India Privacy Law

Information Technology Act, 2000 and SPDI Rules - India

Overview and Scope

The Information Technology Act, 2000 ('the IT Act') and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ('the SPDI Rules') are the key privacy regulations in India.

The SPDI Rules are issued under the IT Act and, in addition to applying within India's territory, apply to offences committed outside India if those offences involve electronic resources located in India.

Does it require providing a privacy notice?

No separate notice is required. However, all companies that process personal data must publish a privacy policy on their websites that describes their processing activities, the types of data collected and the purposes for which they are collected, any disclosure practices, and the security safeguards in place.

Nature of consent under the IT Act 2000

Under current law, consent is the primary means by which personal data can be processed. The concept of consent is not clearly defined, so businesses often use principles of contract law to determine how, when, and through which means consent should be obtained. As long as consent is obtained willingly and without any undue influence, there are few limitations on the process and method of obtaining it. However, if consent is obtained as part of a standard form contract, the terms of the contract must be fair and reasonable.

What are the categories of sensitive personal data?

According to the SPDI Rules, sensitive personal information or data refers to passwords, financial information, physical, physiological, or mental health conditions, sexual orientation, medical records and history, and biometric information. However, this does not include any personal data that is already publicly available or can be accessed through the Right to Information Act of 2005 or any other applicable laws.

What exemptions, if any, are there for academic research?

No such exemption stated.

Does it require appointing a representative in India?

No such requirement is stated.

How is it enforced?

The Ministry of Electronics and Information of India (MeitY) has the authority to provide guidance on matters related to electronics and information technology. For security incidents, MeitY has established the Indian Computer Emergency Response Team ('CERT') as the main agency responsible for receiving and addressing breach notifications.

What are the potential penalties?

If a company fails to implement and maintain reasonable security practices to protect sensitive personal data or information, it may be required to pay compensation to the affected individual. No maximum amount is specified for this type of compensation.