< Back

Share |

Data protection in India

May 2015

By virtue of being one of the world's more popular outsourcing destinations, huge volumes of data are transferred across Indian borders on a daily basis for processing and storage. Despite this, India does not, as yet, have a comprehensive piece of legislation dealing with data privacy or personal data protection. Instead, general obligations for the collection, transfer and use of personal information have been provided for in the Information Technology Act, 2000 (IT Act), a nationally applicable piece of legislation which also regulates several other aspects of information technology including e-commerce and cybercrime.

Section 43-A of the IT Act requires a corporation to compensate an individual for any negligence in failing to implement and maintain reasonable security practices and procedures in relation to his/her sensitive personal data or information (SPDI) which it either controls or processes.  A company cannot limit its liability in relation to its breach of the S43-A requirements which can give rise to a claim for damages from an affected individual who must demonstrate wrongful gain or wrongful loss as a consequence of the company's negligence.

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (Privacy Rules) framed under Section 43-A, describe reasonable security practices and procedures that companies are required to adopt. The Privacy Rules set out obligations in respect of two classes of information: "Personal Information", which includes any information that relates to a natural person, which directly or indirectly, is capable of identifying a person; and a smaller subset of Personal Information known as SPDI, which is information relating to passwords, financial information, health information, sexual orientation, medical records and biometric information. The Privacy Rules set out various obligations in privacy definitionrespect of these classes of data, including mandatory consent and disclosure requirements for data collection, usage, processing, storage and transfer, and requirements for appointment of a grievance officer. In relation to security practices and procedures, the Privacy Rules require every company to have in place such information security practices, standards, programmes and policies which are commensurate with the information assets being protected. For this purpose, the Privacy Rules have stipulated, as a benchmark, the International Standard IS/ISO/IEC 27001 on "Information Technology -Security Techniques - Information Security Management System – Requirements".

In addition to the civil liabilities prescribed under Section 43-A, the IT Act also provides for criminal sanctions of up to three years in prison and/or a fine of up to INR 500,000 in respect of intentional or negligent disclosure of an individual's personal information, obtained under a contract, where such disclosure is made without the consent of the concerned individual or in breach of the concerned contract.

These obligations and penalties assume greater significance when read with Section 75 of the IT Act, which gives India jurisdiction in relation to offences or contraventions under the IT Act committed outside India by any person, provided the act constituting the offence or contravention involves a computer or computer network located in India. Therefore, any collection, processing, storage, use or transfer of Personal Information or SPDI which takes place through a computer or computer network located in India would have to comply with the the IT Act and Privacy Rules. As such, the penalties and liability prescribed under Section 43A and 72A of the IT Act, have also been given extra-territorial applicability and would apply to contraventions committed by non-Indian companies, irrespective of the nationality of the data subject whose information is collected, processed or transferred. While the practical enforcement of penalties against a company is unlikely where such company has no presence in India, authorities may resort to other means, including blocking access to servers or networks located in India in the event of repeated and significant contraventions or failures by a company to comply with obligations under the Privacy Rules.

person typing on keyboardIn addition, the Department of Electronics and Information Technology (DeitY), the arm of the government empowered to administer the IT Act, periodically publishes rules to supplement its provisions for the regulation of data privacy and personal data protection. In this regard, the DeitY notified and brought into force the Information Technology (the Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (Cert-In Rules). The Cert-In Rules define "Cyber Security Incidents" as "any real or suspected adverse events, in relation to cyber security, that violate any explicitly or implicitly applicable security policy, resulting in:

  • unauthorised access, denial or disruption of service;
  • unauthorised use of a computer resource for processing or storage of information; or
  • changes to data or information without authorisation."

The Cert-In Rules impose mandatory notification requirements on service providers, intermediaries, data centres and corporate entities in the event of certain types of cyber security incidents, including the unauthorised access of IT systems / data.

Upon the occurrence of any of these events, companies are now required to notify the Computer Emergency Response Team (CERT-In), a government body established to collect, analyse and disseminate information on cyber incidents, provide forecasts and alerts about cyber security incidents, provide emergency measures for handling cyber security incidents and coordinate cyber incident response activities. Such notifications are required to be made within a reasonable time, so as to leave scope for appropriate action by the authorities. The format and procedures for reporting cyber security incidents are set out by Cert-In on its official website.

exclamation markWhile the Cert-In Rules have introduced another fundamental element into India's data protection regime by imposing breach notification obligations on data controllers and processors, the implementation of these requirements are likely to prove challenging. Further, the use of generic language in the Cert-In Rules is likely to create ambiguity as to the circumstances or events which trigger notification obligations.

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.

phone data diagnostic
Probir Roy Chowdhury

Probir Roy

Soumya Patnaik



Probir and Soumya (of J. Sagar Associates) look at the patchwork of key laws in India covering data protection and cyber security.

"India does not, as yet, have a comprehensive piece of legislation dealing with data privacy or data protection."