1 Legal and enforcement framework
1.1 Which legislative and regulatory provisions govern data privacy in your jurisdiction?
India has no specific legislation on data protection. At present, data privacy in India is governed by the Information Technology Act, 2000 (‘IT Act') and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (‘Privacy Rules').
1.2 Do any special regimes apply in specific sectors (eg, banking, insurance, telecommunications, healthcare, advertising) or to specific data types (eg, biometric data)?
While there are no special regimes, certain sector-specific regulations and directions govern data privacy in particular sectors. They include the following:
- Reserve Bank of India (RBI): The RBI is India's central banking authority. The RBI has issued directions that require all banks and payment system providers to localise payment transaction data in India. It has also issued directions that regulate how banks and non-banking financial companies (NBFCs) must safeguard customer information and the arrangements that banks and NBFCs may enter into with outsourcing partners, such as cloud service providers or data processors.
- Insurance Regulatory and Development Authority of India (IRDAI): The IRDAI is the principal regulator of the Indian insurance industry. In 2017 the IRDAI published regulations that govern all outsourcing arrangements entered by Indian insurers. It has also issued guidelines on the implementation of a uniform framework for cybersecurity and information protection by insurers. In 2015 the IRDAI further issued regulations requiring insurers to ensure that records of all policies issued and claims made in India are held in data centres in India only. Similarly, the IRDAI's guidelines on information and cybersecurity for insurers require insurers to host all ‘core business records' exclusively in India.
- The Securities and Exchange Board of India (SEBI): SEBI is the regulator for the securities market in India. SEBI has issued various circulars and directions from time to time, to regulate information security in the securities market. Notably, SEBI issued regulations in 2015 to govern the cybersecurity and cyber resilience frameworks of stock exchanges, clearing corporations and depositories. These regulations prescribe mandatory security breach notification requirements that cover instances of data theft or breach.
1.3 Do any bilateral and multilateral instruments on data privacy have effect in your jurisdiction?
1.4 Which bodies are responsible for enforcing the data privacy legislation in your jurisdiction? What powers do they have?
At present, there is no specific data protection authority that is responsible for enforcing the Privacy Rules. The Ministry of Electronics and Information Technology (MeitY) operates as the nodal agency for information technology in India. However, MeitY's role has hitherto been restricted to the formulation of policy; it has not extended to the implementation of the IT Act or the imposition of penalties.
1.5 What role do industry standards or best practices play in terms of compliance and regulatory enforcement?
As India does not have a robust legal framework for data protection, industry players – especially multinational companies – try to implement data protection policies and frameworks based on industry standards and best practices. However, such implementation is typically voluntary and not for the purposes of compliance.
2 Scope of application
2.1 Which entities are captured by the data privacy regime in your jurisdiction?
All ‘bodies corporate' – including companies, firms and other associations of persons engaged in commercial or professional activities – are subject to the requirements and restrictions prescribed under the Privacy Rules.
2.2 What exemptions from the data privacy regime, if any, are available in your jurisdiction?
The Privacy Rules do not regulate the collection or processing of data by individuals. As discussed above, only bodies corporate are subject to the Privacy Rules. Further, although the Privacy Rules do not define or distinguish between a data controller and a data processor, the government has clarified that several obligations prescribed under the Privacy Rules do not apply to a data processor that does not collect personal information or sensitive personal data or information (SPDI) from a data subject, but merely receives such information from a data collector on a principal-to-principal basis. Among other things, a data processor is not required to:
- obtain a data subject's consent to receive his or her SPDI; or
- give the data subject the ability to access and rectify his or her information.
The government has clarified that these obligations fall on the data collector only, and not the data processor.
2.3 Does the data privacy regime have extra-territorial application?
The IT Act has extra-territorial applicability in certain cases. As per Section 75, the provisions of the IT Act extend to any offence or contravention committed outside India by any person, irrespective of his or her nationality, if the act or conduct constituting the offence or contravention involves a computer or computer system located in India. Therefore, in the context of data protection, the provisions of the IT Act and Privacy Rules will apply if the collection or processing of personal information or SPDI involves a computer or computer system located in India.
3.1 How are the following terms (or equivalents) defined in your jurisdiction? (a) Data processing; (b) Data processor; (c) Data controller; (d) Data subject; (e) Personal data; (f) Sensitive personal data; and (g) Consent.
(a) Data processing
The IT Act and the Privacy Rules do not define ‘data processing'.
(b) Data processor
The IT Act and the Privacy Rules do not define ‘data processor'. However, the government distinguishes between:
- an entity that merely processes personal information and sensitive personal data or information (SPDI) on behalf of another body corporate, on the one hand; and
- an entity that actually collects personal information and SPDI from a data subject, on the other.
Please see question 2.2 for more details.
(c) Data controller
The IT Act and the Privacy Rules do not define ‘data controller'. However, the government distinguishes between:
- an entity that merely processes personal information and sensitive personal data or information (SPDI) on behalf of another body corporate, on the one hand; and
- an entity that actually collects personal information and SPDI from a data subject, on the other.
Please see question 2.2 for more details.
(d) Data subject
The IT Act and the Privacy Rules do not define ‘data subject'. Instead, the Privacy Rules refer to the concept of ‘provider of information'. A ‘provider of information' is a natural person who provides sensitive personal data or information to a body corporate.
(e) Personal data
The Privacy Rules define ‘personal data' or ‘personal information' as any information that relates to a natural person and that either directly or indirectly, in combination with other information available or likely to be available to a body corporate, is capable of identifying that person.
(f) Sensitive personal data
The Privacy Rules define ‘sensitive personal data or information' (SPDI) as personal information relating to a data subject's:
- financial information, such as bank account, credit card, debit card or other payment instrument details;
- physical, physiological and mental health conditions;
- sexual orientation;
- medical records and history; or
- biometric information.
(g) Consent
There is no specific definition of ‘consent' under the IT Act and Privacy Rules.
3.2 What other key terms are relevant in the data privacy context in your jurisdiction?
As per the Information Technology (Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 issued under the IT Act, a ‘cyber incident' is any real or suspected adverse event in relation to cybersecurity that violates an explicitly or implicitly applicable security policy, resulting in unauthorised access, denial of service or disruption, unauthorised use of a computer resource for the processing or storage of information or unauthorised changes to data or information.
4.1 Is registration of data controllers and processors mandatory in your jurisdiction? What are the consequences of failure to register?
No, the IT Act and Privacy Rules do not require data collectors or data processors to be registered in India.
4.2 What is the process for registration?
4.3 Is registered information publicly accessible?
5 Data processing
5.1 What lawful bases for processing personal data are recognised in your jurisdiction? Do these vary depending on the type of data being processed?
The IT Act and Privacy Rules do not prescribe any lawful bases for processing ordinary personal data. At present, such information may be freely collected and processed. However, a data collector may collect and process a data subject's sensitive personal data or information (SPDI) only if:
- the SPDI is collected for a lawful purpose connected with a function or activity of the data collector; and
- the collection of the SPDI is considered necessary for that purpose.
5.2 What key principles apply (eg, notice) when processing personal data in your jurisdiction? Do these vary depending on the type of data being processed? Or on whether it is outsourced?
Under the IT Act and Privacy Rules, the disclosures, actions and compliances applicable to the data collector will vary, depending on the nature of information it collects, stores, processes and/or transfers.
Collection: When collecting personal information or SPDI from a data subject, the data collector must take reasonable steps to ensure that the data subject has knowledge of:
- the fact that the information is being collected;
- the purpose for which the information is being collected;
- the intended recipients of the information; and
- the name and address of agency that is collecting the information and the agency that will retain the information.
Additionally, to collect SPDI, the data collector must obtain the prior written or electronic consent of the data subject. Notably, no such consent is required for the collection of ordinary personal data (which does not contain or consist of SPDI).
Grievance officer: A data collector must appoint a ‘grievance officer' and publish his or her name and contact details on its website. The grievance officer will be responsible for the redressal of grievances with respect to the processing of a data subject's personal information.
Restrictions on use: A data collector must use personal information and SPDI only for the purpose for which it was collected.
Review and opt-out: The Privacy Rules require data collectors to allow data subjects to:
- review the information they provide and ensure that any personal information or SPDI found to be inaccurate or deficient is corrected or amended as feasible; and/or
- withdraw consent to use the information (where applicable).
Privacy policy: A data collector must also publish a privacy policy that sets out:
- the types of data collected by the data collector;
- the purpose for the collection and processing;
- the circumstances for the disclosure of such information; and
- the security practices and procedures implemented by the data collector.
The data collector must ensure that this policy is available for review by data subjects and is published on its website.
5.3 What other requirements, restrictions and best practices should be considered when processing personal data in your jurisdiction?
When a data collector is processing personal information, it should provide detailed disclosures on the mechanisms used for data processing. For instance, the data collector may consider outlining whether the processing is done manually or whether the process is automated. The data collector may also consider maintaining detailed records of the third parties with which data is shared for the purpose of processing, and of the activities involved during processing.
6 Data transfers
6.1 What requirements and restrictions apply to the transfer of data to third parties?
The Privacy Rules permit personal information to be freely transferred to third-party recipients within and outside India. Sensitive personal data or information (SPDI), on the other hand, may be transferred only if:
- the transfer:
  - is necessary for the performance of a lawful contract between the data controller and the data subject; or
  - has been expressly consented to by the data subject; and
- the transferee provides the same or a greater level of data protection than that provided by the transferor.
6.2 What requirements and restrictions apply to the transfer of data abroad? Do these vary depending on the destination?
Subject to the restrictions in relation to transfer of SPDI (discussed in question 6.1), there are no further obligations that apply to the transfer of data abroad.
6.3 What other requirements, restrictions and best practices should be considered when transferring personal data, both within your jurisdiction and abroad?
There are no other restrictions or requirements imposed under Indian law when transferring personal information within or outside India. However, it is now fairly standard for medium and large corporations, and particularly multinational companies, to execute inter-company (or intra-group) data processing agreements and data transfer agreements when transferring or disclosing personal information to each other. Such agreements usually prescribe the minimum information security standards and safeguards that a transferee or processor must implement.
7 Rights of data subjects
7.1 What rights do data subjects enjoy with regard to the processing of their personal data? Do any exemptions apply?
Data subjects enjoy the following rights under Indian law with respect to the processing of their personal information:
- Access and review: The data collector must permit a data subject (if requested) to access and review the information shared by him or her, and to correct or update any inaccurate or incorrect information;
- Opt-out of sharing sensitive personal data or information (SPDI): The data collector must provide a data subject with the option not to provide any SPDI sought to be collected; and
- Withdrawal of consent: The Privacy Rules also allow a data subject to withdraw the consent previously provided to the data collector.
7.2 How can data subjects seek to exercise their rights in your jurisdiction?
The Privacy Rules require a body corporate to address all grievances of a data subject with respect to the processing of personal data or SPDI. For this, the body corporate must appoint a grievance officer to address all grievances of the data subject on behalf of the body corporate.
Accordingly, in the event that a data subject is unable to exercise his or her rights, a grievance can be raised with the grievance officer, who must redress such grievances within one month of the date of receipt of such grievance.
7.3 What remedies are available to data subjects in case of breach of their rights?
The IT Act provides for civil and criminal remedies for breach of a data subject's privacy rights where such breach results in harm or injury to the individual.
Section 72(A) of the IT Act prescribes the punishment applicable for the disclosure of information in breach of a lawful contract. As per Section 72(A) of the IT Act, an individual may be punished by imprisonment for up to three years or a fine of up to INR 500,000, or both, if he or she:
- secures access to any material containing personal information about another person pursuant to a lawful contract;
- discloses such information to a third party without the consent of the person concerned or in breach of the terms of the contract; and
- intends to cause wrongful loss or wrongful gain, or knows that he or she is likely to cause such wrongful loss or wrongful gain.
Further, as per Section 43A of the IT Act, a body corporate that fails to implement reasonable security practices and procedures for the protection of personal information and SPDI may be required to compensate an aggrieved data subject for any injury or harm caused to him or her on account of such failure.
8.1 Is the appointment of a data protection officer mandatory in your jurisdiction? If so, what are the consequences of failure to do so?
Under the Privacy Rules, the appointment of a data protection officer is not mandatory in India. In fact, there is no concept of a data protection officer under the current law.
8.2 What qualifications or other criteria must the data protection officer meet?
8.3 What are the key responsibilities of the data protection officer?
8.4 Can the role of the data protection officer be outsourced in your jurisdiction? If so, what requirements, restrictions and best practices should be considered in this regard?
8.5 What record-keeping and documentation requirements apply in the data privacy context?
The Privacy Rules impose no specific obligations on a body corporate in relation to record keeping or documentation when dealing with personal data or sensitive personal data or information (SPDI). However, as per the Privacy Rules, any personal information or SPDI collected from an individual data subject may be retained only for so long as necessary to fulfil the purpose disclosed to the data subject at the time of collection.
8.6 What other requirements, restrictions and best practices should be considered from a compliance perspective in the data privacy context?
There are no other overarching requirements or restrictions that must be considered. However, entities in specific regulated industries must comply with sector-specific regulations regarding data storage and record keeping. For instance, insurers must comply with the Insurance Regulatory and Development Authority of India's regulations on the storage of insurance records.
9 Data security and data breaches
9.1 What obligations apply to data controllers and processors to preserve the security of personal data?
A data collector must implement such security practices and procedures as are commensurate with the personal information and sensitive personal data or information that is being collected and stored.
This requirement includes implementing a documented information security programme and information security policies containing managerial, technical, operational and physical security control measures.
Notably, the Privacy Rules prescribe International Standard IS/ISO/IEC 27001 on Information Technology-Security Techniques-Information Security Management System-Requirements as a recommended data security standard.
9.2 Must data breaches be notified to the regulator? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?
In India, as per the Information Technology (Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (‘CERT-In Rules'), all bodies corporate must report certain cybersecurity incidents, including any incidents of unauthorised access to IT systems/data, to CERT-In. Such reporting must be done as soon as possible, to allow CERT-In to take or suggest corrective actions. However, Indian companies do not ordinarily report cybersecurity incidents to CERT-In where no third-party actor (eg, a hacker) is involved.
CERT-In is not a data protection authority and only:
- prescribes suggested remedial actions;
- warns stakeholders; and
- coordinates responses to incidents.
Further, no sanctions or penalties have been prescribed in the CERT-In rules for a failure to report cybersecurity incidents to CERT-In.
9.3 Must data breaches be notified to the affected data subjects? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?
No, there is no mandatory requirement under Indian law to notify the affected data subjects.
9.4 What other requirements, restrictions and best practices should be considered in the event of a data breach?
While it is not mandatory for data collectors to report every data breach incident to CERT-In, if the data collector believes that there has been a data breach (even though there is no involvement of a third-party hacker), it must report such incidents to CERT-In. Further, data collectors must also make it a practice to inform the data subjects if the data they have shared has been compromised and keep them informed of the remedial measures adopted to overcome such breach.
10 Employment issues
10.1 What requirements and restrictions apply to the personal data of employees in your jurisdiction?
The IT Act and the Privacy Rules do not prescribe any specific requirements with respect to processing personal data about employees.
10.2 Is the surveillance of employees allowed in your jurisdiction? What requirements and restrictions apply in this regard?
Yes, so long as personal information or sensitive personal data or information collected for the purpose of surveillance is collected and processed in the manner as provided under the Privacy Rules, surveillance of employees is allowed.
10.3 What other requirements, restrictions and best practices should be considered from an employment perspective in the data privacy context?
Although there are no additional restrictions or requirements under law when collecting and processing employee data, it is recommended that certain best practices be adopted. For instance, before monitoring employees in the workplace, the employer must have a robust monitoring policy in place, setting out the purpose of the monitoring of employees and their work devices. Further, employers must make best efforts to ensure that no personal data of an employee is collected; and if the employer collects any personal data (which is not related to work), immediate measures must be taken to remove such data and to inform the employee accordingly.
It is always recommended that the employer adopt a robust employee data privacy and retention policy. An employer must not retain any personal data of an employee after he or she ceases to be employed with the organisation, except where there is a requirement to do so, which must be adequately justified by the employer.
11 Online issues
India has no specific legislation on cookies or similar technologies. While the IT Act addresses information technology, cybersecurity and cybercrimes, it does not prescribe any specific restrictions or compliance requirements with respect to cookies. That said, since cookies and similar technologies are tools to collect and process personal data, they must comply with Indian personal data protection laws and regulations.
11.2 What requirements and restrictions apply to cloud computing services in your jurisdiction from a data privacy perspective?
There are no specific requirements or restrictions that apply to cloud computing services in India. An entity using a cloud computing service will need to determine the applicable sector-specific compliance requirements and restrictions that apply to it (if any), depending on its business operations.
11.3 What other requirements, restrictions and best practices should be considered from a marketing perspective in the online and networked context?
12.1 In which forums are data privacy disputes typically heard in your jurisdiction?
An aggrieved person may bring a private right of action against a body corporate that has contravened provisions of the IT Act or the Privacy Rules that render it liable to pay a penalty or compensation.
In this regard, if the amount of compensation for loss claimed by an aggrieved person is less than or equal to the upper limit prescribed under the applicable provisions, then the aggrieved person must approach the adjudicating officer appointed under the IT Act for initiating proceedings and seek the relief provided under the IT Act. The secretary of the Department of Information Technology for each state in India is the adjudicating officer appointed for this purpose.
However, if the amount of compensation for loss claimed by the aggrieved person is more than the upper limit prescribed under the applicable provisions, then the aggrieved person may approach a jurisdictional civil court and file suit against the body corporate.
12.2 What issues do such disputes typically involve? How are they typically resolved?
As yet, there have been no reported cases of an aggrieved data subject bringing an action against a body corporate for its failure to comply with Section 43A of the IT Act and the Privacy Rules.
12.3 Have there been any recent cases of note?
As yet, there have been no instances in which an individual has initiated a private action against a body corporate for data privacy issues.
13 Trends and predictions
13.1 How would you describe the current data privacy landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?
The Indian Parliament is in the process of overhauling India's data privacy regime. In December 2019 the government released the Personal Data Protection Bill, 2019 for consultation. If enacted, the bill would repeal the Sensitive Personal Data or Information Rules and would significantly alter the compliances and restrictions applicable to data controllers and processors operating in India. The bill is modelled on the EU General Data Protection Regulation and seeks to regulate the processing of personal information by Indian entities and, in certain specific circumstances, offshore entities. The Indian Parliament referred the bill to a joint select committee for further review in December 2019. At present, there is no clear timeline for the enactment of the bill. However, it is not expected that the bill will be enacted into law before December 2020.
14 Tips and traps
14.1 What are your top tips for effective data protection in your jurisdiction and what potential sticking points would you highlight?
Every body corporate should work towards building a robust data protection and security framework. Ideally, they should try to adopt policies and practices which have been adopted by organisations in EU member states and other countries with strict data protection laws. They should also consider implementing some of the following practices to ensure data protection:
- encrypting personal data and sensitive personal data or information which is stored on servers or in data centres, or which is transferred to other parties within or outside India;
- adequately training all personnel who are involved in processing the personal data of individuals on how to handle and safeguard personal data;
- implementing a data retention policy and ensuring, as far as possible, that no data is retained once the purpose for which it was collected has been achieved; and
- building a strong system to overcome any data breach or data loss within a short timeframe.
Acknowledgement: Yajas Setlur co-authored this Guide.