
India Data Protection Updates for 2023 and Predictions for 2024


India’s Historic Data Law

2023 was a milestone year for data protection and privacy in India with the enactment of the much-anticipated personal data protection legislation, the Digital Personal Data Protection Act, 2023 (“DPDPA”). The DPDPA has been in the making since 2017 and, after several rounds of stakeholder consultations and revisions, was enacted by the Indian Government in August 2023. While the implementation and enforcement of the DPDPA has been pushed to 2024, stakeholders are gearing up for this new regulation.

In line with the long-standing dual privacy regulation approach, sectoral regulators have also taken the front foot by further developing the existing sector-specific data protection obligations. In the past year, regulators such as the Insurance Regulatory and Development Authority (“IRDAI”), the Securities and Exchange Board of India (“SEBI”) and the Reserve Bank of India (“RBI”) have issued guidelines to their respective sectors which, inter alia, also require regulated entities in those industries to adopt greater security measures for data storage, privacy and confidentiality. This time around, the regulators have focused on the key impact areas, including cybersecurity and data storage on cloud services. These developments reflect the general interest of the Government in equipping itself for sectoral data privacy issues.

The Courts have been instrumental in protecting the right to privacy as well as adjudicating on various matters pertaining to the guardrails for exercising this right. Broadly, in numerous instances, the Supreme Court and High Courts have emphasised the need for the Government to implement the standalone data privacy legislation (i.e. the DPDPA). With the passage of the DPDPA in August 2023, we expect 2024 to see a surge in privacy litigation, requiring the Courts to adjudicate on statutory rights in addition to the Constitutional right to privacy.

The key developments and milestones in data privacy regulation for 2023 are discussed below.

New Data Law: Digital Personal Data Protection Act, 2023 

The DPDPA[1] was published in the official gazette on August 11, 2023; however, its provisions are yet to be notified to come into force.[2] The DPDPA in its current form provides a principle-based framework for data protection compliances.

The DPDPA is applicable to (a) processing of digital personal data in India and (b) processing of personal data outside India (irrespective of the location of the processing entity) in connection with offering goods or services to data principals located within the territory of India. Digital personal data is (i) personal data[3] in digital format and (ii) personal data which is collected in a physical format and subsequently digitized.

The DPDPA prescribes compliances for data fiduciaries[4] (akin to data controllers). In brief, the DPDPA lays down requirements with respect to consent and notice, security of personal data, transfers and disclosures of personal data, cross-border transfer restrictions, data breach notification requirements, data principal rights and the grievance redressal mechanism. The Data Protection Board of India is the designated regulator under the DPDPA. In the event of non-compliance with the DPDPA, penalties in the range of INR 500 million (approx. USD 5.9 million) to INR 2.5 billion (approx. USD 30 million) may be triggered.

The Central Government will subsequently issue rules which will elaborate on the implementation aspects of the DPDPA. The rules will provide further clarity on notice requirements; functions of the consent manager; procedure for data breach notifications; parental consent for children’s data[5]; grievance redressal procedures; exemptions for processing of personal data, etc.

Reportedly, the Rules may be issued for public consultation very soon; however, the implementation of the DPDPA itself may possibly be in June 2024 or later.[6]

Our hotline available here[7] discusses the provisions and implications of the DPDPA in detail.

Higher Penalties Under Current Data Law 

Until such time as the DPDPA is notified to come into force, the current data privacy framework under the Information Technology Act, 2000 (“IT Act”) and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“Data Protection Rules”) continues to be applicable.

In 2023, by way of the Jan Vishwas (Amendment of Provisions) Act, 2023, the penalty provisions under the IT Act were amended to introduce higher penalties. Accordingly, for contravention of any rules (including the Data Protection Rules and the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013), regulations, directions or orders made under the IT Act, a penalty of INR 100,000 (approx. USD 1200) and liability for compensation (payable to the person affected by such contravention) of INR 100,000 – 1,000,000 (approx. USD 1200 – 12,000) may be triggered. Additionally, if a service provider, intermediary, data centre, body corporate or any person fails to cooperate with any request for information or directions issued by CERT-In, a penalty of imprisonment for a term which may extend to one year or a fine which may extend to INR 1,00,00,000 (approx. USD 120,300) may be triggered.

RBI Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices, 2023

The RBI has issued the Master Direction on Information Technology Governance, Risk, Controls, and Assurance Practices, 2023[8] (“RBI IT Direction”), which shall be effective from April 1, 2024. The RBI IT Direction replaces several guidelines and directions previously issued by the RBI for information security and system management.[9]

The RBI IT Direction applies to the following RBI regulated entities: Scheduled Commercial Banks (excluding Regional Rural Banks); Small Finance Banks; Payments Banks; Non-Banking Financial Companies; Credit Information Companies; and All India Financial Institutions (EXIM Bank, NABARD, NaBFID, NHB and SIDBI). The RBI IT Direction does not apply to Local Area Banks and NBFC-Core Investment Companies.

Among other compliances, the RBI IT Direction requires the above-mentioned RBI regulated entities to institute an information technology (IT) Governance Framework that takes into account the information security organizational structure, risk management, IT auditing, and business continuity/disaster recovery management. Specifically, the regulated entities should adopt a cyber incident[10] response mechanism and also report incidents to the RBI and the Indian Computer Emergency Response Team (“CERT-In”), the designated regulator under the general cyber security framework in India.[11]

Further, when contracting with vendors which are non-RBI regulated entities, the RBI regulated entity is required to put in place adequate controls in line with applicable legal and regulatory requirements and standards for the protection of customer data.

RBI Master Direction on Outsourcing of Information Technology Services

The RBI has issued the Master Direction on Outsourcing of Information Technology Services by Regulated Entities, 2023 (as described below) on 10 April 2023[12] (“RBI Outsourcing Direction”). The RBI Outsourcing Direction came into effect on October 1, 2023. Previously, the RBI had published draft directions for public consultation on June 23, 2022, pursuant to which the final RBI Outsourcing Direction was finalized.

The RBI Outsourcing Direction applies to the following RBI regulated entities: Scheduled Commercial Banks (excluding Regional Rural Banks); Local Area Banks; Small Finance Banks; Payments Banks; Primary (Urban) Co-operative Banks; Non-Banking Financial Companies; Credit Information Companies; and All India Financial Institutions (EXIM Bank, NABARD, NaBFID, NHB and SIDBI). Specifically, the RBI Outsourcing Direction is triggered when the aforementioned RBI regulated entities outsource material IT functions.[13]

The RBI Outsourcing Direction lays down the obligations and compliances which RBI regulated entities are required to contractually pass on to their vendors and service providers which are non-RBI regulated entities. Inter alia, these include compliance with applicable privacy laws to protect customer data; confidentiality and privacy of data; notification of data breaches to the RBI regulated entity; enabling data portability on termination of services; and audits.

Importantly, in terms of breach reporting, the RBI IT Direction lays down that the regulated entities should ensure that their service providers notify them of cyber incidents without undue delay, so that the regulated entity is able to report the cyber incident to the RBI within 6 hours of detection. This requirement appears to be in line with the timelines for cyber security incident reporting to CERT-In under the general cyber security framework (which applies to all entities, including RBI regulated entities).

SEBI Framework for Adoption of Cloud Services by SEBI Regulated Entities, 2023

SEBI has issued the Framework for Adoption of Cloud Services by SEBI Regulated Entities, 2023[14] (“SEBI Cloud Framework”) in March 2023. A period of one year (i.e. till March 6, 2024) has been provided for implementation. The SEBI Cloud Framework applies to the following SEBI registered entities: stock exchanges; clearing corporations; depositories; stock brokers through exchanges; depository participants through depositories; asset management companies; mutual funds, trustee companies; boards of trustees of mutual funds; Association of Mutual Funds in India (AMFI); qualified registrars to an issue; share transfer agents and KYC registration agencies.

Among other compliances, the SEBI Cloud Framework requires the above-mentioned SEBI regulated entities which are availing cloud services through a public cloud, community cloud or hybrid cloud to ensure that data/information (all data related to financial services provided by the SEBI regulated entity), including logs (data centre, disaster recovery), are stored and processed within the legal boundary of India. The SEBI Cloud Framework does not expressly restrict access to data stored in India from being given to persons outside India. The SEBI Cloud Framework specifies that the requirement to store the data in India is to ensure that SEBI’s right to access regulated entities’ data and SEBI’s rights of search and seizure are not affected by the adoption of cloud services. This therefore appears to be the rationale behind the data localization requirement.

Additionally, SEBI regulated entities are required to ensure that their cloud service providers meet the minimum security requirements and to adopt a security management policy in line with the SEBI Cloud Framework.

IRDAI Guidelines on Information and Cyber Security for Insurers, 2023

The IRDAI has issued the Guidelines on Information and Cyber Security for Insurers, 2023 (“IRDAI CS Guidelines”) in April 2023. The IRDAI CS Guidelines apply to all insurers including FRBs, Insurance Intermediaries covering Brokers, Corporate Agents, Web Aggregators, TPAs, IMFs, Insurance Repositories, ISNP, Corporate Surveyors, MISPs, CSCs and the Insurance Information Bureau of India (IIB). The IRDAI CS Guidelines replace several guidelines and directions previously issued by the IRDAI for the security of data and systems in the insurance sector.[15]

Among other compliances, the IRDAI CS Guidelines require the above-mentioned stakeholders in the insurance sector to adopt a Board-approved cyber security policy and conduct an independent assurance audit annually. Further, all information security incidents[16] are required to be reported to the relevant stakeholders, including the IRDAI, CERT-In (within 6 hours of detection), law enforcement and customers. Specifically, as per the audit checklist in the IRDAI CS Guidelines, the regulated entities are required to check whether ICT infrastructure and Critical and Business data are stored in India, thereby implying that the IRDAI requires such data to be localized.

Supreme Court: Consenting to Privacy Policy Should Not Be Pre-Condition to Usage of Platform

In the matter pertaining to the privacy policy of WhatsApp,[17] the Constitution Bench of the Supreme Court of India has directed the platform to widely publicize (by way of full-page advertisements published on two occasions in five national newspapers) its stand that its users in India do not have to accept its 2021 privacy policy in order to use the mobile application. The directions were issued in light of the ongoing concern pertaining to the platform’s privacy policy since 2016. The privacy policy enabled the platform to access and use personal information of users, without giving Indian users an option to opt out. Controversially, the privacy policy enabled the widespread sharing of user data with group entities. In 2016, WhatsApp revised its privacy policy for Indian users, which was disputed on the grounds that it violated Article 21 of the Indian Constitution (i.e. the right to privacy derived from the fundamental right to life). In view of the Supreme Court directions, users who did not consent to the 2021 privacy policy were enabled to continue to use the platform without accepting the 2021 policy. Users who had previously consented to the 2021 privacy policy were not provided an opt-out option. (Further reading: in our 2021 data wrap[18] we have discussed the anti-trust judgement on WhatsApp’s Privacy Policy.)

The final judgement in this matter has been deferred in light of the anticipated changes in the personal data regime in India. It is expected that the final verdict in this privacy policy dispute will be handed down in 2024 in light of the DPDPA being notified.

ROAD AHEAD 

2023 is a landmark with the introduction of the DPDPA, the first significant step in privacy laws in India after the Puttaswamy v. Union of India judgement. In view of the fact that much of the legal and regulatory development is recent, the Government, industry and stakeholders are in the continuous process of understanding the new developments and capacity building. Importantly, Courts in India have been urging the Indian Government to accelerate the enactment of the new data law.[19] Significant litigations on the WhatsApp Privacy Policy and Government surveillance[20] are yet to be concluded, and it will be interesting to see how the enactment of the new law will impact the Courts’ verdicts.

In terms of the road ahead for privacy in India, as industry regulators play a more proactive role and with the implementation of the DPDPA around the corner, 2024 will be a historic year. The rules under the DPDPA will also be a gamechanger in terms of shaping the future of personal data protection laws and striking a balance between business interests and individuals’ privacy. With both the industry and regulators navigating the challenges of the new regime, we foresee increased collaboration and Government proactiveness in keeping up with new-age technological developments and their data implications. 2024 may also be the year in which we see increased regulatory focus on previously uncharted areas such as privacy in artificial intelligence based applications; children’s data privacy; consumer privacy rights, etc.

[1] Once the provisions of the DPDPA are notified to come into force, it will effectively replace the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.
[2] Currently, the Government has not formally indicated the timeline for enforcement of the DPDPA. Based on publicly available information, we understand that the DPDPA may be notified in the first quarter of 2024. However, do note that the Government may adopt different dates for the notification of different provisions, and compliances may be triggered accordingly.
[3] As per the DPDPA, ‘personal data’ means “any data about an individual who is identifiable by or in relation to such data.”
[4] As per the DPDPA, ‘data fiduciary’ means “any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.”
[5] For reference see: https://indianexpress.com/article/india/aadhaar-based-consent-for-children-to-go-online-9071238/ (last accessed on January 29, 2024).
[6] See: https://www.cnbctv18.com/technology/data-protection-framework-postponed-dpdp-notifcation-after-lok-sabha-elections-18823331.htm (last accessed on January 29, 2024).
[7] See: https://www.nishithdesai.com/SectionCategory/33/Technology-Law-Analysis/12/60/TechnologyLawAnalysis/10703/1.html (last accessed on January 29, 2024).
[8] See: https://rbidocs.rbi.org.in/rdocs/notification/PDFs/107MDITGOVERNANCE3303572008604C67AC25B84292D85567.PDF (last accessed on January 29, 2024).
[9] Specifically, the RBI IT Direction replaces: Risks and Control in Computer and Telecommunication Systems, 1998; Information System Audit – A Review of Policies and Practices, 2004; Operational Risk Management – Business Continuity Planning, 2005; Business Continuity / Disaster Recovery Planning, 2006; RBI Direction on Phishing Attacks, 2006; Business Continuity Plan (BCP), Disaster Recovery (DR) drill and Vulnerability Assessment-Penetration Testing (VAPT), 2010; Business Continuity Plan (BCP) and Disaster Recovery (DR); Vulnerability Assessment Penetration Testing (VAPT), 2012; Sharing of Information Technology Resources by Banks – Guidelines, 2013; Business Continuity Planning (BCP), Vulnerability Assessment and Penetration Tests (VAPT) and Information Security, 2013; Security Incident Tracking Platform – Reporting, 2014; Risk Governance Framework – Role of Chief Information Security Officer (CISO), 2017; Master Direction – Information Technology Framework for the NBFC Sector, 2017.
[10] As per the RBI IT Direction, ‘cyber incident’ is “a cyber event that adversely affects the cyber security of an information asset whether resulting from malicious activity or not.”
[11] Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 and directions issued thereunder.
[12] See: https://rbidocs.rbi.org.in/rdocs/notification/PDFs/102MDITSERVICES56B33FD530B1433187D75CB7C06C8F70.PDF (last accessed on January 29, 2024).
[13] IT services which (a) if disrupted or compromised shall have the potential to significantly impact the RE’s business operations; or (b) may have a material impact on the RE’s customers in the event of any unauthorised access, loss or theft of customer information.
[14] See: https://www.sebi.gov.in/legal/circulars/mar-2023/framework-for-adoption-of-cloud-services-by-sebi-regulated-entities-res-_68740.html (last accessed on January 29, 2024).
[15] Specifically, the IRDAI CS Guidelines have replaced the guidelines previously issued in 2017, 2020 and 2022.
[16] As per the IRDAI CS Guidelines, ‘Security/Operational incident’ is “an adverse event where: the IT resource is attacked or threatened with an attack; accessed/monitored/modified without authorisation; and used in a manner inconsistent with the established organization’s/regulatory policy resulting in a real or possible loss of confidentiality, integrity or availability of the IT resource or information. Examples of Security incidents are: internal or external attempts (either failed or successful) to gain unauthorised access to the IT system or its data; DLP violations; attempts (either failed or successful) to gain access to blocked sites as per proxy rules; denial of service (DoS) or unauthorised disruption to IT systems and infrastructure; actual or suspected loss of proprietary, confidential or entrusted information of the organization; changes to system hardware, firmware or software characteristics without the department head’s knowledge, instruction or consent; malicious code (virus, Trojan horse) attacks; social engineering (tricking someone into revealing confidential/proprietary information like passwords that could compromise system security); signature update failure; and hoaxes (deliberate trickery intended to gain an advantage, e.g. false virus warnings may lead some users to ignore all virus warning messages, leaving them vulnerable to a real, destructive virus). Examples of Operational incidents are: firewall hardware failure; anti-virus appliance hardware failure; and IDS hardware failure.”
[17] Karmanya Singh Sareen v. Union of India, SLP(C) 804 of 2017, Order dated February 1, 2023.
[18] See: https://www.nishithdesai.com/NewsDetails/5105 (last accessed on January 29, 2024).
[19] See: Karmanya Singh Sareen v. Union of India, SLP(C) 804 of 2017.
[20] Apar Gupta v CPIO, MHA & Ors is a 2022 PIL filed in the Delhi High Court challenging the interception and monitoring activities carried out by the Indian Government under the Information Technology Act, 2000 and the Telegraph Act, 1885.
