Tracking the Data Protection Regime in India

Abhishek Tripathy, a 4th year student at the Institute of Law, Nirma University


The Personal Data Protection Bill, 2019, as introduced in the Lok Sabha, has been referred to a Joint Parliamentary Committee of both Houses, chaired by Smt. Meenakshi Lekhi, for further evaluation. It should be noted that this bill is not the same as the Draft Personal Data Protection Bill, 2018, which was made public by the Srikrishna Committee last year. The bill, which is most likely to be tabled in the winter session, is expected to contain certain changes, especially with regard to the data localisation norms. It will mark the way for a new data protection regime in India.


The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, released on 18th April, 2011 under the power conferred by Section 87(2)(ob) read with Section 43A of the Information Technology Act, are the only existing law on data privacy in India. The SPDI Rules are currently the only law that ensures the safety and security of sensitive personal data or information. The IT Act defines sensitive personal data or information as such personal information as the government prescribes, in due consultation with professionals and experts. Under Section 43A of the Act, a body corporate is accountable for any sensitive personal data or information in its possession, and any wrongful use of that data makes it liable to pay damages to the person aggrieved.

The 2011 Rules, which specifically deal with bodies corporate and persons, set out certain fundamental principles of data privacy. The Rules define personal information as any information that directly or indirectly assists in the identification of an individual. A body corporate that uses any such information must therefore provide a clear and accessible statement of its policies, the type of information collected and the purpose of the collection. The information collected must be necessary and shall not be retained for longer than required. Consent is the cornerstone of privacy laws around the world, and the use, transfer or processing of personal data is impermissible without prior permission. Obtaining consent is a prerequisite for the collection of information, and an option of non-participation must be offered before the information is collected.

The SPDI Rules also give providers of information a right to review their data, with an option to amend or correct any data that is inaccurate. Moreover, the data collected cannot be used in any manner other than for the purpose for which it was collected. Security of the information is the sole responsibility of the body corporate, which acts as the data fiduciary throughout the process. Any grievance must be dealt with by an officer (appointed by the body corporate) within a month of its receipt. Consent can also be withdrawn by the provider by sending notice in writing to the body corporate or person concerned. Disclosure of SPDI to third parties is not prohibited if the third party provides a similar level of data protection and the disclosure is necessary for the performance of a contract between the three parties. A body corporate is deemed to comply with reasonable security practices and procedures if it has implemented security practices and standards such as the IS/ISO/IEC 27001 standard or an approved code of best practices for data protection. In the event of a breach, a body corporate can be required to prove that it followed the requisite practices. The absence of effective enforcement machinery, however, raises concerns about the implementation of the SPDI Rules.

The SPDI Rules recognise financial information, health information, etc., as "sensitive personal data" and thus regulate its collection, use and disclosure. The other primary legal instruments that address data protection in the financial sector are the Credit Information Companies (Regulation) Act, 2005 (CIC Act), the Credit Information Companies Regulations, 2006 (CIC Regulations) and circulars issued by the Reserve Bank of India (RBI). Under the CIC Act, credit information companies (CICs) are identified as collectors of information and must adhere to privacy principles at the stages of collection and use of such credit information. The CIC Act mandates the maintenance of data secrecy along with adherence to a large number of recognised data protection principles. Under RBI regulations, information collected through KYC and the other information gathered in that process must be kept secure and in the utmost confidentiality. Data protection norms for personal information collected under the Aadhaar Act are found in the Aadhaar (Data Security) Regulations, 2016 (Aadhaar Security Regulations). The Aadhaar Security Regulations require UIDAI to have a security policy encapsulating the various measures adopted to keep information secure, such as maintaining confidentiality and controlling access to the data collected.

The Data Protection Bill, 2019

The bill is expected to contain major changes with regard to the data localisation norms. The draft e-commerce policy met with a great deal of backlash, as it advocated that data of all kinds be localised in India. The cost of maintenance, investment and trade were expected to be adversely affected by the government's stance on data localisation. The 2019 bill addresses this concern by differentiating between kinds of data, distinguishing "Sensitive Personal Data" from "Critical Data". Sensitive personal data can be processed outside the country with consent but cannot be stored outside it. Critical Data, which is to be defined by the government (mostly on security and defence matters), must be processed and stored in India, whereas general data can be processed and stored outside India. Entities will be given up to 2 years to change their structures to comply with the provisions of the Act. For the purpose of investigation, certain agencies will be exempted from the bill. The penalty for a gross violation can go up to 15 crore or 4% of global turnover, whichever is higher; minor violations can attract a penalty of up to 5 crore or 2% of global turnover, whichever is higher. The data protection bill will establish a much-needed, rigid and full-fledged data protection framework in India.
