INDIA
Since June 2000, as amended in October 2009, last amended in August 2023
Since October 2009
Since October 2009
Since October 2009
Since October 2009
Pillar Domestic data policies |
Sub-pillar Requirement to allow the government to access personal data collected
Information Technology Act, 2000
The Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009
Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information) Rules, 2009
The Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009
Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information) Rules, 2009
Under Section 69 of the Information Technology Act, both central and state governments are empowered to instruct any government agency to intercept, monitor, or decrypt electronic information. This authority can be exercised on the following grounds: in the interest of India's sovereignty or integrity; for the security of the State; to maintain friendly relations with foreign states; for public order; or to prevent or investigate the commission of an offence. Additionally, under Section 69B, the government is authorised to permit any agency to monitor and collect traffic data or information exchanged through a computer resource.
The Information Technology (Procedure and Safeguards for Interception, Monitoring, and Decryption of Information) Rules of 2009 and the Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information) Rules of 2009, both promulgated under the Information Technology Act, provide procedural guidelines for carrying out such interception and monitoring. For example, Rule 3 of the latter Rules permits the collection and/or monitoring of traffic data or information via a computer resource for several purposes, including: forecasting imminent cyber incidents; monitoring network applications; identifying and determining viruses or computer contaminants; tracking cybersecurity breaches or incidents; identifying individuals who have breached or are suspected of breaching cybersecurity measures; conducting forensic analyses as part of investigations or internal audits of information security practices; accessing stored data for the enforcement of cybersecurity law; or addressing any other cybersecurity-related issues.
The Information Technology (Procedure and Safeguards for Interception, Monitoring, and Decryption of Information) Rules of 2009 and the Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information) Rules of 2009, both promulgated under the Information Technology Act, provide procedural guidelines for carrying out such interception and monitoring. For example, Rule 3 of the latter Rules permits the collection and/or monitoring of traffic data or information via a computer resource for several purposes, including: forecasting imminent cyber incidents; monitoring network applications; identifying and determining viruses or computer contaminants; tracking cybersecurity breaches or incidents; identifying individuals who have breached or are suspected of breaching cybersecurity measures; conducting forensic analyses as part of investigations or internal audits of information security practices; accessing stored data for the enforcement of cybersecurity law; or addressing any other cybersecurity-related issues.
Coverage Horizontal
Sources
- https://web.archive.org/web/20211115020524/https://www.indiacode.nic.in/bitstream/123456789/1999/3/A2000-21.pdf
- https://web.archive.org/web/20231005133242/https://www.meity.gov.in/writereaddata/files/Information%20Technology%20(Procedure%20and%20Safeguards%20for%20Interception,%20Monitoring%20and%20Decryption%2...
- https://web.archive.org/web/20221223012141/https://upload.indiacode.nic.in/showfile?actid=AC_CEN_45_76_00001_200021_1517807324077&type=rule&filename=ru_cen_45_0_00028_1519711141735.pdf
- https://www.dataguidance.com/notes/india-third-country-assessment
- https://web.archive.org/web/20231221030143/https://www.gp-digital.org/world-map-of-encryption/
- Show more...
INDIA
Since July 1885, last amended in December 2015
Since October 1951, last amended in August 2023
Since October 1951, last amended in August 2023
Pillar Domestic data policies |
Sub-pillar Requirement to allow the government to access personal data collected
Telegraph Act, 1885
Telegraph Rules
Telegraph Rules
Pursuant to Section 5 of the Telegraph Act and the Telegraph Rules, the Government has the power to temporarily possess licensed telegraphs and order the interception or disclosure of messages sent through such devices. The definition of a telegraph is fairly wide: it means any appliance, instrument, material, or apparatus used (or that is capable of being used) for transmission or reception of signs, signals, writing, images, and sounds or intelligence of any nature by wire, visual, or other electromagnetic emissions, radio waves or Hertzian waves, or galvanic, electric, or magnetic means. It is not clear whether a court order is required to access the data.
Coverage Horizontal
Sources
- https://web.archive.org/web/20220214215829/https://dot.gov.in/actrules/indian-telegraph-act-1885
- https://web.archive.org/web/20191009060105/https://dot.gov.in/act-rules-content/2430
- https://web.archive.org/web/20211207203447/https://dot.gov.in/sites/default/files/358%20GI-2014%20dated%208.2.2014_6.pdf?download=1
- https://www.dataguidance.com/notes/india-third-country-assessment
- Show more...
INDIA
Since June 2000, entry into force in October 2000, last amended in August 2023
Pillar Intermediary liability |
Sub-pillar Safe harbour for intermediaries for copyright infringement
Information Technology Act, 2000
The Information Technology Act establishes a safe harbour regime for intermediaries for copyright infringements. Section 79 of the Act provides intermediaries with qualified immunity for unlawful content as long as they follow the prescribed due diligence requirements and do not conspire, abet or aid an unlawful act. However, the protection lapses if an intermediary with "actual knowledge" of any content used to commit an unlawful act or, on being notified of such content, fails to remove or restrict access to it.
Coverage Internet intermediaries
Sources
- https://web.archive.org/web/20231204123614/https://eprocure.gov.in/cppp/rulesandprocs/kbadqkdlcswfjdelrquehwuxcfmijmuixngudufgbuubgubfugbububjxcgfvsbdihbgfGhdfgFHytyhRtMjk4NzY=
- https://web.archive.org/web/20241127192721/https://www.mondaq.com/india/social-media/1088968/intermediary-liability-in-india--moving-goalposts
- https://web.archive.org/web/20231210112408/https://www.forbesindia.com/article/iim-calcutta/indias-tryst-with-intermediary-liability-from-2000-to-2021-changing-paradigms-in-the-social-media-age/69121/...
- Show more...
INDIA
Since February 2021
Pillar Intermediary liability |
Sub-pillar Safe harbour for intermediaries for any activity other than copyright infringement
Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021
The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules of 2021 establish a safe harbour regime beyond intermediaries for copyright infringement. According to Rule 3.1(d), an intermediary, after receiving 'actual knowledge' through a court order or by being notified by a government agency, must remove information that is prohibited by law in relation to the interest and sovereignty of India, the security of the state, friendly relations with foreign states, public order, decency or morality, contempt of court, defamation, incitement to an offence or information which violates any law which is in force. Such information has to be removed within thirty-six hours from receipt of actual knowledge by the intermediary.
In addition, "significant social media intermediaries", defined as having more than five million registered Indian users, need to observe additional due diligence requirements to claim the immunity/safe harbour available. Rule 6 of the Information Technology Rules provides that even if a social media intermediary does not meet this user threshold, the Central Government may still require an intermediary to meet these additional obligations if it believes that their operations create a material risk of harm to the sovereignty and integrity of India or to the security of the State. This discretion to the Central government may lead to the arbitrary imposition of additional obligations on certain intermediaries. The additional due diligence requirements include appointing certain personnel for compliance, enabling identification of the first originator of the information on its platform under certain conditions, and deploying technology-based measures on a best-effort basis to identify certain types of content.
In addition, "significant social media intermediaries", defined as having more than five million registered Indian users, need to observe additional due diligence requirements to claim the immunity/safe harbour available. Rule 6 of the Information Technology Rules provides that even if a social media intermediary does not meet this user threshold, the Central Government may still require an intermediary to meet these additional obligations if it believes that their operations create a material risk of harm to the sovereignty and integrity of India or to the security of the State. This discretion to the Central government may lead to the arbitrary imposition of additional obligations on certain intermediaries. The additional due diligence requirements include appointing certain personnel for compliance, enabling identification of the first originator of the information on its platform under certain conditions, and deploying technology-based measures on a best-effort basis to identify certain types of content.
Coverage Internet Intermediaries
Sources
- https://web.archive.org/web/20230923205328/https://wilmap.stanford.edu/entries/information-technology-intermediary-guidelines-and-digital-media-ethics-code-rules-2021
- https://web.archive.org/web/20230929034953/https://sflc.in/analysis-information-technology-intermediary-guidelines-and-digital-media-ethics-code-rules-2021/
- https://web.archive.org/web/20231208000516/https://prsindia.org/billtrack/the-information-technology-intermediary-guidelines-and-digital-media-ethics-code-rules-2021
- Show more...
INDIA
Since October 2017
Pillar Intermediary liability |
Sub-pillar User identity requirement
Regulation on the Use of Aadhaar e-KYC Service of the Unique Identity Authority of India (UIDAI) for Issuing New Mobile Connections and Re-Verification of Existing Subscribers via OTP-Based Authentication
According to the Regulation on the Use of Aadhaar e-KYC Service of the Unique Identity Authority of India (UIDAI) for Issuing New Mobile Connections and Re-Verification of Existing Subscribers via OTP-Based Authentication, Indian citizens are required to register their SIM card with their Aadhaar Card (a type of national identity card). Foreigners have to provide their passport, a photocopy of their Indian visa/ travel permit, a passport-sized photo and contact details.
Coverage Telecommunications sector
Sources
- https://web.archive.org/web/20220125013040/https://dot.gov.in/sites/default/files/OTP%20Based%20Reverification.PDF?download=1
- https://web.archive.org/web/20231204204245/https://www.indiatoday.in/information/story/heres-how-an-indian-citizen-and-a-foreign-national-can-buy-a-sim-card-in-india-1841117-2021-08-15
INDIA
Since December 2018
Pillar Intermediary liability |
Sub-pillar Monitoring requirement
Information Technology Intermediaries Guidelines (Amendment) Rules, 2018
According to Art. 3.3 of the Information Technology Intermediaries Guidelines Rules, intermediaries are required to deploy technology-based automated tools or appropriate mechanisms with appropriate controls for proactively identifying and removing or disabling public access to unlawful information or content.
Coverage Internet intermediaries
Sources
- https://web.archive.org/web/20220120082414/http://www.wipo.int/export/sites/www/copyright/en/doc/liability_of_internet_intermediaries.pdf
- https://web.archive.org/web/20220201093401/https://www.medianama.com/wp-content/uploads/Draft_Intermediary_Amendment_24122018.pdf
- https://web.archive.org/web/20201031191759/https://law.asia/intermediary-liability-rules-not-safe-harbour/
- Show more...
INDIA
Since June 2000, entry into force in October 2000, last amended in August 2023
Pillar Intermediary liability |
Sub-pillar Monitoring requirement
Information Technology Act, 2000
Section 69 of the Indian Information Technology Act (IITA) requires intermediaries to extend all facilities and technical assistance to intercept, monitor or decrypt information as well as to provide information stored in a computer or provide access to a computer resource when called upon to do so by certain agencies. This extends to online intermediaries, which are required to designate an officer to facilitate the execution of such orders. Intermediaries that fail to meet these obligations may be punished with imprisonment of up to seven years.
Coverage Internet intermediaries
INDIA
Since February 2021
Pillar Intermediary liability |
Sub-pillar Monitoring requirement
Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021
According to Art. 4.2 of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules of 2021, a significant social media intermediary (defined as a social media intermediary having a number of registered users in India above five million) providing messaging services must enable identification of the first originator of the information on its computer resource as may be required by a judicial order or an order passed by a competent authority. In complying with an order for the identification of the first originator, a significant social media intermediary will not be required to disclose the contents of the electronic message related to the first originator or other users. No order must be passed in cases where there are less intrusive means of identifying the originator of the information.
Coverage Social media
Sources
- https://web.archive.org/web/20231005153411/https://www.meity.gov.in/writereaddata/files/Information%20Technology%20(Intermediary%20Guidelines%20and%20Digital%20Media%20Ethics%20Code)%20Rules%2C%202021...
- https://web.archive.org/web/20230929034953/https://sflc.in/analysis-information-technology-intermediary-guidelines-and-digital-media-ethics-code-rules-2021/
INDIA
Since October 2009
Pillar Content access |
Sub-pillar Blocking or filtering of commercial web content
Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information) Rules, 2009
According to Art. 8 of the The Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules of 2009, an officer so designated by the Central Government under the Rules (known as 'Designated Officer') can on the receipt of a request from any nodal officer of a government organisation or a competent court or by an order of any agency of the government can block access by the public to any information transmitted, received, stored or hosted in any computer resource. The request will be examined by a committee consisting of the designated officer, its chairperson, and representatives, who shall determine if the information must be blocked.
Coverage Intermediaries
INDIA
Since August 2017, last amended in November 2020
Pillar Content access |
Sub-pillar Blocking or filtering of commercial web content
Temporary Suspension of Telecom Services (Public Emergency or Public Safety) Rules, 2017
According to the Temporary Suspension of Telecom Services (Public Emergency or Public Safety) Rules, 2017, national or state-level officials are allowed to issue temporary suspension orders to shut down telecom services in times of public emergency or threats to public safety. However, each order should contain reasons for shutdowns of telecom services and should be forwarded to a review committee for assessment.
Coverage Horizontal
INDIA
N/A
Pillar Domestic data policies |
Sub-pillar Framework for data protection
Lack of comprehensive legal framework for data protection
India has not yet enacted specific legislation concerning data protection. Currently, the regulation of personal data processing is primarily governed by the Information Technology Act of 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules of 2011, which were promulgated under the Act. Additionally, sector-specific laws, such as those applicable to the financial services and telecommunications sectors, contribute to the regulatory framework.
The Digital Personal Data Protection Act was enacted on 11 August 2023 and will come into force on a date to be notified by the Government of India. As of February 2024, the Act has not yet become effective. Once in effect, the Act is expected to establish a comprehensive data protection regime in India.
The Digital Personal Data Protection Act was enacted on 11 August 2023 and will come into force on a date to be notified by the Government of India. As of February 2024, the Act has not yet become effective. Once in effect, the Act is expected to establish a comprehensive data protection regime in India.
Coverage Horizontal
Sources
- https://web.archive.org/web/20230209022041/https://www.linklaters.com/en/insights/data-protected/data-protected---india
- https://www.dataguidance.com/jurisdiction/india
- https://web.archive.org/web/20240305070659/https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf
- Show more...
INDIA
Since April 2022
Pillar Domestic data policies |
Sub-pillar Minimum period for data retention
Indian Computer Emergency Response Team Direction No. 20(3)/2022-CERT-In
Section 5 of Direction No. 20(3)/2022-CERT-In mandates data centres, virtual private server providers, cloud service providers, and virtual private network service providers to mandatorily collect and retain certain subscriber-related information accurately for a minimum period of five years after the subscriber is no longer availing the underlying services. These data sets include subscriber names, period of hire including dates, IPs allocated and used, e-mail address along with IP and time stamp used at time of registration, purpose of availing the services, verified address and contact numbers, and ownership pattern of subscribers. Virtual asset service providers, virtual asset exchange providers and custodian wallet providers must also maintain KYC information and records of financial transactions for a period of 5 years. Specific to transaction records, Direction No. 20(3)/2022-CERT-In states that information must be maintained accurately in such a way that individual transactions can be reconstructed along with the relevant constituents such as IP addresses, time zones, transaction ID, public keys or equivalent identifiers, addresses or accounts involved, nature and date of transaction, amount transferred, etc.
Coverage Data centres and virtual private server, cloud service, virtual private network service, virtual asset service, virtual asset exchange and custodian wallet providers
Sources
- https://web.archive.org/web/20240818125254/https://www.cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf
- https://web.archive.org/web/20240227013228/https://www.mondaq.com/india/social-media/1233722/new-cert-in-directions-overview-and-implications
- https://web.archive.org/web/20231204133353/https://internetfreedom.in/cert-in-guidelines-on-cybersecurity-an-explainer/
- https://web.archive.org/web/20241211173426/https://www.lexology.com/library/detail.aspx?g=899f3b94-c31f-4983-868f-5ee5abbf78c8
- Show more...
INDIA
Since 2000
Pillar Telecom infrastructure & competition |
Sub-pillar Presence of shares owned by the government in telecom companies
Presence of shares owned by the government in the telecom sector
Bharat Sanchar Nigam Limited, the incumbent, is fully owned by the Government of India. BSNL (Bharat Sanchar Nigam Ltd.) provides all types of telecom services, namely telephone services on landlines, Wireless Local Loop and GSM mobile, Broadband, Internet, leased circuits and long-distance telecom services.
Coverage Telecommunications sector
INDIA
Since November 1998, last amended in January 2022
Pillar Domestic data policies |
Sub-pillar Minimum period for data retention
Licence Agreement for Provision of Internet Services
According to the License Agreement for Provision of Internet Services, the Internet Service Provider licensee shall maintain all commercial records, call detail records, exchange detail records, and IP detail records with regard to the communications exchanged on the network. Such records shall be archived for at least two years for scrutiny by the Licensor for security reasons and may be destroyed thereafter unless directed otherwise by the Licensor.
Coverage Internet Service Providers
Sources
- https://web.archive.org/web/20220127122544/https://dot.gov.in/sites/default/files/Amendment%20in%20Internet%20Service%20Provider%20.pdf?download=1
- https://web.archive.org/web/20231003081823/http://cis-india.org/internet-governance/blog/data-retention-in-india#fn8
- https://web.archive.org/web/20130611231210/http://www.dot.gov.in/data-services/internet-services
- https://web.archive.org/web/20220927210431/https://www.saras.gov.in/main/License%20Agreement/ISP.pdf
- https://www.dataguidance.com/notes/india-data-protection-overview
- Show more...
INDIA
N/A
Pillar Telecom infrastructure & competition |
Sub-pillar Functional/accounting separation for operators with significant market power
Lack of mandatory functional separation for dominant network operators
India does not mandate functional separation for operators with significant market power (SMP) in the telecom market. However, the Accounting Separation Regulation is applicable to all the service providers having aggregate turnover of not less than rupees one hundred crore (approx. 12,182,700 USD) during the accounting year for which report is required to be submitted from operations under the telecom license(s) issued to them under section 4 of the Indian Telegraph Act 1885. The telecom service providers are required to submit their audited accounting separation reports based on a historical cost basis every year and on a replacement cost basis every second year within seven months of the end of the accounting year.
Coverage Telecommunications sector