IT Act & SPDI Rules: Data Protection Regime of India

Submitted by tsaaro on Mon, 06/24/2024 - 22:21

1. Introduction to SPDI Rules
The Information Technology Act, 2000 (hereinafter, “The IT Act”), as amended by the Information Technology (Amendment) Act, 2008, contains certain provisions relating to the privacy and protection of personal and sensitive data in India.

Although some provisions of the IT Act aim at regulating the processing of personal data in cyberspace, the primary focus of the IT Act has been on providing information security regulations for the protection of personal and sensitive data in cyberspace.

In adherence to the data protection provisions of the IT Act, the Central Government has enacted the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (hereinafter, “The SPDI Rules”). The SPDI Rules encompass provisions to regulate:

a. Processing of Personal Data/Information and/or Sensitive Personal Data/Information

b. Prescribing security practices and procedures for handling Personal Data/Information and/or Sensitive Personal Data/Information

2. When do the SPDI Rules come into play?
The provisions of the IT Act and the SPDI Rules apply to all body corporates collecting, receiving, possessing, storing, dealing with or handling the personal information of natural persons in India.

a. If a body corporate is located in India: SPDI Rules are applicable.
b. If a body corporate is located outside of India: SPDI Rules are applicable only if the body corporate has a computer, computer system or computer network located in India.

2.1. Who would fall under the definition of ‘Body Corporate’?
The SPDI Rules are applicable only to body corporates and individuals acting on behalf of body corporates.

Any company, including a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities, comes within the ambit of ‘body corporate’[1].

This definition is understood to exclude organisations not engaged in commercial or professional activities, for example, NGOs or other think tanks.

2.2. Extends only to Indian Nationals
The SPDI Rules protect natural persons residing in India[2]. Therefore, the collection of information/data of a firm, partnership, trust, company, LLP, etc. will not attract data protection requirements under the SPDI Rules.

It is unclear if the SPDI Rules apply to foreign nationals residing in India. As per the popular understanding, the applicability of SPDI Rules is limited to Indian Nationals.

2.3. No Application to Data Collected through Physical Mode
The IT Act and the SPDI Rules are applicable only to information and data collected in cyberspace and have no application to information and data collected through offline/physical modes.

3. Data categorisation under SPDI Rules
The SPDI Rules define Personal Information as “any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.[3]”

Further, Sensitive Personal Data or Information has been defined as personal information which consists of information relating to[4]:

a. Password

b. Financial information

c. Physical, physiological and mental health conditions

d. Sexual orientation

e. Medical records and history

f. Biometric information

It is pertinent to mention that although the SPDI Rules define “Personal Information”, the rules are focused mainly on protecting “Sensitive Personal Data or Information”.