We're excited to welcome Kalindhi Bhatia, a partner at BTG Advaya in Mumbai, India, to today's episode. As a tech and media lawyer with a focus on data privacy, online content, and digital payments, Kalindhi will share insights on the latest developments in India's privacy landscape. Let's get started with a new episode of A Little Privacy, Please!®
To set the scene, can you tell us what the current data privacy regime in India is and how it is regulated?
Data privacy in India is currently regulated by the Information Technology Act of 2000. This law is about 25 years old and was implemented when technology was still growing in India. In 2011, the government introduced specific regulations on data privacy under this law. The current law is quite simple, with about eight rules focusing on consent, grievance officers, security standards, and data transfers overseas. However, we don't have a dedicated regulator, so enforcement and compliance are poor.
What about the key features of the new data privacy law in India?
The new law came about after a 2017 Supreme Court ruling that recognized information privacy as a fundamental right. The government was asked to create a regulation focused on data privacy. After several iterations and public consultations, the new law was introduced in 2023. It's a toned-down version of the GDPR but a significant step up from the 2011 rules. The new law emphasizes compliance for data collectors and includes draft rules currently open for public comments.
Which processing activities are covered by India's new data privacy law, and does it have extraterritorial applicability?
The new law applies to the processing of digital or digitized personal data. It covers any processing within India or outside India if it relates to goods and services provided within India. The basis for processing under the new law is primarily consent, which is a significant deviation from GDPR. There are also legitimate purposes for processing data, such as mergers, acquisitions, employee data, and medical emergencies.
Are there separate consent requirements for children under India's data privacy law?
Yes, there is a higher threshold for obtaining consent from children and disabled persons. The law requires verifiable consent from parents or guardians, which involves confirming their identity and age through identity documents or digital tokens connected to their ID information.
What obligations apply to data controllers and processors under the new law?
The law primarily targets data collectors, who are responsible for obtaining consent, providing privacy notices, reporting data breaches, and implementing security standards. Data processors have secondary obligations and must comply with their contracts with data collectors. Data collectors may impose compliance requirements on data processors to meet legal obligations.
How will the law be enforced? Is there a regulatory body or private rights of action?
The law will be enforced by a Data Protection Board, which will function as an adjudicatory and enforcement body. The central government will continue to act as the regulator. The Data Protection Board is expected to be a digital office, and it will be interesting to see how it is set up and how it enforces the regulations.