ILN Data Privacy Paper

India

Introduction

2.1. Overview of principal legislation Since 2011 until 2023, India only had a very basic dedicated legislation covering the arena of data protection and data privacy. This piece of legislation was called the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“SPDI Rules”) which was framed under the Information Technology Act, 2000 (“IT Act”). It is only in 2023 that the Central Government enacted the DPDPA, thereby re-hauling and introducing a more comprehensive data protection legislation. 2.2. Additional or ancillary regulation, directives or norms The regulatory landscape for data protection in India is additionally supplemented by a number of other laws (which are sector-specific). These legislations include Information Technology (the Indian Computer Emergency Response Team and the Manner of Performing Functions and Duties) Rules, 2013 and the Consumer Protection (E- Commerce) Rules, 2020. Further, Reserve Bank of India (RBI) has also prescribed a set of comprehensive guidelines for handling of personal data by banking and financial service institutions. Governing Data Protection Legislation

The legal regime in India relating to data protection and privacy has undergone a significant re-haul and revamp. The Digital Data Protection Act, 2023 (“DPDPA”) received the President’s assent and was published in the official Gazette in India on August 11, 2023. Even though the DPDPA has been published in the Gazette, the date on which the statute will come into force is yet to be notified by the Government. The PDPA provides for the protection of the individual’s rights in relation to their personal data which is in digital form or has been digitized subsequently. It further extends beyond the borders in case processing of personal data occurs outside of India as regards goods or services being provided to persons located in India. There was an imminent requirement to curb the escalating concerns surrounding data breaches, unauthorized data exchange and absence of robust regulations surrounding processing of personal data of individuals. The enactment of the DPDPA seems to be a positive step taken by the government to address such concerns. While the rules under the DPDPA are yet to be released in the public domain (which will elaborate more on the manner of compliances), the DPDPA (in its current form) seems like an attempt by the government to strike a balance to safeguard the rights of individuals on one hand and at the same time ensuring that corporate entities are not overburdened with compliances.

www.ahlawatassociates.com

Made with FlippingBook - PDF hosting