Q: should India implement a GDPR-like data protection
Rabindra Jhunjhunwala, partner at Khaitan & Co.
Since 2000, India has seen exponential growth in the IT
enabled services industry and in business processing
outsourcing. The country's current data privacy and protection
legal regime lacks a dedicated law and an exclusive regulator.
Data privacy and protection is governed primarily through
sections 43A and 72A of the Information Technology Act, 2000
(IT Act), along with the Information Technology (Reasonable
Security Practices and Procedures and Sensitive Personal Data
or Information) Rules, 2011 (SPDI Rules) under section 43A of
the IT Act.
Enforcement under the current legal regime has been dismal.
Recently, the Supreme Court recognised privacy as a fundamental
right under article 21 of the Indian Constitution, and also
directed the government to bring out an exclusive law on data
privacy. With the Cambridge Analytica debacle and the Supreme
Court's directions as...