India

Basis

This guidance is based on Personal Data Protection Bill of 2019 (PDPB)

Who Does This Privacy Law Apply To?

2. The provisions of this Act,—
(A) shall apply to—
(a) the processing of personal data where such data has been collected, disclosed, shared or otherwise processed within the territory of India;
(b) the processing of personal data by the State, any Indian company, any citizen of India or any person or body of persons incorporated or created under Indian law;
(c) the processing of personal data by data fiduciaries or data processors not present within the territory of India, if such processing is—
(i) in connection with any business carried on in India, or any systematic activity of offering goods or services to data principals within the territory of India; or
(ii) in connection with any activity which involves profiling of data principals within the territory of India.
(B) shall not apply to the processing of anonymised data, other than the anonymised data referred to in section 91.

What Data Does This Privacy Law Apply To?

(27) "person" includes—
(i) an individual,
(ii) a Hindu undivided family,
(iii) a company,
(iv) a firm,
(v) an association of persons or a body of individuals, whether incorporated or not,
(vi) the State, and
(vii) every artificial juridical person, not falling within any of the preceding sub-clauses;
(28) "personal data" means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling;
(36) "sensitive personal data" means such personal data, which may, reveal, be related to, or constitute—
(i) financial data;
(ii) health data;
(iii) official identifier;
(iv) sex life;
(v) sexual orientation;
(vi) biometric data;
(vii) genetic data;
(viii) transgender status;
(ix) intersex status;
(x) caste or tribe;
(xi) religious or political belief or affiliation; or
(xii) any other data categorised as sensitive personal data under section 15.

When Was This Privacy Law Enacted?

Approved by the cabinet ministry of India on 4 December 2019 as the Personal Data Protection Bill 2019 and tabled in the Lok Sabha on 11 December 2019.

Where Does This Privacy Law Have Jurisdiction?

India residents' personal data; any entity doing business in India.

How Must Data Be Protected?

24. (1) Every data fiduciary and the data processor shall, having regard to the nature, scope and purpose of processing personal data, the risks associated with such processing, and the likelihood and severity of the harm that may result from such processing, implement necessary security safeguards, including—
(a) use of methods such as de-identification and encryption;
(b) steps necessary to protect the integrity of personal data; and
(c) steps necessary to prevent misuse, unauthorised access to, modification, disclosure or destruction of personal data.
(2) Every data fiduciary and data processor shall undertake a review of its security safeguards periodically in such manner as may be specified by regulations and take appropriate measures accordingly.

OWASP-Recommended Security Controls:

Access Control

• If state data must be stored on the client, use encryption and integrity checking on the server side to catch state tampering

Data Integrity

• Securely implement transaction authorization to protect the transaction integrity

Data Protection

• Implement least privilege, restrict users to only the functionality, data and system information that is required to perform their tasks

How Long Can Data Be Retained Under This Privacy Law?

COVID-19 Apps In This Region

External Links

• Personal Data Protection Bill of 2019 (PDPB)