Understanding Data Protection Laws in India

Bar & Bench May 5 2018

By Srishti Ojha and Trisha Dasgupta 


There is no independent legislation for privacy laws in India. Yet there clearly does exist an express code for data protection laws. This is set out in the Information Technology Act, 2000 (“IT Act”) and particularly in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (“Privacy Rules”) notified under the IT Act. Popular perception may suggest that a privacy code embedded in a legislation such as the IT Act is relevant mainly to the technology sector. This is not necessarily correct: it is critical to emphasize here that the data protection principles and compliances in the IT Act apply equally to all operations, irrespective of the usage of technology.

This note demystifies data privacy laws in India. It also lists mandatory data protection compliances by linking these to the relevant rules.

Data Subject, Data Controller And Data Processor

Using global terminology, broadly: (1) a “data subject” is an entity the data of which is being protected; (2) a “data processor” is an entity that collects, stores, transfers and/or discloses data of the data subject; and (3) a “data controller” is an entity that decides the purpose for which data is collected and its manner of usage.

This is a useful lens, as Indian privacy laws employ similar concepts while not using the exact terms. In terms of purpose, it is clear that the Privacy Rules protect the data subject from (i) collection; (ii) usage; and (iii) disclosure of its information without its consent.

The base for triggering the Privacy Rules is collection, possession, handling/dealing or transfer of “personal” information as defined under rule 2(1)(i) of the Privacy Rules which states: “personal information means any information that relates to a natural person, which either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person”.

It is therefore clear that the data subject in Indian privacy laws is primarily an individual (on a fine reading, with a couple of gray areas in rules 5 and 7 of the Privacy Rules). In other words, broadly, data exchanged between corporates is not protected, except to the extent it relates to individuals (e.g. banking data of overseas personnel).

Indian privacy laws do distinguish between storage, possession and dealing/handling of data in the sense that these terms find a place in the law. However, what is critical to note is that there is no material legal distinction, in terms of obligations, between a data controller and a data processor.

Personal Information V. Sensitive Personal Information

The pool of information protected is (with a couple of exceptions) not all personal information but only “sensitive” personal data or information (“SPDI”). In effect, the threshold of what is “sensitive” is fairly low and there is no gradation of obligations depending on the level of sensitivity of the data. Certain information is deemed to be sensitive, and this critically includes financial information such as details of an individual’s bank account, debit and credit card information or any other information related to payment instruments used by the individual (as per rule 3(ii) of the Privacy Rules). Therefore, employee and even business visitor information will automatically become SPDI.

It is important to note that the Privacy Rules are in addition to parallel rules relating to confidentiality of information that apply to providers of specific services (such as doctor-patient, lawyer-client or telecom). Such service providers must comply with both the parallel industry rules relating to data protection and the Privacy Rules. For instance, intermediaries (as defined under section 2(1)(w) of the IT Act) shall have to comply with both the Information Technology (Intermediaries Guidelines) Rules 2011 and the Privacy Rules.

Key Mandatory Compliance Requirements

The obligations regarding data protection are imposed on a “body corporate”. This term is a misnomer, as its definition includes a firm and a commercial or professional sole proprietorship besides a company. Extra-territorial application of the law is limited by S. 75 of the IT Act to offences which involve a computer, computer system or network located in India.

The key mandatory compliances are analyzed below:

Creation of a privacy policy

Rule 4 of the Privacy Rules requires the issuing of a privacy policy. It is interesting that this requirement is not limited to SPDI, because the relevant rule mentions “personal information or sensitive personal data or information”. As the next step, the content of the privacy policy, in accordance with Rule 4 of the Privacy Rules, should (i) be published on the website; and (ii) include the following:

  • Statements of its privacy policies and practices;
  • The type of personal information that is being collected;
  • The purpose and usage of such information;
  • The circumstances in which such information may be disclosed to third parties; and
  • The reasonable security practices and procedures adopted by the body corporate for handling of such information.

There is no prescribed format in connection with such disclosures.

Collection of information

For information generally, the only obligation is to inform the data subject that its information is being collected. “Information” is defined broadly in section 2(1)(r) of the IT Act. Rule 5 requires the above disclosure to include the following:

  • The fact that information is being collected;
  • The purpose of collection;
  • The people who may receive such collected information; and
  • Details of the persons collecting and storing the information.

Further, all data subjects must be able to review, later alter, or decline to provide such information.

The bar of compliance is higher for SPDI. In this case, written consent “in writing through letter or fax or e-mail” is required. The two key areas on which the data subject should be provided information are (i) usage of data and (ii) purpose of collection. The data subject can revoke all such consent by intimation “in writing”.

Additionally, rules 5(2) and 5(4) address a principle of global best practice known as “data minimization”. As per these rules, the sensitive personal data or information collected must be (i) necessary for achieving the purpose for which it is collected, and (ii) retained only for as long as is necessary to achieve the purpose for which it is collected. This ensures that data subjects do not disclose excessive sensitive information and creates a strict obligation on collectors of data to obtain only such information as is absolutely necessary. It appears from a joint reading of Rules 5(1) and 5(2) that this right cannot be contracted out of by the data subject.

Transfer of information: consent v. necessary for performance

Rule 7 gives data subjects the right to consent to the transfer of information as well as the right that no more information than is “necessary” be transferred. Similar to collection, it appears that the consent has to be restricted to the “necessary” purpose. In contrast to collection, for transfer the compliance covers the entire pool of “information”, i.e. it is not restricted to SPDI. Additionally, such information can be transferred to a third party only if the following conditions have been satisfied:

  • The third party has the same level of data protection as under the IT Rules; and
  • The transfer is pursuant to and necessary for performance of an existing contract with the data subject; or
  • The transfer is with the consent of the person providing information.

At present, there is no list of countries notified as deemed to have the same data protection level. Notably, India is still not on the list in similar data protection laws in jurisdictions such as the European Union.

Rule 6 requires consent of data subjects for “disclosure” of SPDI unless such disclosure is required by law.

Grievance Officer

A grievance officer must be appointed to address the grievances of a data subject within one month of receiving the complaint. At the moment, the law is not clear on minimal qualifications of this officer.

Reasonable Security Practices and Procedures

Rule 8 requires implementation as well as documentation of reasonable security practices and procedures (“RSPPs”). In effect, the IS/ISO/IEC 2011 standards must be followed with regard to RSPPs as the government has till date not notified any other standards for the same.

An annual audit of the RSPPs standards must be carried out by a “government approved” auditor.

This may be the most onerous obligation of Indian data protection laws. While Rule 8 only elaborates what RSPPs constitute, section 43A of the IT Act provides for punishment in case of negligence in maintenance and implementation of RSPPs. Here it is important to note that the IT Act skips a reference to the ISO standards and simply defines RSPPs to mean RSPPs decided by agreement between the parties involved and in the absence of such agreement, the definition that may be prescribed by rules formulated by the government. This is an important gap which is worth considering during documentation.

Penalties for Non-Compliance and Judicial Pronouncements

A cluster of penalties exists under the IT Act for contravention of the privacy and confidentiality obligations under the IT Act and the rules framed thereunder. These are as follows:

  • Section 43A, which provides compensation for failure to protect data, including sensitive personal data or information;
  • Section 72, which provides a penalty for breach of confidentiality and privacy; and
  • Section 72A, which provides punishment for disclosure of information in breach of a lawful contract when such disclosure is done intentionally or knowingly.

Separately, there have been several judicial developments in the field of data protection and privacy in India. Notably, in Karmanya Singh v. Union of India [2016 (68) PTC 486 (Del)] the Supreme Court has considered the issue of breach of privacy caused by ‘Whatsapp’ sharing the data of its subscribers with Facebook following Whatsapp’s acquisition by Facebook. In August 2017, the Indian Supreme Court in K.S. Puttaswamy v. Union of India [Writ Petition (Civil) No 494 of 2012] declared that the right to privacy is to be elevated to the status of a fundamental right in India. A committee of experts constituted by the government has prepared a white paper on “a data protection framework for India”, which contains detailed proposals on various aspects of data protection. This is not effective law yet.

Given the global attention to data protection, the recent Supreme Court judgments on the right to privacy and on Whatsapp's privacy policy, as well as the high-level paper on data protection, this area of law is coming of age in India.

Srishti Ojha is a Partner and Trisha Dasgupta is an associate at Verist Law.
