India: Privacy

Key statutes, regulations and adopted international standards

Key statutes and regulations

Privacy has been a continuously evolving concept in India, both legally and practically, and has been subject to increasing judicial scrutiny over time. The Supreme Court of India has come a long way from its earlier opinions in the 1950s to 1960s to its historic 2017 judgment in the case of Justice K S Puttaswamy (Retd.) v. Union of India and Ors.,[1] upholding the right to privacy as a fundamental right. In its judgment, the Court also recognised informational privacy as a facet of the right to privacy and recommended that the Indian government come up with a robust data protection regime.

While dedicated legislation titled the Personal Data Protection Bill (the PDP Bill) had been tabled in parliament – and went through several revisions, including a change in scope and title to the Data Protection Bill (the DP Bill) – it was recently withdrawn in its entirety. As of now, India does not have stand-alone, dedicated privacy or data protection legislation, although it can be expected in the near future. Without the definitive boundaries and judicial interpretations of an overarching data protection law, the patchwork of regulations that currently govern and impact privacy and data protection in India therefore suffer from serious gaps, and these regulatory gaps can – and often do – become vulnerable to arbitrary enforcement and state overreach. While we have not gone into detail about the PDP Bill’s specific provisions given its recent withdrawal, we have touched on the PDP Bill and the DP Bill at various points in this chapter to give readers an idea of what to expect from a potential legislative framework for privacy in India.

For now, facets of data protection are governed by the Information Technology Act 2000 (the IT Act) and the rules framed thereunder, particularly, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (the SPDI Rules). The IT Act is umbrella legislation covering several matters relating to IT activities, data protection, cybercrimes, cybersecurity, etc. The SPDI Rules, more specifically, are the key Indian regulation currently dealing with personal data; they govern the collection, processing, disclosure, retention, transfer and security of sensitive personal data or information (SPDI), which has been defined under the SPDI Rules (scope discussed in subsequent sections of this chapter).

Other significant sets of rules and regulations framed under the IT Act that may have a bearing on data protection and privacy are:

  • the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 (the Intermediary Rules 2021); and
  • cybersecurity directions issued by the Indian Computer Emergency Response Team (CERT-In; CERT-In Directions), applicable to service providers, intermediaries, companies, firms and government organisations and specifying various ‘cybersecurity directions’ that are required to be mandatorily reported to CERT-In.

In addition to the above, several sector-specific regulations detailed below carry provisions regarding privacy, data protection and cybersecurity as well.

  • Finance and banking: The Reserve Bank of India (the RBI, India’s central bank and regulator) released a Directive (RBI/2017-18/153) on Storage of Payment System Data, which mandates that data relating to payment systems operated by payment service providers be stored in India. The RBI also released the Guidelines on Regulation of Payment Aggregators and Payment Gateways in 2020, wherein it seeks to restrict payment aggregators that facilitate payments in the online space from storing customer card credentials (eg, card number, CVV, expiry date). Merchant sites are also prevented from saving complete customer card and related data other than in tokenised form.
  • Securities and exchange: The Securities and Exchange Board of India (SEBI) has also issued circulars on cybersecurity in the securities and exchanges space (eg, the Cyber Security Resilience framework for Stockbrokers/Depository Participants, and the Cyber Security Resilience framework for Mutual Funds/Asset Management Companies, which may be pertinent.
  • Insurance: The Insurance Regulatory and Development Authority of India (IRDAI) has prescribed an additional framework for the protection of policyholder information and data, which must be followed in addition to the general framework under the IT Act. These include:
    • IRDAI (Maintenance of Insurance Records) Regulations 2015, wherein the insurers shall ensure that the data collected is kept in data centres that are maintained and located in India;
    • IRDAI (Health Insurance Regulations) 2016, which mandate that third-party administrators and network providers (like hospitals) comply with data-related matters and settlement of claims through electronic means as per the guidelines prescribed by the IRDAI;
    • Insurance Regulatory and Development Authority of India (Third Party Administrators – Health Services) Regulations 2016, which restrict the sharing of policy and claims-related data and personal information; and cases where government data is involved;
    • IRDAI (Protection of Policyholders’ Interests) Regulations 2017, which mandates that insurers maintain total confidentiality regarding policyholder information, unless the law requires disclosure; and
    • IRDAI (Outsourcing of Activities by Indian Insurers) Regulations 2017, which imposes a duty on the insurer to ensure that data or information given to any outsourcing service provider remains confidential and, in the case of termination of services of the outsourcing service provider, the customer data is retrieved from the service provider, to ensure there is no further use of the customer data by the service provider.

National and international standards

The Bureau of Indian Standards (BIS), India’s national standards body, issued new standards for data privacy, IS 17428[2] in 2020, to provide a privacy assurance framework for organisations to establish, implement, maintain and continually improve their data privacy management system. The standards have two parts – one is the requirement of engineering design and information management and the other is guidelines that provide detailed practices that aid in implementing the requirements. As at the time of writing, these standards have to be read with the SPDI Rules to develop secure privacy practices. Additionally, the SPDI Rules also expressly include the International Standard (IS/ISO/IEC 27001) as an appropriate standard for ensuring best practices for data security.

Regulatory bodies and their powers

In the absence of comprehensive legislation, India lacks a dedicated privacy or data protection authority. At the moment, therefore, several regulators, bodies and forums may possess varying degrees of power in framing and enforcing privacy-related obligations, as detailed below.

  • The Ministry of Electronics and Information Technology is generally in charge of enforcing the IT Act and issuing rules and other clarifications thereunder.
  • The IT Act establishes certain regulatory and enforcement positions (called adjudicating officers) to ensure compliance and adjudicate violations of its provisions. The adjudicating officers appointed under the IT Act are deemed to have powers of the civil courts in India and can also order compensation to data subjects against failure to protect sensitive personal data or information by bodies corporate.
  • The IT Act also establishes an appellate authority (the Telecom Disputes Settlement and Appellate Tribunal) to which any order issued by the adjudicating officers may be appealed.
  • The IT Act also establishes CERT-In as a national agency for incident response in the area of cybersecurity.
  • Sectoral enforcers including RBI, SEBI and IRDAI, namely, the agencies responsible for framing and enforcing the respective sectoral laws and rules.
  • Courts of law.

The DP Bill envisaged the establishment of a dedicated data protection authority, and it is reasonable to expect that any future legislation in the field will include a similar authority.

Effect of local laws on foreign businesses

Territorial extent

While the IT Act may be applicable to foreign entities doing business in India, its application on foreign business operations remains a grey area. The IT Act contemplates limited extraterritorial jurisdiction to the extent that it is applicable to any offence or contravention committed outside India by any person irrespective of their nationality, wherein the act involves a computer, computer system or computer network located in India. Furthermore, the SPDI Rules are applicable to bodies corporate, which are simply defined as ‘any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities’.

The DP Bill proposed a broader application and also sought to include any data fiduciary or processor outside India that handles personal data in connection with business conducted in India. It is likely that a similar provision would be added in any future legislation as well.

Data localisation

Under the IT Act or the Rules thereunder

The recent CERT-In Directions mandate data storage in India. All service providers, intermediaries, data centres, bodies corporate and government organisations must mandatorily enable logs of all their ICT systems and maintain them securely for a rolling period of 180 days within the Indian jurisdiction.

The CERT-In Directions have specific mandates for data centres, virtual private server (VPS) providers, cloud service providers and virtual private network service (VPN service) providers, who are required to keep accurate information records for five years or longer as required by law. The records relate to name of the customer; period of hire including dates; IPs allotted; email address; IP address; time stamp of registration; purpose of hiring; validated address and contact number; and ownership pattern of customer, and may be required to be preserved even after a customer has cancelled their subscription. Self-evidently, this appears to go against both data minimisation and purpose limitation, especially considering that providers may also be required to hand over customer data in the event of cyber incidents.

Further, virtual asset service providers, virtual asset exchange providers and custodian wallet providers shall mandatorily maintain all information obtained as part of Know Your Customer (KYC) and records of financial transactions for five years. The KYC details include SPDI of customers.

Under sectoral laws

RBI’s directive on Storage of Payment System Data (RBI/2017-18/153) provides that payments data that includes customer data (such as name, mobile number, address and PAN), bank account details, payment credentials (such as PIN, passwords and one-time pins) and transaction data (such as reference number, amount and timestamp) all have to be stored in India. It is possible that a payment transaction is processed outside India, but the RBI mandates that data be deleted from foreign systems and ‘brought back’ to India within 24 hours. Similar requirements for data storage are also applicable in the insurance sector under the IRDAI (Maintenance of Insurance Records) Regulations 2015. These regulations apply to all insurers.

The DP Bill envisaged some data localisation requirements for certain categories of data (which categorisation itself was introduced in the PDP/DP Bill), like sensitive personal data and critical personal data.

Core principles

Types of data

The SPDI Rules define ‘personal information’ as any information that relates to a natural person and that, directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying a ‘natural person’.[3] The repeated and express reference to ‘natural person’ in this definition makes it clear that data or information belonging to legal persons such as companies may not be considered as personal information within the regulations.

The SPDI Rules, as the title suggests, mostly cater to a subset of ‘personal data or information’ – sensitive personal data or information – that includes passwords; financial information (bank account and credit card details, etc); health conditions and medical records; sexual orientation; biometric information; and any other details relating to the preceding (unless the information is freely available or accessible in the public domain). The SPDI is understandably subject to a higher degree of care and protection and is thus currently regulated stringently. It has yet to be seen how other kinds of personal data or information, including non-personal data or information, are treated once dedicated legislation comes about.

The DP Bill kept some of the current classifications, but also went a step further and introduced a third category of data within its scope, in addition to personal data and sensitive personal data: ‘critical personal data’. While both ‘personal data’ and ‘sensitive personal data’ were defined in the DP Bill, ‘critical personal data’ (which would entail the strictest obligations in terms of data localisation and other factors) was a wildcard category that was not exhaustively defined. Any personal data may be notified as critical personal data by the Indian government. The amended DP Bill added another limb by introducing non-personal data (including anonymised personal data) as a fourth type of data within its scope. It remains to be seen how this categorisation is carried over to any new legislative framework that India may adopt.

Collection, handling and processing of personal data

The SPDI Rules provide information on the collection, processing, use, retention, etc, of the SPDI – as mentioned before, there are currently no robust legislation or regulations governing the collection, handling or processing of other categories of data, including personal data.

Collection of SPDI

The SPDI Rules mandate that the collector (the body corporate or any person on its behalf) of the SPDI must obtain consent in writing from the provider of the SPDI. The SPDI can only be collected for a lawful purpose connected with a function or activity of the collector, and collection of SPDI is necessary for that purpose. The collector must ensure that the provider of the SPDI has knowledge of the fact that information is being collected; purpose of collection; intended recipients of the information; and the name and address of the agency collecting or retaining the information.

The SPDI Rules mandate that the information secured by a body corporate or collector of information is kept secure per the reasonable security practices and procedures, including IS/ISO/IEC 27001 on Information Technology – Security Techniques - Information Security Management System – Requirements, which is expressly referenced in the SPDI Rules. The SPDI Rules further state that a body corporate shall be deemed to have complied with reasonable security practices and procedures provided that the standard or the codes of practices implemented have been certified or audited on a regular basis by entities, through an independent auditor duly approved by the central government.

Retention of SPDI

The collector cannot retain the information for longer than is required for the purposes for which the information may lawfully be used or is otherwise required under any other law in force.

Disclosure of SPDI

Any disclosure of the SPDI to a third party can only be done with the prior permission of the provider of the information, unless the disclosure has been agreed to in a contract between the collector and provider, or where the disclosure is necessary under a legal obligation. Disclosures may be made without prior permission from the provider of the SPDI to government agencies mandated under the law to obtain information including SPDI for the purpose of verification of identity, or for prevention, detection, investigation, prosecution and punishment of offences (including cyber incidents). Towards this, the concerned government agency may send a request in writing to the body corporate possessing the sensitive personal data or information clearly stating the purpose of seeking such information and also agreeing to not publish or disclose it further.

Under the Intermediary Rules 2021, there is a mandate for an intermediary to comply with an order from the authorised government agency for information for the purposes of identity verification, etc. It might thus be helpful for a body corporate to assess if it qualifies as an intermediary under the applicable laws in India, and whether there are any safe harbour provisions applicable to it that might impact regulatory requirements.

Transfer of SPDI

Currently, there is no blanket prohibition on the transfer of personal data within or outside India, provided certain conditions are met. The conditions include obtaining the data subject’s consent, or having an underlying contract with the data subject that necessitates such a transfer; and the transferee ensuring the same degree of data protection as the transferor. Sectoral laws may also have some bearing on the transfer of data; for example, the IRDAI restricts the sharing of policy and claims-related data and personal information.

Any upcoming privacy or data legislation is likely to continue allowing cross-border flow of data but with more checks and balances.

Publication of privacy policy

Bodies corporate collecting, receiving, possessing, storing, dealing or handling the information of data subjects must have a policy for handling of or dealing in personal information including SPDI, and also ensure that the same is available for viewing by data subjects by way of publication on their website. The privacy policy should include clear and accessible statements of the body corporate’s practices and policies; types of personal information or SPDI collected; purpose of collection and usage of such information; disclosure of information including SPDI and reasonable security practices and procedures implemented by the body corporate.

Appointment of a grievance officer

Bodies corporate are required to address any discrepancies and grievances of the data subjects with respect to the processing of information in a time-bound manner, for which, they are required to designate a grievance officer whose name and contact details must be published on the former’s website.

Penalties

Penalties for non-compliance with data protection laws are currently governed under the IT Act. These include compensation for failure to protect SPDI by a collector; if the collector fails to implement or maintain reasonable security practices and procedures and in doing so causes wrongful loss or gain to anyone, it will be liable to compensate the affected person.

The IT Act also penalises wrongful disclosure of information (ie, without the consent of the person concerned) in breach of a lawful contract, by providing for imprisonment up to three years or a fine up to 500,000 rupees.

The DP Bill had proposed its own set of penalties for contraventions – with penalties up to 150 million rupees or 4 per cent of the total worldwide turnover of the preceding financial year on data fiduciaries, in line with similar provisions across data protection frameworks in other jurisdictions. It is likely that the position on such penalties carries over to any subsequent law India adopts in this sector as well, although it remains to be seen what form the penalties ultimately take.

Individuals’ rights

The rights of individuals or data subjects are primarily governed by the IT Act and the SPDI Rules.

The DP Bill provided that a significant data fiduciary must appoint a data protection officer who must be based in India. Similar requirements may be carried forward in any new legislation as well.

Right to review and seek correction or amendment

The data subject has the right to seek review of the information provided by them to the collector at any time. If the data is found to be incorrect or deficient, the data subject has the right to seek correction or amendment of the same. Having said that, there is no obligation on the collector of data to ensure the authenticity of the personal information supplied by the provider of the information.

Right to not provide information and withdraw consent

The collector must provide the data subject with an option to not provide the information sought to be collected. Further, at any time while availing the services or otherwise, the data subject has an option to withdraw its consent (in writing). In turn, the collector has the option to not provide goods or services for which the information was sought.

Right to compensation

As discussed above, a data subject has the right to compensation in the case of a collector’s failure to protect the SPDI, and also for wrongful disclosure of information.

Procedure for and consequences of data protection breaches

Definition of data breach or cybersecurity incident

There is currently no formal definition of ‘data breach’, but the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules 2013 define a ‘cybersecurity incident’ as ‘any real or suspected adverse event in relation to cybersecurity that violates an explicit or implied security policy resulting in unauthorised access, denial of service or disruption, unauthorised use of a computer resource for processing or storage of information or changes to data, information without authorisation’.[4]

Until early 2022, the regime for reporting of data protection breaches was fairly vague and the availability of requisite information with the service providers and companies was a challenge. The situation has now changed with the CERT-In Directions. As discussed above, CERT-In is the nodal agency for reporting and dealing with cybersecurity incidents in India, including data breaches. The CERT-In Directions now mandate that any service provider, intermediary, data centre, body corporate and government organisation, as well as VPS providers, cloud service providers, VPN service providers, virtual asset service providers, virtual asset exchange providers and custodian wallet providers, shall mandatorily report cyber incidents, including data breaches, to CERT-In within six hours of noticing such incidents or being brought to notice about such incidents. The types of cybersecurity incidents to be mandatorily reported include not only data breaches and data leaks but also include compromise of critical systems or information; identity theft; spoofing and phishing attacks; unauthorised access to social media accounts; malicious code attacks such as spreading of virus, worm, Trojan, bots, spyware, ransomware, cryptominers, etc.

Failure to report cybersecurity incidents or non-compliance with the CERT-In Directions may invite punitive action of imprisonment for a term that may extend to one year or with a fine that may extend to 100,000 rupees.

Surveillance laws

Surveillance of communication is primarily governed by two laws: the Telegraph Act 1885 and the IT Act. The Telegraph Act deals with interception of calls while the IT Act deals with surveillance of all electronic communication.

The Telegraph Act gives the government the power to intercept, detain and prevent transmission of calls. The IT Act gives the government the power to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information generated, transmitted, received or stored in any computer resource.

The Acts above restrict the power to certain conditions, for example, interest of the sovereignty or integrity of India, defence of India, security of the state, friendly relations with foreign states or public order or for preventing incitement to the commission of any cognisable offence relating to the above or for investigation of any offence. The latter considerations are quite open-ended, leading to arbitrary enforcement of these provisions.

Proposed changes in the current regime

The Indian government recently released a draft Indian Telecommunication Bill 2022, which seeks to replace the Telegraph Act. The Bill now seeks to regulate telecommunication services through modern age technologies such as over-the-top (OTT) communication services (eg, WhatsApp, Facebook, Facetime and Zoom), internet-based communications services, inflight and maritime connectivity services, and so on. According to the proposed law, all telecommunications service providers will now be required to obtain a licence from the government to operate in India. This will put these services on a par with the licence requirement of traditional telecom operators. Concerning surveillance, the bill carries forward the provisions of the Telegraph Act, allowing interception, detention and prevention of transmission. The Bill allows for an even more liberal and arbitrary application of these restrictions by allowing their use in the event of a public emergency and in the interest of public safety, both of which are undefined terms. It will be interesting to see how this Bill will affect those telecommunications services that use the end-to-end encryption format (for example, WhatsApp). The Bill gives a good idea of the Indian government’s intention to cover and regulate all such services in the country.

Communications and marketing

Marketing and commercial communication to customers in India is governed by the Telecom Commercial Communications Customer Preference Regulations 2018[5] and is regulated by the Telecom Regulatory Authority of India. The purpose of the regulations is to curb unsolicited commercial communications.

The regulations define ‘commercial communication’ as any voice call or message using telecommunication services for informing, advertising or soliciting business for goods or services or supplier of goods or services, business or investment opportunity or provider or prospective prover of such opportunity. ‘Unsolicited commercial communication’, excluding certain exceptions, is defined to mean any commercial communication that is neither as per the consent nor as per the registered preference of the recipient.

Consent is key under these regulations. For any commercial communication, there should be a voluntary permission given by the customer to the sender to receive commercial communication related to a specific purpose, product or service (eg, healthcare, entertainment, hospitality, etc). It is important to note that consent includes ‘inferred consent’, which can be reasonably inferred from the customer’s conduct or the relationship between the recipient and the sender.

Proposed changes in the current regime

The draft Telecommunication Bill 2022 also seeks to regulate and protect users and consumers from unsolicited communication and seeks to give the users the right to control the communication. The Bill states that the government can prescribe measures for the protection of users by:

  • mandating the prior consent of users for certain messages;
  • introducing a ‘do not disturb’ register to ensure users do not receive certain messages without prior consent; and
  • enable users to report messages in contravention of the said provision.

The Bill also provides that the identity of a person using telecommunication services shall be available to the user receiving the message. The Bill has penal provisions to ensure compliance with its provisions.

Recent trends and updates

Data protection and privacy have recently become major points of debate in India, in the legal sector as well as in civil society – especially as the ruling government continues to table and notify multiple regulations that involve no prior discussion with stakeholders or technical experts, and that have significant privacy and surveillance implications. Many of these draft regulations receive significant criticism and are subsequently clarified, revised or withdrawn entirely.

Issues relating to privacy have cropped up across sectors such as healthcare and hospitality. For instance, the Indian government issues a unique identity called ‘Aadhaar’ to residents of India, similar to a social security number. To get an Aadhaar card, a person needs to share their demographic details (name, date of birth, gender, address, mobile number and email) and biometric information (10 fingerprints, iris scans and facial photograph). Naturally, the government is a repository of this huge information database (over 1.3 billion Aadhaar cards have been issued to date) and there have been widespread concerns over its implications on right to privacy and data safety. There has been a push from the authorities to link Aadhaar with bank accounts, voter IDs, etc, and use it for many other government schemes, raising further fears for data privacy. In fact, there have already been numerous reports of data breaches linked to Aadhaar – mostly prior to the issuance of the CERT-In Directions, which are now applicable to government organisations as well. Although the issue of Aadhaar and privacy has ostensibly been settled by the courts in India, it will be interesting to see how the landscape evolves with the developments in privacy law.


Notes

Unlock unlimited access to all Global Data Review content