Data protection in India: overview

A Q&A guide to data protection in India.

This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies.

To compare answers across multiple jurisdictions, visit the Data protection Country Q&A tool.

This Q&A is part of the global guide to data protection. For a full list of jurisdictional Q&As visit www.practicallaw.com/dataprotection-guide.

Regulation

Legislation

1. What national laws regulate the collection and use of personal data?

General laws

The national law regulating the collection and use of personal data is the Information Technology Act 2000 (IT Act). The IT Act applies to the whole of India and also to acts committed outside India, although its extra-territorial effects are not entirely clear.

Any person that is negligent in using reasonable security practices and procedures (RSPPs) in protecting sensitive personal data or information (SPDI) is liable to pay compensation for any wrongful loss or wrongful gain (section 43A, IT Act).

RSPPs means the RSPPs as stated in a law in force or as agreed between the parties, or in the absence of such law or agreement, the rules passed by the central government (section 43A, IT Act). The Government of India has issued the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (IT Rules), which cover security procedures and also contain basic rules on privacy.

Therefore, the parties are free to agree on their own rules relating to RSPPs, including any security standards or privacy policy. This generally has the effect of excluding the application of the IT Rules.

Additionally, a person is liable to criminal punishment if he discloses personal information in breach of contract or without the consent of the concerned party, and the disclosure is made with the intention to cause, or knowing that the disclosure is likely to cause, wrongful loss or wrongful gain (section 72A, IT Act).

A government officer will face criminal penalties if, in pursuance of powers conferred on him under the IT Act, he secures access to and discloses electronic records, books, registers, and so on (section 72A, IT Act). This will be considered in relation to other laws that can grant government officers the right to such disclosure.

Sectoral laws

There are several sectoral laws that deal with confidentiality of information, including laws relating to healthcare, telecommunications, banking and securities.

The Professional Code of Ethics of Doctors requires doctors to keep patient information confidential, although such information can be disclosed if there is a serious and identified risk to a person or community.

Under telecommunications laws, customer accounting and user information (except roaming information) cannot be transferred overseas or accessed remotely from overseas.

Banking laws prescribe certain principles on the basis of which a bank can outsource its functions, where this results in data being processed, stored or accessed overseas. This is permitted provided that the following conditions are met:

  • The offshore regulator does not obstruct the arrangement or prevent inspections by the Reserve Bank of India (RBI) or auditors.

  • The availability of records to the management and RBI is not affected by the liquidation of the offshore provider or the bank in India.

  • The offshore regulator does not have access to the data simply because the data is being processed overseas.

  • The jurisdiction of the courts in the offshore location does not extend to the operations of the bank in India.

The outsourcing regulations also require customer data to be isolated and clearly identified, and prohibit any merging of data.

Additionally, credit information companies and credit institutions (including banks) must, in accordance with the Credit Information Companies (Regulation) Act 2005, adopt principles relating to the collection of information, processing of such information, protection of data and the manner of access to and sharing of data. These principles are not prescribed by law or by the regulator, but must be framed by the relevant credit information companies and institutions.

Scope of legislation

2. To whom do the laws apply?

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (IT Rules) only apply to bodies corporate or persons located in India. This is interpreted as meaning that the IT Rules do not apply to the processing of data in India regarding data subjects located overseas. Some of the rules do not apply to business-to-business relations, but only to the collection of individuals' data by businesses. As the IT Rules and clarifications issued subsequently are not well drafted, the applicability of the Rules is not always entirely clear.

3. What data is regulated?

Section 43A of the Information Technology Act, 2000 (IT Act) applies to the use of sensitive personal data or information (SPDI). SPDI refers to:

  • Passwords.

  • Financial information, such as bank account or credit card details.

  • Physical, physiological and mental health condition.

  • Sexual orientation.

  • Medical records and history.

  • Biometric information.

Section 72A of the IT Act applies to all personal information. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 define personal information as any information that relates to a natural person which, either directly or indirectly, in combination with other information available or likely to be available to a body corporate, is capable of identifying such person.

4. What acts are regulated?

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 broadly regulate the:

  • Collection, receipt, possession, use, storage, dealing or handling of sensitive personal data or information (SPDI).

  • Transfer or disclosure of SPDI.

  • Security procedures for protecting SPDI.

  • Transfer of SPDI outside India.

  • Disclosure of SPDI to the government.

  • Retention of SPDI.

  • Review and correction of SPDI.

  • Deletion of SPDI on withdrawal of consent.

5. What is the jurisdictional scope of the rules?

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (IT Rules) only apply to bodies corporate and persons located in India. Although this is not entirely clear, the authors believe this to mean that the IT Rules do not regulate sensitive personal data or information (SPDI) of data subjects located outside India. SPDI can only be transferred to a person outside India if such person provides the same level of data protection as under Indian law (IT Rules).

6. What are the main exemptions (if any)?

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (IT Rules) only apply to India (see Question 5). Some rules only apply to relations between an individual and a body corporate, and not between two body corporates. This means that the IT Rules may only apply to the data collector and not the data processor.

Notification

7. Is notification or registration required before processing data?

Notification or registration is not required before processing data.


Main data protection rules and principles

Main obligations and processing requirements

8. What are the main obligations imposed on data controllers to ensure data is processed properly?

Data controllers have the following main obligations to ensure data is processed properly:

  • Privacy policy. Every data controller that deals with sensitive personal data or information (SPDI) must have a privacy policy, and publish such policy on its website. The privacy policy must describe the type of information collected, the purpose of use of the information, to whom or how the information can be disclosed and the reasonable security practices and procedures followed to safeguard the information. A data controller must also appoint a grievance officer, whose name and contact details must be published on its website. The grievance officer must act on any complaint within 30 days of receiving the complaint.

  • Consent and notification. A data controller cannot collect SPDI unless it obtains the prior consent of the data subject. A business must also, before collecting the information, give the data subject the option not to provide such information. If this is the case, the business has the option to cease providing goods and services for which the information is sought. A business must also ensure that the data subject is aware:

    • that the information is being collected;

    • of the proposed use of the information; and

    • of the name and address of the agency collecting or receiving the information.

  • Use, retention and withdrawal. Data controllers can only use personal information for the purpose for which it was collected. They cannot retain SPDI for longer than is required for the purposes for which the information can lawfully be used, or as otherwise required under any other law. The data subject of the SPDI has the right to review the information provided, and to ask for inaccurate or deficient information to be corrected. The data subject also has the right to withdraw his consent to the collection and use of the SPDI.

  • Disclosure. Disclosure of SPDI to a third party is possible if:

    • it has been agreed in a contract with the data subject;

    • it is necessary for compliance with a legal obligation; or

    • prior permission is given by the data subject.

  • Transfer. A data controller can only transfer SPDI to a third party, whether in India or overseas, if the receiving party ensures the same level of protection as that provided under Indian rules. Additionally, SPDI can only be transferred if it is necessary for the performance of a lawful contract with the data subject, or if the data subject has consented to the transfer. The provisions on disclosure and transfer appear to overlap, and the difference between the two provisions is unclear.

9. Is the consent of data subjects required before processing personal data?

The express consent of data subjects is required before collecting or processing sensitive personal data or information. Online consent is acceptable.

There are no specific rules on the form of consent. There are also no special rules concerning consent by minors.

10. If consent is not given, on what other grounds (if any) can processing be justified?

There are no exceptions to the requirement to obtain the consent of the data subject in order to collect or process sensitive personal data or information.

Special rules

11. Do special rules apply for certain types of personal data, such as sensitive data?

Section 43A of the Information Technology Act 2000 (IT Act) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 only apply in relation to sensitive personal data or information (SPDI). Section 72A of the IT Act deals with personal information. See Questions 1 and 3.


Rights of individuals

12. What information should be provided to data subjects at the point of collection of the personal data?

Before the collection of sensitive personal data or information, the data subject must be informed of the:

  • Fact that the information is being collected.

  • Purpose for which it is collected.

  • Intended recipients of the information.

  • Name and address of the agency collecting or retaining the information.

13. What other specific rights are granted to data subjects?

There are no other specific rights granted to data subjects.

14. Do data subjects have a right to request the deletion of their data?

Before the collection of sensitive personal data or information, data subjects have the option to refuse to provide it. Additionally, data subjects have the right to withdraw consent through notice in writing. On withdrawal of consent, the collecting party has the option not to provide the goods or services for which the information was sought.


Security requirements

15. What security requirements are imposed in relation to personal data?

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (IT Rules) have been issued in accordance with the power of the central government to establish reasonable security practices and procedures (RSPPs) (see Question 1, General laws). The IT Rules provide that security procedures can be either:

  • International Standard IS/ISO/IEC 27001 (Information Technology - Security Techniques - Information Security Management System - Requirements).

  • A code prescribed by an industry association and approved by the central government. To date, no such code has been approved by the central government.

The IT Rules do not set out any mandatory security procedures and the above procedures are merely options that can be followed.

16. Is there a requirement to notify personal data security breaches to data subjects or the national regulator?

There is no requirement to notify personal data security breaches to data subjects or the national regulator.


Processing by third parties

17. What additional requirements (if any) apply where a third party processes the data on behalf of the data controller?

A third party processor who receives data from a data collector must ensure the level of data protection provided for under the IT Rules. Transfer is only permitted if it is necessary for the performance of the contract with the data subject, or where the provider has consented to the transfer. The obligations relating to disclosure of personal data (whether within or outside India) will also apply to third party processors (see Question 5).


Electronic communications

18. Under what conditions can data controllers store cookies or equivalent devices on the data subject's terminal equipment?

Indian law does not expressly regulate the use of cookies or equivalent devices. Under Indian law, a person who downloads, copies or extracts any data, a computer database or information from a computer, computer system or computer network, without the permission of the owner or the person in charge of the computer, computer system or computer network, is liable to compensation and criminal penalties. Therefore, it appears that consent is required for the use of cookies.

19. What requirements are imposed on the sending of unsolicited electronic commercial communications (spam)?

Indian law does not regulate spam e-mails, but regulates unsolicited commercial calls and messages.

Under the old section 66A of the Information Technology Act 2000, sending e-mails causing annoyance or inconvenience attracted criminal penalties. However, this provision was struck down as unconstitutional by the Supreme Court of India in 2015.


International transfer of data

Transfer of data outside the jurisdiction

20. What rules regulate the transfer of data outside your jurisdiction?

The transfer of sensitive personal data or information (SPDI) out of India is possible if the person receiving such SPDI agrees to ensure the same level of data protection as provided under the IT Rules. The rules relating to disclosure and transfer also apply (see Questions 5 and 17).

21. Is there a requirement to store (certain types of) personal data inside the jurisdiction?

Under telecommunications laws, all customer accounting and user information (other than roaming information) must be stored in India, and remote access to such data from outside India is prohibited.

India's central bank, the Reserve Bank of India (RBI) has prescribed detailed guidelines on outsourcing by banks. Under these rules, outsourcing of functions by banks to agencies outside India is permitted if the following conditions are met:

  • The offshore regulator does not obstruct the arrangement or prevent inspections by the RBI or auditors.

  • The availability of records to the management and RBI is not affected by the liquidation of the offshore provider or the bank in India.

  • The offshore regulator does not have access to the data simply because the data is being processed overseas.

  • The jurisdiction of the courts in the offshore location does not extend to the operations of the bank in India.

The government has recently indicated that it wishes to adopt data localisation rules that will require data of Indians to be hosted within India. This is mentioned in a draft M2M policy. The government is believed to be discussing this issue with key global providers such as Facebook and Google. However, to date, no law has been passed in this regard.

Data transfer agreements

22. Are data transfer agreements contemplated or in use? Have any standard forms or precedents been approved by national authorities?

Data transfer agreements are not contemplated. No standard forms or precedents have been approved by the authorities.

23. Is a data transfer agreement sufficient to legitimise transfer, or must additional requirements (such as the need to obtain consent) be satisfied?

A data transfer agreement is not sufficient to legitimise transfer. Under the IT Rules, transfer of sensitive personal data or information is only permitted if the rules for transfer have been complied with (see Question 17).

24. Does the relevant national regulator need to approve the data transfer agreement?

Indian law does not regulate data transfer agreements.


Enforcement and sanctions

25. What are the enforcement powers of the national regulator?

There is no national regulator responsible for the enforcement of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011. Claims for compensation of less than INR50 million made under section 43A of the Information Technology Act 2000 are adjudicated by the Secretary of the Department of Information Technology of the relevant state government. Claims above INR50 million are adjudicated by the civil courts.

26. What are the sanctions and remedies for non-compliance with data protection laws?

There are two provisions that provide for sanctions and remedies for non-compliance with data protection laws:

  • Any person who is negligent in using reasonable security practices and procedures (RSPPs) to protect sensitive personal data or information is liable to pay compensation for any wrongful loss or wrongful gain (section 43A, Information Technology Act, 2000 (IT Act)). The central government has issued the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 regarding the RSPPs.

  • A service provider that discloses personal information without the consent of the data subject or in breach of an agreement with such subject, and with the intent to, or knowing that it is likely to cause wrongful gain or wrongful loss, faces three years' imprisonment or a fine of up to INR500,000, or both (section 72A, IT Act).


Regulator details

There is no regulator responsible for the enforcement of data protection rules. The Ministry of Communication and Information Technology has the power to issue rules under the Information Technology Act, 2000 (IT Act), in particular section 43A of the IT Act.



Online resources

Department of Electronics and Information Technology

W http://deity.gov.in/

Description. This is the website of the Department of Electronics and Information Technology, which provides access to the text of the Information Technology Act, 2000 (IT Act), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, and all other rules issued under the IT Act.



Contributor profiles

Stephen Mathias, Partner

Kochhar & Co

T +91 80 4030 8000
F +91 80 4112 4998
E stephen.mathias@bgl.kochhar.com
W kochhar.com

Professional qualifications. India, Lawyer

Areas of practice. Corporate; mergers and acquisitions; venture capital; technology and telecommunications.

Non-professional qualifications. BA, LLB (Hons), National Law School of India University

Recent transactions. The firm's technology law practice is the first of its kind in India, and largely represents multinational technology companies doing business in India. Its practice includes areas such as licensing, outsourcing, intellectual property, e-commerce, privacy and telecom. In the last five years, the firm has handled over 100 privacy assignments relating to compliance with India's privacy laws.

Languages. English, Hindi

Professional associations/memberships. Franchise Association of Greece (founder member); International Bar Association; International Tax Planning Association; and Society of Trust and Estate Practitioners.

Publications. International Technology Law Association; International Association of Privacy Professionals.

Naqeeb Ahmed Kazia, Associate

Kochhar & Co

T +91 80 4030 8000
F +91 80 4112 4998
E naqeeb.ahmed@bgl.kochhar.com
W kochhar.com

Professional qualifications. India, Lawyer

Areas of practice. Corporate; mergers and acquisitions; venture capital; technology and telecommunications.

Non-professional qualifications. BBA, LLB (Hons), School of Law, Christ University

Recent transactions. The firm's technology law practice is the first of its kind in India, and largely represents multinational technology companies doing business in India. Its practice includes areas such as licensing, outsourcing, intellectual property, e-commerce, privacy and telecom. In the last five years, the firm has handled over 100 privacy assignments relating to compliance with India's privacy laws.

Languages. English, Hindi, Kannada, Urdu
