The Right to Privacy is a fundamental right and is protected under the Indian Constitution. The Privacy rules in India were contained in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (Privacy Rules) notified under the Information Technology Act, 2000. The Privacy Rules are applicable to bodies corporate across industries and sectors.
On 11 December 2019, the Ministry of Electronics and Information Technology (MeitY) introduced the draft Personal Data Protection Bill, 2019 (PDP Bill) before the Parliament, which was referred to a Joint Parliamentary Committee (JPC) for further consideration. Post extensive stakeholder consultations, the JPC submitted its report in December 2021 which includes the recommendations of the JPC along with the draft bill, now titled the Data Protection Bill, 2021 (DP Bill), which is likely to be re-introduced this year and implemented in a phased manner.
The DP Bill now includes in its ambit all Non-Personal Data (NPD), defined as ‘data other than personal data’.
The introduction of the DP Bill has brought India to the forefront globally with respect to the handling of individuals' personal information.
The proposed bill emphasizes 'consent' as the most significant acceptable ground for processing/collecting personal data.
Some of the areas organizations need to address to comply with the requirements of the bill:
- Privacy by design throughout the data life cycle - collection, processing, storage, transmission, archival, and data disposal;
- Limit data collection to the minimum required for the purpose of processing;
- Respect the rights of the data principal;
- Organizations will need to store at least one serving copy of the personal data on a server or data center located in India;
- Parental consent is mandatory for processing
- All data breaches (including breach of NPD) will have to be disclosed to the Data Protection Authority (DPA) within 72 hours;
- The DPA can authorize schemes of transferring sensitive personal data outside India after consultation with the Central Government, and such contract or intra-group scheme will not be approved if “the object of such transfer is against public policy or State policy”;
- Organizations are required to implement appropriate security safeguards to protect
Under the Rules, an entity handling or collecting personal information from any person is
the providers of the information;
- Retain information only for such time period as may be required;
- Keep the information secure and not publish it;
- Obtain permission of the provider of information prior to the disclosure of such information, unless required to be disclosed by law or to certain
- Permit the providers of information, as and when requested by them, to review the information they had provided and ensure that any personal information or sensitive personal data or information found to be inaccurate or deficient is corrected or amended as feasible;
- Provide an option to the provider of information to not hand over the data or information sought to be collected, or to withdraw the consent given earlier;
- Address any discrepancies and grievances of the provider of information with respect to the processing of information in a timely manner.
Compliance requirements for significant data fiduciaries require the appointment of a data protection officer, being a Key Managerial Personnel (or equivalent in entities that are not companies), to carry out various functions prescribed under the law.
Certain industries, where technology and data transfer are critical, are closely monitored by the government, e.g., licensed defense industries in the private sector.
Non-compliance can attract a fine of up to INR 150 million or 4% of the worldwide turnover, whichever is higher.