With a population of 1.3 billion people and a Gross Domestic Product of 2.6 trillion US Dollars, India is a market rich in data, including personal and private information. Data protection in India matters to many organisations with a global footprint, because they conduct business with Indian companies or store data in India.
The draft Data Protection Bill by India’s Srikrishna Committee, named for its head Justice Srikrishna, has been submitted to the Ministry of Electronics and Information Technology. It is to be tabled in Parliament in June of this year.
Though in many ways similar to the GDPR, the bill expands the definition of sensitive personal information, grants a new ground, called prompt action, on which personal information may be processed, and restricts the cross-border transfer of sensitive personal information.
It also requires privacy by design, the idea of building data protection into the structure of the entire data processing life-cycle. This means organisations will have to prepare for a higher standard of data protection by instilling its principles at every level and phase of the data stream. However, until the bill is passed by the Parliament of India, the existing Act, aimed mostly at cybercrime and e-commerce, the concerns of its time, continues to apply.
Data protection in India is covered by the Information Technology Act, 2000 (Act 21 of 2000, also known as the IT Act) and the related IT Rules. You need to understand how data protection in India operates and assess whether it is sufficient for your needs.
The Information Technology Act (IT Act)
The Information Technology Act states that if any organisation or individual involved in commercial or professional activities is negligent in possessing, dealing with or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, it is liable to pay damages to the person affected. So there are serious consequences for not complying with data protection obligations.
The IT Act states that in order to be liable, the organisation or individual must have been negligent in maintaining ‘reasonable security practices and procedures’. The IT Act defines ‘reasonable security practices and procedures’ as those designed to protect information from unauthorised access, damage or modification. These security practices can be specified in an agreement between the parties or in any law in force at the time (currently there is no specific data protection law). In the absence of an agreement between the parties or a law, reasonable security practices can be prescribed by the government or by government-approved professional bodies.
The IT Act was amended in 2008 to make the owner of an IP address responsible for the content accessed or distributed through it, and to make corporations responsible for implementing effective data security practices and liable for breaches.
There are also the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the IT Rules), which prescribe specific obligations for the data controller and conditions for processing personal information in India. There are also sector-specific rules for data protection in India.
Data Protection in India
According to the IT Rules, data controllers have an obligation to ensure that data is processed properly, and this should be done through the following means:
Privacy policy
Every data controller that deals with sensitive personal data must have a privacy policy and publish the policy on their website. The privacy policy must describe the type of information collected, the purpose for using the information, who the information will be disclosed to and how it can be disclosed. It must also cover the reasonable security practices and procedures followed to safeguard the information.
A data controller must also appoint a grievance officer whose name and contact details must be published on their website. The grievance officer must act on any complaint within 30 days of receiving the complaint.
Consent and notification
A data controller cannot collect personal information unless it has the prior consent of the data subject. Before collecting the information, a business must also give the data subject the option not to provide it. The business must make the data subject aware that the information is being collected, the purpose of collecting it, and the name and contact information of the agency collecting it.
Use, retention and withdrawal
Data controllers can only use personal information for the purpose for which it was collected. They cannot retain personal information for longer than required to fulfil the purpose that it was collected for.
Data subject rights
The data subject has the right to review the information provided and to ask for mistakes to be corrected. The data subject also has the right to withdraw their consent to the collection and use of the personal information.
Disclosure
Disclosure of personal information to a third party is possible if:
- it has been agreed in a contract with the data subject;
- it is necessary for compliance with a legal obligation; or
- prior consent has been given by the data subject.
Consent
The express consent of data subjects is required before collecting or processing sensitive personal data or information. Online consent is acceptable.
There is no dedicated regulator responsible for the enforcement of data protection rules. The Ministry of Communication and Information Technology has the power to issue rules under the IT Act.
Actions you can take
- Ensure that your organisation’s data transfer to or from India or any other country is legal by asking us to advise you with a legal opinion.
- Find out about data protection law by attending one of our workshops.
- Audit your organisation for data protection compliance by having us conduct a legal compliance audit.