August 26, 2011

Clarification to the Indian Data Protection Laws


In April 2011, the Government of India had notified the “Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011” (“Rules”) under Section 43A of the Information Technology Act, 2000 (“Act”). These Rules were notified in furtherance of Section 43A for protection of individual data. Though these Rules were reformatory in nature, there were quite a few gray areas with respect to its applicability. We had undertaken an analysis of the same vide our hotline1 dated June 18, 2011,


In view of these gray areas and industry concerns raised with regard to its applicability, the Ministry of Communications and Information Technology on August 24, 2011 issued a Press Note clarifying some of the provisions of these Rules.



·         Applicability:

The Rules are regarding sensitive personal data or information2 (“SPDI”) and are applicable to body corporate or any person located in India.

Analysis: The Rules had used the expressions “information”, “personal information” and “Sensitive Data and Information” interchangeably, leading to confusion as to which provisions would apply to what type of information. Section 43A under which the Rules have been issued, relates only to SPDI. The Press Note now clarifies that the Rules apply only in relation to SPDI.

Further, it has also been clarified that the Rules would only apply to body corporates or  persons located in India. We have examined below different scenarios in relation to the applicability of these Rules, in view of the clarification issued:

                i.        In case of the body corporate located in India, the Rules will apply, irrespective of the location of the computer resource (i.e whether in India or abroad) and irrespective of the residential status of individuals;

               ii.        In case the body corporate is located abroad but a computer resource is located in India, then from a bare reading of Section 43A with Section 75, it appears that the provisions of the Act shall apply but the Press Note seems to suggest that the Rules will not apply to such a body corporate located abroad. Thus it will be interesting to see if the regulators / judiciary interpret the Rules so as to make a non Indian entity liable for contravention of the Act, when the Rules per se are not applicable to such entity.

              iii.        The Press Note states that the Rules will apply when the person is located in India. However, the Press Note does not clarify whether “person” as used therein in relation to applicability refers to “natural individuals”, or the data collector. Assuming it refers to “natural individuals”, then, even if the body corporate is located abroad handling data of individuals located in India through a computer resource located in India, the Rules may still apply.  


·         Provider of Information:

In the Rules the expression “provider of information” has been used in certain provisions, which had created confusion whether regulators intend to distinguish between the ‘individuals providing SPDI’ and ‘entities that collect such information and provide to another entity’. Now it has been clarified that ‘”provider of information” shall mean those natural persons who provide SPDI to a body corporate.


·         Collection & Disclosure:

Rules governing collection and disclosure of SPDI (Rules 53 & 64) will not apply to any body corporate providing services relating to collection, storage, dealing or handling of SPDI under contractual obligation with any legal entity located within or outside India. The Rules will apply to a body corporate, providing services directly to the provider of information under a contractual obligation.

Analysis: This clarification addresses the concerns of the outsourcing industry, wherein Rules 5 & 6 will not apply to a body corporate that comes into possession of SPDI from another body corporate under a contract for the purpose of rendering services. The obligations under Rule 5 & 6 will only apply to the body corporate which provides services directly to the provider of information under a contract with the provider.


·         Privacy Policy:

The privacy policy, as prescribed in Rule 4, relates to the body corporate and is not with respect to any particular obligation under any contract.

Analysis: Any body corporate which collects, stores, deals or handles SPDI, irrespective of any contractual obligations, will need to fulfill the obligations as prescribed under Rule 4. The obligation under this Rule seems to be applicable to business processing companies who collect, store, deal or handle SPDI on behalf of third parties.


·         Consent:

In Rule 5(1) consent includes consent given by any mode of electronic communication.

Analysis: Rule 5(1) had specified that the consent in relation to the purpose for which the SPDI may be collected and used may be obtained by letter, fax or e-mail. Press Note clarifies that the consent may also be obtained via electronic communication. Thus, as mentioned in our earlier hotline, consent obtained via a click through mechanism in an electronic medium should suffice.



The clarification as to the applicability and extent of these Rules, whereby they would apply only to body corporate / person located in India, is a welcome move since there were concerns raised about the consequences in relation to its extra territorial jurisdiction. Additionally, this Press Note also addresses the fears of the Industry as raised by NASSCOM and DSCI5 with respect to the adverse effect that the Rules would have had on the BPO industry. The Government’s initiative to issue this Press Note is laudable but its implementation may still raise certain practical challenges for some industry players. Also, companies should tread carefully and revisits their existing practices to determine various levels at which SPDI is collected, received, possessed, stored, dealt or handled, to ensure relevant compliances as specified in the Rules.


- Kartik Maheshwari, Huzefa Tavawalla & Gowree Gokhale

You can direct your queries or comments to the authors






2 Sensitive personal data or information of a person means such personal information which consists of information relating to;—


(i) password;

(ii) financial information such as Bank account or credit card or debit card or other payment instrument details ;

(iii) physical, physiological and mental health condition;

(iv) sexual orientation;

(v) medical records and history;

(vi) Biometric information;

(vii) any detail relating to the above clauses as provided to body corporate for providing service; and

(viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise:


However, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.


3 Rules regarding collection of Information

4 Rules regarding disclosure of Information



Management by Trust in a Democratic Enterprise: A Law Firm Shapes Organizational Behavior to Create Competitive Advantage, Global Business and Organizational Excellence, Sep 2009

NDA: A different approach by Shyamal Majumdar, Business Standard, July 23, 2009.

A law firm head spends his time studying organisational behavior.

Nishith Desai: Honoured with the title of "Prof. Yunus Social Business Pioneer of India" - 2010 by The Grameen Lab and the Wockhardt Foundation

Legal 500: Ranked in Tier 1 for Tax, TMT and Investment Funds

Nishith Desai: Featured in the Lex Witness publication ‘Witness Hall of Fame: Top 50’ - August 2010



Acquiring India - now a competitive task!, Legal Era, Akshay Bhargav & Simone Reis, June 06, 2011

Dealing with the new competition laws, The Hindu, Business Line, Ruchi Biyani & Simone Reis, May 30, 2011

Cairn-Vedanta Deal: Legal Issues May Land Govt. In Trouble, VCCircle, Prateek Bagaria & Vyapak Desai, May 27, 2011

Cairn-Vedanta deal: Govt must be conscious of legal hiccups, The Economic Times, Prateek Bagaria & Vyapak Desai, May 27, 2011

Doing Business in India

Joint Ventures in India

Mergers & Acquisitions in India

Dispute Resolution in India

Real Estate Investment


Indian Merger Control Regulations Finally Notified, May 19, 2011

Overview of the UCITS regime: The Luxembourg and Dublin experiences; tax efficiencies, April 29, 2011

New Consolidated Foreign Direct Investment Policy, April 7, 2011

FCPA issues with a special focus on India, March 14, 2011



Welcome to connect with us at interesting conferences, seminars and events.



Introducing NDA Dialawgue and Deal Destination.

Siddharth Shah on CNBC TV - 18: Cairn – Vedanta deadlock: Should a third party step in ?, April 08, 2011

Nishchal Joshipura on CNBC TV - 18: To exempt or not to exempt?, April 8, 2011

Siddharth Shah on CNBC TV - 18: SmartLink move not smart enough for shareholders, April 01, 2011

Nishith Desai on CNBC TV 18: Chasing black money!, Feb 12, 2011



Click here to view Hotline archives.

Funding Real Estate Projects - Exit Challenges, April 28, 2011

Real Estate in India - A Practical Insight, March 22, 2011


Hero to ride without its 'Pillion Rider', March 15, 2011

Piramal - Abbott Deal: The Great Indian Pharma Story, Aug 05, 2010



Our email newsletters – Hotlines are very popular for their insights and analysis. Sign-up to receive Hotlines on the following – Tax, CorpSec, HR, Dispute Resolution and our regular updates such as M&A Labs, IP, Pharma, Media, Telecom Updates and Budget and Policy Analyses.


Please visit to access our Research online.





Disclaimer: The contents of this hotline should not be construed as legal opinion. View detailed disclaimer.

This Hotline provides general information existing at the time of preparation. The Hotline is intended as a news update and Nishith Desai Associates neither assumes nor accepts any responsibility for any loss arising to any person acting or refraining from acting as a result of any material contained in this Hotline. It is recommended that professional advice be taken based on the specific facts and circumstances. This Hotline does not substitute the need to refer to the original pronouncements. 

This is not a Spam mail. You have received this mail because you have either requested for it or someone must have suggested your name. Since India has no anti-spamming law, we refer to the US directive, which states that a mail cannot be considered Spam if it contains the sender's contact information, which this mail does. In case this mail doesn't concern you, please unsubscribe from mailing list.