As India’s digital landscape rapidly expands, data protection has become a significant legal and operational concern for businesses. Following the landmark case of Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1, which recognized privacy as a fundamental right, India began moving toward stronger data protection norms. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, framed under the Information Technology Act, 2000, and the recently enacted Digital Personal Data Protection Act, 2023, define personal data and lay down rules for processing it.
This article elaborates on what personal data entails, as envisaged by Indian privacy laws, how such data is processed per the directives of various case laws, and some other implications.
Definition of Personal Data under Indian Law
Information Technology Act, 2000 and SPDI Rules, 2011:
- The principal law on cybersecurity and data protection in India is the IT Act, 2000. However, it does not itself define “personal data”; the SPDI Rules fill this gap.
- Anything that can act as an identifier for an individual, direct or indirect, is called “personal data.”
Rule 3 of the SPDI Rules further identifies a narrower category of such information, termed Sensitive Personal Data (SPD), which includes:
- Passwords
- Financial information in the form of credit/debit cards and bank account information
- Health records
- Biometric data
- Sexual orientation
- Physical, physiological, and mental health conditions
- Any details relating to the above categories provided to a corporate body for lawful purposes
Digital Personal Data Protection Act, 2023 (DPDP Act):
The DPDP Act, 2023, India’s first dedicated privacy legislation, defines personal data as:
Any data about an individual who is identifiable by or concerning such data.
Key Features of the DPDP Act’s Personal Data Definition:
- Focuses exclusively on digital data (excluding offline data unless digitized).
- Covers data collected in India or data processed outside India if it involves Indian individuals.
- Introduces stricter compliance requirements for processing children’s data and sensitive personal data.
Key Case Laws on Personal Data in India
Mobarik Ali Ahmed v. The State of Bombay, AIR 1957 SC 857:
- Key Ruling: The Supreme Court held that a person can be made criminally liable for acts performed within India even if that person was physically outside India, provided the necessary intention (mens rea) exists and the acts were directed towards India.
- Impact on Criminal Law: This case acted as a precedent and allowed for the prosecution of persons involved in crime organized from outside India, provided their criminal acts bring them within the purview of the jurisdiction of the country.
- Implications for Companies: Cross-border companies should understand that Indian courts can assert jurisdiction over foreign entities whose actions adversely affect Indians, particularly in matters of cybercrime, financial fraud, and failure to uphold data privacy.
Justice K.S. Puttaswamy (Retd.) v. Union of India (Aadhaar Case), (2018) 1 SCC 809:
- Key Ruling: The Supreme Court ruled that although Aadhaar biometric identification had constitutional validity, private entities could not demand Aadhaar data unless an act of Parliament allowed this.
- Impact on Personal Data: Aadhaar data is treated as sensitive personal data and therefore requires a heightened standard of care in securing it.
- Implications for Companies: Private entities cannot demand Aadhaar particulars except in specific situations permitted by law. This strengthens the principle of purpose limitation.
Karmanya Singh Sareen v. Union of India, (2017) 3 SCC 201:
- Key Ruling: The Delhi High Court looked into whether the sharing of user data with Facebook by WhatsApp was proper. Such sharing must abide by Indian privacy principles, as spelled out in Puttaswamy.
- Impact on Personal Data: The Court emphasized that WhatsApp’s collection and sharing of metadata, messages, and phone numbers must be based on the express consent of the user.
- Implications for Companies: Tech companies must create clear and precise disclosures about their practices in data processing and sharing, and they must obtain informed consent before sharing the data.
Naz Foundation v. Government of NCT of Delhi, 160 DLT 277 (Delhi HC, 2009):
- Key Ruling: The Delhi High Court recognized that an individual’s sexual orientation requires protection from privacy violations and treated it as sensitive personal data.
- Implications for Companies: Employers and service providers handling such information must maintain strict confidentiality and suitable protective measures.
Implications for Companies Handling Personal Data
Businesses processing personal data in India must comply with stringent obligations under both the IT Act, 2000, and the DPDP Act, 2023. Corporate obligations under the DPDP Act include:
Informed Consent:
- Explicit consent must be obtained before data collection or processing.
- Consent requests should be in clear, accessible language.
Data Minimization:
- Collect only the minimum data necessary for the specified purpose.
- Unnecessary data collection can lead to legal scrutiny.
Purpose Limitation:
- Use data strictly for the stated purpose.
- Repurposing data requires fresh consent.
Security Obligations:
- Section 43A of the IT Act, 2000 mandates reasonable security practices to protect data.
- Non-compliance may result in compensation claims for damages.
Data Breach Notification:
- The DPDP Act, 2023 mandates prompt notification of data breaches to the Data Protection Board and affected individuals.
- Timely action helps mitigate legal and reputational risks.
Cross-Border Data Transfer:
- Data transfers outside India require ensuring adequate protection standards in the destination country.
- Sensitive personal data may be subject to additional localization requirements under evolving Indian policies.
Data Retention and Erasure:
- Companies must set defined retention periods and delete data once the period ends or the purpose for which it was collected has been fulfilled.
- The right to be forgotten allows individuals to request erasure of their data.
Conclusion
Data privacy in India has matured considerably after Puttaswamy, which has strengthened the framework for personal data protection. The DPDP Act, 2023 mandates extensive security measures, informed consent, and strict data-handling protocols, with liability attaching to failures in meeting these obligations.
For companies, non-compliance leads to financial penalties, reputational harm, and legal consequences. As evolving national privacy policies continue to incorporate European data rights, businesses should proactively align with the emerging privacy standards so that user data is protected and user trust remains intact.
One can talk to lawyers from Lead India for any kind of legal support. In India, free legal advice online can be obtained at Lead India. Along with receiving free legal advice online, one can also ask questions to the experts online free through Lead India.
FAQs
1. What is the legal definition of “personal data” under Indian law?
Personal data is data associated with an identifiable individual, as defined by the Digital Personal Data Protection Act, 2023. This mostly includes direct identifiers such as name and phone number, and indirect ones such as IP address, location data, and behavioural information. The SPDI Rules further categorise financial details, biometric data, and health records as sensitive data requiring special protection. The KS Puttaswamy judgment further shaped the protection of personal data in India and influenced the definition of personal data itself.
2. How did the KS Puttaswamy judgment influence the definition and protection of personal data in India?
KS Puttaswamy v. Union of India (2017) held that the right to privacy is a fundamental right under Article 21 of the Constitution. The decision highlighted the necessity for:
- Informed Consent prior to data collection;
- Data Minimization, so as not to require excessive data; and
- Purpose Limitations to prevent misuse of data.
All of this paved the way for stricter data protection regulations that were under discussion before and after the ruling and ultimately influenced the DPDP Act, 2023.
3. What are the penalties for non-compliance with India’s data protection laws?
The DPDP Act, 2023 provides that where a data breach results from the negligence of the entity itself, the maximum fine can be ₹250 crore, with further penalties for failing to obtain proper consent, failing to provide data security, and failing to report a data breach. These fines are in addition to the financial losses an organisation bears from reputational risk, legal liability, and the eventual loss of customer trust.