
DISSERTATION

X SEMESTER B.A., LL.B. (ENERGY LAWS)

Privacy & Data Protection Law in India: Need of the Hour to Bring a New Data Protection Law

GAUTAM MATORIA
R450216037
500053221

Submitted under the guidance of:

Mr. UDIT RAJ SHARMA

School of Law
University of Petroleum and Energy Studies
Dehradun

(2021-22)

1|Page
DECLARATION/UNDERTAKING OF ORIGINALITY

I, GAUTAM MATORIA, having Enrolment No. R450216037 and SAP ID 500053221, declare that the Dissertation/Synopsis
titled “Privacy & Data Protection Law in India” is the outcome of my original work conducted under the
supervision of Mr. Udit Raj Sharma at School of Law, University of Petroleum and Energy Studies, Dehradun.

I undertake full responsibility for the contents of this Dissertation/Synopsis, complying with the ‘Academic Integrity’ policy of
UPES, and I understand that if this work is found in violation of the same, this may result in rejection of the Synopsis/Dissertation
and entail appropriate disciplinary proceedings as per the Rules of the University.

Word Count of Synopsis/Dissertation… 20,050


Signature [Name of the Student] Date……………
Place…………….

Endorsement by the Mentor:


Date of final Submission:…………………..
Antiplagiarism Check /Similarity found: ………..
Late Submission………………………………….

Signature [Name of the Mentor]


Date……………

INDEX

S.No.  CHAPTERS                                                   Page No.
1.     INTRODUCTION                                               5-9
2.     CURRENT POLICY FOR INTERNET PRIVACY IN INDIA               10-14
3.     INTERNATIONAL DEVELOPMENTS IN INTERNET PRIVACY             15-18
4.     PERSONAL DATA PROTECTION BILL 2019                         19-31
5.     CYBER CRIME AND THE THREATS FOR INDIA (SURVEILLANCE)       32-39
6.     CONCLUSION                                                 40-41

CONSULTATION RECORD

Full Name of the Student:………………………………………………………


Enrolment Number:……………………………………………………………
SAP Id:………………………………………………………………………….

SN Date Particulars of Consultation Sign of Mentor

*additional rows may be added

Signature [Name of the Mentor]
INTRODUCTION

This dissertation deals with the regulatory concerns of data protection in India in the present scenario. The
historical background, general development and the issues with the data protection laws in India are
discussed. The author puts forward certain suggestions for the efficient regulation and enforcement of data
protection laws, with special reference to the Personal Data Protection Bill, 2018. The need for a specific
legislation and a governing body for the protection of private data is stressed. The recent developments in
the data protection norms in India were considered with the help of various articles. The paper further
emphasizes the accountability of data handlers. The author aims to capture key concepts and the potential
concerns surrounding data protection norms and to throw light on the urgent need for the same. In a
recent judgment, Justice D Y Chandrachud wrote, “Ours is an age of information. Information is knowledge.
The old adage that ‘knowledge is power’ has stark implications for the position of the individual where data
is ubiquitous, an all-encompassing presence.”[1] The growth of digitization of the economy in India has been a
commendable step towards development in every sector. Through rapid digitalization and agile technology,
the concept of “data” has become the new raw material of business, being regarded as an economic input
almost on a par with capital and labor.[2]

Privacy is addressed through Article 21 of the Constitution (a constitutional provision). Article 21 of the
Constitution of India provides that “No person shall be deprived of his life or personal liberty except
according to procedure established by law”.[3] However, the Constitution of India does not specifically
recognize the ‘right to privacy’ as a fundamental right.

But the judiciary has recognized the ‘right to privacy’ as a necessary ingredient of the ‘right to life’ and
‘personal liberty’. The Supreme Court of India, in its landmark judgment in Kharak Singh v. State of U.P.,
stated that “the right of privacy falls within the scope of Article 21 of the Constitution and therefore
concluded that an unauthorized intrusion into a person’s home and disturbance caused to him is in violation
of personal liberty of the individual.”[4]

This basic right to protect an individual’s privacy has been enshrined in the Universal Declaration of Human
Rights, 1948 (“UDHR”)[5] as follows:
“Article 12: No one shall be subjected to arbitrary interference with his privacy, family, home or
correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of
the law against such interference or attacks.”

The government has been demanding access to data from its citizens for the same, which has raised data
protection concerns. Indian laws offer little protection against the misuse of data. Currently, the Sensitive
Personal Data (SPD) Rules, 2011 govern the transfer of personal data and have proved inadequate for the
task.[6] The Data Protection Bill proposed in 2018 is a step further in the regulatory sphere of data
protection. It makes individual consent central to data sharing. It also provides for the use of personal data in a
fair and reasonable manner and recognizes privacy as a fundamental right. But the concern at this hour
relates to the adoption and implementation of the bill.

[1] Justice K. S. Puttaswamy (Retd.) and Anr. v. Union of India and Ors., Writ Petition (Civil) No. 494 of 2012
[2] Kenneth Cukier, “Data, data everywhere”, The Economist, London, February 25, 2010, available at
http://www.economist.com/node/15557443.
[3] Lutha R Nair, “Data Protection Efforts in India: Blind leading the Blind?”, The Indian Journal of Law & Technology Vol 4
(2008).
[4] (1975) SCC (Cri) 468. The case related to surveillance according to Regulations 855 and 856 of the Madhya Pradesh Police
Regulations. The Court held that though the right to privacy existed, it had not been violated since the procedure was required by
law.
[5] India is a signatory to the UDHR.
[6] Radhika Merwin, ‘All you wanted to know about Personal Data Protection Bill 2018’ in The Hindu.
WHAT IS DATA AND DATA PROTECTION?

Data is a wide term which includes both the personal aspects of an individual and commercial aspects. The
personal aspect is dealt with under privacy rights, whereas the commercial aspect is dealt with under proprietary rights.
The Information Technology Act, 2000 defines data under Section 2(1)(o) as: “data means a representation
of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in
a formalised manner, and is intended to be processed, is being processed or has been processed in a
computer system or computer network, and may be in any form (including computer printouts, magnetic or
optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer.”

For the purpose of this research, we will use the meaning of data as given in The Private Data
Protection Bill, 2018: “Data” means and includes a representation of information, facts, concepts, opinions,
or instructions in a manner suitable for communication, interpretation, or processing by humans or by
automated means.

While we reap its benefits, the protection of data is also vital. Protection of data can be understood in simple
terms as a process of safeguarding important information from corruption, compromise, or loss. The
importance of data protection has increased with the growing amount of data created and stored. The
excessive use has given rise to the threat of cyber-crimes, data theft, misuse of private and personal information,
etc. A large part of data protection is the adoption of a data protection strategy, which should encompass
three things: that data can be restored quickly after corruption or loss, protecting it from compromise,
and ensuring data privacy.

EVOLUTION OF DATA PROTECTION LAWS IN INDIA

The digital revolution underway in this technology age has permeated India as well. Recognizing
its significance, and that it promises to bring large disruptions in almost all sectors of society, the
Government of India has envisaged and implemented the “Digital India” initiative. With nearly 450 million
Internet users and a growth rate of 7-8%, India is well on the path to becoming a digital economy, which has
a large market for global players.[7]

India has witnessed various instances of data theft, as stated by cyber protection cells. Therefore, to curb
data theft, an effective and well-formulated mechanism is required. The existing data protection laws in India
are narrow in scope. In the absence of specific legislation, data protection was achieved in India by the
provisions of The Information Technology Act, 2000, amended by the Information Technology
(Amendment) Act, 2008.[8] But this Act is not data or privacy protection legislation per se. It is generic
legislation and does not lay down any specific data protection or privacy principles.[9]

In April 2011, after the European Union enacted strict and stringent data protection laws, the Indian Ministry of
Communications and Technology published four sets of rules implementing certain provisions of the Act, of
which the first set of rules is relevant to the issue of data protection. The Information Technology
(Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011,
framed under Section 43A of the IT Act, are also a part of this list of legislation. Section 43A states that if a
body corporate possessing, dealing with or handling any sensitive personal data or information in a computer
resource which it owns, controls or operates is negligent in implementing and maintaining reasonable
security practices and procedures, and thereby causes wrongful loss or wrongful gain to any person, that
body corporate will be liable to pay damages as compensation to the affected person.

It gives a definition of sensitive personal data. It states that “sensitive personal data includes passwords;
financial information, such as bank account or credit card or debit card or other payment instrument details;
physical, physiological and mental health conditions; sexual orientation; medical records and history;
biometric information; any details relating to the above clauses as provided to a body corporate for provision
of services; and any information received under the above clauses by a body corporate for processing, or
which has been stored or processed under lawful contract or otherwise.”

[7] https://meity.gov.in/; last visited 01.04.2021.
[8] The Information Technology Act, 2000.
[9] Mohammed Nyamathulla Khan, ‘Does India have a Data Protection Law?’ in Legal Service India.

No legislation provides a definition of personal data except the IT Rules. Further, the IT Rules cast a duty upon the
body corporate to provide a privacy policy, which shall be available on the website of such body corporate.
The policy shall deal with the personal information and sensitive data, including the purpose of collection and its
usage. The IT Rules moreover deal with the process and procedure that should be adopted by the body
corporate for the collection of personal information and sensitive data.[10] They also state that the body
corporate cannot retain the information longer than it is lawfully required. Therefore, it can be said that the
new law is stricter and on par with EU laws; the body corporate has a duty to comply with the IT
Rules and ensure transparency in its new privacy policies.

However, the existing mechanism still falls short in the sphere of protecting data: because the
statutes in question were not drafted specifically with the protection of data in mind, the current legislation
has many gaps regarding effective protection of data. For this reason, the government proposed the Privacy Bill in
2011, but the Bill has not become law yet.

AT THE OUTSET OF THE DATA PROTECTION & REGULATORY CONCERNS

The Indian government, after considering the fact that the laws were not implemented keeping personal
data protection in mind, has proposed to enact specific legislation on privacy. A Data (Privacy and Protection) Bill,
2017 had also been introduced in Parliament by a private member, seeking the establishment of a Data
Privacy and Protection Authority for regulation and adjudication of privacy-related disputes.

Data protection may also sometimes occur through the Copyright Act, 1957. Since it protects
intellectual property rights in different types of creative works, including literary works, it provides some
scope for protecting different types of data as literary works. Moreover, the Indian Penal Code, 1860 could
be used to prevent theft of data.

In all, India does not have a comprehensive data protection and regulation framework. A strict regulation covering all
aspects of data protection and encompassing the provisions of all the scattered legislation needs to be adopted
to protect private data. With the growing threat to privacy from both State and non-State elements, the
government should “put into place a robust regime for data protection”.[11] Further, there are multiple
rules and regulations that directly or indirectly govern the privacy and data protection domain in India, which
include the IT Act, the Right to Information Act, the right to privacy, the Aadhaar Act and rules framed thereunder, and
additional regulations governing sectors such as telecom, banking, medicine and healthcare, and insurance.

Existing mechanism: after a critical analysis of the literature, this paper seeks to bring to light the gaps in the proper
adoption and implementation of the laws made for the protection of private data. The need for specific
legislation cannot be denied. But we need to ask more questions: questions related to accessibility concerns
(by whom and to what extent is personal data being accessed?), the accountability question, the question of the
establishment of a data protection authority, the question of adjudication of causes related to data breach, and
other regulatory concerns. The paper shall further deal with a discussion of the said issues with special
reference to The Personal Data Protection Bill, 2018.

The Personal Data Protection Bill, 2018 is India’s move to provide its citizens with comprehensive data
protection rights. It was drafted by a committee headed by former Supreme Court judge Justice B N
Srikrishna on July 27th, 2018. It forms the framework for India’s data protection laws and explains how an
organization should collect, process and store citizens’ data. The objective of the Personal Data Protection Bill, 2018
is to “ensure growth of the digital economy while keeping personal data of citizens secure and protected.”

[10] Rule 5 of the IT Rules
[11] Justice K. S. Puttaswamy (Retd.) and Anr. v. Union of India and Ors., Writ Petition (Civil) No. 494 of 2012

The bill applies to both government and private entities. The applicability of the law will
extend to data controllers/fiduciaries or data processors not present within the territory of India if they
carry out processing of personal data in connection with any business carried on in India, systematic offering of
goods and services to data principals in India, or any activity which involves profiling of data principals
within the territory of India. Further, the bill entrusts data principals with stronger control over information
about them. All in all, it will definitely change the way privacy is perceived and practised within the Indian
paradigm.

It states the right to privacy as a fundamental right and necessitates protection of personal data as an essential
facet of informational privacy. One of the most important proposals in the committee’s white paper was that
a high-powered statutory authority with regulatory capacities should be set up. It also mentions two models,
the European Union’s, tilted towards privacy of individuals, and the US’s, giving innovation primacy over
regulation, and says that India will have to follow a nuanced approach towards data protection.[12] The bill
aims to protect personal data and has wide applicability. It states that personal data can only be processed
on the basis of the following:

• Consent of the owner
• If being used for the functions of the state
• If mandated by law or required for compliance with a judicial order
• If necessary for an emergency
• For employment purposes
• For reasonable purposes as notified by the data protection authority

At the outset, the bill provides excessive powers in the hands of the central government, especially under
Section 98, which not only states that the central government can issue directions to the authority, but also
that the authority shall be bound by directions on questions of policy, in which the decision of the central
government is final.[13] Moreover, the criminal liabilities making all offences cognizable and non-bailable
under this bill are worrying.

Data protection has been a hot topic for discussion among businesses, academia, interest groups and think
tanks. The bill is under review and scrutiny and is a topic for debate as to its means and ends. Debates and
journals have tried to cover almost all its aspects and brought to light what is not and what should be. The
author will also throw light on what should be stressed: what is the need of the hour.

It is criticized for being too lenient and lacking clarity on key issues. However, with the bill coming into
force, organizations will have to ensure that they handle personal data judiciously. The requirements
for notice, consent and grounds of processing personal and sensitive personal data will force organizations to
redesign their core systems, obtain fresh consent, and change their data practices, which will eventually
increase the cost of compliance for companies. Though the draft bill addresses various escalating issues of
the personal data ecosystem in India and clearly articulates the rights of individuals, it still falls short on key
points that form the centre of a robust data protection framework.

Need of the hour: it is clear from the above discussion that the fundamental need is for a specific legislation in
the area, which should cover all aspects of data protection: the what, the how and the by whom.

• What is the data that is to be protected?
• Is mere protection of private data enough?
• What about commercial data and business data?
• What authorities does India need to set up in order to ensure efficient regulation of the protection
of data?

[12] Krishn Kaushik, ‘What India needs: Data law, regulator’ in The Indian Express
[13] Ananya Bhattacharya, “India’s first data protection bill is riddled with problems” in Quartz India

These are only some of the many concerns that data protection raises.
The Private Data Protection Bill 2018 does have certain lacunae but is a step in the right direction and should
be carried forward to be made an Act after due scrutiny. An independent, dedicated Data Protection
Authority with a specialized structure should be set up and be given such reasonable powers as may be
necessary for the efficient adjudication and disposal of data privacy issues. It should have sufficient
jurisdiction and power to adjudicate disputes and issue binding orders. It could be a quasi-legislative body that
prescribes rules and procedures. It could include people with the relevant know-how, experts, and persons of adequate
qualification, backed by police intelligence authorities, local and central, so that a speedy remedy can be
given. Also, it must have a judicial wing.

Moreover, in terms of transparency and accountability, data controllers and processors should adopt certain
measures based on standards and regulations having fixed liability in case of data breach. There should be
implementation of data protection principles and, if required, demonstration of such implementation by a
supervisory authority in order to ensure greater accountability. Also, a system should be in place to detect
and prevent data breaches. As a data breach involves issues of privacy, which is a fundamental right under
Article 21 of the Indian Constitution,[14] it becomes necessary to take measures against it. Data protection law
in India is currently facing many problems due to the absence of a proper legislative framework.[14] But with the
enactment of the Personal Data Protection Bill 2018, we will have an overarching regulation that will be
more effective and overshadow all existing privacy laws. The ongoing explosion of cybercrimes, and the theft
and sale of stolen data, has raised issues and concerns worldwide. India, with much of its population having
an online identity, could easily fall victim to cases of cybercrime and data and privacy breaches.

The absence of a data protection law is also a huge blow to the outsourcing industry in India. By creating a good
data protection law, India could extend well beyond being a mere supplier of services to the world's
multinational corporations. Whatever steps the government can take right now at this hour, it
should take, and the rest shall follow. The process is slow but is achievable if taken seriously by the authorities.
The Private Data Protection Bill 2018 is a right start to a needful end. Justice Srikrishna has most
appropriately noted in regard to the bill, ‘The report is like buying new shoes. It’s tight in the beginning but
it will become comfortable over a period of time. It remains to be seen if the citizens of India get used to
these shoes or return them.’

[14] The Constitution of India
CURRENT POLICY FOR INTERNET PRIVACY AND DATA PROTECTION IN INDIA

India does not have a dedicated law on data protection and privacy. India has also not adopted any
international instruments on privacy or data protection. Specific provisions on privacy are found in the
Information Technology Act 2000 (IT Act). The IT Act is based on the United Nations Model Law on
Electronic Commerce adopted by the United Nations Commission on International Trade Law on 30 January
1997 vide resolution A/RES/51/162. A plethora of laws in areas such as banking, telecoms and the medical
field prescribe obligations of confidentiality. Banking regulations deal with when financial institutions can
transfer data overseas and the types of data that cannot be transferred overseas. Telecom regulations, by and
large, prevent the transfer of customer information overseas. The code of conduct of medical practitioners
prevents disclosure of patient information. The insurance regulations restrict the transfer of claims-related data
overseas.

Section 2(1)(o) of the IT Act defines “data” as:

“A representation of information, knowledge, facts, concepts or instructions which are being prepared or
have been prepared in a formalised manner, and is intended to be processed, is being processed or has been
processed in a computer system or computer network, and may be in any form (including computer printouts,
magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the
computer.”

The electronic consent framework issued by the Digital Locker Authority defines ‘data’ to mean “any
electronic information that is held by a public or private service provider (like a government service
department, a bank, a document repository, etc.). This may include both static documents and transactional
documents. However, the concept of data is not only restricted to electronic information but also extends to
information stored in physical form, e.g. on a piece of paper.”[15]

The Act contains many sections under which the government can tamper with personal data for security reasons, but there
is no specific law relating to the protection of an individual's personal data.

India's most comprehensive data protection standards are found in the Information Technology (Reasonable
Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

The IT Act contains three provisions on data protection and privacy.

Section 43A provides for compensation in the event one is negligent in using reasonable security practices
and procedures (RSPP) in protecting sensitive personal data and information (SPDI) and this results in a
wrongful gain or wrongful loss. It should be noted that this law provides only compensation, and only when
a wrongful gain or loss results from the failure to observe RSPP. It can be argued that this is nothing but a
codification of the law of negligence. This means that there is no negative consequence arising merely from
the failure to observe RSPP. Further, RSPP is defined to mean such procedures stated by a law in force or as
agreed to by the parties, and in the absence of both, the rules framed by the government. There is no statute
that prescribes RSPP. This means that if parties - for example, an employer and an employee - agree on the
RSPP to be adopted, the rules of the government would not apply.
In the guise of prescribing what constitutes RSPP, the government has issued somewhat basic and not very
well-written privacy rules. As stated above, these rules apply only if the concerned parties have not agreed
on the RSPP that would apply. These rules contain basic principles of privacy such as when SPDI can be
collected, requirements of notice and consent, when SPDI can be transferred, among others.

Section 72A provides for criminal punishment if, in the course of performing a contract, a service provider
discloses personal information without the consent of the person concerned or in breach of a lawful contract
and he or she does so with the intention to cause, or knowing he or she is likely to cause, wrongful loss or
wrongful gain.

Section 72 prescribes criminal punishment if a government official discloses records and information
accessed by him or her in the course of his or her duties without the consent of the concerned person or
unless permitted by other laws.

[15] Information Technology Act, 2000 Section 2(1)(o)

Data protection authority

There is no specific data protection authority in India. The IT Act provides for an adjudicating officer to be
appointed to adjudicate whether a person has contravened the IT Act or its rules where the claim of injury or
damages does not exceed 50 million rupees. If the claim exceeds 50 million rupees, the adjudicating
authority would be the civil court. The Secretary to the Ministry of Information Technology in each state
government has been appointed as the adjudicating officer. The adjudicating officer has all powers of a civil
court. These include summoning the attendance of persons and examining them on oath, requiring the
discovery or production of documents and other electronic records, receiving evidence on affidavits and
issuing commissions for the examination of witnesses or documents.

The police have the power to investigate offences under the IT Act, such as under section 72 and section
72A. Under specialised statutes relating to banking, telecom and the medical field, the relevant sectoral
regulator has powers.

Legal obligations of data protection

There is no data protection authority in India.

Breaches of data protection

Under section 43A, if a breach results in a wrongful gain or wrongful loss, the adjudicating officer can
order compensation to be paid. The law does not prescribe what the maximum compensation is. Under
section 72, the punishment is imprisonment of up to two years or a fine of up to 100,000 rupees, or both.
Under section 72A, the punishment is imprisonment of up to three years or a fine of up to 500,000 rupees, or
both. Other laws provide for penalties under those statutes for breach of confidentiality provisions.

Scope

• Does the data protection law cover all sectors and types of organisation, or are some areas of activity
outside its scope?

The provisions under the IT Act apply to all sectors, though laws specific to particular sectors would apply
concurrently. Section 43A relates to a body corporate and the rules issued thereunder exclude government
from the meaning of body corporate.

Section 72A covers all types of organisations and Section 72 relates only to a government officer.

It should be noted that under section 43A, the parties concerned can agree among themselves on the RSPP to
be adopted. If they do so, then the privacy rules passed by the Indian government would be excluded.

• Does the data protection law cover interception of communications, electronic marketing or
monitoring and surveillance of individuals?

Yes, the Indian Telegraph Act 1885 and the Information Technology Act 2000 permit the government to
engage in surveillance based on certain criteria, namely the interests of the sovereignty and integrity of
India, the security of the state, friendly relations with foreign states, public order, or the prevention of incitement
to the commission of an offence. These grounds are based on the reasonable restrictions to free speech
contained in the Constitution of India.

All surveillance has to be approved in writing by the Home Secretary of the central government or the
relevant state government, as the case may be. The Home Secretary is the most senior of the bureaucrats tasked
with maintaining law and order. Indian law does not require the permission of a court to engage in
surveillance.

Other laws
Many laws provide a duty on service providers to maintain confidentiality of customer information. For
example, medical laws deal with maintaining confidentiality of patient information. Such laws, for example,
relate to medical termination of pregnancy and mental health. The code of ethics for medical professionals
also prescribes that doctors must maintain confidentiality of patient information.

Banking laws also deal with protection of confidentiality of customer information. This is provided both in
statutes relating to banks and payment systems as well as regulations passed by India’s central bank, the
Reserve Bank of India (RBI), on customer servicing, credit card operations of banks, among others.

A statute dealing with credit information companies requires credit information companies and credit
institutions (banks, etc) to adopt principles relating to collection of information, processing of such
information, protection of data and the manner of access and sharing of data. The principles are not
prescribed by the law or by the regulator but have to be framed by the concerned credit information
companies and institutions.

PII formats

What forms of PII are covered by the law?

While section 72A covers personal information, section 43A covers SPDI. Personal information means
information that relates to a natural person, which either directly or indirectly in combination with other
information available or likely to be available with a body corporate is capable of identifying such person.
SPDI covers the following:

• Passwords
• Financial information such as bank account or credit card or debit card or other payment instrument
details
• Physical, physiological and mental health conditions
• Sexual orientation; medical records and history
• Biometric information.

The law does not distinguish personal information on the basis of the format of the information, such as
electronic as opposed to physical records. However, the laws on SPDI are applicable only to SPDI in
electronic form.

The data breach regulations

The regulations define ‘cybersecurity incident’ to mean any real or suspected adverse event in relation to cybersecurity
that violates an explicitly or implicitly applicable security policy, resulting in unauthorised access, denial of
service or disruption, unauthorised use of a computer resource for processing or storage of information, or
changes to data without authorisation. There is a further definition through a description of various incidents
that constitute cybersecurity incidents. These are:

• Targeted scanning or probing of critical networks and systems
• Compromise of critical systems or information
• Unauthorised access of IT systems or data
• Defacement of a website or intrusion into a website and unauthorised changes such as inserting
malicious code, links to external websites, etc.
• Malicious code attacks such as spreading of viruses, worms, trojans, botnets or spyware
• Attacks on servers such as database, mail and DNS, and network devices such as routers
• Identity theft, spoofing and phishing attacks
• Denial of service and distributed denial of service attacks
• Attacks on critical infrastructure, SCADA systems and wireless networks
• Attacks on applications such as e-governance, e-commerce, etc.

The Ministry of Communication and Information Technology has set up CERT under the IT Act. CERT is
the nodal agency for resolving cybersecurity incidents in India. It is responsible for scanning cyberspace for
cybersecurity vulnerabilities, breaches and malicious activity and can block web pages and websites.

Internal controls

Data protection officer

The privacy rules provide for the need to appoint a grievance officer to address discrepancies and grievances
of providers of information. There is no requirement for the appointment of a data protection officer.

Is the transfer of PII outside the jurisdiction restricted?

SPDI or any information can be transferred to a person outside India if that person ensures the same level of
data protection as provided by the rules. Further, such transfer is permitted only if necessary for the
performance of the contract with the provider, or where the provider has consented to the transfer. Further,
Indian company law requires companies that maintain their books of accounts and books and papers in
electronic form outside India to keep a backup of such books of accounts and books and papers on servers
physically located in India.

Notification of cross-border transfer

Does cross-border transfer of PII require notification to or authorisation from a supervisory authority?

No, transfer of PII does not require notification to or authorisation from a supervisory authority.

The law is not entirely clear on whether onward transfers outside the jurisdiction are subject to restriction or
authorisation. Transfer of SPDI to a third party can be done only if the third party agrees to ensure the same
level of protection under the privacy rules. We believe it follows that if transfer of PII from the owner to a
service provider is subject to restrictions, the same restrictions should apply to a further transfer from the
service provider to another service provider. It may also be noted that notice has to be given to the provider
of the information of the name and address of every agency that will have access to such information. This
would, therefore, cover onward transfers.

Electronic communications marketing

Rules on marketing by email, fax or telephone.

Indian law does not deal with marketing through email or fax. In 2015, a badly worded provision that
appeared to deal with spam was struck down by the Supreme Court of India as being unconstitutional.
The IT Act does not cover electronic marketing. This is covered by ‘do not call’ rules framed by the
Telecom Regulatory Authority of India (TRAI).
A person can list his or her number on the ‘do not call’ registry, after which marketing calls and SMS cannot
be sent to him or her. One can, however, select certain exception categories, in which case unsolicited
communications in those categories can be sent to the customer. Messages can continue to be sent if they are
transactional in nature. A list of types of transactional messages has been published. A significant feature of
the new regulations is the back-end technical implementation of the same.
A telemarketer has to take special telecoms resources for making telemarketing calls and SMS. The telecoms
companies will ensure that their systems are connected to the registry, so a call or message will not go
through to someone who is listed on the registry. Separate resources have to be taken for transactional
messages so they can be sent to persons listed on the ‘do not call’ registry.

Penalties have been prescribed for violation of the regulations. A person is entitled to three counts; on the
third count, the person will be blacklisted and cannot receive any telecom resources for a period of two
years.
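The screening mechanism described above can be modelled end to end: a registry lookup with per-category exceptions, a bypass for transactional traffic sent over a separate resource, and a three-count penalty that ends in a two-year blacklist. The following Python is an added example written for this dissertation, not code from TRAI or any telecom operator. The registry entries, the category names, the stand-in list of transactional message types, and the rule that promotional content sent over a transactional resource counts as a violation are constructed assumptions.

```python
"""Operator-side model of the TRAI 'do not call' screening described above.

Added example, not code from the dissertation, TRAI or any telecom operator.
The registry entries, category names, the stand-in transactional list, and
the rule that promotional content sent over a transactional resource counts
as a violation are constructed assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed registry: subscriber number -> marketing categories the
# subscriber has chosen as exceptions. An empty set blocks everything.
DNC_REGISTRY = {
    "+919800000001": set(),
    "+919800000002": {"banking"},
}

# Constructed stand-in for the published list of transactional message types.
TRANSACTIONAL_TYPES = {"otp", "payment_confirmation", "delivery_update"}

BLACKLIST_STRIKES = 3   # blacklisted on the third count (from the page)
BLACKLIST_YEARS = 2     # no telecom resources for two years (from the page)


@dataclass
class Message:
    sender: str         # telemarketer identifier
    resource: str       # telecom resource used: "promotional" or "transactional"
    recipient: str      # subscriber number
    kind: str           # "promotional" or one of TRANSACTIONAL_TYPES
    category: str = ""  # marketing category, for promotional messages


@dataclass
class Screener:
    """The telecom operator's gateway, connected to the registry."""
    strikes: dict[str, int] = field(default_factory=dict)
    blacklist: dict[str, int] = field(default_factory=dict)  # sender -> years barred

    def _violation(self, sender: str, reason: str) -> tuple[bool, str]:
        """Record one count against the sender; blacklist on the third."""
        self.strikes[sender] = self.strikes.get(sender, 0) + 1
        if self.strikes[sender] >= BLACKLIST_STRIKES:
            self.blacklist[sender] = BLACKLIST_YEARS
            return False, f"{reason}; sender blacklisted for {BLACKLIST_YEARS} years"
        return False, f"{reason}; count {self.strikes[sender]} of {BLACKLIST_STRIKES}"

    def screen(self, msg: Message) -> tuple[bool, str]:
        """Decide whether one call or SMS goes through. Returns (delivered, reason)."""
        if msg.sender in self.blacklist:
            return False, "sender is blacklisted and holds no telecom resources"
        if msg.resource == "transactional":
            if msg.kind in TRANSACTIONAL_TYPES:
                # Transactional traffic reaches subscribers even if registered.
                return True, "transactional message delivered"
            # Assumption: promotional content on a transactional resource is a violation.
            return self._violation(msg.sender, "promotional content on transactional resource")
        if msg.resource == "promotional":
            if msg.kind != "promotional":
                # Assumption: transactional types must use the separate resource.
                return False, "transactional messages require a transactional resource"
            exceptions = DNC_REGISTRY.get(msg.recipient)
            if exceptions is None:
                return True, "recipient not on the registry"
            if msg.category and msg.category in exceptions:
                return True, "recipient opted in to this category"
            return False, "recipient is on the do-not-call registry"
        return False, "unknown telecom resource"
```

The check sits at the operator, not at the telemarketer, which is the point of the back-end implementation the regulations rely on: a sender cannot bypass the registry by choosing not to consult it, and repeated misuse of the transactional resource is counted against the sender rather than the message.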

Cloud services

Describe any rules or regulator guidance on the use of cloud computing services.

India does not have any rules or regulations governing the use of cloud computing services. The TRAI has
recently released a consultation paper on cloud computing. The consultation paper points out several issues
relating to cloud services, such as interoperability, data security, data localisation, data ownership, cross-
border movement of data and taxation of cloud services. The consultation paper is open for public
comments, and based on the public comments and discussion with the stakeholders TRAI may soon come
out with regulations governing the use of cloud computing services.

INTERNATIONAL DEVELOPMENTS IN INTERNET PRIVACY:

This section is based entirely on United Kingdom law. It was last updated in February 2008.
Overview: data protection laws exist to strike a balance between the rights of individuals to
privacy and the ability of organisations to use data for the purposes of their business. The Data Protection Act
1984 introduced basic rules of registration for users of data and rights of access to that data for
the individuals to which it related. Those rules and rights were revised and superseded by the Data Protection
Act 1998, which came into force on 1st March 2000. This guide explains what you need to know
about data protection under the Data Protection Act 1998 ('the Act').

When does data protection law apply?

Data protection law applies whenever a data controller processes personal data. These words are
given specific meanings by the Act.

Data controllers

A data controller is the person who determines the purposes for which, and the manner in which, any
personal data is, or is likely to be, processed. In other words, you will be a data controller if the
processing of personal data is undertaken for your benefit and you decide what personal
data should be processed and why. A typical example of a data controller is a company.

Personal data

Personal data means data which relate to a living individual who can be identified from that
data, or from that data and other information which is in the possession of, or is likely to come
into the possession of, the data controller. For example, most businesses will process personal
data relating to employees, customers, suppliers and business contacts. Those individuals are referred to in the
Act as 'data subjects'.

Processing

The Act applies when personal data is processed or is to be processed by means of a computer, or is
recorded or to be recorded in a structured manual filing system. There are other types of system covered
by the Act, but these are the most common. Whether manual files are covered
by the Act is not always an easy question to answer.

To be covered:

 There must be a set of information relating to individuals,
 Which is structured either by reference to individuals or by reference to criteria relating to individuals,
 In such a way that specific information relating to particular individuals is readily accessible. If your
manual files fall within this definition, you will have to comply with the Act.
 The term 'processing' covers virtually any use which can be made of personal data, from collecting the
data, storing it and using it, to destroying it.

What are the obligations?

The data protection principles

In order to comply with the Act, a data controller must observe the following eight principles:

(i) Data must be processed fairly and lawfully and may not be processed unless the data
controller can satisfy one of the conditions for processing set out in the Act.
(ii) Data must be obtained only for specified and lawful purposes.
(iii) Data must be adequate, relevant and not excessive.
(iv) Data must be accurate and, where necessary, kept up to date.
(v) Data must not be kept longer than is necessary for the purposes for which it is processed.
(vi) Data must be processed in accordance with the rights of the data subject under the Act.
(vii) Appropriate technical and organisational measures must be taken against unauthorised or
unlawful processing of personal data and against accidental loss or destruction of, or damage to,
personal data.
(viii) Data must not be transferred to a country or territory outside the European Economic Area unless
that country or territory ensures an adequate level of protection for the rights and
freedoms of data subjects in relation to the processing of personal data.

Other requirements for data controllers

Under the first data protection principle, a data controller must justify its processing of personal
data under one of the following conditions:

(i) The data subject has given his consent to the processing;
(ii) The processing is necessary for the performance of a contract, or the entering into of a contract, to
which the data subject is a party;
(iii) The processing is necessary for compliance with any legal obligation to which the data
controller is subject;
(iv) The processing is necessary in order to protect the vital interests of the data subject;
(v) The processing is necessary for the administration of justice; or
(vi) The processing is necessary for the purposes of legitimate interests pursued by the data
controller, provided such processing does not prejudice the rights and freedoms or legitimate
interests of data subjects.

The data controller must also register with the Information Commissioner ('the Commissioner').

Sensitive personal data

Where the data controller intends to process sensitive personal data, there are further
conditions. Sensitive personal data includes data relating to the racial or ethnic origin
of a data subject, his political opinions, religious beliefs, trade union membership,
sexual life, physical or mental health or condition, or criminal offences or record. Of these
further conditions, the most useful to most businesses will be:

(i) Where the data subject has given his explicit consent;
(ii) Where the processing is required for the purposes of complying with employment law;
(iii) Where it is necessary to establish, exercise or defend legal rights.

If none of the conditions can be met, processing cannot lawfully continue.

Purposes of processing

Data subjects must be given information about the purposes of the processing. This information is usually
provided in the form of a data protection notice, which may be given in application forms, terms and
conditions, by telephone or on a website. The information to be set out in a data protection notice
should include a description of:

(i) Details of the data controller;
(ii) The purposes for the processing, including any non-obvious purposes (e.g. cross-mailing,
host mailing);
(iii) Details of any recipients of the personal data (e.g. other companies in the group)
and their purposes;
(iv) An opt-out / opt-in to marketing, as appropriate;
(v) A description of the methods to be used for contacting individuals for marketing
purposes (e.g. telephone, fax, SMS, email and/or mail); and
(vi) Any other information that is necessary to make the processing fair (e.g. whether it is compulsory
to provide all the data requested or whether provision of some of that data is
optional).

By using an appropriately worded data protection notice, an online business can make
sure that there is consent from visitors to its website to permit the business to
build a valuable contacts database and market its services to the site visitors.

Security requirements

Data controllers must put in place adequate technical and organisational measures to
protect the personal data which they are processing from destruction, accidental loss, unauthorised
access or disclosure. This would include, for example, the use of a secure server when
payments are made online.

Furthermore, all data controllers must put in place processing contracts with their 'data processors'.
A data processor is a third party appointed by the data controller to
process personal data on its behalf, although it will still be the data controller who ultimately
decides what happens to the data. These processing contracts must be in writing and must set
out what the data processor may or may not do with the personal data, including
what security measures must be taken to protect the data. Data controllers should reserve for
themselves the right to audit data processors to ensure compliance with the contract. To give a
practical example, if a website collects email addresses, this will constitute personal data, so the data
controller not only has to register with the Commissioner but must make certain that security is put in place to
guard against hacking. If the website is actually hosted by a third party on behalf of the
data controller, then the data controller will have to contractually oblige that third party to
put the relevant security in place. Of course, the data controller will also have to comply with the other
principles.

Transfer of data overseas

If personal data is disclosed or made available to someone overseas, this is considered a
transfer for the purposes of the eighth data protection principle above. In the context of the internet,
if the data is placed on a website without specific consent from the individual, this may be in
breach of the Act because the data can be accessed in countries with less stringent data protection
laws.

Rights of individuals

Data controllers must provide the following rights to data subjects:

(i) The right of access to his or her personal data;
(ii) The right to object to certain processing causing substantial damage or distress;
(iii) The right to object to automated decision taking;
(iv) The right to object to direct marketing.

The most important of these rights is the right of access to personal data. An individual may request
access to all personal data of which he or she is the subject and which is being processed by the
data controller. The data controller may require the data subject to pay a maximum fee of
£10, to make the request in writing and to provide sufficient information to identify and verify the identity of the data
subject making the request. There are exemptions from these access rules in certain limited
circumstances.

Another right that will be of significance to any business which markets to individuals is
the right given to data subjects to object to direct marketing. There are no exemptions to this right.

What are the consequences of non-compliance?

Compliance should not be taken lightly, as the new Act has more teeth than its predecessor,
the Data Protection Act 1984. The Commissioner has been given substantial powers of enforcement
which rival those of the VAT man. Data controllers could, for example, find these new
powers used against them by disgruntled employees or customers, who contact the Commissioner
to complain that there has been a breach of the rules.

The Commissioner can now serve a data controller with an 'information notice' requiring the data
controller to provide certain information within set deadlines. Failure to comply with such a notice, or supplying
deliberately false information, is a criminal offence. If the Commissioner concludes that there has been a
breach of the Act, she may then serve a data controller with an 'enforcement notice'. This can
force a data controller to cease processing personal data, or cease processing data in a specific way.
Failure to comply with an enforcement notice is a criminal offence.

Criminal liability does not lie only with the data controller. It is possible for officers of a
company, including its directors or managers, to be personally criminally liable if the
offence has been committed with their consent, connivance or neglect. Employees may also incur
criminal liability in certain limited cases if they disclose or obtain personal data without the authority of the
data controller. Although the commission of a criminal offence under the Act will not result in a prison
sentence, it will result in fines which, depending on the circumstances, can be of an unlimited amount.
Furthermore, the introduction of custodial sentences under the Act is being considered by
Parliament. It is also increasingly the case that industry regulators are looking at matters of information
security which are similar to those addressed by the Act.
However, the fines are not going to be the reason why most data controllers will want to comply.
Few data controllers will be able to continue with business as usual if they are
prevented from processing personal data due to an enforcement notice, and no data controller will
want the bad publicity that is attached to the unfair processing of personal data.

The increasing use of information technology and the internet ensures that data protection remains one of the most
important and relevant laws that online businesses are required to comply with. The internet is all about
the transfer of information. Not only is the internet used to disseminate information, but also to collect it.
Businesses must look now at how they collect, store and use personal data and ask themselves whether
they comply with the Act. This may involve amending employment and marketing practices in addition
to internal training.

PERSONAL DATA PROTECTION BILL 2019

The draft Personal Data Protection Bill seeks to introduce a data protection regime that can strike the
appropriate balance between protecting the interests of individuals and the legitimate use of data by the State
and private businesses.
The Ministry of Electronics and Information Technology (MeitY) set up a nine-member committee of
experts headed by Justice B.N. Srikrishna (the Committee) in July 2017, to study issues relating to data protection
in India, and to draft a comprehensive data protection bill. The objective of setting up this committee was to
"ensure growth of the digital economy while keeping personal data of citizens secure and protected."

Shortly thereafter, the Supreme Court of India upheld the Right to Privacy of individuals in the landmark
case of Justice K.S. Puttaswamy and Anr. v. Union of India and Ors. (Judgement). The Judgement
recommended that the Central Government put in place a robust regime for data protection which would
take into account the interests of individuals as well as the legitimate concerns of the state, while fostering
an environment for entrepreneurship which is attractive to companies across the world.

The Committee released a white paper (Paper) in November 2017 seeking public comments. Thereafter, on
27 July 2018, the Committee submitted its recommendations to the MeitY (Report) along with a Personal
Data Protection Bill (Draft Bill).
This Draft Bill, if enacted in its current form, would introduce a sea change in the way data is processed in
the country and require corporates and individuals that process personal data to implement certain processes
in order to fulfil their obligations under this bill.
This update provides a snapshot of these compliances and is a good starting point to interpret the Draft Bill.

Meaning:

Setting the premise for the applicability of its provisions, Section 3 of the Draft Bill lays down important
definitions.

(i) Personal Data and Sensitive Personal Data (personal)

The Draft Bill treats both, "personal data" (PD) and "sensitive personal data", (SPD) separately and specifies
different obligations in relation to them. The definitions of these two classes of data are central to the
operation of the Draft Bill.

PD is defined as data about or relating to a natural person who is directly or indirectly identifiable, having
regard to a feature of identity or a combination of such features. The natural person whose PD is collected is
referred to as the "data principal" and the entity that determines the purpose or means of processing this data
is referred to as the "data fiduciary". Data fiduciaries include the State, corporate entities and individuals.
Processing is defined broadly, to encompass most operations on data including storage, adaptation, retrieval,
dissemination, and erasure or destruction.

SPD is PD that reveals, is related to, or constitutes passwords, financial data, health data, official identifiers
(like the PAN or the Aadhaar), sex life and sexual orientation, biometric data, genetic data, transgender
status, intersex status, caste or tribe, religious or political belief or affiliation, and any other category as
may be notified by the Data Protection Authority (DPA).

(ii) Financial Data

The term financial data is defined narrowly in the Draft Bill. Section 3(19) defines financial data as any
number or other PD that is used to identify:

 An account opened by a data fiduciary;
 A card or payment instrument issued by a financial institution; or
 PD regarding the relationship between a financial institution and a data principal, including financial
status and credit status.

Notably absent are classes of data like account statements, data relating to other financial products,
investment information, etc.

(iii) Anonymisation

"Anonymisation" is defined as an irreversible process of transforming or converting PD to a
form in which the data principal cannot be identified, and meeting standards set by
the DPA. The practical applicability of this definition is doubtful, as there appears to be no
process which can guarantee that a data principal is irreversibly unidentifiable. Since
anonymisation techniques that meet the standards set out in the Draft Bill remain unspecified, it is difficult to classify any
data as anonymised data. Given that anonymised data is exempt from the requirements
of the Draft Bill, the categories of data that would be exempt from the applicability of this Draft Bill remain
unclear as well.
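The difficulty the paragraph above describes can be made concrete. The following Python is an added example written for this dissertation, not code from the Draft Bill, the Committee or the DPA; it uses the k-anonymity measure (a privacy metric not mentioned on this page) to test a name-stripped dataset. The records, the choice of quasi-identifier columns, the generalisation steps and the threshold k are all constructed for the example. The check shows that removing names leaves several people uniquely identifiable by the combination of attributes that "other data" available to an outsider can supply, and that generalising the attributes raises the group size but never proves irreversibility.

```python
"""Why stripping names is not anonymisation: a k-anonymity check.

Added illustration, not code from the dissertation or the Draft Bill.
The records below, the quasi-identifier columns, the generalisation
steps and the threshold k are all constructed for the example.
"""
from collections import Counter

# Constructed health records with names already removed.
RECORDS = [
    {"pincode": "248001", "birth_year": 1988, "sex": "F", "condition": "diabetes"},
    {"pincode": "248001", "birth_year": 1988, "sex": "F", "condition": "asthma"},
    {"pincode": "248001", "birth_year": 1985, "sex": "M", "condition": "flu"},
    {"pincode": "248002", "birth_year": 1975, "sex": "M", "condition": "hypertension"},
    {"pincode": "248002", "birth_year": 1979, "sex": "M", "condition": "flu"},
    {"pincode": "248003", "birth_year": 1986, "sex": "M", "condition": "arthritis"},
]

# Columns an outsider could learn from other sources (the "other data"
# the definitions on this page keep referring to).
QUASI_IDENTIFIERS = ("pincode", "birth_year", "sex")

# Progressive generalisation steps: each coarsens one quasi-identifier.
GENERALISATIONS = [
    lambda r: {**r, "birth_year": r["birth_year"] // 10 * 10},  # year -> decade
    lambda r: {**r, "pincode": r["pincode"][:3] + "xxx"},        # pincode -> prefix
    lambda r: {**r, "sex": "*"},                                 # drop sex entirely
]


def equivalence_classes(records, columns):
    """Count how many records share each quasi-identifier combination."""
    return Counter(tuple(r[c] for c in columns) for r in records)


def k_anonymity(records, columns):
    """k = size of the smallest group; k == 1 means someone is unique."""
    classes = equivalence_classes(records, columns)
    return min(classes.values()) if classes else 0


def singletons(records, columns):
    """Quasi-identifier combinations matching exactly one record."""
    return [combo for combo, n in equivalence_classes(records, columns).items() if n == 1]


def reidentify(known, records, columns):
    """Records consistent with what an outsider already knows about one
    person. A single match attributes the sensitive column to that person,
    which is the risk the definition's word 'irreversible' has to exclude."""
    return [r for r in records if all(r[c] == known[c] for c in columns)]


def generalise_until(records, columns, k):
    """Apply generalisation steps in order until every group has >= k members.
    Returns the dataset reached; callers should re-check k_anonymity(), since
    the steps available may not suffice."""
    current = list(records)
    for step in GENERALISATIONS:
        if k_anonymity(current, columns) >= k:
            break
        current = [step(r) for r in current]
    return current
```

On the constructed data, four of the six name-stripped records are unique on (pincode, birth year, sex), so a single known fact about a person yields their condition; two generalisation steps are needed before every group has at least two members. That a dataset passes such a check for one choice of quasi-identifiers says nothing about other attributes an outsider might hold, which is the reason the paragraph gives for doubting that any process can guarantee irreversibility.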

(iv) Harm

Under section 3(21) of the Draft Bill, "harm" is defined to inter alia include any denial or withdrawal of a
service, benefit or good resulting from an evaluative decision about the data principal. What constitutes an
"evaluative decision" has not been clarified under the Draft Bill. However, it would likely include predictive
decisions based on data-processing that determine whether a data subject should be provided with certain
entitlements such as credit, employment, Government subsidies, etc.
The definition of "harm" does not make a distinction between evaluative decisions that are prejudicial to or
discriminatory against the data principal and evaluative decisions that are otherwise justifiable. Hence, the
mere act of denying a data principal certain goods, services, or benefits based on an evaluative decision
would constitute a harm against the data principal.

While data principals can only claim compensation for a harm suffered as a result of any violation of any
provision under the Draft Bill, and not for a harm per se, this may have certain unintended consequences.
For instance, if the data fiduciary is unable to provide the data principal with a summary of the processing
undertaken to make the evaluative decision, thereby violating the data principal's right to confirmation and
access provided in section 24, then the data principal could claim compensation, even though the denial of
service may be entirely justified.

Further, unlike the European Union's General Data Protection Regulation, 2018 (GDPR), the definition of
"harm" under the Draft Bill extends to all types of evaluative decisions regardless of whether humans are
involved or not. Such a broad definition may have a chilling effect on data-based predictive
decision-making.

(v) Eligibility

Owing to the universal and dynamic nature of the internet, any data protection framework must necessarily
address the specific types of data that it intends to cover within its ambit.
The Draft Bill applies to the processing of PD by the State and state entities, and to Indian corporate entities
and Indian citizens if they are located within India. The Draft Bill also applies to the processing of any PD
by entities located outside India if the PD processed is with respect to any business or activity that involves
offering goods or services to individuals located in India or the "profiling" (defined to mean any form of
processing that analyses or predicts the behaviour, attributes or interests of a data principal located in India)
of data principals within India. However, any such activity must specifically target Indian citizens and the
provision of goods or services must not be incidental.
The Draft Bill does not apply to the processing of anonymised data.

Data Protection Obligations


The Draft Bill envisages a fiduciary relationship between the data fiduciary and data principal wherein the
data fiduciary must act in the best interest of the data principal. In this context, the Draft Bill imposes several
obligations on data fiduciaries with respect to collection and processing of PD as set out below:

(vi) Fair and Reasonable Processing

The Draft Bill mandates a data fiduciary to process PD fairly and in a manner that upholds the privacy of the
data principal and does not go beyond the reasonable expectations of the data principal. This obligation
extends to data processors with whom the data fiduciary may have shared the PD for fulfilment of the
purpose, irrespective of whether such a data processor has a direct relationship with the data principal or not.

(vii) Collection and Purpose Limitation

The Draft Bill requires the data fiduciary to use PD provided by the data principal only for lawful purposes
that were specified to the data principal or for incidental purposes that the data principal reasonably expects
it to be used. The collection of PD must be limited to such data that is necessary for the purposes of such
processing.

(viii) Notice

The data fiduciary is obliged to provide notice to the data principal no later than at the time of the collection
of PD. The notice must contain, inter alia:

 The various purposes for which PD is to be processed;
 The categories of PD being collected;
 The identity and contact details of the data fiduciary (including its data trust score, if applicable)
and its Data Protection Officer (DPO);
 The rights of the data principal;
 Information pertaining to sharing, cross-border transfer and retention of PD;
 The procedure for grievance redressal; and
 Any other information as specified by the DPA.

Such notice must be provided to the data principal in a clear and concise manner that is easily
comprehensible to a reasonable person and in multiple languages, if necessary. If PD is not being collected
from the data principal directly, this obligation is still applicable and the data fiduciary is required to provide
notice as soon as is reasonably practicable.

(ix) Data Quality

The key requirements of data quality are that data should be accurate, complete and up-to-date. The data
fiduciary is required to take reasonable steps to ensure that the PD being used is relevant to the purpose for
which it is to be used and is not misleading. The data fiduciary is also responsible for ensuring accuracy and,
in case any data is inaccurate, it must correct, complete or update the data on request by the data principal.
While taking reasonable steps in this regard, the data fiduciary is required to consider whether the PD is (i) likely to be used to
make a decision about the data principal; (ii) likely to be disclosed to other individuals or entities; or (iii)
kept in a form that distinguishes PD based on facts from opinions or personal assessments.

(x) Data storage limitation

The data fiduciary can store PD for only as long as is reasonably necessary to satisfy the purpose for which it
was initially collected or is being processed. However, PD may be retained for a longer period provided such
retention is mandated or necessary to comply with any obligation under applicable law. Additionally, to
avoid any breach of data, the data fiduciary is required to periodically review the PD it possesses and
determine whether it is necessary to retain such PD. Once the purpose for which PD is collected and
processed is achieved and such PD is not necessary to be retained, the data fiduciary is required to delete the
PD.
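The storage-limitation obligation just described amounts to a periodic review with three outcomes: delete once the purpose is achieved, retain where another law mandates it, and otherwise keep reviewing. The Python below is an added example written for this dissertation, not code from the Draft Bill or any data fiduciary; the record layout, the purposes, the per-purpose retention periods, the legal-hold field and the sample records are all constructed assumptions.

```python
"""Periodic retention review of the kind the storage-limitation clause requires.

Added example; not from the dissertation or the Draft Bill. The record
layout, purposes, per-purpose retention periods, legal-hold field and the
sample records are constructed assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed policy: how long each purpose is normally expected to need the data.
# A purpose absent from this table is treated as having no allowance, so any
# unfulfilled record for it is escalated on the next review.
RETENTION_POLICY = {
    "order_delivery": timedelta(days=180),
    "recruitment": timedelta(days=365),
}


@dataclass
class PDRecord:
    record_id: str
    purpose: str                            # the specified purpose of collection
    collected_on: date
    purpose_fulfilled: bool = False         # set when the purpose has been achieved
    legal_hold_until: Optional[date] = None  # set when another law mandates retention


def review_retention(records: list[PDRecord], today: date) -> dict[str, str]:
    """One review run: map each record id to a decision string."""
    decisions = {}
    for r in records:
        if r.legal_hold_until is not None and r.legal_hold_until >= today:
            # Retention mandated by applicable law overrides purpose completion.
            decisions[r.record_id] = "retain: legal obligation"
        elif r.purpose_fulfilled:
            # Purpose achieved and no legal obligation: the data must go.
            decisions[r.record_id] = "delete: purpose achieved"
        elif today - r.collected_on > RETENTION_POLICY.get(r.purpose, timedelta(0)):
            # Held longer than the purpose should need: someone must justify it.
            decisions[r.record_id] = "escalate: held beyond policy period without purpose being achieved"
        else:
            decisions[r.record_id] = "retain: purpose still active"
    return decisions


def apply_decisions(records: list[PDRecord], decisions: dict[str, str]) -> list[PDRecord]:
    """Erase the records marked for deletion; return what remains."""
    return [r for r in records if not decisions[r.record_id].startswith("delete")]


# Constructed sample records and review date.
SAMPLE = [
    PDRecord("r1", "order_delivery", date(2021, 1, 10), purpose_fulfilled=True),
    PDRecord("r2", "order_delivery", date(2021, 1, 10), purpose_fulfilled=True,
             legal_hold_until=date(2028, 3, 31)),
    PDRecord("r3", "recruitment", date(2019, 5, 1)),
    PDRecord("r4", "order_delivery", date(2021, 5, 20)),
]
REVIEW_DATE = date(2021, 6, 1)

if __name__ == "__main__":
    for record_id, decision in review_retention(SAMPLE, REVIEW_DATE).items():
        print(record_id, decision)
```

The escalation branch is what makes the review periodic in substance rather than in name: a record whose purpose has never been marked as achieved would otherwise be retained indefinitely, which is exactly the outcome the clause is written to prevent.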

(xi) Accountability

With the aim of ensuring transparency throughout the life cycle of the processing of PD, data fiduciaries
are made accountable to the data principal and must be able to demonstrate compliance with the provisions
of the Draft Bill.

Grounds for Processing Personal and Sensitive Personal Data

Under the Draft Bill, consent is not the only ground under which PD or SPD may be processed. PD or SPD
may be processed only if one of the grounds, as detailed below, is satisfied:

Consent:

Consent must be obtained no later than at the commencement of the processing. It must be free, informed,
specific, clear and capable of being withdrawn as easily as it is given. If consent is withdrawn, the data
principal shall bear any legal consequence for the effect of such withdrawal.

For the processing of SPD, consent must additionally have the following attributes:
 Informed, such that the attention of the data principal is drawn to the purposes or processing
operations that could have significant consequences for the data principal;
 Clear, such that it is meaningful without recourse to inference from conduct;
 Explicit, such that the data principal is given the choice to separately consent to the purpose,
operations in, and the use of different categories of SPD relevant to the processing.

For compliance with law or any order of any court or tribunal

PD and SPD may be processed if it is explicitly mandated under any law made by Parliament
or any State legislature, or to comply with any order or judgment of any court or tribunal in India.

Prompt action

PD and SPD may be processed:

(I) to respond to any medical emergency involving a threat to life or a severe threat to the health of an
individual;
(II) to provide medical treatment or health services to individuals during an outbreak of an epidemic
or disease, or any other threat to public health;
(III) to take any measure to ensure the safety of, or provide assistance or services to, any individual during any
disaster or breakdown of public order.

Employment

PD may be processed by an employer for recruitment or termination of employment of a data principal,
provision of any service to, or benefit sought by the data principal, verifying the data principal's attendance,
or any other activity relating to the assessment of the performance of the data principal.
This ground however may be used only where processing based on consent is not appropriate based on the
relationship with the data principal or which would involve a disproportionate effort on the part of the data
fiduciary.

Reasonable purposes

The DPA may specify reasonable purposes for collection of PDs in relation to activities such as prevention
and detection of any unlawful activity including fraud, whistle blowing, mergers and acquisitions, network
and information security, credit scoring, recovery of debt, and processing of publicly available PD.

Personal and Sensitive Personal Data of Children

The Draft Bill requires data fiduciaries that process the PD of a child to act in a manner that protects and
advances the best interests of the child. A "child" is defined as a data principal under 18 years of age.

Data fiduciaries must incorporate mechanisms for age verification and parental consent to process children's
PD. Data fiduciaries that operate commercial websites or online services directed at children, or process
large volumes of children's PD, may be notified by the DPA as "guardian data fiduciaries". Guardian data
fiduciaries are barred from profiling, tracking, behavioural monitoring or targeted advertising directed at
children, or undertaking other processing that may cause significant harm to children. However, where
guardian data fiduciaries exclusively provide counselling or child protection services to children, parental
consent is not required.

Any form of processing that may entail a risk of significant harm to a child is prohibited. The unambiguous
language of the provision on the best interests of the child indicates a positive obligation on data
fiduciaries to process data to the benefit of the child. As a precaution, entities processing children's PD
would do well to be transparent about the purpose for which the data is being used and what the risks and
safeguards are, and to expressly provide for withdrawal of consent. Even for products aimed at adults, if
there is a likelihood that children may use them, appropriate safeguards must be taken to prevent children
from providing PD.

Data Principal Rights

Under the Draft Bill, a data principal has the following rights with respect to a data fiduciary:

The Right to Confirmation and Access

A data principal has the right to request a data fiduciary to confirm if it is processing or has processed his
PD. The data principal can also request the data fiduciary for a brief summary of the PD being processed or
that has been processed, including a summary of processing activities undertaken with respect to the PD.
The data fiduciary has a duty to provide all such information to the data principal in a clear and concise
manner that is easily comprehensible to a reasonable person.

The Right to Correction

The data principal has been granted the right to compel a data fiduciary processing his PD:

(i) to correct inaccurate or misleading PD,
(ii) to complete any incomplete PD,
(iii) to update PD that is out of date.

When a data fiduciary makes such a change, it must also take reasonable steps to notify the change to all
relevant entities or individuals to whom the PD has been disclosed, particularly where such change would
have an impact on the rights and interests of the data principal or on decisions made regarding the data
principal. Adequate justification must be provided to the data principal in writing if the request is rejected.
The data principal then has the option to require the data fiduciary to take reasonable steps to indicate,
alongside the relevant PD, that the same is disputed.

The Right to Data Portability

The Draft Bill grants a data principal the right to receive his PD in a structured, commonly used and
machine-readable format. This relates not only to data which has been provided to the data fiduciary, but
also data that is generated in the course of providing goods or services by the data fiduciary or which forms
part of any profile, or which the data fiduciary has otherwise obtained.
A data principal also has the right to have such data transferred to any other data fiduciary. This right is
however not available where compliance with such request would reveal a trade secret of the transferor data
fiduciary or would not be technically feasible.

The Right to be Forgotten

A data principal has the right to restrict or prevent continued disclosure of PD by a data fiduciary, where
such disclosure

i. Has served the purpose for which it was made or is no longer necessary,
ii. Was made on the basis of consent under section 12 and such consent has since been
withdrawn,
iii. Was made contrary to the provisions of this draft bill or any other law made by parliament
or any state legislature.

However, for this restriction to apply, an Adjudicating Officer must first determine that one of the above
three conditions is satisfied, and also that the rights and interests of the data principal in preventing or
restricting the continued disclosure override the right to freedom of speech and expression and the right to
information of any citizen.

Other than the right to be forgotten, the above-mentioned rights may only be exercised upon a request made
in writing to the data fiduciary, with reasonable information to satisfy the data fiduciary of the identity of the
data principal making the request. A reasonable fee may be charged except in specific cases. If a data
fiduciary refuses any such request, the data fiduciary must provide the data principal with the reasons for
such refusal and inform the data principal that he has the right to file a complaint with the Authority against
the refusal, within such period and in such manner as may be specified. However, a data fiduciary need not
comply with a request where compliance would harm the rights of another data principal.
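As an added illustration (not text or code from the dissertation, the Draft Bill or any real implementation), the following Python sketch shows how a data fiduciary's record store could give effect to the four rights described above: confirmation and access as a summary rather than a raw dump, correction that either propagates to prior recipients or leaves a written refusal and a "disputed" marker, portability that exports provided and derived PD but withholds derived fields flagged as trade secrets, and restriction of disclosure that takes effect only once an Adjudicating Officer's determination is recorded. The class, field and record names are constructed assumptions.

```python
"""Added example (not from the dissertation or the Draft Bill): a toy
data-fiduciary record store implementing the data principal rights discussed
above. Names, fields and sample records are constructed for illustration."""
import json
from typing import Any


class DataFiduciary:
    def __init__(self) -> None:
        # principal id -> record; each record holds the PD the principal
        # provided, PD the fiduciary derived (value, is_trade_secret),
        # disputed fields, disclosure recipients, processing activities and
        # the restriction flag set under the right to be forgotten.
        self._records: dict[str, dict[str, Any]] = {}
        # notices sent to recipients when PD they had received was corrected
        self.change_notices: list[tuple[str, str, str]] = []

    def register(self, pid: str, provided: dict, derived=None,
                 recipients=(), activities=()) -> None:
        self._records[pid] = {
            "provided": dict(provided),
            "derived": dict(derived or {}),
            "disputed": set(),
            "recipients": list(recipients),
            "activities": list(activities),
            "restricted": False,
        }

    # Right to confirmation and access: a concise summary, not the raw PD.
    def confirm_processing(self, pid: str) -> bool:
        return pid in self._records

    def access_summary(self, pid: str) -> dict:
        rec = self._records[pid]
        return {
            "categories": sorted(rec["provided"]) + sorted(rec["derived"]),
            "processing_activities": list(rec["activities"]),
            "disputed_fields": sorted(rec["disputed"]),
        }

    # Right to correction: an accepted change is notified to every prior
    # recipient; a refusal must carry written reasons and marks the field disputed.
    def request_correction(self, pid: str, field: str, new_value,
                           accept: bool, reasons: str = "") -> bool:
        rec = self._records[pid]
        if accept:
            rec["provided"][field] = new_value
            rec["disputed"].discard(field)
            for recipient in rec["recipients"]:
                self.change_notices.append((recipient, pid, field))
            return True
        if not reasons:
            raise ValueError("a refusal must state its reasons in writing")
        rec["disputed"].add(field)
        return False

    # Right to data portability: structured, machine-readable export of provided
    # and derived PD, withholding derived fields flagged as trade secrets.
    def export_portable(self, pid: str) -> str:
        rec = self._records[pid]
        payload = {
            "provided": rec["provided"],
            "derived": {k: v for k, (v, secret) in rec["derived"].items() if not secret},
        }
        return json.dumps(payload, sort_keys=True)

    # Right to be forgotten: restriction of continued disclosure takes effect
    # only after an Adjudicating Officer's determination is recorded.
    def restrict_disclosure(self, pid: str, adjudicated: bool) -> bool:
        if not adjudicated:
            return False
        self._records[pid]["restricted"] = True
        return True

    def disclose(self, pid: str, recipient: str):
        """Return the PD for onward disclosure, or None once restricted."""
        rec = self._records[pid]
        if rec["restricted"]:
            return None
        rec["recipients"].append(recipient)
        return dict(rec["provided"])
```

The trade-secret flag on derived fields mirrors the exception to portability noted above; keeping the list of prior recipients per record is what makes the correction-notification duty mechanically possible.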

Transparency and Accountability Measures

Privacy by Design

The Draft Bill provides for the implementation of organizational measures that engender trust in a data
fiduciary, with the objective to ensure that PD is processed lawfully, fairly and reasonably. Such measures
aim at setting up an accountability framework under the Draft Bill, and these organizational measures
constitute "privacy by design". Key among these are:

• Designing business practices and technical systems to anticipate, identify and avoid harm to a data
principal.
• Embedding obligations regarding grounds of processing PD in the organisational and business
practices of the data fiduciary.
• Protecting privacy at all stages of processing of PD till deletion.
• Processing PD in a transparent manner.
• Considering the interest of a data principal at every stage of processing.

Transparency and safety safeguards

Section 30 of the Draft Bill details the level of transparency that a data fiduciary will have to maintain
regarding its practices for processing PD. A data fiduciary must make available, in an easily accessible form,
information such as:

(i) the categories of PD collected,
(ii) the purpose and manner of such collection,
(iii) the existence and procedure for exercise of the rights of a data principal,
(iv) the existence of the right to file complaints to the DPA,
(v) information regarding cross-border transfers of PD.

There is a further obligation on a data fiduciary to notify a data principal of important operations in the
processing of PD periodically.

Every data fiduciary as well as data processor is required by Section 31 to implement security safeguards,
including:

(i) the use of de-identification and encryption;
(ii) measures to protect the integrity of PD; and
(iii) measures to prevent misuse, unauthorized access to, modification, disclosure or destruction of PD.

These safeguards must be implemented taking into account the nature and scope of processing, the
risks associated, and the likelihood of harm that may be caused to the data principal, and must be
reviewed periodically.
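Two of the Section 31 safeguards, de-identification and integrity protection, are easy to get subtly wrong, so the following added example (not from the dissertation or any real fiduciary's code base) sketches them with only the Python standard library. It replaces direct identifiers with keyed pseudonyms (HMAC-SHA256 under a secret held outside the dataset), includes a risk check showing why an unkeyed hash of an e-mail address is not de-identification at all (it can simply be matched against a list of known addresses), and seals each record with an integrity tag so that unauthorised modification is detectable. The identifier field names, key handling and sample record are constructed assumptions.

```python
"""Added example: de-identification and integrity safeguards of the kind
Section 31 describes, built only on the Python standard library. The field
names, key handling and sample record are constructed for illustration."""
import hashlib
import hmac
import json
import secrets

# Fields assumed to identify the data principal directly.
DIRECT_IDENTIFIERS = ("name", "email", "phone")


def new_key() -> bytes:
    """A fresh 256-bit secret; a real deployment keeps it separate from the data."""
    return secrets.token_bytes(32)


def keyed_pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym: stable for the same key, unrecoverable without it."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def unkeyed_pseudonym(value: str) -> str:
    """Plain SHA-256 of the value, shown only to demonstrate why it is not enough."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:16]


def de_identify(record: dict, key: bytes) -> dict:
    """Return a copy of the record with direct identifiers replaced by keyed pseudonyms."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field] = keyed_pseudonym(out[field], key)
    return out


def reversible_by_dictionary(token: str, known_values: list) -> bool:
    """Risk check for a reviewer: does the token match the unkeyed hash of any
    known value? Unkeyed tokens do; keyed pseudonyms do not (without the key)."""
    return any(unkeyed_pseudonym(v) == token for v in known_values)


def seal(record: dict, key: bytes) -> str:
    """Integrity tag (HMAC-SHA256) over the canonical JSON form of the record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify(record: dict, tag: str, key: bytes) -> bool:
    """True only if the record is byte-for-byte what was sealed; constant-time compare."""
    return hmac.compare_digest(seal(record, key), tag)
```

The integrity tag covers the de-identified record rather than the original, so the sealed dataset can be checked by anyone holding the integrity key without ever re-exposing the identifiers; in practice the pseudonymisation key and the integrity key would be separate secrets.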

Personal Data Breach

Section 32(1) mandates a data fiduciary to notify the DPA (as soon as possible and no later than the period
specified by the DPA) of any PD breach that is likely to cause harm to any data principal. Such notification
must include particulars of the nature of the PD breached, the number of data principals affected, the
consequences of the breach and the measures being taken to remedy it.

The DPA will determine as to whether such breach should be reported by the data fiduciary to the data
principal, taking into account the severity of harm to the data principal and whether some action is required
from the data principal to mitigate such harm. The DPA may also direct the data fiduciary to publish the
details of the breach on its website and additionally may also post such details on its own website.

Third party processing of personal data

A data fiduciary may engage a data processor to process PD on its behalf only through a valid contract.
Further, the processing may not be sub-contracted by a data processor without the authorization of the data
fiduciary, contractually or otherwise. Further, such processing must be done only in accordance with the
instructions of the data fiduciary unless otherwise prescribed by law.
Significant data fiduciaries

Considering the volume of personal data processed, sensitivity of such data, annual turnover of the data
fiduciary, the risk of harm from any processing undertaken by the data fiduciary, use of new technologies,
and any other factor that may be relevant in causing harm to any data principal as a result of such
processing, the DPA is required to notify certain data fiduciaries (or classes of data fiduciaries) as
"significant data fiduciaries".

Significant data fiduciaries are required to register themselves with the DPA. Generally, significant data
fiduciaries will be subject to heightened organizational measures as well as higher compliance standards.
Notably, these are:

Data Protection Impact Assessment

If a data fiduciary intends to undertake any data processing involving new technologies or large-scale
profiling, or use of SPD, or any other processing that may pose a risk of significant harm to a data principal,
it must first undertake a Data Protection Impact Assessment (DPIA). Owing to the ambiguity of what
amounts to "new technology", it is currently uncertain when the requirement to obtain a DPIA is
triggered for a significant data fiduciary. For entities that operate in high technology fields, this will
potentially apply to most forms of processing that they undertake.

The DPIA is required to contain:

(i) a detailed description of the proposed processing, including the purpose and nature of the data
processed;
(ii) an assessment of potential harm to data principals;
(iii) measures for managing and mitigating such risk of harm.

Upon completion of the DPIA, the DPO appointed by the data fiduciary is required to review the DPIA and
submit the same to the DPA. The DPA may then (if it believes that the processing may cause harm to data
principals) direct the data fiduciary to cease such processing or may prescribe conditions to such processing.

Data Protection Officer (DPO)

Every data fiduciary must appoint a DPO to carry out functions such as:

• advising the data fiduciary on compliance with the Draft Bill,
• monitoring processing activities to ensure such processing does not violate the Act,
• providing advice on DPIAs and Privacy by Design,
• acting as a point of contact between the DPA and the data fiduciary,
• acting as a point of contact between a data principal and the data fiduciary,
• maintaining an inventory of all records.

Data Localisation and Cross Border Transfers of Data

The Draft Bill includes extensive provisions on the localisation of data and the way cross border transfers of
data can take place.

Data Localisation

One of the most prominent requirements under the Draft Bill (Section 40) is the obligation to store one
"serving" copy of all data to which the Draft Bill applies in India. Setting aside for the moment the
significant practical difficulties that this requirement poses, the exact scope of this requirement is unclear.
While from a plain reading of the provision it may presumably be interpreted as a requirement to store a live
copy of the data that the Draft Bill applies to, very little other interpretative assistance is available. The
intention appears to be that data fiduciaries mirror all data that they process (in any form) anywhere in the
world, and to which the Draft Bill applies, in India. This would therefore also include all metadata, data
stored in a transient form and other such kinds of data as well, for the duration for which they are processed,
anywhere in the world. If we adopt this interpretation, the practical implications of this are far reaching.

The Draft Bill excludes small entities from the following:

(i) the requirement to provide notice for collection of PD,
(ii) the obligation to ensure quality of data,
(iii) the limitations on storage of PD,
(iv) the obligation to provide a summary of processing activities to data principals,
(v) the requirement to facilitate a data principal's right to data portability and the right to be forgotten,
(vi) the obligations regarding privacy by design, transparency, security safeguards, personal data breach
notification, data protection impact assessment, maintenance of records, data audits, data protection
officer and grievance redressal.

Further, such data fiduciaries will not be subject to classification as significant data fiduciaries.

Data Protection Authority

The Draft Bill establishes a DPA to serve as the regulatory and enforcement body. The DPA has been vested
with wide-ranging powers to:

(i) provide guidelines and directions on the applicability of several provisions of the Draft Bill,
(ii) ensure consistency of data protection regulations across ministries, regulators and legislations
and monitor, and
(iii) enforce compliance with provisions of the Draft Bill by various stakeholders.

In performing these functions, the DPA would have the powers of a civil court with respect to discovery,
summons and inspection.

While the Draft Bill itself specifies the substantive obligations that would apply to the handling of data, the
specifics of these obligations are to be detailed under what is termed in the Draft Bill as "Codes of Practice",
which will be issued by the DPA.

These Codes of Practice would relate to issues such as form of notices, retention periods, grounds for
processing, method for exercise of rights by data principals, specific measures or standards for security and
safeguards for personal data, cross border data transfers, personal data breaches, data protection impact
assessments, processing of de-identified data for research, archiving or statistical purposes etc.

Codes of Practice would be applicable either generally or to a particular industry or sector. The DPA would
have to issue these Codes of Practice in consultation with the relevant stakeholders including the regulators,
the industry and the public. The DPA would also be authorised to approve Codes of Practice submitted by an
industry or trade association.

Considering that the Draft Bill deals with the substantive provisions and majority of the compliance
obligations under the Draft Bill would be covered under the Codes of Practice that would then operate as
sectoral privacy regulations, it is advisable to engage with the DPA in the formulation of these to ensure that
the interests of the industry are also adequately protected.

Inquiry and Investigation

The DPA can conduct an inquiry when it has reasonable grounds to believe that a data fiduciary or processor
is either contravening its obligations under the Draft Bill or carrying out activities detrimental to the interest
of data principals. For this purpose, the DPA may appoint an Inquiry Officer. Inquiry Officers have broad
powers to investigate and examine the records and personnel of any data fiduciary or processor under the
Draft Bill.

Bar on processing certain forms of biometric data

The Draft Bill prohibits a data fiduciary from processing any biometric data which has been notified by the
central government as being subject to such restriction. However, such processing may be carried out if the
data fiduciary is specifically permitted by law.
While it is presently unclear as to what kind of biometric data will be notified under this section, it seems
likely that entities may face some restrictions on use of specific forms of biometric data, such as fingerprints,
iris scans, facial recognition, etc. This has the potential to affect a wide variety of activities from biometric
verification systems for employees to device access.

The Draft Bill when enacted will usher in a new data privacy regime requiring corporates to re-examine their
privacy practices with respect to processing of PD in India. However, since many compliances may come
from the Codes of Practice, the full impact of the Draft Bill will have to be assessed upon their release.

The argument of surveillance is not new. In the year 2007 the Indian Telegraph Rules, 1951 were amended and
Rule 419A was inserted in the Rules, so as to provide the Government with powers under the Act and the Rules
to carry out surveillance, intercept any message and exercise such other powers so as to safeguard the
sovereignty of our country. Then, in the years 2009 and 2011 respectively, under the Information Technology
Act, 2000, the Information Technology (Procedures and Safeguards for Interception, Monitoring and Decryption
of Information) Rules, 2009 and the Information Technology (Procedures and Safeguard for Monitoring and
Collecting Traffic Data or Information) Rules, 2011 were added. These sets of rules deal in depth with how the
Government can intercept, monitor and decrypt computer systems, computer networks and internet messages,
basically any transmission made through the Internet, to safeguard our country. National security is, of
course, one of the primary roles of the Government.

The Draft Bill also provides wide, discretionary and unfettered powers to the Government, and the data
privacy obligations are subservient to the Government's obligations of security of the State and prevention,
detection, investigation and prosecution of contraventions of law. Data Protection Authority of India: the
independent regulatory body for data protection has the power to issue directions, conduct inquiries, call for
information, and conduct search and seizure; its functions span monitoring and enforcement, legal affairs,
policy and standard setting, research and awareness, conducting inquiries, grievance handling and adjudication.

While this is "the" legislation for Data Protection, Section 67 envisages situations of concurrent jurisdiction
and provides for a consultative approach in resolving such disputes. Therefore, the Authority has to take into
consideration other laws and recommendations provided by other regulators, for example the Ministry of
Information and Broadcasting or TRAI (for instance the recommendation published by TRAI on Privacy,
Security and Ownership of the Data in the Telecom Sector, dated 16 July, 2018). Grievance handling and
adjudication: the proposal of having an Appellate Tribunal as a special court is helpful for the speedy disposal
of disputes. The proposal perhaps came about because the Courts are already over-burdened. Every Data
Fiduciary should have proper procedures and effective mechanisms to address the grievances of Data
Principals, which should be resolved in an expeditious manner within a period of 30 (thirty) days. It is
heartening to see a time-bound approach for resolving disputes.

Transfer of Personal Data Outside India (Chapter VIII of the Act)

S. 40 imposes restrictions on cross-border transfer of personal data. A copy of personal data must be kept at
a server or data center in India. Besides, critical personal data, as determined by Central Government, shall
only be processed in India. However, certain categories of personal data may be exempted from localisation
requirement.

Under S. 41, data other than that covered by S. 40 may be transferred outside India after meeting certain
conditions, such as the consent of the data principal, contractual obligations or intra-group schemes
prescribed by the Authority, countries or sectors prescribed by the Central Government with the concurrence
of the Authority, or a situation of necessity.

Central government while permitting data transfer must ensure that it is subject to adequate level of
protection such as applicable laws, international agreements and law enforcement. However, the transfer
may be permitted without meeting these conditions in case of health and emergency services, or where
transfer is necessary for any class of data fiduciaries or data processors and it does not hamper effective
enforcement of the Act. While prescribing contractual obligations/intra-group schemes, the Authority must
ensure adequate level of data protection for data transferred. In such cases data fiduciary must certify that it
adheres to the contractual obligations and shall be liable for non-compliance.

Exemptions (Chapter IX of the Act)

This Chapter exempts the application of specific provisions of this Act to data processing for specific
purposes. The data protections in question would not apply if data is processed for Security of the State
(Sec 42); for Prevention, Detection, Investigation and Prosecution of Contraventions of Law (Sec 43); for
Domestic Purposes, for example non-commercial purposes or purposes undisclosed to the public (Sec 46); or
for Journalistic Purposes (Sec 47).

Penalties and remedies

The Draft Bill provides for penalties which are in consonance with the GDPR, and the quantum of penalty acts
as a deterrent to engaging in wrongful acts. It remains to be seen over time whether this deterrence helps in
mitigating occurrences of breaches or whether it increases litigation. Penalties have been provided for the
following:

(i) failure to comply with data principals' requests under Chapter VI of the Draft Bill,
(ii) failure to furnish reports, information, etc.,
(iii) failure to comply with the directions or orders issued by the Authority,
(iv) contravention where no separate penalty has been provided.

Further, Section 69(1) also makes the Data Fiduciary liable if it fails to fulfil the obligations relating to
taking prompt action on a data breach, undertaking a data protection impact assessment, conducting a data
audit as a significant data fiduciary, or registering with the Authority. The penalty for a Data Fiduciary
under this sub-section extends to Rs. 5,00,00,000/- (Rupees Five Crore Only) or 2 (two) per cent of the total
worldwide turnover of the preceding financial year, whichever is higher.

Section 69(2) makes the Data Fiduciary liable for a penalty when it contravenes any of the requirements
mentioned under this sub-section. The penalty may extend to Rs. 15,00,00,000/- (Rupees Fifteen Crore
Only) or 4 (four) per cent of the total worldwide turnover of the preceding financial year, whichever is higher.

Criminal liability:

Not only penalties but imprisonment has also been prescribed. For instance, any person who obtains,
transfers or sells personal data contrary to the provisions of the Draft Bill would be liable to imprisonment
not exceeding 3 (three) years or a fine which may extend up to Rs 2,00,000/- (Rupees Two Lakhs Only), or
both. Further, any person who obtains, transfers or sells SPD would be liable to imprisonment not exceeding
5 (five) years or a fine which may extend up to Rs 3,00,000/- (Rupees Three Lakhs Only), or both. There is
imprisonment for a term not exceeding 3 (three) years or a fine which may extend to Rs 2,00,000 (Rupees
Two Lakhs Only), or both, when any person re-identifies Personal Data which has been de-identified by
the Data Fiduciary or Data Processor, or re-identifies and processes such Personal Data without the consent
of the Data Fiduciary or Data Processor.

The Draft Bill has made suitable provisions whereby the company and its directors, officers, as well as
Central or State Governments along with its head of departments, officers could be made liable for offences
committed under this Draft Bill.
Compensation: The Data Principal also has a right to claim compensation from the Data Fiduciary and Data
Processor if it contravenes with any provisions of the Draft Bill. Section 76 states that any compensation
awarded or penalty imposed under this Draft Bill would not prevent the award of compensation or
imposition of any other penalty or punishment under any law for the time being in force.

We have added our thoughts as we discussed the Draft Bill above. The dynamics of this digital economy are
changing rapidly; people are using more and more innovative technologies to disrupt the industry, and in all
of this the most crucial element is data. It is rightly said that data is the new oil of this digital economy, and
therefore this much-anticipated Draft Bill is, though late, a step towards regulating the use of data.

Summary of the Personal Data Protection Bill, 2018

This is a summary of the key provisions of the Personal Data Protection Bill, 2018 (“the Bill”/ “the Act”).

The Bill has been divided into 15 Chapters. It is composed of 112 Sections, with 2 schedules and 4 recitals.
According to Section 1 of the Bill, the law shall apply to the whole of India.

The Recitals:
The Bill has recognized the right to privacy as a fundamental right and protection of personal data as an
essential facet of informational privacy.
The intent of the Bill is to:
• protect individual autonomy in relation to personal data,
• specify where the flow and usage of personal data is appropriate,
• create a relation of trust between persons and entities,
• specify the rights of individuals towards their data,
• create a framework for the processing of personal data,
• lay out norms for cross-border transfer of personal data,
• ensure accountability of entities processing personal data.

Grounds for Processing of Personal Data (Chapter III of the Act)

Personal data may be processed on the basis of consent, but such consent must be free, informed, specific,
clear and meaningful. Consent should also be capable of being withdrawn.
Section 13 empowers the Parliament and State Legislatures to process personal data if it’s necessary for their
functions. It also gives power to the State to process personal data for any function authorised by law.

Personal data may also be processed if there is:

• public interest in processing such data;
• prevention and detection of any unlawful activity;
• whistle blowing;
• network and information security; etc.

Grounds for Processing of Sensitive Personal Data (Chapter IV of the Act)

CYBER CRIME AND THE THREATS FOR INDIA (SURVEILLANCE)

Cyber Crimes and Terrorism Hacking:

The IT Act does not define the term 'hacking'; however, section 43 of the IT Act provides that any person
who, without permission of the owner of a computer or computer system, accesses or secures access to,
downloads, copies or extracts any data from, introduces or causes to be introduced any computer
contaminant or computer virus into, damages, disrupts or denies access to such computer system, or charges
the services availed of by one person to the account of another person, shall be liable to pay damages by way
of compensation to the extent of Rs. 1,00,00,000/-.

Cyber Terrorism:

Whoever with the intent to threaten the unity, integrity, security, or sovereignty of India or strike terror in
the people denies authorised personnel access to computers, attempts to penetrate or access a computer
resource without authorisation, or introduces malware to any computer, is considered to be committing an
act of cyber terrorism.16

Voyeurism:

Section 66E of the IT Act provides that whoever intentionally or knowingly captures, publishes or transmits
the image of a private area of any person, under circumstances violating the privacy of that person and
without consent, would be liable to be imprisoned for up to 3 years and also pay a fine of up to 2 lakh rupees.
The section further clarifies that a “private area” means the naked or undergarment-clad genitals, pubic area,
buttocks or female breast; “publishes” means reproduction in the printed or electronic form and making
available to the public; and “under circumstances violating privacy” means circumstances in which a person can
have a reasonable expectation that he or she could disrobe in privacy without being concerned that an image
of his or her private area was being captured, or that any part of his or her private area would not be visible
to the public, regardless of whether that person is in a public or private place.17

Section 354C of the Indian Penal Code, 1860 provides a similar protection, but provides varying penalties for
the first and second offence. When comparing the two, the penalties differ, as the IPC provides for two levels
of penalty for offenders. Section 66E also covers the publishing and transmission of a picture of any person,
whereas the IPC covers watching or capturing the image of a woman engaged in a private act.18

Breach of Confidentiality and Privacy:

The IT Act prohibits the disclosure of information that is obtained without the consent of the relevant
individual, and any such disclosure is punishable with imprisonment for up to two years and a fine of up to one
lakh rupees. It further provides that any intermediary or person causing disclosure of information with the
intent of causing wrongful loss or wrongful gain, without the consent of the person concerned, or in breach
of a lawful contract, would be liable to imprisonment for up to 3 years and a fine which may extend up to five
lakh rupees.

Identity Theft:

16 Rule 3(2), Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data or
Information) Rules, 2009.
17 Rule 3(3), Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data or
Information) Rules, 2009.
18 Rule 7, Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data or
Information) Rules, 2009.

Whoever, fraudulently or dishonestly makes use of an electronic signature, password or any other unique
identification feature of any other person, is liable to be punished with imprisonment of up to three years and
fine which may extend to one lakh rupees.

Cheating by Impersonation:

Any person who by means of any communication device or computer resource cheats by personation, is
liable to be punished with imprisonment of up to three years and fine which may extend to one lakh rupees.

Offences Relating to Interception:

Service providers that do not comply with interception requests from authorised agencies would be liable to
imprisonment for up to seven years and a fine with no upper limit. Any intermediary, or employee of the
same, who intentionally and without authorisation attempts to intercept, authorises, or assists any person to
intercept information in transmission at any place within India shall be liable to be imprisoned for up to two
years and a fine which may extend to one lakh rupees.

Legal Landscape for Surveillance

In India, surveillance by law enforcement authorities has long been an accepted practice; indeed, the two landmark Supreme Court decisions on the right to privacy were pronounced in the context of police surveillance. Even there, one decision upheld the surveillance activities of the police and the other struck them down mainly on the technical ground that they were being carried on without proper authorisation. In the modern age, however, most surveillance is carried out through the tapping or interception of telecommunication messages, so the two most important statutes for surveillance today are the Indian Telegraph Act, 1885 and the Information Technology Act, 2000.

Since the Indian Telegraph Act, 1885 is an older statute and some of the legal jurisprudence on surveillance
originated around it, we shall first discuss the provisions of this statute that deal with surveillance before
moving on to the provisions of the Information Technology Act, 2000.
The Indian Telegraph Act, 1885

The provision of the Indian Telegraph Act, 1885 ("Telegraph Act") relevant to surveillance is Section 5(2), which empowers the Central Government, a State Government, or an officer specially authorised by either to order the interception of messages. Two overarching pre-conditions must first be satisfied: an order may be made only
(i) on the occurrence of a "public emergency", or
(ii) in the interest of "public safety".
Even then, the government must be satisfied that interception is necessary or expedient in the interests of one of the following:
(i) the sovereignty and integrity of India;
(ii) the security of the State;
(iii) friendly relations with foreign states;
(iv) public order; or
(v) preventing incitement to the commission of an offence.

It is important to note that public emergency and public safety are threshold conditions for any interception and must be met in addition to one of the listed grounds.
The Supreme Court of India has interpreted the terms 'public emergency' and 'public safety' in the following terms:
"Public emergency would mean the prevailing of a sudden condition or state of affairs affecting the people at large calling for immediate action. The expression 'public safety' means the state or condition of freedom from danger or risk for the people at large. When either of these two conditions are not in existence, the Central Government or a State Government or the authorised officer cannot resort to telephone tapping even though there is satisfaction that it is necessary or expedient so to do in the interests of its sovereignty and integrity of India etc. In other words, even if the Central Government is satisfied that it is necessary or expedient so to do in the interest of the sovereignty and integrity of India or the security of the State, it cannot intercept the message, or resort to telephone tapping unless a public emergency has occurred or the interest of public safety or the existence of the interest of public safety requires. Neither the occurrence of public emergency nor the interest of public safety are secretive conditions or situations. Either of the situations would be apparent to a reasonable person."19

In 2007, Rule 419A was added to the Indian Telegraph Rules, 1951 framed under the Indian Telegraph Act. It provides that orders for the interception of communications may be issued only by the Secretary in the Ministry of Home Affairs (the Union Home Secretary) or, at the State level, by the Secretary in charge of the Home Department (the State Home Secretary). In unavoidable circumstances, however, an order may also be issued by an officer not below the rank of Joint Secretary to the Government of India who has been authorised by the Union Home Secretary or the State Home Secretary.20

Rule 419A further allows the interception of any message or class of messages to be carried out, in the following emergent cases, with the prior approval of the Head or the second senior-most officer of the authorised security agency at the Central level, or of officers not below the rank of Inspector General of Police authorised in this behalf at the State level:
(i) in remote areas, where obtaining prior directions for interception of messages or a class of messages is not feasible; or
(ii) for operational reasons, where obtaining prior directions for interception of messages or a class of messages is not feasible.
In such cases the competent authority must be informed of the interception by the approving authority within three working days, and the interception must be confirmed by the competent authority within seven working days. If confirmation is not received within those seven working days, the interception must cease, and the same message or class of messages may not be intercepted thereafter without the prior approval of the Union Home Secretary or the State Home Secretary.21

Rule 419A also incorporates safeguards intended to curb unrestricted surveillance by law enforcement authorities, including the following:
(i) Any order for interception issued by the competent authority must contain the reasons for the direction, and a copy of the order must be forwarded to the Review Committee within seven working days.22
(ii) Directions for interception may be issued only when it is not possible to acquire the information by any other reasonable means.23
(iii) A direction for interception may cover any message or class of messages sent to or from any person or class of persons, or relating to any particular subject, whether such messages are received at one or more addresses, being an address or addresses likely to be used for communications from or to one particular person, or one particular set of premises, specified or described in the order.24
(iv) The interception direction must specify the name and designation of the officer or authority to whom the intercepted message or class of messages is to be disclosed.25
(v) Directions for interception remain in force for sixty days unless revoked earlier, and may be renewed, but may not remain in force beyond a total period of one hundred and eighty days.26
(vi) The officer authorised to intercept any message or class of messages must maintain proper records of the intercepted messages, the particulars of the persons whose messages have been intercepted, the name and other particulars of the officer or authority to whom the intercepted messages have been disclosed, and so on.27
(vii) Each requisitioning security agency must designate one or more nodal officers, not below the rank of Superintendent of Police or an officer of equivalent rank, to authenticate and send requisitions for interception to the designated officers of the service providers concerned, the requisitions being delivered by an officer not below the rank of Sub-Inspector of Police.28
(viii) Records pertaining to directions for interception and to intercepted messages must be destroyed by the competent authority and by the authorised security and law enforcement agencies every six months, unless they are, or are likely to be, required for functional requirements.29

19 PUCL v. Union of India, http://www.judis.nic.in/supremecourt/imgs1.aspx?filename=14584
20 Rule 419A(1), Indian Telegraph Rules, 1951.
21 Rule 419A(1), Indian Telegraph Rules, 1951.
22 Rule 419A(2), Indian Telegraph Rules, 1951.
23 Rule 419A(3), Indian Telegraph Rules, 1951.
24 Rule 419A(4), Indian Telegraph Rules, 1951.
25 Rule 419A(5), Indian Telegraph Rules, 1951.

Rule 419A also imposes the following requirements on service providers that are required by law enforcement to intercept communications:
(i) In each licensed service area/State/Union Territory, service providers must appoint two senior executives as nodal officers to receive and handle requisitions for interception.
(ii) On receipt of an intimation for interception, the service provider's nodal officers must issue an acknowledgment letter to the security or law enforcement agency concerned within two hours.
(iii) In emergency or unavoidable situations where prior approval of the competent authority has not been obtained, the same system of nodal officers for receiving requisitions for interception must be followed.
(iv) Every fifteen days, the service provider's nodal officers must send a list of the interception authorisations received during the previous fortnight to the nodal officers of the security and law enforcement agencies for confirmation of the validity of those authorisations.
(v) Service providers must implement appropriate and effective internal checks to ensure that no unauthorised interception of messages takes place, that strict secrecy is maintained, and that interception is handled with the utmost care and caution.
(vi) Service providers are responsible for the actions of their employees. In the event of an established violation of license conditions relating to the secrecy and confidentiality of information, or of unlawful interception, action may be taken against the service provider under the Indian Telegraph Act, which may include not only a fine but also the suspension or revocation of its license.

Information Technology Act, 2000

The Information Technology Act, 2000 ("IT Act") broadly regulates the interception, monitoring, decryption and collection of digital communications in India. More specifically, Section 69 of the IT Act empowers the Central Government and the State Governments to issue directions for the monitoring, interception or decryption of any information generated, transmitted, received or stored in any computer resource. Section 69 expands the grounds on which interception may take place as compared to the Telegraph Act: interception under Section 69 may be carried out in the interest of:

 The sovereignty or integrity of India;
 Defence of India;
 Security of the State;
 Friendly relations with foreign States;
 Public order;
 Preventing incitement to the commission of any cognizable offence relating to the above; and
 The investigation of any offence.

26 Rule 419A(6), Indian Telegraph Rules, 1951.
27 Rule 419A(7), Indian Telegraph Rules, 1951.
28 Rule 419A(7), Indian Telegraph Rules, 1951.
29 Rule 419A(7), Indian Telegraph Rules, 1951.

It must be noted that although the grounds are broadly the same as under the Telegraph Act (the differences being that the IT Act limits the incitement ground to cognizable offences, adds the defence of India, and adds the investigation of any offence), the IT Act does not carry the Telegraph Act's overarching condition that interception may occur only on the occurrence of a public emergency or in the interest of public safety. Additionally, Section 69 mandates that any subscriber, intermediary or person in charge of a computer resource who fails to assist the specified agency with interception, monitoring, decryption or the provision of information stored in the computer resource shall be punished with imprisonment for a term which may extend to seven years and shall also be liable to a fine.

Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of
Information) Rules, 2009

Like Rule 419A of the Indian Telegraph Rules, the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 ("IT Interception Rules"), framed under Section 69(2) of the IT Act, stipulate who may issue directions for interception and monitoring, how such directions are to be executed, how long they remain in operation, to whom data may be disclosed, the confidentiality obligations of intermediaries, the periodic oversight of interception directions by the Review Committee constituted under Rule 419A of the Indian Telegraph Rules, the retention of records of interception by intermediaries, and the mandatory destruction of information in appropriate cases.

Under the IT Interception Rules, the Secretary in the Ministry of Home Affairs is the "competent authority" for issuing directions permitting the interception, monitoring and decryption of communications at the Central level; at the State and Union Territory level, the Secretary in charge of the Home Department is the competent authority.30 In unavoidable circumstances an order may be issued by a Joint Secretary to the Government of India when so authorised by the competent authority. Interception may also be carried out, in the following emergent cases, with the prior approval of the Head or the second senior-most officer of the authorised security agency at the Central level, or of officers not below the rank of Inspector General of Police authorised in this behalf at the State level:

 In remote areas, where obtaining prior directions for interception of messages or a class of messages is not feasible; or
 For operational reasons, where obtaining prior directions for interception of messages or a class of messages is not feasible.

In those circumstances, however, the officer must inform the competent authority in writing within three working days about the emergency and the interception, monitoring or decryption, and must obtain the approval of the competent authority within seven working days. If approval is not obtained within those seven working days, the interception, monitoring or decryption must cease and the information may not be intercepted, monitored or decrypted thereafter without the prior approval of the competent authority.31 If a State wishes to intercept information beyond its jurisdiction, it must seek permission from the Secretary in the Ministry of Home Affairs to issue the direction.
30 Secretary in the Ministry of Home Affairs in the case of the Central Government; Secretary in charge of the Home Department in the case of a State Government or Union Territory; Rule 2(d), Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.
31 Rule 3, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.
If authorised by the competent authority, any agency of the government may intercept, monitor or decrypt information generated, transmitted, received or stored in any computer resource, but only for the purposes specified in Section 69(1) of the IT Act.32 The IT Interception Rules further provide that the competent authority may issue a decryption direction to the holder of the decryption key.

The officer issuing an order for interception must send the request in writing to the designated nodal officers of the service provider. On receiving an order for interception, the service provider must provide all facilities, co-operation and assistance for interception, monitoring and decryption. This includes assisting with the installation of the authorised agency's equipment, the maintenance, testing or use of that equipment, its removal, and any action required for accessing stored information under the direction. Decryption key holders must likewise disclose the decryption key and assist the authorised agency in decrypting the information. Any direction issued by the competent authority must contain the reasons for the direction and must be forwarded to the Review Committee within seven working days of being issued.

Authorised agencies are prohibited from using or disclosing the contents of intercepted communications for any purpose other than investigation, but may share the contents with other security agencies for the purpose of investigation or in judicial proceedings. Furthermore, security agencies at the State and Union Territory level share any information obtained under interception orders with any security agency at the Centre. All records, including electronic records, pertaining to interception are to be destroyed by the government agency "every six months, except in cases where such information is required or likely to be required for functional purposes".33 In addition, all records pertaining to directions for interception and monitoring are to be destroyed by the service provider within two months of the discontinuance of the interception or monitoring, unless they are required for any ongoing investigation or legal proceedings. The contents of intercepted, monitored or decrypted information may not be used or disclosed by any agency, competent authority or nodal officer for any purpose other than the one for which they were obtained.

The agency authorised by the Secretary in the Ministry of Home Affairs must appoint a nodal officer, not below the rank of Superintendent of Police or equivalent, to authenticate and send directions to service providers or decryption key holders. Every fifteen days the officers designated by the intermediaries must forward to the agency's nodal officer a list of the interception orders received by them, including details such as the reference and date of the orders of the competent authority.

Indian Post Office Act, 1898

Section 26 of the Indian Post Office Act, 1898, empowers the Central Government and the State
Governments of India to intercept postal articles. In particular, section 26 of the Indian Post Office Act,
1898, states that on the occurrence of any public emergency or in the interest of public safety or tranquility,
the Central Government, State Government or any officer specially authorised by the Central or State
Government may direct the interception, detention or disposal of any postal article, class or description of
postal articles in the course of transmission by post. Furthermore, section 26 states that if any doubt arises
regarding the existence of public emergency, public safety or tranquility then a certificate to that effect by
the Central Government or a State Government would be considered as conclusive proof of such condition
being satisfied.
Code of Criminal Procedure, 1973

Section 91 of the Code of Criminal Procedure, 1973 governs targeted access to stored data. It provides that a Court, or any officer in charge of a police station, may summon a person to produce any document or other thing that is necessary for the purposes of any investigation, inquiry, trial or other proceeding under the Code. Under Section 91, therefore, law enforcement agencies in India can access stored data.

32 Rule 6, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.
33 Rule 23, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

Indian Wireless Telegraphy Act, 1933

Under section 3 of the Indian Wireless Telegraphy Act, 1933, the possession of wireless telegraphy
apparatus without a license is considered an offense. As such, the unauthorised establishment, maintenance
or operation of wireless communications networks for the purpose of monitoring, intercepting and
surveillance of communications is in violation of the Indian Wireless Telegraphy Act, 1933.

Motor Vehicles Act, 1988 and the proposed 2012 Rule

In October 2012, a new Rule 138A of the Central Motor Vehicles Rules, 1989, concerning radio frequency identification tags, was proposed. The proposed Rule would mandate the installation of radio frequency identification ("RFID") tags on all light and heavy motor vehicles to enable their instant identification and monitoring by electronic toll collection booths, the police, and any other authority or person able to query and read RFID tags.34

License Agreements for Internet Service Providers (ISPs) and Telecom Service Providers (TSPs)

The Department of Telecommunications in the Ministry of Communications and Information Technology of the Government of India issues the license agreements with which Internet Service Providers (ISPs) and Telecom Service Providers (TSPs) operating in India must comply. These license agreements set the terms and conditions under which ISPs and TSPs may operate and, in certain circumstances, require ISPs and TSPs to carry out mass surveillance in order to remain in compliance.

ISP License Agreement

Internet Service Providers (ISPs) in India must comply with the License Agreement for Provision of Internet Services, issued by the Department of Telecommunications in the Ministry of Communications and Information Technology, in order to operate. This License Agreement is governed by the Indian Telegraph Act, 1885, the Indian Wireless Telegraphy Act, 1933, and the Telecom Regulatory Authority of India Act, 1997, as amended from time to time.

TSP License Agreements

Telecom Service Providers (TSPs) in India have to comply with two license agreements in order to operate: the Cellular Mobile Telephone Service (CMTS) License Agreement and the License Agreement for the Provision of Basic Telephone Services (BTS). The first applies to cellular mobile communications, the second to landlines.

Unified Access Services (UAS) License Agreement

The Unified Access Services (UAS) License Agreement applies to both Internet Service Providers (ISPs) and Telecom Service Providers (TSPs) operating in India and serves as a sort of "umbrella" license agreement.

Some years ago, the Government of India decided to set up a Centralized Monitoring System (CMS) for the lawful interception and monitoring of communications. To implement this, clause 41.10 of the UAS License Agreement was amended to mandate the establishment of the CMS. In particular, TSPs are required to integrate Interception Store and Forward (ISF) servers with their Lawful Interception Systems and to connect them to the Regional Monitoring Centres (RMCs), which are in turn connected to the CMS. The amendment specifies that TSPs must provide connectivity, in the form of dark optical fibre, up to the nearest point of presence of the MPLS (Multi-Protocol Label Switching) network of the CMS at their own cost. From the MPLS network of the CMS onwards, traffic is handled by the Government at its own cost.

34 Bhairav Acharya, "Comments on the Proposed Rule 138A of the Central Motor Vehicle Rules, 1989, Concerning Radio Frequency Identification Tags", The Centre for Internet and Society, 03 December

Legal Landscape for Cyber Security

Under Section 69B of the IT Act, the Central Government may authorise any agency to monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource for the purpose of enhancing cyber security and for the identification, analysis and prevention of any intrusion or spread of computer contaminant in the country. Under the same section, any intermediary who intentionally or knowingly fails to provide technical assistance to the agency authorised to monitor and collect traffic data or information is punishable with imprisonment for up to three years and is also liable to a fine. The term "cyber security" is defined in Section 2(1)(nb) of the IT Act as "protecting information, equipment, devices, computer, computer resource, communication device and information stored therein from unauthorised access, use, disclosure, disruption, modification or destruction". The Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information) Rules, 2009, discussed below, give the term its operational context.

Whereas Section 69 (the interception provision) provides for the interception, monitoring and decryption of information generated, transmitted, received or stored through a computer resource, Section 69B specifically provides a mechanism for collecting traffic data (metadata) from a computer resource for the purpose of combating threats to "cyber security". The Secretary in the Ministry of Home Affairs issues directions under Section 69, while the Secretary of the Department of Information Technology in the Union Ministry of Communications and Information Technology issues directions under Section 69B.

The Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data or
Information) Rules, 2009

The Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information) Rules, 2009, issued under Section 69B of the IT Act, stipulate that directions for the monitoring and collection of traffic data or information may be issued by an order of the competent authority for any or all of the following purposes related to cyber security:

 Forecasting of imminent cyber incidents;
 Monitoring network applications with traffic data or information on a computer resource;
 Identification and determination of viruses or computer contaminants;
 Tracking cyber security breaches or cyber security incidents;
 Tracking computer resources breaching cyber security or spreading viruses or computer contaminants;
 Identifying or tracking any person who has breached, is suspected of having breached, or is likely to breach cyber security;
 Undertaking forensics of the computer resource concerned as part of an investigation or internal audit of information security practices in the computer resource;
 Accessing stored information for the enforcement of any provisions of the laws relating to cyber security for the time being in force.

Conclusion

Data protection law in India currently faces many problems owing to the absence of a proper legislative framework. With the enactment of the Personal Data Protection Bill, however, India will have an overarching regulation that is more effective than, and supersedes, the scattered existing privacy provisions. The ongoing explosion of cybercrime and of the theft and sale of stolen data has raised concerns worldwide. India, with much of its population holding an online identity, could easily fall victim to cybercrime and to data and privacy breaches. The absence of a data protection law is also a serious handicap for the outsourcing industry in India.

By enacting a sound data protection law, India could extend well beyond being a mere supplier of services to the world's multinational corporations. Whatever steps the government can take now, it should take; the rest will follow. The process is slow but achievable if taken seriously by the authorities. The Personal Data Protection Bill is the right start to a necessary end. Justice Srikrishna has aptly remarked of the bill, "The report is like buying new shoes. It's tight in the beginning but it will become comfortable over a period of time. It remains to be seen if the citizens of India get used to these shoes or return them."

Given the growth and implications of international trade, especially in light of the Internet's influence, it is critical that India work with the international community to develop strict privacy and personal data protection laws. At the moment, owing to insufficient privacy regulation, some jurisdictions (such as the EU) are reluctant to trade with India. This matters all the more as India becomes a hub for back-office operations such as credit processing and medical transcription. The threat to privacy is also a barrier to creating a safe environment for Internet communication. Unless these concerns are resolved, India will be unable to profit fully from the enormous opportunities and benefits that e-commerce offers developing countries like ours.

Clearly, privacy is an emerging and increasingly important area of India's internet society. As businesses gather more data from and about online users, and as the government seeks greater access and surveillance capabilities, it is important that India prioritises privacy and implements strict protections for the privacy of both Indians and foreigners whose data resides in India temporarily or permanently. The passage of substantive privacy legislation that recognises privacy as a constitutional right is the first step in this direction. The Group of Experts on Privacy Report and the government's consideration of a draft privacy bill are both moves in the right direction.

 The bill requires notice and consent for the collection of data and also places other significant
obligations on data processing. These taken together may not actually protect privacy adequately, as
they are based on principles for the regulation of data (fair information practices) devised before the
current structure of the market came into existence. These also do not protect users from harms
emanating from a violation of privacy.

 The bill is not based on any empirical understanding of the trade-offs users make while providing
their information. The Srikrishna committee, which drafted the first version of the bill, did not
undertake any study to assess the specific contexts in which users are willing to exchange personal
data for benefits. Evidence from other jurisdictions points to such trade-offs differing depending on
the context of the transaction. To the extent that the bill protects privacy without evidence of its
relevance to users, it may negatively affect benefits accruing from data-led innovation without
effectively protecting personal data.

 The bill proposes to impose significant compliance costs on firms engaged in data processing. While small firms are exempt from many obligations, these exemptions apply only to businesses that process data manually. As a result, a large cross-section of economic actors would have to incur significant costs to implement the bill. The provisions requiring businesses to hand over non-personal data to the government are particularly onerous and constitute a significant dilution of property rights. This could have negative long-term effects on innovation and economic growth.
 The design of the DPA suffers from structural issues. The broad preventive framework of the bill will impose serious capacity constraints on it. The proposed composition of the authority does not allow for independent inputs and oversight, and the DPA may not be required to follow adequate consultative processes in its regulation-making functions.
 These issues suggest a need for a more pragmatic and modest approach to data protection and to harms from the misuse of personal data.
 Data should not be collected and processed without consent. Businesses that violate this principle would also violate Indian constitutional norms of informational privacy, as well as the property interests of users. At the same time, consenting individuals must be allowed to take responsibility for their choices.


A regulatory framework must be developed that establishes basic requirements for the processes and purposes of personal data collection and use, both offline and online. Consumers must be informed of the risks of sharing information freely, and no data should be obtained without their explicit permission. The future of India's economy depends on striking a sound balance between personal freedoms and stable trade relations.
