Data Privacy Laws in India
|Offence|Penalty|
|---|---|
|Tampering with computer source documents|Imprisonment up to three years, or/and with fine up to ₹200,000|
|Breach of confidentiality and privacy|Imprisonment up to 2 years, or/and with fine up to ₹100,000|
Personal Data Protection Bill 2019 & IT Act 2000
In India, data protection is principally governed by the Information Technology Act, 2000, and the rules made under it.
In Justice K.S. Puttaswamy (Retd.) v. Union of India [Writ Petition No. 494/2012], a Constitutional Bench of nine Supreme Court of India judges held that privacy is a basic right enshrined in Article 21 [Right to Life and Liberty] of the Constitution. As a result, a comprehensive Personal Data Protection Bill 2019 was drafted (the PDP Bill) [1]. The passage of the PDP Bill will transform India’s personal data protection and regulatory environment. Until then, India’s data privacy is governed by the Act and its provisions. According to a report provided by a Joint Parliamentary Committee formed to analyse the PDP Bill, the bill is currently pending examination by the Indian Parliament and may undergo considerable revisions from its current form. The PDP Bill is likely to take effect early in 2022.
The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules (Privacy Rules), issued under the Act, were adopted by India’s IT Ministry. Under the Privacy Rules, which went into effect in 2011, corporate entities collecting, processing, and storing personal information, particularly sensitive personal information, must follow specified procedures. As described below, the Privacy Rules distinguish between ‘personal information’ and ‘sensitive personal information.’
In August 2011, India’s Ministry of Communications and Information Technology issued a ‘Press Note’ (Clarification on the Privacy Rules), which stated that any Indian outsourcing service provider/organization providing services relating to the collection, storage, dealing, or handling of sensitive personal information or personal information under contractual obligation with any legal entity located within or outside India is not subject to the requirements on collection and disclosure of sensitive personal information or personal information.
As previously reported, India is revising its personal data protection law. A new legislative structure for non-personal data is also possible. In 2019, the Ministry of Electronics and Information Technology established a committee to offer recommendations to the Central Government on the regulation of non-personal data (NPD), and the committee published its report on the non-personal data governance framework (the NPD Report). The NPD Report describes NPD as data that is not personal data as defined by the PDP Bill, or data that does not contain any personally identifying information. Among other things, the NPD Report advises that adequate anonymization criteria for NPD be created in order to avoid or minimize the danger of re-identification. It’s unclear whether NPD would be controlled under the PDP Bill, and how it will affect different stakeholders.
On December 11, 2019, the PDP Bill was introduced in the Lower House of Parliament. It proposes a legal framework to protect individuals’ autonomy in relation to their personal data, to define where the flow and use of personal data is appropriate, to establish a trusting relationship between persons and entities processing their personal data, to define the rights of individuals whose personal data is processed, to establish a framework for implementing organizational and technical measures in processing personal data, and to establish norms for cross-border data transfers.