India: Data Protection & Cyber Security
This country-specific Q&A provides an overview to data protection and cyber security laws and regulations that may occur in India.
1. Please provide an overview of the legal framework governing privacy in your jurisdiction (e.g., a summary of the key laws, who is covered by them, what sectors, activities or data do they regulate, and who enforces the laws enforced)?
Current Legal Framework
As on date, the primary legislation governing privacy in India is the Information Technology Act, 2000 (“IT Act”) read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“Privacy Rules”).
Section 43A of the IT Act requires a body corporate1 possessing, dealing or handling ‘sensitive personal data or information’ (“sensitive PII”)2 in a computer resource, to implement and maintain ‘reasonable security practices and procedures’ to prevent such sensitive PII from unauthorized access, use, alteration, disclosure or damage; failing which the body corporate is required to compensate the Data Subject (defined below) for loss caused on account of unauthorized access or disclosure.
It is pertinent to note that: –
(a) Section 43A only deals with sensitive PII, not with personal information (“PII”).3 Having said so, the Privacy Rules (formulated under this Section) regulate both, PII as well as sensitive PII;4
(b) The Privacy Rules only apply to data of natural persons (“Data Subjects”);
(c) The Privacy Rules are agnostic to the sector or activities that the concerned body corporate engages in. Any body corporate possessing, dealing or handling data of Data Subjects in a computer resource is required to comply with these requirements; and
(d) There is no dedicated regulatory authority that enforces the Privacy Rules. These Rules can however be enforced by the nodal ministry viz. the Ministry of Electronics and Information Technology, Government of India (“MeitY”).
The ‘reasonable security practices and procedures’ prescribed under the Privacy Rules include, amongst others: –
(b) requirement to obtain informed consent before collecting sensitive PII;
(c) stipulations regarding purpose6 and storage limitations;7
(d) providing the Data Subjects an opportunity to not provide or withdraw consent;
(e) conditions governing transfer of PII and sensitive PII; and
(f) other reasonable security practices and procedures to be implemented.8
Privacy as a Fundamental Right
In addition to the IT Act and the Privacy Rules, the right to privacy has now also been recognized as a fundamental right by the highest court, i.e. the Supreme Court (“SC”), in India. In Justice K S Puttaswamy (Retd.) and Another v. Union of India and Others,9 the SC held that: –
(a) the ‘right to privacy’ is a fundamental right guaranteed under the Constitution of India (“Constitution”);
(b) privacy is intrinsic to life and personal liberty guaranteed under Article 2110 of the Constitution; and
(c) right to life and personal liberty are inalienable rights inseparable from human existence and hence, similar constitutional safeguards should be applicable to an individual’s right to privacy.
New Privacy Regime
India is in the process of overhauling its data privacy framework and seems to be taking guidance in this regard from principles outlined under the EU General Data Protection Regulation (EU GDPR). As part of this exercise, a draft bill titled ‘Personal Data Protection Bill, 2018’ (“Privacy Bill”) has been submitted to the Government of India.11 The Privacy Bill is presently in the process of finalization and is likely to be introduced in the Parliament after the new Government takes over.12 Wherever relevant, we have identified provisions of the Privacy Bill, as they are presently proposed.13 However, it is likely that the Privacy Bill will undergo further modifications, before being finally notified.
Several other regulators / authorities including the Telecom Regulatory Authority of India, Department for Promotion of Industry and Internal Trade, Central Drugs Standard Control Organization, Reserve Bank of India etc. either presently regulate or are seeking to regulate the data which may fall within their respective domains (such as subscriber data, payments data, e-commerce user data). It is possible that these regulators / authorities may provide inputs for the finalization of the Privacy Bill or for such regulators / authorities to supplement the Privacy Bill with their own respective data protection requirements.
1 – “Body corporate” is defined in IT Act to mean “any company and includes a firm, proprietorship or other association of individuals engaged in commercial or professional activities”.
2 – “Sensitive personal data or information” means personal information which consists of password, financial information (such as bank account or credit card or debit card details), physical, physiological and mental health condition, sexual orientation, medical records and history, biometric information etc.
3 – “Personal information” is defined in the Privacy Rules to mean any information relating to an individual which (either by itself or in combination with other information available with a body corporate) is capable of identifying such individual. This is the Indian equivalent of PI or PII, commonly referred in other jurisdictions.
4 – Under Indian laws, PII and sensitive PII are popularly referred to as PI and SPDI respectively.
6 – In relation to purpose limitation, PII & sensitive PII collected can only be used for the purpose for which they are collected. Any new purpose not initially informed to the Data Subject hence will require a new consent.
7 – In relation to storage limitation, sensitive PII cannot be retained for longer than is required for the purpose for which is was collected.
8 – Details in relation to some of these aspects have been provided in our responses below.
9 – (2017) 10 SCC 1, delivered on August 24, 2017.
10 – Article 21 of the Constitution states that no person shall be deprived of his life or personal liberty except according to procedure established by law.
11 – The Privacy Bill was submitted by a committee of experts under the chairmanship of former Justice B. N. Srikrishna appointed by the Government of India for this purpose.
12 – The Privacy Bill introduces a unique concept of a fiduciary relationship between Data Subjects (natural persons to whom the personal data relates) and data controllers (persons who determine the purpose and means of processing of personal data). It classifies Data Subjects as ‘data principals’ and data controllers as ‘data fiduciaries’.
13 – The Privacy Bill provides for formulation of codes, rules and regulations. These codes, rules and regulations (once enacted or released in draft form) will provide further clarity in relation to various provisions of the Privacy Bill (such as how consent and explicit consent may be procured for processing of information protected under the Privacy Bill).
2. Are there any registration or licensing requirements for entities covered by these laws and, if so, what are the requirements? Are there any exemptions?
The IT Act and the Privacy Rules do not provide for any registration or licensing requirements for body corporates possessing, dealing or handling PII or sensitive PII.
The Privacy Bill introduces the concept of ‘significant data fiduciaries’ – classified on the basis of volume and sensitivity of personal data processed, turnover etc. It is proposed for such significant data fiduciaries to register themselves with the Data Protection Authority (to be set up once the Privacy Bill is enacted, referred as “Authority”). There is no registration requirement for data fiduciaries, which are not significant data fiduciaries.14
14 – Certain provisions of the Privacy Bill will specifically apply to significant data fiduciaries. These include data audits, data protection impact assessment, record-keeping etc.
3. How do these laws define personally identifiable information (PII) versus sensitive PII? What other key definitions are set forth in the laws in your jurisdiction?
The Privacy Rules define PII and sensitive PII as follows: –
(a) PII – means “any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person”.
(b) Sensitive PII of a person means “such personal information which consists of information relating to:
(ii) financial information such as Bank account or credit card or debit card or other payment instrument details;
(iii) physical, physiological and mental health condition;
(iv) sexual orientation;
(v) medical records and history;
(vi) Biometric information;
(vii) any detail relating to the above clauses as provided to body corporate for providing service; and
(viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise:
provided that any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules”.
The Privacy Bill renames the terms PII and sensitive PII as “personal data” (“PD”) and “sensitive personal data” (“SPD”), respectively. In this guide, any reference to PD and SPD in context of the Privacy Bill will mean PII, and sensitive PII respectively.
No material amendment is proposed in respect of PD;15 however, the scope of SPD is proposed to be enhanced.
SPD has been defined under the Privacy Bill to include passwords, financial data, health data, official identifier, information regarding sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious or political belief or affiliation, and any other category of data as may be specified by the Authority.16 Therefore, the proposed definition will bring in new concepts to the definition of SPD such as official identifier,17 information regarding sex life, genetic data,18 transgender status,19 intersex status,20 caste or tribe, and religious or political belief or affiliation.
15 – “Personal data” is defined in the Privacy Bill to mean “data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such features with any other information”.
16 – Note that SPD is a sub-set of PD.
17 – Official identifier” is defined in the Privacy Bill to mean “any number, code, or other identifier, including Aadhaar number, assigned to a data principal under a law made by Parliament or any State Legislature which may be used for the purpose of verifying the identity of a data principal”.
18 – “Genetic data” is defined in the Privacy Bill to mean “personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the behavioural characteristics, physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question”.
19 – “Transgender status” is defined in the Privacy Bill to mean “the condition of a data principal whose sense of gender does not match with the gender assigned to that data principal at birth, whether or not they have undergone sex reassignment surgery, hormone therapy, laser therapy, or any other similar medical procedure”.
20 – “Intersex status” is defined under the Privacy Bill to mean “the condition of a data principal who is – (i) a combination of female or male; (ii) neither wholly female nor wholly male; or (iii) neither female nor male”.
4. Are there any restrictions on, or principles related to, the general processing of PII – for example, must a covered entity establish a legal basis for processing PII in your jurisdiction or must PII only be kept for a certain period? Please outline any such restrictions or “fair information practice principles” in detail?
Processing of PII is subject to the following restrictions: –
(b) Knowledge of the Data Subject – The body corporate is required to take reasonable steps to ensure that the Data Subjects are aware that their information is being collected, the purpose for collection, intended recipient of such information, and names and addresses of agencies collecting & retaining the information.
(c) Purpose limitation – PII collected can only be used for the purpose for which it is collected.
(d) Opportunity to review – Data Subjects are entitled to review the information provided by them and correct any inaccuracy or deficiency.
(e) Opportunity to not provide & withdraw consent – Prior to collecting PII, Data Subjects have an opportunity not to provide such information. They can also withdraw previously given consent.21
Certain other stipulations apply only to sensitive PII. Details in this regard are given in response to Query 6 below.
In relation to PII, the Privacy Bill contains following provisions: –
(a) Consent – Prior consent by the Data Subject for processing of PD.22
(c) Fair and reasonable processing – There is a duty owed by data fiduciaries towards the Data Subjects, for processing of their data in a fair and reasonable manner that respects their privacy.
(d) Purpose limitation – Express recognition of purpose limitation principle, i.e. PD should be processed only for the purpose specified by the data fiduciary or for any other incidental purpose reasonably expected by the Data Subject to be connected to such specified purpose. The test for any incidental usage is from the lens of the Data Subject and what they can reasonably expect. We expect that a widely worded ‘catch-all’ consent may not be valid under the Privacy Bill.
(e) Storage limitation – The data fiduciary can retain PD only until necessary to satisfy the purpose for which it was processed. Data fiduciaries have to conduct periodic reviews to determine whether retention of PD continues to be necessary.
(f) Data quality – Data fiduciary to take reasonable steps to ensure that the PD processed is complete, accurate, not misleading and updated, in view of the intended purpose.23
21 – Body corporates are entitled to not provide goods or services for which any information is sought – in respect of which consent has not been provided or has been withdrawn.
22 – Note that the requirement to procure consent for processing of PII is not present under the existing regime i.e. the Privacy Rules.
23 – While this obligation has been imposed on the data fiduciaries under the Privacy Bill, the actions that may need to be undertaken by the data fiduciaries to comply with this obligation need to be ascertained. This may be important since correction of incorrect data, completion of incomplete data and updating of out of date data is within the domain of the Data Subject. The Data Subject also has the right of correction under the Privacy Bill.
5. Are there any circumstances where consent is required or typically used in connection with the general processing of PII and, if so, are there are rules relating to the form, content and administration of such consent?
The Privacy Rules require consent of the Data Subjects for collection of sensitive PII. No format has been prescribed. No consent is required for collection of PII.
In India, it is standard practice for companies to obtain a general consent that covers business requirements for sensitive PII and PII. This is achieved through privacy policies, written contracts, or click – wrap ‘I agree’ buttons.
The Privacy Bill proposes that: –
(a) Consent needs to be taken for processing of PD. Such consent should be taken no later than at the time of commencement of processing.
(b) ‘Explicit consent’ needs to be taken for processing of SPD.24
It is expected that the Authority will issue codes / formats for processing of PD and SPD.25
24 – The Privacy Bill provides parameters for when consent will be considered explicit consent, such as, consent should be informed (taking into account that the Data Subjects are made aware that the processing may have significant consequence for the Data Subjects), clear (taking into account that the consent is meaningful and without inference from conduct), and specific (taking into account whether the Data Subjects are given the choice to separately consent to use of different categories of SPD relevant to processing).
25 – While the Privacy Bill does not prescribe the form in which consent and explicit consent may be obtained, once the Authority is set up, it may prescribe guidance in this area.
6. What special requirements, if any, are required for processing sensitive PII? Are there any categories of PII that are prohibited from collection?
Under the Privacy Rules, prior written consent is required for collection of sensitive PII. For seeking this consent, intended usage must be communicated to the Data Subjects.
With respect to sensitive PII, the Privacy Rules also prescribe:26
(a) Lawful purpose – Sensitive PII can only be collected for a lawful purpose connected with the function / activity of the concerned body corporate and where collection of sensitive PII is necessary for that purpose.
(b) Storage limitation – Sensitive PII cannot be retained for longer than it is required for the purpose for which is was collected.
(c) Conditions for transfer – Prior consent of the Data Subjects needs to be taken before sensitive PII can be disclosed to a third party unless such disclosure is: –
(i) agreed under a contract; or
(ii) necessary for compliance with a legal obligation.
(d) Stipulations for third party recipients – Any third party receiving sensitive PII from a body corporate is restricted from disclosing it further.27
(e) Publishing restriction – Sensitive PII cannot be published.
No category of sensitive PII is prohibited from collection.
Except for the incremental requirement to procure “explicit consent” to process SPD, the PD – related compliances given under the Privacy Bill are equally applicable for processing of SPD. It also does not prohibit any category of SPD from being collected.
26 – Please note that measures applicable for processing of PII (identified in our response at Para 4.1 to Query 4 above) also apply to processing of sensitive PII.
27 – The security requirements to be complied with by third party recipients have been indicated in our response to Query 15 below.
7. How do the laws in your jurisdiction address children’s PII?
The Privacy Rules do not contain specific provision for protection of PII or sensitive PII of children.
These concepts have been proposed under the Privacy Bill, such as: –
(a) requiring data fiduciaries to process PD of children28 in a manner that protects and advances their rights and best interests;
(b) requiring data fiduciaries to incorporate appropriate mechanisms for age verification29 and parental control; and
(c) notification of certain data fiduciaries as ‘guardian data fiduciaries’.30
There are other legislations which protect PII or sensitive PII of children and its usage, such as: –
(a) Indian Penal Code, 1860 – prohibits printing or publishing of the name or other details which may make known the identity of a minor,31 where such minor has been a victim of certain prescribed offences (such as rape, sexual intercourse by a person in authority etc.).
(b) Juvenile Justice (Care and Protection of Children) Act, 2015 – prohibits disclosure of name, address, school or other particulars which may lead to identification of a child32 in need of care or protection, a victim or witness of crime etc.
28 – The term “child” has been defined under the Privacy Bill as a data principal below the age of 18 years.
29 – Appropriateness of age verification mechanisms will be determined on the basis of – volume of PD processed, proportion of such PD likely to be that of children, possibility of harm to children etc. The Authority may prescribe further factors to be considered in this regard.
30 – The Authority may notify the following the following as guardian data fiduciaries – data fiduciaries who operate commercial websites or online services directed at children, or data fiduciaries who process large volume of PD of children. The Privacy Bill prohibits guardian data fiduciaries from carrying out certain activities, namely, profiling, tracking, behavioral monitoring, targeted advertising at children or undertaking any other processing that may cause harm to children.
31 – As per the Indian Majority Act, 1875, broadly, a person is considered to be a minor until such person has attained the age of 18 years.
32 – The term “child” has been defined under this statute to mean a person below 18 years of age.
8. Are owners or processors of PII required to maintain any internal records of their data processing activities or to establish internal processes or written documentation? If so, please describe how businesses typically meet these requirements.
The Privacy Rules require body corporates to implement reasonable security practices and procedures including having comprehensive & documented information security programme & policies. One standard prescribed in this regard is ISO/IEC 27001 standard “Information Technology – Security Techniques – Information Security Management System – Requirements” (“ISO Code”).33
Therefore, data processor entities operating in India specify compliance with such standards in their privacy policies or notices.
No other specific records or written documentation need to be maintained under the Privacy Rules. Specific circumstances such as occurrence of cyber security incidents, etc. may lead to a data processor being asked by regulatory authorities to maintain / produce necessary records.
The IT Act specifically requires intermediaries to preserve and retain such information and for such duration as may be specified by the Central Government.34
The Privacy Bill proposes for data fiduciaries to maintain up-to date record of important operations in the life cycle of processing of PD, including collection, transfers, and erasure.
33 – We have included more details in this regard in our response to Query 16 below.
34 – The Central Government is yet to notify specific rules on this issue. In other relevant Indian laws, the requirement to retain records is 8 years.
9. Are consultations with regulators recommended or required in your jurisdiction and in what circumstances?
The Privacy Rules do not mention any consultation requirements with MeitY, or any other authority.
We have identified below some scenarios where consultation may be undertaken or where interaction with the authorities will be required: –
(a) In case of information security breach – The Privacy Rules prescribe that the affected body corporate will need to demonstrate that it has implemented security control measures as per its information security programme and policies.35
(b) Prior to introducing a new legislation – MeitY often publishes consultation papers / draft legislations and seeks comments from the public. The private sector, particularly affected entities, exhibit active involvement in this process.36
(c) In case information is requested by authorized Government agencies including CERT (as defined below): In specific events such as prevention and detection of cyber security incidents, emergency measures for handling cyber security incidents, prosecution of offences, national security, etc.
35 – We have provided further details in relation to information security programme and policies in our response to Query 16 below.
36 – Please note that this is not a mandatory legal requirement.
10. Do the laws in your jurisdiction require or recommend conducting risk assessments regarding data processing activities and, if so, in what circumstances? How are these risk assessments typically carried out?
No such requirement has been prescribed under existing laws. From a practical perspective, such risk assessments would depend on the nature of reasonable security practices and procedures implemented by the body corporate.37
The Bill proposes for significant data fiduciaries to undertake data protection impact assessment in specific scenarios, including data processing basis usage of new technologies, large scale profiling or use of SPD, and any other processing activity which could pose significant risk of harm to the Data Subjects.
Such risk assessment must contain: –
(a) description of the processing activity, purpose of processing and nature of PD being processed;
(b) assessment of potential harm to Data Subjects; and
(c) measures for managing / minimizing / mitigating / removing such risk of harm.
37 – Please see our response to Queries 8 and 16 for more details.
11. Do the laws in your jurisdiction require appointment of a data protection officer, or other person to be in charge of privacy or data protection at the organization? What are the data protection officer’s legal responsibilities?
The Privacy Rules mandate appointment of a grievance officer by the body corporate. The role of such grievance officer is limited to addressing discrepancies and grievances of Data Subjects relating to processing of their information by the body corporate.38
Under existing laws, there is no provision for appointment of a data protection officer, common in other jurisdictions.
The Privacy Bill, however, does contemplate appointment of a data protection officer (“DPO”) by “significant data fiduciaries”.39 The Bill states that the DPOs need to meet the specific eligibility & qualification criteria (as may be prescribed) and sets out the following responsibilities: –
(a) monitoring processing activities of data fiduciaries to ensure compliance with the Bill;
(b) co-operating with the Authority on compliance with the Bill; and
(c) maintaining an inventory of all records related to processing activities of the data fiduciaries, as prescribed under the Privacy Bill.
38 – The grievance officer is required to redress grievances expeditiously, no later than one month from the date of grievance.
39 – Please see our response to Query 2 for more details in relation to significant data fiduciaries.
12. Do the laws in your jurisdiction require providing notice to individuals of the business’ processing activities? If so, please describe these notice requirements (e.g. posting an online privacy notice).
The Privacy Bill proposes for Data Subjects to be able to obtain brief activity summary of the processing of their PD undertaken by data fiduciaries.
13. Do the laws in your jurisdiction apply directly to service providers that process PII, or do they typically only apply through flow-down contractual requirements from the owners?
The Privacy Rules apply directly to body corporates who collect, receive, possess, store etc. PII and sensitive PII.
While such body corporates may transfer information of Data Subjects to third parties (such as to third party service providers for processing), such transfer is permitted subject to the condition that the transferee ensures the same level of data protection that is maintained by the transferor, minimum standards for which are provided under the Privacy Rules.40
Hence, service providers may be statutorily liable for negligence.
The Privacy Bill permits data fiduciaries to appoint data processors41 to process PD on their behalf. These data processors will be authorized to process PD as per instructions of the data fiduciaries. The Privacy Bill contains several provisions that apply directly & equally to data processors and data fiduciaries.
40- Please see our response to Query 15 below in relation to conditions governing transfer of PII and sensitive PII.
41 – “Data processor” is defined in the Privacy Bill to mean “any person, including the State, a company, any juristic entity or any individual who processes personal data on behalf of a data fiduciary, but does not include an employee of the data fiduciary”.
14. Do the laws in your jurisdiction require minimum contract terms with service providers or are there any other restrictions relating to the appointment of service providers (e.g. due diligence or privacy and security assessments)?
For transfer of PII and sensitive PII, equivalent security standards have to be maintained by the transferee, which would typically be included in the contract between the transferor and the transferee.42 No additional requirements including with respect to minimum contract terms or due diligence of service provider are mandated under the Privacy Rules.
42 – More details relating to transfer are given in our responses to Queries 13 and 15.
15. Is the transfer of PII outside the jurisdiction restricted? If so, please describe these restrictions and how businesses typically comply with them (for example, does cross-border transfer of PII require notification to or authorization form a regulator?)
Transfer of PII outside India is not restricted. The Privacy Rules permit transfer of PII and sensitive PII by a transferor to a transferee, irrespective of whether such transferee is located within or outside India.
Such transfer is subject to the following conditions: –
(a) the transferee ensures the same level of data protection that is maintained by the transferor, minimum standards for which are provided under the Privacy Rules; and
(b) the Data Subject consents to such transfer or the transfer is necessary for performance of a lawful contract between the transferor and the Data Subject.
There is no requirement to notify or seek authorisation from a regulator before transfer of PII or sensitive PII outside India.
Sector Specific Issues
Further to a directive issued by the Reserve Bank of India on April 6, 2018, payment system providers (such as banks, non – bank licensees which operate payment systems, card networks such as Visa, Mastercard, etc.) and payment intermediaries operating in the payments sector in India were mandated to comply with data localization norms. The directive requires all data (i.e. end-to-end transaction details) relating to payment systems to be stored in India. Only the foreign leg of a payment transaction is permitted to be stored outside India.43
The Privacy Bill proposes incremental requirements for cross-border transfer of PD and SPD, such as: –
(a) The transfer will be made in accordance with model contract clauses or intra group schemes to be approved by the Authority, unless some country – specific relaxation has been given by the Authority;
(b) A copy of such transferred PD should be stored by the data fiduciary in a server or data centre located in India; and
(c) ‘Critical personal data’ (which would be a sub-category of PD, to be notified by the Central Government) will be processed in a server or data centre located in India only.
Draft E-Commerce Policy
Lastly, under the Draft National eCommerce Policy (“Draft E-Commerce Policy”),44 the Department of Promotion of Industry and Internal Trade has proposed restrictions on cross – border transfer, storage and use of Indian user data generated from social media, search engines, etc.45
43 – There was a lot of resistance from the industry & industry bodies in terms of difficulty in implementing such segregation, costs involved etc. However, the Reserve Bank of India has still gone ahead and implemented the directive.
44 – The Department of Promotion of Industry and Internal Trade formulated the Draft E-Commerce Policy and had invited comments from stakeholders on the same.
45 – The Draft E-Commerce Policy is also at a draft stage and has been subject matter of significant debate.
16. What security obligations are imposed on PII owners and on service providers, if any, in your jurisdiction?
The Privacy Rules require body corporates to implement security practices and standards and have comprehensive information security programme & policies (that contain managerial, technical, operational and physical security control measures) that are commensurate with the information being protected. This requirement is applicable for both, PII & sensitive PII.
One such standard prescribed under the Privacy Rules is the ISO Code.
Any body corporate which collects, receives, stores, deals or handles PII and sensitive PII has to ensure these security practices and standards are implemented. As stated above, if any such body corporate intends to transfer the PII and/or sensitive PII, the transferee should ensure the same level of data protection.
The Privacy Bill proposes for the data fiduciaries to: –
(a) implement policies & measures to ensure that the technology used in processing PD is in accordance with commercially accepted or certified standards; and
(b) implement managerial, organizational, business practices & technical systems to anticipate, identify & avoid harm to Data Subjects.
Additionally, data fiduciaries and data processors are required to implement appropriate security safeguards (to protect the integrity of PD, prevent misuse, disclosure) in view of the nature of PD being processed, risks associated with processing and the severity of harm that may result from such processing. It also entitles the Authority to prescribe security safeguard standards, which will apply to data fiduciaries and data processors.
17. Does your jurisdiction impose requirements of data protection by design or default?
The Privacy Rules embody certain principles of data protection by default. These include purpose and storage limitations. Please refer to our response to Query 4 above for more details.
The Privacy Bill, while retaining these principles, also introduces the concept of privacy by design. For example, it proposes that: –
(a) the interest of the Data Subjects be accounted for at every stage of processing of PD;
(b) privacy is protected throughout processing – from the point of collection to deletion of PD; and
(c) legitimate interest of business is achieved without compromising privacy interests.
18. Do the laws in your jurisdiction address security breaches and, if so, how does the law define “security breach”?
Yes. The Central Government has appointed the Indian Computer Emergency Response Team, Ministry of Electronics and Information Technology (“CERT”) as the national agency to address cyber incidents including cyber security breaches. CERT’s functions include collection, analysis of information on security incidents, forecast and alerts of cyber security incidents, emergency handling measures etc.
The Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (“CERT Rules”) have been issued under the IT Act and define: –
(a) “cyber security breaches” to mean “unauthorised acquisition or unauthorised use by a person as well as an entity of data or information that compromises the confidentiality, integrity or availability of information maintained in a computer resource”; and
(b) “cyber security incident” to mean “any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly applicable security policy resulting in unauthorized access, denial of service or disruption, unauthorized use of a computer resource for processing or storage of information or changes to data, information without authorisation”.
CERT has been authorized to call for information and give directions to service providers, intermediaries, data centres, body corporates and any other person for the purposes of, amongst others, analysis of cyber incidents, alerts of cyber security incidents, emergency measures for handling cyber security incidents etc.
19. Under what circumstances must a business report security breaches to regulators, to individuals, or to other persons or entities? If breach notification is not required by law, is it recommended by the regulator and what is the typical custom or practice in your jurisdiction?
Rules under the IT Act
The requirement to report security breaches may flow from various rules formulated under the IT Act. These include: –
(a) CERT Rules – The CERT Rules require certain cyber security incidents to be mandatorily reported by an individual, organisation or corporate entity affected by such incident. These are: –
(i) targeted scanning/probing of critical networks/systems;
(ii) compromise of critical systems/information;
(iii) unauthorized access of IT systems/data;
(iv) defacement of website or intrusion into a website and unauthorized changes such as inserting malicious code, links to external websites etc.;
(v) malicious code attacks such as spreading of virus/worm/trojan/botnets/spyware;
(vi) attacks on servers such as database, mail and DNS and network devices such as routers;
(vii) identity theft, spoofing and phishing attacks;
(viii) denial of service and distributed denial of service attacks;
(ix) attacks on critical infrastructure, SCADA systems and wireless networks; and
(x) attacks on applications such as e-governance, e-commerce etc.
(b) The Information Technology (Intermediary Guidelines) Rules, 2011 (“Intermediary Guidelines“) – The intermediary Guidelines require intermediaries46 to report cyber security incidents47 and also to share cyber security incidents related information with CERT.
Separately, the Privacy Rules require body corporates to share PII or sensitive PII (without first obtaining consent from the Data Subjects) with authorized Government agencies for the purposes of investigating cyber incidents.48
The Privacy Bill has specific provisions pertaining to reporting of data breach and requires data fiduciaries to notify the Authority of any PD breach (relating to PD processed by the data fiduciary) where such breach is likely to cause harm to any Data Subject. The Authority may thereafter require the data fiduciary to report the breach to the Data Subject taking into account the severity of harm that may be caused or whether some action of the Data Subject is required to mitigate the harm.
46 – The term “intermediary”, with respect to an electronic record, has been defined under the IT Act to mean “any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes.”
47 – The definition of “cyber security incident” under the Intermediary Guidelines is the same as the one provided under the CERT Rules.
48 – “Cyber incidents” is defined in the Privacy Rules to mean “any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly applicable security policy resulting in unauthorised access, denial of service or disruption, unauthorised use of a computer resource for processing or storage of information or changes to data, information without authorisation”.
20. Do the laws in your jurisdiction provide individual rights, such as the right to access and the right to deletion? If so, please provide a general description on what are the rights, how are they communicated, what exceptions exist and any other relevant details.
As indicated in our response to Query 4 above, the Privacy Rules provide Data Subjects certain rights. These include – the opportunity to review, the opportunity to not provide and withdraw consent and things that the Data Subject should know. Please see our earlier response for a general description of these rights.
Whilst such rights have been provided to the Data Subjects, the Privacy Rules do not impose any obligation on body corporates to communicate these to the Data Subjects. Even the provision which identifies the components that need to be included in the privacy policies does not require for communication of Data Subjects rights and how these rights may be exercised.
The Privacy Bill, on the other hand, recognises several rights of Data Subjects. These include right to confirmation and access, right to correction, completion and updation of PD, right of portability of PD from one data fiduciary to another, right to be forgotten, right to receive compensation in case of breach of obligations by the data fiduciary etc. The Privacy Bill stipulates that privacy policies should expressly provide for the existence of and procedure by which the Data Subjects can exercise these rights.
21. Are individual rights exercisable through the judicial system or enforced by a regulator or both? When exercisable through the judicial system, does the law in your jurisdiction provide for a private right of action and, if so, in what circumstances? Are individuals entitled to monetary damages or compensation if they are affected by breaches of the law? Is actual damage required or is injury of feelings sufficient?
Individual rights may be exercisable by seeking remedies before regulators or the judicial system, as applicable.
Typically, the initial step is to raise a complaint before the grievance officer of the body corporate. If they fail to respond or adequately address the issue, other remedies may be sought.
Section 43A of the IT Act mandates that any negligence by a body corporate to protect PII or sensitive PII of a Data Subject in accordance with the IT Act or the Privacy Rules, which causes wrongful loss or gain to any person, will render the corporate liable to pay damages by way of compensation.
The Central Government has appointed adjudicating officers (namely the Secretary of the Department of Information Technology of each State) for conducting inquiry into complaints for breach of Section 43A. For claims up to INR 5 crore, the State Secretaries have exclusive jurisdiction, and their orders can be appealed before the Appellate Tribunal constituted under the IT Act.49 For claims above this threshold, the jurisdiction of civil Courts will apply.
While determining the quantum of compensation, the State Secretary is expected to consider the following: –
(a) quantum of unfair advantage, as a result of the default;
(b) amount of loss caused; and
(c) repetitive nature of the default.
As mentioned above, under the IT Act, the State Secretary will consider amount of loss caused, prior to awarding compensation. In India, Courts are conservative in awarding damages, and it is required that damages must be proved for seeking compensation. In cases where it is not possible to prove the precise quantum of damages, the claimant may be entitled to reasonable damages.
49 – The Telecom Disputes Settlement and Appellate Tribunal is the Appellate Tribunal for the purposes of the IT Act. Appeals from decisions of the Appellate Tribunal, on any question of fact or law, lie with the High Courts.
22. How are the laws governing privacy and data protection enforced? What is the range of fines and penalties for violation of these laws? Can PII owners appeal to the courts against orders of the regulators?
The laws governing privacy and data protection are enforced by MeitY as well as the Courts. The machinery may be set in motion by filing of complaints by Data Subjects before the grievance officers (appointed pursuant to the Privacy Rules) or by reporting of cyber security incidents by body corporates or regulators requesting information from service providers, intermediaries etc.
Negligence in implementing and maintaining reasonable security practices and procedures which cause wrongful loss or wrongful gain to any person render the concerned body corporate liable to pay damages to the person who is affected.50 Additionally, where any person has access to materials containing personal information of another person (while providing services under a contract) discloses such personal information without the consent or in breach of contract within an intent to cause wrongful loss or wrongful gain, such person is punishable with imprisonment up to 3 years and/or fine up to INR 500,000.
We have not come across any restriction applicable to PII owners from appealing the decisions of regulators (such as MeitY) before Courts in India. The exact nature of action that may be brought will vary basis certain factors, such as the cause of action, the counter party, the remedy prescribed under statute, the relief being sought etc.
Separately, depending upon the nature of contravention by data fiduciaries (such as violation of provisions governing processing of PD, SPD etc.), the Privacy Bill proposes penalties up to INR 150 million (approx. USD 2 million) or 4% of the total worldwide turnover of the preceding financial year of the data fiduciary, whichever is higher. The Privacy Bill also proposes imprisonment and/or fine on persons who intentionally, knowingly or recklessly obtain, disclose, transfer, sell or offer to sell SPD which results in harm to a Data Subject.
50 – This penalty has been prescribed under Section 43A of the IT Act, which only deals with sensitive PII and not PII.
23. Does the law include any derogations, exclusions or limitations other than those already described? Please describe the relevant provisions.
The IT Act, and the rules framed thereunder constitute a Central legislation, which is applicable to the whole of India. The Central Government is exclusively empowered to legislate on matters relating to data protection, hence it is not permitted for States to derogate by passing secondary legislation.
Generally speaking, body corporates are not permitted to derogate from or claim exemptions from the requirements imposed therein, except in specific circumstances, including information access and disclosure requests from authorized Government agencies including CERT for prevention or investigation of cyber security incidents, prosecution and punishment of offences, to name a few.
24. Please describe any restrictions on monitoring or profiling in your jurisdiction including the use of tracking technologies such as cookies – how are these terms defined and what restrictions are imposed, if any?
There is no specific restriction given under the IT Act in respect of use of monitoring / profiling / tracking technologies (such as cookies).
This is typically governed by the conditions of use of websites.
25. Please describe any laws addressing email communication or direct marketing?
The transmission of voice calls and SMS using telecommunication services is governed by the Telecom Commercial Communications Customer Preference Regulations, 2018 (“Regulations”).
The Regulations govern transmission of the following kinds of commercial communications51 – promotional,52 transactional53 and service SMS / calls and unsolicited commercial communications (“UCC”).54
For the present context, the Regulations provide that: –
(a) Any commercial communication sent which is neither as per the consent nor as per the preference(s) of the recipient, as registered pursuant to the Regulations, is considered as UCC. The Regulations prohibit any person from sending UCC.
(b) Notwithstanding the above, a person may send promotional communication only after obtaining registration with an access provider and to such customers who have either provided their consent or have chosen to receive such communications.
The Regulations only govern communications via phone and SMS. They presently do not regulate email communications.
Having said the above, the Draft E-Commerce Policy, amongst other aspects, contemplates consumer protection and for the present purpose provides that: –
(a) unsolicited commercial messages on various platforms including emails need to be regulated; and
(b) a legal framework in this regard will be developed.
51 – “Commercial communication” is defined in the Regulations to mean “any voice call or message using telecommunication services, where the primary purpose is to inform about or advertise or solicit business for
(a) goods or services; or
(b) a supplier or prospective supplier of offered goods or services; or
(c) a business or investment opportunity; or
(d) a provider or prospective provider of such an opportunity”.
52 – “Promotional messages” is defined in the Regulations to mean “commercial communication message for which the sender has not taken any explicit consent from the intended Recipient to send such messages”.
53 – “Transactional message” is defined in the Regulations to mean “a message triggered by a transaction performed by the Subscriber, who is also the Sender’s customer, provided such a message is sent within thirty minutes of the transaction being performed and is directly related to it. Provided that the transaction may be a banking transaction, delivery of OTP, purchase of goods or services, etc.”
54 – “Unsolicited commercial communication or UCC” is defined in the Regulation to mean “any commercial communication that is neither as per the consent nor as per registered preference(s) of recipient, but shall not include:
(i) Any transactional message or transactional voice call;
(ii) Any service message or service voice call;
(iii) Any message or voice calls transmitted on the directions of the Central Government or the State Government or bodies established under the Constitution, when such communication is in Public Interest;
(iv) Any message or voice calls transmitted by or on the direction of the Authority or by an agency expressly authorized for the purpose by the Authority.”
Rachit Bahl, Partner
Aprajita Rana, Partner