Author: | Published: 17 Oct 2018

Q: should India implement a GDPR-like data protection law?


Rabindra Jhunjhunwala, partner at Khaitan & Co.

Since 2000, India has seen exponential growth in the IT enabled services industry and in business processing outsourcing. The country's current data privacy and protection legal regime lacks a dedicated law and an exclusive regulator. Data privacy and protection is governed primarily through sections 43A and 72A of the Information Technology Act, 2000 (IT Act), along with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules) under section 43A of the IT Act.

Enforcement under the current legal regime has been dismal. Recently, the Supreme Court recognised privacy as a fundamental right under article 21 of the Indian Constitution, and also directed the government to bring out an exclusive law on data privacy. With the Cambridge Analytica debacle and the Supreme Court's directions as...