1. Relevant Legislation and Competent Authorities
1.1 What is the principal data protection legislation?
The Digital Personal Data Protection Act, 2023 (DPDP Act), was enacted in August 2023; however, the Rules under this Act have yet to be notified. As such, until the Rules and the Data Protection Board are notified under this Act, we will continue to adhere to the existing legislation in this domain. To reiterate, in Justice K.S. Puttaswamy & Anr. v Union of India & Ors. ((2017) 10 SCC 1), the Supreme Court of India recognised privacy as a fundamental right and highlighted the need for a comprehensive framework for data protection.
Further, until such time that the DPDP Act and Rules are implemented, the Information Technology Act, 2000 (IT Act), along with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules), have been the cornerstone for data protection in India.
To mitigate issues arising from cybercrimes, along with the other challenges around data privacy in recent years, multiple amendments were made and various Rules were formulated to supplement the IT Act, such as the Information Technology (Intermediaries Guidelines and Digital Media Ethics Code) Rules, 2021 (IT Rules 2021), which were further amended in 2023.
1.2 Is there any other general legislation that impacts data protection?
This is covered in question 1.1 above and question 1.3 below.
1.3 Is there any sector-specific legislation that impacts data protection?
At present, there is no sector-specific legislation. There are, however, guidelines from the Reserve Bank of India (RBI) on personal data in relation to financial data, i.e., the rules published by regulatory authorities in India, such as the RBI, the Insurance Regulatory and Development Authority of India, and the Securities and Exchange Board of India, with reference to credit cards, online platforms and digital intermediaries. There are also telecom guidelines and healthcare guidelines that address personal data.
Certain ancillary laws that impact data protection based on their jurisdiction and subject matter include:
- The Information Technology (the Indian Computer Emergency Response Team and the Manner of Performing Functions and Duties) Rules, 2013.
- The Directions imposed by the Indian Computer Emergency Response Team (CERT-In).
- The Consumer Protection Act, 2019.
- The Consumer Protection (E-Commerce) Rules, 2020.
1.4 What authority(ies) are responsible for data protection?
In India, there are no authorities responsible for data protection; the relevant government departments, under the supervision of the Ministry of Electronics and Information Technology (MeitY), oversee the enforcement of data protection. However, the DPDP Act envisages the setting up of a Data Protection Board of India (DPBI) to regulate the entire regime of digital personal data protection in the country.
Once set up, the DPBI will be entrusted with handling vast amounts of data collected, redressing grievances of Data Principals, and imposing penalties on Data Fiduciaries in case of non-compliance. The DPBI will have the power to summon and enforce the attendance of persons, examine such persons under oath and inspect any data, book, document, register, books of account or any other document to conduct an inquiry for determining legislative compliance by Data Fiduciaries.
To read more, visit the chapter, first published by ICLJ.com.
Authors: Srinjoy Banerjee and Puja Tiwari