As provided in the preceding questions, India has enacted a bespoke data protection law for digital personal data, known as the Digital Personal Data Protection Act, 2023. Although it is notified in the Official Gazette as ‘law’, the DPDPA has not been officially implemented. Rules to implement the act are currently being framed by the Government and some progress is likely in the coming months. Once implemented, the DPDPA will regulate the processing of ‘digital’ personal data in India. The term ‘processing,’ defined similarly to the European Union’s General Data Protection Regulation (GDPR), includes the collection of personal data. The DPDPA identifies data fiduciaries (entities that determine the purpose and means of processing personal data, akin to ‘data controllers’ under the GDPR), data processors (entities that process personal data, including on behalf of data fiduciaries), and data principals (individuals to whom the personal data relates). It outlines their obligations, rights, and duties. Furthermore, the DPDPA grants the Indian government the authority to regulate the transfer of personal data outside India, which is crucial for cross-border investigations.
The DPDPA, upon its implementation, will replace the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (SPDI Rules 2011), which were framed under the Information Technology Act 2000 (IT Act) and currently serve as the primary data privacy law in India. The SPDI Rules 2011 set out guidelines for the collection, processing, storage, and transfer of sensitive personal data or information in India. These Rules define sensitive personal data to include information such as passwords, financial information, medical information, sexual orientation, and biometric data.
In addition to the above, there also exist certain sector-specific laws in fields such as banking, insurance, medicine or healthcare, and telecoms, which regulate the processing of certain types of personal data. There are also subordinate rules and regulations framed under the IT Act (other than the SPDI Rules 2011) relating to data protection or privacy in specific scenarios. These will continue to apply, provided they do not conflict with the provisions of the DPDPA and have not been expressly repealed. If a sectoral law imposes higher obligations than the DPDPA, the obligations under that sectoral law may have to be met. These sectoral laws would similarly be relevant depending on the nature and/or scope of a given cross-border investigation. Some of these are:
- RBI’s direction on ‘Storage of Payment System Data’ dated April 6, 2018 – The RBI has directed all banks and Payment System Operators to store all payment data in systems located in India only, except in the case of cross-border transactions, where a copy of the payment data, including the domestic component, may also be stored abroad.
- Insurance Regulatory and Development Authority of India (Maintenance of Insurance Records) Regulations, 2015 – These require all insurers to maintain records of their issued policies and claims, and these records, whether maintained electronically or otherwise, are to be kept in India only.
- RBI’s PSO Master Directions 2024 – These mandate that PSOs shall prepare a Cyber Crisis Management Plan to detect, contain, respond to and recover from cyber threats and cyber-attacks, and follow the guidelines of agencies such as CERT-In.
Other than these, the IT Rules 2021 and the CERT-In Directions, discussed in the software section, also apply. For instance, the CERT-In Directions mandate that cybersecurity incidents (including data breaches) are to be reported to CERT-In within six hours of becoming aware of the incident, and a contravention of this directive attracts penal provisions. Taking its cue from CERT-In, the RBI in its PSO Master Directions 2024 has mandated that, in addition to reporting to CERT-In, incidents such as cyber-attacks, outage of critical systems or infrastructure, internal fraud, settlement delay, etc., shall also be reported to the RBI within six hours of detection.