INDIA
Since June 2000, last amended in 2008
Pillar Intermediary liability |
Sub-pillar Safe harbor for intermediaries for copyright infringement
Information Technology Act, 2000 as amended by the Information Technology (Amendment) Act, 2008 (IITA)
The Information Technology Act establishes a safe harbour regime for intermediaries for copyright infringements. Section 79 of the Act provides intermediaries with qualified immunity for unlawful content, as long as they follow the prescribed due diligence requirements and do not conspire, abet or aid an unlawful act. However, the protection lapses if an intermediary with "actual knowledge" of any content used to commit an unlawful act, or on being notified of such content, fails to remove, or disable access to it.
Coverage Internet intermediaries
Sources
- https://eprocure.gov.in/cppp/rulesandprocs/kbadqkdlcswfjdelrquehwuxcfmijmuixngudufgbuubgubfugbububjxcgfvsbdihbgfGhdfgFHytyhRtMjk4NzY=#:~:text=%5B9th%20June%2C%202000%5D%20An,communication%20and%20stor...
- https://www.mondaq.com/india/social-media/1088968/intermediary-liability-in-india--moving-goalposts#:~:text=In%20India%2C%20the%20Supreme%20Court,child%20and%20women%20protection%20laws.
- https://www.forbesindia.com/article/iim-calcutta/indias-tryst-with-intermediary-liability-from-2000-to-2021-changing-paradigms-in-the-social-media-age/69121/1
INDIA
Since February 2021
Pillar Intermediary liability |
Sub-pillar Safe harbor for intermediaries for any activity other than copyright infringement
Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021
The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules establish a safe harbour regime for intermediaries beyond copyright infringement. According to Rule 3(1)(d), an intermediary, after receiving 'actual knowledge' through a court order or by being notified by a government agency, must remove information that is prohibited by law in relation to the interest and sovereignty of India, the security of the state, friendly relations with foreign states, public order, decency or morality, contempt of court, defamation, incitement to an offence, or information which violates any law which is in force. Such information has to be removed within thirty-six hours from receipt of actual knowledge by the intermediary.
In addition, "significant social media intermediaries", defined as having more than five million registered Indian users, need to observe additional due diligence requirements to claim the immunity/safe harbour available. Rule 6 of the Information Technology Rules provides that even if a social media intermediary does not meet this user threshold, the Central Government may still require an intermediary to meet these additional obligations if it believes that their operations create a material risk of harm to the sovereignty and integrity of India or to the security of the State. This discretion to the Central government may lead to the arbitrary imposition of additional obligations on certain intermediaries. The additional due diligence requirements include appointing certain personnel for compliance, enabling identification of the first originator of the information on its platform under certain conditions, and deploying technology-based measures on a best-effort basis to identify certain types of content.
Coverage Internet Intermediaries
Sources
- https://wilmap.stanford.edu/entries/information-technology-intermediary-guidelines-and-digital-media-ethics-code-rules-2021
- https://sflc.in/analysis-information-technology-intermediary-guidelines-and-digital-media-ethics-code-rules-2021
- https://prsindia.org/billtrack/the-information-technology-intermediary-guidelines-and-digital-media-ethics-code-rules-2021
INDIA
Since 2009
Pillar Domestic Data policies |
Sub-pillar Requirement to allow the government to access personal data collected
Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules 2009
The Rules provide that the officer designated by the Central Government under the Rules (known as the 'Designated Officer') can, on receipt of a request from any nodal officer of a government organisation or a competent court, or by an order of any agency of the government, block access by the public to any information transmitted, received, stored or hosted in any computer resource. The request will be examined by a committee consisting of the designated officer and its chairperson and representatives, who shall determine if the information must be blocked.
Coverage Intermediaries
INDIA
Since July 1885, last amended in December 2015
Pillar Domestic Data policies |
Sub-pillar Requirement to allow the government to access personal data collected
Indian Telegraph Act, 1885
Telegraph Rules
Pursuant to Section 5 of the Telegraph Act and the Telegraph Rules, the Government has the power to temporarily possess licensed telegraphs and order the interception or disclosure of messages sent through such devices. The definition of a telegraph is fairly wide: it means any appliance, instrument, material, or apparatus used (or that is capable of being used) for transmission or reception of signs, signals, writing, images, and sounds or intelligence of any nature by wire, visual, or other electromagnetic emissions, radio waves or Hertzian waves, or galvanic, electric, or magnetic means. It is not clear whether a court order is required to access the data.
Coverage Horizontal
INDIA
Since 2002
Since 2009
Since 2009
Pillar Domestic Data policies |
Sub-pillar Requirement to allow the government to access personal data collected
Department of Telecommunications, Ministry of Communications & IT, Government of India, “License Agreement for Provision of Internet Services”
Department of Telecommunications, Ministry of Communications & IT, Government of India, "License Agreement for Provision of Unified Access Services after Migration from CMTS"
Department of Telecommunications, Ministry of Communications & IT, Government of India, "License Agreement for the Provision of Basic Telephone Services"
Under the Agreement for Provision of Internet Services, ISP License holders must maintain a log of all users connected to the service they are using and outward logins through an ISP's computers, which must be made available to the Telecom Authority at all times. ISP License holders must also provide to authorized intelligence agencies at any time a complete list of subscribers made available on the ISP website with password-controlled access. A complete list of the records that must be maintained and provided for security purposes to authorities is set out in the link. ISPs are regulated and operate under a license issued under the Telegraph Act, 1885. Under the Telegraph Act, any interception of messages may only be carried out pursuant to a written order by an officer specifically empowered for this purpose by the State or Central Government. The officer must be satisfied that it is necessary or expedient to do so in the interests of the security and sovereignty of India. However, such a requirement appears to apply only to interception of messages and not to storage of subscriber-related information.
The CMTS and the BTS Licenses identify several categories of records that must be made available and provided for security purposes to the Telecom Authority or authorized Intelligence Agencies. For example, under the BTS License, a designated person from the Central/State government has the right to monitor the telecommunication traffic in every switch and any other point in the network set up by the TSP. Further, TSPs are required to make arrangement for monitoring and simultaneous calls by Government security agencies at the location desired by the Central/State government. Along with the monitored calls, the following records should be made available: (i) called/calling party numbers; (ii) time/date and duration of interception; (iii) precise location of target subscribers; (iv) subscriber numbers if any call-forwarding feature has been invoked by the target subscriber; (v) data records even for failed call attempts. Since the BTS is provided under the aegis of the Telegraph Act, any conditions related to interception pursuant to an order of an officer of the State/Central Government may apply here.
Coverage Internet Service Providers
INDIA
Since 2008
Pillar Domestic Data policies |
Sub-pillar Requirement to allow the government to access personal data collected
Information Technology Act, 2000
Section 69 of the Information Technology Act 2000, as amended by the Information Technology (Amendment) Act 2008, gives the central and state governments the power to direct any agency to intercept, monitor or decrypt, or cause to be intercepted, monitored or decrypted any information transmitted, received or stored through any computer resources. The government must be satisfied that this is necessary in the interest of the sovereignty, security or defense of India. The government may require any subscriber or intermediary or any person in charge of the computer resource to extend all facilities and technical assistance necessary to decrypt the information.
Coverage Horizontal
INDIA
Since February 2021
Pillar Domestic Data policies |
Sub-pillar Requirement to perform an impact assessment (DPIA) or have a data protection officer (DPO)
Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021
Under Rule 4 of the Information Technology Rules of 2021, a "significant" social media intermediary (defined as a social media intermediary having a number of registered users in India above 5,000,000) must appoint a Chief Compliance Officer who must ensure compliance with the Rules and will be liable in any proceedings relating to any relevant third-party information, data or communication link made available or hosted by that intermediary where he/she fails to ensure that such intermediary observes due diligence while discharging its duties under the Rules.
Coverage Significant social media intermediaries
INDIA
Since 2013, last amended in January 2022
Pillar Domestic Data policies |
Sub-pillar Minimum period for data retention
License Agreement for Provision of Internet Services
Amendment in Internet Service Provider (ISP) License Agreement guidelines for change in time period of storage of commercial records
According to the License Agreement Guidelines, the Internet Service Provider licensee shall maintain all commercial records, call detail records, exchange detail records, and IP detail records with regard to the communications exchanged on the network. Such records shall be archived for at least two years for scrutiny by the Licensor for security reasons and may be destroyed thereafter unless directed otherwise by the Licensor.
Data retention requirements were previously in place under the “License Agreement for Provision of Internet Services” by the Department of Telecommunications, Ministry of Communications & IT, Government of India.
Coverage Internet Service Providers
Sources
- https://dot.gov.in/sites/default/files/Amendment%20in%20Internet%20Service%20Provider%20.pdf?download=1
- http://cis-india.org/internet-governance/blog/data-retention-in-india#fn8
- https://www.dataguidance.com/notes/india-data-protection-overview
- http://www.dot.gov.in/data-services/internet-services
- https://www.saras.gov.in/main/License%20Agreement/ISP.pdf
INDIA
Since 2005
Pillar Domestic Data policies |
Sub-pillar Minimum period for data retention
Prevention of Money-laundering (Maintenance of Records of the Nature and Value of Transactions, the Procedure and Manner of Maintaining and Time for Furnishing Information and Verification and Maintenance of Records of the Identity of the Clients of the Banking Companies, Financial Institutions and Intermediaries) Rules, 2005
Banking information must be stored for 10 years "from the date of cessation of the transactions between the client and the banking company, financial institution or intermediary, as the case may be".
Coverage Banking companies and financial institutions
INDIA
Since December 2015
Pillar Domestic Data policies |
Sub-pillar Minimum period for data retention
Securities and Exchange Board of India (Listing Obligations and Disclosure Requirements) Regulations, 2015
As per the SEBI Listing Regulations, a listed entity (i.e. an entity which is listed on the stock market) is required to have a policy for the preservation of documents. The SEBI Listing Regulations require that records, books, papers and documents of the company be preserved as per the following classifications:
- Schedule I – to be preserved permanently. Documents listed under this schedule include incorporation documents, share certificates, register of minutes of board meetings, register of members etc.
- Schedule II – to be preserved for eight years. Documents listed under this schedule include books of accounts, attendance register of board meetings, register of debenture holders etc.
- Schedule III – to be preserved for a minimum period of five years or such higher period as may be determined by the board of directors of the company. Documents listed under this schedule include register of stock options, register of directors and key managerial personnel, disclosures made under applicable company laws etc.
As per the SEBI Listing Regulations, documents set out in Schedule I and II can be kept in electronic mode. The complete list of documents under each schedule is set out in the SEBI Listing Regulations.
Coverage Listed (Public) Companies
INDIA
Since April 2022
Pillar Domestic Data policies |
Sub-pillar Minimum period for data retention
Indian Computer Emergency Response Team Direction No. 20(3)/2022-CERT-In
Direction 5 of Direction No. 20(3)/2022-CERT-In requires data centres, virtual private server providers, cloud service providers and virtual private network service providers to collect and retain certain subscriber-related information in an accurate manner for a minimum period of five years after the subscriber is no longer availing the underlying services. These data sets include subscriber names, period of hire including dates, IPs allocated and used, e-mail address along with IP and time stamp used at time of registration, purpose of availing the services, verified address and contact numbers, and ownership pattern of subscribers. Virtual asset service providers, virtual asset exchange providers and custodian wallet providers must also maintain KYC information and records of financial transactions for a period of 5 years. Specific to transaction records, Direction No. 20(3)/2022-CERT-In states that information must be maintained accurately in such a way that individual transactions can be reconstructed along with the relevant constituents such as IP addresses, time zones, transaction ID, public keys or equivalent identifiers, addresses or accounts involved, nature and date of transaction, amount transferred, etc.
Coverage Data centres and virtual private server, cloud service, virtual private network service, virtual asset service, virtual asset exchange and custodian wallet providers
Sources
- https://www.cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf
- https://www.mondaq.com/india/social-media/1233722/new-cert-in-directions-overview-and-implications
- https://internetfreedom.in/cert-in-guidelines-on-cybersecurity-an-explainer/
- https://www.lexology.com/library/detail.aspx?g=899f3b94-c31f-4983-868f-5ee5abbf78c8
INDIA
N/A
Pillar Cross-border data policies |
Sub-pillar Participation in trade agreements committing to open cross-border data flows
Lack of participation in agreements with binding commitments on data flows
India has not joined any agreement with binding commitments to open transfers of data across borders.
Coverage Horizontal
INDIA
N/A
Pillar Domestic Data policies |
Sub-pillar Framework for data protection
Lack of comprehensive data protection law
While India does not yet have a data protection law, it has sectoral laws on data protection applicable to internet service providers, telecom service providers, banking information and certain corporate entities. For internet service providers and telecom service providers requirements are set out in the Internet Service Provider License and the Unified Access Services License respectively and for banking information, data protection requirements are set out in the Prevention of Money-laundering (Maintenance of Records of the Nature and Value of Transactions, the Procedure and Manner of Maintaining and Time for Furnishing Information and Verification and Maintenance of Records of the Identity of the Clients of the Banking Companies, Financial Institutions and Intermediaries) Rules, 2005.
Coverage Horizontal except certain sectors such as internet service providers, telecom service providers, certain corporate entities, banking information
INDIA
Since April 2011
Pillar Cross-border data policies |
Sub-pillar Conditional flow regime
Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
Rule 7 of Information Technology Rules 2011 states that export of sensitive personal data or information within or outside India is permissible provided that the same standards of data protection required in India are adhered to, and that transfer is necessary for the performance of a lawful contract or has been consented to by the provider of the information. Sensitive personal information includes passwords, financial information such as bank account or credit/debit card details, sexual orientation, physical, mental health condition, biometric information, among others.
Coverage Horizontal
INDIA
Since April 2018
Pillar Cross-border data policies |
Sub-pillar Local storage requirement
Reserve Bank of India Directive
In April 2018, the Reserve Bank of India (RBI) issued a one-page directive stating that, within six months, all payment data held by payment companies should be held in local facilities. The Directive noted that this would help the RBI gain "unfettered supervisory access" to transaction data, which it needs to ensure proper monitoring.
Following a negative response from international payment companies such as MasterCard, Visa and American Express, the RBI has proposed (in "Frequently Asked Questions" of its website) to ease this restriction, so as to allow payment firms to store data offshore, as long as a copy was kept in India. The RBI has further clarified that for cross border transaction data consisting of a foreign component and domestic component, a copy of the domestic component may be stored abroad, if required.
With respect to processing of payment transactions outside India, the RBI requires that the data must be stored only in India after processing and should be deleted from systems abroad and brought back to India no later than 24 hours after processing. Any subsequent activity such as settlement processing after payment processing done outside India must be undertaken on a real-time basis, pursuant to which the data must be stored only in India.
The RBI has clarified that banks, especially foreign banks, can continue to store banking data abroad but in respect of domestic payment transactions, the data must be stored only in India.
Coverage Financial sector
Sources
- https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=11244&Mode=0
- https://m.rbi.org.in/Scripts/FAQView.aspx?Id=130
- https://in.reuters.com/article/india-data-localisation-exclusive/exclusive-india-proposes-easing-local-data-storage-rules-for-foreign-payment-firms-document-idINKBN1K20K6
- https://www.mondaq.com/india/financial-services/1098560/guidelines-for-storage-of-payment-data