A Q&A guide to data protection in India.
This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies.
This article is part of the PLC multi-jurisdictional guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-mjg.
The right to protection of personal data is a civil and constitutional right. Article 21 of the Constitution of India provides for the right to life and personal liberty, which includes the right to privacy.
The main laws regulating data privacy are the:
Information Technology (Amendment) Act 2008 (IT Act).
Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Information) Rules 2011 (IT RSPPSPI Rules). The IT RSPPSPI Rules widen the scope of section 43A of the IT Act and regulate the collection, disclosure and transfer of sensitive personal data (see Question 11).
The following laws also regulate data privacy:
Indian Telegraph Act 1885.
Credit Information Companies (Regulations) Act 2005.
Indian Contract Act 1872.
Specific Relief Act 1963.
Consumer Protection Act 1986.
Indian Copyright Act 1957.
Indian Penal Code 1860.
The laws relating to protection of personal data apply to all sectors. There are no sector-specific laws.
The laws apply to any person, including an intermediary, who under the terms of a lawful contract has access to materials containing personal information about another person.
The IT RSPPSPI Rules apply to:
A body corporate. This is defined as a company and includes any firm, sole proprietorship or other association of individuals, among others, engaged in commercial or professional activities (clause (i), explanation to section 43A, IT Act).
Every person who on behalf of a body corporate collects, receives, possesses, stores, deals with, handles or provides information.
The IT RSPPSPI Rules regulate sensitive personal data or information (see Question 11).
However, section 72A of the IT Act widens the meaning of the term data to include any material containing personal information.
Data has also been defined under section 2(o) of the IT Act as a representation of information, knowledge, facts, concepts or instructions which are both:
Formally prepared or being prepared.
Intended to be processed, are being processed or have been processed in a computer system or computer network.
This data may be in any form (including computer printouts, magnetic or optical storage media, punched cards and punched tapes, or stored internally in the memory of the computer).
Collecting, storing, processing, disclosing, handling and transferring information are regulated acts (see Questions 1 to 3).
The IT Act applies in the whole of India. It also applies to:
Any offence under or contravention of the provisions of the IT Act committed by any person outside India.
All persons, irrespective of nationality, in relation to an offence or contravention committed outside India where the act or conduct constituting the offence or contravention involves a computer, computer system or computer network located in India (section 75, IT Act).
The IT Act does not provide for exemptions.
The relevant authorities can intercept messages sent for transmission, or transmitted or received, by telegraph, in the interests of national sovereignty (section 5(2), Indian Telegraph Act 1885). Telegraph means any appliance, instrument, material or apparatus used or capable of use for transmission or reception of signs, signals, writing, images and sounds or intelligence of any nature by (Indian Telegraph Act 1885):
Visual or other electro-magnetic emissions.
Galvanic, electric or magnetic means.
However, in People's Union of Civil Liberties v Union of India, the Supreme Court of India gave certain directives relating to intercepting messages:
Tapping telephones is prohibited without an authorising order from the Home Secretary, Government of India or the Home Secretary of the concerned State Government.
The order only remains in force for two months from the date of issue, unless it is renewed (for a maximum of six months).
Telephone tapping or interception of communications must be limited to the telephone numbers at the address specified in the order or to telephone numbers likely to be used by a person specified in the order.
All copies of the intercepted material must be destroyed as soon as their retention is no longer necessary (section 5(2), Indian Telegraph Act 1885).
In an urgent case, this power can be delegated to an officer of the Home Department, Government of India or the Home Department of the State Government. This officer must not be below the rank of Joint Secretary. A copy of the order must be sent to the concerned Review Committee within one week of the order being passed.
The Review Committee must independently investigate the passing of the order to review whether the relevant interception is necessary in the interests of national sovereignty (section 5(2), Indian Telegraph Act 1885). The Review Committee assesses whether there has been a contravention of section 5(2) and, if there has, directs that the copies of the intercepted material be destroyed.
See also Question 3.
For the rules relating to sensitive data, see Question 11.
Notification or registration is not required before processing data.
The IT Act does not define the term data controller or provide any specific obligations to ensure that the data is processed properly. However, the disclosure of personal information about another person without the consent of the person concerned or in the case of a breach of contract is prohibited (section 72A, IT Act) (see Question 2).
For the rules relating to sensitive data, see Question 11.
A body corporate or a person acting on its behalf must obtain the data subject's written consent before collection of information (Rule 5, IT RSPPSPI Rules). The consent should relate to the specific purpose of the use of the information, but there are no rules regarding the form or content of the consent. The consent can be given by letter, fax or e-mail, and must be obtained before disclosure or transfer of data.
For information regarding consent under section 72A of the IT Act to disclosure of personal information, see Question 8.
Consent must not be obtained by coercion, undue influence, fraud, misrepresentation or mistake. Consent can be implied or inferred.
There are no specific rules relating to consent obtained from a minor. However, minors are not competent to enter into contracts and therefore consent from a minor is not enforceable (section 11, Indian Contract Act 1872).
For information relating to authorised orders to intercept telecommunications, see Question 6.
There are no specific grounds on which processing can be justified without the data subject's consent.
See also Question 9.
The IT RSPPSPI Rules, enacted under section 87(2) of the IT Act, regulate sensitive personal data, which includes the following:
Financial information such as bank account, credit or debit card, or other payment instrument details.
Information regarding physical, physiological and mental health.
Medical records and history.
Any detail relating to the above bullet points provided to the body corporate for providing a service or for processing or storing under a lawful contract, or otherwise.
Any information that is freely available or accessible in the public domain, or provided under the Right to Information Act 2005 or any other law in force, is not regarded as sensitive personal data or information (Rule 3, IT RSPPSPI Rules).
The data processor must maintain reasonable security practices and procedures in relation to sensitive personal data or information. The IT RSPPSPI Rules do not prescribe any specific practices and procedures. However, the IT RSPPSPI Rules recognise International Standard ISO/IEC 27001 on "Information Technology - Security Techniques - Information Security Management System - Requirements" (ISO/IEC 27001). The IT RSPPSPI Rules must be read in conjunction with section 43A of the IT Act.
Clear and easily accessible statements of the body corporate's practices and policies.
The type of personal or sensitive personal data collected under Rule 3 of the IT RSPPSPI Rules.
The purpose of collection and use of the information.
Details regarding the restriction on publishing sensitive personal data or information under Rule 6(3) of the IT RSPPSPI Rules.
Reasonable security practices and procedures as provided under Rule 8 of the IT RSPPSPI Rules.
Consent to disclosure is usually required (see Question 9). However, information collected can be shared, without obtaining prior consent from the data subject, with government agencies mandated under the law to either (Rule 6, IT RSPPSPI Rules):
Obtain information including sensitive personal data or information to verify identity.
Prevent, detect and investigate cyber incidents, and prosecute and punish offences, among other things.
The IT RSPPSPI Rules do not require any information to be provided to data subjects at the point of collection of the personal data.
There are no relevant provisions under the IT Act.
The IT RSPPSPI Rules do not provide data subjects with the right to request the deletion of their data. However, the data subject can withdraw consent previously given to a body corporate (Rule 5(7), IT RSPPSPI Rules). In addition, the body corporate or any person on its behalf must not retain the information obtained for longer than required either (Rule 5(4), IT RSPPSPI Rules):
For the purpose for which the information may lawfully be used.
Under any other law for the time being in force.
Rule 8 of the IT RSPPSPI Rules requires a body corporate (or any person acting on its behalf) to comply with reasonable security practices and procedures. Reasonable security practices and procedures means those designed to protect personal data from unauthorised access, damage, use, modification, disclosure or impairment. These may be specified in an agreement between the parties or in any relevant law in force (or, if there is no agreement or relevant law, by the central government in consultation with professional bodies or associations) (section 43A, IT Act).
The IT RSPPSPI Rules recognise ISO/IEC 27001. Annex A of ISO/IEC 27001 provides implementation advice and guidance on best practice, including in relation to:
Asset management security.
Human resources security.
Physical and environmental security.
Communications and operations management.
Information systems acquisition, development and maintenance.
Information security incident management.
The IT RSPPSPI Rules do not provide a requirement to notify personal data security breaches to data subjects or the national regulators.
See also Question 15.
No additional requirements apply where a third party processes the data on behalf of the data controller. However, any person working on behalf of a body corporate must comply with any applicable IT RSPPSPI Rules.
The IT Act does not specifically enable data controllers to store cookies or equivalent devices on the data subject's terminal equipment. However, any person who does any of the following without the consent of the owner or user of the computer, computer system or computer network is subject to a penalty (section 43, IT Act):
Accesses or secures access to the computer, computer system or computer network or computer resource.
Downloads, copies or extracts any data, computer database or information from the computer, computer system or computer network, including information or data held or stored in any removable storage medium.
Steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage.
Under the Telecom Commercial Communications Customer Preference Regulations 2010 (TCCCP Regulations), the Telecom Regulatory Authority of India regulates unsolicited commercial telecommunications. The TCCCP Regulations provide for the establishment of a National Customer Preference Register, through which telephone users can opt for complete or partial blocking of commercial calls (Schedule I, TCCCP Regulations).
There are no restrictions or requirements relating to sending unsolicited electronic commercial communications by e-mail.
There are no specific rules regulating the transfer of data outside India. Data can be transferred outside India by way of a data transfer agreement with one of the parties outside India, along with a specific consent from the data subject to the transfer of data (see Question 21).
See also Question 5.
Data transfer agreements are not contemplated under the IT Act or the IT RSPPSPI Rules. There are no standard forms of or precedents for data transfer agreements. However, a data transfer agreement must comply with the Indian Contract Act 1872, the IT Act and the IT RSPPSPI Rules.
A data transfer agreement is sufficient to legitimise transfer. However, it is advisable to obtain a consent letter from the transferor before transferring data, as there are restrictions under the IT RSPPSPI Rules on the transfer of data to a third person (see Question 9).
There is no requirement to obtain the national regulator's approval for a data transfer agreement.
See also Question 9.
The IT Act does not provide for the appointment of a national regulator. However, section 46 of the IT Act provides for the appointment of an adjudicating officer to hold inquiries into data protection issues. Every adjudicating officer has the powers of a civil court (sub-section 5, section 46, IT Act). These powers are conferred on the Cyber Appellate Tribunal (Tribunal) (sub-section 2, section 58, IT Act) and:
All proceedings before it are deemed to be judicial proceedings within the meaning of sections 193 and 228 of the Indian Penal Code.
The Tribunal is deemed to be a civil court for the purposes of sections 345 and 346 of the Code of Criminal Procedure 1973.
The Tribunal is deemed to be a civil court for purposes of order XXI of the Civil Procedure Code 1908.
The remedies available for breach of data protection laws vary depending on the nature of the contravention. The penalty for non-compliance with the provisions of the IT RSPPSPI Rules is INR25,000 (section 45, IT Act). Penalties under the IT Act can extend up to INR50 million.
Specific penalties include the following:
Tampering with computer source documents (section 65, IT Act): imprisonment up to three years and/or a fine of up to INR200,000.
Offences as provided in section 43 of the IT Act (section 66, IT Act): imprisonment up to three years and/or a fine of up to INR500,000.
Dishonestly receiving stolen computer resources or communication devices (section 66B, IT Act): imprisonment for a term of up to three years and/or a fine of up to INR100,000.
Identity theft (section 66C, IT Act): imprisonment for a term of up to three years and a fine of up to INR100,000.
Violation of privacy (section 66E, IT Act): imprisonment of up to three years and/or a fine of up to INR200,000.
Qualified. India, 1999
Areas of practice. M&A; private equity; corporate restructuring; commercial contract.
Qualified. India, 2007
Areas of practice. M&A; private equity; commercial contract.