The Constitution of India guarantees the right to privacy to all citizens as part of the right to life and personal liberty under Articles 19 and 21, and as part of the freedoms guaranteed by Part III of the Constitution. This right was also upheld by the Supreme Court of India (SCI) in 2017 in its landmark judgment of Justice K S Puttaswamy (Retd) and Another v Union of India and Others (2017) 10 SCC 1 (the Privacy Judgment).
India does not currently have a comprehensive data privacy law. Personal and confidential information is protected under the Information Technology Act 2000 (ITA) and the rules framed under it. India’s central (federal) government has notified the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (DP Rules) under the ITA to govern entities that collect and process sensitive personal information in India.
The DP Rules apply only to corporate entities and are restricted to sensitive personal data (SPD), which includes attributes such as sexual orientation, medical records and history, biometric information and passwords.
Pursuant to the Privacy Judgment, the Indian Ministry of Electronics and Information Technology (MeitY) formed an expert committee chaired by Justice B N Srikrishna to frame an all-encompassing data protection law for India. Its work led to the Personal Data Protection Bill 2019, which was introduced in Parliament. In December 2021, the Joint Parliamentary Committee (JPC) presented a revised version of the 2019 Bill, the Data Protection Bill, 2021, in Parliament. The revised bill expanded the scope of the law to cover non-personal data and introduced stringent data breach reporting requirements (within 72 hours), data localisation requirements, regulation of hardware manufacturers and a certification mechanism for digital and IoT devices intended to mitigate data breaches.
In November 2022, MeitY released a further revised draft, the Digital Personal Data Protection Bill, 2022 (the “DPDP Bill”), which takes a simpler approach to “personal data” than the previous versions. The DPDP Bill sets out key principles for the lawful use of personal data, limits on collection, data minimisation, storage limitation and accountability of the person processing personal data. It applies only to the processing of “digital personal data”; both non-personal data and data in non-digital formats are excluded. Under the DPDP Bill the regulator’s role is a reduced one, focused on enforcement and adjudication.
A comprehensive data protection regime in India therefore depends on the DPDP Bill being enacted.
Cybersecurity
India does not currently have a comprehensive cybersecurity law. Cybersecurity, data breach notification and incident response are governed under the ITA. The ITA defines “cybersecurity” as “protecting information, equipment, devices, computer, computer resource, communication device and information stored therein from unauthorised access, use, disclosure, disruption, modification or destruction”.
Under the ITA, the Indian government has established the Indian Computer Emergency Response Team (CERT-In) as the national nodal agency for cybersecurity. Its functions include collection, analysis and dissemination of information on cyber incidents; forecasts and alerts of cybersecurity incidents; emergency measures for handling cybersecurity incidents; co-ordination of cyber incident response activities; and issuing guidelines, advisories, vulnerability notes and white papers on information security practices, procedures, and the prevention, response and reporting of cyber incidents.
The Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (the “CERT-In Rules”) prescribe that CERT-In will be responsible for responding to cybersecurity incidents and will assist cyber-users in the country in implementing measures to reduce the risk of cybersecurity incidents. CERT-In also has powers to issue directions to service providers, intermediaries, data centres, body corporates, etc, for enhancing cybersecurity infrastructure in the country.
Earlier, service providers, intermediaries, data centres and body corporates handling sensitive personal data (SPD) had to report cybersecurity incidents to CERT-In “as early as possible”. In April 2022, CERT-In issued new directions under the ITA that tighten the obligations in the 2013 CERT-In Rules, including reporting specified cybersecurity incidents within six hours of noticing them, synchronising system clocks to the NTP servers of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL) (or servers traceable to them), retaining logs of all ICT systems within India for a rolling period of 180 days, and, for VPN, cloud and data-centre providers, retaining specified customer information. CERT-In has also set up sectoral CERTs to implement cybersecurity measures at a sectoral level. The methods and formats for reporting cybersecurity incidents, vulnerability reporting and remediation, incident response procedures and dissemination of cybersecurity information are published on CERT-In’s website and updated from time to time.
For critical sectors, the government has set up the National Critical Information Infrastructure Protection Centre (NCIIPC) under the ITA, as the nodal agency, and has framed the NCIIPC Rules and guidelines to protect the nation’s critical information infrastructure (CII) from unauthorised access, modification, use, disclosure and disruption to ensure a safe, secure and resilient information infrastructure for critical sectors in the country.
Other relevant rules framed under the ITA include the following.
- The Information Technology (Information Security Practices and Procedures for Protected System) Rules, 2018, which prescribe security measures for “protected systems” as defined under the ITA. Under the ITA, the government may notify any computer resource that directly or indirectly affects the facility of CII as a “protected system”.
- The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, which require intermediaries to implement reasonable security practices and procedures to secure their computer resources and information as a condition of retaining safe harbour protection. Intermediaries are also required to report cybersecurity incidents to CERT-In.
Other laws that contain cybersecurity-related provisions include the Indian Penal Code 1860, which deals with criminal offences, including those committed in cyberspace, and the Companies Act 2013, which requires companies to implement security systems to ensure that electronic records are secured from unauthorised access.
The ITA provides that any service provider, intermediary, data centre, body corporate or person who fails to provide the information called for by CERT-In, or to comply with CERT-In’s directions, is punishable with imprisonment for a term of up to one year, or a fine of up to INR100,000, or both.
The ITA also provides deterrence in the form of compensation, penalties and punishments for offences such as damage to computer systems, failure to protect data, computer-related offences, theft of a computer resource or device, SPD leaks, identity theft, cheating by impersonation, violation of privacy, cyberterrorism, online pornography (including child pornography), breach of confidentiality and privacy, and disclosure of information in breach of a lawful contract.
Regulators
In addition to the MeitY and NCIIPC, the government has established the National Security Council Secretariat (NSCS) as the central co-ordinating body for cybersecurity and internet governance. NSCS has developed a draft cybersecurity strategy to address the issue of security of national cyberspace, but currently there is no implementation date for this strategy.
The Ministry of Home Affairs has set up the Cyber and Information Security Division (C&IS) to deal with matters relating to cybersecurity, cybercrime, and the National Information Security Policy & Guidelines (NISPG) and its implementation. C&IS comprises a cybercrime wing, a cybersecurity wing, an information security wing and a monitoring unit.
Further, the Home Ministry has established the Indian Cybercrime Co-ordination Centre (I4C) which is a nodal point in the fight against cybercrime and co-ordinates implementation of mutual legal assistance treaties (MLAT) with other countries.
The government has also set up the National Technical Research Organisation (NTRO) as a technical intelligence agency under the National Security Advisor in the Prime Minister’s office. Its primary role is to develop technology capabilities in aviation and remote sensing, data gathering and processing, cybersecurity, strategic hardware and strategic monitoring. NCIIPC comes within NTRO’s ambit.
The ITA mandates the central government to appoint an adjudicating officer to conduct inquiries, and adjudicate matters (ie, contravention of any of the provisions of the ITA or of any rule, regulation, direction or order made thereunder, including non-compliance of CERT-In’s direction), with claims for injury or damages valued up to INR50 million. Claims that exceed this amount must be filed before the competent civil court. Where more than one adjudicating officer is appointed, the ITA mandates the central government to specify the matters and places of jurisdiction of each adjudicating officer.
The first appeal from the adjudicating officer’s decisions can be filed before the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), and the subsequent appeal before the High Court.
Under the DPDP Bill, a data principal first raises a grievance with the data fiduciary, and may then complain to the Data Protection Board (DPB), which has the authority to impose penalties on the data fiduciary. The maximum penalty for a violation of the DPDP Bill’s provisions is INR5 billion (approx. USD60 million) per instance, where the DPB regards the non-compliance as significant. The DPDP Bill also prescribes specific penalties of INR500 million to INR2.5 billion (approx. USD6 million to USD30 million) for failure to take reasonable security safeguards to prevent a personal data breach, failure to notify the DPB and affected data principals of a data breach, and non-compliance with additional obligations. Unlike the 2019 Bill, which made certain offences cognisable (ie, the police could arrest without a court warrant) and non-bailable, the DPDP Bill relies on monetary penalties rather than criminal sanctions.
The DPDP Bill proposes that the central government establish an appellate tribunal to hear appeals from orders of the DPB, with the SCI as the final appellate authority for all purposes under the DPDP Bill.
Sector-specific regulators
Banking sector
The Reserve Bank of India (RBI) regulates both public and private sector banks. Under the RBI’s guidelines, the RBI may inspect a bank’s cyber-resilience at any time. The RBI has set up a Cyber Security and Information Technology Examination (CSITE) cell under the Department of Banking Supervision to periodically assess the progress made by banks in implementing the cybersecurity framework (CSF) and other regulatory instructions and advisories, through on-site examinations and off-site submissions. The RBI has an internal ombudsman scheme for commercial banks with more than ten branches as a redressal forum, and has also issued guidelines on information security, electronic banking, technology risk management and cyber frauds. CERT-In and the RBI jointly run a cybersecurity awareness campaign, “Beware and be aware of financial frauds”, through the Digital India Platform.
RBI also issued Guidelines on Regulation of Payment Aggregators and Payment Gateways, directing the payment aggregators to put in place adequate information and data security infrastructure and systems for prevention and detection of frauds, and has specifically recommended implementation of data security standards and best practices such as PCI-DSS, PA-DSS, the latest encryption standards and transport channel security. Payment aggregators must establish a mechanism for monitoring, handling and follow-up of cybersecurity incidents and breaches, and mandatorily report incidents to RBI and CERT-In.
The RBI regularly conducts audits and enquiries into banks’ security frameworks, and imposes penalties on banks for non-compliance with the RBI’s cybersecurity framework for banks. The RBI has also formulated an integrated scheme, the Reserve Bank – Integrated Ombudsman Scheme, 2021 (the “RB-IOS, 2021”), to simplify grievance redress at the RBI by enabling customers of all regulated entities to register complaints at one centralised reference point. Through this portal the RBI also spreads cyber-crime awareness, including on frauds using mobile apps, UPI and QR codes.
To limit the impact of data leaks, the RBI’s guidelines prohibit payment aggregators and merchants from storing card and card-related data, and require all such data previously stored to be deleted; only card issuers and card networks may hold it.
The RBI has provided tokenisation of card data as the means of complying with the card storage restrictions: the merchant holds a token issued by the card network or issuer instead of the card number. The RBI has widened the earlier, device-bound tokenisation framework to all devices and has also permitted card-on-file tokenisation (CoFT), in which a token is issued for a specific card and merchant combination.
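The following is an added illustration of the card-on-file tokenisation described above; it is not code from the RBI, any card network or the original page. It models a token vault (standing in for the token service provider) and the record a merchant is allowed to keep. The vault API, field names, merchant identifiers and the sample card number (a commonly used Luhn-valid test number) are constructed for the example. The point it demonstrates is that tokens are random rather than derived from the card number, are bound to one merchant, and leave no PAN anywhere in the merchant’s storage.

```python
"""Card-on-file tokenisation sketch (added example, not RBI or network code).

The vault holds the only PAN-to-token mapping. The merchant stores a token plus
the last four digits and expiry, which is what the RBI card-storage rule allows.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation; rejects mistyped numbers before tokenising."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Stands in for the token service provider (card network / issuer side).

    Tokens are random, so a leaked token (unlike a hash of the PAN) cannot be
    reversed or brute-forced back to the card number, and each token is bound
    to the merchant it was issued to, as in card-on-file tokenisation.
    """

    def __init__(self) -> None:
        self._pan_by_token: dict[str, tuple[str, str]] = {}  # token -> (PAN, merchant)
        self._token_by_key: dict[tuple[str, str], str] = {}  # (PAN, merchant) -> token

    def tokenise(self, pan: str, merchant_id: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        key = (pan, merchant_id)
        if key in self._token_by_key:          # idempotent per card-merchant pair
            return self._token_by_key[key]
        token = secrets.token_hex(16)
        while token in self._pan_by_token:     # collision is vanishingly unlikely
            token = secrets.token_hex(16)
        self._pan_by_token[token] = (pan, merchant_id)
        self._token_by_key[key] = token
        return token

    def detokenise(self, token: str, merchant_id: str) -> str:
        """Resolve a token for authorisation; only the issuing merchant may use it."""
        entry = self._pan_by_token.get(token)
        if entry is None or entry[1] != merchant_id:
            raise PermissionError("unknown token or token not issued to this merchant")
        return entry[0]


@dataclass(frozen=True)
class StoredCard:
    """The only card-related fields the merchant or aggregator keeps."""
    token: str
    last4: str
    expiry: str
    network: str


def save_card_on_file(vault: TokenVault, merchant_id: str, pan: str,
                      expiry: str, network: str) -> StoredCard:
    """Merchant-side enrolment: obtain a token, keep last4 and expiry, drop the PAN."""
    token = vault.tokenise(pan, merchant_id)
    return StoredCard(token=token, last4=pan[-4:], expiry=expiry, network=network)


def record_contains_pan(record: StoredCard, pan: str) -> bool:
    """Compliance check: does the full PAN appear anywhere in the stored record?"""
    return any(pan in str(value) for value in vars(record).values())


def charge(vault: TokenVault, merchant_id: str, record: StoredCard) -> str:
    """Network side of a later payment: the merchant sends only the token and
    the vault resolves it. Returns the PAN the network would authorise against."""
    return vault.detokenise(record.token, merchant_id)


if __name__ == "__main__":
    vault = TokenVault()
    sample_pan = "4111111111111111"           # constructed, Luhn-valid test number
    card = save_card_on_file(vault, "merchant-A", sample_pan, "12/27", "VISA")
    print("merchant record:", card)
    print("PAN present in merchant record?", record_contains_pan(card, sample_pan))
    print("authorisation resolves to card ending", charge(vault, "merchant-A", card)[-4:])
```

A real token service would also persist the vault securely and apply domain controls (channel, transaction limits), but the stored-record shape is the part a merchant’s compliance review checks.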
The RBI has also issued a first-of-its-kind framework to enable digital payments with poor or no internet connectivity in offline mode.
In April 2023, the RBI issued the Master Direction on Outsourcing of Information Technology Services (the “Outsourcing Directions”), which bring IT service providers to regulated entities under an additional layer of compliance, audit and oversight, data storage norms and cybersecurity incident reporting.
Insurance sector
The Insurance Regulatory and Development Authority of India (IRDAI) is the nodal agency for governance and regulation of the insurance sector in India. The IRDAI conducts regular on-site and off-site inspections of insurers to ensure compliance with the legal and regulatory framework. The IRDAI has also issued Guidelines on Information and Cyber Security for Insurers, which require annual vulnerability assessment and penetration testing, with identified gaps to be closed within a month. Other relevant IRDAI instruments are the IRDAI (Outsourcing of Activities by Indian Insurers) Regulations, 2017; the IRDAI (Maintenance of Insurance Records) Regulations, 2015; and the IRDAI (Protection of Policyholders’ Interests) Regulations, 2017, each of which contains provisions on data security. Additionally, the IRDAI has issued guidance to insurers on structuring cyber-insurance for individuals and identifying gaps to be filled; under that guidance, cyber-insurance should cover theft of funds and identity, unauthorised online transactions, email spoofing and similar losses.
Telecom sector
The Unified Access Service Licence imposes data protection and security conditions on licensed telecom operators and their networks. The telecom sector is regulated by the Telecom Regulatory Authority of India (TRAI), the Department of Telecommunications (DoT), the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), the Group on Telecom and IT (GOTIT), the Wireless Planning Commission (WPC) and the Digital Communications Commission (DCC).
TRAI has released its recommendations on cloud services in relation to creation of a regulatory framework for cloud services, and constituting an industry-led body of all cloud service providers (CSP).
DoT regularly conducts cybersecurity workshops and cyber drills for better awareness.
Securities
The Securities and Exchange Board of India (SEBI) has issued detailed guidelines requiring market infrastructure institutions (MIIs) to set up their own Cyber Security Operation Centres (C-SOCs) and to staff them with dedicated security analysts. SEBI’s cyber-resilience framework also extends to stockbrokers and depository participants.
In February 2023, SEBI issued further guidelines, based on recommendations of the Financial Computer Security Incident Response Team (CSIRT-Fin), to strengthen the cybersecurity and data privacy measures of regulated financial institutions in response to the increasing cybersecurity threat to the securities market.
Health sector
The Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002 govern patient confidentiality. The draft Digital Information Security in Healthcare Act, 2018 (DISHA), released by the Ministry of Health and Family Welfare but not enacted, would govern the collection, storage, transmission and access of health data and provides for a National Digital Health Authority to enforce privacy and security measures for health data and regulate the storage and exchange of health records.
In December 2020, the Ministry of Health and Family Welfare approved the Health Data Management Policy (the “HDM Policy”) to govern data in the National Digital Health Ecosystem and protect the privacy of individuals’ personal digital health data. The HDM Policy mirrors the proposed data protection law in recognising roles such as data fiduciaries and data processors, and establishes a consent-based data-sharing framework.
Other Regulators
There are CERTs established under the Ministry of Power to mitigate cybersecurity threats in power systems, and four sub-CERTs for transmission, thermal, hydro and distribution to co-ordinate with power utilities. The amended Intermediaries Guidelines of 2022 under the ITA impose various obligations on the intermediaries including reporting cyber incidents to the CERT-In.