
Introduction

Unlike the European Union which adopted the Data Protection Directive in 1995 and has
most recently passed the General Data Protection Regulation that is scheduled to become
enforceable with effect from May 25, 2018, India does not currently have a separate data
protection law and when the Information Technology Act, 2000 (hereinafter referred to as the
"IT Act") first came into force on October 17, 2000 it lacked provisions for protection and the
procedure to be followed to ensure the safety and security of sensitive personal information
of an individual.

This led to the introduction of the Information Technology Bill, 2006 in the Indian Parliament
which later led to the Information Technology (Amendment) Act, 2008 whose provisions
came into force on October 27, 2009. The Information Technology (Amendment) Act, 2008
inserted Section 43A in the IT Act and the Central Government, in exercise of the powers
conferred by clause (ob) of sub-section (2) of Section 87 read with Section 43A of the IT Act,
2000 notified the Information Technology (Reasonable security practices and procedures
and sensitive personal data or information) Rules, 2011 (hereinafter referred to as the "2011
Rules").

Important Provisions of IT Act related to Data Protection

- Section 43A of the IT Act explicitly provides that whenever a body corporate possesses or deals with any sensitive personal data or information, and is negligent in maintaining reasonable security practices to protect such data or information, thereby causing wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages to the person(s) so affected.
- Further, Section 72A provides for the punishment for disclosure of information in breach of a lawful contract: any person who discloses information in breach of a lawful contract may be punished with imprisonment for a term not exceeding three years, or with a fine not exceeding five lakh rupees, or with both.

Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

The Department of Information Technology notified the 2011 Rules on April 11, 2011 vide notification no. G.S.R. 313(E). The main highlights of the 2011 Rules are as follows:

 The Information Technology (Reasonable Security Practices and Procedures and


Sensitive Personal Data or Information) Rules 2011 only apply to bodies corporate
and persons located in India. This was clarified vide a press note dated August 24,
2011 issued by the Ministry of Communication and Information Technology wherein it
was stated the 2011 Rules were applicable to a body corporate or any person
located within India1.
 Rule 3 of the 2011 Rules provides a list of items that are to be treated as "sensitive
personal data", and includes inter alia information relating to passwords, credit/ debit
cards information, biometric information (such as DNA, fingerprints, voice patterns,
etc. that are used for authentication purposes), physical, physiological and mental
health condition, etc. It is further clarified that any information is freely available or
accessible in the public domain is not considered to be sensitive personal data.
 Rule 4 imposes a duty on Body Corporates seeking sensitive personal data to draft a
privacy policy and make it easily accessible for people who are providing the
information. The privacy policy should be clearly published on the website of the
body corporate and should contain details on the type of information that is being
collected, the purpose for which it has been collected and the reasonable security
practices that have been undertaken to maintain the confidentiality of such
information.
 Rule 5 provides the guidelines that need to be followed by a Body Corporate while
collecting information and imposes the following duties on the Body Corporate:

a. Obtain consent from the person(s) providing information in writing or by fax or by e-mail before collecting such sensitive personal data. Vide the press note dated August 24, 2011 issued by the Ministry of Communication and Information Technology it was clarified that consent includes consent given by any mode of electronic communication;
b. Information shall not be collected unless it is for lawful purpose, and is
considered necessary for the purpose. The information collected shall be
used only for the purpose for which it is collected and shall not be retained for
a period longer than which is required;
c. Ensure that the person(s) providing information are aware about the fact that
the information is being collected, its purposes & recipients, name and
addresses of the agencies retaining and collecting the information;
d. Retain the information for no longer than is required for the purposes for
which the information may lawfully be used or is otherwise required under any
other law for the time being in force;
e. Offer the person(s) providing information an opportunity to review the
information provided and make corrections, if required;
f. Before collection of the information, provide an option to the person(s)
providing information to not provide the information sought;
g. Maintain the security of the information provided; and
h. Designate a Grievance Officer, whose name and contact details should be on
the website who shall be responsible to address grievances of information
providers expeditiously. A maximum period of one month has been provided
for resolution of such grievances.
- Rule 6 provides that a body corporate must seek the prior permission of the information provider before disclosing such information to a third party. However, no prior permission is required if a request for such information is made by government agencies mandated under law, or by any other third party under an order made under law.
- Rule 8 provides the reasonable security practices and procedures that may be implemented by bodies corporate. The international standard IS/ISO/IEC 27001 is one such standard which can be implemented by a body corporate to maintain data security. It is pertinent to note that an audit of reasonable security practices and procedures shall be carried out by an auditor at least once a year, or as and when the body corporate or a person on its behalf undertakes a significant upgradation of its process and computer resources.

Other Clarifications Issued by Ministry of Communications and Information Technology

It was clarified that any Body Corporate providing services relating to collection, storage,
dealing or handling of sensitive personal data or information under contractual obligation
with any legal entity located within or outside India was not subject to the requirements of
Rules 5 & 6. However, body corporates providing services to the provider of information
under a contractual obligation directly with them, as the case may be, are subject to Rules 5
& 6.

Recent Comments by the Government in the Supreme Court

An important debate that has arisen before the Supreme Court of India is whether there is a fundamental right to privacy [2]. The matter was referred to a nine-judge constitutional bench and a decision is forthcoming in this regard. An important point that was raised before the Court in a hearing on August 1, 2017 is that the Central Government has constituted a committee of experts, led by former Supreme Court judge Justice B.N. Srikrishna, to identify "key data protection issues" and suggest a draft data protection Bill [3]. Reading from an office memorandum dated July 31, 2017, the Additional Solicitor General of India informed the Court that the Ministry of Electronics and Information Technology would work with the panel and hand over all necessary information to the Committee within the next eight weeks, after which the latter would start its deliberations.
