Thanks to its sizable population, the abundance of skilled workers it offers and the relatively low overheads involved in its industry, India has emerged as the world’s largest data center hub for outsourcing services. Despite this lofty status, the data law infrastructure in place in the country at the time of writing is sadly lacking.
At present, there is no legislation which provides a comprehensive framework for the laws surrounding data protection in India, nor is there a dedicated authority responsible for governing the subject. However, certain high-profile data breaches, alongside the country’s growing status as a data center, mean that the government is currently in the process of implementing new laws which will tighten restrictions in the future.
The status quo
While there is no Act or Directive which specifically focuses on the issue of data protection in India, provisions are made for the collection, storage and use of personal information under sections of the Information Technology Act (IT Act) of 2000. What’s more, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, more commonly known as the 2011 SPDI Rules, also touch on the subject.
These pieces of legislation set out key obligations which corporations or individuals acting on behalf of corporations must adhere to when collecting sensitive data of their clients or customers. This includes notifying the individual in question of the data collection, being transparent about the type of data and the uses it is put to and offering the option of opting out of the policy. The corporation does have the right to revoke its goods or services in the case of an individual opting out.
Recognizing the risk
As India’s status in the data center world has grown, it has increasingly become a target for hackers and cyber criminals looking to steal sensitive information. This has been going on for more than a decade and the most high-profile scams have targeted the country’s financial institutions, hospitals and transport infrastructure.
Of course, the government has not been immune to these types of attacks, either, with more than 30,000 cyber-attacks targeting government departments and organizations in 2021 alone. In one particularly newsworthy incident, the Twitter account of Prime Minister Narendra Modi was hacked, and a fake message was published falsely announcing Bitcoin as legal tender in the country. With no one safe from the cyber siege, India is now in the process of beefing up its data laws.
Future legislation
In 2019, the Indian government put forward the Personal Data Protection Bill (PDP Bill), which was referred to a Joint Parliamentary Committee for review and revision. In December 2021, the Committee published its report on the Bill, making certain recommendations and amendments. Perhaps the most significant among these is the expansion of the Bill to include non-personal as well as personal data, thus resulting in it changing its name to the Data Protection (DP) Bill.
Although it has not yet been formally ratified, the DP Bill is likely to enter into law in the coming months and years. Once this happens, there will be greater scope for authorities to police data privacy in India and hold to account those who harvest and sell the personal information of their users to the highest bidder.
The DP Bill should improve the data protection situation in India, but internet users can already take precautions to remove their personal information from the web as much as possible. This A to Z of opt-out guides helps you to locate data brokers which might store your details and request their removal.
(India CSR)