India currently does not have any express legislation governing data privacy and protection. While the transition to a digital economy is underway, the processing of personal data has already become omnipresent. The reality is that almost every single activity undertaken by an individual involves some sort of data transaction or other. The Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 at present govern the protection of personal and sensitive personal information of individuals. However, they do not address the growing concern over data security or the technological revolution that India is facing.
Indian jurisprudence on privacy and data protection reached a watershed moment in August 2017, when the Supreme Court in Justice K.S. Puttaswamy v. Union of India held that the Indian Constitution under Article 21 included a fundamental right to privacy. The ruling is the outcome of a petition challenging the constitutional validity of the Indian biometric identity scheme Aadhaar and the validity of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016. This conception of privacy also aligned with already existing regulatory frameworks in data protection in other jurisdictions.
The European Union (EU) in 2013 proposed to harmonize and consolidate its preexisting data protection framework through a new regulation: the General Data Protection Regulation (GDPR). After GDPR went through extensive rounds of consultations, it finally came into force in 2018. This effort to create a comprehensive data protection regulation in the EU influenced the debate in India.
In December 2019, the government introduced the Personal Data Protection Bill, 2019, which would create the first cross-sectoral legal framework for data protection in India. The bill is largely modelled on the GDPR and aims to protect the informational privacy of individuals by creating a preventive framework that regulates how businesses collect and use personal data.
The bill creates a set of rights and responsibilities for the processing of personal data and broadly proposes to:
- create a Data Protection Authority (DPA) for making regulations and enforcing the legal framework;
- make consent a centerpiece of all processing of personal data;
- create a separate category of “sensitive personal data” and state that such data can be processed only with explicit consent;
- make data fiduciaries accountable for all compliances under the bill;
- exempt certain kinds of data collection and processing from specific requirements;
- require data localization;
- follow a consultative process including various regulatory bodies in India;
- implement monetary and criminal penalties including imprisonment for non-compliance.
The bill was, until recently, open to comments from various stakeholders. We are yet to see what amendments were incorporated.