India
Introduction
2.1. Overview of principal legislation
From 2011 to 2023, India had only very basic dedicated legislation covering data protection and data privacy. This legislation was the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“SPDI Rules”), framed under the Information Technology Act, 2000 (“IT Act”). It was only in 2023 that the Central Government enacted the DPDPA, thereby overhauling the regime and introducing more comprehensive data protection legislation.
2.2. Additional or ancillary regulation, directives, or norms
The regulatory landscape for data protection in India is supplemented by several other sector-specific laws. These include the Information Technology (the Indian Computer Emergency Response Team and the Manner of Performing Functions and Duties) Rules, 2013, and the Consumer Protection (E-Commerce) Rules, 2020. Further, the Reserve Bank of India (RBI) has prescribed a set of comprehensive guidelines for the handling of personal data by banking and financial service institutions.
Governing Data Protection Legislation
The legal regime in India relating to data protection and privacy has undergone a significant overhaul. The Digital Data Protection Act, 2023 (“DPDPA”) received the President’s assent and was published in the official Gazette in India on August 11, 2023. Even though the DPDPA has been published in the Gazette, the date on which the statute will come into force is yet to be notified by the Government. The DPDPA provides for the protection of individuals’ rights in relation to their personal data that is in digital form or has been digitized subsequently. It also applies beyond India’s borders where personal data is processed outside of India in connection with goods or services being provided to persons located in India.
There was an imminent requirement to address the escalating concerns surrounding data breaches, unauthorized data exchange, and the absence of robust regulations on the processing of individuals’ personal data. The enactment of the DPDPA seems to be a positive step taken by the government to address such concerns. While the rules under the DPDPA (which will elaborate on the manner of compliance) are yet to be released in the public domain, the DPDPA in its current form seems like an attempt by the government to strike a balance between safeguarding the rights of individuals and ensuring that corporate entities are not overburdened with compliance obligations.
www.ahlawatassociates.com