Mapping the Data Protection Regime in India
Data protection encompasses laws, rules, and processes that limit the collection, storage, and sharing of personal data to safeguard privacy. Indian Constitution does not explicitly establish privacy as a fundamental right, but through Supreme Court cases, privacy has been linked to existing rights like freedom of speech (Article 19(1)(a)) and right to life (Article 21). Until August 2023, India lacked specific data protection regulations. Instead, data protection was governed by the Information Technology Act, 2000; Indian Contract Act, 1872; Information Technology Rules for Sensitive Data, 2011; and Intermediaries Guidelines for Digital Ethics, 2021. While these rules outlined security measures for handling such data, they proved inadequate for modern data protection challenges. India required a comprehensive and specialized data protection framework to address these evolving issues. The efforts to enact a robust framework began with the introduction of the Personal Data Protection Bill, 2018 (“PDP Bill 2018”) and paved the way through the Personal Data Protection Bill, 2019; The Digital Personal Data Protection Bill, 2022 and finally operationalized in 2023 through the Digital Personal Data Protection Bill, 2023 which got ratified as the Digital Personal Data Protection Act, 2023 (“the Act”). This article maps the data protection regime in India from the PDP Bill of 2018 to the Act of 2023. PARTICULARS PERSONAL DATA PROTECTION BILL, 2018 DIGITAL PERSONAL DATA PROTECTION ACT, 2023 Applicability Applies to:processing of personal data where such data has been collected, disclosed, shared, or otherwise processed within the territory of India; processing of personal data by the State, any Indian company, any Indian citizen or any person or body of persons incorporated or created under Indian law;processing of personal data by data fiduciaries or data processors not present within the territory of India, only if such processing is in connection with any business carried on in India, or any systematic activity of offering goods or services to data principals within the territory of India or in connection with any activity which involves profiling of data principals within the territory of India. Applies to: digital personal data and data collected offline and later digitized.processing of personal data outside India if it is for offering goods or services to Data Principals within the territory of India.Does not:personal data processed by an individual for any personal or domestic purpose.personal data that is made or caused to be made publicly available by (a) the Data Principal to whom such personal data relates; (b) any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available. Categorization of Data A comprehensive reading of the Bill highlights three categories of data, i.e., personal data, sensitive personal data, and critical personal data. A comprehensive reading of the Act indicates that there is no categorization of data into sensitive personal data and critical personal data. Categorization of Data Fiduciaries Section 38 of the Bill, clearly classified certain data fiduciaries as significant data fiduciaries. Section 10 of the Act classifies certain data fiduciaries as significant data fiduciaries. Consent and Notice Section 8 and 12 of the Bill provide for consent and notice for such consent are required before processing the personal data.The notice must include all the specifications mentioned in Section 8 of the Bill, which includes, but is not limited to – (i) the purposes for which the personal data is to be processed; (ii) the categories of personal data being collected; (iii) the details of the data protection officer; (iv) the right of the data principal to withdraw such consent; (v) the procedure for such withdrawal, etc.Section 8(2) provides for translation of notice into “multiple language”, however, does not mandate it and neither does it specify the languages. Section 5 and 6 of the Act specifies that consent and notice for such consent are required before processing the personal data.Notice must include – (i) a description of personal data to be processed and the purposes of processing; (ii) the manner in which a data principal is to withdraw such consent and right to grievance redressal under Section 13; and (iii) the manner and right to make complaints to the Board.Section 5(3) mandates the requirement to translate such notice into local Indian languages, as specified under the Eighth Schedule to the Indian Constitution. Deemed Consent Does not provide for the concept of “deemed consent” Introduced the concept of deemed consent under the head of “certain legitimate uses” in Section 7.Data Principal is ‘deemed’ to have given consent for processing where the data principal voluntarily provides personal data to the data fiduciary.The Act provides a list wherein data principals will be deemed to have given consent for processing personal data. Such legitimate uses include but is not limited to: (a) when the Data Principal voluntarily provides personal data to a Data Fiduciary; (b) when such personal data is provided for the State and any of its instrumentalities to provide or issue subsidy, benefit, service, certificate, licence or permit as may be prescribed; (c) performance by the State or any of its instrumentalities of any function under any law for the time being in force in India or in the interest of sovereignty and integrity of India or security of the State; (d) for compliance with any judgment or decree or order issued under any law for the time being in force in India, or any judgment or order relating to claims of a contractual or civil nature under any law for the time being in force outside India; (e) for responding to a medical emergency involving a threat to the life or immediate threat to the health of the Data Principal or any other individual; (f) for taking measures to provide medical treatment or health services to any individual during an epidemic, outbreak of disease, or any other threat to public health; (g) for taking measures to ensure safety of, or provide assistance or services to, any individual during any disaster, or any breakdown of public order. Limitation on Data Collection/ Data Minimization Section
Key Changes under the Foreign Direct Investment Policy (“FDI Policy”) on the Space Sector
Background India accounts for only 2 percent of the currently valued global space economy which is about USD 360 billion despite being among the few spacefaring nations in the world. The Union minister of the State (Independent Charge) for Science and Technology, Dr. Jitendra Singh while inaugurating the IN-SPACe Technical Centre, stated that their target is to take the space economy from 2 percent to 10 percent by the year 2030, targeting a five-fold increase. The vision is to have a 15 percent share in the global space economy by 2047. To realize this vision, there was a need to provide scope for Non-Governmental Entities to participate in the Indian space program and play a key role in boosting India’s market share in the Global Space Economy. In India, players in the private sector industry have been very limited to being vendors or suppliers to the government’s space program. The need to promote private entities to establish themselves as independent players was also emphasized. The Indian Space Policy 2023 was notified as an overarching, composite, and dynamic framework to implement the vision for unlocking India’s potential in the Space sector through enhanced private participation. This policy aims at augmenting space capabilities; enabling, encouraging, and developing a flourishing commercial presence in space; using space as a driver of technology development and derived benefits in allied areas; pursuing international relations, and creating an ecosystem for effective implementation of space applications among all stakeholders. The Government of India to foster growth and innovation and with the vision to promote ease of doing business facilitating greater participation by foreign investors in the Space sector of the economy decided to liberalize the FDI Policy by prescribing liberalized thresholds for various sub-sectors/activities. These amendments to the Policy are expected to attract more foreign and domestic investment in India’s booming space industry. Extant FDI Policy on the Space Sector: 100% FDI was permitted in the establishment and operation of Satellites only through the Government Approval route. Further, such foreign investments were subject to the sectoral guidelines of the Department of Space/ISRO. New Policy on the Space Sector: The Department for Promotion of Industry and Internal Trade (“DPIIT”) vide a Press Note announced the review of the FDI Policy on the Space sector in India to streamline the FDI regulations and pave the way for enhanced participation and collaboration in various segments of the space industry. The proposed reforms seek to provide clarity for FDI in Satellites, Launch Vehicles, and associated systems or subsystems, the Creation of Spaceports for launching and receiving Spacecraft, and manufacturing of space-related components and systems. Pursuant to the significant amendments, now the satellites sub-sector has been divided into three different activities with defined limits for foreign investment in each such sector, subject to the sectoral guidelines issued by the Department of Space from time to time, as follows – (a) For Manufacturing and Operations, Satellite Data Products, and Ground Segment and User Segment, investments up to 74% fall within the Automatic Route, while investments beyond 74% will fall within the Approval Route, i.e. require Government Approval; (b) For Launch vehicles and associated systems and subsystems, Creation of Spaceports for launching and receiving Spacecrafts, investments up to 49% fall within the Automatic Route, while investments beyond 49% will fall within the Approval Route, i.e. require Government Approval; (c) For Manufacturing of components and systems/sub-systems for satellites, ground segment, and user segment, investments up to 100% fall within Automatic Route and there is no requirement of Government approval. Further, the amended policy provides clear definitions of various activities within the space sector including satellite manufacturing and operations, satellite data products, ground segment, user segment, launch vehicles, creation of spaceports, and manufacturing of components and systems/subsystems. Conclusion: Evidently, this policy is the Government’s attempt to encourage investment, innovation, and technology transfer in the Space sector through the private sector. It is aimed at bringing about a new era of opportunities and growth in India’s space industry. With the enhanced contribution from both domestic as well as foreign investors, the country can strengthen its position in the global market as a global hub for space technology and innovation. The increased private sector participation would help in generating employment and enabling modern technology absorption enabling companies to set up their manufacturing setups in India duly encouraging the Make in India (MII) initiative of the Government. The information contained in this article is intended solely to provide general guidance on matters of interest for the personal use of the reader, who accepts full responsibility for its use. The application and impact of laws can vary widely based on the specific facts involved. As such, it should not be used as a substitute for consultation with a competent adviser. Before making any decision or taking any action, the reader should always consult a professional adviser relating to the relevant article posting. – Kinjal Champaneria, Partner, and Shakshi Bafna, Associate, Solomon & Co. About Solomon & Co. Solomon & Co., (Advocates & Solicitors) was founded in 1909 and is amongst India’s oldest law firms. The Firm is a full-service firm that provides legal services to Indian and international companies and high-net-worth individuals on all aspects of Indian law.
