Key statutes and regulations
Privacy has been a continuously evolving concept in India, both legally and practically, and has been subject to increasing judicial scrutiny over time. The Supreme Court of India has come a long way from its earlier opinions in the 1950s to 1960s to its historic 2017 judgment in the case of Justice K S Puttaswamy (Retd.) v. Union of India and Ors., upholding the right to privacy as a fundamental right. In its judgment, the Court also recognised informational privacy as a facet of the right to privacy and recommended that the Indian government come up with a robust data protection regime.
While dedicated legislation titled the Personal Data Protection Bill (the PDP Bill) had been tabled in parliament – and went through several revisions, including a change in scope and title to the Data Protection Bill (the DP Bill) – it was recently withdrawn in its entirety. As of now, India does not have stand-alone, dedicated privacy or data protection legislation, although it can be expected in the near future. Without the definitive boundaries and judicial interpretations of an overarching data protection law, the patchwork of regulations that currently govern and impact privacy and data protection in India therefore suffer from serious gaps, and these regulatory gaps can – and often do – become vulnerable to arbitrary enforcement and state overreach. While we have not gone into detail about the PDP Bill’s specific provisions given its recent withdrawal, we have touched on the PDP Bill and the DP Bill at various points in this chapter to give readers an idea of what to expect from a potential legislative framework for privacy in India.
For now, facets of data protection are governed by the Information Technology Act 2000 (the IT Act) and the rules framed thereunder, particularly, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (the SPDI Rules).