Database

Browse Database
Restrictions on data

INDIA

Since 2009

Chapter Data policies  |  Sub-chapter Administrative requirements on data privacy
Department of Telecommunications, Ministry of Communications & IT, Government of India, “License Agreement for Provision of Internet Services”

Department of Telecommunications, Ministry of Communications & IT, Government of India, "License Agreement for Provision of Unified Access Services after Migration from CMTS"
The Internet Service Provider licence and Unified Access Services Licence identify several categories of records that must be made available and provided for security purposes to the Telecom Authority or authorized Intelligence Agencies. (more information available under data retention subchapter)
Coverage Internet Service Providers
Restrictions on data

INDIA

Reported in September 2018

Chapter Data policies  |  Sub-chapter Administrative requirements on data privacy
Draft Personal Data Protection Bill, 2018
A draft Personal Data Protection Bill would require that data breaches be reported to the Indian Data Protection Authority "as soon as possible and not later than the time period specified by the authority." The period of time in question is to be specified on a later date.

Additionally, "upon receipt of notification, the Authority shall determine whether such breach should be reported by the data fiduciary to the data principal, taking into account the severity of the harm that may be caused to such data principal or whether some action is required on the part of the data principal to mitigate such harm."
Coverage Horizontal
Restrictions on data

INDIA

Reported in September 2018

Chapter Data policies  |  Sub-chapter Administrative requirements on data privacy
Draft Personal Data Protection Bill, 2018
A draft Personal Data Protection Bill would require that "significant data fiduciaries" appoint a Data Protection Officer to oversee compliance with the law; comply with annual independent audits of their processing of personal data; and conduct impact assessments for new technologies or large-scale profiling or use of personal data.
Coverage Horizontal
Restrictions on data

INDIA

Reported in September 2018

Chapter Data policies  |  Sub-chapter Administrative requirements on data privacy
Draft Personal Data Protection Bill, 2018
A draft Personal Data Protection Bill would require that "significant data fiduciaries" perform impact assessments, "where the data fiduciary intends to undertake any processing involving new technologies or large scale profiling or use of sensitive personal data such as genetic data or biometric data, or any other processing which carries a risk of significant harm to data [subjects]"
Coverage Horizontal
Restrictions on data

INDIA

Reported in September 2018

Chapter Data policies  |  Sub-chapter Personal rights to data privacy
Draft Personal Data Protection Bill, 2018
A draft Personal Data Protection Bill would provide data subjects with the right to be forgotten, which would give them authority to restrict how companies use data that they previously shared, although the Bill would not require companies to delete such data altogether.

The bill does not apply to anonymsed data, but does apply to data processors not present within India, so long as they have a connection to any business in India.
Coverage Horizontal
Restrictions on data

INDIA

Reported in September 2018

Chapter Data policies  |  Sub-chapter Data retention
Draft Personal Data Protection Bill, 2018
A draft Personal Data Protection Bill would prohibit "significant data fiduciaries" from retaining personal data longer than "may be reasonably necessary to satisfy the purpose for which it is processed."

The bill does not apply to anonymsed data, but does apply to data processors not present within India, so long as they have a connection to any business in India.
Coverage Horizontal
Restrictions on data

INDIA

Since 2005

Chapter Data policies  |  Sub-chapter Data retention
Rules for Record Keeping and Reporting
Banking information must be stored for 10 years "from the date of cessation of the transactions between the client and the banking company, financial institution or intermediary, as the case may be".
Coverage Financial services
Restrictions on data

INDIA

Since January 2010

Chapter Data policies  |  Sub-chapter Data retention
Department of Telecommunications, Ministry of Communications & IT, Government of India, “License Agreement for Provision of Internet Services”

Department of Telecommunications, Ministry of Communications & IT, Government of India, "License Agreement for Provision of Unified Access Services after Migration from CMTS"
Retention requirements for service providers are found in the Internet Service Provider licence and Unified Access Services Licence (UASL), which are grounded in the Indian Telegraph Act of 1885. Internet Service Providers are required to retain a complete audit trail of the remote access activities pertaining to the network operated in India for a period of six months. Moreover, all commercial records with regard to the communications exchanged on the network must be maintained for a year.

In addition, the licences identify several categories of records that must be made available and provided for security purposes - which therefore implies that records should be kept. These include:
- a log of all users connected and the service they are using,
- a log of every outward login or telnet through an Internet Service Providers computer,
- copies of all packets originating from the Customer Premises Equipment of the Internet Service Provider,
- a complete list of subscribers must be made available on the Internet Service Provider website with password controlled access,
- a complete list of Internet leased line customers and their sub-customers (including, name of customer, IP address allotted, bandwidth provided, address of installation, date of installation/commissioning, and contact person with phone no./email),
- the geographical location of any subscriber,
- further information.
Coverage Internet Service Providers
Restrictions on data

INDIA

Reported in September 2018

Chapter Data policies  |  Sub-chapter Restrictions on cross-border data flows
Draft Personal Data Protection Bill, 2018
Under a draft Personal Data Protection Bill, processing of personal data can only be done with a free, informed, specific and clear consent of the data subject which is capable of being withdrawn. For "senstive personal data", a subset of of personal data including passwords, financial data, and health data, among other, explicit consent is required. The bill defines explicit consent as consent that must be specific, having regard to whether the data principal can choose to not consent to certain purposes of processing of their personal data.

The bill does not apply to anonymsed data, but does apply to data processors not present within India, so long as they have a connection to any business in India.
Coverage Horizontal
Restrictions on data

INDIA

Since April 2011

Chapter Data policies  |  Sub-chapter Restrictions on cross-border data flows
Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules
The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules provide that cross-border data flows of sensitive personal data or information can be made:
- provided that such transfer is necessary for the performance of a lawful contract between the body corporate (or any person acting on its behalf) and the provider of information, or
- provided that such transfer has been consented to by the provider of information.
Coverage Horizontal
Restrictions on data

INDIA

Since April 2018, due to come into force in October 2018

Chapter Data policies  |  Sub-chapter Restrictions on cross-border data flows
Royal Bank of India Directive
In April 2018, the Royal Bank of India (RBI) issued a one-page directive stating that, within six months, all payment data held by payment companies should be held in local facilities. The Directive noted that this would help the RBI gain "unfettered supervisory access" to transaction data, which it needs to ensure proper monitoring.

Following a negative response from international payment companies such as MasterCard, Visa and American Express, the RBI has proposed to ease this restriction, so as to allow payment firms to store data offshore, as long as a copy was kept in India. In is not clear when the RBI's position will be clarified.
Coverage Payment firms
Restrictions on data

INDIA

Reported in September 2018

Chapter Data policies  |  Sub-chapter Restrictions on cross-border data flows
Draft Personal Data Protection Bill, 2018
A draft Personal Data Protection Bill would require one copy of all personal data to which the law applies to be stored on a server located in India. The bill also gives the Indian government the authority to classify information as "critical personal data," which may only be stored within India. This would broadly apply to any data, "collected, disclosed, shared, or otherwise processed within the territory of India," meaning, for example that it could capture all personal data provided by foreign entities to Indian IT companies for processing, even if such foreign entities do not process Indian citizens' data.

The bill does not apply to anonymsed data, but does apply to data processors not present within India, so long as they have a connection to any business in India.
Coverage Horizontal
Restrictions on data

INDIA

Since 2015

Chapter Data policies  |  Sub-chapter Restrictions on cross-border data flows
Guidelines for Government Departments On Contractual Terms Related to Cloud Services
In 2015, India’s Ministry of Electronics and Information Technology (MEITY) issued guidelines for a cloud computing empanelment process under which cloud computing service providers may be provisionally accredited as eligible for government procurements of cloud services. The guidelines require such providers to store all data in India to qualify for the accreditation.
Coverage Cloud computing
Restrictions on data

INDIA

Since 2012

Chapter Data policies  |  Sub-chapter Restrictions on cross-border data flows
National Data Sharing and Accessibility Policy
India’s National Data Sharing and Accessibility Policy requires that “non-sensitive data available either in digital or analog forms but generated using public funds” must be stored within the borders of India. The policy states that data belongs to the "agency/department/ministry/entity which collected them and reside in their IT enabled facility.”
Coverage Horizontal
Establishment restrictions

INDIA

Since 2010

Chapter Business mobility  |  Sub-chapter Other restrictive practices related to business mobility
Minimum salary requirement
India relaxed the visa norms for hiring by Indian IT companies. This means that now the IT-industry can hire foreign professionals 'as per requirement' instead of the earlier cap of '20 employees per project'. However, in view of the fact that there was a large influx of low-skilled workers in the sector from the neighboring countries, the government has stipulated that the foreign service supplier in the sector will have to give a declaration to the effect that his/her annual salary is in excess of USD 25,000 per annum. This condition has been introduced to ensure the entry of only high-skilled foreign professionals into the industry.
Coverage IT-sector