the data fiduciary's instructions.
8. DATA SUBJECT RIGHTS
The SPDI Rules
The Bill requires data fiduciaries to provide notice to data principals, at the time of collection of personal data, or if not collected from the data principal, as soon as reasonably practical, with details of the purposes for which personal data is processed, the nature and categories of personal data collected, the identity and contact details of the data fiduciary and the DPO (if applicable), the rights and procedures for withdrawal of consent, the basis for processing, the source of collection (if the data is not received from the data principal), the individuals and entities with whom personal data may be shared, information regarding any cross-border data transfers, periods of retention, procedures for addressing grievances, and data trust scores (where applicable).
The SPDI Rules
Individuals have the right to review the information that body corporates may have on them.
The Bill permits individuals to seek confirmation on whether their personal data is being processed and a summary of the processing activities that are undertaken. Data principals may request copies or summaries of the personal data processed by the data fiduciaries. All information furnished in this regard must be presented in a clear, concise, and easily comprehensible manner. Data principals should also have the right to access, in one place, the identities of the data fiduciaries with whom personal data have been shared, along with the categories of personal data that have been shared.
The SPDI Rules
Individuals have the right to seek the correction or amendment of inaccurate or deficient information that body corporates may have on them.
Data principals have the right to correct inaccurate or misleading data, complete any incomplete personal data, and update personal data that is outdated.
The SPDI Rules
There is no express right of erasure under the SPDI Rules. However, individuals have the right to withdraw consent for processing their personal data, and recent market practices indicate a growing trend to recognise an implied right to erasure within the exercise of such a right.
Under the Bill, having regard to the purposes for which personal data is processed, the data principal is entitled to request the erasure of personal data that is no longer necessary for the purpose for which it was processed.
The Bill also introduces a right to be forgotten, which allows data principals to prevent the disclosure of personal data if:
- the disclosure is no longer necessary or has served the purpose for which it was made;
- the consent that permitted such disclosure has been withdrawn; or
- the disclosure is made contrary to applicable laws.
The right to be forgotten is exercisable by filing an application with an adjudicating officer appointed by the DPA and on the basis of such officer's order.
The Bill also tries to provide a balancing act between this right and the constitutional guarantee of the freedom of speech and expression and the right to information. However, the practical exercise remains to be seen.
Data principals have the right to withdraw consent both under the SPDI Rules and the Bill.
Under the Bill, a data principal's right to data portability is exercisable with respect to personal data that is processed through automated means. Data principals have the right to receive data that has been provided to the data fiduciary, data that has been generated in the course of the provision of any goods or services, and data that form the part of the data principals profile in a structured, commonly used, and machine-readable format. They also have the right to seek the transfer of such data among data fiduciaries.
The SPDI Rules
A body corporate that is negligent in implementing and maintaining security practices and procedures for protecting sensitive personal data or information may be liable to pay compensation to the person affected. In this regard, the maximum compensation that may be imposed is not specified.
Separately, persons acquiring information under the powers granted by the IT Act or the SPDI Rules may be penalised by up to two years' imprisonment and/or a fine for disclosing information, documents, correspondence, electronic records, or other material to third parties, without the consent of the person disclosing the information. Directors and other persons responsible for the conduct of the business may be liable for offences by companies, unless they prove they did not have knowledge of the contravention or that they exercised diligence to prevent the offence. Any person, including an intermediary, with access to personal information and providing services under a contract, may be subject to imprisonment for up to three years and/or a fine if they disclose personal information to third parties in breach of contract or without the consent of the person to whom the personal information belongs.
To exercise rights under the SPDI Rules, individuals may file a complaint with an adjudicating officer appointed under the IT Act. Provided both parties have consented, appeals from decisions of such officer are heard before the Telecom Disputes Settlement and Appellate Tribunal ('TDSAT'). Appeals from the TDSAT's decisions may be brought before the respective state's High Court.
Unified Licence Agreements
Under the Unified Licence Agreement issued by the DOT, penalties of up to INR 500,000 (approx. €5,560) per occasion may be levied on telecom service providers that breach their security obligations. The DOT may constitute a committee to determine the nature and cause of the breach, and impose penalties on, among other factors, the basis of loss and the gravity of the breach.
Under the CPA, unauthorised disclosures of personal information that is provided in confidence would constitute an unfair trade practice and allows consumers to seek remedies in this regard.
Contravention of different provisions of the Bill would result in different penalties. Similar to the situation under the GDPR, contravention by a data fiduciary of a category of obligations may attract a penalty of up to INR 50 million (approx. €556,000) or 2% of the data fiduciary's total worldwide turnover of the preceding financial year, whichever is higher. A contravention by a data fiduciary of obligations in respect of processing of personal data or sensitive personal data, cross-border transfer of personal data, and adherence to the security safeguards detailed in the Bill may attract a penalty of up to INR 150 million (approx. €1.6 million) or 4% of the data fiduciary's total worldwide turnover of the preceding financial year, whichever is higher.
A person who re-identifies personal data that had previously been de-identified by a data fiduciary or a data processor without the consent of the data fiduciary or data processor may be punished with both imprisonment of a term that may extend to three years and a fine of up to INR 200,000 (approx. €2,225).
A person who breaches an individual's digital health data is liable to pay damages by way of compensation to the owner of the data. In the event of a serious breach, for example, if the breach occurs intentionally or fraudulently, the person committing the breach may be imprisoned for a term between three to five years or may be subject to a minimum fine of INR 500,000 (approx. €5,560).
There has been an uptick in decisions issued by the TDSAT under the SPDI Rules, typically in the context of financial institutions that are negligent in protecting data from fraudulent transactions. Post-Puttaswamy, there are several ongoing cases on the contours of the right to privacy, notable ones including decisions on India's biometric-based social security system, Aadhaar, under the Unique identification Authority of India, and in the context of group transfers and disclosures of data on WhatsApp.
From a financial regulator perspective, several global companies have been questioned by the RBI on issues surrounding the storage of payment data in India (see section 7.2. above).