India
Data Protection 2016
Published: 09/05/2016
1 Relevant Legislation and Competent Authorities
2 Definitions
3 Key Principles
4 Individual Rights
5 Registration Formalities and Prior Approval
6 Appointment of a Data Protection Officer
7 Marketing and Cookies
8 Restrictions on International Data Transfers
9 Whistleblower Hotlines
10 CCTV and Employee Monitoring
11 Processing Data in the Cloud
12 Big Data and Analytics
13 Data Security and Data Breach
14 Enforcement and Sanctions
15 E-discovery / Disclosure to Foreign Law Enforcement Agencies
16 Trends and Developments
1 Relevant Legislation and Competent Authorities

https://iclg.com/practiceareas/dataprotection/dataprotection2016/india
4/11/2017 India Data Protection 2016 ICLG International Comparative Legal Guides
1.1 What is the principal data protection legislation?

In the absence of specific legislation, data protection is achieved in India on the basis of the following legislation, which applies also to other aspects of online regulation, such as e-commerce and cybercrime:

The Information Technology Act (2000), amended by the Information Technology (Amendment) Act (2008), henceforth referred to as the "IT Act", which contains provisions for the protection of electronic data. The IT Act penalises cyber contraventions, which attract civil prosecution under section 43(a)-(h), and cyber offences, which attract criminal action under sections 63-74. The former category includes gaining unauthorised access to, and downloading or extracting data from, computer systems or networks. The latter covers serious offences like tampering with computer source code, hacking with intent to cause damage, and breach of confidentiality and privacy.

In April 2011, the Indian Ministry of Communications and Information Technology published four sets of rules implementing certain provisions of the Information Technology (Amendment) Act (2008), as follows:

- The Security Practices Rules require entities holding sensitive personal information of users to maintain certain specified security standards.
- The Intermediary Guidelines Rules prohibit content of a specific nature on the internet. An intermediary, such as a website host, is required to block such content.
- The Cyber Café Rules require cyber cafés to register with a registration agency and maintain a log of the identity of users and their internet usage.
- Under the Electronic Service Delivery Rules, the Government can specify certain services, such as applications, certificates, licences, etc., to be delivered electronically.

Of relevance to the issue of data protection is the first set of rules in the list above:

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules (2011), henceforth referred to as the "IT Rules", which were framed under section 43A of the Information Technology Act (2000) as amended in 2008. The IT Rules set out procedures for corporate entities which collect, process or store personal data (including sensitive personal information). These Rules also distinguish personal information from sensitive personal information.

It must be pointed out that because the statutes in question were not drafted specifically with the protection of data in mind, the patchwork of existing legislation currently being used for this purpose certainly leaves a lot to be desired in terms of effective protection of data, and even of a basic definition of scope and sanctions.

The Government recognises this, and has also proposed to enact specific legislation on privacy (the "Privacy Bill") which, if it comes into force, will override the IT Rules. The Privacy Bill recognises an individual's right to privacy and provides that this right cannot be infringed except in certain circumstances specified in the Bill, which include protection of national integrity or sovereignty, national security, prevention of crime and public order. Although the Privacy Bill was first drafted in 2011, and multiple revised drafts have been published regularly ever since, the Bill has not yet passed into law.

Currently, two major issues are hindering smooth passage of the Bill in the Legislature:
1) A disagreement between the judiciary and intelligence agencies over whether or not the agencies ought to be under the scrutiny of a competent court with respect to interception of personal data when they deem it necessary.
2) A debate over the extension of protection granted by the legislation to all residents of the country (as opposed to only the citizens).

The Bill is expected to become law later this year. It must be noted that although the latest draft of the proposed Bill was allegedly circulated to the Committee of Secretaries and leaked to the Centre for Internet and Society (an independent non-profit organisation in Delhi and Bangalore) in 2014, this last draft is not yet publicly available. All references to the draft Privacy Bill in this chapter therefore refer to the publicly available draft from 2011.
1.2 Is there any other general legislation that impacts data protection?

Data protection may also sometimes occur through the enforcement of property rights based on the following:

The Copyright Act (1957): Since the Act protects intellectual property rights in different types of creative work including literary works, and the term "literary work" statutorily includes computer databases, copying a computer database, or copying or distributing a database, could amount to copyright infringement under the Act. This provides some scope for protecting different types of data as literary works. It is important to note, however, that there is a difference between database protection and data protection, which serve very different purposes. Database protection protects the creative investment in compilation, presentation and verification of databases, while data protection aims to protect the privacy of individuals by limiting or restricting access to their personal or sensitive information.

The Indian Penal Code (1860): This could be used to prevent theft of data. The offences of theft and misappropriation technically apply only to movable property under the Indian Penal Code, but the term "movable property" has been defined to include corporeal property of every description except land or property that is permanently attached to the earth.

The Indian Constitution: Article 21 of the Constitution protects an individual's right to life and personal liberty. The Supreme Court of India has repeatedly held that the right to privacy is implicit in the right to life and personal liberty. The 2014 draft of the Privacy Bill recognises the right to privacy as being under the scope of Article 21 of the Constitution. Article 300A of the Constitution also guarantees the right not to be deprived of one's property except by authority of law, so if the data in question is regarded as property, this provision may be relied upon. It must be noted, however, that rights guaranteed by the Constitution may normally only be used against the State or State-owned enterprises.

In addition to the above, invasion or breach of privacy could lead to an action in tort.
1.3 Is there any sector-specific legislation that impacts data protection?

Business Process Outsourcing units implement self-regulatory processes, such as the BS 7799 and ISO 17799 standards, to standardise information security management and restrict the quantity of data made available to employees.

The Reserve Bank of India periodically issues guidelines, regulations and circulars to maintain the confidentiality and privacy of client information, and in 2006, in conjunction with several other banks belonging to the Indian Banks' Association, also established a body called the Banking Codes and Standards Board of India to evolve a set of voluntary norms which banks must enforce themselves through internal grievance redressal mechanisms within each bank. These mechanisms include a designated Code Compliance Officer and an Ombudsman.

Similarly, the Securities and Exchange Board of India is a securities market regulator which requires securities market intermediaries to maintain confidentiality of client data, including personal data.

These regulations apply in addition to the IT Rules. While they provide a certain degree of security, the lack of legislative enforcement and foresight means that they are enforced in varying degrees by each individual institution and do not come with guaranteed parliamentary sanction.
1.4 What is the relevant data protection regulatory authority(ies)?

There are no specific national regulators dealing with administration of privacy laws in India. However, the Privacy Bill contemplates the creation of a Data Protection Authority of India which will monitor and enforce compliance with the Bill.

In cases where the compensation amount claimed for a failure to protect confidentiality of sensitive personal information is less than INR 50,000,000, the IT Act provides for the Government to appoint an Adjudicating Officer. All proceedings before the Adjudicating Officer are deemed to be judicial proceedings and the officer has the powers of a civil court. The details of the enquiry procedure that the Adjudicating Officer must use are provided in the Information Technology (Qualification and Experience of Adjudicating Officers and Manner of Holding Enquiry) Rules (2003).
2 Definitions

2.1 Please provide the key definitions used in the relevant legislation:

Personal Data

The legislation does not contain a definition of the term "personal data". However, the IT Rules define "personal information" as any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such a person.

The IT Act defines "data" as a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts, magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer.

The draft of the proposed Privacy Bill defines "personal data" as any data which relates to a living, natural person, if that person can, either directly or indirectly, in conjunction with other data that the data controller has or is likely to have, be identified from that data. This includes any expression of opinion about said person.

Sensitive Personal Data

The IT Rules define "sensitive personal data or information" as such personal information which consists of information relating to:

- passwords;
- financial information, such as bank account or credit card or debit card or other payment instrument details;
- physical, physiological and mental health conditions;
- sexual orientation;
- medical records and history;
- biometric information;
- any details relating to the above clauses as provided to a body corporate for provision of services; and
- any information received under the above clauses by a body corporate for processing, or which has been stored or processed under lawful contract or otherwise.

Provided that any information that is freely available or accessible in the public domain, or furnished under the Right to Information Act (2005) or any other law currently in force, shall not be regarded as sensitive personal data or information for the purposes of these rules.

The proposed Privacy Bill provides a more specific definition of sensitive data, as follows:

"Sensitive personal data" of an individual means personal data relating to:
1. unique identifiers such as the Aadhaar number or PAN (Permanent Account Number);
2. physical and mental health, including medical history;
3. biometric or genetic information;
4. criminal convictions;
5. banking, credit and financial data; and
6. narco-analysis and/or polygraph test data.

Processing

Neither the IT Act nor the IT Rules contain a definition of the term "processing".

However, the proposed Privacy Bill defines "processing" as any operation, or set of operations, whether carried out through automatic means or not, that relate to:
1. the organisation, collation, storage, update, modification, alteration or use of personal data; or
2. the merging, linking, blocking, degradation, erasure or destruction of personal data.

Data Controller

Neither the IT Act nor the IT Rules contain a definition of the term "data controller".

However, the proposed Privacy Bill defines the term as any person who processes personal data. This includes bodies corporate, partnerships, societies, trusts, associations of persons, Government companies, Government departments, urban local bodies, agencies or instruments of the State.

Data Processor

Neither the IT Act nor the IT Rules contain a definition of the term "data processor".

However, it is generally understood that bodies corporate collecting and processing data from data subjects are called data processors. This understanding is broadly affirmed by the definition provided in the proposed Privacy Bill, which states that, in relation to personal data, a data processor is any person (other than an employee of the data controller) who processes the data on behalf of the data controller.

Data Subject

In August 2011, the Ministry of Communications and Information Technology issued a Press Note (Clarification on the Privacy Rules) which states that the term "provider of information" refers to those natural persons who provide sensitive personal data or information to a body corporate. It is generally understood that "provider of information" is synonymous with "data subject", although the legislation contains no definition of either term.
According to the proposed Privacy Bill, a data subject is any living individual whose personal data is processed by a data controller in India.

Other key definitions - please specify (e.g., Pseudonymous Data, Direct Personal Data, Indirect Personal Data)

Pseudonymous Data

Neither the IT Act nor the IT Rules contain a definition of the term "pseudonymous data".

Direct Personal Data

Neither the IT Act nor the IT Rules contain a definition of the term "direct personal data".

Indirect Personal Data

Neither the IT Act nor the IT Rules contain a definition of the term "indirect personal data".
3 Key Principles

3.1 What are the key principles that apply to the processing of personal data?

Transparency

Under the IT Rules, data controllers and data processors must provide a privacy policy for the handling of or dealing in personal information, including sensitive personal information, and ensure that this policy is available to the data subject who has provided said information by lawful contract. Further, the policy shall be published on the website of the body corporate or any person on its behalf, and shall provide:
1. clear and easily accessible statements of the practices and policies of the data controller;
2. the types of sensitive or personal data or information collected by the body corporate, as defined by the IT Rules;
3. the purpose of collection and usage of such information;
4. disclosure of information, including sensitive personal data or information, as and when it is requested by the data subject under specified conditions; and
5. reasonable security practices and procedures as specified in the Rules.

The proposed Privacy Bill, in Chapter III, section 9, further provides for the following principles to be adhered to in the transparent collection of personal data:

Personal data must be directly collected from the data subject except if:
1. the information is part of the public record or has been made public by the data subject; or
2. the data subject has consented to the collection of personal data from another source.

Further, the Bill also states that when personal data is collected directly from the data subject, the data controller must, at any time before the data is processed, take reasonable steps to make the data subject aware of the following:
1. the documented purpose for which such personal data is being collected;
2. whether provision of data by the data subject is voluntary or mandatory under the law, or simply in order to avail of any products or services;
3. the consequences of the failure to provide said personal data;
4. the recipient or category of recipients of the personal data;
5. the name and address of the data controller and all persons who are, or will be, processing information on behalf of the data controller; and
6. if it is intended that the personal data be transferred out of the country, then details of said transfer.

Lawful basis for processing

The IT Rules mandate that the body corporate (or any person on its behalf) must obtain consent in writing from the data subject for the specific purpose for which the data will be used, before the collection of the data. Sensitive personal information may only be collected for a lawful purpose connected with a function or purpose of the corporate entity, and only if such collection is considered necessary for that purpose. The corporate entity must ensure that the information is being used only for the purpose for which it was collected.

The proposed Privacy Bill further provides that personal data shall be collected only with the consent of the data subject, unless said collection is either necessary for the data controller in order to comply with a particular law or ordinance, or is mandatory under current law. However, for any data subject under the age of 18, obtaining consent from their legal or natural guardian is mandatory, regardless of the exceptions previously made.

The Bill also provides, in sections 9 and 10 of Chapter III, guidelines for the lawful processing of personal data, specifying that personal data must be processed only in a fair, appropriate and lawful manner and for the documented purpose alone. The Bill states that the data controller shall collect and process only such type and amount of personal data as is absolutely necessary to fulfil the documented purpose. Data controllers must also ensure, according to the Bill, that all persons involved in any stage of the processing of personal data shall treat the personal data as confidential, and shall communicate said data only to people who are directly employed by the data controller, or to any subcontractor of the data controller who is under an obligation to maintain confidentiality.

The drafters of the proposed Privacy Bill have also seen fit to draw a distinction between the guidelines for the lawful processing of personal data and those that govern the processing of sensitive personal data. Chapter III, section 12 of the Bill specifically addresses the processing of sensitive personal data, stating that it shall not be collected or processed unless authorised by the Authority, and further stating that no such authorisation shall be required in a particular list of circumstances, which include, among other things: that the collection or processing of such data is required by law; that the said data has already been made public by the data subject; that such collection and processing is made in connection with any legal proceedings, if said processing is necessary for the purposes of obtaining legal advice, or for establishing or defending legal rights; and that data relating to criminal conviction, biometrics and genetic information is collected and processed by law enforcement agencies.

Purpose limitation

Neither the IT Rules nor the IT Act provides a specific time frame for the retention of sensitive personal information. However, the IT Rules state that a body corporate or any person on its behalf holding sensitive personal data or information shall not retain that information for longer than is required for the purposes for which the information may lawfully be used or is otherwise required under any other law for the time being in force.

Data minimisation

There is no statutory definition or guidance with respect to data minimisation.

Proportionality

There is no statutory definition or guidance with respect to proportionality.
Retention

As explained above, neither the IT Rules nor the IT Act provides specific guidance with respect to the time frame for retention of sensitive personal information. However, the Rules do not override provisions of other laws that may specify a period of retention for sensitive data. For example, telecom licences require licensees to maintain, for security reasons and for scrutiny by the Department of Telecommunication, all commercial records related to communications exchanged on the network for at least one year.

Section 67C of the IT Act requires an intermediary to retain such information, and for such period of time, as shall be prescribed by the Central Government. "Intermediary" includes telecom service providers, network service providers, internet service providers, web hosting service providers, search engines, online auction sites, online marketplaces and cyber cafés. The Central Government has yet to frame rules implementing the retention provision, and therefore the nature of data to be retained and the duration of retention are unclear.

The proposed Privacy Bill will clarify the law on retention of personal data, stating as it does in section 13 of Chapter II that personal data shall only be retained for as long as is necessary to achieve the documented purpose, unless:
1. it is required by law to be retained for a longer period;
2. the data subject consents to its retention for a longer period;
3. such retention is required by a contract between the data subject and the data controller; or
4. it is required to be so retained for historical, statistical or research purposes.

The Bill further states that all personal data that need no longer be retained in accordance with the above shall either be destroyed or anonymised. During the process of destruction or anonymisation, the data controller must ensure that unauthorised persons do not gain access to the personal data. The destruction of personal data must be carried out in a manner that ensures that it is impossible to re-identify the personal data once it has been destroyed.
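The retention rule just described (identifiable data is kept only as long as the documented purpose requires, the four exceptions extend that period, and whatever remains is then destroyed or anonymised so that re-identification is impossible) is the one obligation in this chapter that a data controller can enforce mechanically. The sweep below is an added example written for this page; it is not code from the ICLG chapter, from the draft Bill or from any Indian regulator. The record layout, the field names, the retention periods, the sample records and the policy of anonymising (rather than destroying) expired records flagged for research are all assumptions made for illustration. It also places keyed pseudonymisation next to anonymisation to show why the former does not satisfy the Bill's "impossible to re-identify" wording: whoever holds the key can still test a guessed identifier against the stored token.

```python
"""Retention sweep modelled on section 13 of the draft Privacy Bill (2011).

Added example for this page, not code from the ICLG chapter or the Bill.
Record layout, field names, retention periods and sample data are assumed.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional

SWEEP_DATE = date(2016, 9, 1)   # assumed "today" for the demo run


@dataclass(frozen=True)
class Record:
    record_id: str
    purpose: str                  # documented purpose the retention is tied to
    collected_on: date
    retain_for: timedelta         # period needed to achieve that purpose
    name: Optional[str]
    email: Optional[str]
    pan: Optional[str]            # direct identifiers (assumed field set)
    city: str                     # quasi-identifier, kept for statistics
    # The four section 13 exceptions that permit longer retention:
    legal_hold_until: Optional[date] = None   # (1) required by law
    consent_until: Optional[date] = None      # (2) data subject consented
    contract_until: Optional[date] = None     # (3) required by contract
    research_use: bool = False                # (4) historical/statistical/research


def retention_deadline(r: Record) -> date:
    """Latest date on which the identifiable record may still be kept."""
    deadline = r.collected_on + r.retain_for
    for ext in (r.legal_hold_until, r.consent_until, r.contract_until):
        if ext is not None and ext > deadline:
            deadline = ext
    return deadline


def anonymise(r: Record) -> Record:
    """Irreversibly drop direct identifiers and coarsen the collection date.

    No token, key or lookup table is produced, so nothing remains that
    could map the row back to the person.
    """
    return replace(r, name=None, email=None, pan=None,
                   collected_on=date(r.collected_on.year, 1, 1))


def pseudonymise(r: Record, key: bytes) -> Record:
    """Keyed replacement of identifiers, shown for contrast only.

    NOT anonymisation: anyone holding `key` can recompute a token from a
    candidate identifier (see can_reidentify), so the row stays personal data.
    """
    def tok(v: Optional[str]) -> str:
        return hmac.new(key, (v or "").encode(), hashlib.sha256).hexdigest()[:16]
    return replace(r, name=tok(r.name), email=tok(r.email), pan=tok(r.pan))


def can_reidentify(pseudo: Record, candidate_pan: str, key: bytes) -> bool:
    """Key holder (or whoever stole the key) tests a guessed PAN."""
    guess = hmac.new(key, candidate_pan.encode(), hashlib.sha256).hexdigest()[:16]
    return hmac.compare_digest(guess, pseudo.pan or "")


def sweep(records: list[Record], today: date) -> dict[str, list]:
    """Classify each record as kept, anonymised or destroyed.

    Expired records flagged for research are anonymised (assumed policy);
    other expired records are destroyed, and only their IDs are returned so
    identifiable data does not leak into the audit log.
    """
    out: dict[str, list] = {"kept": [], "anonymised": [], "destroyed": []}
    for r in records:
        if today <= retention_deadline(r):
            out["kept"].append(r)
        elif r.research_use:
            out["anonymised"].append(anonymise(r))
        else:
            out["destroyed"].append(r.record_id)
    return out


def sample_records() -> list[Record]:
    """Constructed sample data; every name, address and PAN is fictitious."""
    year = timedelta(days=365)
    return [
        Record("r1", "kyc", date(2016, 6, 1), timedelta(days=180),
               "A. Sharma", "a@example.org", "ABCDE1234F", "Pune"),
        Record("r2", "kyc", date(2015, 1, 10), year,
               "B. Rao", "b@example.org", "FGHIJ5678K", "Chennai"),
        Record("r3", "kyc", date(2014, 3, 1), year,
               "C. Iyer", "c@example.org", "LMNOP9012Q", "Delhi",
               legal_hold_until=date(2019, 3, 31)),
        Record("r4", "survey", date(2013, 5, 15), year,
               "D. Khan", "d@example.org", "RSTUV3456W", "Kochi",
               research_use=True),
    ]


def run_demo() -> dict[str, list]:
    return sweep(sample_records(), SWEEP_DATE)


if __name__ == "__main__":
    for bucket, items in run_demo().items():
        print(bucket, [getattr(i, "record_id", i) for i in items])
```

On the sample data, r1 is still within its 180-day period and r3 is held by law until 2019, so both are kept; r2 has expired with no exception and is destroyed; r4 has expired but is flagged for research, so it survives only with its identifiers removed and its collection date reduced to the year. The pseudonymised variant, by contrast, can be matched back to a known PAN by anyone holding the key, which is why the Bill's rule is met by anonymise() and not by pseudonymise().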
Other key principles - please specify

There are no other key principles in particular.
4 Individual Rights

4.1 What are the key rights that individuals have in relation to the processing of their personal data?

Access to data

Rule 5(6) of the IT Rules mandates that the body corporate or any person on its behalf must permit providers of information or data subjects to review the information they may have provided. However, the Rules do not explain the procedure to be followed by data subjects in exercising the right to access the data they have provided. Nor do they specify whether there is a time limit within which the data processor must comply with a request for access.

This situation will be clarified somewhat by the proposed Privacy Bill, which states that any data subject shall, provided he or she can prove his or her identity, have the right to ask for confirmation from the data controller that it does have complete control over the personal data, request details with respect to who else, including any third parties, has access to the personal data, and require the data controller to provide information about the logic involved in the automated process of decision-making where the personal data in question is being processed automatically for evaluation purposes.

The Bill states that data controllers must provide the required information to the data subject within 45 days of receiving a request for it, provided that the request was accompanied by the prerequisite fee, and that the data controller is obliged to inform the data subject that the latter may legally ask the data controller to make any changes to inaccurate or deficient personal data. Access to personal data may be denied only if the information cannot be given out without also disclosing information about another data subject who could be identified from that information, unless that data subject has consented to such disclosure.
Correction and deletion

Rule 5(6) of the IT Rules states that data subjects must be allowed access to the data provided by them, and that any information found to be inaccurate or deficient shall be corrected or amended as feasible. Although the Rules do not directly address deletion of data, Rule 5(1) states that corporate entities or persons representing them must obtain written consent from data subjects regarding the usage of the sensitive information they provide. Further, data subjects must be provided with the option not to provide the data or information sought to be collected.

The proposed Privacy Bill affirms the above, and further states that unless the data controller can adduce adequate evidence of the complete accuracy and completeness of the data and the fact that it is entirely fitting with respect to the purpose of the data collection in question, or of the lawfulness of its collection, the data subject has the right to request a data controller to destroy any personal data that he or she considers either excessive in relation to the documented purpose of collection, or based on incorrect facts, or processed unlawfully.

Objection to processing

Rule 5 of the IT Rules states that the data subject or provider of information shall have the option to later withdraw consent which may have been given to the corporate entity previously; such withdrawal of consent must be stated in writing to the body corporate. On withdrawal of consent, the body corporate is prohibited from processing the personal information in question.

In the case of the data subject not providing consent, or later withdrawing consent, the body corporate shall have the option not to provide the goods or services for which the information was sought.

Objection to marketing

This is the same as the objection to processing (see above).

Complaint to relevant data protection authority(ies)

Rule 5(9) of the IT Rules mandates that all discrepancies or grievances reported to data controllers must be addressed in a timely manner. Corporate entities must designate Grievance Officers for this purpose, and the names and details of said officers must be published on the website of the body corporate. The Grievance Officer must redress respective grievances within a month from the date of receipt of said grievances.

Other key rights - please specify

Disclosure of data

Data subjects also possess rights with respect to disclosure of the information they provide. Disclosure of sensitive personal information requires the provider's prior permission, unless either:
1. disclosure has already been agreed to in the contract between the data subject and the data controller; or
2. disclosure is necessary for compliance with a legal obligation.

The exceptions to this rule are if an order under law has been made, or if a disclosure must be made to Government agencies mandated under the law to obtain information for the purposes of:
1. verification of identity;
2. prevention, detection and investigation of crime; or
3. prosecution or punishment of offences.

Recipients of this sensitive personal information are prohibited from further disclosing said information.
5 Registration Formalities and Prior Approval

5.1 In what circumstances is registration or notification required to the relevant data protection regulatory authority(ies)? (E.g., general notification requirement, notification required for specific processing activities.)

There are no statutory registration or notification requirements for either data processors or data controllers.

The proposed Privacy Bill provides for the establishment of a Data Protection Authority of India, and in Chapter VII, section 43, stipulates that the Authority shall establish and maintain a National Data Controller Registry, an online database to facilitate the efficient and effective entry of particulars by data controllers. If the Bill is enacted, data controllers shall not be permitted to process any data belonging to any data subject for a given documented purpose unless they first make an entry in the Registry in a format to be pre-ordained by the Central Government.

5.2 On what basis are registrations/notifications made? (E.g., per legal entity, per processing purpose, per data category, per system or database.)

As stated in question 5.1, India has no current legislative requirements with respect to registration or notification. However, the draft of the proposed Privacy Bill suggests that the registration requirements it prescribes, once enforced, will function as per the documented purpose of processing.

5.3 Who must register with/notify the relevant data protection authority(ies)? (E.g., local legal entities, foreign legal entities subject to the relevant data protection legislation, representative or branch offices of foreign legal entities subject to the relevant data protection legislation.)

As stated in questions 5.1 and 5.2 above, legislation currently in force in India contains no information on registration requirements for data processors or controllers. However, the proposed Privacy Bill states that all data controllers who wish to process data for a particular purpose must first register with the National Data Controller Registry with respect to that particular documented purpose.

5.4 What information must be included in the registration/notification? (E.g., details of the notifying entity, affected categories of individuals, affected categories of personal data, processing purposes.)

As stated in questions 5.1, 5.2 and 5.3 above, India currently does not have any legislative requirements with respect to registration or notification procedures for data controllers or processors. However, the proposed Privacy Bill prescribes in Chapter VII, section 43(5) that the National Data Controller Registry shall contain the following details of data controllers in respect of each documented purpose for which the personal data is being processed:
1. name;
2. address of the principal place of business of the data controller;
3. name and address of the nominated representative of the data controller, if one has been so nominated;
4. description of the documented purpose;
5. description of the personal data being processed or to be processed by the data controller;
6. description of the recipients of the personal data or any persons to whom the data controller may disclose the personal data; and
7. description of the countries to which the data controller directly or indirectly transfers or intends to transfer the personal data.
5.5 What are the sanctions for failure to register/notify where required?

Since Indian legislation does not currently specify any particular registration or notification requirements for data processors or controllers, the law is correspondingly silent on the question of sanctions for failure to do the same.

The proposed Privacy Bill includes, within the functions of the Data Protection Authority of India, the function of receiving and investigating alleged violations of data protection, as well as any data security breaches, and issuing appropriate orders as may be required to safeguard the security interests of the data subjects in question.

The proposed Bill does state, in Chapter X, section 60, that the penalty for failure to register will be a fine extending up to INR 500,000.

5.6 What is the fee per registration (if applicable)?

Neither the current nor the proposed legislation prescribes registration fees.

5.7 How frequently must registrations/notifications be renewed (if applicable)?

Neither the current nor the proposed legislation prescribes guidelines with respect to renewals.

5.8 For what types of processing activities is prior approval required from the data protection regulator?

The IT Act and associated amendments and rules do not prescribe prior approval requirements specifically with respect to data protection regulators. However, as stated in question 4.1 above, data controllers must obtain the consent of the data subject regarding the purpose of use before collecting any sensitive personal information. They must not collect any sensitive personal information unless:
1. the information is collected for a lawful purpose and is connected with a function or activity of the data controller; and
2. the collection of the information is considered necessary for that purpose.

The legislation, both current and proposed, does not address requirements for any other approval that data controllers are required to obtain, or what activities warrant said approval.

5.9 Describe the procedure for obtaining prior approval, and the applicable timeframe.

This is not applicable. See the answer to question 5.8 above.

6 Appointment of a Data Protection Officer

6.1 Is the appointment of a Data Protection Officer mandatory or optional?

Neither the IT Act nor the IT Rules mention the appointment or role of a Data Protection Officer.

According to section 46 of the IT Act, an Adjudicating Officer shall be appointed by order of the Central Government for the purpose of discerning whether or not any person has contravened any provision of the IT Act. The Adjudicating Officer has the trappings of a civil court.

In addition, section 48 of the Act provides for the establishment, by notification, of an appellate tribunal known as the Cyber Regulations Appellate Tribunal. The tribunal will have an appellate jurisdiction and is entitled to exercise its jurisdiction both on fact and law over a decision or order passed by the Adjudicating Officer or the Controller of Certifying Authorities.
TheappointmentsofboththeAdjudicatingOfficer,aswellastheCyberRegulationsAppellateTribunal,
areoptionalandentirelyatthediscretionoftheCentralGovernment.TheActdoesnotspecifywhich
circumstancesjustifytheappointmentoftheAdjudicatingOfficerortheAppellateTribunal.Itisalso
unclearwhethersuchappointmentismadesuomotuoronrepresentationbyanotherparty.
6.2 What are the sanctions for failing to appoint a mandatory Data Protection Officer where required?

Neither the IT Act nor the IT Rules address the question of sanctions in the circumstances that an Adjudicating Officer is not appointed.

6.3 What are the advantages of voluntarily appointing a Data Protection Officer (if applicable)?

This is not applicable.

6.4 Please describe any specific qualifications for the Data Protection Officer required by law.

Since the law does not address the appointment of a Data Protection Officer specifically, there are no statutorily prescribed qualifications for this position.

However, under section 46 of the IT Act, the Adjudicating Officer must not be below the rank of a Director to the Government of India, or an equivalent officer of the State Government, and must possess such experience in the field of information technology and legal or judicial experience as may be prescribed by the Central Government. If more than one Adjudicating Officer is appointed, the Central Government will determine the jurisdictional powers of the officers.

Under section 48 of the IT Act, the Central Government has been given a mandate to employ more than one Cyber Regulations Appellate Tribunal, but the language of Rule 13 of the Cyber Regulations Tribunal (Procedure) Rules (2000) makes it clear that there shall be only one tribunal. The tribunal must consist of one person only, referred to in section 49 of the Act as the Presiding Officer of the Cyber Appellate Tribunal. The qualifications of the Presiding Officer must be the following:

1. that he is, or has been, or is qualified to be, a Judge of the High Court; or
2. he is, or has been, a member of the Indian Legal Service and is holding or has held a post in Grade 1 of that service for at least three years.

The Central Government has not so far appointed a Presiding Officer for the Cyber Regulations Appellate Tribunal.
6.5 What are the responsibilities of the Data Protection Officer, as required by law or typical in practice?

Section 46 of the IT Act mandates that an Adjudicating Officer is appointed by the Central Government for the purposes of holding an inquiry in the manner prescribed by the Central Government.

This section further states that the Adjudicating Officer, after giving the person who has committed the alleged contravention a reasonable opportunity for making representation in the matter, and if, on such inquiry, he is satisfied that the person has committed the contravention, may impose such penalty or award such compensation as he thinks fit in accordance with the provisions of that section.

Section 47 of the Act states that the factors to be taken into account by the Adjudicating Officer in determining the quantum of compensation are the following:

(a) the amount of gain of unfair advantage, wherever quantifiable, made as a result of the default; and
(b) the amount of loss caused to any person as a result of the default and the repetitive nature of the default.

The Cyber Regulations Appellate Tribunal, being an appellate body, has the power to examine the correctness, legality or propriety of the decision or order passed by the Controller of Certifying Authorities or the Adjudicating Officer under the IT Act. This power is absolute which, by implication, bars the jurisdiction of civil courts to hear such appeals.

The Act grants an unconditional right of appeal to any aggrieved party to appeal an order made by the Controller or an Adjudicating Officer under this Act. Further, the appeal before the Tribunal shall be filed within a period of 45 days from the date on which a copy of the order made by the Controller or the Adjudicating Officer is received by the person so aggrieved, according to section 57 of the Act.

The judicial function of the Cyber Regulations Appellate Tribunal is to give the parties to the appeal an opportunity to be heard, and to pass such orders thereon as it thinks fit, confirming, modifying or setting aside the order appealed against.

Under section 57, subsection 6 of the Act, the emphasis is on employing all judicial means to dispose of the appeal within six months of the date of receipt of the appeal.

The Act further provides a second forum of appeal in the form of the High Court (the first being the Cyber Regulations Appellate Tribunal) to any person aggrieved by any decision or order of the Cyber Regulations Appellate Tribunal. An appeal is to be filed within 60 days from the date of communication of the decision or order of the Cyber Regulations Appellate Tribunal, on any question of fact or law arising out of said order.

6.6 Must the appointment of a Data Protection Officer be registered/notified to the relevant data protection authority(ies)?

Neither the IT Act nor the IT Rules prescribe notification/registration requirements for the appointment of an Adjudicating Officer.
7 Marketing and Cookies

7.1 Please describe any legislative restrictions on the sending of marketing communications by post, telephone, email, or SMS text message. (E.g., requirement to obtain prior opt-in consent or to provide a simple and free means of opt-out.)

There are no legislative guidelines or statutory regulations governing marketing communications through email or post. However, the Telecom Unsolicited Commercial Communications Regulations (2007) and the Telecom Commercial Communications Customer Preference Regulations (2010), both made under the Telecom Regulatory Authority of India (TRAI) 1997, regulate unsolicited commercial communications through telephone or by text. The Regulations state that telemarketers must register themselves with TRAI before they may send out marketing communication through telephone or text messages.

The Regulations also provide for those who wish not to receive unsolicited commercial communication to opt out of receiving said telephone calls or text messages. This is done simply by registering one's preference with the Customer Preference Registration Facility, which is statutorily required to be set up by the local access provider (defined in the Regulations as including the basic telephone service provider, the cellular mobile telephone service provider and the unified access service provider) or by registering with the National Do Not Call Register.

The proposed Privacy Bill, in Chapter VI, section 30, places restrictions on direct marketing. When the Bill is enacted, no person shall be permitted to hold or process a personal database used for direct marketing services, unless he is registered with the National Data Registry and one of the purposes of registration is in fact direct marketing, he has a record stating the source from which he obtained the personal data, and all the individuals whose data is contained in the database have consented to receive direct marketing communication from the person in question.

7.2 Is the relevant data protection authority(ies) active in enforcement of breaches of marketing restrictions?

As stated above, there are no marketing restrictions on the internet or through mail. However, TRAI actively enforces penalties on telemarketers who are in breach of its regulations in respect of commercial communication through telephone and text messages.
7.3 Are companies required to screen against any "do not contact" list or registry?

The TRAI regulations for telemarketers prescribe that telemarketers must download data from the National Customer Preference Register and that they shall update their national customer preference data with the updated delta data every Tuesday and Friday. In order to ensure use of only updated, synchronised data, the regulations state that the delta data updated and downloaded on Tuesdays will be used from 0000 hrs on Wednesdays to 2359 hrs on Fridays, and the delta data updated and downloaded on Fridays will be used from 0000 hrs on Saturdays to 2359 hrs on Tuesdays.

The regulations further state that the telemarketer, before sending any SMS or making a telemarketing call to a telecom subscriber, shall scrub the telephone number of the subscriber against the updated database, downloaded as described above from the National Customer Preference Register website at www.nccptrai.gov.in.

7.4 What are the maximum penalties for sending marketing communications in breach of applicable restrictions?

Telemarketers may apply to Access Providers for telemarketing resources only after they have registered with TRAI. If telemarketers continue to send unsolicited commercial communication to telephone and mobile numbers whose subscribers have registered themselves with the National Do Not Call Register or have opted out of receiving said communication with the Customer Preference Registration Facility, complaints may be made, toll-free, to the Access Provider, who then serves a notice upon the telemarketer in breach.

Chapter III, Regulation 18 of the Telecom Commercial Communications Customer Preference Regulations (2010) provides for the blacklisting of telemarketers who have received said notice six times or more. No Access Provider is permitted to provide telecom resources to said telemarketer.

7.5 What types of cookies require explicit opt-in consent, as mandated by law or binding guidance issued by the relevant data protection authority(ies)?

Due to the fact that India has no comprehensive data protection regime, issues such as cookie consent have not so far been addressed by Indian legislation. It is planned that the Privacy Bill will introduce data protection legislation more specifically targeted to issues of cybersecurity.

7.6 For what types of cookies is implied consent acceptable, under relevant national legislation or binding guidance issued by the relevant data protection authority(ies)?

Please refer to question 7.4 above.

7.7 To date, has the relevant data protection authority(ies) taken any enforcement action in relation to cookies?

Please refer to question 7.4 above.

7.8 What are the maximum penalties for breaches of applicable cookie restrictions?

Please refer to question 7.4 above.
8 Restrictions on International Data Transfers

8.1 Please describe any restrictions on the transfer of personal data abroad?

Section 7 of the IT Rules states that bodies corporate can transfer sensitive personal data to any other body corporate or person within or outside India, provided that the transferee ensures the same level of data protection which the body corporate has maintained, as required by the IT Rules. A data transfer is only allowed if either:

1. it is required for the performance of a lawful contract between the data controller and the data subjects; or
2. the data subjects have consented to the transfer.

The proposed Privacy Bill, if enacted, will place slightly more stringent restrictions on international transfers of personal data. The Bill states in Chapter III, section 22 that cross-border transfers of personal data by data controllers shall not be permitted unless:

1. the transferee is subject to a law, code of conduct or contract which binds said transferee to principles of data protection substantially similar to those stipulated in the Privacy Bill;
2. the data subject consents to the transfer; or
3. the transfer is necessary in connection with a contract to which both the controller as well as the subject are parties.

8.2 Please describe the mechanisms companies typically utilise to transfer personal data abroad in compliance with applicable transfer restrictions.

In a Press Note released on August 24, 2011, the Ministry of Information Technology clarified that the rules on sensitive data transfer described above are limited in jurisdiction to Indian bodies corporate and legal entities or persons, and do not apply to bodies corporate or legal entities abroad. As such, information technology industries and business process outsourcing companies subscribe to whichever secure methods of data transfer they prefer, provided that the transfer in question does not violate any law either in India or in the country to which the data is being transferred.

8.3 Do transfers of personal data abroad require registration/notification or prior approval from the relevant data protection authority(ies)? Describe which mechanisms require approval or notification, what those steps involve, and how long they take.

Neither the current nor the proposed legislation specifies any requirements for registration or notifications for data transfers abroad. The requirements are limited to the criteria specified in question 8.1 above.
9 Whistleblower Hotlines

9.1 What is the permitted scope of corporate whistleblower hotlines under applicable law or binding guidance issued by the relevant data protection authority(ies)? (E.g., restrictions on the scope of issues that may be reported, the persons who may submit a report, the persons whom a report may concern.)

Neither current nor proposed legislation contains provisions specific to whistleblower hotlines or anonymous reporting.

9.2 Is anonymous reporting strictly prohibited, or strongly discouraged, under applicable law or binding guidance issued by the relevant data protection authority(ies)? If so, how do companies typically address this issue?

Neither current nor proposed legislation contains provisions specific to whistleblower hotlines or anonymous reporting.

9.3 Do corporate whistleblower hotlines require separate registration/notification or prior approval from the relevant data protection authority(ies)? Please explain the process, how long it typically takes, and any available exemptions.

Neither current nor proposed legislation contains provisions specific to whistleblower hotlines or anonymous reporting.

9.4 Do corporate whistleblower hotlines require a separate privacy notice?

Neither current nor proposed legislation contains provisions specific to whistleblower hotlines or anonymous reporting.

9.5 To what extent do works councils/trade unions/employee representatives need to be notified or consulted?

Neither current nor proposed legislation contains provisions specific to whistleblower hotlines or anonymous reporting.
10 CCTV and Employee Monitoring

10.1 Does the use of CCTV require separate registration/notification or prior approval from the relevant data protection authority(ies)?

Current legislation does not touch upon questions relating to CCTV surveillance. However, the proposed Privacy Bill states in Chapter V, section 26 that the installation and operation of CCTV surveillance in public areas shall be in accordance with prescribed procedure for legitimate and proportionate objectives, and will not affect the individual's right to privacy. There are no registration requirements specifically laid out in this proposed legislation, neither does it elaborate on what the prescribed procedure for the installation and operation of CCTV will be.

10.2 What types of employee monitoring are permitted (if any), and in what circumstances?

Neither current nor proposed legislation contains specific provisions relating to CCTV surveillance of employees. However, the proposed Privacy Bill, when in force, will ban covert, intrusive or directed surveillance except in certain specified circumstances, including objectives of national security or public safety. The proposed Bill also states that the provisions it contains relating to the storage, processing, retention, sharing, security and disclosure of personal data apply equally to data collected through surveillance.

10.3 Is consent or notice required? Describe how employers typically obtain consent or provide notice.

Current legislation contains no provisions relating to requirements of consent from employees. However, the proposed Privacy Bill bans covert surveillance, which suggests that consent will have to be obtained from employees once this law comes into force, although the Bill is silent on details relating to what qualifies as consent and how it may be obtained.

10.4 To what extent do works councils/trade unions/employee representatives need to be notified or consulted?

Neither current nor proposed legislation contains provisions on this matter.

10.5 Does employee monitoring require separate registration/notification or prior approval from the relevant data protection authority(ies)?

Neither current nor proposed legislation contains provisions on this matter.
11 Processing Data in the Cloud

11.1 Is it permitted to process personal data in the cloud? If so, what specific due diligence must be performed, under applicable law or binding guidance issued by the relevant data protection authority(ies)?

Neither current nor proposed legislation contains provisions pertaining to cloud-based data processing.

11.2 What specific contractual obligations must be imposed on a processor providing cloud-based services, under applicable law or binding guidance issued by the relevant data protection authority(ies)?

Neither current nor proposed legislation contains provisions pertaining to cloud-based data processing.

12 Big Data and Analytics

12.1 Is the utilisation of big data and analytics permitted? If so, what due diligence is required, under applicable law or binding guidance issued by the relevant data protection authority(ies)?

Big data and analytics are increasingly being recognised as essential for the growth of most industries, with the telecom, retail and e-commerce sectors, and even the Department of National Security, among others, already employing either or both to manage and process large amounts of data and track data in real time. Indian legislation does not currently directly address issues of due diligence or provide guidelines for the usage of big data and analytics. The IT Rules provide reasonable security practices as statutory security procedures for corporate entities that collect, handle and process data to follow, which also apply to the use of big data.
13 Data Security and Data Breach

13.1 What data security standards (e.g., encryption) are required, under applicable law or binding guidance issued by the relevant data protection authority(ies)?

Rule 8 of the IT Rules describes reasonable security practices and procedures as follows:

1) A body corporate, or a person on its behalf, shall be considered to have complied with reasonable security practices and procedures if they have implemented such security practices and standards, have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected and with the nature of the business in question.

2) In the event of an information security breach, the body corporate or a person on its behalf shall be required to demonstrate, as and when called upon to do so by the agency mandated under the law, that they have implemented security control measures as per their documented information security programme and information security policies. The international standard IS/ISO/IEC 27001 on "Information Technology - Security Techniques - Information Security Management System - Requirements" is one such standard.

3) Any industry association or an entity whose members are self-regulating by following codes other than the IS/ISO/IEC codes of best practice for data protection as per (1) above, shall get its codes of best practice duly approved and notified by the Central Government.

4) The body corporate or a person on its behalf, that has implemented either the IS/ISO/IEC 27001 standard or the codes of best practice for data protection as approved and notified under point (3) above, shall be deemed to have complied with reasonable security practices and procedures, provided that such a standard or such codes of best practice are certified or audited on a regular basis by an independent auditor, duly approved by the Central Government. This audit shall be carried out by an auditor at least once a year, or as and when the body corporate undertakes a significant upgrade of its process and computer resources.

In August 2011, the Ministry of Communications and Information issued a Press Note (Clarification on the Privacy Rules) which provides that any Indian outsourcing service provider/organisation providing services relating to collection, storage, dealing or handling of sensitive personal information or personal information under contractual obligations with a legal entity located within or outside India is not subject to the collection and disclosure of information requirements, or the consent requirement, as detailed by the IT Rules, provided it does not have direct contact with the data subjects when providing its services.

The proposed Privacy Bill, which will override the IT Rules if enacted, also contains provisions pertaining to the security of personal data, stating specifically that every data controller must set appropriate technological, organisational and physical standards for the security of data under its control. In Chapter III, section 15 of the proposed Bill, it is also stated that the Data Protection Authority (the establishment of which is provided for in the same Bill) may prescribe regulations or codes of practice, laying down standards for technological, organisational and physical measures for protection of personal data, and that different standards may be prescribed for different classes of organisation.
13.2 Is there a legal requirement to report data breaches to the relevant data protection authority(ies)? If so, describe what details must be reported, to whom, and within what timeframe. If no legal requirement exists, describe under what circumstances the relevant data protection authority(ies) expects voluntary breach reporting.

The current legislation contains no legal requirements to report data security breaches to either authorities or data subjects.

The proposed Privacy Bill, in Chapter III, section 16, prescribes that where a data controller has reasonable grounds to believe that the personal data of any data subject under its control has been accessed or acquired by unauthorised persons, the data controller must, as soon as is reasonably possible after discovering the breach, notify both the data subject and the Data Protection Authority. The notification shall be in writing, and shall be sent either to the last known address of the data subject by registered post requesting due acknowledgment, or published in at least two national newspapers. The notification must contain sufficient information as is necessary to enable the data subject to take steps to mitigate the potential consequences of the data security breach, including, if possible, the identity of the person who may have committed the breach and the date on which it occurred.

13.3 Is there a legal requirement to report data breaches to individuals? If so, describe what details must be reported, to whom, and within what timeframe. If no legal requirement exists, describe under what circumstances the relevant data protection authority(ies) expects voluntary breach reporting.

The current legislation does not contain any such requirement. However, as explained in question 13.2 above, the proposed legislation does. The only exception to the requirement in the proposed Privacy Bill that the data controller notify the data subject in the event of a breach is if the Data Protection Authority believes that such a notification will impede a criminal investigation, or if the identity of the data subject cannot possibly be identified.

13.4 What are the maximum penalties for security breaches?

As previously explained, the legislation currently in force does not deal with data breaches at all, except as indicated in question 13.1 above. The proposed Privacy Bill elaborates on penalties for different types of breaches, including violation of security/secrecy/confidentiality licences, unauthorised interception of communication (and disclosure of said intercepted communication), obtaining personal information on false premises, disclosure, data theft and contravention of the directions of the proposed Data Protection Authority. The penalties imposed are in the form of heavy fines, which vary for each offence but which do not extend beyond INR 1,000,000. The only exception to this is a penalty imposed for contravention of a direction of the Data Protection Authority, which may extend to INR 200,000 and, in the case of a continuing breach, an additional sum which may extend to INR 200,000 for every day that the default continues.
14 Enforcement and Sanctions

14.1 Describe the enforcement powers of the data protection authority(ies):

Indian legislation does not specifically provide for the establishment and function of Data Protection Authorities, although proposed legislation in the form of the Privacy Bill seeks to alter this. Please refer to sections 1 and 6 above for further information on current legislation with respect to Data Protection Authorities.

14.2 Describe the data protection authority's approach to exercising those powers, with examples of recent cases.

Indian legislation does not specifically provide for the establishment and function of Data Protection Authorities, although proposed legislation in the form of the Privacy Bill seeks to alter this. Please refer to sections 1 and 6 above for further information on current legislation with respect to Data Protection Authorities.
15 E-discovery / disclosure to foreign law enforcement agencies

15.1 How do companies within your jurisdiction respond to foreign e-discovery requests, or requests for disclosure from foreign law enforcement agencies?

As long as requests from foreign companies are based on an order from a court of law and if the country in question has a reciprocal arrangement with India, then such a request may be enforced in India, if necessary, through an Indian court. Absent a court order, Indian companies do not have any obligation to respond to foreign e-discovery requests or requests for disclosure.

15.2 What guidance has the data protection authority(ies) issued?

None. Please refer to question 14.1 above.

16 Trends and Developments

16.1 What enforcement trends have emerged during the previous 12 months? Describe any relevant case law.

The issue of data protection has been raised before the Indian High Courts in respect of a few Patent cases, but the Courts have generally taken the view that what is not expressly prohibited is permitted. Once proper legislative enactments come into force to plug the existing loopholes, one may expect a series of judicial pronouncements clarifying and implementing the law. However, the IT Act has come under judicial scrutiny for reasons outside the sphere of Intellectual Property Rights. In Shreya Singhal v UOI, the Supreme Court struck down section 66A of the IT Act, which made it a criminal offence to send electronically any information that is "grossly offensive", "menacing", causes "annoyance", "obstruction", "insult", and "hatred", amongst other things. It neither defined any of these words nor gave any indication of their import. The section had long been criticised by free speech activists; it had often been used, for instance, against users who had taken to Facebook to criticise the current ruling party in Parliament. The Supreme Court struck it down specifically due to its chilling effect on free speech, its vagueness and what the court referred to as "overbreadth". The significance of this move lies mainly in the judicial acknowledgement of the thorough undesirability of extreme censorship.

16.2 What hot topics are currently a focus for the data protection regulator?

Several important amendments to the IT Act are being considered by the Indian Government. The proposed amendments, if they come through, will increase the scope for liability in case of any breach of data protection rules. Additionally, amendments based on the European Union directive are being considered.