Personal Data Protection Laws in India

Section 43A of the Information Technology Act, 2000, read with the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, and section 72A of the Information Technology Act, 2000, protect the personal and sensitive information of Indian citizens.

Section 43A – Compensation for failure to protect data.

Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.

Section 72A – Punishment for disclosure of information in breach of lawful contract.

Any person, including an intermediary, who, while providing services under the terms of a lawful contract, has secured access to any material containing personal information about another person, and who, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain, discloses such material to any other person without the consent of the person concerned or in breach of a lawful contract, shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to five lakh rupees, or with both.

In 2017, the Honourable Supreme Court of India, in a historic judgment, declared the right to privacy a fundamental right under the Constitution of India. Soon after, a committee chaired by Justice B. N. Srikrishna was formed to draft the Personal Data Protection Bill.

The Justice B. N. Srikrishna Committee submitted the draft of the PDPB in July 2018, and after some necessary changes the bill was tabled in the Lok Sabha in December 2019. A Joint Parliamentary Committee (JPC) was formed for a further comprehensive study. The JPC made 89 amendments and added one clause to the Personal Data Protection Bill, 2019, and was to submit its report in the Budget Session, 2021.

Definitions as per Personal Data Protection Bill, 2019

  • Personal Data is any information directly or indirectly related to an identified or identifiable natural person, e.g. name, email address, IP address, etc.
  • Sensitive Personal Data is an exhaustive list of categories of data that reveal any of the following:
    1. Financial data;
    2. Health data;
    3. Official identifier;
    4. Sex life;
    5. Sexual orientation;
    6. Biometric data;
    7. Genetic data;
    8. Transgender status;
    9. Intersex status;
    10. Caste or tribe;
    11. Religious or political belief or affiliation; or
    12. Any other data categorized as sensitive personal data under section 15.
  • Data Principal is the natural person whose personal data a data fiduciary or data processor processes.
  • Data Fiduciary is any organization that determines the purpose and means of processing personal data.
  • Data Processor is an organization that processes personal data on behalf of a data fiduciary.

Compliances as per Personal Data Protection Bill, 2019

List of Services:

  • PDPA Readiness Assessment;
  • PDPA Training and Awareness;
  • Contract Review and Revision as per PDPA;
  • PDPA Policies and Procedures;
  • Procedure for Executing Data Principal Rights;
  • Embedding privacy by default in an organization;
  • Data Protection Impact Assessment and its Procedure;
  • Procedure for Cross-Border Transfer of Personal Data;
  • Incident Response Plan and Procedure;
  • PDPA Audit.