
Global Data Privacy Guide

India

(Asia Pacific) Firm Shardul Amarchand Mangaldas & Co

Contributors Shahana Chatterji

Updated 08 Sep 2025

1. What is the key legislation?

The Digital Personal Data Protection Act, 2023 (“DPDP Act”) seeks to establish a new legal framework governing the collection and processing of digital personal data (“PD”). It is set to replace the existing data protection regime in India, i.e., Section 43A of the Information Technology Act, 2000 (“IT Act”), read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“Privacy Rules”). While the DPDP Act has been enacted by the Indian Parliament, it is yet to be enforced. It will become operational once its provisions are notified by the Central Government of India, and different provisions of the statute may be notified on different dates. Further, the provisions of the DPDP Act will be supplemented by subordinate legislation thereunder. Until the DPDP Act is notified, the Privacy Rules remain the prevailing data protection law in India.

DPDP Act Note:

  • The DPDP Act applies to the processing of PD where such processing is carried out within the territory of India, regardless of whose PD is being processed or where the individual to whom the PD relates (and where such individual is a child or a person with disability, their parents or lawful guardian acting on their behalf) (“Data Principals”) is located. The DPDP Act also has extra-territorial applicability and applies to the processing activities carried out outside the territory of India if such processing is in connection with offering goods or services to Data Principals “within” the territory of India. 
  • A ‘data fiduciary’ (“DF”) is an entity that determines the means and purpose of processing PD, similar to a ‘data controller’ under the General Data Protection Regulation (“GDPR”). Further, a ‘data processor’ (“Processor”) is any person who processes PD on behalf of a DF. The DPDP Act places various ongoing obligations for data protection on DFs. Please note that the substantive obligations under the DPDP Act are not directly placed on a Processor. The DF remains responsible for ensuring that the Processors engaged by them comply with the provisions of the statute.

Privacy Rules Note:

  • The IT Act extends to the whole of India. It is also applicable to any offense or contravention committed outside India by any person, irrespective of their nationality, if the act or conduct constituting the offense or contravention involves a computer, computer system or computer network located in India. 
  • The Privacy Rules contain detailed provisions relating to the protection of personal information. This includes the requirement that bodies corporate collecting or processing personal information under the Privacy Rules implement reasonable security practices and procedures for protecting the personal information in their possession. This includes:
    1. Having in place comprehensive documented information security programmes and policies that are commensurate with the information assets being protected;
    2. Implementing either the IS/ISO/IEC 27001 security standard or the codes of practice of an industry association which has been approved and notified by the Central Government; and
    3. Ensuring that such standards or codes are certified/audited on a regular basis through independent auditors approved by the Central Government.
  • Additionally, the consent-related obligations that bodies corporate must undertake at the time of collecting or processing sensitive personal data or information (“SPDI”) (if any) under the Privacy Rules are as follows:
    1. Prior written consent: Prior to the collection of SPDI, obtain written consent from the SPDI provider regarding the purpose of usage of such SPDI.
    2. Disclosure: Take prior permission from the SPDI provider for the disclosure of SPDI to any third party unless: (a) such disclosure has been agreed to in the contract between the body corporate and the SPDI provider, or (b) the disclosure is necessary for compliance with a legal obligation. Further, the body corporate must not publish the SPDI and the third party receiving the SPDI must not disclose it further. 
    3. Transfer: Transfer SPDI to a body corporate / person in India or located in another country subject to the following conditions: (a) the receiving person must ensure the same level of data protection that is adhered to by the body corporate itself under the Privacy Rules, and (b) the transfer can take place only if it is either necessary for the performance of a lawful contract between the body corporate and the SPDI provider or if the SPDI provider has consented to the same.
    4. Option to withdraw consent: Provide an option to the SPDI provider to withdraw consent given earlier to the body corporate with respect to their SPDI. The SPDI provider should be able to exercise this option at any time while availing the service. 

General Note:

  • Various other Indian statutes, such as (i) the Indian Contract Act, 1872; (ii) the Bharatiya Nyaya Sanhita, 2023; (iii) the Specific Relief Act, 1963; and (iv) the Copyright Act, 1957, also contain provisions that directly or indirectly protect against breaches of confidentiality and unauthorized disclosure of personal information / PD.

2. What are the key decisions applying that legislation?
  • The right to privacy has been recognized by numerous decisions of the Supreme Court of India as well as various High Courts. On August 24, 2017, a nine-judge bench of the Supreme Court of India examined these cases and reaffirmed that “right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution”. The Supreme Court laid down that any invasion of the fundamental right to privacy must meet the threefold requirement of:
    • legality, which postulates the existence of law;
    • need, defined in terms of a legitimate State aim; and
    • proportionality, which ensures a rational nexus between the objects and the means adopted to achieve them.
  • A five-judge bench of the Supreme Court also reiterated this test. 
  • Therefore, the principles laid down in such tests need to be taken into consideration when interpreting any Indian laws involving privacy, including the DPDP Act and Privacy Rules.

1. How are “personal data” and “sensitive data” defined?

DPDP Act

  • The DPDP Act regulates the processing of PD, which is defined to include “any data about an individual who is identifiable by or in relation to, such data”, which is in digital form or is subsequently digitized. However, the DPDP Act does not apply to PD made or caused to be made publicly available by the Data Principal, or by any other person under a legal obligation. As such, the DPDP Act does not presently envisage more “sensitive” categories of PD, although stricter restrictions have been set out with respect to the processing of children’s PD.

Privacy Rules

  • The Privacy Rules, which are presently in force, provide for the protection of “personal information” and SPDI.
  • “Personal information” is defined as: “any information that relates to a natural person which, either directly or indirectly, in combination with other information available or likely to be available to a body corporate, is capable of identifying that person.” It is to be noted that this definition specifically applies to natural persons and not corporate entities or other legal persons. 
  • “SPDI” is defined as: “personal information that consists of information relating to passwords; financial information such as Bank account or credit card or debit card or other payment instrument details; physical, physiological and mental health condition; sexual orientation; medical history and records; biometric information; any detail relating to the above clauses as provided to body corporate for providing service; and any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.”

Privacy Rules Note: Any information that is freely available or accessible in the public domain or furnished under the Right to Information Act, 2005, shall not be regarded as SPDI.

2. How is the defined data protected?

DPDP Act

  • The DPDP Act contains detailed provisions relating to the protection of PD. Please find below a list of data protection obligations applicable to DFs:
    1. Processing for lawful purpose: The DF has to ensure that it processes PD only for a lawful purpose and limits such processing to the specified purpose for which it was collected.
    2. Determining the grounds for processing PD: Under the DPDP Act, consent of the Data Principal is the primary ground for processing PD. However, an entity may be able to process PD without consent for certain purposes specified as “legitimate uses” under Section 7 of the DPDP Act. For example, processing PD for “employment purposes” is a legitimate use. Accordingly, the DF will need to identify the purposes for any processing of PD to determine whether it needs to seek the concerned Data Principals’ consent.
    3. Seeking valid consent: To the extent that the DF processes PD on the grounds of a Data Principal’s consent, the DF would need to ensure that such consent must be freely given, specific, informed, unambiguous and provided through a clear affirmative action.  
    4. Providing notice: Where consent forms the basis of processing PD – on or before requesting the Data Principals for their consent to process their PD, DF must provide a notice to the Data Principals in clear and plain language containing information on: (a) the PD sought to be collected; (b) the purpose of processing such PD; (c) the manner in which the Data Principals may exercise their right to withdraw consent and seek grievance redressal; and (d) the manner of making a complaint to the Data Protection Board of India (“Board”) in such manner and form as prescribed by the Central Government. 
    5. Providing legacy notice: If any Data Principal has given their consent to the processing of their PD before the commencement of the DPDP Act, then the DF must, as soon as reasonably practicable: (a) give such Data Principal a fresh notice (informing them of the same contents as in the case of a fresh notice); and (b) provide them with the right to withdraw their consent to the continued processing of their PD. 
    6. Providing notice in different languages: The DF must provide Data Principals with access to the consent notice in English or any of the 22 languages specified in the 8th Schedule to the Indian Constitution, upon the Data Principals’ request. 
    7. Enabling withdrawal of consent: The DF must ensure that a Data Principal can withdraw their consent at any time and by means that are as easy as those for providing consent. Upon withdrawal of consent by any Data Principal, the DF must – within a reasonable time – cease and cause its Processors to cease processing of the Data Principal’s PD (unless retention of PD is required under any applicable law). 
    8. Effecting rights of Data Principals: The DF must institute mechanisms to give effect to the statutory rights of Data Principals under the DPDP Act, i.e., the right to: (a) access information about the processing of their PD ; (b) correct/complete / update / erase PD ; (c) nominate another person to exercise their rights upon their death/incapacity; and (d) grievance redressal. 
    9. Ensuring accuracy and completeness of PD: The DF must undertake reasonable efforts to ensure that PD processed by or on behalf of the DF is accurate, consistent and complete if the PD may be used to make a decision about Data Principals or disclosed to another DF. 
    10. Implementing technical and organizational measures: The DF must implement appropriate technical and organizational measures to ensure adherence to the provisions of the DPDP Act. 
    11. Implementing reasonable security safeguards: The DF must implement ‘reasonable security safeguards’ to protect the PD in its possession/control and to prevent PD breaches. 
    12. Reporting PD breaches: In the event that there is a PD breach, the DF will need to notify: (a) the Board; and (b) each affected Data Principal, of such breach, in the form and manner that may be prescribed through subordinate legislation. 
    13. Instituting grievance redressal mechanisms: The DF must establish an effective mechanism to redress the grievances of Data Principals. It will need to: (a) appoint a person/data protection officer to answer – on behalf of the DF – the Data Principal’s questions about the processing of their PD; and (b) publish such persons’/ data protection officer’s business contact information. 
    14. Implementing mechanisms for retention and erasure of PD: The DF must cease to retain any PD and erase such PD as soon as it is reasonable to assume that – (a) the Data Principal has withdrawn their consent for processing; or (b) the purpose for which the PD was collected is no longer being served, whichever is earlier; unless retention is necessary for legal purposes. 
    15. Undertaking cross-border transfers of PD: The DF cannot transfer any PD to any jurisdiction to which such outward transfers may be prohibited by the Central Government or otherwise restricted under any sectoral laws. That said, please note that presently, there are no such ‘blacklisted’ jurisdictions notified under the DPDP Act. 
    16. Entering into valid data processing contracts: The DF may engage, appoint, use, or otherwise involve a Processor to process PD on its behalf only under a valid contract. 
    17. Processing children’s PD: To the extent that the DF processes any children’s PD, or the PD of a person with disability, it will need to: (a) obtain verifiable consent of the parent or legal guardian for processing such PD, in such manner as may be prescribed by subsequent rules under the DPDP Act; and (b) adhere to prohibitions on behavioural monitoring, tracking and targeted advertising for children. 
    18. Significant DF (“SDF”): Incremental obligations may also be imposed on entities that are designated as “significant data fiduciaries” by the Central Government, based on an assessment of factors such as the volume of PD processed, the risks to Data Principals, etc. These are requirements for: (i) appointing a data protection officer based in India and a data auditor; (ii) undertaking periodic data impact assessments and audits; and (iii) undertaking any other measures that may be prescribed.  

Privacy Rules

  • The Privacy Rules contain detailed provisions relating to the protection of personal information. Please find below a list of data protection obligations to be undertaken by bodies corporate collecting or processing personal information under the Privacy Rules:
    • Privacy policy: Provide a clear and easily accessible privacy policy setting out prescribed contents such as the type of personal information (including SPDI) collected by the body corporate, the purpose of such collection and usage, practices regarding the disclosure of SPDI, and reasonable security practices and procedures. The body corporate must publish the privacy policy on its website / mobile application and must ensure that it can be viewed by the individuals who provide the personal information.
    • Purpose limitation: Use the personal information for the purpose for which it has been collected. 
    • Right to review/correct/amend personal information: Permit personal information providers (as and when requested by them) to review the personal information provided and ensure that any personal information found to be inaccurate or deficient is corrected or amended as feasible. 
    • Option not to provide personal information: Provide an option to the personal information provider – prior to the collection of personal information – to not provide the personal information sought to be collected. 
    • Reasonable security practices and procedures: Implement reasonable security practices and procedures for protecting the personal information in its possession.  This includes:
      • Having in place comprehensive documented information security programmes and policies that are commensurate with the information assets being protected;
      • Implementing either the IS/ISO/IEC 27001 security standard or the codes of practice of an industry association which has been approved and notified by the Central Government; and
      • Ensuring that such standards or codes are certified/audited on a regular basis through independent auditors approved by the Central Government.
    • Grievance officer: Designate a grievance officer and publish their name and contact details on its website. Such officer must redress the grievances of the personal information provider within 1 month from the date of receipt.

The additional compliances that must be undertaken by bodies corporate at the time of collecting or processing SPDI (if any) under the Privacy Rules are as follows:

    1. Prior written consent: Prior to the collection of SPDI, obtain written consent from the SPDI provider regarding the purpose of usage of such SPDI.
    2. Lawful and necessary purpose: Collect SPDI only if it is for a lawful purpose which is connected with a function/activity of the body corporate and the collection of SPDI is considered necessary for that purpose. 
    3. Retention limitation: Not retain SPDI for longer than required for lawful purposes or for longer than required under applicable law in India. 
    4. Disclosure: Take prior permission from the SPDI provider for the disclosure of SPDI to any third party unless: (a) such disclosure has been agreed to in the contract between the body corporate and the SPDI provider, or (b) the disclosure is necessary for compliance with a legal obligation. Further, the body corporate must not publish the SPDI and the third party receiving the SPDI must not disclose it further. 
    5. Transfer: Transfer SPDI to a body corporate / person in India or located in another country subject to the following conditions: (a) the receiving person must ensure the same level of data protection that is adhered to by the body corporate itself under the SPDI Rules, and (b) the transfer can take place only if it is either necessary for the performance of a lawful contract between the body corporate and the SPDI provider or if the SPDI provider has consented to the same. 
    6. Option to withdraw consent: Provide an option to the SPDI provider to withdraw consent given earlier to the body corporate with respect to their SPDI. The SPDI provider should be able to exercise this option at any time while availing the service. 

DPDP Act Note: Section 17 of the DPDP Act provides exemptions to certain entities from compliance with several substantial provisions of the DPDP Act. For example, processing PD for: (i) the enforcement of legal rights; (ii) for merger, amalgamation, scheme, compromise arrangement, or reconstruction of a company; or (iii) for research, archiving or statistical purposes not used to take decisions specific to the Data Principal, subject to standards that may be specified, etc. As such, the DF will need to identify the purposes for processing PD to determine whether it may avail of any exemptions for such processing activities.

3. Who is subject to privacy obligations?

DPDP Act

  • As explained above, the DPDP Act applies to any entity processing PD where such processing is carried out: (i) within the territory of India; or (ii) outside the territory of India if such processing is in connection with offering goods or services to Data Principals “within” the territory of India. That said, please note that the DPDP Act does not apply to PD: (i) processed by an individual for any personal or domestic purpose; or (ii) made or caused to be made publicly available by the Data Principal, or by any other person under a legal obligation.
  • Notably, Section 17 of the DPDP Act provides exemptions to certain entities from compliance with several substantial provisions of the DPDP Act. For example, processing PD for: (i) the enforcement of legal rights; (ii) for merger, amalgamation, scheme, compromise arrangement, or reconstruction of a company; or (iii) for research, archiving or statistical purposes not used to take decisions specific to the Data Principal, subject to standards that may be specified, etc. As such, the DF will need to identify the purposes for processing PD to determine whether it may avail of any exemptions for such processing activities.

Privacy Rules

  • The Privacy Rules only apply to bodies corporate or persons located in India as per the August 24, 2011, press note (“Press Note”) issued by the Ministry of Communications and Information Technology. Please note that while there is widespread industry practice of relying on this Press Note (such as in the business process outsourcing industry), its legal weight remains untested before Indian judicial and regulatory authorities.

Privacy Rules Note:

  • Bodies corporate and persons located in India are subject to privacy obligations under the Privacy Rules. A body corporate means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities.
  • The Press Note clarifies that the body corporate which provides services relating to the collection, storage, dealing, or handling of SPDI under a contractual obligation with any legal entity located within or outside India is not subject to the requirement of Rules 5 & 6 of the Privacy Rules.

4. How is “data processing” defined?

DPDP Act

  • Under the DPDP Act, “processing” in relation to PD “means a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction”. 

Privacy Rules

  • While the Privacy Rules do not set out a definition for “processing” personal information or SPDI per se, the Privacy Rules apply to processing activities with respect to personal information, including the collection, receipt, possession, storage, dealing, and handling.

5. What are the principles applicable to personal data processing?

DPDP Act

  • As explained above in the response concerning “How is the defined data protected?”, among other requirements under the DPDP Act, DFs processing PD must: 
    1. process PD only for lawful purposes and limit such processing to the purpose for which PD was collected;  
    2. ensure that any consent from a Data Principal must be freely given, specific, informed, unambiguous and provided through a clear affirmative action, to the extent that the DF processes their PD on the grounds of consent;  
    3. undertake reasonable efforts to ensure that PD processed by or on behalf of the DF is accurate, consistent, and complete if the PD may be used to make a decision about Data Principals or disclosed to another DF; and
    4. cease to retain any PD and erase such PD as soon as it is reasonable to assume that – (a) the Data Principal has withdrawn their consent for processing or (b) the purpose for which the PD was collected is no longer being served, whichever is earlier; unless retention is necessary for legal purposes. 

Privacy Rules

  • As explained above, among other requirements under the Privacy Rules, the body corporate that seeks to use personal information must:
    1. limit its use of personal information to the purpose for which it was collected;  
    2. collect any SPDI only for lawful purposes and if it is considered to be necessary for such purpose;  and 
    3. not retain SPDI for longer than the purpose for which it was collected, subject to legal requirements.

6. How is the processing of personal data regulated?

DPDP Act:

  • Any DF processing PD under the DPDP Act must do so in accordance with the obligations set out in the statute, as explained above in the response concerning “How is the defined data protected?”. For instance, subject to specific exceptions, a DF may only process PD for the lawful purpose for which it was collected. Further, DFs must adhere to prohibitions on behavioural monitoring, tracking and targeted advertising for children. 

Privacy Rules:

  • Similarly, any entity processing PD under the Privacy Rules must do so in accordance with the obligations set out in the rules as explained above. For instance, subject to specific exceptions, a body corporate may only use or disclose personal information/SPDI for the purpose for which it was collected.

Privacy Rules Note:

  • The Privacy Rules disallow the disclosure of any SPDI collected to a third party without the prior permission of the SPDI provider, except when the disclosure is: 
    1. made pursuant to a contract between the body corporate and the provider of the information;
    2. necessary for compliance with a legal obligation; or
    3. to Government agencies mandated under law to obtain information for the purposes of verification of identity, prevention, detection, investigation of cyber incidents, prosecution, and punishment of offenses.
  • A third party that receives any SPDI through the above-explained mechanism is disallowed from disclosing it further.

7. How are storage, security and retention of personal data regulated?

DPDP Act

  • With respect to storage and retention requirements under the DPDP Act, a DF must cease to retain any PD and erase such PD as soon as it is reasonable to assume that – (i) the Data Principal has withdrawn their consent for processing or (ii) the purpose for which the PD was collected is no longer being served, whichever is earlier; unless retention is necessary for legal purposes.  
  • Furthermore, with respect to security requirements under the DPDP Act, DFs must implement: (i) appropriate technical and organizational measures to ensure adherence with the provisions of the DPDP Act;  and (ii) ‘reasonable security safeguards’ to protect the PD in its possession/control and to prevent PD breaches. 

Privacy Rules

  • With respect to storage and retention requirements under the Privacy Rules, bodies corporate holding SPDI must not retain such information for longer than is required for the lawful purposes for which such information may be used.
  • Further, with respect to security requirements under the Privacy Rules, the body corporate is required to comply with reasonable security practices and procedures.  A body corporate is deemed to be compliant with reasonable security practices and procedures if:
    1. It has in place comprehensive documented information security programmes and policies that are commensurate with the information assets being protected;
    2. Implements either the IS/ISO/IEC 27001 security standard or the codes of practice of an industry association which has been approved and notified by the Central Government; and
    3. Ensures that such standards or codes are certified/audited on a regular basis through independent auditors approved by the Central Government.

Privacy Rules Note:

  • The entity that seeks to use SPDI cannot store it for longer than is required for any lawful use, or as otherwise required under any other law.  The IT Act also prescribes the manner in which documents or records are to be retained in electronic form if the same is required by any other applicable law. It requires that: 
    1. The information retained should be accessible for any subsequent reference;
    2. The record should be retained in the format in which it was originally generated, sent or received or in a format which can be demonstrated to represent accurately, the information originally generated, sent or received; and
    3. The information regarding the origin, destination, date and time of dispatch or receipt of the electronic record is available in the electronic record.

8. What are the data subjects' rights under the data legislation?

DPDP Act

  • Under the DPDP Act, Data Principals (which is a construct similar to data subjects in the GDPR) have the right to: 
    1. access information about the processing of their PD;  
    2. correct / complete / update / erase PD;  
    3. nominate another person to exercise their rights upon their death/incapacity;
    4. grievance redressal; and
    5. withdraw their consent given earlier to the DF with respect to having their PD processed.

Privacy Rules

  • As per the Privacy Rules, providers of personal information, including SPDI, must have:
    1. the right to review the personal information provided to the body corporate and to ask for inaccurate or deficient information to be corrected, as feasible;  
    2. the option not to provide personal information; and
    3. the option to withdraw consent given earlier to the body corporate with respect to their SPDI. 

DPDP Act Note:

  • Where a DF has processed a Data Principal’s PD on the grounds of a legitimate use provided under Section 7 of the DPDP Act, such Data Principals would not be entitled to rights to: (i) access information about the processing of their PD; (ii) correct/complete/update/erase PD; or (iii) withdraw consent. 

General Note: 
In each of the cases mentioned above, unless otherwise mentioned, DFs under the DPDP Act and bodies corporate under the Privacy Rules must effect the rights of Data Principals and personal information providers, respectively.

9. What are the consent requirements for data subjects?

DPDP Act

  • As per the DPDP Act, consent of the Data Principal is the primary ground for processing PD. However, as explained above in the response concerning “How is the defined data protected?”, an entity may be able to process PD without consent for certain purposes specified as “legitimate uses” under Section 7 of the DPDP Act. To the extent that a DF processes a Data Principal’s PD on the grounds of their consent, such consent must be freely given, specific, informed, unambiguous and provided through a clear affirmative action.
  • Furthermore, the request for such consent must be accompanied by or preceded by an itemized notice as explained above, informing the Data Principal of various aspects, inter alia, the types of PD processed, the purpose of such processing, and the manner in which certain rights may be exercised.  Additionally, such consent must be capable of being withdrawn by means that are as easy as those for providing consent. 

Privacy Rules

  • As per the Privacy Rules, any body corporate collecting SPDI is required to obtain the written consent of the provider of such SPDI with respect to the purpose of its usage. Additionally, such consent must be capable of being withdrawn at any time while availing the service.

10. How is authorization for use of data handled?

DPDP Act

  • As explained above in our response concerning “How is the defined data protected?”, under the DPDP Act, to the extent that a DF processes PD of a Data Principal on the grounds of their consent, they must restrict the scope of their processing to the purposes specified therein.  
  • Additionally, such Data Principal may withdraw such consent following which the DF must – within a reasonable time – cease and cause its Processors to cease processing of the Data Principal’s PD (unless its retention is required under any applicable law). 

Privacy Rules

  • Similarly, as explained above, a body corporate may collect the SPDI of any person only after seeking their prior written consent with respect to the purpose of its usage.  
  • Further, such body corporate may disclose such persons’ SPDI to third parties only after taking their prior permission unless: (i) such disclosure has been agreed to in the contract between the body corporate and the concerned person, or (ii) the disclosure is necessary for compliance with a legal obligation.  
  • Additionally, any transfer of such persons’ SPDI by such body corporate to third parties can take place only if such person has consented to the same, unless it is necessary for the performance of a lawful contract between the body corporate and the person. 
  • Furthermore, such personal information provider must have the option to withdraw their consent at any time while availing the concerned service. 
11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers?

DPDP Act

  • Under the DPDP Act, PD cannot be transferred by DFs to any jurisdictions to which such outward transfers may be prohibited by the Central Government or otherwise restricted under any sectoral laws. However, there are no such ‘blacklisted’ jurisdictions notified under the DPDP Act as of date. 

Privacy Rules

  • Under the Privacy Rules, transfer of SPDI to other jurisdictions is permitted for the performance of a lawful contract between the body corporate (or any person on its behalf) and the provider of information, or in cases where the SPDI provider has consented to the transfer. As such, there are no restrictions with respect to cross-border transfers of personal information (unless it qualifies as SPDI).

DPDP Act Note: 

Entities wishing to undertake cross-border data transfers are advised to review and map the jurisdictions to which they may be transferring such PD, so that if the Central Government notifies the list of blacklisted countries, appropriate measures can be taken.

Privacy Rules Note:

  • At present, there are no specific restrictions or requirements under Indian law for cross-border transfers of personal information/SPDI. Similarly, onward transfers of the data will continue to be governed by the contractual provisions between the parties. Unless the contract otherwise specifies, the transfer of SPDI including any information is subject only to two restrictions  -
    1. The entity receiving the SPDI must ensure the same level of data protection, as provided under the Privacy Rules.
    2. The transfer should be necessary for the performance of a lawful contract between the body corporate and the provider of SPDI or the provider should have consented to such transfer.
12. How are data "incidents" and "breaches" defined?

CERT-In Framework

  • The Central Government has been empowered by Section 70B of the IT Act to appoint an agency called the Indian Computer Emergency Response Team (“CERT-In”).
  • The Information Technology (the Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (“CERT-In Rules”) define ‘cybersecurity incidents’ as “any real or suspected adverse event in relation to cybersecurity that violates an explicitly or implicitly applicable security policy resulting in unauthorized access, denial of service or disruption, unauthorised use of a computer resource for processing or storage of information or changes to data, information without authorization”. On April 28, 2022, CERT-In issued directions (“Directions”) supplementing the existing CERT-In Rules, which came into force on June 28, 2022.
  • CERT-In provides forecasts and alerts of cybersecurity incidents, provides emergency measures for handling such incidents, coordinates cyber incident response activities, and collects, analyzes and disseminates information on cyber incidents.
  • The occurrence of the following types of cybersecurity incidents (“Trigger Incidents”) will trigger the incident-reporting requirements under the CERT-In Rules read with the Directions:
    1. targeted scanning/probing of critical networks/systems;
    2. compromise of any critical information/systems;
    3. unauthorized access to IT systems/data;
    4. defacement of websites or intrusion into websites & unauthorized changes such as inserting malicious code or links to external websites;
    5. malicious code attacks such as spreading viruses, worms/trojans/botnets/spyware;
    6. attacks on servers such as databases, mail and DNS & network devices such as routers;
    7. identity theft, spoofing and phishing attacks;
    8. denial of service (DoS) & distributed denial of service (DDoS) attacks;
    9. attacks on critical infrastructure, SCADA systems and wireless networks;
    10. attacks on applications such as e-governance and e-commerce etc.;
    11. data breach; 
    12. data leak; 
    13. attacks on Internet of Things (IoT) devices and associated systems, networks, software, servers; 
    14. attacks or incidents affecting digital payment systems; 
    15. attacks through malicious mobile apps; 
    16. fake mobile apps; 
    17. unauthorized access to social media accounts; 
    18. attacks or malicious/ suspicious activities affecting cloud computing systems/servers/software/applications; 
    19. attacks or malicious/suspicious activities affecting systems/ servers/ networks/ software/ applications related to big data, blockchain, virtual assets, virtual asset exchanges, custodian wallets, robotics, 3D and 4D printing, additive manufacturing, drones; 
    20. attacks or malicious/ suspicious activities affecting systems/ servers/software/ applications related to artificial intelligence and machine learning.
  • The FAQs clarify that the entities may provide information to the extent available at the time of reporting. Additional information may be reported later within a reasonable time to CERT-In. As per the FAQs, any incident as stated in Annexure-I of the Directions and meeting the following criteria should be reported within the stipulated 6-hour time period:
    1. cyber incidents and cyber security incidents of severe nature (such as denial of service, distributed denial of service, intrusion, the spread of computer contaminants including ransomware) on any part of the public information infrastructure including backbone network infrastructure;
    2. data breaches or data leaks;
    3. large-scale or most frequent incidents such as intrusion into computer resources, websites, etc.;
    4. cyber incidents impacting the safety of human beings.

However, given that the legal weight of the FAQs is uncertain, it is recommended that all such incidents identified in Annexure-I to the CERT-In Directions be reported to CERT-In within the stipulated time period of 6 hours. The FAQs additionally clarify that it is imperative for intermediaries to report incidents that do not fall within the 20 types identified in Annexure-I, depending on the nature, severity, and impact of the incident.

DPDP Act

  • Further, as per the DPDP Act, a “personal data breach” (PD breach) means any unauthorised processing of PD or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to PD, that compromises the confidentiality, integrity or availability of PD. 
13. Are there any notification requirements for incidents and/or data breaches?

CERT-In Framework

•    Service providers, intermediaries, data centers, body corporates and government entities are required to mandatorily notify the occurrence of certain ‘cybersecurity incidents’ (namely, the Trigger Incidents), under the CERT-In Rules and Directions to CERT-In within 6 hours of noticing such incidents or being brought to notice about such incidents.

DPDP Act

•    Under the DPDP Act, in the event that there is a PD breach, the DF will need to notify: (i) the Board; and (ii) each affected Data Principal, of such breach, in the form and manner that may be prescribed through subordinate legislation. 

CERT-In Framework Note

•    The CERT-In serves as a national agency and performs the functions listed in Section 70B(4) of the IT Act. These functions are:
(i)    the collection, analysis, and dissemination of information on cyber incidents;
(ii)    the forecast and alerts of cybersecurity incidents;
(iii)    the emergency measures for handling cybersecurity incidents;
(iv)    the coordination of cyber incident response activities;
(v)    to issue guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, prevention, response and reporting of cyber incidents; and
(vi)    other functions relating to cybersecurity as may be prescribed.
•    The CERT-In functions at the Department of Information Technology, Ministry of Electronics and Information Technology (“IT Ministry”) and is located at “Electronics Niketan”, 6, CGO Complex, Lodhi Road, New Delhi – 110003.
•    Rule 3(1)(l) of the Information Technology (Intermediaries guidelines and Digital Media Ethics Code) Rules, 2021 requires intermediaries to report cybersecurity incidents and share information related to such incidents with CERT-In.
•    CERT-In is required to operate an incident response help desk on a 24-hour basis every day, including government and other public holidays, in order to facilitate the reporting of cybersecurity incidents. Any individual, organization, or corporate affected by cybersecurity incidents may report the incident to CERT-In.
•    The details regarding methods and formats of reporting cyber security incidents are also published on the website of CERT-In.

14. Who is/are the privacy regulator(s)?

DPDP Act

•    The Board will have various functions with respect to the enforcement of the DPDP Act including:  

(i)    inquiring into PD breaches and directing urgent remedial or mitigation measures in such cases;
(ii)    inquiring into and imposing penalties in case of a person’s non-compliance with the law; and
(iii)    issuing binding directions to any person for the effective discharge of its functions under the law. 

The Board, however, does not have the power to enact subordinate legislation under the DPDP Act.

•    The Central Government of India is empowered to issue notifications and prescribe rules under the DPDP Act. This leaves a substantial aspect of the law to be set out in subordinate legislation. Additionally, the Central Government can direct the Board or any intermediary (as defined under the IT Act) to, for the purposes of the law, furnish any information to it. The Central Government can also, upon receiving a reference from the Board, issue a blocking order to a Government agency or intermediary to prevent, in the public interest, a DF from offering goods or services to Data Principals within India.

Privacy Rules

•    With respect to the Privacy Rules, there is no regulator responsible for their enforcement. However, the IT Ministry is empowered to make rules under Section 43A of the IT Act.

Note:
As per the IT Act, an ‘intermediary’ with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online marketplaces and cyber cafes. 

15. What are the consequences of a data breach?

DPDP Act

•    On receiving an intimation of PD breach, the Board may direct any urgent remedial or mitigation measures and inquire into such PD breach, and impose penalties as provided in the DPDP Act. Further, on receiving a complaint from a Data Principal pertaining to a PD breach, or a breach in observance by a DF of its obligations in relation to their PD, or on a reference made to it by the Central Government or a State Government, or in compliance of the directions of any court, the Board may inquire into such breach, and impose penalties as provided in the DPDP Act. 
•    The DPDP Act sets out penalties for breaches in observing obligations: (i) of DFs to take reasonable security safeguards to prevent PD breaches, which may extend to INR 2,500,000,000 (approximately USD 28,370,000); and (ii) to give the Board or affected Data Principal notice of a PD breach, which may extend to INR 2,000,000,000 (approximately USD 22,694,000).
•    Any person, subject to proceedings before the Board relating to non-observance with the DPDP Act, can provide a voluntary undertaking to remedy the same. Acceptance of a voluntary undertaking by the Board creates a bar on further proceedings under the DPDP Act regarding the contents of such undertaking. Further, a breach of a voluntary undertaking will be deemed to be a breach of the law itself. 

IT Act and Privacy Rules

•    The IT Act and the Privacy Rules prescribe remedies in the nature of a claim for damages for the negligent acts of bodies corporate.
•    If the negligence leads to wrongful loss or wrongful gain for any person, Section 43A of the IT Act allows for damages by way of compensation.
•    Similarly, Section 72A of the IT Act prescribes the punishment for any person, including an intermediary, who intentionally discloses personal information without the consent of the personal information provider, or in breach of a lawful contract. Such persons can be fined up to INR 2,500,000 (approximately USD 28,000).
•    Further, Section 45 of the IT Act prescribes a residuary penalty for contraventions for which no penalty has been separately provided: a penalty not exceeding INR 100,000 (approximately USD 1,100), in addition to compensation to each person affected by such violation of up to INR 1,000,000 (approximately USD 11,300), payable by an intermediary, company or body corporate.

CERT-In Rules and Directions

•    Under the CERT-In Rules and the CERT-In Directions, entities are required to report certain mandatorily reportable “cyber incidents” including data breaches and data leaks to CERT-In within 6 hours of noticing such incidents or being brought to notice about such incidents. Such reporting must be done through a point of contact appointed to interface with CERT-In whose details must be shared with CERT-In in the prescribed format. Further, under the CERT-In Directions, such entities are required to maintain logs of information and communications technology systems securely, for a rolling period of 180 days in India, that can be provided to CERT-In, while reporting any incident or under any order or direction issued by CERT-In.
•    Under Section 70B(7) of the IT Act, failure to comply with the CERT-In Directions is punishable with imprisonment for a term which may extend to 1 year or with fine which may extend to INR 10,000,000 (approximately USD 113,500) or with both. Therefore, the failure of an entity to comply with such requirements, including reporting any instances of data leaks may make it subject to such penalties.
IT Act Note:
•    Section 43A of the IT Act requires a body corporate which possesses, deals, or handles SPDI in a computer resource owned, controlled, or operated by it to implement and maintain reasonable security practices and procedures. Wrongful loss or wrongful gain to any person due to non-compliance with the above requirements would result in the body corporate being liable to pay damages by way of compensation to the person affected.
•    Section 72 of the IT Act also prescribes the penalty for the breach of confidentiality and privacy by a person who discloses any electronic records, books, registers, correspondence, information, documents, or any other material to which they secured access by virtue of powers conferred under the IT Act, without the consent of the concerned person. Those punished under this provision can be fined up to INR 500,000 (approximately USD 5,700), imprisoned, or both.
•    The IT Act separately deals with the disclosure of personal information which is in breach of a lawful contract. Under Section 72A, such disclosure is a punishable offense when done intentionally, or with the knowledge that it is likely to cause wrongful gain or loss. The punishment prescribed for the same is a fine up to INR 2,500,000 (approximately USD 28,400). For invoking this provision, the following conditions need to be satisfied:
(i)    access to any material containing personal information;
(ii)    the existence of an intention or knowledge of causing wrongful loss or wrongful gain; and
(iii)    disclosure without consent of the person concerned, or in breach of a lawful contract.
•    Penalties under the IT Act apply to “any offense or contravention thereunder committed outside India by any person”. The IT Act clarifies that this provision is applicable only if the “act or conduct constituting the offense or contravention involves a computer, computer system or computer network located in India”.

16. How is electronic marketing regulated?

•    The IT Act does not explicitly refer to electronic marketing. Commercial communications (including messages and voice calls) are regulated under the Telecom Commercial Communications Customer Preference Regulations, 2018 (“TCCCPR”).  Instead of seeking to directly regulate telemarketers, the TCCCPR devolves control and regulatory power to access providers who are required to establish their own Codes of Practice (CoPs). 
•    Entities wishing to send commercial communications are required to register with access providers as senders / principal entities. Additionally, senders are required to ensure that the content templates of commercial messages are registered with such access providers and only send commercial communications through headers registered with such access providers.
•    Senders / principal entities who seek to send messages and voice calls that are commercial communications using telecommunication services need to collect and record consent from both existing as well as fresh customers through the new ‘Digital Consent Acquisition’ facility of access providers, in accordance with the Directions on ‘Digital Consent Acquisition’ issued by the Telecom Regulatory Authority of India (“TRAI”), dated June 2, 2023 and November 7, 2023.

Note: 
•    Under the TCCCPR, if unregistered entities send commercial communications to telecom subscribers, access providers are empowered to place restrictions on the usage of telecom resources by such unregistered entities, especially upon receiving complaints from customers. As part of this, access providers may blacklist / suspend unregistered entities from using their telecom resources. Even where an entity has obtained the requisite registrations, the TCCCPR empowers access providers to impose penalties or consequences (such as forfeiture of security deposits, imposition of financial disincentives, or even suspension / blacklisting of the entity itself – as the case may be) in case of non-compliance with applicable requirements. Further, if a customer files a complaint in relation to any unsolicited commercial communication, access providers are generally empowered to direct suspension of traffic / disconnection of telecom resources / blacklisting of the concerned entity – as the case may be. Lastly, TRAI may also direct that action be taken by access providers against registered / unregistered senders, in case of any violation of the TCCCPR and if deemed necessary by the regulator.

DPDP Act Note

•    Under the DPDP Act, DFs are barred from tracking or behaviourally monitoring children, or directing targeted advertising at them. They are also not permitted to undertake processing of PD that is likely to cause any detrimental effect on the well-being of a child.  That said, the Central Government may exempt classes of DFs from the obligations on verifiable consent and tracking / monitoring / targeted advertising, subject to any conditions that it may prescribe. Further, by way of a new provision, the Central Government is also empowered to notify the age above which certain DFs will be exempt from these obligations, if it is satisfied that the processing of children’s PD is carried out by a DF in a ‘verifiably safe’ manner.

17. Are there sector-specific or industry-specific privacy requirements?

Yes, various sectoral laws in India prescribe additional requirements with respect to data privacy for specific datasets and entities. We have explained below some of these requirements:

Aadhaar framework

  • The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (“Aadhaar Act”) provides for the protection of the various information collected in furtherance of providing individuals with the Aadhaar Unique Identification Number. It provides for the protection of biometric information such as an individual’s fingerprints, iris scans and other biological identifiers (specified by regulations). This information can only be used for Aadhaar enrolment and authentication. Further, it cannot be shared with anyone, or displayed publicly, except for the purposes enumerated by the regulations. The Aadhaar Act penalizes the illegal disclosure of information with imprisonment up to 3 years and/or a fine of up to INR 10,000 (approximately USD 100). In the case of a company, the fine can extend up to INR 100,000 (approximately USD 1,100).

Telecommunications:

  • As per the Unified Access Service License Agreement (“Unified License”), intended to be entered into between access providers and relevant Governmental Authorities, access providers are prohibited from transferring the user information and accounting information relating to a telecom user (except for international roaming and billing information) outside of Indian borders. Furthermore, access providers typically contractually pass on such requirements to service providers, in order to ensure compliance.

Official Secrets Act, 1923 (“OSA”):

  • The OSA criminalizes the unauthorized possession, retention, or disclosure of Official Secrets, aiming to protect sensitive government information. Note that the OSA describes secret information quite broadly.  As such, any information related to Government departments, defence sector, or any other information which may affect the sovereignty or integrity of India may be considered an official secret (“Official Secret”) and will be covered under the OSA.
  • The OSA stipulates that any person having in his possession or control any official document who (i) wilfully communicates it to any unauthorized person, (ii) uses the information for the benefit of any foreign power, (iii) retains it without being authorized to do so, or (iv) fails to take reasonable care of it, will be considered guilty under the OSA. The burden to justify their possession of such material lies with the individual. Any person guilty under the OSA for unauthorized disclosure of Official Secrets will be punished with imprisonment for a term which may extend to 5 years (and up to 10 years and a fine where a person assists any country committing external aggression against India).

The Reserve Bank of India (“RBI”) circular on ‘Storage of Payment System Data’ (“Data Localization Circular”)

  • The Data Localization Circular issued by the RBI states that all Payment Data should be stored only in India. For cross-border transaction data consisting of a foreign and domestic component, a copy of the domestic component may also be stored abroad, if required.
  • Payment data has been broadly defined to include “end-to-end transaction details and information pertaining to payment or settlement transaction that is gathered / transmitted / processed as part of a payment message / instruction” (“Payment Data”). Among other things, the definition of Payment Data covers customer data (name, mobile number, email, government issued-ID numbers, etc.), payment sensitive data (customer and beneficiary account details), payment credentials (OTP, PIN, passwords, etc.) and transaction data.
  • In relation to processing of Payment Data, there is no bar on payment system operators (which are entities regulated by RBI (“RBI REs”)) processing the Payment Data abroad. However, any Payment Data processed outside India should be brought back to India for storage no later than one business day or 24 hours from payment processing (whichever is earlier) and purged from systems abroad. 

Master Direction - Know Your Customer (KYC) Direction, 2016 issued by RBI (“KYC MDs”): 

  • The KYC MDs require RBI REs to undertake certain customer due diligence measures while undertaking account-based relationships, etc. The KYC MDs obligate the RBI REs to ensure that the entire data and recordings related to the video-based customer identification process (“V-CIP”) be stored in systems located in India in a safe and secure manner and bear the date and time stamp. The V-CIP data is required to be stored in a manner prescribed in the KYC MDs.

Reserve Bank of India (Digital Lending) Directions, 2025 (“Digital Lending Directions”) and the FAQs:

  • The RBI REs regulated under the Digital Lending Directions are banks and non-banking financial companies (“NBFCs”) (including housing finance companies). The other key participants in the digital lending ecosystem are the digital lending apps (“DLA”) and lending service providers (“LSP”) who enter into arrangements with RBI REs to provide digital lending products to consumers.
  • Under the Digital Lending Directions, RBI REs have to ensure that the LSPs/DLAs they engage with, do not store the personal information of borrowers except some basic minimal data (name, address, contact details of the customer, etc.) that may be required to carry out their operations (“Digital Lending Data”) – which has to be held in India. Further, RBI REs must ensure that no biometric data of any customer is stored by any LSP/DLA, unless required by statutory guidelines. RBI REs are obligated to ensure that all data is stored only on servers located within India, while ensuring compliance with legal and regulatory requirements. Further, in the event that Digital Lending Data is processed outside India, the RE shall ensure that such data is deleted from servers outside India and brought back to India within 24 hours of its processing.

RBI Master Direction (NBFC – Scale Based Regulation) Directions (“NBFC MDs”):

  • The NBFC MDs require all NBFCs to conduct a self-assessment of their existing outsourcing arrangements to align them with the prescribed requirements. With respect to offshore outsourcing of financial services relating to Indian operations, NBFCs are required to ensure, among other things, that: (i) the service provider does not obstruct inspection by the NBFC or the RBI, (ii) the regulatory authority of the foreign country does not have access to data relating to Indian operations by default (unless processing is being undertaken in the NBFC’s home country), and (iii) all original records are maintained in India.

Framework for Adoption of Cloud Services by SEBI Regulated Entities (“SEBI Cloud Services Circular”) issued by the Securities and Exchange Board of India (“SEBI”):

  • The SEBI Cloud Services Circular requires all registered/ recognized intermediaries (such as stock brokers, mutual funds, KYC registration agencies) and market infrastructure institutions (stock exchanges, clearing corporations, and depositories) regulated by SEBI (“SEBI REs”), who wish to adopt cloud computing services, to keep and process data within the boundaries of India. Data required to be localized includes data related to data centers, disaster recovery or near disaster recovery etc., including logs and any other data/ information pertaining to the SEBI RE in any form in the cloud. However, if the data pertains to a foreign investor (whose country of incorporation is outside India), then the SEBI RE is required to keep the original data / transactions / logs available and easily accessible in a legible and usable form within India.
  • Further, as per the SEBI Cloud Services Circular, SEBI REs are also required to unambiguously specify the party responsible for compliance with each obligation in the SEBI Cloud Services Circular, in their contractual arrangements with cloud service providers (“CSPs”). Specifically, the agreement/contract made by the SEBI RE with the CSP must include a clause regarding storage of data (as applicable to the SEBI RE) within the legal boundaries of India as per extant regulatory requirements. Thus, SEBI REs will contractually require their service providers to ensure that both data processing and data storage are carried out within India.

Advisory for Financial Sector Organizations regarding Software as a Service (SaaS) (“SEBI SaaS Advisory”) read with CERT-In’s Advisory for Financial Sector Organizations (“CERT-In SaaS Advisory”)

  • The SEBI SaaS Advisory requires REs to comply with the CERT-In SaaS Advisory, and file an undertaking of compliance in the half-yearly report. The CERT-In SaaS Advisory requires all financial sector institutions availing or considering availing SaaS-based solutions to keep ‘critical data’ within the legal boundary of India as part of their monitoring and control protocols. Further, CERT-In has to be informed of the steps taken in this regard.

Circular on Cyber Security and Cyber Resilience Framework for SEBI Regulated Entities (“CSCRF”)

  • The CSCRF requires REs to ensure that processing and storage of data is done within the legal boundaries of India. Under it, all ‘regulatory data’ (i.e., data related to core and critical activities of the RE, reporting obligations, etc.), including any data that relates to foreign investors, has to be stored in an easily accessible, legible and usable form, within the legal boundaries of India.
  • However, any IT and cybersecurity data (i.e., logs and metadata related to RE’s IT systems and their operations excluding any regulatory data) that is being processed outside India for security operations centers of the RE and SaaS based cybersecurity solutions, can be stored outside India, subject to approval and annual review by the REs.

IRDAI (Maintenance of Insurance Records) Regulations, 2015 (“Insurance Records Regulations”):

  • As per the Insurance Records Regulations, the records pertaining to all the policies issued and all claims made in India (including those held in electronic mode) (“Insurance Records”) must be held in data centres located and maintained in India only. Note, however, that there is no bar on processing such data outside India. Note further that insurers are required to ensure that Insurance Records can be easily accessed to fulfil compliance requirements under applicable regulatory frameworks.

Aadhaar Act Note:

  • This Aadhaar Act was challenged before the Supreme Court of India in the Puttaswamy Judgement. On September 26, 2018, the court upheld the constitutionality of the Aadhaar Act, while a few provisions of the act and related rules, regulations, circulars and notifications were struck down or read down. The court, however, did not rule on the validity of Section 28 or Section 37 of the Aadhaar Act. In this decision, the court balanced the right to lead a dignified life (which entails subsidies, benefits and services offered by the Government) and the right to personal autonomy (which entails the right to informational privacy). Accordingly, the court read down Sections 33(2), 47 and 57, extensively relying on principles of data protection.
  • Pursuant to the Puttaswamy Judgment, the Aadhaar Amendment Act, 2019 was enacted to amend the Aadhaar Act. Amongst other things, this amendment:
    1. Provides that Aadhaar enrollment and its use for authentication are voluntary and minors enrolled by guardians have the option to opt-out of the Aadhaar ecosystem.
    2. Ensures that even disclosures pertaining to Aadhaar pursuant to directions by a court cannot be made by a court inferior to the High Court (court established under the Constitution of India).
    3. Provides a civil penalty for non-compliance with the Aadhaar Act and rules made thereunder which may extend to INR 10,000,000 (approximately USD 113,500) for each contravention and, in case of a continuing failure, an additional penalty which may extend to INR 1,000,000 (approximately USD 11,300) for every day during which the failure continues after the first contravention.
18. What are the requirements for appointing Data Protection Officers or similar roles?

DPDP Act

  • Under the DPDP Act, DFs must establish an effective mechanism to redress the grievances of Data Principals. A DF will need to: (i) appoint a person/data protection officer to answer, on behalf of the DF, the Data Principal’s questions about the processing of their PD; and (ii) publish that person’s/data protection officer’s business contact information. The DPDP Act does not specify the qualifications required for such a person/data protection officer. Further, please note that the requirement to appoint a data protection officer only applies to SDFs (which are yet to be notified/designated).

Privacy Rules

  • The Privacy Rules require bodies corporate collecting personal information, including SPDI, to appoint a grievance officer and publish the officer’s name and contact details on their website. Such an officer must redress the grievances of the personal information provider within 1 month from the date of receipt. The Privacy Rules do not specify the qualifications required for such a grievance officer.
19. What are the record-keeping and documentation obligations?

DPDP Act

  • The DPDP Act specifies that PD must be erased by DFs when its purpose is no longer served or when the Data Principal withdraws their consent (if consent was the basis of collecting their PD), whichever is earlier, unless it is required to be retained under applicable laws. Additionally, DFs must cause their Processors to erase such PD. Further, the DPDP Act clarifies that the purpose is deemed to be no longer served when the Data Principal to whom the PD relates does not exercise their rights or approach the DF for performing the purpose within a specified time period (which is yet to be notified). Accordingly, DFs may store their Data Principals’ PD until the purpose for which it was collected has been served, unless it is required to be retained for a longer period as per applicable legal obligations.

Privacy Rules

  • As per the Privacy Rules, bodies corporate or any person on their behalf holding any SPDI may not retain such information for any period longer than may be required for the fulfilment of the lawful purposes for which the SPDI was collected, unless required under any other applicable law. As such, limitations on storage periods do not apply to PI (unless it qualifies as SPDI). Accordingly, such bodies corporate may store their users’ SPDI until the lawful purpose for which it was collected has been achieved, unless it is required to be retained for a longer period as per applicable legal obligations.

Note:

Please note below certain examples of legally prescribed data retention requirements:

  • Under the CERT-In Directions, entities are required to maintain logs of information and communications technology systems securely, for a rolling period of 180 days in India, that can be provided to CERT-In, while reporting any incident or under any order or direction issued by CERT-In.
  • Further, under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, intermediaries that collect information from users for their registration on the concerned computer resource, are required to retain such information for a period of 180 days after any cancellation / withdrawal of their registration.
20. What are the requirements for conducting Data Protection Impact Assessments (DPIAs)?

DPDP Act

  • The DPDP Act does not require DFs to undertake DPIAs in general. However, SDFs (which are yet to be notified/designated) are required to conduct periodic DPIAs, which is a process including: 
    1. a description of Data Principals’ rights and the purpose of processing of their PD
    2. assessment and management of the risk to such Data Principals’ rights, and 
    3. such other matters regarding such process as may be prescribed.
  • Additional specifications on DPIAs may be prescribed by subordinate legislation notified under the DPDP Act.

Privacy Rules

  • The Privacy Rules do not lay down any requirements to conduct DPIAs.
21. What are the requirements for third-party vendor management and data sharing?

DPDP Act

  • As per the DPDP Act, DFs may engage/appoint/use/involve Processors to process PD on their behalf for any activity related to the offering of goods or services to Data Principals only under a valid contract. Furthermore, the DF remains responsible for all compliances under the DPDP Act.
  • Further, any sharing of PD by the DF with third parties including Processors requires the consent of the Data Principal, unless the DF may avail legitimate uses as explained in our response concerning “How is the defined data protected?”.

Privacy Rules

  • As per the Privacy Rules, bodies corporate processing SPDI may disclose such SPDI to any third party only with the prior permission from the SPDI provider unless:  
    1. such disclosure has been agreed to in the contract between the body corporate and the SPDI provider, or 
    2. the disclosure is necessary for compliance with a legal obligation. Further, the body corporate must not publish the SPDI and the third party receiving the SPDI must not disclose it further.
  • Further, such SPDI may be shared by the body corporate with any third party provided that: 
    1. the receiving person must ensure the same level of data protection that is adhered to by the body corporate itself under the Privacy Rules, and 
    2. the transfer can take place only if it is either necessary for the performance of a lawful contract between the body corporate and the SPDI provider or if such provider has consented to the same.
22. What are the penalties and enforcement mechanisms for non-compliance?

DPDP Act

  • The DPDP Act envisages a civil liability regime in case of non-compliance. Penalties, which have been stipulated in the Schedule, range from INR 10,000 (approximately USD 100) to INR 2,500,000,000 (approximately USD 28,370,000).
  • As per the DPDP Act, any person subject to proceedings before the Board relating to non-observance of the DPDP Act can provide a voluntary undertaking to remedy the same. Acceptance of a voluntary undertaking by the Board creates a bar on further proceedings under the DPDP Act regarding the contents of such undertaking. The DPDP Act now also specifies that a breach of a voluntary undertaking will be deemed to be a breach of the law itself.

Privacy Rules

  • As per Section 43A of the IT Act, uncapped damages may be awarded to a person who has suffered a wrongful loss, on account of a body corporate’s negligence or failure to implement and maintain, inter alia, reasonable security practices and procedures as prescribed under the Privacy Rules issued under the IT Act. 

Note:

  • As per Section 72A of the IT Act, any person who, while providing services pursuant to a lawful contract, has secured access to any material containing personal information about another person and discloses such material to any other person without the consent of the personal information provider, or in breach of a lawful contract, with the intent to cause or knowing that they are likely to cause wrongful loss / wrongful gain, shall be liable to a penalty which may extend to INR 2,500,000 (approximately USD 28,400).
  • Sections 43 and 66 of the IT Act aim to protect computer systems and networks from unauthorised and harmful activities, where: (i) Section 43 penalises activities such as accessing a computer, computer system or computer network, and downloading or extracting any data from a computer, computer resource or system, without the permission of the owner of the system; and (ii) Section 66 provides penalties for any person who dishonestly or fraudulently does any of the acts mentioned in Section 43.
  • Under Section 70B(7) of the IT Act, failure to comply with the CERT-In Directions is punishable with imprisonment for a term which may extend to 1 year, or with a fine which may extend to INR 10,000,000 (approximately USD 113,500), or with both. Therefore, the failure of an entity to comply with such requirements, including the requirement to report any instances of data leaks, may make it subject to such penalties.
  • Section 45 of the IT Act prescribes residuary penalties for contraventions for which no penalty has been separately provided, including a penalty not exceeding INR 100,000 (approximately USD 1,100), in addition to compensation to each person affected by such violation of up to INR 1,000,000 (approximately USD 11,300). Therefore, bodies corporate may also be subject to such penalties in cases involving data breaches and other non-compliances, including those under the Privacy Rules, CERT-In Rules or CERT-In Directions.
  • Section 72 of the IT Act also prescribes the penalty for the breach of confidentiality and privacy by a person who discloses any electronic records, books, registers, correspondences, information, documents or any other material to which he/she secured access by virtue of powers conferred under the IT Act, without the consent of the concerned person. Those found guilty under this provision can be fined up to INR 500,000 (approximately USD 5,700).
23. What are the ongoing compliance and audit requirements?

DPDP Act

  • While the compliance obligations have been highlighted in our response concerning “How is the defined data protected?”, the DPDP Act does not require DFs to undertake periodic audits in general. However, SDFs (which are yet to be notified/designated) are required to appoint an independent data auditor to undertake data audits to assess the SDF’s compliance with the provisions of the DPDP Act. SDFs are also required to carry out periodic audits, as per further prescriptions that may emerge under subordinate legislation issued by the Central Government.

Privacy Rules

  • While the compliance obligations have been highlighted in our response concerning “How is the defined data protected?”, the Privacy Rules do prescribe certain specific audit requirements. The Privacy Rules explain that a body corporate dealing with personal information or SPDI is required to maintain a comprehensive documented information security programme and information security policies, and to implement standards and policies that are commensurate with the information assets being protected and the nature of its business. The international standard IS/ISO/IEC 27001 (on “Information Technology - Security Techniques - Information Security Management System – Requirements”) is considered one such standard. The body corporate is deemed to have complied with these reasonable security practices and procedures (as required under the IT Act) provided that it is certified and audited by an independent auditor duly approved by the Government of India on a periodic basis (i.e., at least annually, or as and when significant upgrades are undertaken in respect of process and computer resource).
24. Are there any recent developments or expected reforms?

DPDP Act

  • As of 11 August 2023, the President of India gave her assent to the DPDP Act, after it was passed by both Houses of the Parliament. The DPDP Act was, thereafter, published in the Official Gazette. While the DPDP Act has now been enacted, it is yet to be enforced. The law does not contain specific transitional provisions, such as timelines for the issuance of relevant rules and notifications.
  • That said, the law will be enforced on a date notified by the Central Government in the Official Gazette. Different dates can be specified for different provisions of the DPDP Act. A similar process was adopted for the IT Act. The DPDP Act, therefore, will come into force when such notification(s) regarding its commencement are published by the Central Government in the Official Gazette.

Draft Rules

  • Further, the IT Ministry has recently concluded public consultations on the Digital Personal Data Protection Rules, 2025 (“Draft Rules”), which are intended to facilitate the implementation of the DPDP Act. Upon finalising the Draft Rules, the IT Ministry is expected to notify the DPDP Act and the Draft Rules.
  • The Draft Rules lay out a comprehensive framework for implementing the provisions of the DPDP Act, covering aspects including:
    (i) Specifications for notices to be provided by DFs to Data Principals.
    (ii) Specifications on registration requirements and responsibilities of consent managers, who shall be persons registered with the Board, acting as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform.
    (iii) The requirements for adopting reasonable security safeguards, protocols for reporting PD breaches, and clear processes for Data Principals to exercise their rights.
    (iv) Special provisions for processing the PD of children or persons with disabilities, ensuring their PD is handled with extra care.
    (v) The establishment of the Board, detailing the appointment and service conditions of its chairperson and members, as well as its functioning as a digital-first office.
    (vi) A structured procedure for filing appeals with an appellate tribunal, enabling streamlined redressal of disputes.

TRAI Directions

  • Senders / principal entities who seek to send messages and voice calls that are commercial communications using telecommunication services are now required to collect and record consent from both existing and fresh customers through the new ‘Digital Consent Acquisition’ facility of access providers, in accordance with the Directions issued by TRAI on ‘Digital Consent Acquisition’, dated June 2, 2023 and November 7, 2023.

Jan Vishwas Act

  • The Jan Vishwas (Amendment of Provisions) Act, 2023 (“Jan Vishwas Act”) was recently enforced, amending various penalty provisions in the Indian legal system. Some of the notable changes brought about by the Jan Vishwas Act are as follows:
    (i) Section 45 of the IT Act on residuary penalties (for contraventions for which no penalty has been separately provided) was recently amended to provide for penalties not exceeding INR 100,000 (approximately USD 1,100), in addition to compensation to each person affected by such violation of up to: (a) INR 1,000,000 (approximately USD 11,300) by an intermediary, company or body corporate; and (b) INR 100,000 (approximately USD 1,100) by any other person. Prior to the enforcement of the Jan Vishwas Act, the penalties involved therein would not exceed INR 25,000 (approximately USD 300), and the overall compensation that could be provided to any person would not exceed INR 25,000 (approximately USD 300), regardless of the nature of the violating entity. Furthermore, the residuary penalty now also extends to “directions” and “orders” made under the IT Act for which no other penalty has been specifically provided, and not just to “rules” and “regulations” made under the IT Act in this regard.
    (ii) Section 70B(7) of the IT Act, which provides for penalties for the failure to comply with directions issued by CERT-In, has been amended, increasing the maximum penalty amount therein from INR 100,000 (approximately USD 1,100) to INR 10,000,000 (approximately USD 113,500).
    (iii) Section 72 of the IT Act prescribes the penalty for the breach of confidentiality and privacy by a person who discloses any electronic records, books, registers, correspondences, information, documents or any other material to which he/she secured access under powers conferred under the IT Act, without the consent of the concerned person. This section has been amended to provide for fines that may extend up to INR 500,000 (approximately USD 5,700), as opposed to: (a) imprisonment for up to 2 years; or (b) fines of up to INR 100,000 (approximately USD 1,100); or (c) both.
    (iv) Section 72A of the IT Act, which prescribes the punishment for any person, including an intermediary, who intentionally discloses personal information without the consent of the personal information provider, now provides for a penalty of up to INR 2,500,000 (approximately USD 28,400), as opposed to: (a) imprisonment of up to 3 years; or (b) a fine of up to INR 500,000 (approximately USD 5,700); or (c) both.
