India’s Information Technology Act, 2000
This information is provided by the Ministry of Electronics & Information Technology, Government of India.
Enacted in 2000, the Information Technology Act (No. 21 of 2000) is a complex and highly comprehensive law that regulates, among other things, electronic transactions and e-commerce, digital signatures, privacy, data governance and a wide spectrum of Internet crimes.
The Act criminalizes falsification of electronic documents, identity theft, hacking and violation of privacy, and even addresses cyber-terrorism. Aimed at bolstering digitalization and providing assurance in cyberspace, the IT Act also modernized some sections of the Indian Penal Code, the Indian Evidence Act, the Banker’s Book Evidence Act, and the Reserve Bank of India Act to make them compatible with new technologies. Importantly, the Act applies only to the private sector. Unlike the CCPA in California or the SHIELD Act in New York, however, the IT Act does not provide exemptions or accommodations for SMEs.
Sections 69A and 69B grant Indian authorities broad power to intercept, monitor and decrypt any information through any computer resource, and to block public access to any information through any computer resource. Notably, these provisions were used to ban the video app TikTok and 58 other Chinese mobile apps in 2020. Remarkably, under the same Sections, the Indian government may order the decryption of any information in its jurisdiction, and refusal to do so is a criminal offense punishable by up to 7 years in prison.
Finally, under Section 48(1) of the Information Technology Act, the Cyber Appellate Tribunal is established to adjudicate appeals on matters governed by the Act. Section 70B of the Act also establishes the Indian CERT (Computer Emergency Response Team), empowered to collect and analyze cybersecurity incidents across the country, alert the population to major security incidents, coordinate incident response, and issue guidelines and advisories on cybersecurity and related areas.
Under the Act, the Ministry of Electronics & Information Technology of India develops and promulgates specific rules and regulations. In 2011, the newly enacted privacy rules established a comprehensive set of privacy and personal data protection requirements.
The Rules, as well as the IT Act, apply both to companies located in India and to those abroad, as Section 75 makes clear: “this Act shall apply to an offence or contravention committed outside India by any person if the act or conduct constituting the offence or contravention involves a computer, computer system or computer network located in India.” Therefore, foreign companies doing business in India must be aware of and carefully consider the provisions of the Act.
In April 2011, the Ministry of Electronics & Information Technology of India released the “Information Technology (reasonable security practices and procedures and sensitive personal data or information) Rules”, GSR 313(E), to address major concerns over privacy and personal data protection in the country.
The Rules broadly define “personal information” as any information that relates to a natural person and which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person. Likewise, virtually all commercial entities fall under the statutory definition of “body corporate”, including sole proprietorships and associations involved in any commercial activities, as defined in Section 43A of the Act.
The Rules offer special protection for Sensitive Personal Information (SPI) that includes passwords, financial information, credit card and debit card details, physical, physiological and mental health condition, sexual orientation, medical records and history, and biometric information of individuals.
Under the Rules, all organizations collecting personal data must develop and make readily accessible a privacy notice that clearly states what personal data is being collected from individuals, for what purposes and duration, and with whom it will or may be shared. Likewise, the privacy notice must explain how personal data is protected from cyberattacks and unlawful access.
Furthermore, the covered organizations must designate a Grievance Officer, an analogue of the Data Protection Officer under the GDPR in the EU or the PDPA in Singapore, to receive complaints from individuals about alleged violations of the privacy or personal data protection offered under the Act. The Grievance Officer must respond to complaints no later than 30 days after receipt.
The above-mentioned “Information Technology (reasonable security practices and procedures and sensitive personal data or information) Rules” also address cybersecurity and data protection by mandating that all entities that collect or process personal data comply with reasonable security practices and procedures.
Furthermore, the requisite compliance must be thoroughly documented to explain the implementation of adequate managerial, technical, operational and physical security controls. The ISO 27001 standard is expressly mentioned as an example of a reasonable security standard that evidences proper adherence to the data security requirements imposed by the Rules under the Act. An independent external entity shall certify compliance with such a standard by means of annual security audits.
In a nutshell, under the Rules, virtually all Indian companies, as well as foreign businesses that do business in India, are required to abide by the norms of ISO 27001 or another similar standard. The specific security measures required for compliance include a holistic IT asset inventory, information classification, regular risk assessments, continuous security monitoring, an incident detection and response plan, a security training and awareness program, annual penetration testing, and ongoing vulnerability scanning for external systems that process or store personal data.
Non-conformities with data protection requirements may be reported to the government Adjudicating Officer and trigger serious sanctions for intentional violations under Section 72A of the Act, which provides for imprisonment of up to 3 years and a monetary fine.
Additionally, individuals whose personal data is stolen due to poor or insufficient cybersecurity practices in violation of the above-mentioned Rules may also file a civil lawsuit claiming damages under Section 43A of the Act.
Data Breach Notification Requirements
Another set of rules, promulgated under the Information Technology Act by the Ministry of Electronics & Information Technology of India and published in 2013, is dedicated to mandatory incident and data breach notification.
The “Information Technology (the Indian Computer Emergency Response Team and manner of performing function and duties) Rules”, GSR 20(E), mandate covered businesses, including data processors and intermediaries, to report incidents to the Indian CERT within a reasonable time.
In contrast to many other laws and regulations, security incidents are construed much more broadly under the Rules, and include DoS attacks, phishing and ransomware incidents, website defacements, and targeted scanning of networks or websites. Failure to report an incident is a violation of the IT Act and may be sanctioned.