(Draft) Paper on Information Technology Act, 2000 and the Data Protection Rules

In August 2017, the Supreme Court of India’s landmark judgment in Puttaswamy v. Union of India affirmed that the right to privacy is a fundamental right under the Indian Constitution. In Puttaswamy v. Union of India, the various opinions have observed that informational privacy is an important aspect of such privacy in this day and age. As arguments were made in this case, the Ministry of Electronics and Information Technology (MEITY), Government of India also set up a Committee of Experts to identify key data protection issues in India and recommend methods of addressing them. MEITY and the Committee of Experts have now issued a white paper which recognises the need for comprehensive data protection regulations that incorporate established data protection principles. Public comments and consultations have been called for on the basis of this paper, as we gear up to build on the fundamental right to privacy and put in place strong data protection laws to protect personal data. In this paper we analyse the only existing ‘comprehensive’ data protection rules in India, i.e. the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“Rules”), issued under the Information Technology Act, 2000 (“IT Act”). The paper examines the provisions of the IT Act and the Rules that provide for the protection of personal data, the kind of personal data that they apply to, as well as some of the criticisms of these provisions and their enforcement.