Data Protection Laws in India

What is data protection?

Individuals, as citizens and consumers need to have the means to exercise their right to privacy and protect themselves and their information from abuse. This is particularly the case when it comes to our personal information. Data protection is about safeguarding our fundamental right to privacy, which is enshrined in international and regional laws and conventions.

Data protection is commonly defined as the law designed to protect your personal information, which is collected, processed and stored by “automated” means or intended to be part of a filing system. In modern societies, to empower us to control our information and to protect us from abuses, it is essential that data protection laws restrain and shape the activities of companies and governments. These institutions have shown repeatedly that unless rules restrict their actions, they will endeavor to collect it all, mine it all, keep it all, while telling us nothing at all.

Why are data protection laws needed in India?

As we all know that India has emerged as an IT hub of the world and it is extremely important for us to have a proper law dealing with Data protection.

Prior to the passing of the Digital Personal Data Protection Act, 2023 by the Indian Parliament, protecting the Data in India  faced many problems and resentments due to absence of proper legislative frameworks. India being the largest host of outsource data can be an easy target for cyber criminals mainly due to lack of proper law.

Prior to the passing of the Digital Personal Data Protection Act, 2023, the data protection regime was to be found in certain provisions of the Information Technology Act, 2000 and its corresponding Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

Further, personal data is also protected by virtue of Article 21 of the Constitution of India. Right to privacy has now been declared to be a facet of the right to life under Article 21 by the Supreme Court of India.

However, before delving into the provisions of the Digital Personal Data Protection Act, 2023 it would also be worthwhile to note the provisions of the IT Act and the relevant IT Rules as well as some of the steps taken by the Government for protection of data.

INFORMATION TECHNOLOGY ACT, 2000

Section 43A of the IT Act provides for compensation payable for failure to protect data. The said section imposes a liability to pay compensation on a body corporate which possesses, deals or handles sensitive personal data or information in a computer resource owned by it and is negligent in implementing reasonable security practices and procedures, which resultantly causes wrongful loss to a person.

Section 66E provides for punishment to someone who intentionally captures, publishes or transmits the image of a private area of any person without his or her consent under such circumstances which violate the privacy of such person.

Section 72 provides for penalty for breach of confidentiality and privacy by a person who has secured access to any electronic book, register, information, etc of any person and who without the consent of such person discloses the such electronic book, information, etc to any other persons.

Section 72A provides for punishment for disclosure of information in breach of a lawful contract.   

INFORMATION TECHNOLOGY (REASONABLE SECURITY PRACTICES AND PROCEDURES AND SENSITIVE PERSONAL DATA OR INFORMATION) RULES, 2011

Rule 4 provides for a company who collects, receives, stores information, shall provide for a policy for handling and dealing with such information.

Rule 6(1) provides that disclosure of sensitive personal data by a company to a third person requires prior permission of the provider of such personal data.

SOME STEPS TAKEN BY THE GOVERNMENT FOR PROTECTION OF DATA

Standardization Testing and Quality Certification (STQC) Directorate: Owing to the international demand that Indian firms should have an international security standards accreditation, the Indian government has set up the STQC Directorate (Under the department of Information Technology (DIT).

The Directorate has been able to launch an independent third party certification scheme for the information security management system (ISMS), as per BS 7799 Part 2, and has achieved international recognition in the form of accreditation from the RvA, Netherlands.

The STQC Directorate provides services such as testing hardware and software products certification and also training personnel in quality and security standards and processes.

Computer Emergency Response Team (CERT): Team (CERT-In) was established by the DIT to be a part of the international CERT community. CERT was set up to protect India’s IT assets against viruses and other security threats. It performs the following functions:

• It serves as a central point, responding to computer security incidents and providing a reliable, trusted, 24 hours referral contact for emergencies.
• It disseminates best practices among system administrators and service providers.
• It increases the awareness and understanding of InfoSec and computer security issues among the Indian Cyber user community.
• It alerts the community regarding the latest security threats by publishing advisories, vulnerability notes ad incident notes.
• It serves as a coordinating center among organizations to solve computer security problems.
• It establishes linkages with similar organizations in the international arena.
• It performs R&D activities in collaboration with premier research and educational organizations regarding the security of existing systems and regarding evolving cyber security problems.

THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023

1.    The Digital Personal Data Protection Act, 2023 (“Act”) received the presidential assent on 11th August 2023 after having been passed by both the Houses of the Parliament.

2.    The primary purpose of the Act is to regulate the processing of digital personal data in a manner that safeguards the rights of the individuals and the need to process the personal data for lawful purposes.

3.    The Act applies to digital personal data which is processed within the territory of India and as well as that which is processed outside India only if such processing is in connection with any activity related to offering of goods or services to the individuals within the territory of India.

4.    The Act, however, does not apply to personal data processed by an individual for any personal or domestic purpose as well as such personal data which is made available publicly by the individual.

5.    It would also be necessary to understand the meaning of “processing” of data.

• Processing means such operations performed on digital personal data which includes collection, recording, storage, retrieval, use, sharing, etc of the data.

6.    The individual to whom the personal data relates in called the “Data Principal” and the person who determines the purpose and means of processing the personal data is called the “Data Fiduciary”.

It is important to note some of the beneficial provisions in the Act:

1.    Processing of personal data can be made only in accordance with the Act and for a lawful purpose (means any purpose not expressly forbidden by law) for which the individual has given her consent or for certain legitimate purposes.

• The consent given by such individual should be free, specific, informed, unconditional and unambiguous.
• The Data Fiduciary shall, while requesting the individual for her consent to process the data, give a proper notice to the individual inter alia informing the type of personal data which will be processed and the purpose behind the same.
• The said Notice should also declare the manner in which the individual may make a complaint to the Board in case of any grievance.
• The request for consent should be in clear and plain language giving the individual to access such request in English or any other language mentioned in the Eight Schedule of the Constitution of India.

2.    The Data Principal has the right to withdraw any consent with such ease as existed at the time when consent was given in the first place.

3.    In case the individual whose data is to be processed is a child (a person below 18 years of age) or a person with disability, then consent of the parent or lawful guardian, as the case may be, has to be obtained.

4.    Certain obligations have been imposed on the Data Fiduciary, such as:

• When would the personal data provided be used to make a decision that affects the individual, then Data Fiduciary to ensure that personal data is complete, accurate and consistent.
• Implementing effective technical and organization measures to ensure due compliance of the Act,
• Duty to ensure protection of the personal data and put in place reasonable security safeguard to prevent breach of personal data,
• Intimate the individual and the Board in case of any breach of personal data.
• Erase the personal data upon the withdrawal of consent by the individual or as soon as it is reasonable to assume that the purpose for which data was being processes is fulfilled, unless such retention is necessary for compliance with any law,
• Have effective mechanism to redress the grievances of the individual.

5.    Certain additional obligations are imposed on Significant Data Fiduciary (“SDF”): A data fiduciary may be categorized as a SDF by the Central Government on certain factors such as volume and sensitivity of data processed; potential impact on sovereignty and integrity of India; risk to electoral democracy; security of the State; public order. The SDF have to-

• Appoint a Data Protection Officer who will represent the SDF, be based in India and be the point of contact for grievance redressal mechanism,
• Appoint an independent data auditor,
• Undertake periodic Data Protection Impact Assessment, periodic audit and such other measures as may be prescribed.

6.    Certain Rights have been bestowed upon the Data Principals such as:

• Right to ask for a summary of the personal data which has been processed by the data fiduciary and the details of all other data fiduciaries with whom the personal data has been shared. However, this would not be applicable if the sharing of personal data by one data fiduciary with the other is for the purpose of prevention or detection of offences or cyber incidents or for prosecution or punishment of offences.
• Right to seek a correction, completion, updation or erasure of personal data. However, erasure of personal data may not be possible if the retention of the data is required for some specified purpose or for compliance with any law.
• Right to have readily available means of grievance redressal in respect of any act or omission by the data fiduciary. The grievances would have to be redressed in a timely manner.

7.    Certain Duties have been bestowed upon the Data Principals such as:

• To not impersonate another person while providing their personal data.
• Not to suppress any material information.
• Not to register false or frivolous grievance.

8.    Data Protection Board of India established under Section 18 of the Act has the following powers and functions:

• To direct any urgent remedial or mitigation measures in case of breach of personal data.
• Inquire into the personal data breach and impose penalties.
• Though the Act contains various beneficial provisions as mentioned above with an intention to protect and safeguard the digital personal data of individuals/companies, etc, however the Act does contain certain provisions which may be of concern:

1.    The Act does not provide for any compensation to be payable to the Data Principal in case of breach of personal data.

2.    Though the Act imposes penalties for breach of the provisions of the Act, however the same are to be credited to the Consolidated Fund of India.

3.    The appointment of the Chairperson and members of the Data Protection Board of India by the Central Government and further a short tenure of 2 years coupled with their eligibility for reappointment may hamper the independent functioning of the Board.

4.    The provisions of the Act would not be applicable in respect of processing of personal data by any notified instrumentality of the State in the interest of sovereignty, integrity of India, security of State, friendly relations, or maintenance of public order. This may result in data collection and retention beyond what is necessary thereby violating the fundamental right to privacy.

5.    Further, the provisions with respect to notice and consent for processing of personal data are not applicable where:

• Personal data is processed for enforcing any legal right or claim,
• Personal data is processed for prevention, detection, investigation, prosecution of any offence.

6.    The erasure of personal data is not unconditional and may not be allowed under certain circumstances.

7.    The Act also allows the transfer of personal data outside India except to the countries as may be notified by the Central Government.

8.    The Act also empowers the Central Government to require the Data Protection Board or any Data Fiduciary to furnish such information as it may call for- There is no guidance given in the Act as to what the nature of such information can be. Presumably, the Data Fiduciary or the Board would have no option but to furnish such information to the Central Government.

It's worth mentioning that while the Act has been approved by the Indian Parliament and has received presidential assent, it has not been put into effect yet. Additionally, the Government will issue rules that will elaborate on how the Act will be implemented. These rules will offer more clarity on various aspects such as notice requirements, the role of consent managers, procedures for data breach notifications, obtaining parental consent for children's data, addressing grievances, exemptions for processing personal data, and procedures for redressal.

It is also important to note that till such time the Act is notified to come into force, the current data protection framework under the Information Technology Act and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 shall hold the field.

Conclusion

In today's world, our personal data holds significant value to us. The Government is taking steps to safeguard our personal data, ensuring it remains under our control and isn't exploited by others.

However, individuals must also take proactive measures to prevent their personal data from being leaked. The new Data Protection Act tackles many of these concerns, but the specifics of its implementation remain to be seen until the Government establishes the necessary rules.

We can address your concerns related to Data Protection Law. You can get in touch with us by filling the form below.