Shortcomings under the Indian Data Protection Regime

Introduction

India is a developing nation and over the years it has witnessed immense growth in technological advancement. With the growth of technology and internet age in recent years, India has emerged as the hub of technology-driven industries. The protection of data has become more than significant ever and the requirement of a robust regulation mechanism for the processing and transfer of data is the need of the hour in India and therefore it is of utmost importance to understand the intricacy of preserving personal data and sensitive personal data collected by cyber spaces.

India at present, does not have any comprehensive or dedicated legislation that deals with the aspect of data privacy. However, there are safeguards that are dispersed among many different laws, rules, and policies pertaining to data privacy laws in India. The Information Technology (Reasonable Security Practises and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”) framed under the Information Technology Act of 2000 (“IT Act”)  govern India’s data protection issues at present. Arguably, however, the current legislation falls short in handling issues pertaining to cross border data flows and emerging technologies.

IT Act & SPDI Rules

As mentioned above, the SPDI Rules notified therein govern data protection in India. The SPDI Rules have been notified in accordance with the IT Act by the Government of India in a bid to protect personal information of Indian individuals. The SPDI Rules segregate and categorize certain categories of information as personal information and sensitive personal data or information and impose obligations for safeguarding such information as well as penalties for unauthorized disclosure or misuse of such information by “body corporates” (viz. “..any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities…”) engaged in collecting and processing such data. The SPDI Rules are applicable to body corporates (and individuals acting on a body corporate's behalf).

While SPDI Rules have been instrumental in dealing with cyber offenses, it is pertinent to note that technologies and digital landscape has evolved since the enactment of these laws and keeping up with emerging and dynamic nature of cybercrimes is one of the major challenges faced by authorities in India. The Government of India has brought about additional regulations and compliances and amended IT Act periodically to address some of these new challenges.  As regards data privacy, however, the SPDI Rules remain the predominant legislation in India that governs the collection, storage, transfer, disclosure, and other processing of the “personal information” and “sensitive personal information and data” of Indian individuals.

For reference, the SPDI Rules defines the term “personal information” as “any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.”.

Further, the term “sensitive personal data or information” is defined as “personal information” which includes information pertaining to passwords, financial information such as bank account or credit card or debit card or other payment instrument details, physical, physiological, and mental health condition, sexual orientation, medical records and history, biometric information among other information as may be received by a body corporate for processing, stored or processed under lawful contract. However, the SPDI Rules provide that information which is freely available or accessible in public domain or furnished under law for the time being in force does not constitute “sensitive personal data or information”.

Legislative Shortcomings

The SPDI Rules provide a framework for the protection and management of sensitive personal data or information and have been helpful in ensuring transparency, accountability, and security in the handling of personal data. While these rules are a significant step towards addressing the data privacy issues in India, however, we observe that the rapid development of technology seems to have led to some practical difficulties in the application of the SPDI Rules in the modern age. Some of these relevant aspects are analysed hereinbelow:

It is pertinent to note that the SPDI Rules were notified more than two decades ago, and since then the digital landscape has evolved significantly. The SPDI Rules were formulated at a time when certain technologies (providing for processing/transfer of data) such as cloud computing and social media, were not as prevalent as they are today. As a result, the SPDI Rules do not specifically address the unique challenges and risks associated with these technologies, potentially leaving gaps in the protection of data processed through them. The absence of provisions regarding emerging technology in the SPDI Rules makes it difficult to effectively regulate and address issues related to newer and advanced technologies.

Furthermore, the application of the SPDI Rules is limited to electronic data and is not applicable on information and data collected or processed in non-electronic modes. The limitation of application of SPDI Rules to electronic data is restrictive in nature as it excludes data collected or processed through paper forms, or physical documents, which means that data collected through such modes does not receive the same level of protection  as electronic data. The exclusion of non-electronic data from the present legislation, creates a potential gap in the regulatory framework, as organisation/entities may collect sensitive personal information through non-digital means or physical modes.

Further, while the SPDI Rules prescribe several statutory compliances for body corporates to ensure the safeguarding and safekeeping of individuals data, some of the standards set out in the SPDI Rules are ambiguous and create difficulty in interpretation and application.

For example, for the protection of  personal information of individuals, the SPDI Rules require body corporates to implement “reasonable security practices and procedures", however, the SPDI Rules do not provide specific guidelines or standards for what constitutes reasonable security practices. The inclusion of ambiguous language in the SPDI Rules creates confusion with respect to interpretation and implementation thereof among stakeholders and makes it challenging for stakeholders to understand and comply with the requirements set out thereunder.

As a further example, the SPDI Rules mention that the transfer of such data from one body corporate to another may be allowed under certain conditions, including the requirement of implementation of security procedures and practices equivalent to “reasonable security practices and procedures" (as required  under the SPDI Rules) by any body corporate to which data is being transferred, in India or abroad. However, the SPDI Rules do not explicitly set out requirements and safeguards for cross-border transfer of sensitive personal data or information.

Lastly, the application of SPDI Rule is limited to within the territorial boundaries of India, and the protection of sensitive personal data or information within the territory of India. The SPDI Rules do not contain clear stipulations for data being transferred outside the geographical boundaries of India. With the global nature of the internet, this makes it challenging to regulate foreign body corporates processing data of Indian individuals.

Conclusion

The SPDI Rules are instrumental in addressing the requirements of data protection and security in India. However, the current legislation suffers from issues related to enforcement and proper implementation.

On a global level, countries across the world have formulated comprehensive legal framework to ensure data privacy and protection. The General Data Protection Data Regulation (“GDPR”) in the European Union and similar laws in other jurisdictions have set guidelines and robust regulatory mechanism for the collection and processing of personal information from individuals, ensuring data protection. Therefore, a uniform legislation with strict implementation is currently a requirement of India which address all the recent changes in the way our data is handled in current times.

With the increasing demand for a stricter regulatory regime, and to keep pace with technological advancements worldwide, the Indian Ministry of Electronics and Information Technology released Digital Personal Data Protection Bill, 2022 (“DPDP Bill”) on November 18, 2022 for public consultation with an objective to provide a comprehensive uniform legislation for the protection of personal data and privacy rights of individuals in India. The introduction of the DPDP Bill aims to bring India's data protection regime at par with world standards. The DPDP Bill covers various aspects of data processing, individual rights, enforcement, and cross-border transfers and outlines a more holistic and modern approach to data protection in line with global standards as compared to SPDI Rules that primarily focuses on regulating the handling of sensitive personal data or information in electronic form. Further, the DPDP Bill proposes the establishment of a Data Protection Authority responsible for enforcing the provisions of the law, conducting inquiries, and imposing penalties for non-compliance. The DPDP Bill also outlines fines for various offenses, including data breaches.

The introduction of the DPDP Bill reflects India's recognition of the need for a comprehensive data protection framework to address the challenges and risks associated with the digital age. The Indian Parliamentary Standing Committee has provided its assent to the draft DPDP Bill and the same is slated to be introduced for consideration as law before the Indian Parliament in the second half of its budget session in 2023. It will be interesting to see the changes the DPDP Bill is set to bring in India