Data Protected - India

Contributed by Talwar Thakore & Associates

Last updated February 2024

General | Data Protection Laws

National Legislation
National Supervisory Authority
Scope of Application
Personal Data
Sensitive Personal Data
Data Protection Officers
Accountability and Privacy Impact Assessments
Rights of Data Subjects
Security
Transfer of Personal Data to Third Countries
Enforcement

ePrivacy | Marketing and cookies

National Legislation
Cookies
Marketing by E-mail
Marketing by Telephone

_____________________________________________________________________

General | Data Protection Laws

____________________________________________________________

National Legislation

General data protection laws 

India enacted the Digital Personal Data Protection Act, 2023 (“DPDP Act”) on 11 August 2023. The DPDP Act is not yet effective but it is expected to come into force during 2024.

When the DPDP Act comes into force it will repeal the current key data protection provisions in India, namely Section 43A and Section 72A of the Information Technology Act, 2000 (“IT Act”), which give a right to compensation for improper disclosure of personal information.

The DPDP Act will also repeal the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “SPDI Rules”) issued under Section 43A of the IT Act. A clarification to the above Rules was issued on 24 August 2011 (the “Clarification”). The SPDI Rules have imposed additional requirements on commercial and business entities in India relating to the collection and disclosure of sensitive personal data or information which have some similarities with the GDPR and the Data Protection Directive.

There are also various other laws which protect personal data in India. For example, India has a biometric-based unique identification number for residents called ‘Aadhaar’. Aadhaar is regulated by the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (“Aadhaar Act”) and the rules and regulations issued thereunder, which include provisions on the protection of Aadhaar data (including the biometric information that has been collected) and on the grounds for its use and processing. Entities in regulated sectors (e.g. the financial services and telecom sectors) are also subject to obligations of confidentiality under sectoral laws which require them to keep customer personal information confidential and to use it only for prescribed purposes or in the manner agreed with the customer.

Personal data is also protected through indirect safeguards developed by the courts under common law, principles of equity and the law of breach of confidence. In a landmark judgment delivered in August 2017 (Justice K.S. Puttaswamy & Another v. Union of India), the Supreme Court of India recognised the right to privacy as a fundamental right under Article 21 of the Constitution, as a part of the right to “life” and “personal liberty”. “Informational privacy” was recognised as a facet of the right to privacy, and the court held that information about a person, and the right to access that information, also need the protection of privacy (“Privacy Judgment”). The court stated that every person should have the right to control commercial use of his or her identity and that the “right of individuals to exclusively commercially exploit their identity and personal information, to control the information that is available about them on the internet and to disseminate certain personal information for limited purposes alone” emanates from this right. This was the first time that the Supreme Court had expressly recognised the right of individuals over their personal data.

However, fundamental rights are enforceable only against the state and instrumentalities of the state, and the Supreme Court in the same judgment recognised that enforcing the right to privacy against private entities may require legislative intervention. The Privacy Judgment was thus the impetus for the DPDP Act.

Entry into force

Section 43A and Section 72A of the IT Act came into force on 27 October 2009. The SPDI Rules came into force on 11 April 2011. The Aadhaar Act came into force on 12 September 2016.

The Privacy Judgment was delivered on 24 August 2017.

The DPDP Act was enacted on 11 August 2023 and will come into force on a date notified by the Government of India. The general expectation is that it could be made effective during the course of 2024. However, this depends on the Indian Central Government completing some of the preparatory work in order for it to be made effective (for example, constitution of the Data Protection Board of India and issuance of rules). These are described in detail later on in this note. Even after notification, it is expected that the DPDP Act will be implemented in a phased manner.

_____________________________________________________________________

National Supervisory Authority

Details of the competent national supervisory authority

India does not presently have a national regulatory authority for the protection of personal data.

The Ministry of Electronics and Information Technology (the “Ministry”) is responsible for administering the IT Act and issuing the rules and other clarifications under the IT Act. The authorities established under the IT Act (i.e., the adjudicating officer and the Telecom Disputes Settlement and Appellate Tribunal (“Appellate Tribunal”)) and, thereafter, the different High Courts and the Supreme Court are responsible for enforcing the IT Act.

Ministry of Electronics & Information Technology (Government of India), Department of Electronics and Information Technology

Electronics Niketan, 6,
CGO Complex,
Lodhi Road,
New Delhi 110003

http://meity.gov.in/

The DPDP Act provides for the establishment of an authority, the Data Protection Board of India (“Board”). The Board will be the authority responsible for administering and implementing the DPDP Act and shall have exclusive jurisdiction over all matters addressed in it, including the power to conduct enquiries, order remedial measures, impose penalties and issue directions.

Notification or registration scheme and timing

There is currently no requirement to register or provide a prior written notification to any authority for processing data. There are obligations to notify specific events, such as data breaches, which are addressed later in the note. Depending on the sector where data is processed, entities processing personal data may be required to retain the data being processed for a certain time period. 

Exemptions to notification

Not applicable.

_____________________________________________________________________

Scope of Application

What is the territorial scope of application?

The SPDI Rules issued under Section 43A of the IT Act apply only to a body corporate or any person located within India.

The provisions of the IT Act (except in respect of matters governed by the SPDI Rules) are also applicable to any offence committed by a person outside India involving a computer, computer system or computer network located in India.

The DPDP Act will be applicable to the processing of digital personal data within the territory of India. It also has extra-territorial application to the processing of digital personal data outside India, if such processing is in connection with any activity related to the offering of goods or services to individuals in India.

Is there a concept of a controller and a processor?

Presently, Indian law does not contain the concepts of controller and processor. Instead, the SPDI Rules refer to the concepts of a ‘body corporate’ and a ‘provider of information’. A body corporate is defined as “any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities”. The ‘provider of information’ is the natural person who provides sensitive personal data or information to a body corporate.

The DPDP Act recognises the concept of a data controller (referred to as a data fiduciary) and data processor.

A data fiduciary refers to any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.

The DPDP Act also contains the concept of a significant data fiduciary. These will be designated by the Government considering, amongst others, factors such as the volume and sensitivity of personal data processed, the risk to the rights of data principals, the potential impact on the sovereignty and integrity of India, the risk to electoral democracy, the security of the State and public order.

A data processor is defined as any person who processes personal data on behalf of a data fiduciary. A data processor may only process data on behalf of the data fiduciary under a valid contract. Further, the data fiduciary remains responsible for ensuring that the data processor is compliant with the provisions of the DPDP Act.

Are both manual and electronic records subject to data protection legislation?

The SPDI Rules are issued under the IT Act which applies only to electronic records. The requirements under the Aadhaar Act are applicable to both manual and electronic records.

The DPDP Act will only be applicable to the processing of digital personal data which is either collected digitally or collected in a non-digital form and subsequently digitised.

Are there any national derogations?

Under the SPDI Rules, any data that is freely available or accessible in the public domain or furnished under the Right to Information Act, 2005 or under any other law in force shall not be regarded as ‘sensitive personal data or information’ (“SPDI”). Further, SPDI may be disclosed to government authorities mandated under law to obtain information for the purpose of verification of identity or for the prevention, detection or investigation of offences without obtaining the consent of the ‘provider of information’.

The fundamental right to privacy recognised under the Privacy Judgment can be enforced only against the state or instrumentalities of the state and not against entities in the private sector.

The DPDP Act will not apply to processing of personal data when it is: (i) done by such state instrumentalities as notified by the government, including data submitted by such state instrumentalities to the government for processing or (ii) necessary for research or statistical purposes if the personal data processed is not used to take any decision specific to the data principal.

Several provisions of the DPDP Act are disapplied in relation to: (i) publicly available data, including data which was obligatorily disclosed under a law presently in force; (ii) personal data processed in the interest of the prevention, detection, investigation or prosecution of any contravention of a law in force; (iii) personal data processed by a court in pursuit of a judicial, quasi-judicial, regulatory or supervisory aim; (iv) processing necessary to enforce a legal right or claim; (v) processing necessary for a scheme of compromise, merger or arrangement between two companies; and (vi) processing necessary to ascertain the financial status of a person who has defaulted on a loan or advance.

_____________________________________________________________________

Personal Data

What is personal data?

Personal data under Indian laws and rules is termed “personal information”. Personal information is defined under the SPDI Rules as “any information that relates to a natural person, which either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person”.

Under the DPDP Act, personal data means any data about an individual who is identifiable by or in relation to such data.

Is information about legal entities personal data?

No. Personal information pertains only to information about a natural person.

What are the rules for processing personal data?

There are presently no general rules in force that govern the processing of personal data.

However, the SPDI Rules state that a body corporate or any person who processes personal information on behalf of the body corporate should provide a privacy policy (see ‘Is there a general accountability obligation?’ below).

Once the DPDP Act is in force, processing of data must be done for a lawful purpose in accordance with the DPDP Act and the rules made thereunder. The DPDP Act has detailed provisions in relation to various aspects of processing personal data, including the grounds for processing, the notice to be provided and its form, special conditions relating to processing the personal data of children, and rules relating to several other significant matters.

In relation to the grounds for processing, a data fiduciary should only process personal data with consent or where there is a legitimate use. The legitimate uses apply to processing: (i) for specified purposes for which the data principal has voluntarily provided her personal data and has not objected to the purpose; (ii) for the provision of, inter alia, subsidies, benefits, certificates or licences by the State / State instrumentalities where such data is already digitally maintained by the State or processing of the same has been consented to; (iii) to fulfil any legal obligation in relation to disclosure of information to the State / State instrumentalities; (iv) to comply with a judgment, decree or order, including orders relating to contractual or civil claims under laws outside India; (v) for medical emergencies, health services and breakdown of public order; and (vi) for employment / safeguarding the employer from loss or liability.

Are there any formalities to obtain consent to process personal data?

Presently, no general formalities for obtaining consent to process personal information have been prescribed.

However, under the SPDI Rules, consent must be obtained in writing regarding the purpose of use of the information before collection of SPDI. The person from whom SPDI is being collected should be informed of: (i) the fact that the SPDI is being collected; (ii) the purpose of collection of the SPDI; (iii) the intended recipients of the SPDI; and (iv) the address of the agency collecting or retaining the SPDI.

The DPDP Act will require an individual’s free, specific, informed, unconditional and unambiguous consent accompanied by a clear affirmative action, unless such processing is for certain legitimate uses. A request to obtain consent must be accompanied or preceded by a notice informing the individual about: (i) the personal data and the proposed purpose for its processing; (ii) the manner in which the individual’s rights under the DPDP Act may be exercised; and (iii) the manner in which the individual may make a complaint to the Board.

Every request for consent under the DPDP Act must be provided in clear language, with an option to access the request in English or certain vernacular languages. It must be accompanied by the contact information of the relevant data protection officer, if applicable.

Are there any special rules when processing personal data about children?

The SPDI Rules do not contain any specific rules when processing personal data about children.

The DPDP Act requires that the verifiable consent of the lawful guardian of the child be obtained before processing the personal data of a child. Processing of personal data is prohibited if it is likely to cause any detrimental effect on the well-being of a child. Tracking or behavioural monitoring of or targeted advertising towards children is also disallowed. A child is defined as anyone under the age of 18 years.

Are there any special rules when processing personal data about employees?

The IT Act and the SPDI Rules do not prescribe any specific requirements with respect to processing personal data about employees.

Under the DPDP Act, processing of personal data for purposes related to employment is considered a legitimate use and is exempt from consent requirements. There are no other specific rules relating to the processing of personal data of employees under the DPDP Act.

_____________________________________________________________________

Sensitive Personal Data

What is sensitive personal data?

Sensitive personal data exists as the concept of SPDI under the SPDI Rules. It means personal information which consists of: (i) passwords; (ii) financial information such as bank account or credit card or debit card or other payment instrument details; (iii) physical, physiological and mental health condition; (iv) sexual orientation; (v) medical records and history; (vi) biometric information; (vii) any detail relating to the above items provided to a body corporate for providing services; and (viii) any of the information received under the above items by a body corporate for processing, that is stored or processed under lawful contract or otherwise.

SPDI does not include information that is freely available or accessible in the public domain or furnished under the Right to Information Act, 2005 or any other applicable law.

The DPDP Act has done away with the concept of SPDI and the same rules apply to all categories of personal data.

Are there additional rules for processing sensitive personal data?

The SPDI Rules contain specific provisions regarding the collection of SPDI. They apply to all body corporates or any person within India other than those providing services related to the collection, storage, dealing or handling of SPDI to any legal entity under a contract. However, such provisions will also apply to such exempted body corporates if they provide such services directly to the provider of information under a contract.

The key rules on collection are: (i) it is necessary to obtain the consent of the provider of information prior to the collection. The provider of information must be given an option not to provide the requested SPDI and to withdraw its consent by informing the body corporate in writing; (ii) SPDI can only be collected where necessary for a lawful purpose that is connected with a function or activity of the body corporate or any person on its behalf; and (iii) the body corporate should provide additional information to the provider of information (see below).

The body corporate must also comply with other general requirements, such as not keeping SPDI for longer than is required and ensuring it is kept secure by applying reasonable security practices and procedures which contain managerial, technical, operational and physical security control measures to protect SPDI.

Additional rules apply to the disclosure of SPDI. The body corporate and any person acting on its behalf are not allowed to publish any SPDI. Further, the disclosure of SPDI to any third party requires the prior permission of the provider of information. The only two exceptions to this requirement are: (i) when such disclosure has been agreed upon in the contract between the body corporate and the provider of information; or (ii) when it is necessary to disclose the information in compliance with a legal obligation. The third party that receives such SPDI is required not to disclose it further. The body corporate is also allowed to share information with government agencies mandated under the law to obtain information or to a third party by an order under law.

SPDI can be transferred to any other body corporate or a person in India, or located in any country that offers the same level of data protection as India.

Since the DPDP Act does not make a distinction between personal data and sensitive personal data, the same rules apply to the processing of all categories of personal data.

Are there additional rules for processing information about criminal offences?

The rules are the same as for sensitive personal data.

Are there any formalities to obtain consent to process sensitive personal data?

Consent of the provider of information should be obtained in writing (which includes any mode of electronic communication) regarding the purpose of its use and is also required before any further transfer or disclosure. As set out previously, the DPDP Act has very stringent requirements in respect of obtaining consent for processing personal data, and no distinction is made between personal data and sensitive personal data.

_____________________________________________________________________

Data Protection Officers

When must a data protection officer be appointed?

Under the SPDI Rules, body corporates are required to designate a grievance officer; there is no general requirement to appoint a data protection officer.

The Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (“CERT-In Rules”) lay down the operations of the Indian Computer Emergency Response Team (“CERT-In”), created under Section 70B of the IT Act. Entities, including body corporates offering services to Indian users, are mandated to designate a point of contact to interface with CERT-In. The details of the point of contact are to be shared with CERT-In in the specified format and are to be updated from time to time.

The DPDP Act only requires significant data fiduciaries (and not all data fiduciaries) to appoint a data protection officer. In case of data fiduciaries which are not significant data fiduciaries, a person must be appointed to answer questions raised by individuals about the processing of their personal data.

What are the duties of a data protection officer?

The grievance officer under the SPDI Rules shall address any discrepancies or grievances of providers of information with respect to processing of information in a time-bound manner. The grievance officer is required to redress the grievance expeditiously, within one month from the date of receipt of such grievance. The body corporate is required to publish the name and contact details of the grievance officer on its website.

Under the DPDP Act, the data protection officer must be an individual based in India who represents the significant data fiduciary and is responsible to the governing body of the significant data fiduciary. The data protection officer serves as the point of contact for the grievance redressal mechanism under the Act. Contact information of the data protection officer must be published by the significant data fiduciary such that the officer can answer questions raised by the individual regarding their personal data.

_____________________________________________________________________

Accountability and Privacy Impact Assessments

Is there a general accountability obligation?

The SPDI Rules state that a body corporate or any person who on behalf of the body corporate collects, receives, possesses, stores, deals or handles information including SPDI of a provider of information, should provide a privacy policy.

This privacy policy should serve to protect the personal information that is provided, and the provider of such information should be able to review the policy. The privacy policy is required to be made available on the website of the body corporate and should provide for: (i) clear and accessible statements relating to its practices and policies; (ii) the type of personal information or SPDI that is being collected; (iii) the purpose of collecting and using of such information; (iv) the instances in which disclosure of such information may be made under the SPDI Rules; and (v) reasonable security practices and procedures required under the SPDI Rules.

Under the DPDP Act, there are certain conditions for the processing of personal data. For instance, data must be processed for a lawful purpose for which (i) the data principal has given her explicit consent or (ii) certain other legitimate uses apply. Data fiduciaries are responsible for complying with the provisions of the DPDP Act in respect of the processing of personal data undertaken by them or by any data processor on their behalf.

Are privacy impact assessments mandatory?

Under the SPDI Rules, a body corporate handling and processing sensitive personal data is required to have its security practices and procedures certified and audited by an independent auditor who is approved by the Indian Central Government at least once every year, or when there is a significant upgrade in its computer resource.

Under the DPDP Act, a significant data fiduciary is required to appoint an independent data auditor to conduct data audits evaluating the compliance of the significant data fiduciary with the DPDP Act. Such significant data fiduciaries are also required to conduct periodic data protection impact assessments and periodic audits.

_____________________________________________________________________

Rights of Data Subjects

Privacy notices

A body corporate collecting SPDI should keep the provider of information informed about: (i) the fact that the information is being collected; (ii) the purpose for doing so; (iii) the intended recipients; and (iv) the name and address of the agency collecting and retaining the information. All the requirements applicable to personal data, such as the requirement for a privacy policy (see ‘Is there a general accountability obligation?’ above), are applicable when processing sensitive personal data.

Under the DPDP Act, every request made to an individual to obtain their consent for the processing of their personal data must be accompanied or preceded by a notice informing them of: (i) the personal data to be collected and the purpose for which it is proposed to be processed; (ii) the manner in which the data principal may exercise their rights; and (iii) the manner in which the data principal may make a complaint to the Board.

Rights to access information

A provider of information can access the information provided by it upon request.

Rights to data portability

No. 

Right to be forgotten

The “right to be forgotten” is not recognised as such in India, and there are no provisions of law that provide for this.

There have been judicial precedents wherein various courts have recognised this right, especially in relation to sexual offences against women. The Supreme Court of India has held that the anonymity of victims must be maintained as far as possible in cases involving sexual offences (State of Punjab v. Gurmit Singh). The Karnataka High Court, in a recent decision, recognised that certain information can be erased in sensitive cases involving rape, or affecting the modesty and reputation of the person concerned. However, other High Courts have taken a different view in this regard. For example, the Gujarat High Court rejected a plea to restrain the public exhibition of a judgment on public sources (Dharmraj Bhanushankar Dave v. State of Gujarat).

However, under the DPDP Act, individuals will have the right to erasure of data. Upon receipt of such a request, the data fiduciary is obligated to erase the individual’s personal data unless retention of the data is necessary for the specified purpose or for compliance with law.

Objection to direct marketing and profiling

The IT Act and Rules do not impose any conditions regarding the usage of SPDI for direct marketing. However, where the information is collected from a provider of information (i.e., in a situation in which SPDI is collected), the prior consent of the provider of information must be obtained, including the purpose for which the information is being collected.

The DPDP Act prohibits behavioural monitoring of or targeted advertising directed at children.

Other rights

The individual providing the data has the right to review the information provided and withdraw consent that was previously provided. A body corporate cannot refuse such a request. Additionally, any discrepancies and inaccurate information can be corrected by the provider of information.

Under the DPDP Act, a data principal will have the right to have a readily available means of grievance redressal. Data principals also have the right to nominate other individuals to exercise their rights in the event of the former’s death or incapacity.

_____________________________________________________________________

Security

Security requirements in order to protect personal data

The SPDI Rules provide that reasonable security practices and procedures need to be maintained by each body corporate. A body corporate or a person acting on its behalf is “considered to have complied with reasonable security practices and procedures if they have implemented such security practices and standards and have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business”. The Ministry has listed the International Standard IS/ISO/IEC 27001 on “Information Technology - Security Techniques - Information Security Management System - Requirements” as one such standard. Body corporates that are self-regulating by following other standards are required to have their security practices and standards notified to and approved by the Indian Central Government for effective implementation.

A body corporate is required to have its security practices and procedures certified and audited by an independent auditor, approved by the Indian Central Government, at least once every year or whenever there is a significant upgrade in its computer resource.

Under the DPDP Act, data fiduciaries are responsible for protecting the personal data in their possession, including when processing is done on their behalf by a data processor, by implementing reasonable security safeguards to prevent a personal data breach.

Specific rules governing processing by third party agents (processors)

There are no specific rules that govern third party agents acting on behalf of a body corporate. They are governed by the same regime applicable to body corporates.

Under the DPDP Act, a data fiduciary will be responsible for complying with the provisions of the DPDP Act, once in force, in respect of any processing undertaken on its behalf by a data processor.

Notice of breach laws

Certain types of cyber security incidents must be reported to CERT-In, created under Section 70B of the IT Act, by filling in the prescribed forms on CERT-In’s website. These incidents include: (i) compromise of critical systems or information; (ii) targeted scanning or probing of critical networks or systems; (iii) identity theft, spoofing or phishing attacks; (iv) unauthorised access to IT systems or data; (v) defacement of a website or intrusion into a website; (vi) malicious code attacks; (vii) Denial of Service or Distributed Denial of Service (DoS or DDoS) attacks; (viii) data breaches; (ix) data leaks; (x) attacks through malicious mobile apps; (xi) attacks on servers; and (xii) unauthorised access to social media accounts.

These cyber security incidents must be reported within a 6-hour timeframe if they meet the following criteria: (i) cyber incidents and cyber security incidents of a severe nature (such as denial of service, distributed denial of service, intrusion, or the spread of a computer contaminant including ransomware) on any part of the public information infrastructure, including backbone network infrastructure; (ii) data breaches or data leaks; (iii) large-scale or very frequent incidents such as intrusion into computer resources, websites, etc.; and (iv) cyber incidents impacting the safety of human beings.

Entities may report the information available to them within the 6-hour timeframe, and additional information can be reported later within a ‘reasonable time’.

CERT-In is also authorised to collect or analyse information in relation to cyber security incidents from individuals and organisations. Information that may lead to identification of individuals or organisations that have been affected by cyber security incidents cannot be disclosed without explicit written consent, or through the order of a competent court.

Under the DPDP Act, in the event of a personal data breach, the data fiduciary must notify the Board and each affected data principal.

_____________________________________________________________________

Transfer of Personal Data to Third Countries

Restrictions on transfers to third countries

The SPDI Rules provide that transborder dataflows of SPDI may be made to any other body corporate or person, whether in India or located in any other country, that ensures the same level of data protection as is adhered to in India, provided that the transfer is necessary for the performance of a lawful contract between the body corporate (or any person acting on its behalf) and the provider of the information, or the provider of the information has consented to the transfer.

There is no restriction under the SPDI Rules regarding transborder dataflows of information that is not SPDI.

The Reserve Bank of India (“RBI”), through a notification issued on 6 April 2018 read with RBI’s FAQs on storage of payment system data, has made it mandatory for all banks, intermediaries and other third parties to store all information pertaining to payments data in India. In the case of international transactions, the data relating to the foreign leg of the transaction may, if required, also be stored in a foreign location.

The DPDP Act allows transboundary transfer of data unless specifically prohibited by the Government of India.

Notification and approval of national regulator (including notification of use of Model Contracts)

There is no additional requirement to notify or obtain the approval of any regulatory authority.

Use of binding corporate rules

Transborder dataflows are only allowed to jurisdictions that require bodies corporate situated there to provide the same level of data protection as in India. The data protection regime in India is bespoke in nature and may not correspond to the level of protection provided by binding corporate rules.

_____________________________________________________________________

Enforcement

Fines

Section 72A of the IT Act provides for a fine of up to INR 500,000 when there is disclosure of personal information in breach of a lawful contract or without consent.

Section 70B(7) of the IT Act, read with the directions issued by CERT-In on 28 April 2022 (“CERT-In Directions”), provides for a fine of up to INR 100,000 for failure to furnish information to CERT-In or non-compliance with CERT-In’s reporting requirements.

The DPDP Act provides for varying levels of fines for different offences as follows: (i) failure of a data fiduciary to take reasonable security safeguards to prevent a personal data breach – up to two hundred and fifty crore rupees (approximately Euro 25m); (ii) failure to notify the Board or affected data principals of a personal data breach – up to two hundred crore rupees (approximately Euro 20m); (iii) failure to observe the special rules relating to the processing of children’s data – up to two hundred crore rupees (approximately Euro 20m); (iv) failure to observe the additional obligations applicable to a significant data fiduciary – up to one hundred and fifty crore rupees (approximately Euro 15m); (v) failure of an individual to adhere to the duties imposed under the DPDP Act – up to ten thousand rupees (approximately Euro 100); and (vi) failure to adhere to any other provision of the DPDP Act – up to fifty crore rupees (approximately Euro 5m).

Criminal liability

Section 72A of the IT Act provides for imprisonment of up to three years when there is disclosure of personal information in breach of a lawful contract or without consent.

Section 70B(7) of the IT Act, read with the CERT-In Directions, provides for imprisonment of up to one year for failure to furnish information to CERT-In or non-compliance with CERT-In’s reporting requirements.

Compensation

Section 43A of the IT Act provides that a body corporate possessing, dealing with or handling any SPDI in a computer resource owned, controlled or operated by it is liable to pay damages as compensation to affected persons if it is negligent in implementing and maintaining reasonable security practices and procedures to protect that SPDI, thereby causing wrongful loss or wrongful gain to any person.

Other powers

There are no other enforcement provisions in relation to data protection in the DPDP Act, IT Act or the SPDI Rules.

Practice

There have been a number of judgments in the courts on privacy matters, including the Privacy Judgment. However, there is no significant court or regulatory practice on the application of these provisions.

_____________________________________________________________________

ePrivacy | Marketing and cookies

_____________________________________________________________

National Legislation

ePrivacy laws

There are no specific laws or regulations in India on the use of cookies or on direct marketing. The only relevant rules are the Telecom Commercial Communications Customer Preference Regulations, 2018 (“Customer Preference Regulations”) issued by the Telecom Regulatory Authority of India (“TRAI”), which require telecom service providers to set up a mechanism to register subscribers’ requests not to receive unsolicited commercial calls.

_____________________________________________________________________

Cookies

Conditions for use of cookies

There are no specific laws or regulations in India on the use of cookies.

Regulatory guidance on the use of cookies

Not applicable.

_____________________________________________________________________

Marketing by E-mail

Conditions for direct marketing by e-mail to individual subscribers

There are no specific laws or regulations in India on direct marketing by e-mail.

Conditions for direct marketing by e-mail to corporate subscribers

Not applicable.

Exemptions and other issues

Not applicable.

_____________________________________________________________________

Marketing by Telephone

Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)

Marketing by telephone to individual subscribers without their consent is expressly prohibited, and telecom service providers are responsible for ensuring that the prohibition is enforced. Telecom service providers are required to establish a Customer Preference Registration Facility (“CPRF”) through which customers can give or revoke their consent with regard to the category, the mode (voice calls or text messages) and the time slot of such marketing.

Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)

There are no separate rules for corporate subscribers, who are governed by the same regime as non-corporate subscribers.

Exemptions and other issues

The CPRF gives customers the option to register under the ‘partially blocked category’, under which they can opt in to or opt out of receiving promotional communications in the following categories: (i) banking/insurance/financial products/credit cards; (ii) real estate; (iii) education; (iv) health; (v) consumer goods and automobiles; (vi) communication/broadcasting/entertainment/IT; (vii) tourism and leisure; and (viii) food and beverages.

_____________________________________________________________________