Privacy And Data Protection
Data Protection and Privacy Laws in India
Ahlawat & Associates is one of the few firms in India that specialize in providing services in the domain of data privacy and data protection. The firm’s data privacy team regularly advises numerous international and domestic clients ranging from Fortune 500 companies, multinational companies, partnership firms, start-ups, individuals, etc. The firm’s data protection and data privacy practice spans a variety of assignments relating to personal data security, data breach, identity theft, technology transfers, etc.
The data protection team at Ahlawat and Associates comprises motivated and well-qualified lawyers who have immense experience in providing specific curated solutions on a plethora of legal issues concerning data collection, data processing, data transfer, data sharing, data security standards, etc. The team assists clients with the drafting, reviewing and negotiation of various agreements which involve complex aspects of data transfers, including cloud computing agreements, SaaS agreements, etc.
Ahlawat and Associates is one of the leading Data Protection law firms in India with its headquarters in Delhi NCR. Ahlawat & Associates serves clients PAN India including Bangalore, Mumbai, Chennai, Hyderabad, Chandigarh, Pune, Gurugram, Kolkata, etc.
The significance of data is paramount at present for any jurisdiction, and especially so for India which is an emerging hub for information technology services. The ease of the internet age has gradually led to increased access and demand for data and the processing and transfer of data – including sensitive data and information – across borders, is widespread and common. It follows that any negligence in this process poses an enormous risk and could lead to exploitation of data for unlawful purposes. Since data is a valuable commodity, the requirement of a robust regulation mechanism for the processing and transfer of data is the need of the hour.
Internationally, the General Data Protection Regulation (‘GDPR’) (effective since May 25, 2018) has set the standard for establishing a comprehensive legal framework for processing of personal data. The GDPR delineates stringent guidelines for the collection and processing of personal information from individuals based in the European Union. No similar legal framework is currently in effect in India; however, the Indian government has codified provisions for the protection of data and privacy of individuals under the Indian Information Technology Act, 2000 (‘Act’) and the rules notified thereunder, which govern data protection in India.
The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (‘Rules’) is the predominant legislation in India that governs the collection, storage, transfer, disclosure, and other processing of the ‘personal information’ as well as ‘sensitive personal data and information’ of ‘providers of information’ (being Indian individuals) by a ‘body corporate’. For reference, for the purpose of the Rules, ‘personal information’ can be understood as information capable of identifying a natural person and ‘sensitive personal data and information’ includes certain categories of personal information such as financial or biometric data. Meanwhile, a ‘body corporate’ refers to a company, firm, sole proprietorship or other association of individuals engaged in any ‘commercial or professional activities’.
In addition, it must be kept in mind that while the Rules are the predominant legislation in India, additional regulatory and legislative safeguards may need to be followed depending upon the business of the body corporate. These include guidelines and rules implemented by regulatory bodies such as the Securities and Exchange Board of India and the Reserve Bank of India, as well as other legislation (containing specialized data protection requirements) such as the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016.
Further, India is currently in the process of overhauling its personal data protection regime in a bid to introduce a comprehensive data protection regime – partly modelled on the GDPR. To this effect, the latest iteration of the draft Digital Personal Data Protection Bill, 2022 (‘DPDP Bill’) has been released by the Indian Ministry of Electronics and Information Technology on November 18, 2022 for public consultation.
The DPDP Bill applies to any ‘digital personal data’ processed within India. The term ‘digital personal data’ (in the DPDP Bill) encompasses a broader scope of data than the Rules (which cover only the electronic processing and collection of data). The DPDP Bill prescribes a vast set of compliances and restrictions on data processing (such as in respect to data of minors and transfer of data outside India) and allots additional rights to Indian individuals vis-à-vis their data (including right to correction, erasure, and deletion of data). Importantly, the DPDP Bill proposes to set up a Data Protection Board to oversee and enforce the provisions enshrined in the DPDP Bill.
The Indian Parliamentary Standing Committee has provided its assent to the draft Digital Personal Data Protection Bill, 2022 and the same is slated to be introduced (for consideration for enactment as a law) before the Parliament in the second half of the budget session of the Indian Parliament in 2023. With the enforcement of the DPDP Bill (which will repeal the Rules) being imminent, it will be helpful for any business conducting or seeking to conduct business operations in the country to obtain legal advice on the compliances thereunder at the earliest.
Founded in 1978, A&A is recognised as one of the leading law firms in data protection and privacy laws. The attorneys of the firm have in-depth expertise in the field of Data Privacy and IT Law and regularly provide advice regarding regulatory and compliance requirements. In recent years, due to the enormous rise in cyberattacks, data breaches, privacy events, and technological difficulties, it has become crucial for businesses to comprehend and mitigate the privacy-related legal risks faced by them. To assist our clients in protecting their legal interests and addressing their regulatory concerns in the field of data privacy, we combine our years of knowledge and practical industry experience to advise clients on cutting-edge issues regarding readiness for cybersecurity, efficient handling of incidents of data breaches, criminal enforcement for cyber offences, etc.
The Data Protection Team also advises clients on the regulatory framework and the evolving jurisprudence on data privacy in India. The firm has been conferred prestigious awards and accolades and has been recognized globally for its exceptional and diversified data protection practice. The Data Privacy Team, with their exposure and experience, delivers quality work and provides effective solutions to the most complex legal queries. We assist clients in ensuring compliance with the data protection statute in India, drafting of privacy policies, communicating with CERT-In and complying with their directions, etc. Our data protection specialist lawyers provide tailored advice to our clients from diverse industry practice areas including social media networking platforms, online streaming platforms, e-commerce platforms, etc.
1. What is personal data or information?
According to Rule 2 (i) of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (SPDI Rules), any piece of information that can be used to identify a person is considered personal data or information. Information such as the name, phone number, residence, age, email address, etc. of an individual falls within the category of personal data or information.
2. What is sensitive personal data or information?
As per Rule 3 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, sensitive personal data or information of a person means such personal information which consists of information relating to:
- financial information such as Bank account or credit card or debit card or other payment instrument details;
- physical, physiological and mental health condition;
- sexual orientation;
- medical records and history;
- Biometric information;
- any detail relating to the above clauses as provided to body corporate for providing service; and
- any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.
However, the statute provides that any information which is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of SPDI Rules.
3. What is the resolution mechanism to address user grievances under SPDI Rules?
As per Rule 5(9) of the SPDI Rules, a Body Corporate is required to appoint a Grievance Officer to handle the grievances and discrepancies lodged by a user. Further, the Grievance Officer’s name and contact information must be published on the website (online platform) of the Body Corporate. The Rules further mandate that any grievance raised by a user must be resolved within one (1) month from the date of receipt of the grievance by the Grievance Officer.
4. Who is a ‘Data Fiduciary’ and ‘Data Principal’ as per the Digital Personal Data Protection Bill, 2022?
‘Data Fiduciary’ means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data. On the other hand, a ‘Data Principal’ means the individual to whom the personal data relates and where such individual is a child, it includes the parents or lawful guardian of such a child.
5. Why choose Ahlawat & Associates for your Data Protection & Data Privacy requirements?
A&A’s data protection team focuses on a variety of concerns relating to privacy and security of data arising with the use of new age technologies. We assist our clients on diverse aspects of data and privacy protection issues ranging from data security and breach notification, protecting against data and privacy protection violations, privacy contracting and negotiations, policy and process formulation, security failures, etc. We understand the intricacy of preserving personal data and sensitive personal data collected online. Therefore, our team conducts in-depth research into the possible applicability of the relevant technological and data privacy laws, including the Sensitive personal data or information (SPDI) Rules, 2011 and the recently issued draft Digital Personal Data Protection Bill, 2022.
6. What is the support offered by A&A in the field of data protection and data privacy?
Ahlawat & Associates provides specialised services to clients on data protection and privacy-related issues. The team is also involved in drafting various privacy policies, user agreements, responses to notices from CERT-In pertaining to data theft and data breach, etc. Further, the team also provides industry-specific and expert opinion to clients, including strategic and commercial advice on regulatory and compliance matters pertaining to cross border data transfer guidelines, data breach, KYC requirements for consumers/users, drafting privacy policies along with risk mitigation strategies, etc.