Global Investigations Review: Data Privacy and Transfer in Investigations 2022

1. What laws and regulations in your jurisdiction regulate the collection and processing of personal data? Are there any aspects of those laws that have specific relevance to cross-border investigations?


There is currently no dedicated data protection legislation in India. Data in general is governed by the Information Technology Act, 2000 (IT Act), which is the umbrella legislation covering several matters relating to IT activities, cybercrimes and security and the like, and under which rules such as the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (SPDI Rules) have been framed. The IT Act, among other things, imposes an obligation on entities dealing with sensitive personal data to adopt ‘reasonable security practices and procedures’, and provides for compensation in cases of harm to data subjects. The SPDI Rules, on the other hand, are the most comprehensive Indian regulation dealing with personal data for the moment. Apart from providing the operating definition of ‘sensitive personal data or information’ (SPDI), the SPDI Rules regulate the collection, processing, disclosure, transfer and security of SPDI – all of which can be relevant for cross-border investigations. The SPDI Rules will thus, for the most part, be the focus of this chapter.

Certain sector-specific laws in fields such as banking, insurance, medicine or healthcare, and telecom (which will be discussed later in this chapter) also impose obligations regarding the confidentiality of personal data and its use for limited, pre-agreed or prescribed purposes. These sectoral laws would similarly be relevant depending on the nature and/or scope of a given cross-border investigation.

Apart from legislative mandates, Indian legal jurisprudence also provides additional safeguards that could include personal data within their ambit. In what is now popularly known as the Puttaswamy Judgment, the Supreme Court of India for the first time recognized the right to privacy as a fundamental right. While analysing the various facets of privacy and the allied issues it would impact, the Puttawamy Judgment engaged with the concept of ‘informational privacy’ and acknowledged an individual’s right to ‘control the dissemination of personal information’.