Data Advocacy for India

At present, the Information Technology Act, 2000 (the Act) and rules notified thereunder largely govern data protection in India.

On August 24, 2017, a Constitutional Bench of nine judges of the Supreme Court of India in Justice K.S.Puttaswamy (Retd.) v. Union of India [Writ Petition No. 494/ 2012] upheld that privacy is a fundamental right, which is entrenched in Article 21 [Right to Life & Liberty] of the Constitution. This led to the formulation of a comprehensive Personal Data Protection Bill 2019 (the PDP Bill). However, the PDP Bill was withdrawn in August 2022, considering a long list of recommendations for changes tabled by a Joint Parliamentary Committee that provided its report in December 2021. In its place, on November 18, 2022, the Ministry of Electronics and Information Technology (MeitY), Government of India, released a draft of the Digital Personal Data Protection Bill, 2022 (the DPDP Bill.

No requirement.

Every corporate entity collecting sensitive personal information must appoint a Grievance Officer to address complaints relating to the processing of such information and to respond to data subject access and correction requests expeditiously but within one month from receipt of receipt of the request or grievance.

There is no specific requirement that the data protection officer must be a citizen of or resident of India, nor are there any specific enforcement actions or penalties associated with not appointing a data protection officer correctly. However, the appointment of a data protection officer is part of the statutory due diligence process, and it is thus imperative that such an officer should be appointed.

Under the Act, if a corporate entity that possesses, manages or handles any sensitive personal information in a computer resource that it owns, controls or operates is negligent in implementing and maintaining compliance with the Privacy Rules, and its negligence causes wrongful loss or wrongful gain to any person, the corporate entity shall be liable for damages to the person(s) affected.

The Privacy Rules state that any corporate entity or any person acting on its behalf that collects sensitive personal information must obtain written consent (through letter, email, or fax) from the providers of that information. However, the August 2011 Press Note issued by the IT Ministry clarifies that consent may be given by any mode of electronic communication.

The Privacy Rules also mandate that any corporate entity (or any person, who on behalf of such entity) that collects, receives, possesses, stores, deals or handles information shall provide a privacy policy that discloses its practices regarding the handling and disclosure of personal information, including sensitive personal information, and ensure that the policy is available for view, including on the website of the corporate entity (or the person acting on its behalf). Specifically, the corporate entity must ensure that the person to whom the information relates is notified of the following at the time of collection of sensitive personal information or other personal information:

  • The fact that the information is being collected
  • The purpose for which the information is being collected
  • The intended recipients of the information
  • The name and address of the agency that is collecting the information and the agency that will retain the information

The Privacy Rules define “personal information” as any information that relates to a natural person, which, either directly or indirectly, in combination with other information that is available or likely to be available to a corporate entity, is capable of identifying such person.

The Privacy Rules define “sensitive personal data or information” to include the following information relating to:

  • Passwords
  • Financial information e.g. bank account/credit or debit card or other payment instrument details
  • Physical, physiological and mental health conditions
  • Sexual orientation
  • Medical records and history
  • Biometric information
  • Any detail relating to the above clauses as provided to a corporate entity for providing services
  • Any of the information received under the above clauses for storing or processing under lawful contract or otherwise

Biometrics means the technologies that measure and analyze human body characteristics, such as fingerprints, eye retinas and irises, voice patterns, facial patterns, hand measurements and DNA for authentication purposes.

However, any information that is freely available in the public domain is exempt from the above definition.

The data collector must obtain the consent of the provider of the information for any transfer of sensitive personal information to any other corporate entity or person in India or to any other country that ensures the same level of data protection as provided for under the Privacy Rules. However, consent is not necessary for the transfer if it is required for the performance of a lawful contract between the corporate entity (or any person acting on its behalf) and the provider of information or as otherwise specified in the Act.

A corporate entity may not transfer any sensitive personal information to another person or entity that does not maintain the same level of data protection as required by the Act.

The government of India has established and authorized the Indian Computer Emergency Response Team (“Cert-In”) to collect, analyze and disseminate information on cyber incidents, provide forecasts and alerts of cybersecurity incidents, provide emergency measures for handling cybersecurity incidents and coordinate cyber incident response activities.

The Information Technology (the Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (“Cert-In Rules”) impose mandatory notification requirements on service providers, intermediaries, data centers and corporate entities upon the occurrence of certain cybersecurity incidents.

The Act does not refer to electronic marketing directly. Dishonestly receiving data, computer databases or software is an offense. However, in a related development, the Food Safety and Standards Authority of India (FSSAI) has made it mandatory for E-commerce FBOs (Food Business Operators) to obtain a license from the Central Licensing Authority. E-commerce FBO means any Food Business Operator carrying out any of the activities in section 3(n) of the Food Safety & Standards Act, 2006, through the medium of e-commerce. Interestingly, section 3(n) covers the entire food chain as it defines “food business” as any undertaking, whether for-profit or not, and whether public or private, carrying out any of the activities related to any stage of manufacture, processing, packaging, storage, transportation, distribution of food, import and includes food services, catering services, sale of food or food ingredients. Similarly, another set of legal Rules being referred as “E-commerce & the Legal Metrology (Packaged Commodities) Amendment Rules, 2017,” effective from January 1, 2018, has made it mandatory for an e-commerce entity to ensure mandatory declarations about the commodity displayed on the digital and electronic network used for e-commerce transactions.

The consumer protection regime in India was recently overhauled by way of enactment of the Consumer Protection Act, 2019 (notified in July 2020) (CPA 2019). Under CPA 2019, sellers and service providers have the obligation to, among others, not engage in unfair trade practices including by way of misleading advertisements. Further, Consumer Protection (E-Commerce) Rules, 2020 (E-Commerce Rules) have been notified under the CPA to regulate e-commerce entities in India. An ‘e-commerce entity’ has been defined to mean any person who owns, operates or manages digital or electronic facility or platform for electronic commerce, but does not include a seller offering his goods or services for sale on a marketplace e-commerce entity. E-commerce entities are required to set up a proper grievance redressal mechanism and consumer complaints should be acknowledged by the grievance officer within a stipulated timeline. E-commerce entities are further required to, among others, provide information in relation to refund, exchange, warranty, delivery, mode of payment, fees and charges, grievance process and other relevant information on their platform. The price (total and a break up) of goods or services should be mentioned clearly and misleading advertisements and misrepresentation are prohibited.

The Privacy Rules also provide the right to “opt-out” of email marketing, and the company’s privacy policy must address marketing and information collection practices. Further, the National Do Not Call (NDNC) Registry is effectively implemented by the Telecom Regulatory Authority of India (TRAI). TRAI has also established the Telecom Commercial Communication Customer Preference Portal, i.e., a national database containing a list of the telephone numbers of all subscribers who have registered their preferences regarding the receipt of commercial communications. Telemarketing companies may lose their license for repeated violation of DNC norms.

There is no regulation of cookies, behavioral advertising, or location data. However, it is advisable to obtain user consent, such as through appropriate disclaimers.

Civil penalties of up to approximately €570,341.28 (as at December 21, 2022) for failure to protect data, including sensitive personal information, may be imposed by an Adjudicating Officer; damages in a civil suit may exceed this amount.

Criminal penalties of up to three years of imprisonment or a fine up to approximately €5,704.34 (as at December 21, 2022), or both for unlawful disclosure of information.

Separately, the Directions have introduced a penalty of a term of imprisonment extendable to 1 year or a fine up to approximately €1140.68 (as at December 21, 2022), or both, for failure to provide information to CERT-In or non-compliance with the Directions.

No such authority exists.