Privacy

The Right to Privacy is a fundamental right and is protected under the Indian Constitution. The Privacy rules in India were contained in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (Privacy Rules) notified under the Information Technology Act, 2000. The Privacy Rules are applicable to bodies corporate across industries and sectors.

On 11 December 2019, the Ministry of Electronics and Information Technology (MeitY) introduced the draft Personal Data Protection Bill, 2019 (PDP Bill) before the Parliament, which was referred to a Joint Parliamentary Committee (JPC) for further consideration. Post extensive stakeholder consultations, the JPC submitted its report in December 2021 which includes the recommendations of the JPC along with the draft bill, now titled the Data Protection Bill, 2021 (DP Bill), which is likely to be re-introduced this year and implemented in a phased manner.

The DP Bill now includes in its ambit, all Non-Personal Data (NPD), defined as ‘data other than personal data’.

The introduction of the DP Bill has brought India to the forefront globally with respect to the handling of personal information of an individual person.

The proposed bill emphasizes 'consent' to be the most significant acceptable grounds for processing/ collecting personal data.

Some of the areas organizations need to adhere to comply with the requirements of the bill:

• Privacy by design throughout the data life cycle - collection, processing, storage, transmission, archival, and data disposal;
• Limit data collection to the minimum required for the purpose of processing;
• Respect the rights of the data principal;
• Organizations will need to store at least one serving copy of the personal data on a server or data center located in India;
• Parental consent is mandatory for processing children’s information;
• All data breaches (including breach of NPD) will have to be disclosed to the Data Protection Authority (DPA) within 72 hours;
• The DPA can authorize schemes of transferring sensitive personal data outside India after consultation with the Central Government and such contract or intra-group scheme will not be approved, if “the object of such transfer is against public policy or State policy”;
• Organizations are required to implement appropriate security safeguards to protect personal information.

Under the Rules, an entity handling or collecting personal information from any person is required to:

• Provide a privacy policy and make it accessible to the providers of the information;
• Retain information only for such time period as may be required;
• Keep the information secure and not publish it;
• Obtain permission of the provider of information prior to the disclosure of such information, unless required to be disclosed by law or to certain government agencies;
• Permit the providers of information, as and when requested by them, to review the information they had provided and ensure that any personal information or sensitive personal data or information found to be inaccurate or deficient is corrected or amended as feasible;
• Provide an option to the provider of information to not handover the data or information sought to be collected or to withdraw the consent given earlier;
• Address any discrepancies and grievances of the provider of information with respect to the processing of information in a timely manner. Compliance requirements for significant data fiduciaries requires the appointment of a data protection officer, being a Key Managerial Personnel (or equivalent in entities that are not companies) to carry out various functions prescribed under the law.

Certain industries, where technology and data transfer are critical, are closely monitored by the government, e.g., licensed defense industries in the private sector.

Non-compliance can attract a fine of up to INR 150 million or 4% of the worldwide turnover, whichever is higher.