Data Protection, Privacy, and Cybersecurity: An Update

Spice Route Legal

May 2021

The past few months have seen the data, privacy, and cybersecurity space in India bustling with activity. While a final draft of the much-awaited data protection bill remains to be seen, there have nonetheless been significant developments initiated by various sectoral regulators.

1. the new data protection law

India’s upcoming data protection law, the Personal Data Protection Bill, 2019 (“PDPB”), has seen numerous iterations and been entangled in various controversies (especially on issues of data localisation, cross-border transfers, and anonymisation). A parliamentary committee was set up in December 2019 to review the draft law and present its findings to the Indian parliament. In late March 2021, the committee received an extension to submit this report. The submission is now expected to occur between July and September of 2021 and the law is now expected to be implemented only in 2022.

2. a new regime for intermediaries
February 2021

The Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021 (“Intermediary Rules”) regulate a broad range of technology intermediaries that include telecom service providers, social media websites, and e-commerce marketplaces as well as OTT platforms and news aggregators. The Intermediary Rules impose diligence obligations on intermediaries and seek to tackle issues surrounding personal data theft, child pornography, the spread of fake news, and content regulation. Significant changes include obligations to identify originators of unlawful messages (thereby signalling roadblocks to companies’ claims of end-to-end encryption) and a notable regulation of the type of content that is aired on both news aggregator sites and OTT platforms. Concerns surrounding executive overreach have made the Intermediary Rules highly contentious, and significant changes and updates are expected in the coming months.

3. rbi scrutiny
January – March 2021

 The Reserve Bank of India (“RBI”), the country’s central monetary authority, has sought to put an end to risky models of data sharing in the financial services sector. It has cracked down on digital lending apps, issued “informal guidance” on various data sharing models that have been commonly used in the financial services industry, prescribed enhanced data security requirements for various players in the payments ecosystem, and banned numerous companies in the payments ecosystem from storing credit card information (even with consent). Various applications for licences submitted to the RBI now undergo a far more stringent verification of their data sharing and cybersecurity architecture, which is a marked departure from the regulator’s earlier “light touch” approach.

4. the regulation of geospatial and map data
February 2021

On 15 February 2021, the Indian government reversed many years of licensing, eliminated the need for prior government approvals, and liberalised the regulation of geospatial and map data.

5. ban on chinese apps
January 2021, but also July 2020

 In June 2020, the Indian government banned 59 Chinese applications amidst rising Indo-China tensions. Citing a threat to national security that allegedly arose out of the unauthorised and surreptitious transfer of user data to servers outside India through Chinese mobile applications, the government issued the ban under the Information Technology Act, 2000.

Diplomatic tensions have not ceased, and later in 2020, the government banned another 150+ new Chinese mobile applications. It also went on to require developers of the initial list of 59 banned applications to demonstrate their compliance with Indian privacy and security requirements. In January 2021, on reviewing their responses, the government decided to retain the ban.

6. a non-personal data governance framework
December 2020

The Indian government is in the process of exploring the regulation and mandatory sharing of non-personally identifiable data or non-personal data (such as anonymised, aggregated, and meta data). A special committee of the Government released a Non-Personal Data Governance Framework for public consultation in July 2020.

The new framework aims to identify and define new stakeholders that are likely to participate in the collection and processing of non-personal data, outlines their rights and obligations, and attempts to define data sharing methods for public purposes. The framework has provoked general discontent amongst stakeholders.

7. a new data centre policy
November 2020

The government released a draft Data Centre Policy, 2020 in November 2020 with a view to encouraging the growth of a global data centre hub. Significantly, the policy seeks to promote indigenous manufacturing and local involvement in data centre businesses while simultaneously promoting foreign investments. It also proposes a number of schemes and programmes to support such data centres, including a data centre economic zone scheme, capacity building for data centres, creation of a data centre facilitation unit, promotion of joint ventures, and domestic marketing.

8. developments in the use of surveillance technology
November 2020

Significant developments have occurred in the use of surveillance technologies by the Indian government and the police forces across transportation, education, and other public service sectors. This includes the use of facial recognition technologies, contact tracing applications, and drones. In various Indian states, police forces have been using or plan to use these surveillance tools for policing purposes. In addition, in January 2020, the Ministry of Railways sanctioned the use of facial recognition technologies and drone surveillance systems across almost 1000 railway stations to tackle high rates of crime in such stations.

9. localisation guidelines for ridesharing apps
November 2020

In November 2020, the Ministry of Road Transport and Highways issued the Motor Vehicle Aggregator Guidelines, 2020 to regulate ridesharing platforms. The new guidelines require digital intermediaries that connect passengers with drivers for transportation purposes to localise data generated from their application or website on a server in India for a minimum of three months and a maximum of twenty-four months. In addition, the guidelines prohibit the disclosure of customer data without the written consent of the customer. State governments are expected to use these guidelines to frame state-specific requirements.

10. a health data management policy
August 2020

The Indian government introduced the Health Data Management Policy in October 2020, which is aimed at the protection of digital health data. The Health Data Management Policy applies to government authorities, health care professionals, health information providers, health facilities that process personal data in electronic forms, pharmaceutical companies, research bodies, and entities that have been issued a health identification under the policy. Based substantially on the provisions of the PDPB, the policy lays down data protection and information security standards for health data and seeks to introduce a unique health identification for every citizen and digitised health records with identifiers for doctors and health institutions. The policy goes on to empower individuals who are the subjects of this data by providing them the ability to revoke consent, delete data, and correct inaccuracies as well as control how their data is shared.

11. a new consumer protection framework for e-commerce entities
July 2020

The Consumer Protection (E-Commerce) Rules (“E-Commerce Rules”), issued under India’s consumer protection law, were introduced in July 2020. While the aim of the rules was to oversee the functioning of online e-commerce marketplaces, the wide scope of “e-commerce entities” also brings a variety of internet service providers, including food delivery and ridesharing apps, within the ambit of the E-Commerce Rules.

Processes for obtaining consent and a grievance redressal mechanism have been introduced. Rules prohibit “opt-outs” and require express consent and clear notice. E-commerce entities are required to appoint a grievance officer and display the officer’s name, contact details, and designation on their platforms. Grievance officers must, in turn, acknowledge complaints within forty-eight hours and redress the complaint within one month.

12. breach notifications
2020 – 2021

In the last year, India was exposed to security incidents that involved the unauthorised disclosure of millions of records, ranging from 22 million user records of an online education platform to payment data of 35 million users of a leading payment gateway. India’s Computer Emergency Response Team (“CERT-In”), the country’s nodal cybersecurity authority, has reported over 700,000 cybersecurity incidents during the Covid-19 pandemic alone. Controllers and processors with servers located in India are subject to a breach notification requirement, and CERT-In has indicated that it intends to enforce this requirement strictly.

13. judicial trends
2020 – 2021

 As new challenges arise with respect to privacy rights in the country, various Indian courts have gone on record to emphasise the importance of data privacy. Recently, the Karnataka High Court, in the context of investigations carried out under the Narcotic Drugs and Psychotropic Substances Act, 1985, was of the opinion that investigating officers do not have a right to seize and disclose private data sourced from electronic gadgets to third parties without obtaining consent. In an unrelated matter concerning the lack of protection accorded to sensitive personal data of individuals collected through Covid-19 contact tracing applications, the High Court of Meghalaya also emphasised the importance of privacy when it held that data protection safeguards are essential, especially when citizens are mandated to install applications that have the capacity to hold personal data at the behest of the government. The general judicial trend has been to recognise a robust right to privacy, although this right remains subject to ‘reasonable restrictions’.


Mathew Chacko

Aadya Misra
