Please provide an overview of the legal and regulatory framework governing data protection, privacy and cybersecurity in your jurisdiction (e.g., a summary of the key laws; who is covered by them; what sectors, activities or data do they regulate; and who enforces the relevant laws).
The Constitution of India guarantees the right to privacy (which includes the right to data security) to all citizens as part of the right to life and personal liberty under Articles 19 and 21 and as part of the freedoms guaranteed by Part III of the Constitution. This was also upheld by the Supreme Court of India (SCI) in 2017 in its landmark judgment of Justice K S Puttaswamy (Retd) and Another v. Union of India and Others (2017) 10 SCC 1 (the “Privacy Judgment”).
In August 2023 the Indian Government enacted the country’s first comprehensive legislation on data privacy, the Digital Personal Data Protection Act, 2023 (DPDP Act), the outcome of an increased effort to provide a legislative framework for data protection and privacy in the country. The DPDP Act is expected to be implemented and enforced in 2024, and the rules under it are still pending with the drafting committee. Stakeholders are nevertheless preparing for the new legislation, as the DPDP Act provides a principle-based framework for data protection compliance.
Until the DPDP Act is implemented, data protection and privacy continue to be governed by the existing provisions of the Information Technology Act, 2000 (IT Act) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules). Once notified, the DPDP Act will replace the existing framework under the IT Act and the SPDI Rules. Until then, cybersecurity, data breach notification and incident response in India are governed by the IT Act and the rules framed under it. The IT Act defines “cybersecurity” as “protecting information, equipment, devices, computer, computer resource, communication device and information stored therein from unauthorised access, use, disclosure, disruption, modification or destruction”.
Under the IT Act, the Indian government has established the Indian Computer Emergency Response Team (CERT-In) as the national nodal agency for cybersecurity, to carry out the following functions:
- collection, analysis, and dissemination of information on cyber incidents;
- forecasts and alerts of cybersecurity incidents;
- emergency measures for handling cybersecurity incidents;
- coordination of cyber incidents response activities;
- issue of guidelines, advisories, vulnerability notes, and white papers relating to information security practices, procedures, prevention, response, and reporting of cyber incidents;
- such other functions relating to cybersecurity as may be prescribed.
The Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (the “CERT-In Rules”) prescribe that CERT-In is responsible for responding to cybersecurity incidents and assists cyber-users in the country in implementing measures to reduce the risk of such incidents. CERT-In also has the power to issue directions to service providers, intermediaries, data centres, body corporates and others for enhancing the cybersecurity infrastructure in the country. The CERT-In Rules require CERT-In to operate an incident response help desk on a 24-hour basis on all days, including government and other public holidays, to facilitate the reporting of cybersecurity incidents.
Further, service providers, intermediaries, data centres and body corporates that handle sensitive personal data or information (SPDI) must report all cybersecurity incidents to CERT-In “as early as possible”. In April 2022, CERT-In issued a new directive modifying the obligations under the 2013 CERT-In Rules, including requirements to report cybersecurity incidents within six hours, to sync system clocks to the time provided by government servers, to maintain security logs in India, and to store additional customer information. CERT-In has also set up sectoral CERTs to implement cybersecurity measures at a sectoral level. The methods and formats for reporting cybersecurity incidents, vulnerability reporting and remediation, incident response procedures, and dissemination of information on cybersecurity are published on CERT-In’s website and are updated from time to time.
For critical sectors, the government has set up the National Critical Information Infrastructure Protection Centre (NCIIPC) under the IT Act, as the nodal agency, and has framed the NCIIPC Rules and guidelines to protect the nation’s critical information infrastructure (CII) from unauthorised access, modification, use, disclosure, and disruption to ensure a safe, secure and resilient information infrastructure for critical sectors in the country.
Other relevant rules framed under the IT Act include the following.
- The SPDI Rules prescribe reasonable security practices and procedures to be implemented for collecting and processing personal or sensitive personal data.
- The Information Technology (Information Security Practices and Procedures for Protected System) Rules, 2018, prescribe security measures for protected systems, as defined under the IT Act. Under the IT Act, the government may notify any computer resource that affects the facility of CII to be a “protected system”.
- The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 require intermediaries to implement reasonable security practices and procedures to secure their computer resources and information in order to retain safe harbour protection. Intermediaries are also mandated to report cybersecurity incidents to CERT-In.
Other laws that contain cybersecurity-related provisions include the Indian Penal Code 1860 (IPC), which deals with criminal offences, including those committed in cyberspace. The criminal laws in India are, however, undergoing changes to keep pace with new-age technologies. In particular, the IPC is to be replaced by the Bharatiya Nyaya Sanhita 2023 (BNS), the Code of Criminal Procedure 1973 by the Bharatiya Nagarik Suraksha Sanhita 2023, and the Indian Evidence Act 1872 by the Bharatiya Sakshya Adhiniyam 2023 (BSA). The new provisions will take effect from July 2024. Under the BNS, continued cyber-crimes and economic offences are referred to as ‘organised crime’. The BSA specifies that electronic records will be considered primary records, which calls for a strong foundation to be laid to protect data online. The BNS makes the forging of false electronic documents an offence punishable with imprisonment of seven years and a fine. Additionally, the Companies Act 2013 (Companies Act) requires companies to implement security systems to ensure that electronic records are secured from unauthorised access.
The IT Act prescribes that any service provider, intermediary, data centre, body corporate, or person who fails to provide the information called for by CERT-In or comply with CERT-In’s direction will be punishable with imprisonment for a term which may extend to one year or a fine which may extend to INR100,000 or both.
The IT Act also prescribes compensation, penalties and punishments as deterrents for offences such as damage to computer systems, failure to protect data, computer-related offences, theft of computer resources or devices, SPDI leaks, identity theft, cheating by impersonation, violation of privacy, cyberterrorism, online pornography (including child pornography), breach of confidentiality and privacy, and breach of contract.
Regulators
In addition to the Ministry of Electronics and Information Technology (MeitY) and NCIIPC, the government has established the National Security Council Secretariat (NSCS) as the central coordinating body for cybersecurity and internet governance. NSCS has developed a draft cybersecurity strategy to address the security of national cyberspace, which aims to improve the quality of cybersecurity audits so that organisations can better review their cybersecurity knowledge and architecture. However, there is currently no implementation date for this strategy.
The Ministry of Home Affairs (Home Ministry) has set up the Cyber and Information Security Division (C&IS) to deal with matters relating to cybersecurity, cybercrime, the National Information Security Policy & Guidelines (NISPG), and its implementation. C&IS comprises a cybercrime wing, a cybersecurity wing, an information security wing, and a monitoring unit.
Further, the Home Ministry has established the Indian Cybercrime Co-ordination Centre (I4C), which is a nodal point in the fight against cybercrime and coordinates the implementation of mutual legal assistance treaties (MLAT) with other countries.
The government has also set up the National Technical Research Organisation (NTRO) as a technical intelligence agency under the National Security Advisor in the Prime Minister’s office. Its primary role is to develop technology capabilities in aviation and remote sensing, data gathering and processing, cybersecurity, strategic hardware, and strategic monitoring. NCIIPC comes within NTRO’s ambit.
The IT Act mandates the central government to appoint an adjudicating officer to conduct inquiries, and adjudicate matters (ie, contravention of any of the provisions of the IT Act or any rule, regulation, direction, or order made thereunder, including non-compliance of CERT-In’s direction), with claims for injury or damages valued up to INR50 million. Claims that exceed this amount must be filed before the competent civil court. Where more than one adjudicating officer is appointed, the IT Act mandates the central government to specify the matters and places of jurisdiction of each adjudicating officer.
The inquiry and investigation procedure for the adjudicating officer is provided under the Information Technology (Qualification and Experience of Adjudicating Officers and Manner of Holding Enquiry) Rules, 2003. Any decision of the adjudicating officer can be appealed before the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
Under the DPDP Act, the Central Government has the power to establish the Data Protection Board of India (DPB). The DPB is the primary regulatory body responsible for enforcing the legislation. Data principals are required to comply with applicable laws while exercising their rights under the Act, and breach of the duties of data principals may result in penalties of up to INR10,000 (USD120 approx.). The maximum penalty for violation of the DPDP Act’s provisions by a data fiduciary is INR2.5 billion (USD30 million approx.), for failure to take reasonable security safeguards to prevent a personal data breach where the DPB regards the non-compliance as significant.
The DPDP Act also prescribes specific penalties of INR2 billion (USD25 million approx.) for failure to notify the DPB and affected data principals of data breaches; and non-compliance with additional obligations while processing children’s data.
Under the DPDP Act, the TDSAT established under section 14 of the Telecom Regulatory Authority of India Act, 1997 adjudicates on appeals from the orders of the DPB, and the SCI is the final appellate authority for all purposes under the DPDP Act.
There are various sector-specific regulators engaged in supervising their relevant intermediaries on the progress of implementation and robustness of cybersecurity frameworks. They regularly conduct cybersecurity and system audits of the intermediaries, which are reported to the relevant regulators.
Sector-Specific Regulators
Banking sector
The Reserve Bank of India (RBI) governs both public and private sector banks. Under the RBI’s guidelines, the RBI may inspect any bank’s cyber-resilience at any time. The RBI has set up a Cyber Security and Information Technology Examination (CSITE) cell under the Department of Banking Supervision to periodically assess the progress made by banks in implementing the cybersecurity framework (CSF) and other regulatory instructions and advisories, through on-site examinations and off-site submissions. The RBI runs an internal ombudsman scheme for commercial banks with more than ten branches as a redressal forum and has also issued guidelines on information security, electronic banking, technology risk management, and cyber fraud. CERT-In and the RBI jointly carry out a cybersecurity awareness campaign, “Beware and be aware of financial frauds”, through the Digital India Platform.
RBI also issued guidelines on Regulation of Payment Aggregators and Payment Gateways, directing payment aggregators to put in place adequate information, data security infrastructure, and systems for prevention and detection of frauds, and has specifically recommended implementation of data security standards and best practices such as PCI-DSS, PA-DSS, the latest encryption standards and transport channel security. Payment aggregators must establish a mechanism for monitoring, handling, and follow-up of cybersecurity incidents and breaches, and mandatorily report incidents to RBI and CERT-In.
RBI regularly conducts audits and inquiries into banks’ security frameworks and imposes penalties on the banks for non-compliance with RBI’s cybersecurity framework. RBI has also formulated an integrated scheme, The Reserve Bank – Integrated Ombudsman Scheme, 2021 (the “RB-IOS, 2021”) to simplify the grievance redress process at RBI by enabling the customers of all regulated entities to register their complaints at one centralised reference point. Through this portal, RBI also spreads cyber-crime awareness including frauds using mobile apps/UPI/QR codes, etc.
In November 2023, the RBI issued the Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices, which requires the Regulated Entities (REs) defined in the directions to put in place a Cyber Security Policy and a Cyber Crisis Management Plan (CCMP). The directions also require an Information Security Committee (ISC), working under the supervision of the Board-level IT Strategy Committee (ITSC), for the management of cyber/information security. The ISC’s responsibilities include developing information/cybersecurity policies and reviewing cyber incidents. The direction places the onus on the REs to tackle cyber attacks, including spoofing and phishing, so that their adverse effects are mitigated. The Master Direction came into effect on April 1, 2024.
Insurance sector
The Insurance Regulatory and Development Authority (IRDA, now the IRDAI) is the nodal agency for the governance and regulation of the insurance sector in India. The IRDA conducts regular on-site and off-site inspections of insurers to ensure compliance with the legal and regulatory framework. The IRDA has also issued guidelines on Information and Cyber Security for Insurers (the IRDA Cyber Security Policy), which require an annual vulnerability assessment and penetration test and the closure of any identified gaps within a month. Other relevant guidelines issued by the IRDAI are the IRDAI (Outsourcing of Activities by Indian Insurers) Regulations, 2017; the IRDAI (Maintenance of Insurance Records) Regulations, 2015; and the IRDAI (Protection of Policyholders’ Interests) Regulations, 2017, which contain several provisions on data security. Additionally, the IRDAI has recently issued guidelines to insurers on structuring cyber insurance for individuals and identifying gaps that need to be filled. As per the guidelines, cyber insurance should provide cover against theft of funds and identity, unauthorised online transactions, email spoofing, etc.
Telecom sector
Telecom operators in India are governed by regulations laid down by the following regulatory bodies:
- the Telecom Regulatory Authority of India (TRAI);
- the Department of Telecom (DoT);
- the TDSAT;
- the Group on Telecom and IT (GOTIT);
- the Wireless Planning Commission (WPC); and
- the Digital Communications Commission (DCC).
Further, the Unified Access Service Licence (UASL) extends information security to telecom networks as well as to third-party operators. The regulator requires telecom operators to audit their network (internal/external) at least once a year.
TRAI has released its recommendations on cloud services concerning the creation of a regulatory framework for cloud services and constituting an industry-led body of all cloud service providers (CSP).
DoT regularly conducts cybersecurity workshops and cyber drills for better awareness.
Securities
The Securities and Exchange Board of India (SEBI) was established in 1988 and is the regulatory body for the commodity and securities markets in India. SEBI protects the interests of investors and market intermediaries and ensures that issuers of securities are protected, including by safeguarding their customer data, other data, and transactions.
In April 2022, SEBI appointed six committee members to oversee the guidance regarding the cybersecurity initiatives for the Indian economy and advise SEBI to maintain and develop cybersecurity requirements keeping in mind the global industry standards.
SEBI has issued detailed guidelines to market infrastructure institutions (MIIs) to set up their respective Cyber Security Operation Centre (C-SOC) and to oversee their operations through dedicated security analysts. The cyber-resilience framework also extends to stockbrokers and depository participants.
SEBI also works and communicates with agencies such as the National Cyber Coordination Centre (NCCC), CERT-In, MeitY, and DoT.
Health sector
The Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations 2002 (IMCR) impose patient confidentiality obligations on medical practitioners. The Ministry of Health and Family Welfare introduced draft legislation in 2017, known as the Digital Information Security in Healthcare Act (the “DISH Act”), to regulate the generation, collection, storage, transmission, access, and use of all digital health data. The DISH Act also provides for the establishment of a National Digital Health Authority as the statutory body to enforce privacy and security measures for health data, and to regulate storage and exchange of health records.
The expert committee report and the DPDP Act prescribe that the central government appoint the DPB to ensure compliance with the data protection laws, register data fiduciaries, conduct inquiries and adjudicate privacy complaints, issue codes of practice, monitor cross-border transfers of personal data, advise state authorities, and promote awareness of data protection.
The DPDP Act prescribes that the data fiduciary should appoint a Data Protection Officer who shall report to the Board of Directors or a similar governing body and be the point of contact for the grievance redressal mechanism.
The Ministry of Health and Family Welfare has approved a Health Data Management Policy (the “HDM Policy”), largely based on the DPDP Act, to govern data in the National Digital Health Ecosystem. The HDM Policy recognises entities such as data fiduciaries and data processors, similar to the DPDP Act, and establishes a consent-based data-sharing framework.
Under the DPDP Act, health data can be processed by the data fiduciary for legitimate use, in case there is a medical emergency that involves a threat to life or an immediate threat to the health of a data principal or any other person or if there is a situation like an epidemic, an outbreak of a disease, or any other threat to public health.
Administration and Enforcement Process
The IT Act provides for the appointment of an adjudicating officer to deal with claims of injury or damages not exceeding INR50 million (USD600,000 approximately). The claims exceeding this amount must be filed before the competent civil court. MeitY has appointed the Secretary of the Department of Information Technology of each Indian state or union territory as the adjudicating officer under the IT Act.
A written complaint can be made to the adjudicating officer having jurisdiction over the location of the computer system or computer network, together with a fee based on the damages claimed as compensation. The adjudicating officer then issues a notice to the parties setting the date and time for further proceedings and, based on the parties’ evidence, decides whether to pass orders (if the respondent pleads guilty) or to carry out an investigation. If the officer is convinced that the matter amounts to an offence rather than a contravention, and entails punishment greater than a financial penalty, the officer will transfer the case to the magistrate having jurisdiction.
The first appeal from the adjudicating officer’s decisions can be filed before the TDSAT and the subsequent appeal before the High Court.
The DPDP Act prescribes filing the complaint by the data principal before the DPB after the data principal has exhausted all means of redressal related to approaching the data fiduciary or the consent manager. The DPB will have the authority to impose penalties on the data fiduciary.
The maximum penalty for violation of the DPDP Act’s provisions by a data fiduciary is INR2.5 billion (USD30 million approx.), for failure to take reasonable security safeguards to prevent a personal data breach where the DPB regards the non-compliance as significant. The DPDP Act also prescribes specific penalties of INR2 billion (USD25 million approx.) for failure to notify the DPB and affected data principals of data breaches, and for non-compliance with the additional obligations that apply to the processing of children’s personal data. The penalty for breach of the additional obligations of a significant data fiduciary is INR1.5 billion (USD17 million approx.). The penalty for breach of the duties of a data principal is INR10,000 (USD120 approx.), and the penalty for contravention of any other provision of the DPDP Act is INR500 million (USD6 million approx.).
The DPDP Act prescribes that the central government establish an appellate tribunal, TDSAT to adjudicate on appeals from the orders of the DPB, and the SCI as the final appellate authority for all purposes under the DPDP Act.
Further, if the DPB believes that the complaint filed can be resolved by mediation, it can direct the parties to appoint a mediator through mutual agreement and resort to mediation as a form of alternate dispute resolution.
The DPDP Act also provides for a voluntary undertaking from a person. The DPB may accept a voluntary undertaking setting out the action the data fiduciary will take within a prescribed time. The DPB may vary the terms of the undertaking with the consent of the person, and its acceptance of the undertaking bars proceedings under the DPDP Act in respect of the matter.
Separately, the DPDP Act requires a valid contract where data processing is carried out by a data processor on behalf of a data fiduciary.
If, however, the terms of the undertaking are not complied with, the non-compliance is treated as a breach under the provisions of the DPDP Act, and the person is liable to pay a monetary penalty for the breach under the DPDP Act after being given an opportunity to be heard.
Are there any expected changes in the data protection, privacy or cybersecurity landscape in 2024–2025 (e.g., new laws or regulations coming into effect, enforcement of such laws and regulations, expected regulations or amendments (together, “data protection laws”))?
- MeitY introduced a draft Bill, the DPDP Bill, on 18 November 2022, which adopts a simplified approach to handling “personal data” compared with the previous versions published for public consultation. The gazetted DPDP Act is based on the 2022 Bill with certain new provisions. The DPDP Act applies to personal data collected online, and to personal data collected offline and later digitised. It also applies to processing outside India in respect of goods and services offered within India.
- Under the DPDP Act, the data principal is given a broader meaning, and includes persons with disabilities, who are represented by their lawful guardian. The DPDP Act specifies that consent must be specific, free, unconditional, unambiguous, and informed, and that withdrawal of consent must be permitted. A consent manager manages consent on behalf of data principals. Processing is covered where it is carried out “wholly or partly” by automated means, so both fully automated processing and a combination of manual and automated operations fall within scope. However, as the DPDP Act is yet to be notified by the Central Government, stakeholders have asked MeitY to grant a 12- to 24-month period to comply with its provisions.
- On March 5, 2024, MeitY released a notification inviting project proposals for Research & Development in Cyber Security, which could be submitted by research professionals, scientists, engineers and academicians highlighting technology developments and prototype models in areas such as:
- recovery of deleted or overwritten data;
- privacy-preserving digital forensic investigations;
- privacy and accidental leakage prevention; and
- next-generation hashing, encryption, and applications in network security and Zero Trust, and privacy and security in cloud and networks.
- On March 20, 2024, MeitY’s notification confirmed that a Fact Check Unit has been notified by the Central Government under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, which governs privacy policies published by the intermediaries.
- On February 12, 2024, MeitY notified a cyber security roadmap that suggests work on dark web forensics, social media analytics tools, deepfake detection tools, and real-time fraud detection tools in the next five years.
- The February 2024 IoT Security roadmap suggested that in the next five years, AI-enabled privacy and data protection systems would be introduced.
- In April 2022, CERT-In issued a new directive modifying obligations under the 2013 CERT-In Rules, including requirements to report cybersecurity incidents within six hours, syncing system clocks to the time provided by government servers, maintaining security logs in India, and storing additional customer information. This applies to all service providers, intermediaries, data centres, body corporate, virtual private server (VPS) providers, cloud service providers, VPN service providers, virtual asset service providers, virtual asset exchange providers, custodian wallet providers, and government organisations. Individual citizens are not covered by these directions.
- MeitY notified the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2022 replacing the Information Technology (Intermediaries Guidelines) Rules, 2021. The amendments have come into effect immediately and have introduced significant obligations on intermediary platforms including prompt resolution of grievances, and acting as a protector of fundamental rights. It also provides for the constitution of the Grievance Appellate Committees to address appeals from decisions of an intermediary’s Grievance Officer.
- In October 2022, IRDAI introduced an improved cybersecurity framework focused on the insurers’ security concerns, which aims to encourage insurance firms to establish and maintain a robust risk assessment plan, improve mitigation methods of internal and external threats, prevent ransomware attacks and other types of fraud, and implement a robust business continuity.
- RBI through a notification has mandated that no entity in the card transaction/payment chain, other than the card issuers and/or card networks, shall store Card-on-File (CoF) data, and any such data stored previously shall be purged.
- The Department of Science and Technology issued guidelines for acquiring and producing geospatial data and geospatial data services including maps. Under these guidelines, there is no restriction, and no requirement of any approval, clearance, license, etc, on the collection, generation, preparation, dissemination, storage, publication, updating, and/or digitisation of geospatial data and maps within the territory of India, subject to certain restrictions. The guidelines also restrict foreign entities from creating /or owning, or hosting geospatial data other than the prescribed threshold values.
- The Bureau of Indian Standards issued standards for data privacy assurance, the IS 17428. The standard seeks to provide a privacy assurance framework for organisations to establish, implement, maintain, and continually improve their data privacy management system.
Significant Pending Changes, Hot Topics and Issues
- The Indian government is working towards updating its National Cybersecurity Strategy in order to improve its position in cyberspace. The updated National Cybersecurity Policy may be issued this year.
- The validity of the CERT-In Directions has been challenged by several entities across Indian courts alleging that certain provisions of the CERT-In Directions are ultra vires. Reportedly, one of the provisions challenged includes the collection of details like name, IP address, address, contact information, and the purpose of using a VPN and keeping it for five years even after the user’s relationship with the VPN service provider has ended. Although the CERT-In Directions are currently in force, the court’s approach to the pending cases will be noteworthy.
- The government will soon be releasing the draft e-commerce policy, which proposes to set up an e-commerce regulator with broad powers over e-commerce entities and platforms. The draft policy contains proposals on sharing source code, algorithms, and other data with the government, use of non-personal data of consumers, anti-piracy, cross-border data transfers, etc. This is an important development, and it will be interesting to monitor the final policy in view of the provisions of the DPDP Act, which is yet to be notified, and thereafter the policy’s feasibility and enforceability.
- The Jan Vishwas (Amendment of Provisions) Bill 2023 received the President’s assent in August 2023. It will come into effect once the Central Government notifies it in the official gazette. The amended provisions are sections 33, 44, 67C, 68, 69B, 70B, 72, and 72A of the IT Act. Under section 69B, intermediaries that do not provide the government with technical assistance are now liable to imprisonment for one year with a maximum fine of INR10 million (USD1.2 million). The other amended provisions likewise either reduce or remove imprisonment and increase the fine instead.
Are there any registration or licensing requirements for entities covered by these data protection laws, and if so what are the requirements? Are there any exemptions?
The IT Act and its rules do not contain such a requirement. The DPDP Act only provides that the Central Government may notify any data fiduciary or class of data fiduciaries as significant data fiduciaries (SDFs) based on an assessment of relevant factors, including the volume and sensitivity of personal data processed; the risk of harm to the data principal; the potential impact on the sovereignty and integrity of India; the risk to electoral democracy; the security of the State; public order; and such other factors as it may consider necessary. Further, an SDF must appoint a Data Protection Officer (DPO), based in India, to represent it; the DPO serves as the point of contact for the grievance redressal mechanism. An SDF must also perform periodic audits and undertake a Data Protection Impact Assessment. Such an SDF may be required to register with the DPB in the prescribed manner.
-
How do these data protection laws define “personal data,” “personal information,” “personally identifiable information” or any equivalent term in such legislation (collectively, “personal data”) versus special category or sensitive personal data? What other key definitions are set forth in the data protection laws in your jurisdiction?
The DPDP Act defines “data” and “personal data” as follows:
- Data – means a representation of information, facts, concepts, opinions, or instructions in a manner suitable for communication, interpretation, or processing by human beings or by automated means.
- Personal data – means any data about an individual who is identifiable by or with such data.
Additionally, the following key definitions are set forth under the DPDP Act:
- Data controller – The Act uses the term ‘data fiduciary’ for any person who, alone or in conjunction with other persons, determines the purpose and means of processing personal data.
- Data processor – Any person who processes data on behalf of a data fiduciary.
- Data subject – The Act uses the term ‘data principal’ for the individual to whom the personal data relates, and in the case of a child or a person with a disability, includes their parent or lawful guardian.
- Significant data fiduciary – Any data fiduciary or class of data fiduciaries as may be notified by the Government, based on an assessment of such relevant factors as it may determine, including the volume and sensitivity of personal data processed; the risk to rights of data principals; the potential impact on the sovereignty and integrity of India; the risk to electoral democracy; the security of the State; and public order.
- Consent manager – A person registered with the DPB, who acts as a single point of contact to enable a data principal to give, manage, review, and withdraw their consent through an accessible, transparent, and interoperable platform.
-
What are the principles related to the general processing of personal data in your jurisdiction? For example, must a covered entity establish a legal basis for processing personal data, or must personal data only be kept for a certain period? Please outline any such principles or “fair information practice principles” in detail.
The DPDP Act imposes certain obligations, detailed in the section on controller and processor obligations below, on data fiduciaries, who must comply with these obligations as well as be able to demonstrate such compliance.
- Data fiduciaries are responsible for compliance with the act concerning any processing undertaken by them or on their behalf, irrespective of any agreement to the contrary.
- Processing should only be for a lawful purpose, i.e., any purpose which is not expressly forbidden by law;
- Personal data should be processed only on the grounds detailed in the act;
- Data fiduciaries should provide the data principal with adequate notice when relying on consent for processing;
- Data fiduciaries should implement appropriate technical and organizational measures to ensure compliance with the DPDP Act;
- Data fiduciaries should implement reasonable security safeguards to protect personal data in their possession or under their control and to prevent a personal data breach;
- Data fiduciaries should ensure that the personal data being processed is complete, accurate, and consistent when such data is likely to be disclosed to another data fiduciary or used to make a decision that affects the data principal;
- Personal data should only be retained for as long as consent remains valid or as long as is necessary to satisfy the purpose for which it is processed, whichever is earlier, and thereafter such personal data should be deleted.
-
Are there any circumstances for which consent is required or typically obtained in connection with the general processing of personal data?
The DPDP Act prescribes that the consent obtained from the data principal must be free, specific, informed, unconditional, and unambiguous with clear affirmative action, and shall signify an agreement to the processing of the subject’s personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose.
Consent need not be sought for legitimate uses, which include processing (i) for specified purposes for which the data principal has voluntarily shared personal information without objecting to such processing; (ii) for purposes of employment; (iii) for responding to medical emergencies; (iv) for performing any function under law or the State providing any service or benefit to the data principal; (v) for compliance with any judgment or order issued under any law; and (vi) for taking measures to ensure safety during a breakdown of public order, etc.
Other than consent, the DPDP Act provides for processing based only on the ground of ‘certain legitimate uses,’ which include:
- specified purposes for which a data principal voluntarily provides data, given that the data principal has not indicated denial of consent for such processing;
- processing by the State to provide or issue a subsidy, benefit, service, certificate, license, or permit; performance of any legal functions of the State;
- fulfilling any legal obligation to disclose data to the State; compliance with orders or judgments, either under any Indian law or under any foreign law when relating to claims of a contractual or civil nature;
- responding to a medical emergency involving a threat to life or immediate threat to health;
- providing medical treatment or health services during any threat to public health;
- ensuring safety or providing assistance or services during any disaster or breakdown of public order; and for purposes related to employment or safeguarding employers from loss or liability.
-
What are the rules relating to the form, content and administration of such consent? For instance, can consent be implied, incorporated into a broader document (such as a terms of service) or bundled with other matters (such as consents for multiple processing operations)?
Consent is the primary legal basis for processing personal data under the DPDP Act. To be valid, consent must be free, informed, specific, unconditional, unambiguous with a clear affirmative action, capable of being withdrawn, for a specified purpose, and limited to such personal data as is necessary for such specified purpose.
-
What special requirements, if any, are required for processing sensitive personal data? Are any categories of personal data prohibited from collection or disclosure?
The DPDP Act does not distinguish between categories of personal data or provide special obligations for specific categories of personal data. The DPDP Act will, however, impose additional restrictions on processing the personal data of children under 18 years of age or persons with disabilities, including:
- Obtaining the consent of the parent or lawful guardian of the child or person with a disability, in a manner to be prescribed.
- Not conducting processing that is likely to cause any detrimental effect on a child’s well-being.
- Not tracking or monitoring children or directing targeted advertising at children.
(Section 9(1) to (3), DPDP Act.) The obligations in the first and third bullets above will not apply to certain prescribed classes of data fiduciaries (Section 9(4), DPDP Act). The Indian government may exempt certain data fiduciaries from complying with these obligations if it ensures that they process personal data in a verifiably safe manner (Section 9(5), DPDP Act).
Section 43A of the Information Technology Act 2000 as amended by the Information Technology (Amendment) Act 2008 (IT Act and IT Amendment Act) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (Privacy Rules) apply to sensitive personal data or information (SPDI).
The Privacy Rules define SPDI to mean personal information which consists of information relating to a person’s:
- passwords;
- financial information, including information relating to bank accounts, credit cards, debit cards, and other payment card information;
- physical, physiological, or mental health;
- sexual orientation;
- medical records and history; and
- biometric information.
SPDI also includes any details relating to the above categories even if the person provides the data to a body corporate to provide a service or for processing under a lawful contract. (Rule 3, Privacy Rules.)
A body corporate handling SPDI must implement:
- Reasonable security practices, procedures, and standards to handle sensitive personal data or information (SPDI);
- A comprehensive documented information security program; and
- Policies that contain managerial, technical, operational, and physical security control measures that are proportionate to the information assets it seeks to protect. (Rule 8, Privacy Rules; Section 43A, IT Act, as amended by Section 22, IT Amendment Act.)
A body corporate should collect SPDI only if it is essential and required for a lawful purpose connected with the organization’s functions (Rule 5(2), Privacy Rules). The body corporate should use the information only for the purpose for which it was collected and should not retain the information for a period longer than what is required (Rule 5(4), Privacy Rules).
Under the Privacy Rules, a body corporate collecting SPDI from a data subject must obtain the subject’s prior written consent (Rule 5(1), Privacy Rules). When collecting information from the data subject, the body corporate must also take reasonable steps to inform the data subject:
- That the body corporate is collecting the information;
- The collection’s purpose;
- The intended recipients; and
- The name and address of the organizations collecting and retaining the information. (Rule 5(3), Privacy Rules.)
The body corporate must allow the data subject the right to review or amend the SPDI and provide an option to retract consent at any point in time. If consent is withdrawn, the body corporate may stop providing the goods or services for which the information was sought. (Rules 5(6) and 5(7), Privacy Rules.)
-
How do the data protection laws in your jurisdiction address health data?
Under the DPDP Act, health data can be processed by the data fiduciary for legitimate use, in case there is a medical emergency that involves a threat to life or an immediate threat to the health of a data principal or any other person or if there is a situation like an epidemic, an outbreak of a disease, or any other threat to public health.
The Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations 2002 (IMCR) impose patient confidentiality obligations on medical practitioners. The Ministry of Health and Family Welfare introduced draft legislation in 2017, known as the Digital Information Security in Healthcare Act (the “DISH Act”), to regulate the generation, collection, storage, transmission, access, and use of all digital health data. The DISH Act also provides for the establishment of a National Digital Health Authority as the statutory body to enforce privacy and security measures for health data, and to regulate storage and exchange of health records.
The expert committee report and the DPDP Act prescribe that the Central Government appoint the DPB to ensure compliance with the data protection laws, register data fiduciaries, conduct inquiries into and adjudicate privacy complaints, issue codes of practice, monitor cross-border transfers of personal data, advise state authorities, and promote awareness of data protection.
The Ministry of Health and Family Welfare had approved a Health Data Management Policy (the “HDM Policy”) largely based on the DPDP Act to govern data in the National Digital Health Ecosystem. The HDM Policy recognises entities such as data fiduciaries and data processors similar to the DPDP Act and establishes a consent-based data-sharing framework.
-
Do the data protection laws in your jurisdiction include any derogations, exclusions or limitations other than those already described? If so, please describe the relevant provisions.
The DPDP Act provides for exemptions from the application of certain provisions, which are available to data fiduciaries in certain circumstances:
Exemptions for certain data fiduciaries or classes of data fiduciaries, including startups
The Government of India will issue a notification exempting certain data fiduciaries or classes of data fiduciaries, including startups, from certain provisions of the DPDP Act. This notification will be based on the volume and nature of personal data processed.
Such data fiduciaries will not be required to comply with the following obligations: issuing a notice before seeking the consent of a data principal; ensuring the accuracy and completeness of personal data; erasing personal data after the purpose for which it was collected is served; obtaining verifiable parental consent before processing children’s data and refraining from behavioural tracking of children or targeted advertising directed at children; the obligations applying to SDFs; and providing a data principal with the right to information about their personal data.
Exemptions where personal data is processed for certain specified uses
The DPDP Act exempts entities from complying with the provisions pertaining to obligations of data fiduciaries, rights and duties of data principals, and transfer of personal data outside India in cases where:
- the processing of personal data is necessary for enforcement of any legal right or claim;
- the processing of personal data is necessary to perform judicial or quasi-judicial, regulatory or supervisory functions by a court, tribunal, or any other such body entrusted by the law to perform such functions;
- the processing of personal data is necessary in the interest of prevention, investigation, or prosecution for offences or contraventions of any law;
- personal data of data principals who are not within the territory of India is processed by any person based in India, pursuant to a contract with any person outside the territory of India;
- the processing of personal data is necessary for carrying out mergers, acquisitions, and other such transactions between two or more companies which have been approved by a court, tribunal, or any other competent authority; or
- the processing of personal data is done in relation to debt-recovery activities.
Exemptions for research and statistical purposes
The DPDP Act will not apply to the processing of personal data that is necessary to carry out research, archiving, or statistical activities, provided that the personal data is not being used to take any decision specific to a data principal. The Government of India will prescribe the standards in accordance with which such processing is to be carried out.
Exemptions for the Government of India
The DPDP Act will not apply to certain instrumentalities of the Government of India in the interest of sovereignty and integrity of India, security, friendly relations with foreign countries, and maintenance of public order. The Government of India will notify the instrumentalities to which this exemption is available.
The Government of India may notify additional exemptions from the provisions of the DPDP Act for any data fiduciary or class of data fiduciaries in the following five years.
-
Do the data protection laws in your jurisdiction address children’s and teenagers’ personal data? If so, please describe how.
Indian law defines a ‘child’ as an individual who has not completed eighteen years of age. Data fiduciaries may not undertake processing of personal data that is likely to cause any detrimental effect on the well-being of a child. Before processing any personal data of a child (or a person with a disability who has a lawful guardian), data fiduciaries must obtain verifiable consent of the parent or lawful guardian of such child or person with a disability, in a manner as may be prescribed by the Government. Additionally, data fiduciaries cannot undertake any tracking or behavioral monitoring of children, or targeted advertising directed at children. However, certain classes of data fiduciaries or processing for certain purposes may be exempted from these requirements by the Government. Additionally, with respect to compliance with these requirements, the age threshold may be lowered for certain data fiduciaries, if the Government is satisfied that the processing is ‘verifiably safe.’
The DPDP Act also prescribes specific penalties of INR2 billion (USD25 million approx.) for failure to notify the DPB and affected data principals of data breaches, and for non-compliance with the additional obligations that apply when processing children’s data.
-
Do the data protection laws in your jurisdiction address online safety? Are there any additional legislative regimes that address online safety not captured above? If so, please describe.
At present, there is no overarching cybersecurity agency for India. However, in addition to CERT-In and NCIIPC, the government has established the National Security Council Secretariat as the central coordinating body for cybersecurity and internet governance.
As part of the government’s Digital India initiative, MeitY has set up Cyber Swachhta Kendra as a botnet cleaning and malware analysis centre. The Ministry of Home Affairs has set up a Cyber and Information Security Division (C&IS) to deal with matters relating to cybersecurity, cybercrime, National Information Security Policy & Guidelines (NISPG) and its implementation. C&IS comprises a cybercrime wing, a cybersecurity wing, an information security wing, and a monitoring unit.
Further, the Home Ministry has established the Indian Cybercrime Co-ordination Centre (I4C), which is the nodal point in the fight against cybercrime and coordinates the implementation of Mutual Legal Assistance Treaties (MLAT) with other countries. The government has also set up the National Technical Research Organisation (NTRO) as a technical intelligence agency under the National Security Advisor in the Prime Minister’s office. Its primary role is to develop technology capabilities in aviation and remote sensing, data gathering and processing, cybersecurity, strategic hardware, and strategic monitoring. NCIIPC comes within NTRO’s ambit.
The Ministry of External Affairs has set up a New Emerging and Strategic Technologies Division (NEST) to engage in technology diplomacy and deal with the foreign policy and international legal aspects of new and emerging technologies.
Like CERTs elsewhere in the world, CERT-In is the national nodal agency for responding to computer security incidents as and when they occur. CERT-In operates on principles similar to those of other CERTs, such as:
- collection, analysis, and dissemination of information on cyber incidents;
- forecast and alerts of cybersecurity incidents;
- emergency measures for handling cybersecurity incidents;
- co-ordination of cyber incident response activities;
- issue of guidelines, advisories, vulnerability notes, and white papers relating to information security practices, procedures, prevention, response, and reporting of cyber incidents; and
- such other functions relating to cybersecurity as may be prescribed.
CERT-In is responsible for responding to cybersecurity incidents and assisting in implementing measures to reduce the risk of cybersecurity incidents. CERT-In has powers to issue directions to service providers, intermediaries, data centres, body corporates, etc., for enhancing cybersecurity infrastructure in India. CERT-In is also responsible for operating an incident response help desk on a 24-hour basis on all days, including government and other public holidays, to facilitate the reporting of cybersecurity incidents.
As regards critical information, NCIIPC is set up under the IT Act as the nodal agency to ensure a safe, secure, and resilient information infrastructure for critical sectors in India.
Additionally, MeitY is in the process of establishing a similar authority in India, known as the National Cyber Coordination Centre (NCCC), which will be implemented by CERT-In.
As regards the CII, the guidelines for the protection of the national critical information infrastructure provide for security certifications by third-party agencies (government or private agencies) to protect the assets for smooth and error-free operation. The certifications must also deal with enforcing or implementing any international security standards available globally for the protection of critical assets working in the CII by respective organizations. Each CII must list the certifications needed to be implemented for the protection of their assets and the areas.
As recent attacks on cyber infrastructure indicate increasing targeting of SCADA systems and the supporting infrastructure widely used in almost all critical industrial set-ups (oil, gas, nuclear, aviation, etc.), there is an increased need to implement the strategic controls recommended in the guidelines.
-
Is there any regulator in your jurisdiction with oversight of children’s and teenagers’ personal data, or online safety in general? If so, please describe, including any enforcement powers. If this regulator is not the data protection regulator, how do those two regulatory bodies work together?
The yet-to-be-constituted Data Protection Board (DPB) under the DPDP Act possesses the jurisdiction required to address complaints regarding a breach of personal data concerning children.
The DPDP Act specifies that if the Central Government is satisfied with how a data fiduciary has been processing children’s data, it may prescribe an age above which the data fiduciary is exempted from certain obligations, such as:
- processing data only with verifiable consent from a lawful guardian;
- not processing data that is detrimental to the well-being of the child; and
- not conducting behavioral monitoring of the child.
-
Are there any expected changes to the online safety landscape in your jurisdiction in 2024–2025?
The Indian government is working towards updating its National Cybersecurity Strategy to improve its position in cyberspace. The updated National Cybersecurity Policy may be issued this year.
The validity of the CERT-In Directions has been challenged by several entities across Indian courts alleging that certain provisions of the CERT-In Directions are ultra vires. Reportedly, one of the provisions challenged includes the collection of details like name, IP address, address, contact information, and the purpose of using a VPN and keeping it for five years even after the user’s relationship with the VPN service provider has ended. Although the CERT-In Directions are currently in force, the court’s approach to the pending cases will be noteworthy.
The government also has plans to release the draft e-commerce policy that proposes to set up an e-commerce regulator with broad powers over e-commerce entities and platforms. The draft policy contains proposals on sharing source codes, algorithms, and other data with the government, use of non-personal data of consumers, anti-piracy, cross-border data transfers, etc.
-
Does your jurisdiction impose ‘data protection by design’ or ‘data protection by default’ requirements or similar? If so, please describe the requirement(s) and how businesses typically meet such requirement(s).
The principles of ‘privacy by design’ and ‘privacy by default’ are reflected in the IT Act and the DPDP Act, as they incorporate provisions such as:
- provision of a privacy policy and disclosure of information;
- collection of information for lawful purposes with a data provider’s consent;
- use of information for the purpose for which it was collected; and
- retention of information only so long as that purpose gets fulfilled.
Data fiduciaries
Under the DPDP Act, controllers are referred to as ‘data fiduciaries.’ The legislation also creates a class of data fiduciaries called ‘significant data fiduciaries.’ The government will have the right to categorize actors as significant data fiduciaries depending, among other factors, on the volume and sensitivity of personal data they process, the risk to rights of data principals, the potential impact on the sovereignty and integrity of India, risk to electoral democracy, security of the State, and public order. Further, the act also introduces a class of entities termed ‘consent managers,’ to be registered with the DPB, which will act as a single point of contact to enable a data principal to give, manage, review, and withdraw their consent through an accessible, transparent, and interoperable platform. In addition to complying with the principles of data processing discussed above, data fiduciaries must:
- involve a data processor only under a valid contract for any activity related to the offering of goods or services to data principals;
- report data breaches to affected data principals as well as the DPB;
- establish effective grievance redressal mechanisms; and
- publish the details of the person who may answer data principals, on behalf of the data fiduciary, regarding the processing of personal data.
The act imposes the following enhanced obligations on significant data fiduciaries:
- appointing a data protection officer (DPO);
- appointing an independent data auditor to carry out data audits and evaluate the significant data fiduciary’s compliance with the act;
- undertaking periodic Data Protection Impact Assessments (‘DPIA’);
- undertaking periodic audits; and
- undertaking such other measures as may be prescribed.
Data processors
Data processors have no direct obligations under the act. Data fiduciaries are responsible for compliance by data processors processing personal data on their behalf.
Data transfers
Under the DPDP Act, personal data may be transferred to third countries, provided that the transfer is not prohibited by the Government. The government will notify a list of jurisdictions to which personal data may not be transferred. However, any stricter localization requirements imposed under other Indian laws will continue to apply.
Data protection impact assessment
Under the act, significant data fiduciaries are required to carry out periodic DPIAs. A DPIA is a process comprising a description of the rights of data principals and the purpose of processing their personal data, an assessment and management of the risk to the rights of the data principals, and such other matters regarding the process as may be prescribed by the Government.
Data Protection Officer appointment
The Act requires significant data fiduciaries to appoint a DPO, based in India, to be the point of contact for the grievance redressal mechanism under the act. The DPO will represent the significant data fiduciary and is responsible to the board of directors of such significant data fiduciary. A data fiduciary is required to appoint a person authorized to respond to communications from the data principals for exercising their rights under the act. Such a person, unlike a DPO, need not be based within India or report directly to the board of directors of the data fiduciary.
Data breach notification
In the event of a personal data breach, the data fiduciary shall provide the DPB, and each affected data principal, intimation of such breach in such form and manner as may be prescribed by the Government.
Data retention
The Act does not prescribe retention periods; however, data should be erased as soon as it is reasonable to assume that the specified purpose of processing is no longer being served, or upon withdrawal of the data principal’s consent, whichever is earlier. Additionally, the Government may prescribe retention periods for different classes of data fiduciaries and different purposes of processing.
Children’s data
The Act defines a ‘child’ as an individual who has not reached eighteen years of age. Data fiduciaries may not undertake processing of personal data that is likely to cause any detrimental effect on the well-being of a child. Before processing any personal data of a child (or a person with a disability who has a lawful guardian), data fiduciaries must obtain verifiable consent of the parent or lawful guardian of such child or person with a disability, in a manner as may be prescribed by the Government. Additionally, data fiduciaries cannot undertake any tracking or behavioral monitoring of children, or targeted advertising directed at children. However, certain classes of data fiduciaries or processing for certain purposes may be exempted from these requirements by the Government. Additionally, with respect to compliance with these requirements, the age threshold may be lowered for certain data fiduciaries, if the Government is satisfied that the processing is ‘verifiably safe.’
Controller and processor contracts
Under the act, a data fiduciary may engage, appoint, use, or otherwise involve a data processor only under a valid contract, for processing concerning any activity related to offering of goods or services to data principals.
-
Are controllers and/or processors of personal data required to maintain any internal records of their data processing activities or establish internal processes or written documentation? If so, please describe how businesses typically meet such requirement(s).
Besides providing a privacy policy, data principal’s consent, and security practices and procedures (explained in our response to query no. 5), the IT Act and the DPDP Act do not require personal data processors to maintain any internal records of their data processing activities.
However, CERT-In directives require all service providers, intermediaries, data centres, body corporate, virtual private server (VPS) providers, cloud service providers, VPN service providers, virtual asset service providers, virtual asset exchange providers, custodian wallet providers and government organisations to maintain security logs in India and store certain additional customer information as prescribed under the directive.
-
Do the data protection laws in your jurisdiction require or recommend data retention and/or data disposal policies and procedures? If so, please describe such requirement(s).
The DPDP Act provides that data fiduciaries must not retain personal data for longer than is required for the purpose for which it was collected. No specific duration has been specified.
The DPDP Act provides that a data fiduciary may retain personal data beyond this only where retention is necessary to comply with any law in force. The data fiduciary’s related obligations include the following.
- Erasure of personal data in case consent is withdrawn by the data principal or after the fulfilment of specified purpose.
- Causing the data processor to erase data that was made available by the data fiduciary for processing.
MeitY notified the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 replacing the Information Technology (Intermediaries Guidelines) Rules, 2011. The new intermediary rules provide an obligation for internet intermediaries to retain users’ information collected upon registration for 180 days even after any cancellation or withdrawal of such registration.
-
Under what circumstances is a controller operating in your jurisdiction required or recommended to consult with the applicable data protection regulator(s)?
Under the act, controllers are referred to as ‘data fiduciaries.’ Under the DPDP Act, in the event of a personal data breach, the data fiduciary is required to inform each affected data principal and the DPB. Personal data breach is broadly defined under the DPDP Act as any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of, or loss of access to personal data, that compromises the confidentiality, integrity, or availability of personal data. Therefore, data fiduciaries are required to report all types of personal data breaches, regardless of the sensitivity of the breach or its impact on the data principal. Under the DPDP Act, neither materiality thresholds nor express timelines have been prescribed for the reporting requirement. The DPDP Act is not the sole regulation imposing reporting requirements for data breaches. The existing cybersecurity framework also mandates reporting of cybersecurity incidents, which may include personal data breaches, to the CERT-In. In the absence of any conflicting information, both sets of regulations will be applicable. The Government of India has established and authorized the CERT-In to collect, analyze, and disseminate information on cyber incidents, provide forecasts and alerts of cybersecurity incidents, provide emergency measures for handling cybersecurity incidents, and coordinate cyber incident response activities. The Information Technology (the Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (CERT-In Rules) along with the Cyber Security Directions impose mandatory notification requirements on service providers, intermediaries, data centers, and corporate entities, upon the occurrence of certain cybersecurity incidents.
Under the Cyber Security Directions, the following types of cybersecurity incidents are to be reported:
- Targeted scanning/probing of critical networks/systems;
- Compromise of critical systems/information;
- Unauthorized access of IT systems/data;
- Defacement of a website or intrusion into a website and unauthorized changes such as inserting malicious code, links to external websites, etc.;
- Malicious code attacks such as spreading virus/worm/trojan/bots/spyware/ransomware/crypto miners;
- Attacks on servers such as database, mail and DNS servers, and on network devices such as routers;
- Identity theft, spoofing and phishing attacks;
- Denial of service and distributed denial of service attacks;
- Attacks on critical infrastructure, SCADA and operational technology systems, and wireless networks;
- Attacks on applications such as e-governance, e-commerce, etc.;
- Data breach;
- Data leak;
- Attacks on Internet of Things devices and associated systems, networks, software and servers;
- Attacks or incidents affecting digital payment systems;
- Attacks through malicious mobile applications;
- Fake mobile applications;
- Unauthorized access to social media accounts;
- Attacks or malicious/suspicious activities affecting cloud computing systems/servers/software/applications;
- Attacks or malicious/suspicious activities affecting systems/servers/networks/software/applications related to Big Data, blockchain, virtual assets, virtual asset exchanges, custodian wallets, robotics, 3D and 4D printing, additive manufacturing and drones; and
- Attacks or malicious/suspicious activities affecting systems/servers/software/applications related to artificial intelligence and machine learning.
-
Do the data protection laws in your jurisdiction require or recommend risk assessments in connection with data processing activities and, if so, under what circumstances? How are these risk assessments typically carried out?
Under the DPDP Act, significant data fiduciaries are required to appoint an independent data auditor who will undertake periodic Data Protection Impact Assessments (DPIAs). A DPIA is defined as a process comprising a description of the rights of data principals and the purpose of processing their personal data, an assessment of harm, measures for managing the risk of harm, and an assessment and management of the risks to the rights of data principals, together with such other matters concerning the processing of personal data as may be prescribed by the Government. The Government of India will elaborate on the process of conducting DPIAs in subsequent legislation.
The RBI mandates banks to carry out periodic vulnerability assessment and penetration testing exercises for all critical systems. The IRDAI also has a cybersecurity policy that recognises the need for testing programmes, vulnerability assessments and penetration tests. In October 2022, IRDAI introduced an improved cybersecurity framework focused on insurers’ security concerns, which aims to encourage insurance firms to establish and maintain a robust risk assessment plan, improve mitigation of internal and external threats, prevent ransomware attacks and other types of fraud, and implement a robust business continuity plan.
-
Do the data protection laws in your jurisdiction require a controller’s appointment of a data protection officer, chief information security officer, or other person responsible for data protection, and what are their legal responsibilities?
The DPDP Act requires significant data fiduciaries to appoint a DPO, based in India, to be the point of contact for the grievance redressal mechanism under the act. The DPO will represent the significant data fiduciary and is responsible to the board of directors of such significant data fiduciary. A data fiduciary is required to appoint a person authorized to respond to communications from the data principals for exercising their rights under the act. Such a person, unlike a DPO, need not be based within India or report directly to the board of directors of the data fiduciary.
The DPDP Act prescribes that the data fiduciary should appoint a Data Protection Officer who shall report to the Board of Directors or a similar governing body and be the point of contact for the grievance redressal mechanism.
The DPB is the central data privacy authority as per the provisions of the DPDP Act. The DPB is currently in the process of being set up. The DPDP Act specifies that before a matter reaches the Data Protection Officer (DPO), it should be heard by the data fiduciary or the consent manager. A consent manager is a person who is registered with the DPB and serves as a point of contact for the data principal. If the individual is aggrieved by the decision of the DPO, then he/she can approach the appellate tribunal for appeal.
-
Do the data protection laws in your jurisdiction require or recommend employee training related to data protection? If so, please describe such training requirement(s).
Under the current Indian law, there is no such statutory requirement concerning employee training related to data protection.
-
Do the data protection laws in your jurisdiction require controllers to provide notice to data subjects of their processing activities? If so, please describe such notice requirement(s) (e.g., posting an online privacy notice).
Consent and notification
Under the Privacy Rules, body corporates collecting SPDI from a data subject must obtain the subject’s prior written consent. When collecting information from the data subject, the body corporate must also take reasonable steps to inform the data subject:
- that the body corporate is collecting the information;
- the collection’s purpose;
- the intended recipients; and
- the name and address of the body corporate, or an entity or person acting on its behalf, that is collecting and retaining the information.
The body corporate must allow the data subject the right to review or amend the SPDI and provide an option to retract consent at any point in time. If consent is withdrawn, the body corporate may stop providing the goods or services for which the information was sought.
The DPDP Act specifies that consent should be specific, free, unconditional, unambiguous and informed. Withdrawal of consent should also be permitted. Consent may also be managed through a consent manager acting on behalf of the data principal. Processing is defined as operations performed “wholly or partly” by automated means, which covers processing that is completely automated as well as a combination of manual and automated operations. However, as the DPDP Act is yet to be notified by the Central Government, stakeholders have asked MeitY to grant a 12 to 24-month period so that they can comply with the provisions of the DPDP Act.
Under the DPDP Act, the processing of personal data can only happen by way of consent of the data principal. A notice must be provided to the data principal before seeking consent. The notice should contain details about the personal data to be collected, the purpose of processing, as well as how the data principal may withdraw its consent, avail the grievance redressal mechanism, and make a complaint to the DPB.
The DPDP Act prescribes that the consent obtained from the data principal must be free, specific, informed, unconditional, and unambiguous with clear affirmative action, and shall signify an agreement to the processing of the subject’s personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose.
-
Do the data protection laws in your jurisdiction draw any distinction between the controllers and the processors of personal data, and, if so, what are they?
The primary distinction between a data controller and a data processor lies in their roles, responsibilities and relationship to data subjects. The provisions of the DPDP Act distinguish between data fiduciaries (controllers) and data processors of personal data.
As per the DPDP Act, data fiduciary means, “any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.”
On the other hand, a data processor means, “any person who processes personal data on behalf of a data fiduciary.”
Further, the DPDP Act requires a valid contract where data processing is carried out by a data processor on behalf of a data fiduciary. This contractual relationship itself establishes the distinction between the data fiduciary and the data processor.
-
Do the data protection laws in your jurisdiction place obligations on processors by operation of law? Do the data protection laws in your jurisdiction require minimum contract terms with processors of personal data?
Although the term ‘processing,’ as defined in the DPDP Act, involves automated operations, such operations can be either fully or partially automated. Further, the definition covers a wide range of operations that businesses routinely perform on data, including the collection, storage, use and sharing of information. Thus, even business operations that involve some amount of human intervention and/or stem from human prompts will be covered by the definition of ‘processing,’ and the DPDP Act will remain applicable in all such cases.
The terms and conditions governing the contract between the data fiduciary and the data processor should be carefully defined in written data processing agreements (DPA) and vetted by the data fiduciary’s legal counsel for legal effect and enforceability. Each DPA should address the risks and the strategies for mitigation. The agreement should also be sufficiently flexible to allow the data fiduciary to retain adequate control over the delegated activity and the right to intervene with appropriate measures to meet legal and regulatory obligations. In situations where the primary or initial interface with data principals lies with data processors (e.g., where data processors are made responsible for collecting personal data on behalf of data fiduciaries), the nature of the legal relationship between the parties, including in respect of agency or otherwise, should also be made explicit in the contract.
-
Are there any other restrictions relating to the appointment of processors (e.g., due diligence, privacy and security assessments)?
The DPDP Act attributes sole responsibility upon the main custodians of data vis-à-vis the individuals related to such data, as opposed to a mechanism of ‘joint and several’ or shared liability with contracted data processors. This is the case even when the actual processing may be undertaken by the latter pursuant to a contract or other processing arrangement. Such liability may also be invoked when an event of non-compliance arises on account of the negligence of a data processor. While processing tasks can be delegated to a third party, such delegation and/or outsourcing needs to be made under a valid contract in specified cases.
Given that data fiduciaries may be ultimately responsible for the omissions of data processors, contracts between such entities need to be negotiated carefully.
-
Please describe any restrictions on monitoring, automated decision-making or profiling in your jurisdiction, including through the use of tracking technologies such as cookies. How are these terms defined, and what restrictions on their use are imposed, if any?
The current law does not specify any restrictions on or define the terms “monitoring”, “profiling”, “tracking technologies” or “cookies”.
-
Please describe any restrictions on targeted advertising and/or cross-contextual behavioral advertising. How are these terms or any similar terms defined?
The DPDP Act prohibits the tracking or behavioral monitoring of children or targeted advertising directed at children by the data fiduciaries. Further, the Telecom Commercial Communication Customer Preference Regulations, 2010 (TCCCPR) was issued by the TRAI to address unregulated and endless telemarketing communications to customers. TCCCPR restricts sending of unsolicited commercial communication to any subscriber who is not registered with any access provider.
-
Please describe any data protection laws in your jurisdiction addressing the sale of personal data. How is the term “sale” or such related terms defined, and what restrictions are imposed, if any?
There is no such statutory provision to address the sale of personal data.
-
Please describe any data protection laws in your jurisdiction addressing telephone calls, text messaging, email communication, or direct marketing. How are these terms defined, and what restrictions are imposed, if any?
TCCCPR addresses unregulated and endless telemarketing communications to customers in India. The TCCCPR defines ‘commercial communication’ as any voice call or message using telecommunication services, where the primary purpose is to inform about, advertise, or solicit business for goods or services, a supplier or prospective supplier of offered goods or services, a business or investment opportunity, or a provider or prospective provider of such an opportunity.
The TCCCPR defines “promotional messages” as commercial communication messages for which the sender has not taken any explicit consent from the intended recipient to send such messages. Further, the TCCCPR defines “unsolicited commercial communication (UCC)” as any commercial communication that is neither as per the consent nor as per registered preference(s) of the recipient. Any transactional/service message or transactional/service voice call transmitted on the directions of the Central/State Government or bodies established under the Indian Constitution and any message or voice calls transmitted by or on the direction of the TRAI or by its authorised agency does not constitute UCC in case such communication is in the public interest. The TCCCPR prescribes that a subscriber, who is not registered with any access provider to send commercial communications under the TCCCPR, cannot make UCC.
-
Please describe any data protection laws in your jurisdiction addressing biometrics, such as facial recognition. How are such terms defined, and what restrictions are imposed, if any?
There are no specific provisions under Indian data privacy or sectoral laws to address the privacy concerns arising from facial recognition technology. Much of the emotional and factual data collected through facial recognition technology can be regarded as SPDI. Biometric data is categorized as SPDI under the DPDP Act, and its collection, processing and transfer are subject to the prescribed statutory restrictions.
India’s central government enacted the Aadhaar Act for the targeted delivery of financial benefits and subsidies to the underprivileged. The Aadhaar Act establishes an authority, the UIDAI, responsible for the administration of the Aadhaar Act. It also establishes a Central Identities Data Repository (CIDR), which is a database holding Aadhaar numbers and corresponding demographic and biometric information. Aadhaar is currently the largest database of biometrics globally.
-
Please describe any data protection laws in your jurisdiction addressing artificial intelligence or machine learning (“AI”).
Presently, India does not have a legislative framework that expressly regulates the development and use of artificial intelligence (AI) and machine learning (ML) tools/technologies. It is expected that this sector will be governed by the Digital India Act, which may be released for public consultation by July 2024. This law is expected to facilitate AI development by ‘safeguarding’ innovation in AI, ML, and other emerging technologies. The Government of India has indicated that while it will support monetization of AI/ML technology in India, this process should be regulated by specific compliances for high-risk use cases, including human intervention and oversight, and ethical use of AI/ML tools and technology.
In the meantime, the Ministry of Electronics and Information Technology (“MeitY”) has issued advisories to ‘intermediaries’ and ‘platforms’ that develop and make available AI tools and/or technologies to Indian users, asking them to comply with additional requirements specific to AI tools, as part of the due diligence obligations imposed upon such ‘intermediaries’ under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“IT Rules”), framed under the Information Technology Act, 2000. While these advisories do not have legislative backing, it appears that the private sector is working with the Government to address their concerns, to the extent feasible.
-
Is the transfer of personal data outside your jurisdiction restricted? If so, please describe these restrictions and how businesses typically comply with them (e.g., does a cross-border transfer of personal data require a specified mechanism or notification to or authorization from a regulator?)
Under the DPDP Act, personal data may be transferred to other countries, provided that the transfer is not prohibited by the Government. The Government will notify a list of jurisdictions that personal data may not be transferred to. However, any stricter localization requirements imposed under other Indian laws will continue to apply.
Under the DPDP Act, transfer of personal data for processing is permitted to any country or territory outside India, except to countries which have been specifically blacklisted by the Government of India. The list of countries to which cross-border data transfers are not permitted will be notified by the Government of India. Further, data fiduciaries may transfer personal data to another data fiduciary or Data Processor only under a valid contract. While the DPDP Act does not provide any guidelines or requirements concerning the contract regulating the data transfer, such data transfer agreements may contain adequate indemnity provisions for a third-party breach and may specify a mode of transfer that is adequately secured and safe.
-
What security obligations are imposed on data controllers and processors, if any, in your jurisdiction?
Under the DPDP Act, data fiduciaries are required to protect the personal data under their control, in respect of any processing undertaken by them or on their behalf by a data processor, by taking reasonable security safeguards to prevent any kind of personal data breach. Notably, the highest financial penalty prescribed under the DPDP Act, INR 250 crore, is for failure on the part of a data fiduciary to take reasonable security safeguards to prevent a personal data breach. Under the DPDP Act, no standards or codes of best practice regarding security practices have yet been recommended or mandated by the Government of India; these may be prescribed in due course. In the absence of any guidance under the DPDP Act, reasonable security practices and procedures may follow the IS/ISO/IEC 27001 standard.
The IS/ISO/IEC 27001 standard on ‘Information Technology – Security Techniques – Information Security Management System – Requirements’ is one of the standards prescribed under the Privacy Rules. A body corporate that follows codes of best practice other than IS/ISO/IEC 27001 for data protection must have those codes duly approved and notified by the central government for effective implementation.
Further, companies must ensure that electronic records and security systems are protected against unauthorised access and tampering, in accordance with the Companies (Management and Administration) Rules 2014, framed under the Companies Act, 2013. In the event of an information security breach, such companies are required to show the authorities that the prescribed security control measures have been implemented. Any lapse on the part of such bodies corporate shall attract charges under Section 43A of the IT Act, and they will be required to compensate all those affected by such breach.
India’s Whistle Blowers Protection Act, 2011 (the “Whistle Blowers Act”) establishes a mechanism to receive complaints relating to allegations of corruption or willful misuse of power against any public servant and to provide adequate safeguards against the victimisation of a whistle-blower. However, a major shortfall is that a whistle-blower must disclose their identity in the complaint.
Further, the Companies Act, 2013, mandates that certain publicly listed companies establish a vigil mechanism and an exclusive hotline for directors and employees to report their genuine concerns about unethical behaviour or misconduct, actual or suspected fraud, and violations of the code of conduct.
Additionally, SEBI’s Listing Agreement’s Clause 49 under the Principles of Corporate Governance requires that companies establish a whistle-blower policy to safeguard the identity of an employee who reports instances to the management.
-
Do the data protection laws in your jurisdiction address security breaches and, if so, how do such laws define a “security breach”?
Personal data breach is broadly defined under the DPDP Act as any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of, or loss of access to personal data, that compromises the confidentiality, integrity, or availability of personal data. Therefore, data fiduciaries are required to report all types of personal data breaches, regardless of the sensitivity of the breach or its impact on the data principal. Under the DPDP Act, neither materiality thresholds nor express timelines have been prescribed for the reporting requirement. The DPDP Act is not the sole regulation imposing reporting requirements for data breaches. The existing cybersecurity framework also mandates reporting of cybersecurity incidents, which may include personal data breaches, to the CERT-In. In the absence of any conflicting information, both sets of regulations will be applicable. The Government of India has established and authorized the CERT-In to collect, analyze, and disseminate information on cyber incidents, provide forecasts and alerts of cybersecurity incidents, provide emergency measures for handling cybersecurity incidents, and coordinate cyber incident response activities. The Information Technology (the Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (CERT-In Rules) along with the Cyber Security Directions impose mandatory notification requirements on service providers, intermediaries, data centers, and corporate entities, upon the occurrence of certain cybersecurity incidents.
The CERT-In Rules define a cyber-incident as “any real or suspected adverse event that is likely to cause or causes an offence or contravention, harm to critical functions and services across the public and private sectors by impairing the confidentiality, integrity or availability of electronic information, systems, services or networks resulting in unauthorised access, denial of service or disruption, unauthorised use of a computer resource, changes to data or information without authorisation; or threatens public safety, undermines public confidence, have a negative impact on the national economy, or diminishes the security posture of the nation”.
The CERT-In Rules also define cybersecurity incident as “any real or suspected adverse event in relation to cybersecurity that violates an explicitly or implicitly applicable security policy resulting in unauthorised access, denial of service or disruption, unauthorised use of a computer resource for processing or storage of information or changes to data, and information without authorisation”.
A cybersecurity breach is also defined under the CERT-In Rules as “unauthorised acquisition or unauthorised use by a person as well as an entity of data or information that compromises the confidentiality, integrity or availability of information maintained in a computer resource”.
-
Does your jurisdiction impose specific security requirements on certain sectors, industries or technologies (e.g., telecom, infrastructure, AI)?
The relevant laws in India that govern network monitoring and cybersecurity defensive measures are:
- the IT Act;
- the IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 (the “Interception Rules”);
- the DPDP Act;
- the CERT-In Rules and the new directives issued thereunder in April 2022;
- the NCIIPC Rules; and
- the Sectoral Cyber Security Framework Policies.
The IT Act provides a legal framework to address hacking and security breaches of IT infrastructure and prescribes penalties for negligently handling SPDI. Furthermore, to the extent that the data intercepted and monitored by a body corporate includes the SPDI of its customers or employees, the body corporate must comply with the rules under the DPDP Act.
The Interception Rules prescribe that no person shall carry out any interception, monitoring, or decryption of any information generated, transmitted, received, or stored in any computer resource unless authorised by India’s central or state governments. There is a lack of clarity on whether a company’s interception and monitoring of its internal servers will conflict with the above restriction.
The sectoral cybersecurity policies for banks, insurance companies, telecom companies and CII permit body corporates, including banks, to monitor the secure status of each system and network, mobile and home-working procedures, and critical systems. These may include third-party providers. The UASL obliges telecom companies to monitor all intrusions, attacks and fraudulent activity on its technical facilities and report to the DoT.
Key legislations that address data protection in the finance sector include the Credit Information Companies (Regulation) Act 2005 (CIC Act), the Credit Information Companies Regulations 2006 (CIC Regulations) and circulars issued by the RBI.
The CIC Act and CIC Regulations primarily apply to credit information companies; recognise them as data collectors; require that they ensure data security and secrecy; and require that they adhere to privacy principles in respect of data collection, use, disclosure, accuracy and protection against loss or unauthorised use, access, and disclosure.
The RBI’s guidelines on data localisation of payment system data in India will also, to an extent, help protect financial data.
As regards the protection of health data, the Ministry of Health has proposed the DISH Act to ensure electronic health data privacy, security, and standardization in the healthcare sector. The DISH Act is pending government approval and is expected to be notified soon.
Although there are multiple telecoms laws, data protection norms in the telecoms sector are primarily governed by the UASL issued to telecoms service providers (TSPs) by the DoT. A TSP must take necessary steps to safeguard the privacy and confidentiality of users’ information. Furthermore, customer information can be disclosed only after obtaining the individual’s consent and if the disclosure is in accordance with the terms of such consent.
Artificial intelligence (AI) is not dealt with under the current data privacy regime. However, reliance on AI is increasing significantly among organisations wishing to secure their networks and their data.
MeitY has constituted four committees for promoting AI initiatives and developing a policy framework. The committees have submitted their first reports on: platforms and data on AI; leveraging AI for identifying national missions in key sectors; mapping technological capabilities and key policy enablers required across sectors; and cybersecurity, safety, legal and ethical issues.
-
Under what circumstances must a business report security breaches to regulators, impacted individuals, law enforcement, or other persons or entities? If breach notification is not required by law, is it recommended by the applicable regulator in your jurisdiction, and what is customary in this regard in your jurisdiction?
Under the DPDP Act, in the event of a personal data breach, the data fiduciary is required to inform each affected data principal and the DPB. The specific format and method of reporting are yet to be prescribed. The personal data breach is broadly defined under the DPDP Act as any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of, or loss of access to personal data, that compromises the confidentiality, integrity, or availability of personal data. The data fiduciaries are required to report all types of personal data breaches, regardless of the sensitivity of the breach or its impact on the data principal. Under the DPDP Act, neither materiality thresholds nor express timelines have been prescribed for the reporting requirement. The DPDP Act is not the sole regulation imposing reporting requirements for data breaches. The existing cybersecurity framework also mandates reporting of cybersecurity incidents, which may include personal data breaches, to the CERT-In. In the absence of any conflicting information, both sets of regulations will be applicable. The Government of India has established and authorized the CERT-In to collect, analyze, and disseminate information on cyber incidents, provide forecasts and alerts of cybersecurity incidents, provide emergency measures for handling cybersecurity incidents, and coordinate cyber incident response activities. The Information Technology (the Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (CERT-In Rules) along with the Cyber Security Directions impose mandatory notification requirements on service providers, intermediaries, data centers, and corporate entities, upon the occurrence of certain cybersecurity incidents. 
A cybersecurity incident is defined as any real or suspected adverse event, concerning cybersecurity, that violates an explicitly or implicitly applicable security policy and results in unauthorized access, denial or disruption of service; unauthorized use of a computer resource for processing or storage of information; or changes to data or information without authorization.
Under the Cyber Security Directions, the following types of cybersecurity incidents must be reported:
- targeted scanning / probing of critical networks / systems;
- compromise of critical systems / information;
- unauthorized access of IT systems / data;
- defacement of a website or intrusion into a website and unauthorized changes such as inserting malicious code or links to external websites;
- malicious code attacks such as spreading viruses / worms / trojans / bots / spyware / ransomware / crypto miners;
- attacks on servers such as database, mail and DNS servers, and on network devices such as routers;
- identity theft, spoofing and phishing attacks;
- denial of service and distributed denial of service attacks;
- attacks on critical infrastructure, SCADA and operational technology systems, and wireless networks;
- attacks on applications such as e-governance and e-commerce applications;
- data breach;
- data leak;
- attacks on internet of things devices and associated systems, networks, software and servers;
- attacks or incidents affecting digital payment systems;
- attacks through malicious mobile applications;
- fake mobile applications;
- unauthorized access to social media accounts;
- attacks or malicious / suspicious activities affecting cloud computing systems / servers / software / applications;
- attacks or malicious / suspicious activities affecting systems / servers / networks / software / applications related to big data, blockchain, virtual assets, virtual asset exchanges, custodian wallets, robotics, 3D and 4D printing, additive manufacturing and drones; and
- attacks or malicious / suspicious activities affecting systems / servers / software / applications related to artificial intelligence and machine learning.
The list is broad and treats "data breach" and "data leak" as reportable categories in their own right, so a personal data breach notifiable to the DPB will in most cases also be a cybersecurity incident reportable to CERT-In.
-
Does your jurisdiction have any specific legal requirements or guidance for dealing with cybercrime, such as in the context of ransom payments following a ransomware attack?
There are currently no laws or regulations in India that prohibit or restrict the payment of a ransom following a ransomware attack. Legal practitioners nonetheless generally advise companies against making such payments, because remitting funds to an unidentified recipient is likely to raise issues under the foreign exchange and anti-money laundering laws (the Foreign Exchange Management Act, 1999 and the Prevention of Money Laundering Act, 2002). Whether or not a ransom is paid, the ransomware incident itself is a reportable cybersecurity incident under the Cyber Security Directions and must be notified to CERT-In.
-
Does your jurisdiction have a separate cybersecurity regulator? If so, please provide details.
CERT-In is the national nodal agency for cybersecurity, to carry out the following functions:
- collection, analysis, and dissemination of information on cyber incidents;
- forecast and alerts of cybersecurity incidents;
- emergency measures for handling cybersecurity incidents;
- co-ordination of cyber incident response activities;
- issue guidelines, advisories, vulnerability notes, and white papers relating to information security practices, procedures, prevention, response, and reporting of cyber incidents; and
- such other functions relating to cybersecurity as may be prescribed.
CERT-In is responsible for responding to cybersecurity incidents and for assisting in implementing measures to reduce the risk of cybersecurity incidents. CERT-In has the power to issue directions to service providers, intermediaries, data centres, body corporates and others for enhancing cybersecurity in India, and non-compliance with such directions is itself punishable under the IT Act. CERT-In also operates an incident response help desk on a 24-hour basis on all days, including government and other public holidays, to facilitate the reporting of cybersecurity incidents.
As regards critical information infrastructure, the National Critical Information Infrastructure Protection Centre (NCIIPC) is the nodal agency set up under Section 70A of the IT Act to ensure a safe, secure and resilient information infrastructure for the critical sectors in India.
-
Do the data protection laws in your jurisdiction provide individual data privacy rights, such as the right to access and the right to deletion? If so, please provide a general description of such rights, how they are exercised, any exceptions and any other relevant details.
The DPDP Act recognizes individual data privacy rights. It gives the data principal the right to access information about the processing of their personal data; to have that data corrected, completed, updated and erased; to withdraw consent; to grievance redressal; and to nominate another individual to exercise these rights on their behalf.
Right to access
When processing is based on consent or voluntary provision of data, the act allows data principals to seek from a data fiduciary: a summary of the personal data and processing activities undertaken concerning such personal data; the identities of all other data fiduciaries and data processors with whom the personal data has been shared, along with a description of such personal data; and any other information related to the personal data of such data principal and its processing, as may be prescribed by the Government.
Right to be informed
The Act does not provide for an explicit right to be informed. However, when processing is based on consent, data fiduciaries must give the data principal a notice describing the personal data and the purpose for which it will be processed; how the data principal may withdraw consent; the data fiduciary's grievance redressal mechanism; and how the data principal may make a complaint to the DPB. Such notice must either accompany or precede every request for consent. Where consent was collected before the commencement of the Act, such notice must be provided as soon as is reasonably practicable.
Right to rectification
When processing is based on consent or voluntary provision of data, data principals have the right to correct inaccurate or misleading personal data, complete incomplete personal data, and update their personal data, in accordance with any requirement or procedure under any law. Data fiduciaries are consequently obligated to correct, complete, and update personal data pursuant to data principals’ requests.
Right to erasure
When processing is based on consent or voluntary provision of data, data principals have the right to erasure of their personal data, in accordance with any requirement or procedure under any law. A data principal may make an erasure request to a data fiduciary in such manner as may be prescribed by the Government, and upon receipt of such a request, the data fiduciary is obligated to erase the personal data unless its retention is necessary for the specified purpose of processing or compliance with any law.
Right to object/opt-out
In case of processing based on consent, data principals have the right to withdraw their consent to the processing of their personal data.
Other rights
The data principal also has a right of grievance redressal and a right to nominate another individual to exercise these rights in the event of the data principal's death or incapacity. Data principals also have duties under the Act: they must not impersonate another person; must not suppress material information when providing personal data for a government-issued identifier, document or proof of identity or address; must not register false or frivolous grievances or complaints; and must furnish only verifiably authentic information when exercising the right to correction or erasure. Breach of these duties attracts a penalty of up to INR10,000.
-
Are individual data privacy rights exercisable through the judicial system, enforced by a regulator, or both?
Both. Under the existing framework, individual data privacy rights are exercised and enforced through the judicial system in India, whether by writ petition or through the adjudicating officer mechanism under the IT Act.
Once the DPDP Act is in force, the DPB will be the primary regulatory body. The Act provides for the establishment of the DPB, which is envisaged to have multiple roles, including maintaining a register of consent managers, conducting inquiries, issuing directions and enforcement. The Board's primary duty is to ensure compliance with the Act and to protect the interests of data principals. To discharge its functions under the Act, the DPB has the same powers as are vested in a civil court in respect of summoning and enforcing the attendance of any person and examining them on oath; receiving evidence on affidavit; requiring the discovery and production of documents; inspecting any data, book, document, register, books of account or other document; and such other matters as may be prescribed.
-
Do the data protection laws in your jurisdiction provide for a private right of action and, if so, under what circumstances?
As the right to privacy in India is a fundamental right under the Constitution, it can be enforced by filing a writ petition before the competent High Court (against the State) or, for the most serious violations, before the SCI. An affected party can also claim compensation under Section 43A of the IT Act from a body corporate whose negligence in implementing and maintaining reasonable security practices and procedures caused them wrongful loss.
-
Are individuals entitled to monetary damages or compensation if they are affected by breaches of data protection law? Does the law require actual damage to have been sustained, or is injury to feelings, emotional distress or similar sufficient for such purposes?
Individuals are entitled to compensation for a personal data breach under Section 43A of the IT Act, which requires the claimant to show that the body corporate's negligence in implementing reasonable security practices and procedures caused wrongful loss or wrongful gain; the section is framed in terms of such loss or gain rather than injury to feelings or emotional distress. The IT Act provides for the appointment of an adjudicating officer to inquire into claims valued up to INR50,000,000 (approximately USD600,000). Claims exceeding this amount must be filed before the competent civil court. Appeals from the adjudicating officer lie to the Appellate Tribunal, with a second appeal to the High Court.
Under the DPDP Act, in the event of a personal data breach, the data fiduciary must notify the DPB and each affected data principal. The Act does not require any "actual damage", emotional distress or injury to feelings to have been sustained by the data principal: the breach itself is the trigger for notification to CERT-In (under the cybersecurity framework) and to the DPB once it is constituted, and for the DPB's power to direct remedial measures and impose penalties.
-
How are data protection laws in your jurisdiction enforced?
Under the IT Act, a written complaint can be made to the adjudicating officer having jurisdiction over the location of the computer system or computer network concerned, together with a fee calculated on the compensation claimed. The adjudicating officer issues a notice to the parties fixing the date and time for further proceedings and, on the basis of the parties' evidence, either passes orders (where the respondent admits the contravention) or carries out an investigation. If the officer is satisfied that the matter amounts to an offence rather than a contravention, and therefore entails punishment beyond a financial penalty, the officer transfers the case to the magistrate having jurisdiction.
The first appeal from the adjudicating officer’s decisions can be filed before the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), and the subsequent appeal before the High Court.
Under the DPDP Act, a data principal must first raise a grievance through the data fiduciary's grievance redressal mechanism (for a significant data fiduciary, through its data protection officer). An unresolved grievance may then be taken as a complaint to the DPB, which can inquire into it and impose penalties on the data fiduciary.
The DPDP Act designates the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) as the appellate tribunal for appeals from orders of the DPB, with further appeal to the SCI as the final appellate authority for all purposes under the DPDP Act.
The Data Protection Board of India is the supervisory authority with the power to:
- Direct any urgent remedial or mitigation measures for reported personal data breaches, investigate these breaches, and impose penalties under the DPDP Act;
- Investigate data principals’ complaints and impose penalties under the DPDP Act regarding personal data breaches and data fiduciaries’ breach of their obligations relating to personal data or data principals’ rights; and consent managers’ breaches of their obligations regarding personal data or registration conditions; and
- Investigate matters referred by the central government or a state government or pursuant to a court order and impose penalties under the DPDP Act.
As regards cybersecurity, the Indian government has established CERT-In under the IT Act as the national nodal agency for cybersecurity. CERT-In has also set up sectoral CERTs to implement cybersecurity measures at a sectoral level. The methods and formats for reporting cybersecurity incidents, vulnerability reporting and remediation, incident response procedures, and the dissemination of information on cybersecurity are published on CERT-In's website and updated from time to time. For critical sectors, the government has set up the NCIIPC under the IT Act as the nodal agency.
In addition to the IT Act, cybersecurity-related provisions are found in the Indian Penal Code, 1860 (IPC), which deals with criminal offences including those committed in cyberspace, and in the Companies Act, which requires companies to implement security systems to ensure that electronic records are secured from unauthorized access.
-
What is the range of sanctions (including fines and penalties) for violation of data protection laws in your jurisdiction?
The Digital Personal Data Protection Act 2023 (DPDP Act) will impose certain penalties for violations, including:
- Up to INR2,500,000,000 for failure of data fiduciaries to implement reasonable security safeguards to prevent personal data breaches under Section 8(5).
- Up to INR2,000,000,000 for failure to notify the Data Protection Board of India or affected data principals of a personal data breach under Section 8(6).
- Up to INR2,000,000,000 for breach of obligations related to children under Section 9.
- Up to INR1,500,000,000 for breach of significant data fiduciary obligations under Section 10.
- Up to INR500,000,000 for breach of any other DPDP Act provision or rules to be issued thereunder.
- Up to INR10,000 for a data principal’s breach of their duties under Section 15.
- Up to the extent applicable for the relevant breach for violating any term of voluntary undertaking that the DPB accepted under the act.
Violations of the Information Technology Act 2000 as amended by the Information Technology (Amendment) Act 2008 (IT Act and IT Amendment Act) may trigger the following penalties:
- Damages to compensate an affected individual for a body corporate’s negligence in implementing and maintaining ‘reasonable security practices and procedures’ to secure SPDI or personal information (Section 43A, IT Act). Damages are uncapped and may vary from case to case.
- Imprisonment for not more than three years, an INR500,000 fine, or both, for disclosing personal information in breach of lawful contract or without the data subject’s consent (Section 72A, IT Act, as amended by Section 37, IT Amendment Act).
- Imprisonment for not more than one year, an INR100,000 fine, or both for a body corporate’s failure to provide information to the Computer Emergency Response Team (CERT-In), or comply with CERT-In’s directions (Section 70B(7), IT Act, as amended by Section 36, IT Amendment Act).
-
Are there any guidelines or rules published regarding the calculation of such fines or thresholds for the imposition of sanctions?
There are no rules or guidelines published regarding the calculation of fines or thresholds for the imposition of sanctions.
However, the DPDP Act prescribes that, when determining the amount of a monetary penalty, the DPB shall have regard to the following:
- the nature, gravity, and duration of the breach;
- the type and nature of the personal data affected by the breach;
- repetitive nature of the breach;
- whether the person, as a result of the breach, has realized a gain or avoided any loss;
- whether the person took any action to mitigate the effects and consequences of the breach, and the timeliness and effectiveness of such action;
- whether the monetary penalty to be imposed is proportionate and effective, having regard to the need to secure observance of and deter breach of the provisions of this Act; and
- the likely impact of the imposition of the monetary penalty on the person.
-
Can controllers operating in your jurisdiction appeal to the courts against orders of the regulators?
Yes. Under the DPDP Act, a data principal must first use the data fiduciary's grievance redressal mechanism (for a significant data fiduciary, through its data protection officer); an unresolved grievance may then be taken to the DPB, which has the authority to inquire into it and impose penalties on the data fiduciary.
Orders of the DPB are appealable to the TDSAT, which the DPDP Act designates as the appellate tribunal, with further appeal to the SCI as the final appellate authority for all purposes under the Act. Orders of the adjudicating officer under the IT Act are likewise appealable to the TDSAT and thereafter to the High Court.
-
Are there any identifiable trends in enforcement activity in your jurisdiction?
India saw a rising trend of writ petitions filed across various High Courts seeking the right to be forgotten and the right to erasure. A world-renowned doctor in the case of Dr. Ishwarprasad Gilda v. Union of India & Others, was charged under the provisions of the IPC for causing death by negligence, cheating, and impersonation of a public servant. The doctor was accused of procuring medicines from abroad and administering them to patients in India. The doctor was arrested in April 1999 and received bail in May 1999. In 2023, the doctor approached the Delhi High Court for the ‘right to be forgotten’, asking for all news and journal articles to be erased against him as they were causing a grave injury to his reputation.
As the IT Act and the SPDI Rules do not expressly mention the "right to be forgotten", the court relied on Article 21 of the Constitution of India, which includes the right to privacy, recognized the right to be forgotten and held that individuals have the right to silence past events in their lives which are no longer occurring. This right allows an individual to have videos, information and photographs of themselves removed from internet records. The court permitted an affidavit to be filed for de-indexing, so that the URLs concerned no longer appear in search results.
In general, in the petitions that involved family matters including matrimony, divorce, custody of a child, etc., the court had allowed the right to privacy and directed the removal of aggrieved persons’ details from online records.
In another landmark case, Balu Gopalakrishnan v. State of Kerala and Ors (Kerala High Court) W.P. (C). Temp No. 84 of 2020, which involved the collection of citizens' personal data for COVID-19 tracking purposes by the Government of Kerala and its transfer to a US-based data analysis company, the Kerala High Court restrained the government from sharing citizens' sensitive personal data unless the data was anonymised. The court also recognised the importance of the data subjects' informed consent before their personal data is collected, and laid down safeguards to ensure the confidentiality of the data collected.
-
Are there any proposals for reforming data protection laws in your jurisdiction currently under review? Please provide an overview of any proposed changes and the legislative status of such proposals.
India saw its first comprehensive, general data protection law introduced last year with the notification of the DPDP Act; the rules under it, which will set the notice formats, breach notification procedure and timelines, are still awaited. The Indian government is also working on an updated National Cybersecurity Strategy to improve its position in cyberspace, and the updated policy may be issued this year. The validity of the CERT-In Directions has been challenged by several entities before Indian courts on the ground that certain provisions are ultra vires. Reportedly, one of the provisions challenged is the requirement that VPN service providers collect and retain subscriber details such as name, IP address, address, contact information and purpose of use for five years, even after the user's relationship with the provider has ended. Although the CERT-In Directions are currently in force, the courts' approach to the pending cases will be noteworthy.
The government is expected to release a draft e-commerce policy proposing an e-commerce regulator with broad powers over e-commerce entities and platforms. The draft policy contains proposals on sharing source code, algorithms and other data with the government, the use of consumers' non-personal data, anti-piracy and cross-border data transfers. This is an important development, and the final policy will need to be read against the DPDP Act and its pending rules before its feasibility and enforceability can be assessed.
With the continuing growth of digitization, including digital payments and remote working becoming the norm, cyber risk will continue to rise unless stakeholders, users and the government act together.
RBI, in co-ordination with CERT-In, has issued over ten advisories to supervised entities on various cyber threats and best practices to be adopted. Additionally, a series of video conferences were conducted regarding cybersecurity preparedness and broad cyber/IT threats to sensitize the supervised entities.
There is already higher awareness and focus on data privacy and cybersecurity. The government and other organizations have been working on developing policies and frameworks in respect of machine learning and AI for cybersecurity solutions, anomaly detection and response, and IoT infrastructure for automation and efficiency, specifically for the CII. Governments and corporations will have to further secure the cloud-based model and the data stored in the cloud. Concepts such as blockchain to prevent data theft may also be in demand.
India: Data Protection & Cybersecurity
This country-specific Q&A provides an overview of Data Protection & Cybersecurity laws and regulations applicable in India.