
4/11/2017 India: Data Protection 2016 - ICLG International Comparative Legal Guides

India

Data Protection 2016


Published: 09/05/2016

Chapter contents

1 Relevant Legislation and Competent Authorities
2 Definitions
3 Key Principles
4 Individual Rights
5 Registration Formalities and Prior Approval
6 Appointment of a Data Protection Officer
7 Marketing and Cookies
8 Restrictions on International Data Transfers
9 Whistleblower Hotlines
10 CCTV and Employee Monitoring
11 Processing Data in the Cloud
12 Big Data and Analytics
13 Data Security and Data Breach
14 Enforcement and Sanctions
15 E-discovery / disclosure to foreign law enforcement agencies
16 Trends and Developments

1 Relevant Legislation and Competent Authorities

https://iclg.com/practiceareas/dataprotection/dataprotection2016/india

1.1 What is the principal data protection legislation?

In the absence of specific legislation, data protection is achieved in India on the basis of the following legislation, which also applies to other aspects of online regulation, such as e-commerce and cybercrime:

The Information Technology Act (2000), amended by the Information Technology (Amendment) Act (2008), henceforth referred to as the IT Act, which contains provisions for the protection of electronic data. The IT Act penalises cyber contraventions, which attract civil proceedings under section 43(a)-(h), and cyber offences, which attract criminal action under sections 65-74. The former category includes gaining unauthorised access to, and downloading or extracting data from, computer systems or networks. The latter covers serious offences like tampering with computer source code, hacking with intent to cause damage, and breach of confidentiality and privacy.

In April 2011, the Indian Ministry of Communications and Information Technology published four sets of rules implementing certain provisions of the Information Technology (Amendment) Act (2008), as follows:

- The Security Practices Rules require entities holding sensitive personal information of users to maintain certain specified security standards.
- The Intermediary Guidelines Rules prohibit content of a specific nature on the internet. An intermediary, such as a website host, is required to block such content.
- The Cyber Café Rules require cyber cafés to register with a registration agency and maintain a log of the identity of users and their internet usage.
- Under the Electronic Service Delivery Rules, the Government can specify certain services, such as applications, certificates, licences, etc., to be delivered electronically.

Of relevance to the issue of data protection is the first set of rules in the list above:

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules (2011), henceforth referred to as the IT Rules, which were framed under section 43A of the Information Technology Act (2000) as amended in 2008. The IT Rules set out procedures for corporate entities which collect, process or store personal data (including sensitive personal information). These Rules also distinguish personal information from sensitive personal information.

It must be pointed out that because the statutes in question were not drafted specifically with the protection of data in mind, the patchwork of existing legislation currently being used for this purpose certainly leaves a lot to be desired in terms of effective protection of data, and even a basic definition of scope and sanctions.

The Government recognises this, and has also proposed to enact specific legislation on privacy (the Privacy Bill) which, if it comes into force, will override the IT Rules. The Privacy Bill recognises an individual's right to privacy and provides that this right cannot be infringed except in certain circumstances specified in the Bill, which include protection of national integrity or sovereignty, national security, prevention of crime and public order. Although the Privacy Bill was first drafted in 2011, and multiple revised drafts have been published regularly ever since, the Bill has not yet passed into law. Currently, two major issues are hindering smooth passage of the Bill in the Legislature:


1) A disagreement between the judiciary and intelligence agencies over whether or not the agencies ought to be under the scrutiny of a competent court with respect to interception of personal data when they deem it necessary.

2) A debate over the extension of protection granted by the legislation to all residents of the country (as opposed to only the citizens).

The Bill is expected to become law later this year. It must be noted that although the latest draft of the proposed Bill was allegedly circulated to the Committee of Secretaries and leaked to the Centre for Internet and Society (an independent non-profit organisation in Delhi and Bangalore) in 2014, this last draft is not yet publicly available. All references to the draft Privacy Bill in this chapter therefore refer to the publicly available draft from 2011.

1.2 Is there any other general legislation that impacts data protection?

Data protection may also sometimes occur through the enforcement of property rights based on the following:

The Copyright Act (1957): Since the Act protects intellectual property rights in different types of creative work, including literary works, and the term "literary work" statutorily includes computer databases, copying a computer database, or copying or distributing a database, could amount to copyright infringement under the Act. This provides some scope for protecting different types of data as literary works. It is important to note, however, that there is a difference between database protection and data protection, which serve very different purposes. Database protection protects the creative investment in the compilation, presentation and verification of databases, while data protection aims to protect the privacy of individuals by limiting or restricting access to their personal or sensitive information.

The Indian Penal Code (1860): This could be used to prevent theft of data. The offences of theft and misappropriation technically apply only to movable property under the Indian Penal Code, but the term "movable property" has been defined to include corporeal property of every description except land or property that is permanently attached to the earth.

The Indian Constitution: Article 21 of the Constitution protects an individual's right to life and personal liberty. The Supreme Court of India has repeatedly held that the right to privacy is implicit in the right to life and personal liberty. The 2014 draft of the Privacy Bill recognises the right to privacy as being within the scope of Article 21 of the Constitution. Article 300A of the Constitution also guarantees the right not to be deprived of one's property except by authority of law, so if the data in question is regarded as property, this provision may be relied upon. It must be noted, however, that rights guaranteed by the Constitution may normally only be enforced against the State or State-owned enterprises.

In addition to the above, invasion or breach of privacy could lead to an action in tort.

1.3 Is there any sector-specific legislation that impacts data protection?

Business Process Outsourcing units implement self-regulatory processes, such as the BS 7799 and ISO 17799 standards, to standardise information security management and restrict the quantity of data made available to employees. (Both standards have since been superseded: BS 7799-2 became ISO/IEC 27001 and ISO 17799 was renumbered as ISO/IEC 27002. ISO/IEC 27001 is also the standard the IT Rules name as a reasonable security practice, so a unit still auditing against BS 7799 or ISO 17799 should map its controls to the current standard.)

The Reserve Bank of India periodically issues guidelines, regulations and circulars to maintain the confidentiality and privacy of client information, and in 2006, in conjunction with several other banks belonging to the Indian Banks' Association, also established a body called the Banking Codes and Standards Board of India to evolve a set of voluntary norms which banks must enforce themselves through internal grievance redressal mechanisms within each bank. These mechanisms include a designated Code Compliance Officer and an Ombudsman.

Similarly, the Securities and Exchange Board of India is a securities market regulator which requires securities market intermediaries to maintain confidentiality of client data, including personal data.

These regulations apply in addition to the IT Rules. While they provide a certain degree of security, the lack of legislative enforcement and foresight means that they are enforced in varying degrees by each individual institution and do not come with guaranteed parliamentary sanction.

1.4 What is the relevant data protection regulatory authority(ies)?

There are no specific national regulators dealing with the administration of privacy laws in India. However, the Privacy Bill contemplates the creation of a Data Protection Authority of India which will monitor and enforce compliance with the Bill.

In cases where the compensation amount claimed for a failure to protect the confidentiality of sensitive personal information is less than INR 50,000,000, the IT Act provides for the Government to appoint an Adjudicating Officer. All proceedings before the Adjudicating Officer are deemed to be judicial proceedings and the officer has the powers of a civil court. The details of the enquiry procedure that the Adjudicating Officer must use are provided in the Information Technology (Qualification and Experience of Adjudicating Officers and Manner of Holding Enquiry) Rules (2003).

2 Definitions

2.1 Please provide the key definitions used in the relevant legislation:

"Personal Data"
The legislation does not contain a definition of the term "personal data". However, the IT Rules define "personal information" as any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such a person.

The IT Act defines "data" as a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts, magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer.

The draft of the proposed Privacy Bill defines "personal data" as any data which relates to a living, natural person, if that person can, either directly or indirectly, in conjunction with other data that the data controller has or is likely to have, be identified from that data. This includes any expression of opinion about said person.

"Sensitive Personal Data"
The IT Rules define "sensitive personal data or information" as such personal information which consists of information relating to:

- passwords;
- financial information, such as bank account or credit card or debit card or other payment instrument details;
- physical, physiological and mental health conditions;
- sexual orientation;
- medical records and history;
- biometric information;
- any details relating to the above clauses as provided to a body corporate for provision of services; and
- any information received under the above clauses by a body corporate for processing, or which has been stored or processed under lawful contract or otherwise.

Provided that any information that is freely available or accessible in the public domain, or furnished under the Right to Information Act (2005) or any other law currently in force, shall not be regarded as sensitive personal data or information for the purposes of these rules.

The proposed Privacy Bill provides a more specific definition of sensitive data as follows:

"Sensitive personal data" of an individual means personal data relating to:

1. unique identifiers such as the Aadhaar number or PAN (Permanent Account Number);
2. physical and mental health, including medical history;
3. biometric or genetic information;
4. criminal convictions;
5. banking, credit and financial data; and
6. narco-analysis and/or polygraph test data.

"Processing"
Neither the IT Act nor the IT Rules contain a definition of the term "processing".

However, the proposed Privacy Bill defines "processing" as any operation, or set of operations, whether carried out through automatic means or not, that relate to:

1. the organisation, collation, storage, update, modification, alteration or use of personal data; or
2. the merging, linking, blocking, degradation, erasure or destruction of personal data.

"Data Controller"
Neither the IT Act nor the IT Rules contain a definition of the term "data controller".

However, the proposed Privacy Bill defines the term as any person who processes personal data. This includes bodies corporate, partnerships, societies, trusts, associations of persons, Government companies, Government departments, urban local bodies, agencies or instruments of the State.

"Data Processor"
Neither the IT Act nor the IT Rules contain a definition of the term "data processor".

However, it is generally understood that bodies corporate collecting and processing data from data subjects are called data processors. This understanding is broadly affirmed by the definition provided in the proposed Privacy Bill, which states that, in relation to personal data, a data processor is any person (other than an employee of the data controller) who processes the data on behalf of the data controller.

"Data Subject"
In August 2011, the Ministry of Communications and Information Technology issued a Press Note (Clarification on the Privacy Rules) which states that the term "provider of information" refers to those natural persons who provide sensitive personal data or information to a body corporate. It is generally understood that "provider of information" is synonymous with "data subject", although the legislation contains no definition of either term.


According to the proposed Privacy Bill, a data subject is any living individual whose personal data is processed by a data controller in India.

Other key definitions - please specify (e.g., "Pseudonymous Data", "Direct Personal Data", "Indirect Personal Data")

"Pseudonymous Data"
Neither the IT Act nor the IT Rules contain a definition of the term "pseudonymous data".

"Direct Personal Data"
Neither the IT Act nor the IT Rules contain a definition of the term "direct personal data".

"Indirect Personal Data"
Neither the IT Act nor the IT Rules contain a definition of the term "indirect personal data".

3 Key Principles

3.1 What are the key principles that apply to the processing of personal data?

Transparency
Under the IT Rules, data controllers and data processors must provide a privacy policy for the handling of or dealing in personal information, including sensitive personal information, and ensure that this policy is available to the data subject who has provided said information by lawful contract. Further, the policy shall be published on the website of the body corporate or any person on its behalf, and shall provide:

1. clear and easily accessible statements of the practices and policies of the data controller;
2. the types of sensitive or personal data or information collected by the body corporate, as defined by the IT Rules;
3. the purpose of collection and usage of such information;
4. disclosure of information, including sensitive personal data or information, as and when it is requested by the data subject under specified conditions; and
5. reasonable security practices and procedures as specified in the Rules.

The proposed Privacy Bill, in Chapter III, section 9, further provides for the following principles to be adhered to in the transparent collection of personal data:

Personal data must be directly collected from the data subject except if:

1. the information is part of the public record or has been made public by the data subject; or
2. the data subject has consented to the collection of personal data from another source.

Further, the Bill also states that when personal data is collected directly from the data subject, the data controller must, at any time before the data is processed, take reasonable steps to make the data subject aware of the following:

1. the documented purpose for which such personal data is being collected;
2. whether provision of data by the data subject is voluntary or mandatory under the law, or simply in order to avail of any products or services;
3. the consequences of the failure to provide said personal data;
4. the recipient or category of recipients of the personal data;
5. the name and address of the data controller and all persons who are, or will be, processing information on behalf of the data controller; and
6. if it is intended that the personal data be transferred out of the country, then details of said transfer.

Lawful basis for processing
The IT Rules mandate that the body corporate (or any person on its behalf) must obtain consent in writing from the data subject for the specific purpose for which the data will be used, before the collection of the data. Sensitive personal information may only be collected for a lawful purpose connected with a function or purpose of the corporate entity, and only if such collection is considered necessary for that purpose. The corporate entity must ensure that the information is being used only for the purpose for which it was collected.

The proposed Privacy Bill further provides that personal data shall be collected only with the consent of the data subject, unless said collection is either necessary for the data controller in order to comply with a particular law or ordinance, or is mandatory under current law. However, for any data subject under the age of 18, obtaining consent from their legal or natural guardian is mandatory, regardless of the exceptions previously made.

The Bill also provides, in sections 9 and 10 of Chapter III, guidelines for the lawful processing of personal data, specifying that personal data must be processed only in a fair, appropriate and lawful manner and for the documented purpose alone. The Bill states that the data controller shall collect and process only such type and amount of personal data as is absolutely necessary to fulfil the documented purpose. Data controllers must also ensure, according to the Bill, that all persons involved in any stage of the processing of personal data shall treat the personal data as confidential, and shall communicate said data only to people who are directly employed by the data controller, or any sub-contractor of the data controller who is under an obligation to maintain confidentiality.

The drafters of the proposed Privacy Bill have also seen fit to draw a distinction between the guidelines for the lawful processing of personal data and those that govern the processing of sensitive personal data. Chapter III, section 12 of the Bill specifically addresses the processing of sensitive personal data, stating that it shall not be collected or processed unless authorised by the relevant authority, and further stating that no such authorisation shall be required in a particular list of circumstances. These include, among other things: that the collection or processing of such data is required by law; that the said data has already been made public by the data subject; that such collection and processing is made in connection with any legal proceedings, if said processing is necessary for the purposes of obtaining legal advice, or for establishing or defending legal rights; and that data relating to criminal convictions, biometrics and genetic information is collected and processed by law enforcement agencies.

Purpose limitation
Neither the IT Rules nor the IT Act provides a specific timeframe for the retention of sensitive personal information. However, the IT Rules state that a body corporate or any person on its behalf holding sensitive personal data or information shall not retain that information for longer than is required for the purposes for which the information may lawfully be used or is otherwise required under any other law for the time being in force.

Data minimisation
There is no statutory definition or guidance with respect to data minimisation.

Proportionality
There is no statutory definition or guidance with respect to proportionality.

Retention
As explained above, neither the IT Rules nor the IT Act provides specific guidance with respect to the timeframe for retention of sensitive personal information. However, the Rules do not override provisions of other laws that may specify a particular period of retention for sensitive data. For example, telecom licences require licensees to maintain, for security reasons and for scrutiny by the Department of Telecommunications, all commercial records related to communications exchanged on the network for at least one year.

Section 67C of the IT Act requires an intermediary to retain such information, and for such period of time, as shall be prescribed by the Central Government. "Intermediary" includes telecom service providers, network service providers, internet service providers, web hosting service providers, search engines, online auction sites, online marketplaces and cyber cafés. The Central Government has yet to frame rules implementing the retention provision, and therefore the nature of data to be retained and the duration of retention are unclear.

The proposed Privacy Bill will clarify the law on retention of personal data, stating as it does in section 13 of Chapter II that personal data shall only be retained for as long as is necessary to achieve the documented purpose, unless:

1. it is required by law to be retained for a longer period;
2. the data subject consents to its retention for a longer period;
3. such retention is required by a contract between the data subject and the data controller; or
4. it is required to be so retained for historical, statistical or research purposes.

The Bill further states that all personal data that need no longer be retained in accordance with the above shall either be destroyed or anonymised. During the process of destruction or anonymisation, the data controller must ensure that unauthorised persons do not gain access to the personal data. The destruction of personal data must be carried out in a manner that ensures that it is impossible to re-identify the personal data once it has been destroyed.

Other key principles - please specify
There are no other key principles in particular.

4 Individual Rights

4.1 What are the key rights that individuals have in relation to the processing of their personal data?

Access to data
Rule 5, subsection 6 of the IT Rules mandates that the body corporate or any person on its behalf must permit providers of information or data subjects to review the information they may have provided. However, the Rules do not explain the procedure to be followed by data subjects in exercising the right to access the data they have provided. Nor do they specify whether there is a time limit within which the data processor must comply with a request for access.

This situation will be clarified somewhat by the proposed Privacy Bill, which states that any data subject shall, provided he or she can prove his or her identity, have the right to ask for confirmation from the data controller that it does have complete control over the personal data, request details with respect to who else, including any third parties, has access to the personal data, and require the data controller to provide information about the logic involved in the automated process of decision-making where the personal data in question is being processed automatically for evaluation purposes.

The Bill states that data controllers must provide the required information to the data subject within 45 days of receiving a request for it, provided that the request was accompanied by the prerequisite fee, and that the data controller is obliged to inform the data subject that the latter may legally ask the data controller to make any changes to inaccurate or deficient personal data. Access to personal data may be denied only if the information cannot be given out without also disclosing information about another data subject who could be identified from that information, unless that data subject has consented to such disclosure.

Correction and deletion
Rule 5, subsection 6 of the IT Rules states that data subjects must be allowed access to the data provided by them, and that any information found to be inaccurate or deficient shall be corrected or amended as feasible. Although the Rules do not directly address deletion of data, they state in Rule 5, subsection 1, that corporate entities or persons representing them must obtain written consent from data subjects regarding the usage of the sensitive information they provide. Further, data subjects must be provided with the option not to provide the data or information sought to be collected.

The proposed Privacy Bill affirms the above, and further states that unless the data controller can adduce adequate evidence of the complete accuracy and completeness of the data and the fact that it is entirely fitting with respect to the purpose of the data collection in question, or of the lawfulness of its collection, the data subject has the right to request a data controller to destroy any personal data that he or she considers either excessive in relation to the documented purpose of collection, or based on incorrect facts, or processed unlawfully.

Objection to processing
Rule 5 of the IT Rules states that the data subject or provider of information shall have the option to later withdraw consent which may have been given to the corporate entity previously; such withdrawal of consent must be stated in writing to the body corporate. On withdrawal of consent, the body corporate is prohibited from processing the personal information in question.

In the case of the data subject not providing consent, or later withdrawing consent, the body corporate shall have the option not to provide the goods or services for which the information was sought.

Objection to marketing
This is the same as the objection to processing; see above.

Complaint to relevant data protection authority(ies)
Rule 5, subsection 9 of the IT Rules mandates that all discrepancies or grievances reported to data controllers must be addressed in a timely manner. Corporate entities must designate Grievance Officers for this purpose, and the names and details of said officers must be published on the website of the body corporate. The Grievance Officer must redress respective grievances within a month from the date of receipt of said grievances.

Other key rights - please specify
Disclosure of data
Data subjects also possess rights with respect to disclosure of the information they provide. Disclosure of sensitive personal information requires the provider's prior permission, unless either:

1. disclosure has already been agreed to in the contract between the data subject and the data controller; or
2. disclosure is necessary for compliance with a legal obligation.

The exceptions to this rule are if an order under law has been made, or if a disclosure must be made to Government agencies mandated under the law to obtain information for the purposes of:

1. verification of identity;
2. prevention, detection and investigation of crime; or
3. prosecution or punishment of offences.

Recipients of this sensitive personal information are prohibited from further disclosing said information.

5 Registration Formalities and Prior Approval

5.1 In what circumstances is registration or notification required to the relevant data protection regulatory authority(ies)? (E.g., general notification requirement, notification required for specific processing activities.)

There are no statutory registration or notification requirements for either data processors or data controllers.

The proposed Privacy Bill provides for the establishment of a Data Protection Authority of India, and in Chapter VII, section 43, stipulates that the Authority shall establish and maintain a National Data Controller Registry, an online database to facilitate the efficient and effective entry of particulars by data controllers. If the Bill is enacted, data controllers shall not be permitted to process any data belonging to any data subject for a given documented purpose unless they first make an entry in the Registry in a format to be pre-ordained by the Central Government.

5.2 On what basis are registrations/notifications made? (E.g., per legal entity, per processing purpose, per data category, per system or database.)

As stated in question 5.1, India has no current legislative requirements with respect to registration or notification. However, the draft of the proposed Privacy Bill suggests that the registration requirements it prescribes, once enforced, will function as per the documented purpose of processing.

5.3 Who must register with/notify the relevant data protection authority(ies)? (E.g., local legal entities, foreign legal entities subject to the relevant data protection legislation, representative or branch offices of foreign legal entities subject to the relevant data protection legislation.)

As stated in questions 5.1 and 5.2 above, legislation currently in force in India contains no information on registration requirements for data processors or controllers. However, the proposed Privacy Bill states that all data controllers who wish to process data for a particular purpose must first register with the National Data Controller Registry with respect to that particular documented purpose.

5.4 What information must be included in the registration/notification? (E.g., details of the notifying entity, affected categories of individuals, affected categories of personal data, processing purposes.)

As stated in questions 5.1, 5.2 and 5.3 above, India currently does not have any legislative requirements with respect to registration or notification procedures for data controllers or processors. However, the proposed Privacy Bill prescribes in Chapter VII, section 43(5) that the National Data Controller Registry shall contain the following details of data controllers in respect of each documented purpose for which the personal data is being processed:

1. name;
2. address of the principal place of business of the data controller;
3. name and address of the nominated representative of the data controller, if one has been so nominated;
4. description of the documented purpose;
5. description of the personal data being processed or to be processed by the data controller;
6. description of the recipients of the personal data or any persons to whom the data controller may disclose the personal data; and
7. description of the countries to which the data controller directly or indirectly transfers or intends to transfer the personal data.


5.5 What are the sanctions for failure to register/notify where required?

Since Indian legislation does not currently specify any particular registration or notification requirements for data processors or controllers, the law is correspondingly silent on the question of sanctions for failure to do the same.

The proposed Privacy Bill includes, within the functions of the Data Protection Authority of India, the function of receiving and investigating alleged violations of data protection, as well as any data security breaches, and issuing appropriate orders as may be required to safeguard the security interests of the data subjects in question.

The proposed Bill does state in Chapter X, section 60, that the penalty for failure to register will be a fine extending up to INR 500,000.

5.6 What is the fee per registration (if applicable)?

Neither the current nor the proposed legislation prescribes registration fees.

5.7 How frequently must registrations/notifications be renewed (if applicable)?

Neither the current nor the proposed legislation prescribes guidelines with respect to renewals.

5.8 For what types of processing activities is prior approval required from the data protection regulator?

The IT Act and associated amendments and rules do not prescribe prior approval requirements specifically with respect to data protection regulators. However, as stated in question 4.1 above, data controllers must obtain the consent of the data subject regarding the purpose of use before collecting any sensitive personal information. They must not collect any sensitive personal information unless:

1. the information is collected for a lawful purpose and is connected with a function or activity of the data controller; and
2. the collection of the information is considered necessary for that purpose.

The legislation, both current and proposed, does not address requirements for any other approval that data controllers are required to obtain, or what activities warrant said approval.

5.9 Describe the procedure for obtaining prior approval, and the applicable timeframe.

This is not applicable. See the answer to question 5.8 above.

6 Appointment of a Data Protection Officer

6.1 Is the appointment of a Data Protection Officer mandatory or optional?

Neither the IT Act nor the IT Rules mention the appointment or role of a Data Protection Officer.

According to section 46 of the IT Act, an Adjudicating Officer shall be appointed by order of the Central Government for the purpose of determining whether or not any person has contravened any provision of the IT Act. The Adjudicating Officer has the trappings of a civil court.

In addition, section 48 of the Act provides for the establishment, by notification, of an appellate tribunal known as the Cyber Regulations Appellate Tribunal. The tribunal will have an appellate jurisdiction and is entitled to exercise its jurisdiction both on fact and law over a decision or order passed by the Adjudicating Officer or the Controller of Certifying Authorities.

The appointments of both the Adjudicating Officer and the Cyber Regulations Appellate Tribunal are optional and entirely at the discretion of the Central Government. The Act does not specify which circumstances justify the appointment of the Adjudicating Officer or the Appellate Tribunal. It is also unclear whether such appointment is made suo motu or on representation by another party.

6.2 What are the sanctions for failing to appoint a mandatory Data Protection Officer where required?

Neither the IT Act nor the IT Rules address the question of sanctions in the circumstances that an Adjudicating Officer is not appointed.

6.3 What are the advantages of voluntarily appointing a Data Protection Officer (if applicable)?

This is not applicable.

6.4 Please describe any specific qualifications for the Data Protection Officer required by law.

Since the law does not address the appointment of a Data Protection Officer specifically, there are no statutorily prescribed qualifications for this position.

However, under section 46 of the IT Act, the Adjudicating Officer must not be below the rank of a Director to the Government of India, or an equivalent officer of the State Government, and must possess such experience in the field of information technology and legal or judicial experience as may be prescribed by the Central Government. If more than one Adjudicating Officer is appointed, the Central Government will determine the jurisdictional powers of the officers.

Under section 48 of the IT Act, the Central Government has been given a mandate to employ more than one Cyber Regulations Appellate Tribunal, but the language of Rule 13 of the Cyber Regulations Tribunal (Procedure) Rules (2000) makes it clear that there shall be only one tribunal. The tribunal must consist of one person only, referred to in section 49 of the Act as the Presiding Officer of the Cyber Appellate Tribunal. The qualifications of the Presiding Officer must be the following:

1. that he is, or has been, or is qualified to be, a Judge of the High Court; or
2. he is, or has been, a member of the Indian Legal Service and is holding or has held a post in Grade 1 of that service for at least three years.

The Central Government has not so far appointed a Presiding Officer for the Cyber Regulations Appellate Tribunal.

6.5 What are the responsibilities of the Data Protection Officer, as required by law or typical in practice?

Section 46 of the IT Act mandates that an Adjudicating Officer is appointed by the Central Government for the purposes of holding an inquiry in the manner prescribed by the Central Government.

This section further states that the Adjudicating Officer shall, after giving the person who has committed the alleged contravention a reasonable opportunity for making representation in the matter, and if, on such inquiry, he is satisfied that the person has committed the contravention, may impose such penalty or award such compensation as he thinks fit in accordance with the provisions of that section.

Section 47 of the Act states that the factors to be taken into account by the Adjudicating Officer in determining the quantum of compensation are the following:

(a) the amount of gain of unfair advantage, wherever quantifiable, made as a result of the default;

(b) the amount of loss caused to any person as a result of the default; and

(c) the repetitive nature of the default.


The Cyber Regulations Appellate Tribunal, being an appellate body, has the power to examine the correctness, legality or propriety of the decision or order passed by the Controller of Certifying Authorities or the Adjudicating Officer under the IT Act. This power is absolute which, by implication, bars the jurisdiction of civil courts to hear such appeals.

The Act grants an unconditional right of appeal to any aggrieved party to appeal an order made by the Controller or an Adjudicating Officer under this Act. Further, the appeal before the Tribunal shall be filed within a period of 45 days from the date on which a copy of the order made by the Controller or the Adjudicating Officer is received by the person so aggrieved, according to section 57 of the Act.

The judicial function of the Cyber Regulations Appellate Tribunal is to give the parties to the appeal an opportunity to be heard, and to pass such orders thereon as it thinks fit, confirming, modifying or setting aside the order appealed against.

Under section 57, subsection 6 of the Act, the emphasis is on employing all judicial means to dispose of the appeal within six months of the date of receipt of the appeal.

The Act further provides a second forum of appeal in the form of the High Court (the first being the Cyber Regulations Appellate Tribunal) to any person aggrieved by any decision or order of the Cyber Regulations Appellate Tribunal. An appeal is to be filed within 60 days from the date of communication of the decision or order of the Cyber Regulations Appellate Tribunal, on any question of fact or law arising out of said order.

6.6 Must the appointment of a Data Protection Officer be registered/notified to the relevant data protection authority(ies)?

Neither the IT Act nor the IT Rules prescribe notification/registration requirements for the appointment of an Adjudicating Officer.

7 Marketing and Cookies

7.1 Please describe any legislative restrictions on the sending of marketing communications by post, telephone, email, or SMS text message. (E.g., requirement to obtain prior opt-in consent or to provide a simple and free means of opt-out.)

There are no legislative guidelines or statutory regulations governing marketing communications through email or post. However, the Telecom Unsolicited Commercial Communications Regulations (2007) and the Telecom Commercial Communications Customer Preference Regulations (2010), both made under the Telecom Regulatory Authority of India (TRAI) 1997, regulate unsolicited commercial communications through telephone or by text. The Regulations state that telemarketers must register themselves with TRAI before they may send out marketing communication through telephone or text messages.

The Regulations also provide for those who wish not to receive unsolicited commercial communication to opt out of receiving said telephone calls or text messages. This is done simply by registering one's preference with the Customer Preference Registration Facility, which is statutorily required to be set up by the local access provider (defined in the Regulations as including the basic telephone service provider, the cellular mobile telephone service provider and the unified access service provider) or by registering with the National Do Not Call Register.


The proposed Privacy Bill, in Chapter VI, section 30, places restrictions on direct marketing. When the Bill is enacted, no person shall be permitted to hold or process a personal database used for direct marketing services, unless he is registered with the National Data Registry and one of the purposes of registration is in fact direct marketing, he has a record stating the source from which he obtained the personal data, and all the individuals whose data is contained in the database have consented to receive direct marketing communication from the person in question.

7.2 Is the relevant data protection authority(ies) active in enforcement of breaches of marketing restrictions?

As stated above, there are no marketing restrictions on the internet or through mail. However, TRAI actively enforces penalties on telemarketers who are in breach of its regulations in respect of commercial communication through telephone and text messages.

7.3 Are companies required to screen against any do not contact list or registry?

The TRAI regulations for telemarketers prescribe that telemarketers must download data from the National Customer Preference Register and that they shall update their national customer preference data with the updated delta data every Tuesday and Friday. In order to ensure use of only updated synchronised data, the regulations state that the delta data updated and downloaded on Tuesdays will be used from 0000 hrs on Wednesdays to 2359 hrs on Fridays, and the delta data updated and downloaded on Fridays will be used from 0000 hrs on Saturdays to 2359 hrs on Tuesdays.

The regulations further state that the telemarketer, before sending any SMS or making a telemarketing call to a telecom subscriber, shall scrub the telephone number of the subscriber with the updated database, downloaded as described above from the National Customer Preference Register website at www.nccptrai.gov.in.

7.4 What are the maximum penalties for sending marketing communications in breach of applicable restrictions?

Telemarketers may apply to Access Providers for telemarketing resources only after they have registered with TRAI. If telemarketers continue to send unsolicited commercial communication to telephone and mobile numbers who have registered themselves with the National Do Not Call Register or have opted out of receiving said communication with the Customer Preference Registration Facility, complaints may be made, toll free, to the Access Provider, who then serves a notice upon the telemarketer in breach. Chapter III, Regulation 18 of the Telecom Commercial Communications Customer Preference Regulations (2010) provides for the blacklisting of telemarketers who have received said notice six times or more. No Access Provider is permitted to provide telecom resources to said telemarketer.

7.5 What types of cookies require explicit opt-in consent, as mandated by law or binding guidance issued by the relevant data protection authority(ies)?

Due to the fact that India has no comprehensive data protection regime, issues such as cookie consent have not so far been addressed by Indian legislation. It is planned that the Privacy Bill will introduce data protection legislation more specifically targeted to issues of cyber security.

7.6 For what types of cookies is implied consent acceptable, under relevant national legislation or binding guidance issued by the relevant data protection authority(ies)?

Please refer to question 7.4 above.

7.7 To date, has the relevant data protection authority(ies) taken any enforcement action in relation to cookies?

Please refer to question 7.4 above.

7.8 What are the maximum penalties for breaches of applicable cookie restrictions?

Please refer to question 7.4 above.

8 Restrictions on International Data Transfers

8.1 Please describe any restrictions on the transfer of personal data abroad?

Section 7 of the IT Rules states that bodies corporate can transfer sensitive personal data to any other body corporate or person within or outside India, provided that the transferee ensures the same level of data protection which the body corporate has maintained, as required by the IT Rules. A data transfer is only allowed if either:

1. it is required for the performance of a lawful contract between the data controller and the data subjects; or
2. the data subjects have consented to the transfer.

The proposed Privacy Bill, if enacted, will place slightly more stringent restrictions on international transfers of personal data. The Bill states in Chapter III, section 22 that cross-border transfers of personal data by data controllers shall not be permitted unless:

1. the transferee is subject to a law, code of conduct or contract which binds said transferee to principles of data protection substantially similar to those stipulated in the Privacy Bill;
2. the data subject consents to the transfer; or
3. the transfer is necessary in connection with a contract to which both the controller as well as the subject are parties.

8.2 Please describe the mechanisms companies typically utilise to transfer personal data abroad in compliance with applicable transfer restrictions.

In a Press Note released on August 24, 2011, the Ministry of Information Technology clarified that the rules on sensitive data transfer described above are limited in jurisdiction to Indian bodies corporate and legal entities or persons, and do not apply to bodies corporate or legal entities abroad. As such, information technology industries and business process outsourcing companies ascribe to secure methods of data transfer which they prefer, provided that the transfer in question does not violate any law either in India or in the country to which the data is being transferred.

8.3 Do transfers of personal data abroad require registration/notification or prior approval from the relevant data protection authority(ies)? Describe which mechanisms require approval or notification, what those steps involve, and how long they take.

Neither the current nor the proposed legislation specifies any requirements for registration or notifications for data transfers abroad. The requirements are limited to the criteria specified in question 8.1 above.

9 Whistleblower Hotlines

9.1 What is the permitted scope of corporate whistleblower hotlines under applicable law or binding guidance issued by the relevant data protection authority(ies)? (E.g., restrictions on the scope of issues that may be reported, the persons who may submit a report, the persons whom a report may concern.)

Neither current nor proposed legislation contains provisions specific to whistleblower hotlines or anonymous reporting.

9.2 Is anonymous reporting strictly prohibited, or strongly discouraged, under applicable law or binding guidance issued by the relevant data protection authority(ies)? If so, how do companies typically address this issue?

Neither current nor proposed legislation contains provisions specific to whistleblower hotlines or anonymous reporting.

9.3 Do corporate whistleblower hotlines require separate registration/notification or prior approval from the relevant data protection authority(ies)? Please explain the process, how long it typically takes, and any available exemptions.

Neither current nor proposed legislation contains provisions specific to whistleblower hotlines or anonymous reporting.

9.4 Do corporate whistleblower hotlines require a separate privacy notice?

Neither current nor proposed legislation contains provisions specific to whistleblower hotlines or anonymous reporting.

9.5 To what extent do works councils/trade unions/employee representatives need to be notified or consulted?

Neither current nor proposed legislation contains provisions specific to whistleblower hotlines or anonymous reporting.

10 CCTV and Employee Monitoring

10.1 Does the use of CCTV require separate registration/notification or prior approval from the relevant data protection authority(ies)?

Current legislation does not touch upon questions relating to CCTV surveillance. However, the proposed Privacy Bill states in Chapter V, section 26 that the installation and operation of CCTV surveillance in public areas shall be in accordance with prescribed procedure for legitimate and proportionate objectives, and will not affect his right to privacy. There are no registration requirements specifically laid out in this proposed legislation, neither does it elaborate on what the prescribed procedure for the installation and operation of CCTV will be.

10.2 What types of employee monitoring are permitted (if any), and in what circumstances?

Neither current nor proposed legislation contains specific provisions relating to CCTV surveillance of employees. However, the proposed Privacy Bill, when in force, will ban covert, intrusive or directed surveillance except in certain specified circumstances, including objectives of national security or public safety. The proposed Bill also states that the provisions it contains relating to the storage, processing, retention, sharing, security and disclosure of personal data apply equally to data collected through surveillance.


10.3 Is consent or notice required? Describe how employers typically obtain consent or provide notice.

Current legislation contains no provisions relating to requirements of consent from employees. However, the proposed Privacy Bill bans covert surveillance, which suggests that consent will have to be obtained from employees once this law comes into force, although the Bill is silent on details relating to what qualifies as consent and how it may be obtained.

10.4 To what extent do works councils/trade unions/employee representatives need to be notified or consulted?

Neither current nor proposed legislation contains provisions on this matter.

10.5 Does employee monitoring require separate registration/notification or prior approval from the relevant data protection authority(ies)?

Neither current nor proposed legislation contains provisions on this matter.

11 Processing Data in the Cloud

11.1 Is it permitted to process personal data in the cloud? If so, what specific due diligence must be performed, under applicable law or binding guidance issued by the relevant data protection authority(ies)?

Neither current nor proposed legislation contains provisions pertaining to cloud-based data processing.

11.2 What specific contractual obligations must be imposed on a processor providing cloud-based services, under applicable law or binding guidance issued by the relevant data protection authority(ies)?

Neither current nor proposed legislation contains provisions pertaining to cloud-based data processing.

12 Big Data and Analytics

12.1 Is the utilisation of big data and analytics permitted? If so, what due diligence is required, under applicable law or binding guidance issued by the relevant data protection authority(ies)?

Big data and analytics are increasingly being recognised as essential for the growth of most industries, with the telecom, retail and e-commerce sectors, and even the Department of National Security, among others, already employing either or both to manage and process large amounts of data and track data in real time. Indian legislation does not currently directly address issues of due diligence or provide guidelines for the usage of big data and analytics. The IT Rules provide reasonable security practices as statutory security procedures for corporate entities that collect, handle and process data to follow, which also apply to the use of big data.


13 Data Security and Data Breach

13.1 What data security standards (e.g., encryption) are required, under applicable law or binding guidance issued by the relevant data protection authority(ies)?

Rule 8 of the IT Rules describes reasonable security practices and procedures as follows:

1) A body corporate, or a person on its behalf, shall be considered to have complied with reasonable security practices and procedures if they have implemented such security practices and standards, have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected and with the nature of the business in question.

2) In the event of an information security breach, the body corporate or a person on its behalf shall be required to demonstrate, as and when called upon to do so by the agency mandated under the law, that they have implemented security control measures as per their documented information security programme and information security policies. The international standard IS/ISO/IEC 27001 on Information Technology - Security Techniques - Information Security Management System - Requirements is one such standard.

3) Any industry association or an entity whose members are self-regulating by following codes other than the IS/ISO/IEC codes of best practice for data protection as per (1) above, shall get its codes of best practice duly approved and notified by the Central Government.

4) The body corporate or a person on its behalf, that has implemented either the IS/ISO/IEC 27001 standard or the codes of best practice for data protection as approved and notified under point (3) above, shall be deemed to have complied with reasonable security practices and procedures, provided that such a standard or such codes of best practice are certified or audited on a regular basis by an independent auditor, duly approved by the Central Government. This audit shall be carried out by an auditor at least once a year, or as and when the body corporate undertakes a significant upgrade of its process and computer resources.

In August 2011, the Ministry of Communications and Information issued a Press Note (Clarification on the Privacy Rules) which provides that any Indian outsourcing service provider/organisation providing services relating to collection, storage, dealing or handling of sensitive personal information or personal information under contractual obligations with a legal entity located within or outside India is not subject to collection and disclosure of information requirements, or consent requirement as detailed by the IT Rules, provided it does not have direct contact with the data subjects when providing their services.

The proposed Privacy Bill, which will override the IT Rules if enacted, also contains provisions pertaining to the security of personal data, stating specifically that every data controller must set appropriate technological, organisational and physical standards for the security of data under its control. In Chapter III, section 15 of the proposed Bill, it is also stated that the Data Protection Authority (the establishment of which is provided for in the same Bill) may prescribe regulations or codes of practice, laying down standards for technological, organisational and physical measures for protection of personal data, and that different standards may be prescribed for different classes of organisation.

13.2 Is there a legal requirement to report data breaches to the relevant data protection authority(ies)? If so, describe what details must be reported, to whom, and within what timeframe. If no legal requirement exists, describe under what circumstances the relevant data protection authority(ies) expects voluntary breach reporting.


The current legislation contains no legal requirements to report data security breaches to either authorities or data subjects.

The proposed Privacy Bill, in Chapter III, section 16, prescribes that where a data controller has reasonable grounds to believe that the personal data of any data subject under its control has been accessed or acquired by unauthorised persons, the data controller must, as soon as is reasonably possible after discovering the breach, notify both the data subject and the Data Protection Authority. The notification shall be in writing, and shall be sent either to the last known address of the data subject by registered post requesting due acknowledgment, or published in at least two national newspapers. The notification must contain sufficient information as is necessary to enable the data subject to take steps to mitigate the potential consequences of the data security breach, including, if possible, the identity of the person who may have committed the breach and the date on which it occurred.

13.3 Is there a legal requirement to report data breaches to individuals? If so, describe what details must be reported, to whom, and within what timeframe. If no legal requirement exists, describe under what circumstances the relevant data protection authority(ies) expects voluntary breach reporting.

The current legislation does not contain any such requirement. However, as explained in question 13.2 above, the proposed legislation does. The only exception to the requirement in the proposed Privacy Bill that the data controller notify the data subject in the event of a breach is if the Data Protection Authority believes that such a notification will impede a criminal investigation, or if the identity of the data subject cannot possibly be identified.

13.4 What are the maximum penalties for security breaches?

As previously explained, the legislation currently in force does not deal with data breaches at all, except as indicated in question 13.1 above. The proposed Privacy Bill elaborates on penalties for different types of breaches, including violation of security/secrecy/confidentiality licences, unauthorised interception of communication (and disclosure of said intercepted communication), obtaining personal information on false premises, disclosure, data theft and contravention of the directions of the proposed Data Protection Authority. The penalties imposed are in the form of heavy fines, which vary for each offence but which do not extend beyond INR 1,000,000. The only exception to this is a penalty imposed for contravention of direction of the Data Protection Authority, which may extend to INR 200,000 and, in the case of a continuing breach, an additional sum which may extend to INR 200,000 for every day that the default continues.

14 Enforcement and Sanctions

14.1 Describe the enforcement powers of the data protection authority(ies):

Indian legislation does not specifically provide for the establishment and function of Data Protection Authorities, although proposed legislation in the form of the Privacy Bill seeks to alter this. Please refer to sections 1 and 6 above for further information on current legislation with respect to Data Protection Authorities.

14.2 Describe the data protection authority's approach to exercising those powers, with examples of recent cases.

Indian legislation does not specifically provide for the establishment and function of Data Protection Authorities, although proposed legislation in the form of the Privacy Bill seeks to alter this. Please refer to sections 1 and 6 above for further information on current legislation with respect to Data Protection Authorities.

15 E-discovery / disclosure to foreign law enforcement agencies

15.1 How do companies within your jurisdiction respond to foreign e-discovery requests, or requests for disclosure from foreign law enforcement agencies?

As long as requests from foreign companies are based on an order from a court of law and if the country in question has a reciprocal arrangement with India, then such a request may be enforced in India, if necessary, through an Indian court. Absent a court order, Indian companies do not have any obligation to respond to foreign e-discovery requests or requests for disclosure.

15.2 What guidance has the data protection authority(ies) issued?

None. Please refer to question 14.1 above.

16 Trends and Developments

16.1 What enforcement trends have emerged during the previous 12 months? Describe any relevant case law.

The issue of data protection has been raised before the Indian High Courts in respect of a few Patent cases, but the Courts have generally taken the view that what is not expressly prohibited is permitted. Once proper legislative enactments come into force to plug the existing loopholes, one may expect a series of judicial pronouncements clarifying and implementing the law. However, the IT Act has come under judicial scrutiny for reasons outside the sphere of Intellectual Property Rights. In Shreya Singhal v UOI, the Supreme Court struck down section 66A of the IT Act, which made it a criminal offence to send electronically any information that is grossly offensive, menacing, causes annoyance, obstruction, insult, and hatred amongst other things. It neither defined any of these words nor gave any indication of their import. The section had long been criticised by free speech activists; it had often been used, for instance, against users who had taken to Facebook to criticise the current ruling party in Parliament. The Supreme Court struck it down specifically due to its chilling effect on free speech, its vagueness and what the court referred to as overbreadth. The significance of this move lies mainly in the judicial acknowledgement of the thorough undesirability of extreme censorship.

16.2 What hot topics are currently a focus for the data protection regulator?

Several important amendments to the IT Act are being considered by the Indian Government. The proposed amendments, if they come through, will increase the scope for liability in case of any breach of data protection rules. Additionally, amendments based on the European Union directive are being considered.
