Data Protection Laws in India

With the increasing digitization of services, the need for robust data protection laws in India has become more critical than ever. From online shopping and banking to social media and digital healthcare, individuals share vast amounts of personal data daily. However, the improper handling, unauthorized access, and misuse of this data pose significant privacy risks.
The evolution of data protection laws in India began with the Information Technology Act, 2000, which addressed cybercrime and e-commerce concerns but lacked specific provisions for data privacy. Recognizing this gap, the government introduced the IT Rules, 2011, which set guidelines for handling sensitive personal data. A significant breakthrough came in 2017 when the Supreme Court ruled privacy as a fundamental right in the landmark Justice K.S. Puttaswamy (Retd.) vs. Union of India case. This led to the formation of the Justice B.N. Srikrishna Committee, which played a crucial role in shaping India’s modern data protection framework.
In response to growing concerns, the Digital Personal Data Protection Act, 2023 (DPDP Act) was introduced, aligning India's regulatory framework with global standards like the EU's GDPR. This blog explores the evolution, necessity, key provisions, and legal framework of data protection laws in India, ensuring a comprehensive understanding of how personal data is safeguarded in the digital era.
Evolution Of Data Protection Laws In India
The movement of the Indian regulatory framework towards rigorous data protection laws did not happen out of the blue. It was a slow and steady process. The Information Technology Act, 2000 marked the beginning of the evolution of data protection laws in India. This law dealt with cybercrime and e-commerce-related issues.
However, the law did not contain any specific provision in connection to data privacy. Acknowledging this gap, the government brought the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules in 2011 into existence. These rules laid down detailed guidelines on how to handle sensitive personal data.
The turning point happened in 2017 when the Apex Court of India declared the right to privacy a fundamental right under the Constitution. This happened in the matter of Justice K.S. Puttaswamy (Retd.) vs. Union of India. Owing to this landmark judgement, a pressing need was felt for robust data protection legislation in India. The judgement resulted in the formation of the Justice B.N. Srikrishna Committee.
The committee’s suggestions were prioritised, resulting in the formation of the Personal Data Protection Bill of 2019. However, this bill was not given unanimous consent right away. After a lot of public consultations and discussions, this was finally implemented as the Digital Personal Data Protection Act, 2023.
The Need For Data Protection Law In India
You’re shopping for clothes, ordering food, booking tickets, booking cabs, aren’t you? You are doing this irrespective of your residence across the length and breadth of India. You and every other person are relying heavily on online services because of the comfort and ease they offer. But this is what you are not realising: these activities are resulting in an unprecedented collection of your personal information by different entities. They are processing your personal data without your awareness. This raises concerns about breaches of your data, unauthorised use of your personal data, etc. Data protection laws are needed to -
- Safeguard Individual Privacy - This helps in ensuring that whichever entity collects or processes your personal information does so responsibly. This will make it certain that your privacy is not at stake.
- Regulate Data Processing - Laws will help the authorities make it mandatory for businesses and organisations to process the personal data of users in a lawful manner.
- Build Trust - Laws will help in commanding the trust of the public and assuring them that their data is safe. This will encourage them to keep using the digital services.
- Align with Global Standards - The laws will help in harmonising the data protection laws of the country with global standards. This will help towards seamless data flows across borders.
Key Data Protection Laws In India
When you take a look at the data protection laws in India, you will notice that several of the statutes and regulations in India have the legislative intent of protecting personal information. Let us have an extensive look at them -
The Digital Personal Data Protection Act, 2023
The Digital Personal Data Protection Act, 2023 (DPDP Act) is the cornerstone of India's data protection regime. This Act throws light on the rights of the individuals. In this scenario, individuals are referred to as data principals. Not only that but the Act talks at length about the duties and obligations of the entities who collect and process the sensitive personal information of the users. These entities are known as data fiduciaries.
Scope And Applicability
The DPDP Act applies to -
- Processing of Digital Personal Data - All personal data that has been gathered online, or gathered offline and then converted into digital information.
- Territorial Jurisdiction - All the information that is processed within the boundaries of India. The Act also covers processing outside India if it involves offering goods or services to individuals in India.
This extraterritorial applicability aligns with global regulations like the EU's General Data Protection Regulation (GDPR), ensuring protection for Indian residents' data processed abroad.
Data Processing Principles
The Act enshrines several principles:
- Lawfulness, Fairness, and Transparency: Data must be processed lawfully and transparently.
- Purpose Limitation: Data should be collected for specified, explicit, and legitimate purposes.
- Data Minimization: Only data necessary for the intended purpose should be collected.
- Accuracy: Data must be accurate and kept up-to-date.
- Storage Limitation: Data should not be retained longer than necessary.
- Integrity and Confidentiality: Data must be processed securely to prevent unauthorized access.
These principles mirror those in the GDPR, emphasizing responsible data handling.
Obligations Of Data Fiduciaries
Data fiduciaries are required to:
- Obtain Consent: Secure explicit consent from data principals before processing their data.
- Implement Security Measures: Adopt appropriate technical and organizational measures to protect data.
- Conduct Data Protection Impact Assessments (DPIAs): Evaluate the impact of data processing activities on privacy.
- Appoint Data Protection Officers (DPOs): Designate officers to oversee compliance, especially for significant data fiduciaries.
Regulatory Bodies
The Act establishes the Data Protection Board of India, responsible for:
- Monitoring Compliance: Ensuring adherence to the Act's provisions.
- Adjudicating Complaints: Addressing grievances from data principals.
- Imposing Penalties: Enforcing sanctions for non-compliance.
This centralized authority is akin to data protection authorities in other jurisdictions, such as the UK's Information Commissioner's Office.
International Data Transfer Provisions
The DPDP Act permits cross-border data transfers to countries notified by the central government, considering factors like data protection laws and international agreements. This approach balances the need for global data flows with safeguarding personal data, similar to the GDPR's adequacy decisions.
Other Relevant Laws
In addition to the DPDP Act, several other statutes contribute to India's data protection framework:
- Information Technology Act, 2000: Provides legal recognition for electronic transactions and penalizes cybercrimes.
- Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011: Specifies guidelines for handling sensitive personal data.
- Consumer Protection Act, 2019: Addresses unfair trade practices, including misuse of consumer data.
- Telecom Regulatory Authority of India (TRAI) Guidelines: Regulates the telecom sector's handling of subscriber information.
Regulatory Bodies & Enforcement Mechanisms
The Data Protection Board of India is the principal regulatory authority under the DPDP Act. It is empowered to:
- Investigate Complaints: Probe alleged violations of data protection norms.
- Conduct Audits: Assess data fiduciaries' compliance through regular audits.
- Issue Directions: Provide binding instructions to data fiduciaries to ensure adherence.
- Levy Penalties: Impose fines for non-compliance based on the severity of the breach.
The Board's enforcement mechanisms are designed to ensure accountability and deter violations, similar to enforcement practices under the GDPR.
Fines And Sanctions For Non-Compliance
The DPDP Act prescribes stringent penalties for non-compliance:
- Up to ₹250 Crores: For significant violations, such as data breaches resulting from negligence.
- Up to ₹200 Crores: For failing to implement reasonable security measures.
- Up to ₹150 Crores: For not fulfilling data principals' rights, like the right to access or erasure.
These penalties underscore the importance of compliance and are comparable to the hefty fines under the GDPR, which can reach up to €20 million or 4% of global turnover.
Relevant Case Laws On Data Protection In India
Several landmark judgments have shaped India's data protection jurisprudence:
- Justice K.S. Puttaswamy (Retd.) vs. Union of India (2017) - The Supreme Court recognized the right to privacy as a fundamental right, laying the foundation for data protection laws.
- Karmanya Singh Sareen vs. Union of India (2016) - Challenged WhatsApp's data-sharing policy with Facebook, raising concerns over data privacy.
Data Protection Bill 2019:
India stands way behind when it comes to data protection infrastructure. The Data Protection Bill 2019, which took five years in the making, was drafted to address national privacy concerns. However, the government withdrew the bill while promising to bring a new bill to the table. The reason was the panel's suggestion of 81 amendments and 12 recommendations.
Information Technology Act, 2000
The Information Technology Act, 2000, referred to as the "IT Act," provides legal recognition for transactions that are carried out through electronic data interchange and other means of electronic communication, known as "electronic commerce," which use alternatives to paper-based methods of communication and storage of information, and facilitates the electronic filing of documents.
Penalty for Damage to Computer Systems under the IT Act
Section 43 of the IT Act imposes a penalty, without prescribing any upper limit, on any person who does any of the following acts without the permission of the owner or person in charge of the computer, computer system, or network:
- Accessing or securing access to a computer system or computer network;
- Downloading, copying, or extracting any data, information, or computer database from the computer, computer system, or network, including data that is held or stored in any removable storage medium;
- Introducing any computer virus or contaminant into any computer system or network;
- Damaging any computer system, computer network, computer database, data, or any other programs that reside in such computer system or computer network;
- Disrupting any computer system or computer network;
- Denying access, by any means, to any person authorized to access any computer system or network;
- Charging the services that a person avails to another person by tampering with or manipulating the computer system or network;
- Destroying, deleting, or altering any information that resides in a computer resource, or diminishing its value by any means;
- Stealing, destroying, concealing, or altering any computer source code used for a computer resource to cause damage.
Important Sections in the IT Amendment Act, 2008
Section 66 states that if any person fraudulently or dishonestly does any act referred to in section 43, the person shall be punished with imprisonment for three years, or with a penalty of Rs 5,00,000, or both.
Amendments as introduced by the IT Amendment Act, 2008
Section 10A was inserted into the IT Act to deal with the validity of contracts formed through electronic means, which shall not be deemed unenforceable.
The following important sections have been substituted and inserted by the IT Amendment Act, 2008:
- Section 43A – Compensation for failure to protect personal and sensitive data.
- Section 66 – Computer Related Offences
- Section 66A – Punishment for sending offensive messages.
- Section 66B – Punishment for dishonestly receiving the stolen computer resource or any communication device.
- Section 66C – Punishment for any kind of identity theft.
- Section 66D – Punishment for cheating by using computer resources.
- Section 66E – Punishment for violating privacy.
- Section 66F – Punishment for cybercrime and terrorism.
- Section 67 – Punishment for transmitting or publishing obscene material in electronic form.
- Section 67A – Punishment for transmitting of material containing sexually explicit acts in electronic form.
- Section 67B – Punishment for publishing or transmitting material that depicts children in a sexually explicit act.
- Section 67C – Retention and Preservation of information by intermediaries.
- Section 69 – Powers to issue directions to monitor or decrypt any information in computer resources.
- Section 69A – Blocking public access to any information in any computer resource.
- Section 69B – Power to authorize, monitor, and collect traffic information for cyber privacy and security through any computer resource.
- Section 72A – Punishment for disclosure of data in breach of any lawful contract.
- Section 84A – Encryption methods.
- Section 84B – Punishment for offenses.
- Section 84C – Punishment for attempt to commit cyber offenses.
Conclusion
The evolution of data protection laws in India highlights the growing need to safeguard personal data in an increasingly digital world. From the Information Technology Act, 2000 to the landmark Digital Personal Data Protection Act, 2023, India has made significant strides in ensuring data privacy and security. With strict regulations on data processing, user consent, and international data transfers, the legal framework now aligns with global standards like the EU's GDPR.
As digital transactions and online services continue to expand, compliance with data protection laws in India becomes crucial for businesses, organizations, and individuals. These laws not only protect personal privacy but also foster trust in the digital ecosystem. Staying informed about evolving regulations and ensuring data security practices will be essential for both businesses and consumers in this rapidly changing landscape.
Author Bio
Akshada started her career with leading Indian and International law firms. Currently, she is the founder and partner of AT LEGAL law firm which is the first legal firm led by women. With her immense experience and expertise, Adv. Akshada has proven her strengths in offering world-class services in the field of corporate law. Adv. Akshada has a high level of expertise in Corporate Law and International Business Law, Litigation, Debt Recovery, Arbitration, and Negotiations. Her proficiency lies in corporate legal advisory, employment laws, incorporation of companies, general corporate secretarial compliance, and corporate contracts. She has wide experience working on international matters related to the European Union and the United Kingdom. Along with corporate experience, Adv. Akshada also holds rich exposure in representing as an independent lawyer at Bombay High Court, Nagpur Bench. She has participated in the WTO Model 2013 negotiations simulations held in Geneva, Switzerland.