The Privacy, Data Protection and Cybersecurity Law Review: India
In the absence of specific legislation for data protection in India, the Information Technology Act 2000 (the IT Act) and a collection of other statutes stand in for this purpose. In 2017, the Indian Supreme Court ruled that Indian citizens have a fundamental right to privacy, guaranteed primarily under Article 21 of the Indian Constitution. The Court specified that this right includes, inter alia, the right to informational privacy. In the wake of this judgment, and in order to give it meaning in the form of comprehensive legislation, a 10-member committee under the chairmanship of former Supreme Court Justice BN Srikrishna was empanelled. The Srikrishna committee published a report examining the current patchwork of relevant laws in India, studying the statutory approach to privacy and data protection in other jurisdictions and laying out detailed rationale for an improved legal framework. The report was accompanied by the draft Personal Data Protection Bill 2018.
The year in review
In December 2019, the Personal Data Protection Bill 2019 was tabled in Parliament.2 This Bill finds basis in the Srikrishna Report and the draft Personal Data Protection Bill 2018, and is modelled mainly on the GDPR. The Personal Data Protection Bill is rooted heavily in the notion of free, specific and informed consent of the individual. It envisages the formation of a data protection authority for its enforcement, places heavy fiduciary duties on data controllers and processors and, if enacted, will apply to a wide range of actors and stakeholders across various sectors. In May 2021, both houses of Parliament granted a fourth successive extension to the joint parliamentary committee to submit its report on the Bill. Parliamentary deliberation on the Bill stands adjourned sine die.
The executive scramble to mitigate the effects of the covid-19 crisis has brought various competing interests to the fore in the context of data privacy. The most conspicuous of these interests is the need for government surveillance in the form of contact tracing, large-scale testing and the maintenance of public health records (symptoms and quarantine regulation) for citizens and non-citizens across the country. India is a quasi-federal nation state. The centre and states are currently acting together through the Integrated Disease Surveillance Programme, which operates through a decentralised state-based surveillance system to monitor information flows on target diseases to compile and analyse data and organise an appropriate response. The centre has also developed and released a mobile application that relies largely on crowd-sourcing self-reported data to identify covid-19 hotspots. This collection and processing of data stands largely unregulated at this time.
On 25 February 2021, the Ministry of Electronics and Information Technology released the Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021.3 These Rules replaced the Information Technology (Intermediaries Guidelines) Rules of 2011. A press release from the government4 states that the aim is to provide ordinary users of digital platforms to seek redressal for their grievances and command accountability when their rights are infringed. The Rules, inter alia, distinguish between social media intermediaries and significant social media intermediaries based on user numbers, and place a much heavier burden on significant social media intermediaries in respect of personal data protection. For instance, all social media intermediaries are now required to have a grievance redressal mechanism for users, conduct due diligence if they wish to seek refuge under safe harbour provisions and ensure the safety and dignity of users (especially women) online. However, significant social media intermediaries must institute additional due diligence mechanisms. These include the appointment of a chief compliance officer, who must be resident in India and will be responsible for ensuring compliance with the law and a nodal contact person, who must also be resident in India and available 24/7 for coordination with law enforcement agencies. Significant social media intermediaries must also publish a monthly compliance report, which will include details of any complaints they have received and actions they have taken to address said complaints. Most provisions in these Rules came into effect immediately upon publication on 25 February. The provisions relating to due diligence for social media intermediaries specifically came into effect on 25 May 2021.
i Privacy and data protection legislation and standards
The following statutes deal with data protection and privacy in India.
The Information Technology Act (2000) and the Information Technology (Amendment) Act 2008
The Information Technology Act (2000) (the IT Act)5 contains provisions for the protection of electronic data. The IT Act penalises 'cyber contraventions' (Section 43(a)–(h)), which attract civil prosecution, and 'cyber offences' (Sections 63–74), which attract criminal action.
The IT Act was originally passed to provide legal recognition for e-commerce and sanctions for computer misuse. However, it had no express provisions regarding data security. Breaches of data security could result in the prosecution of individuals who hacked into the system, under Sections 43 and 66 of the IT Act, but the Act did not provide other remedies such as, for instance, taking action against the organisation holding the data. Accordingly, the IT (Amendment) Act 2008 was passed, which, inter alia, incorporated two new sections into the IT Act, Section 43A and Section 72A, to provide a remedy to persons who have suffered or are likely to suffer a loss on account of their personal data not having been adequately protected.
The Information Technology Rules
Under various sections of the IT Act, the government routinely gives notice of sets of Information Technology Rules (the IT Rules) to broaden its scope. These IT Rules focus on and regulate specific areas of collection, transfer and processing of data, and include, most recently, the following:
- the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules,6 which require entities holding users' sensitive personal information to maintain certain specified security standards;
- the Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021, which prohibit content of a specific nature on the internet, and govern the role of intermediaries, including social media intermediaries, in keeping personal data of their users safe online;
- the Information Technology (Guidelines for Cyber Cafe) Rules,7 which require cybercafés to register with a registration agency and maintain a log of users' identities and their internet usage; and
- the Information Technology (Electronic Service Delivery) Rules,8 which allow the government to specify that certain services, such as applications, certificates and licences, be delivered electronically.
The IT Rules are statutory law, and the four sets specified above were notified on 11 April 2011 under Section 43A of the IT Act. Any further references to the IT Rules in this chapter pertain specifically to the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, unless otherwise specified.
Penalties for non-compliance are specified by Sections 43 and 72 of the IT Act.
In addition to the legislation described above, data protection may also sometimes occur through the enforcement of property rights based on the Copyright Act (1957). Further, other legislation such as the Code of Criminal Procedure (1973), the Indian Telegraph Act 1885, the Companies Act (1956), the Competition Act (2002) and, in cases of unfair trade practices, the Consumer Protection Act (1986), would also be relevant. Finally, citizens may also make use of the common law right to privacy, at least in theory – there is no significant, recent jurisprudence on this.
Additionally, the Personal Data Protection Bill 2019 is expected to pass into law within the next year, becoming India's first and most comprehensive cross-sectoral data protection legislation.
Under Section 70B of the IT (Amendment) Act 2008, the government constituted CERT-In, which the website of the Ministry of Electronics and Information Technology refers to as the 'Indian Computer Emergency Response Team'. CERT-In is a national nodal agency responding to computer security incidents as and when they occur. The Ministry of Electronics and Information Technology specifies the functions of the agency as follows:
- collection, analysis and dissemination of information on cybersecurity incidents;
- forecast and alerts of cybersecurity incidents;
- emergency measures for handling cybersecurity incidents;
- coordination of cybersecurity incident response activities; and
- issuance of guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, prevention, response to and reporting of cybersecurity incidents.9
Cyber Regulations Appellate Tribunal (CRAT)
Under Section 48(1) of the IT Act 2000, the Ministry of Electronics and Information Technology established CRAT in October 2006. The IT (Amendment) Act 2008 renamed the tribunal Cyber Appellate Tribunal (CAT). Pursuant to the IT Act, any person aggrieved by an order made by the Controller of Certifying Authorities, or by an adjudicating officer under this Act, may prefer an appeal before the CAT. The CAT is headed by a chairperson who is appointed by the central government by notification, as provided under Section 49 of the IT Act 2000.
Before the IT (Amendment) Act 2008, the chairperson was known as the presiding officer. Provisions have been made in the amended Act for CAT to comprise of a chairperson and such a number of other members as the central government may notify or appoint.10
Current legislation does not contain a definition for 'personal data'. The IT Rules define personal information as any information that relates to a natural person that, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such a person.
Further, the IT Rules define 'sensitive personal data or information' as personal information consisting of information relating to:
- financial information, such as bank account, credit card, debit card or other payment instrument details;
- physical, physiological and mental health conditions;
- sexual orientation;
- medical records and history;
- biometric information;
- any details relating to the above clauses as provided to a body corporate for the provision of services; and
- any information received under the above clauses by a body corporate for processing, or that has been stored or processed under lawful contract or otherwise.
Provided that any information is freely available or accessible in the public domain, or furnished under the Right to Information Act 2005 or any other law for the time being in force, it shall not be regarded as sensitive personal data or information for the purposes of these rules.
The Personal Data Protection Bill 2019 defines 'personal data' as 'data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling'.
The Bill also defines 'sensitive personal data' as such personal data that may reveal, be related to, or constitute, various types of information, including but not limited to financial data, health data, official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe and religious or political belief or affiliation. The Bill clarifies that this list is not exhaustive, and that the central government may notify further categories of data as falling within the remit of sensitive personal data.
Unlike the IT Act and Rules, the Personal Data Protection Bill 2019 contains definitions for 'processing', 'data fiduciary', 'data processor', 'data principal' and 'consent'. Importantly, the Bill renames data subjects (i.e., the natural person to whom the personal data relates) as data principals, and any entity that determines the purpose and means of processing personal data is referred to as a data fiduciary. For the remainder of the chapter, references to the provisions of the Bill will retain this new nomenclature consistent with the language of the Bill. References to existing legislation will employ only terms used in the current legislation.
ii General obligations for data handlers
Obligations for data processors, controllers and handlers
Lawful basis for processing
A body corporate (or any person or entity on its behalf) cannot use data for any purpose unless it receives consent in writing from the data subject to use it for that specific purpose. Consent must be obtained before collection of the data. The IT Rules also mandate that sensitive personal information may not be collected unless it is connected to the function of the corporate entity collecting it, and then only if the collection is necessary for that function. It is the responsibility of the body corporate to ensure that the sensitive personal information thus collected is used for no other purpose than the one specified. The Personal Data Protection Bill 2019 defines 'consent' and 'explicit consent' and provides grounds, including the functions of the state, or compliance with a court order, for the lawful processing of personal data as well as sensitive personal data.
The IT Rules state that any information collected by a body corporate or a person on its behalf shall be used for the purpose for which it has been collected. The Personal Data Protection Bill 2019 prescribes that personal data be processed only for specific, clear and lawful purposes. It states that data shall be processed in a fair and reasonable manner that ensures the privacy of the data principal (the person to whom the data relates) and for the purpose consented to by the data principal. Alternatively, the purpose may be incidental to or connected with such purpose, and for which the data principal would reasonably expect that such personal data shall be used. It also limits the collection of personal data to such data that is necessary for the purposes of processing.
Section 67C of the IT Act requires that an intermediary preserve and retain information in a manner and format and for such period of time as prescribed by the central government. The Personal Data Protection Bill 2019 states that a data fiduciary may not retain personal data beyond the period necessary to satisfy the purpose for which it is processed. It also states that such data must be deleted at the end of this period. However, the Bill also allows for longer periods of retention if required by compliance with legal obligations, or if the consent of the data principal has been obtained, and prescribes periodic reviews by data fiduciaries for an ongoing assessment of the continued necessity of the retention of personal data.
India currently does not have any legislative requirements with respect to registration or notification procedures for data controllers or processors. The Personal Data Protection Bill 2019 requires that based on certain criteria, the data protection authority envisaged by the bill shall notify certain data fiduciaries as being 'significant'. Significant data fiduciaries will be required to register with the authority in a manner specified by it, and will also be subject to data protection impact assessments, data audits, etc. The Bill also states that the data protection authority may require registration by other data fiduciaries at its discretion, even if such entities are not 'significant'.
Rights of individuals
Access to data
Rule 5, Subsection 6 of the IT Rules mandates that the body corporate or any person on its behalf must permit providers of information or data subjects to review the information they may have provided. The Personal Data Protection Bill 2019 teases out this right in more detail, providing the option for the data principal to obtain from the data fiduciary in a clear and concise manner, confirmation of whether its personal data is being (or has been) processed and a brief summary of processing activities. The Bill states that the data principal shall also have the right to access in one place the identities of the data fiduciaries with whom their personal data has been shared, along with the categories of such personal data.
Correction and deletion
Rule 5, Subsection 6 of the IT Rules states that data subjects must be allowed access to the data provided by them and to ensure that any information found to be inaccurate or deficient shall be corrected or amended as feasible. Although the Rules do not directly address deletion of data, they state in Rule 5, Subsection 1 that corporate entities or persons representing them must obtain written consent from data subjects regarding the usage of the sensitive information they provide. Further, data subjects must be provided with the option not to provide the data or information sought to be collected.
The Personal Data Protection Bill 2019 provides data principals with the right to correction and erasure of personal data. However, such correction or erasure is subject to the agreement of the data fiduciary. If there is a dispute between the two entities in this regard, the data principal may require the data fiduciary to indicate alongside the relevant personal data that it has been disputed by the data principal.
Objection to processing and marketing
Rule 5 of the IT Rules states that the data subject or provider of information shall have the option to later withdraw consent that may have been given to the corporate entity previously, and the withdrawal of consent must be stated in writing to the body corporate. On withdrawal of consent, the corporate body is prohibited from processing the personal information in question. In the case of the data subject not providing consent, or later withdrawing consent, the corporate body shall have the option not to provide the goods or services for which the information was sought.
The Personal Data Protection Bill 2019 also envisages the right to be forgotten, in that it provides for the data principal's right to restrict or prevent continuing disclosure of personal data by the data fiduciary. However, this right may only be enforced by order of an Adjudicating Officer.
The Supreme Court of India has also identified and clarified that citizens have the right to be forgotten, which exists in physical and virtual spaces such as the internet, under the umbrella of informational privacy.
Right to restrict processing
As mentioned above, the Personal Data protection Bill 2019 provides for a data principal's right to restrict or prevent continuing disclosure of personal data by the data fiduciary, but only if the data protection authority, through an adjudicating officer, determines that any of the listed grounds for restriction or prevention of disclosure have been found.
Right to data portability
The IT Act and Rules do not contain provisions relevant to data portability. However, the Personal Data protection Bill 2019 provides data principals with this right where processing has been performed through automated means. Subject to certain restrictions, the data principal shall have the right to receive in a structured, commonly used and machine-readable format, any personal data provided to the data fiduciary, the data that has been generated in the course of provision of services or use of goods by such fiduciary, or the data that forms part of the profile on the data principal, or that the data fiduciary has otherwise obtained.
Right to withdraw consent
The Personal Data Protection Bill 2019 envisages the right to withdraw consent, having regard to whether the ease of such withdrawal is comparable to the ease with which consent may be given.
Disclosure of data
Data subjects also possess rights with respect to disclosure of the information they provide. Disclosure of sensitive personal information requires the provider's prior permission unless either disclosure has already been agreed to in the contract between the data subject and the data controller; or disclosure is necessary for compliance with a legal obligation.
The exceptions to this rule are if an order under law has been made, or if a disclosure must be made to government agencies mandated under the law to obtain information for the purposes of verification of identity; prevention, detection and investigation of crime; or prosecution or punishment of offences.
Recipients of this sensitive personal information are prohibited from further disclosing the information.
Right to complain to the relevant data protection authority
Rule 5, subsection 9 of the IT Rules mandates that all discrepancies or grievances reported to data controllers must be addressed in a timely manner. Corporate entities must designate grievance officers for this purpose, and the names and details of said officers must be published on the website of the body corporate. The grievance officer must redress respective grievances within a month from the date of receipt of said grievances.
The new Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021 require the appointment of a grievance redressal officer by all intermediaries, including social media intermediaries. The Rules also require that grievance redressal mechanisms be available to all users of social media intermediaries and be prominently published. Finally, the Rules prescribe specific timelines within which relevant action must be taken.
The Personal Data Protection Bill 2019 states that the data fiduciary must provide all data principals with clear information on the procedure for grievance redressal under the Bill. Under the Bill, a data principal may make a complaint of contravention of any provision of the Bill to the data protection officer (in the case of a significant data fiduciary) or any other officer designated for this purpose (in the case of any other data fiduciary). Should such officer fail to resolve the complaint expeditiously and within 30 days of receipt of the complaint, the data principal may file a complaint with the data protection authority.
iii Specific regulatory areas
Public Financial Institutions (Obligation as to Fidelity and Secrecy) Act 198311
Under this Act, public financial institutions are prohibited from divulging any information relating to the affairs of their clients except in accordance with laws of practice and usage.
The Prevention of Money Laundering Act 200212
The Prevention of Money Laundering Act (PMLA) was passed in an attempt to curb money laundering and prescribes measures to monitor banking customers and their business relations, financial transactions, verification of new customers, and automatic tracking of suspicious transactions. The PMLA makes it mandatory for banking companies, financial institutions and intermediaries to furnish to the Director of the Financial Intelligence Unit (under the PMLA) information relating to prescribed transactions, and which can also be shared, in the public interest, with other government institutions or foreign countries for enforcement of the provisions of the PMLA or through exchanges of information to prevent any offence under the PMLA.
Credit Information Companies (Regulation) Act 2005 and The Credit Information Companies Regulations 200613
This legislation is essentially aimed at regulation of sharing and exchanging credit information by credit agencies with third parties. Disclosure of data received by a credit agency is prohibited, except in the case of its specified user and unless required by any law in force.
The regulations prescribe that the data collected must be adequate, relevant, and not excessive, up to date and complete, so that the collection does not intrude to an unreasonable extent on the personal affairs of the individual. The information collected and disseminated is retained for a period of seven years in the case of individuals. Information relating to criminal offences is maintained permanently while information relating to civil offences is retained for seven years from the first reporting of the offence. In fact, the regulations also prescribe that personal information that has become irrelevant may be destroyed, erased or made anonymous.
Credit information companies are required to obtain informed consent from individuals and entities before collecting their information. For the purpose of redressal, a complaint can be written to the Reserve Bank of India.
Payment and Settlement Systems Act 200714
Under this Act, the Reserve Bank of India (RBI) is empowered to act as the overseeing authority for regulation and supervision of payment systems in India. The RBI is prohibited from disclosing the existence or contents of any document or any part of any information given to it by a system participant.
Foreign Contribution Regulation Act 201015
This Act is aimed at regulating and prohibiting the acceptance and utilisation of foreign contributions or foreign hospitality by certain individuals, associations or companies for any activities detrimental to the national interest and, under the Act, the government is empowered to call for otherwise confidential financial information relating to foreign contributions of individuals and companies.
In the present scenario, employers are required to adopt security practices to protect sensitive personal data of employees in their possession, such as medical records, financial records and biometric information. In the event of a loss to an employee due to lack of adequate security practices, the employee would be entitled to compensation under Section 43A of the Information Technology Act 2000. Other than this piece of legislation, there is no specific legislation governing workplace privacy, although, in relation to the workplace, the effect of the Supreme Court judgment on privacy as a fundamental right remains to be seen.
Section 74 of the Juvenile Justice (Care and Protection of Children) Act 2015 mandates that the name, address or school, or any other particular, that may lead to the identification of a child in conflict with the law or a child in need of care and protection or a child victim or witness of a crime shall not be disclosed in the media unless the disclosure or publication is in the child's best interest. The Personal Data Protection Bill 2019 provides for the protection of personal and sensitive data of children by requiring consent of a parent or guardian and imposing various restrictions on data fiduciaries processing such data.
Health and medical privacy
Under the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations 2002 (Code of Ethics Regulations 2002)16 regulations, physicians are obliged to protect the confidentiality of patients during all stages of procedures, including information relating to their personal and domestic lives unless the law mandates otherwise or there is a serious and identifiable risk to a specific person or community of a notifiable disease.
Medical Termination of Pregnancy Act 1971
This Act prohibits the disclosure of matters relating to treatment for termination of pregnancy to anyone other than the Chief Medical Officer of the state. The register of women who have terminated their pregnancy, as maintained by the hospital, must be destroyed on the expiry of a period of five years from the date of the final entry.
Ethical Guidelines for Biomedical Research on Human Subjects
These Guidelines require investigators to maintain confidentiality of epidemiological data. Data of individual participants can be disclosed in a court of law under the orders of the presiding judge if there is a threat to a person's life, allowing communication to the drug registration authority in cases of severe adverse reaction and communication to the health authority if there is risk to public health.
iv Technological innovation and privacy law
There are no marketing restrictions on the internet or through email. Because India has no comprehensive data protection regime, issues such as cookie consent have not yet been addressed by Indian legislation. The Personal Data Protection Bill 2019 does prohibit data fiduciaries from profiling, tracking or behaviourally monitoring, or generating targeted advertising at children.
The IT Rules provide reasonable security practices to follow as statutory security procedures for corporate entities that collect, handle and process data, and these also apply to the use of big data. Unfortunately, no specific guidelines exist for the use of big data and big-data analytics in India.
International data transfer and data localisation
India is not yet a member of the Asia-Pacific Economic Cooperation (APEC), and its inclusion on the forum has so far been limited to observer status. APEC rules therefore do not apply in the Indian jurisdiction thus far.
In terms of restrictions on transfer of data, Section 7 of the IT Rules states that bodies corporate can transfer sensitive personal data to any other body corporate or person within or outside India, provided the transferee ensures the same level of data protection that the body corporate maintained, as required by the IT Rules. A data transfer is only allowed if it is required for the performance of a lawful contract between the data controller and the data subjects; or the data subjects have consented to the transfer.
As worded, Section 7 of the IT Rules is already rather restrictive. However, in some ways this is no different from EU data protection legislation, which restricts transfers of personal data outside the EU unless certain measures are taken, such as requiring the data importer to sign up to EU Model Contract Clauses. In addition, the Ministry of Information Technology clarified via a press note released on 24 August 2011 that the rules on sensitive data transfer described above are limited in jurisdiction to Indian bodies corporate and legal entities or persons, and do not apply to bodies corporate or legal entities abroad. As such, information technology industries and business process outsourcing companies may subscribe to whichever secure methods of data transfer they prefer, provided that the transfer in question does not violate any law either in India or in the country the data are being transferred to. Presumably litigation in this sector – so far non-existent – will further clarify matters.
In general, data protection laws in India apply to businesses established in other jurisdictions as well. Section 75 of the IT Act states that the provisions of the Act would apply to any offence or contravention thereunder committed outside India by any person (including companies), irrespective of his or her nationality, if the act or conduct constituting the offence or contravention involves a computer, computer system or computer network located in India.
The draft Personal Data Protection Bill 2019 states that, subject to various conditions, including the transfer being made pursuant to a contract or intra-group scheme approval (which makes provisions for protection of the data principal and liability of the data fiduciary), or the approval of the central government, sensitive personal data may be transferred outside India. However, a copy of such data must continue to be stored in India.
Company policies and practices
The general obligations for data handlers elaborated above apply to all companies handling data, and their policies must reflect as much. In addition, the IT Rules contain specific legislation to deal with best practices, particularly in the context of breach and security.
Rule 8 of the IT Rules describes reasonable security practices and procedures as follows:
1. A body corporate or a person on its behalf shall be considered to have complied with reasonable security practices and procedures, if they have implemented such security practices and standards and have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business. In the event of an information security breach, the body corporate or a person on its behalf shall be required to demonstrate, as and when called upon to do so by the agency mandated under the law, that they have implemented security control measures as per their documented information security programme and information security policies.
2. The international standard IS/ISO/IEC 27001 on 'Information Technology – Security Techniques – Information Security Management System – Requirements' is one such standard referred to in sub-rule (1).
3. Any industry association or an entity formed by such an association, whose members are self-regulating by following other than IS/ISO/IEC codes of best practices for data protection as per sub-rule (1), shall get its codes of best practices duly approved and notified by the Central Government for effective implementation.
4. The body corporate or a person on its behalf who have implemented either IS/ISO/IEC 27001 standard or the codes of best practices for data protection as approved and notified under sub-rule (3) shall be deemed to have complied with reasonable security practices and procedures provided that such standard or the codes of best practices have been certified or audited on a regular basis by entities through independent auditor, duly approved by the Central Government. The audit of reasonable security practices and procedures shall be carried out by an auditor at least once a year or as and when the body corporate or a person on its behalf undertake significant upgradation of its process and computer resources.
There are no statutory registration or notification requirements for either data processors or data controllers. The Personal Data Protection Bill 2019 provides for various transparency and accountability measures to which the data fiduciary shall be subject. For instance, every data fiduciary uder the Bill shall prepare a privacy by design policy, take any steps necessary to maintain transparency in personal data processing, implement necessary security safeguards, report breaches of personal data to the data protection authority, conduct impact assessments when it contemplates the use of new technology or large-scale profiling and have in place effective procedures and grievance redressal mechanisms for data principals. In addition, if notified by the data protection authority as a significant data fiduciary, such entity must register with the authority, appoint a data processing officer with relevant qualifications and suitable experience, conduct annual audits of its policies and processing and maintain records of its activities, security measures, impact assessments and other aspects of data processing.
Discovery and disclosure
If requests from foreign companies are based on an order from a court of law, and if the country in question has a reciprocal arrangement with India, then an Indian court is likely to enforce the request in India. In the absence of a court order, however, no obligation exists against an Indian company to make any kind of disclosure.
In a Ministry of Communications and Information Technology press release, the government clarified that any Indian outsourcing service provider or organisation providing services relating to collection, storage, dealing or handling of sensitive personal information or personal information under contractual obligations with a legal entity located within or outside India is not subject to the IT Rules requirements with respect to disclosure of information or consent, provided it does not have direct contact with the data subjects when providing services.
Public and private enforcement
i Enforcement agencies
In addition to the security practices and policies outlined in Section V, the Personal Data Protection Bill 2019 envisages the creation of a data protection authority for the enforcement of data protection legislation and to oversee compliance with it. The Bill will likely become the principal data protection legislation if enacted, and in that event, provisions pertaining to the security of personal data that state specifically that every data fiduciary must set appropriate technological, organisational and physical standards for the security of data under its control will also come into force.
ii Recent enforcement cases
As is evident from the above, India has no distinct legislative framework to support litigation in the areas of privacy, cybersecurity and data protection. There has been no significant litigation in this area in the recent past. With the passage of the Personal Data Protection Bill 2019 into law, perhaps a clearer definition of rights will emerge in this sector and the enforcement of rights will become both more active and more stringent.
iii Private litigation
A number of writ petitions have been filed against the new Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021 before different High Courts by several entities that would be considered either social media intermediaries or significant social media intermediaries under the Rules. LiveLaw Media Private Limited and Other v. Union of India and Others WP(C) 6272/2021 is one of four cases which the Union of India has petitioned the Supreme Court to have transferred before itself from various High Courts. In LiveLaw Media, the High Court of Kerala has already passed a restraining order against the Indian government, restraining the government from taking coercive action against the petitioners for non-compliance with provisions of the new Rules. The Supreme Court did not stay this order, despite listing the transfer petition for hearing.
In another instance, the Bombay High Court, vide an order dated 14 August 2021 passed in Agij Promotion of Nineteenonea Media Pvt Ltd & Others v. Union of India and Others WP (L) 14172 of 2021, has stayed the operation of Rules 9(1) and 9(3) of the new Rules. Rules 9(1) and 9(3) require publishers of news and curated content to adhere to a Code of Ethics, including norms of journalistic conduct, and prescribe a three-tiered structure of regulation.
All these cases are currently sub judice.
Considerations for foreign organisations
Unfortunately, Indian jurisprudence does not touch upon compliance requirements for organisations functioning outside India (see Section IV).
Cybersecurity and data breaches
See Sections V and VI for information on breaches and breach reporting requirements. In addition to the information given in those sections, it is pertinent to note that in the context of a legal requirement to report data breaches to individuals, while the law as it is contains no such provision, the Personal Data Protection Bill 2019 does. According to the Bill, on the report of a breach by the data fiduciary to the data protection authority as mandated, the authority shall determine whether or not the data fiduciary must also notify the data principal in question. This decision will depend on the severity of the harm caused to the data principal and the action required by the data fiduciary to mitigate such harm.
The several agencies performing cybersecurity operations in India, such as the National Technical Research Organisation, the National Intelligence Grid and the National Information Board, require robust policy and legislative and infrastructural support from the Ministry of Electronics and Information Technology, and from the courts, to enable them to do their jobs properly. The Personal Data Protection Bill 2019, as tabled in parliament, is a comprehensive framework for data protection in India. Notwithstanding concerns that the Bill does not perfectly balance the privacy of citizens with the need for occasional government intervention, the Bill, once it is passed into law, is likely to function as a much more effective means of data protection (and the protection of allied interests, such as free speech) than existing legislation.
1 Aditi Subramaniam is an associate principal and Sanuj Das is a managing associate at Subramaniam & Associates.