The Information Technology Act, 2000 (as amended in 2008) (“IT Act”) read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “Privacy Rules”) deal with certain aspects of protection of personal data.  

Note: 

India does not have specific legislation dedicated to data protection. At present, the IT Act read with the Privacy Rules recognizes the concept of personal information and sensitive personal data and to that limited extent govern the aspects of data protection and privacy in India.

• The IT Act extends to the whole of India.
• It is also applicable to any offense or contravention committed outside India by any person irrespective of its nationality if the act or conduct constituting the offense or contravention involved a computer, computer system or computer network located in India.¹ 
• Through an amendment in 2008, a few provisions relating to the protection of personal data were introduced into the IT Act²:

The notable changes are embodied by Section 43A³ and Section 72A⁴. Section 43A provides for compensation in instances where there has been a failure to protect sensitive personal data and information. Section 72A prescribes punishment for disclosure of information which is in breach of a lawful contract.

• On April 11, 2011, the central government announced the Privacy Rules. These rules represent an important advancement in the regulation of data privacy. They impose stringent obligations on corporations for the implementation of adequate steps that protect personal information and sensitive personal data or information (“SPDI”).
• The Privacy Rules contain detailed provisions relating to the protection of data such as:
  • collection and use of personal information and SPDI;
  • mandatory publication of privacy policy for corporations that collect personal information;
  • technical requirements for security practices and procedures; and
  • disclosure as well as the transfer of personal information and SPDI.
• In addition to the aforesaid provisions in the IT Act, the right to privacy has been recognized by numerous decisions of the Supreme Court of India as well as various High Courts. On August 24, 2017, a nine-judge bench of the Supreme Court of India examined these cases and reaffirmed that “right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution”⁵. The Supreme Court  laid down that any invasion of the fundamental right to privacy must meet the threefold requirement of 

(i)    legality, which postulates the existence of law; 
(ii)    need, defined in terms of a legitimate State aim; and 
(iii)    proportionality which ensures a rational nexus between the objects and the means adopted to achieve them.”

• A five-judge bench of the Supreme Court also reiterated this test⁶.
• Various other Indian statutes such as, (i) Indian Contract Act, 1872⁷; (ii) Indian Penal Code, 1860⁸; (iv) Specific Relief Act, 1963⁹; and (v) Copyright Act, 1957 etc. also contain provisions, which directly or indirectly protect against breaches of confidentially and unauthorized disclosure of personal data.

________

[1] Section 75 of IT Act: Act to apply for offense or contravention committed outside India- (1) Subject to the provisions of sub-section (2), the provisions of this act shall apply also to any offense or contravention committed outside India by any person irrespective of his nationality.

(2) For the purposes of sub-section (1), this act shall apply to an offense or contravention committed outside India by any person if the act or conduct constituting the offense or contravention involves a computer, computer system or computer network located in India.

[2] The amendments to the IT Act have come into effect from October 28, 2009.

[3] 43A. Compensation for failure to protect data.--

Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.

Explanation.-- For the purposes of this section,--

"body corporate" means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;

"reasonable security practices and procedures" means security practices and procedures designed to protect such information from unauthorized access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit;

("Sensitive personal data or information" means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.

[4] 72A. Punishment for disclosure of information in breach of lawful contract.--

Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that his likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person, shall be punished with imprisonment for a term which may extend to three years, or with fine which may extend to five lakh rupees, or with both.

[5] Justice K S Puttaswamy v. Union of India (2017) 10 SCC 1, Kharak Singh v State of UP AIR 1963 SC 1295, Gobind v State of M.P. (1975) 2 SCC 148, State v Charulata Joshi (1999) 4 SCC 65, R. Rajagopal v State of Tamil Nadu AIR 1995 SC 264.

[6] Justice KS Puttaswamy v. Union of India (2019) 1 SCC 1 ("Puttaswamy Judgement")

[7] Section 73 & 74 of the Contract Act deals with remedies for contractual damages by way of compensation for violation of terms of the contract or non-performance of the obligations.

[8] Section 406: Criminal Breach of Trust (imprisonment up to three years or fine and/or both), Section 420: Cheating (imprisonment up to seven years’ imprisonment or fine and/or both).

[9] Specific Performance for breach of contract.

The Privacy Rules provide for the protection of - 'personal information' and SPDI.

Note: 

The provisions of the IT Act read with the Privacy Rules provide for the protection of Personal Information and SPDI.

'Personal information' is defined as:

"any information that relates to a natural person which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying that person."¹

It is to be noted that this definition specifically applies to natural persons and not corporate entities or other legal persons.

“SPDI” is defined as:

"personal information that consists of information relating to passwords; financial information such as Bank account or credit card or debit card or other payment instrument details; physical, physiological and mental health condition; sexual orientation; medical history and records; biometric information; any detail relating to the above clauses as provided to body corporate for providing service; and any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise."2

Note: Any information that is freely available or accessible in the public domain or furnished under the Right to Information Act, 2005 shall not be regarded as SPDI.

________

[1] Section 2(1)(i), Privacy Rules

[2] Section 3, Privacy Rules

The Privacy Rules only apply to bodies corporate or persons located in India as per the August 24, 2011 Press Note issued by the Ministry of Communication and Information Technology [1]. However, as the enforceability of the press note itself is questionable, there is a risk that obligations under the Privacy Rules may also be found to apply to body corporates located outside India.

Note:

Bodies Corporate and persons located in India are subject to privacy obligations. A body corporate means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities.¹

A press note dated August 24, 2011, clarifies, that the body corporate which provides services relating to the collection, storage, dealing or handling of SPDI under a contractual obligation with any legal entity located within or outside India is not subject to the requirement of Rules 5 & 6 of the Privacy Rules.²

________

[1] https://pib.gov.in/newsite/erelcontent.aspx?relid=74990 (last visited on 14/06/2022)

The entity which seeks to use personal data or information cannot collect the same unless it obtains the prior consent of the provider of such data or information.

Note:

The personal data including SPDI should be collected:

• only for a lawful purpose;
• when the collection is necessary for that purpose. The information collected must be used only for the purpose for which it has been collected.
• The providers of information must be informed of the purpose for which the sensitive data is being collected and their consent must be obtained.

Note: The Press Note dated August 24, 2011, makes it clear that the consent under Rule 5(1) includes consent given by any electronic communication.³

• While collecting information directly from the person concerned, the body corporate or any person on its behalf must ensure that the person concerned has knowledge of  —

the fact that the information is being collected;
the purpose for which the information is being collected;
the intended recipients of the information; and
the name and address of —

• the agency that is collecting the information; and
• the agency that will retain the information.⁴

Withdrawal of Consent - The providers of information must be given an option to not provide the sensitive data sought or collected and also, to subsequently withdraw his/her consent given earlier.⁵

________

[1] Explanation (i), Section 43A, IT Act
[2]https://www.dsci.in/sites/default/files/Government%20Clarification%20on%20notified%20Rules%20under%20sec%2043A%20of%20IT%20(Amendment)%20Act%202008.pdf (last visited on 04/04/2016);
https://pib.gov.in/newsite/erelcontent.aspx?relid=74990 (last visited on 20/11/2019)

[3] Ibid

[4] Rule 5(3)

[5] Rule 5(7)

Subject to specific exceptions, a body corporate may only use or disclose personal information/SPDI for the purpose for which it was collected.

Note:

The Privacy Rules disallow the disclosure of any collected SPDI to a third party without the prior permission of the provider except when the disclosure is:¹

• in terms of a contract between the body corporate and the provider of the information;
• necessary for compliance with a legal obligation; or
• to government agencies mandated under law to obtain information for the purposes of verification of identity, prevention, detection, investigation of cyber incidents, prosecution and punishment of offenses.

A third party that receives any SPDI through the above-explained mechanism is disallowed from disclosing it further.²

________

[1] Rule 6

[2] Rule 6(4)

The Privacy Rules state that a body corporate holding SPDI shall not retain such information for longer than is required for the lawful purpose which requires the use of such information. Further, the body corporate is required to comply with reasonable security practices and procedures.¹

Note: 

Storage and Retention

The entity which seeks to use SPDI cannot store it for longer than is required for any lawful use, or as otherwise required under any other law. The IT Act also prescribes the manner in which documents or records are to be retained in electronic form if the same is required by any other applicable law. It requires that-

• The information retained should be accessible for any subsequent reference;
• The record should be retained in the format in which it was originally generated, sent or received or in a format which can be demonstrated to represent accurately, the information originally generated, sent or received; and
• The information regarding the origin, destination, date and time of dispatch or receipt of the electronic record are available in the electronic record.²

Security

The Privacy Rules require that body corporates adopt reasonable security practices and standards and that they have a comprehensively documented information security program and information security policies.

The international standard IS/ISO/IEC 27001 on "Information Technology-Security Techniques-Information Security Management System-Requirements" is an example of the above-mentioned standard.³

The adopted measures should be designed to protect SPDI from “unauthorized access, damage, use, modification, disclosure or impairment” and can be specified by an agreement between the parties or a law. If such specification is absent, such practices can be prescribed by the Central Government.⁴ 

________

[1] Sub Clause (4) of Rule 5 of the Privacy Rules

[2] Section 7 of the IT Act

[3] Rule 8 of Privacy Rules

[4] Section 43A(ii), IT Act

The providers of the information have the right to review the information provided and to ask for inaccurate or deficient information to be corrected, as feasible.¹

In other words, information retained should be accessible for any subsequent reference.

Note: 

The personal information and SPDI should be made available to the providers of information for review and modification, as and when requested by them. This is to allow the providers of information to correct (as feasible) personal information or SPDI if it is found to be inaccurate or deficient in any manner.

________

[1] Rule 5(6) of Privacy Rules

India permits the transfer of data to other jurisdictions for the performance of a lawful contract between the body corporate or any person on its behalf and the provider of information (data subject) or in cases where the data subject has consented to the transfer.

Note:

At present, there are no specific restrictions or requirements under Indian law for cross-border transfers of personal information/SPDI. Similarly, onward transfers of the data will continue to be governed by the contractual provisions between the parties. Unless the contract otherwise specifies, the transfer of SPDI including any information is subject only to two restrictions -

The entity receiving the information must ensure the same level of data protection, as provided under the Privacy Rules.

The transfer should be necessary for the performance of a lawful contract between the body corporate and the provider of information or the provider should have consented to such transfer.¹

________

[1] Rule 7, Privacy Rules

The Central Government has been empowered by Section 70B of the IT Act to appoint an agency called the Indian Computer Emergency Response Team (“Cert-In”).

The Information Technology (the Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 ("Cert-In Rules") define 'cybersecurity incidents' as “any real or suspected adverse event in relation to cybersecurity that violates an explicitly or implicitly applicable security policy resulting in unauthorized access, denial of service or disruption, unauthorised use of a computer resource for processing or storage of information or changes to data, information without authorization”.

Cert-In would provide forecast and alerts of cybersecurity incidents, provide emergency measures for handling such incidents, coordinate cyber incident response activities, and collect, analyze and disseminate information on cyber incidents.

Note: 

Service providers, intermediaries, data centers, body corporates and government entities are required to mandatorily notify the occurrence of certain ‘cybersecurity incidents’, under the CERT-In Rules. On April 28, 2022, CERT-In issued directions (“Directions") supplementing the existing CERT-In Rules, which will come into force starting June 28, 2022.² The Directions impose several new obligations, including doubling the number of types of reportable incidents and imposing a fixed timeline to report. Cert-In has also issued FAQs to clarify the Directions.³

The CERT-In serves as a national agency and performs the functions listed in Section 70B(4) of the IT Act. These functions are:

• the collection, analysis, and dissemination of information on cyber incidents;
• the forecast and alerts of cybersecurity incidents;
• the emergency measures for handling cybersecurity incidents;
• the coordination of cyber incidents response activities;
• to issue guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, presentation, response and reporting of cyber incidents; and
• Other functions relating to cybersecurity as may be prescribed.

The CERT-In functions at the Department of Information Technology, Ministry of Electronics and Information Technology and is located at “Electronics Niketan”, 6, CGO Complex, Lodhi Road, New Delhi – 110003.

Rule 3(1)(l) of the Information Technology (Intermediaries guidelines and Digital Media Ethics Code) Rules, 2021 requires intermediaries to report cybersecurity incidents and share information related to such incidents with CERT-In.

CERT-In is required to operate an incident response help desk on a 24 hours basis every day, including government and other public holidays, in order to facilitate the reporting of cybersecurity incidents. Any individual, organization or corporate affected by cybersecurity incidents may report the incident to CERT-In. 

The occurrence of the following types of cybersecurity incidents ("Trigger Incidents") will trigger the requirements under the CERT-In Rules read with the Directions to notify CERT-In of the incident within 6 hours of noticing such incidents or being brought to notice about such incidents.:

• targeted scanning/probing of critical networks/systems;
• compromise of any critical information/systems;
• unauthorized access to IT systems/data;
• defacement of websites or intrusion into websites & unauthorized changes such as inserting malicious codes links to external websites;
• malicious code attacks such as spreading viruses, worms/trojans/botnets/spyware;
• attacks on servers such as databases, mail and DNS & network devices such as routers;
• identity theft, spoofing and phishing attacks;
• denial of service (DoS) & distributed denial of service (DDoS) attacks;
• attacks on critical infrastructure, SCADA systems and wireless networks;
• attacks on applications such as e-governance and e-commerce etc.
• data breach 
• data leak 
• attacks on Internet of Things (IoT) devices and associated systems, networks, software, servers 
• attacks or incidents affecting digital payment systems 
• attacks through malicious mobile apps 
• fake mobile apps 
• unauthorized access to social media accounts 
• attacks or malicious/ suspicious activities affecting cloud computing systems/servers/software/applications 
• attacks or malicious/suspicious activities affecting systems/ servers/ networks/ software/ applications related to big data, blockchain, virtual assets, virtual asset exchanges, custodian wallets, Robotics, 3D and 4D Printing, additive manufacturing, drones 
• attacks or malicious/ suspicious activities affecting systems/ servers/software/ applications related to artificial intelligence and machine learning

The FAQs clarify that the entities may provide information to the extent available at the time of reporting. Additional information may be reported later within a reasonable time to CERT-In. Any incident as stated in Annexure-I of the Directions and meeting the following criteria should be reported within the stipulated 6-hour time:⁴

• cyber incidents and cyber security incidents of severe nature (such as denial of service, distributed denial of service, intrusion, the spread of computer contaminants including Ransomware) on any part of the public information infrastructure including backbone network infrastructure
• data breaches or data leaks
• large-scale or most frequent incidents such as intrusion into computer resources, websites, etc.
• cyber incidents impacting the safety of human beings

Other cybersecurity incidents shall be reported within a reasonable time of occurrence or noticing of the incident to leave scope for timely action.⁵ The FAQs additionally clarify that it is imperative for intermediaries to report the incidents that do not fall within 20 types identified in Annexure-I depending on the nature, severity, and impact of the incident.⁶

The details regarding methods and formats of reporting cyber security incidents are also published on the website of CERT-In.

________

[1] Rule 2(h) of CERT-In Rules

[2] https://www.cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf (last visited on 15/06/2022)

[3] https://www.cert-in.org.in/PDF/FAQs_on_CyberSecurityDirections_May2022.pdf (last visited on 15/06/2022)

[4] FAQ 30, https://www.cert-in.org.in/PDF/FAQs_on_CyberSecurityDirections_May2022.pdf (last visited on 15/06/2022)

[5] Rule 12(1)(a) of CERT-In Rules

[6] FAQ 10, https://www.cert-in.org.in/PDF/FAQs_on_CyberSecurityDirections_May2022.pdf (last visited on 15/06/2022)

There is no regulator responsible for the enforcement of the data protection rules.

The Ministry of Electronics and Information Technology (“IT Ministry”) is empowered to make rules under Section 43A of the IT Act.

Note:

The IT Ministry has the power to issue rules under the IT Act.  While there exists no regulator for the enforcement of the Privacy Rules, the IT Ministry issues guidelines on behalf of the government, within the scope of the powers granted by the IT Act.

The IT Act and the Privacy Rules prescribe remedies in the nature of a claim for damages for the negligent acts of corporate bodies.

If the negligence leads to wrongful loss or gains for any person, Section 43A of the IT Act allows for damages by way of compensation. [1]

Similarly, Section 72A of the IT Act prescribes the punishment for any person including an intermediary who intentionally discloses personal information without the consent of the data subject, or in breach of a lawful contract. Such persons can be imprisoned for a period of up to 3 years, or be fined up to INR 5,00,000, or both.

Further, a penalty up to INR 25,000 has been prescribed for a contravention of the Privacy Rules. 

Note:

Section 43A of the IT Act requires a corporate body corporate which possesses, deals or handles SPDI in a computer resource owned, controlled or operated by it to implement and maintain reasonable security practices and procedures. Wrongful loss or wrongful gain to any person due to non-compliance with the above requirements would result in the body corporate being liable to pay damages by way of compensation to the person affected.

Section 72 of the IT Act also prescribes the penalty for the breach of confidentiality and privacy by a person who discloses any electronic records, books, registers, correspondences, information, documents or any other material to which he/she secured access under powers conferred under the IT Act without the consent of the concerned person. Those punished under this provision can be imprisoned for up to two years or fined up to INR 100,000 or both.

The IT Act separately deals with the disclosure of personal information which is in breach of a lawful contract. Under Section 72A, such disclosure is a punishable offense when done intentionally, or with the knowledge that it is likely to cause wrongful gain or loss. The punishment prescribed for the same is imprisonment up to three years or a fine up to INR 500,000, or both.

For invoking the above provision, the following conditions need to be satisfied:

• access to any material containing personal information;
• the existence of an intention or knowledge of causing wrongful loss or wrongful gain; and
• disclosure without consent of the person concerned, or in breach of a lawful contract

Penalties under the IT Act apply to “any offense or contravention thereunder committed outside India by any person”. ² The IT Act clarifies that this provision is applicable only if the “act or conduct constituting the offense or contravention involves a computer, computer system or computer network located in India”.³

________

[1] Section 43A, IT Act
[2] Section 1(2), IT Act
[3] Section 75(2), IT Act

The IT Act does not explicitly refer to electronic marketing.

However, the Telecom Regulatory Authority of India ("TRAI") regulates the Do Not Call ("DNC") Registry which is implemented by the respective access providers. 

Note: 

They also require that companies address marketing and information collection practices in their privacy policies. Additionally, TRAI effectively enforces the Do Not Call ("DNC") Registry. Repeated violations of the DNC norms can lead to telemarketing companies losing their licenses.

Unsolicited commercial calls are regulated under the Telecom Commercial Communications Customer Preference Regulations, 2018 ("2018 Regulations").¹ Instead of seeking to directly regulate telemarketers, the 2018 Regulations devolve control and regulatory power to access providers who are required to establish their own Codes of Practice ("CoPs"). Consent, both explicit and inferred, and registered preferences of telecom subscribers are to be considered while sending commercial communication. Customers can opt-out and entities are to scrub using scrubbers to ensure compliance with customer preferences and consent.

A Customer Complaint Registration Facility ("CCRF") is required to be established by access providers while also providing for means of lodging complaints about violation of preferences. 

The 2018 Regulations require access to providers to ensure that all entities making and sending commercial communications are registered with them and that they comply with the 2018 Regulations. Failure to register may result in the capping of their services and may even result in the disconnection of telecom services and blacklisting.

________

[1] The Telecom Commercial Communications Customer Preference Regulations, 2018 may be accessed at https://www.trai.gov.in/sites/default/files/RegulationUcc19072018_0.pdf (Last visited on 15/06/2022)

The government has signaled an intent to replace the existing privacy regime. In December 2019, the Personal Data Protection Bill, 2019 (“2019 Bill”) was introduced in the Indian Parliament. The bill aims to introduce a comprehensive new framework for privacy and data protection in India. The 2019 Bill was reviewed by a Joint Parliamentary Committee (“JPC”) which published a report capturing its suggestions. For some of the recommendations, the report suggests changes to the 2019 Bill, now referred to as the Data Protection Bill (“DP Bill”). Having received the JPC’s recommendation, the IT Ministry is expected to give its views on the DP Bill to the Union Cabinet which may include accepting/rejecting the JPC’s recommendation and presenting a new version of the DP Bill. Thereafter, the IT Ministry would re-introduce the DP Bill before Parliament for the passing of the bill (including based on further legislative deliberation). https://economictimes.indiatimes.com/tech/technology/fresh-legislation-may-replace-data-protection-bill/articleshow/89624369.cms However, importantly, news reports also indicate that the Government of India is considering replacing the previously suggested draft bill with a fresh draft altogether.

Note: 

While numerous legislation aimed at strengthening the privacy regime in India have been drafted, only the 2019 Bill was introduced in the Indian Parliament. In December 2021, the JPC presented its report on the 2019 Bill, and proposed several changes to the 2019 Bill. Among other things, the bill now governs non-personal data and is referred to as the Data Protection Bill ("DP Bill").  Prior to the 2019 Bill, Privacy Protection Bill, 2013 and the Personal Data Protection Bill, 2014 contained:

• The right to demand destruction of the data which is unnecessary for the purpose for which it is collected.
• The requirement of consent for disclosure of personal data and not just SPDI.
• The exemption from prior consent required for the disclosure of personal data being restricted to specific grounds such as national security, defense, public order and so on.
• The continuing liability of entities after they transfer data to others.
• Notification obligations for corporates, if the confidentiality, integrity or safety of personal data has been violated due to enumerated reasons.

Thereafter, the draft Personal Data Protection Bill, 2018 was prepared, having the following salient features:

• The extended scope of application as compliance with the new framework will be required in respect of data processing activities within India, processing by private and public Indian entities as well as certain processing activities that take place outside India.
• The new set of rights guaranteed to the data principal such as the right to be forgotten.
• The proposal to establish an independent and dedicated Data Protection Authority to administer and enforce the framework. The authority will have additional powers in relation to facilitating data breach notifications to data principals, and prescribing Codes of Conduct for data fiduciaries to adopt.
• The parameters for consent for the processing of personal data to be valid - free, informed, specific, clear and capable of being withdrawn. For the processing of sensitive personal data, consent will have to be explicit.
• The various non-consensual grounds for the processing, including prompt action, reasonable purposes, and employment. The important exemptions to the applicability of the bill, including for research activities, personal or domestic purposes and for journalistic activities.

The 2019 Bill retains much of the draft Personal Data Protection Bill, 2018. Some of the key differences in the 2019 Bill are:

• Personal Data includes ‘inference drawn from [the other categories of personal data] for the purposes of profiling’. 
• Several new categories of data fiduciaries have been introduced, i.e. ‘significant data fiduciaries’, ‘social media intermediaries’ and ‘consent managers’. Different obligations have been provided for entities falling within these categories. 
• Data localization requirements have been slightly relaxed. There are no restrictions on the transfer of ‘persona data’; ‘sensitive personal data’ has to be stored in India though it can be transferred outside India. However, the restriction on processing ‘critical personal data’ within India continues to remain.
• The central government has the power to requisition any anonymized personal or non-personal data from a data fiduciary or data processor for enabling better targeting of delivery services or formulation of evidence-based policies. Non-personal data has been defined as all data other than personal data.

The key concepts in the DP Bill overlap with the 2019 Bill and follow a structure similar to global data protection regimes. Key differences between the two include:

• All previous versions of India’s data protection law focused on personal data -- however, the DP Bill has expanded the scope to cover non personal data (“NPD”) expressly.
• A “social media intermediary” in the 2019 Bill now referred to as a “social media platform” ("SMP"), to account for the fact that platforms often act as publishers of content and they should be held accountable for any unlawful content they host. However, the obligations applicable to such platforms have not substantially changed from the 2019 Bill.
• With respect to data localization requirements, while the overall requirements are similar, key changes include that all contracts/intra-corporate schemes/transfers for a particular purpose should be approved by the DPA in consultation with the Central Government, and that transfer of sensitive personal data to foreign governments and agencies will only be allowed after approval of the Central Government.
• In addition to the expansion of data breaches to include NPD breaches, the DP Bill also mandated a reporting persona data breach within 72 hours from becoming aware of the breaches.
• Under the revised penalty clause, the quantum of penalty as may be imposed on a data fiduciary is now left to be prescribed by the Central Government in the form of rules, with the maximum amount of penalty being defined (in the highest case, fifteen crore rupees or 4% of global turnover).

Additionally, the Aadhar (Target Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016 (“Aadhaar Act”) provides for the protection of the various information collected in furtherance of providing individuals with the Aadhar Unique Identification Number.

It provides for the protection of biometric information such as an individual’s fingerprints, iris scans and other biological identifiers (specified by regulations). This information can only be used for Aadhaar enrolment and authentication. Further, it cannot be shared with anyone, or displayed publicly, except for the purposes enumerated by the regulations. [Section 28 of the Aadhaar Act] 

Section 37 of the Aadhar Act penalizes the illegal disclosure of information with imprisonment up to three years and/or a fine of up to ten thousand rupees. In the case of a company, the fine can extend up to one lakh rupees.

This legislation was challenged before the Supreme Court of India in the Puttaswamy Judgement. On September 26, 2018, the court upheld the constitutionality of the Aadhaar Act, while a few provisions of the act and related rules, regulations, circulars and notifications were struck down or read down. The court, however, did not rule on the validity of Section 28 or Section 37 of the Aadhaar Act.

In this decision, the court balanced the right to lead a dignified life (which entails subsidies, benefits and services offered by the Government) and the right to personal autonomy (which entails the right to informational privacy).

Accordingly, the court read down Sections 33(2), 47 and 57, extensively relying on principles of data protection.

Pursuant to the Puttaswamy Judgment, the Aadhaar Amendment Act, 2019 ("2019 Amendment") had been enacted to amend the Aadhaar Act. Amongst other things, this amendment:

• Provides that Aadhaar enrollment and its use for authentication are voluntary and minors enrolled by guardians have the option to opt-out of the Aadhaar ecosystem.
• Ensures that even disclosures pertaining to Aadhaar pursuant to directions by a court cannot be made by a court inferior to the High Court (court established under the Constitution of India).
• Provides a civil penalty for non-compliance with the Aadhaar Act and rules made thereunder act which may extend to one crore rupees (INR 1,00,00,000/-) for each contravention and in case of a continuing failure, with an additional penalty which may extend to ten lakh rupees (INR 10,00,000/-) for every day during which the failure continues after the first contravention.