India - Data Protection Overview
1. Governing Texts
The Constitution of India ('the Constitution') recognises a fundamental right to privacy. This constitutional right casts a long shadow on Indian law and influences policy and judicial action and acts as a check on legislative and executive action. In addition to the public law implications, this right has influenced the development of a tortious right against the invasion of privacy and the interpretation of rights embodied in laws on consumer protection, health, IT, telecom licences, and the financial sector.
In general, Indian data protection requirements are located in multiple diverse sources, including:
- Information Technology Act, 2000 ('the IT Act'), Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ('the SPDI Rules');
- the Information Technology (The Indian Computer Emergency Response Team and the Manner of Performing Functions and Duties) Rules, 2013 ('CERT-In Rules');
- Direction No. 20(3)/2022-CERT-In ('the Directions');
- Consumer Protection Act, 2019 ('CPA') and Consumer Protection (E-Commerce) Rules, 2020;
- rules made by the Reserve Bank of India ('RBI');
- rules imposed by the Telecom Regulatory Authority of India ('TRAI');
- rules imposed by the Insurance Regulatory and Development Authority of India;
- rules imposed by the Securities and Exchange Board of India ('SEBI');
- rules imposed by the Pension Fund Regulatory and Development Authority;
- various decisions of Indian courts; and
- Unified Licence Agreements issued pursuant to the National Telecom Policy, 2012 by the Department of Telecommunications ('DOT').
The IT Act and the SPDI Rules
Most companies, regardless of sector, are most keenly impacted by the IT Act and the SPDI Rules.
The IT Act mandates that body corporates (e.g. companies, firms, sole proprietorships, and other associations of individuals engaged in commercial or professional activities) that handle sensitive personal data or information are liable to pay damages for any loss caused by their negligence in implementing and maintaining reasonable security practices and procedures.
In this regard, the IT Act also prescribes criminal penalties that include both imprisonment of up to three years and fines for persons that disclose personal information without the consent of the person to whom the data relates, where such disclosure is in breach of a contract or results in wrongful loss or gain (see section below).
Draft legislation and policies
In addition to the above, the following draft laws and policies that regulate data protection principles are at various stages of discussion or implementation:
- Non-Personal Data Governance Framework ('the NPD Framework'), which is currently being deliberated by the Committee of Experts constituted under the Ministry of Electronics and Information Technology ('MeitY'), which has published two reports on non-personal data;
- Draft National Data Governance Framework Policy;
- Digital Information Security in Healthcare Act, 2017 ('DISHA');
- Framework for the India Digital Ecosystem Architecture 2.0, which is a consultation draft released by Centre for Development of Advanced Computing under MeitY; and
- Ayushman Bharat Digital Mission ('ABDM') and the draft revised Health Data Management Policy issued by the Ministry of Health and Family Welfare.
DISHA is a draft law that aims to regulate health data, an area where the constitutional promise of a fundamental right to privacy, as mentioned above, has a large influence. Separately, the Government of India ('the Government') has issued the Electronic Health Record Standards, 2016 for the maintenance of electronic records and has stood up the ABDM, a government initiative that aims to develop digital health infrastructure in India.
In August 2022, the Government withdrew India's draft data protection law, the Personal Data Protection Bill, 2019 ('the Bill') in light of the industry and political pushback. Instead, the Government intends to introduce a comprehensive legal framework to regulate privacy within the digital ecosystem.
1.3. Case law
Modern Indian case laws on data protection and privacy emanate from the decision by the Supreme Court of India ('the Supreme Court') in Justice K S Puttaswamy and Anr v. Union of India and Ors [Writ Petition (Civil) No. 494 of 2012]. In Puttaswamy, the Supreme Court unanimously held that the right to privacy was an intrinsic element of the promise of the right to life and personal liberty protected under Article 21 of the Constitution, and that it included, at its core, a negative obligation to not violate the right to privacy and a positive right to take all actions necessary to protect the right to privacy. Puttaswamy changed the contours of Indian privacy law, the interpretation of the existing privacy rules, and raised the spectre of a robust common law tort of violation of privacy, independent of statutory rules.
The Supreme Court went on to clarify that any law that encroached upon the right to privacy would be subject to constitutional scrutiny, and would have to meet the three-fold requirement for:
- necessity; and
Furthermore, the Supreme Court crafted a positive obligation on the Government to enact legislation that adequately protects the right to privacy. Presently, various High Courts are dealing with data protection issues from a post-Puttaswamy perspective. While a clear judicial trend cannot be identified, it is evident that data collection and processing efforts in India must evaluate and anticipate the impact of Puttaswamy on Indian data law.
Other decisions of impact from the Supreme Court include:
- R Rajagopal and Ors v. State of Tamil Nadu [Writ Petition (Civil) No. 422 of 1994], which recognised tortious remedies for breach of privacy and the ability to seek damages for invasions of privacy; and
- Mr X v. Hospital Z [Civil Appeal No. 4641 of 1998], which dealt with the privacy-related implications of disclosures of health data. The Court held that in a conflict between the right to privacy and the public interest, the public interest would override an individual's right to privacy.
In the post-Puttaswamy landscape, different High Courts have been grappling with the exercise of various dimensions of privacy rights. Notably, Subhranshu Rout @ Gugul v. State of Odisha [BLAPL No. 4592 of 2020], Sri Vasunathan v. the Registrar General, High Court of Karnataka and Ors [General Writ Petition No. 62038 of 2016], and Dharamraj Bhanushankar Dave v. State of Gujarat and Ors [SCA No. 1854 of 2015], are recent decisions by different High Courts on the contours of the right to erasure and the right to be forgotten. Varying stances were adopted by each of these courts, and it is safe to assume that until a new law comes into effect, the scope and impact of these rights will continue to be judicially debated.
In addition, the Competition Commission of India, the country's anti-trust regulator, is presently hearing multiple complaints that involve the misuse of data in connection with arguments on both abuses of dominance and anti-competitive practices among certain companies.
2. Scope of Application
The SPDI Rules
The SPDI Rules apply with respect to natural persons.
The SPDI Rules
The SPDI Rules are issued under the IT Act and, in addition to having territorial application, apply to offences that occur outside India if the offences involve electronic resources located in India.
The SPDI Rules
The SPDI Rules generally apply to body corporates that process sensitive personal data or information, a category of personal data that includes passwords, financial information, physical, physiological, and mental health conditions, sexual orientation, medical records and history, and biometric information. However, certain rules apply to the processing of all personal data, such as the rules on the publication of privacy policies, access and rectification rights, grievance redressal, and transfer of information.
3.1. Main regulator for data protection
In general, MeitY is empowered to provide guidance on matters in the realm of electronics and information technology. In matters that involve security incidents, MeitY has constituted the Indian Computer Emergency Response Team ('CERT') which acts as the nodal agency that receives and responds to all breach notifications.
There is no data protection authority under the IT Act or the SPDI Rules. Clarifications on either must be sought from MeitY. MeitY does not have a formal process for seeking clarifications. Breach notifications, under the present law, are sent to CERT.
3.2. Main powers, duties and responsibilities
As mentioned above, MeitY, under the present law, may issue clarifications or guidance to companies, and CERT receives and investigates breach notifications.
4. Key Definitions
Personal data: Under the SPDI Rules, 'personal information' is any information that relates to a natural person, which either directly or indirectly, in combination with other information available or likely to be available by a body corporate, is capable of identifying such person.
Sensitive data: Under the SPDI Rules, 'sensitive personal information or data' means passwords, financial information, physical, physiological, or mental health conditions, sexual orientation, medical records and history, and biometric information. However, it does not include any personal data that is freely available or accessible in the public domain, furnished under the Right to Information Act, 2005, or under any other law in force.
Biometric data: 'Biometrics' are defined under the SPDI Rules as technologies that measure and analyse human body characteristics, such as fingerprints, eye retinas and irises, voice patterns, facial patterns, hand measurements, and DNA, for authentication purposes.
Data subject: Under the SPDI Rules, there is no definition of 'data subject'.
5. Legal Bases
Under the SPDI Rules, consent is the only ground for processing data.
The SPDI Rules
Under the present law, consent is the primary basis for processing data. The nature of consent is not clearly defined, so businesses commonly rely on general principles of contract law to determine how, when, and through which means consent ought to be obtained. If consent is obtained freely and without undue influence, there are few limitations on the process and method of obtaining it. However, if such consent is obtained by virtue of a standard form contract, the terms of the contract must be reasonable.
Under the SPDI Rules, the provider of data should have an option to opt out of providing the data or information that is being sought by body corporates. Providers of information should have this option at all times while availing themselves of services from body corporates, as well as have an option to withdraw consent that may have been given earlier.
Unlike many other jurisdictions, should providers not consent to the collection of information or otherwise withdraw their consent, the SPDI Rules allow body corporates not to provide goods or services for which the information was sought.
In addition to the right to opt out of sharing information, information providers have the right to review the information they have provided and to seek the correction or amendment of such information if incorrect.
The SPDI Rules
Under the SPDI Rules, sensitive personal data or information should only be collected for a lawful purpose connected with a function or activity of the body corporate (or any person on its behalf), and the collection of the data must be necessary for such purpose.
7. Controller and Processor Obligations
The SPDI Rules
The SPDI Rules do not contemplate the concepts of or distinguish between controllers and processors. All companies that process personal data must display on their websites privacy policies a notice of their processing activities, the types of data collected and purposes for their collection, any disclosure practices, and descriptions of their security safeguards.
The SPDI Rules
Export of sensitive personal data or information within or outside India is permissible, provided that the same standards of data protection required in India are adhered to, and that transfer is necessary for the performance of a lawful contract or has been consented to by the provider of the information.
Unified licence agreements
User information and accounting information cannot be transferred by telecom service providers outside India.
RBI localisation requirement
The RBI has directed all companies (whether banks or otherwise) that are involved in the payments sector to process and store all financial information in India. In the case of cross-border transactions with a foreign leg and a domestic leg, the regulator requires mirroring prior to transfer.
Payment transactions may be processed abroad. However, on completing the processing, all data in relation to the processing should be stored only in India and all records outside India should be deleted.
Additionally, the Guidelines on Digital Lending released by the RBI in September 2022 require regulated entities, such as commercial banks and non-banking financial companies, among other obligations, to store all data only on servers located within India, and to ensure that any lending service providers or digital lending applications engaged by them do the same.
Any data transfer of digital health data by a clinical establishment or entity can only occur upon the receipt of the consent of the owner, who has been informed of their rights under DISHA, and is aware of the purposes of the collection of their digital health data.
The SPDI Rules
The SPDI Rules require body corporates to appoint a grievance officer who is to redress the grievances that providers of information may have (Rule 5(9) of the SPDI Rules). Any grievances that information providers may have with respect to the processing of information are to be addressed by body corporates in a time-bound manner, and no later than a month from the date of the receipt of the grievance.
The SPDI Rules
The SPDI Rules are silent on the process or procedure to be followed in the case of data breaches or cybersecurity incidents.
However, the Directions, read with the CERT-In Rules, provide the framework for breach notifications to CERT. Certain cybersecurity incidents must be reported to CERT by regulated entities within six hours of noticing, or being brought to notice about, such incidents.
Mandatory reporting requirements extend to:
- the targeted scanning or probing of critical networks or systems;
- the compromise of critical systems or information;
- the unauthorised access of IT systems or data;
- the defacement of a website or intrusion into a website, including unauthorised changes such as inserting malicious code or links to external websites;
- malicious code attacks, such as the spreading of viruses, worms, trojans, bots, spyware, ransomware, or cryptominers;
- attacks on servers, such as database, mail, and DNS servers, and on network devices such as routers;
- identity theft, spoofing, and phishing attacks;
- denial of service and distributed denial of service attacks;
- attacks on critical infrastructure, SCADA, operational technology systems, and wireless networks;
- attacks on applications such as e-governance or e-commerce applications;
- data breaches;
- data leaks;
- attacks on internet of things ('IoT') devices and associated systems, networks, software, servers;
- attacks or incidents affecting digital payment systems;
- attacks through malicious mobile applications;
- fake mobile applications;
- unauthorised access to social media accounts;
- attacks or malicious or suspicious activities affecting cloud computing systems, servers, software, or applications;
- attacks or malicious or suspicious activities affecting systems, servers, networks, software, or applications related to big data, blockchain, virtual assets, virtual asset exchanges, custodian wallets, robotics, 3D and 4D printing, additive manufacturing, or drones; or
- attacks or malicious or suspicious activities affecting systems, servers, software, or applications related to artificial intelligence and machine learning.
All other data breaches may voluntarily be disclosed to CERT.
The SPDI Rules
While the SPDI Rules prescribe that collectors of information should not retain information for longer than required, they do not specify a limitation period for how long data can be stored. However, general practice indicates that data is retained for the duration of applicable limitation periods in relation to causes of action that may arise.
In accordance with KYC norms and anti-money laundering standards, banks have been instructed to maintain records of transactions for a minimum of five years from the date of transaction.
Licences issued by TRAI prescribe varying periods of retention, depending on the underlying nature of the data. For example, results of security tests for equipment should be retained for a period of ten years from the procurement of the equipment. Call records should be retained for a minimum of one year, and unless directed otherwise by the regulator, deleted thereafter.
The SPDI Rules
Given that one cannot obtain valid consent from minors, companies would be well-advised to obtain consent from parents or guardians when processing children's data.
8. Data Subject Rights
The SPDI Rules
Individuals have the right to review the information that body corporates may have on them.
The SPDI Rules
Individuals have the right to seek the correction or amendment of inaccurate or deficient information that body corporates may have on them.
The SPDI Rules
There is no express right of erasure under the SPDI Rules. However, individuals have the right to withdraw consent for processing their personal data, and recent market practices indicate a growing trend to recognise an implied right to erasure within the exercise of such a right.
Data principals have the right to withdraw consent under the SPDI Rules.
The SPDI Rules
A body corporate that is negligent in implementing and maintaining security practices and procedures for protecting sensitive personal data or information may be liable to pay compensation to the person affected. In this regard, the maximum compensation that may be imposed is not specified.
Separately, persons acquiring information under the powers granted by the IT Act or the SPDI Rules may be penalised by up to two years' imprisonment and/or a fine for disclosing information, documents, correspondence, electronic records, or other material to third parties, without the consent of the person disclosing the information. Directors and other persons responsible for the conduct of the business may be liable for offences by companies, unless they prove they did not have knowledge of the contravention or that they exercised diligence to prevent the offence. Any person, including an intermediary, with access to personal information and providing services under a contract, may be subject to imprisonment for up to three years and/or a fine if they disclose personal information to third parties in breach of contract or without the consent of the person to whom the personal information belongs.
To exercise rights under the SPDI Rules, individuals may file a complaint with an adjudicating officer appointed under the IT Act. Provided both parties have consented, appeals from decisions of such officer are heard before the Telecom Disputes Settlement and Appellate Tribunal ('TDSAT'). Appeals from the TDSAT's decisions may be brought before the respective state's High Court.
Unified Licence Agreements
Under the Unified Licence Agreement issued by the DOT, penalties of up to INR 500,000 (approx. €6,000) per occasion may be levied on telecom service providers that breach their security obligations. The DOT may constitute a committee to determine the nature and cause of the breach, and impose penalties on, among other factors, the basis of loss and the gravity of the breach.
Under the CPA, the unauthorised disclosure of personal information that was provided in confidence constitutes an unfair trade practice and allows consumers to seek remedies in this regard.
A person who breaches an individual's digital health data is liable to pay damages by way of compensation to the owner of the data. In the event of a serious breach, for example where the breach occurs intentionally or fraudulently, the person committing the breach may be imprisoned for a term of between three and five years or may be subject to a minimum fine of INR 500,000 (approx. €6,000).
There has been an uptick in decisions issued by the TDSAT under the SPDI Rules, typically in the context of financial institutions that were negligent in protecting data from fraudulent transactions. Following the Puttaswamy case, there are several ongoing cases on the contours of the right to privacy, notable ones including decisions on India's biometric-based social security system, Aadhaar, under the Unique Identification Authority of India, and in the context of group transfers and disclosures of data on WhatsApp.