
Data protection and Privacy on the Internet under Indian Law
Is data protection relevant for businesses?

Indian law imposes certain obligations on entities that collect certain kinds of personal information of individuals that are considered ‘sensitive’. These obligations may apply to e-commerce websites, banks, employers, hospitals, and other entities if they collect personal information of users. Primarily, data protection law in India regulates the kinds of information that are collected, the purpose for which it may be collected, the manner of its collection, and the conditions necessary for its disclosure or transfer to another entity.

The obligations for data protection are set out in the Information Technology Act, 2000 (IT Act) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules). The obligations under the IT Act and the SPDI Rules apply to body corporates, which include companies, firms, or any association of individuals engaged in commercial activities that involve collection of sensitive personal data or information. Thus, a partnership firm which collects sensitive data will have to comply with the SPDI Rules.

  1. The rules are not applicable when data is collected or processed by an individual, e.g. a proprietorship business.
  2. The SPDI Rules are also not applicable to Indian companies which collect and process data of foreign nationals – e.g. UK or US citizens.
     This is as per a Press Note issued by the Ministry of Communications & Information Technology on 24 August 2011 (Press Note), which was issued to clarify doubts regarding applicability of data protection obligations under Indian law to information (of foreigners) collected and processed by Indian outsourcing companies.
  3. The rules will apply only to data that pertains to individuals, i.e. natural persons. The Press Note clarifies that the rules will be applicable if sensitive personal data or information is provided by natural persons.

What is sensitive personal data or information?

Personal information relating to the following categories is considered to be sensitive as per the SPDI Rules:
  • a password;
  • financial information such as bank account, credit card, debit card or other payment instrument details;
  • physical, physiological and mental health condition;
  • sexual orientation;
  • medical records and history;
  • biometric information;
  • any detail relating to the above clauses as provided to body corporate for providing service; and
  • any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.
