Database
Restrictions on data
INDIA
Reported in September 2018
Chapter Data policies |
Sub-chapter Personal rights to data privacy
Draft Personal Data Protection Bill, 2018
A draft Personal Data Protection Bill would provide data subjects with the right to be forgotten, which would give them authority to restrict how companies use data that they previously shared, although the Bill would not require companies to delete such data altogether.
The bill does not apply to anonymised data, but does apply to data processors not present within India, so long as they have a connection to any business in India.
Coverage Horizontal
Restrictions on data
INDIA
Reported in September 2018
Chapter Data policies |
Sub-chapter Data retention
Draft Personal Data Protection Bill, 2018
A draft Personal Data Protection Bill would prohibit "significant data fiduciaries" from retaining personal data longer than "may be reasonably necessary to satisfy the purpose for which it is processed."
The bill does not apply to anonymised data, but does apply to data processors not present within India, so long as they have a connection to any business in India.
Coverage Horizontal
Restrictions on data
INDIA
Since 2005
Chapter Data policies |
Sub-chapter Data retention
Rules for Record Keeping and Reporting
Banking information must be stored for 10 years "from the date of cessation of the transactions between the client and the banking company, financial institution or intermediary, as the case may be".
Coverage Financial services
Restrictions on data
INDIA
Since January 2010
Chapter Data policies |
Sub-chapter Data retention
Department of Telecommunications, Ministry of Communications & IT, Government of India, “License Agreement for Provision of Internet Services”
Department of Telecommunications, Ministry of Communications & IT, Government of India, "License Agreement for Provision of Unified Access Services after Migration from CMTS"
Retention requirements for service providers are found in the Internet Service Provider licence and Unified Access Services Licence (UASL), which are grounded in the Indian Telegraph Act of 1885. Internet Service Providers are required to retain a complete audit trail of the remote access activities pertaining to the network operated in India for a period of six months. Moreover, all commercial records with regard to the communications exchanged on the network must be maintained for a year.
In addition, the licences identify several categories of records that must be made available and provided for security purposes - which therefore implies that records should be kept. These include:
- a log of all users connected and the service they are using,
- a log of every outward login or telnet through an Internet Service Provider's computer,
- copies of all packets originating from the Customer Premises Equipment of the Internet Service Provider,
- a complete list of subscribers, which must be made available on the Internet Service Provider website with password-controlled access,
- a complete list of Internet leased line customers and their sub-customers (including name of customer, IP address allotted, bandwidth provided, address of installation, date of installation/commissioning, and contact person with phone no./email),
- the geographical location of any subscriber,
- further information.
Coverage Internet Service Providers
Restrictions on data
INDIA
Reported in September 2018
Chapter Data policies |
Sub-chapter Restrictions on cross-border data flows
Draft Personal Data Protection Bill, 2018
Under a draft Personal Data Protection Bill, processing of personal data can only be done with the free, informed, specific and clear consent of the data subject, which is capable of being withdrawn. For "sensitive personal data", a subset of personal data including passwords, financial data, and health data, among others, explicit consent is required. The bill defines explicit consent as consent that must be specific, having regard to whether the data principal can choose to not consent to certain purposes of processing of their personal data.
The bill does not apply to anonymised data, but does apply to data processors not present within India, so long as they have a connection to any business in India.
Coverage Horizontal
Restrictions on data
INDIA
Since April 2011
Chapter Data policies |
Sub-chapter Restrictions on cross-border data flows
Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules
The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules provide that cross-border data flows of sensitive personal data or information can be made:
- provided that such transfer is necessary for the performance of a lawful contract between the body corporate (or any person acting on its behalf) and the provider of information, or
- provided that such transfer has been consented to by the provider of information.
Coverage Horizontal
Restrictions on data
INDIA
Since April 2018, due to come into force in October 2018
Chapter Data policies |
Sub-chapter Restrictions on cross-border data flows
Royal Bank of India Directive
In April 2018, the Royal Bank of India (RBI) issued a one-page directive stating that, within six months, all payment data held by payment companies should be held in local facilities. The Directive noted that this would help the RBI gain "unfettered supervisory access" to transaction data, which it needs to ensure proper monitoring.
Following a negative response from international payment companies such as MasterCard, Visa and American Express, the RBI has proposed to ease this restriction, so as to allow payment firms to store data offshore, as long as a copy is kept in India. It is not clear when the RBI's position will be clarified.
Coverage Payment firms
Restrictions on data
INDIA
Reported in September 2018
Chapter Data policies |
Sub-chapter Restrictions on cross-border data flows
Draft Personal Data Protection Bill, 2018
A draft Personal Data Protection Bill would require one copy of all personal data to which the law applies to be stored on a server located in India. The bill also gives the Indian government the authority to classify information as "critical personal data," which may only be stored within India. This would broadly apply to any data "collected, disclosed, shared, or otherwise processed within the territory of India," meaning, for example, that it could capture all personal data provided by foreign entities to Indian IT companies for processing, even if such foreign entities do not process Indian citizens' data.
The bill does not apply to anonymised data, but does apply to data processors not present within India, so long as they have a connection to any business in India.
Coverage Horizontal
Restrictions on data
INDIA
Since 2015
Chapter Data policies |
Sub-chapter Restrictions on cross-border data flows
Guidelines for Government Departments On Contractual Terms Related to Cloud Services
In 2015, India’s Ministry of Electronics and Information Technology (MEITY) issued guidelines for a cloud computing empanelment process under which cloud computing service providers may be provisionally accredited as eligible for government procurements of cloud services. The guidelines require such providers to store all data in India to qualify for the accreditation.
Coverage Cloud computing
Restrictions on data
INDIA
Since 2012
Chapter Data policies |
Sub-chapter Restrictions on cross-border data flows
National Data Sharing and Accessibility Policy
India’s National Data Sharing and Accessibility Policy requires that “non-sensitive data available either in digital or analog forms but generated using public funds” must be stored within the borders of India. The policy states that data belongs to the "agency/department/ministry/entity which collected them and reside in their IT enabled facility.”
Coverage Horizontal
Restrictions on data
ISRAEL
Since 2003
Chapter Data policies |
Sub-chapter Administrative requirements on data privacy
Supervisor of Banks’ Regulation No. 357 on Information Technology Management
Under the Supervisor of Banks’ Regulation No. 357 on Information Technology Management, breach notification obligations apply in the financial sector.
Coverage Financial sector
Restrictions on data
ISRAEL
Since 1981
Since May 2018
Chapter Data policies |
Sub-chapter Administrative requirements on data privacy
Privacy Protection Act, 5741-1981
Privacy Regulations (Data Security), 5777-2017
Israel's Privacy Protection Act requires that public agencies, financial institutions and companies maintaining five or more databases appoint a data security officer. Additionally, each database needs to have a “database manager”, who by default is the company’s CEO.
As of May 2018, the Privacy Regulations also require that the data security officer must be directly subordinate to the database manager, or to the manager of the entity that owns or holds the database, to ensure his/her independence.
Coverage Public and financial institutions, databases
Restrictions on data
ISRAEL
Since May 2018
Chapter Data policies |
Sub-chapter Administrative requirements on data privacy
Privacy Regulations (Data Security), 5777-2017
According to Israel's Privacy Regulations (Data Security) 5777-2017, at least once every 18 months the owners of high-level security databanks must conduct a survey of the databank’s data security, analyze the security risks, and correct the errors identified. Such owners are also responsible for testing the susceptibility of the databank systems to internal and external security risks.
Coverage Horizontal
Restrictions on data
ISRAEL
Since 2001
Since May 2018
Chapter Data policies |
Sub-chapter Restrictions on cross-border data flows
Protection of Privacy Regulations (Transfer of Information to Databases outside of the State's Boundaries), 2001
Privacy Regulations (Data Security), 5777-2017
The Protection of Privacy Regulations of 2001 permit transfers to: EU Member States; other signatories of Council of Europe Convention 108; and a country “which receives data from Member States of the European Community, under the same terms of acceptance”. Transfers to other countries are permitted:
- subject to data subject consent;
- from an Israeli corporate parent to a foreign subsidiary; or
- provided the data importer enters into a binding agreement with the data exporter to comply with Israeli legal standards concerning the storage and use of data.
Furthermore, the Privacy Protection Regulations (Data Security) 5777-2017 stipulate that engaging an outsourced data processing provider requires pre-engagement due-diligence review of the risks entailed in the engagement. The contractual engagement shall address issues such as the purposes for which the data will be used, the type of data processing to be performed, the period of engagement and return of the data upon conclusion of the engagement.
Coverage Horizontal
Sources
- https://clientsites.linklaters.com/Clients/dataprotected/Pages/Israel.aspx
- http://www.oecd-ilibrary.org/docserver/download/5jxszm7x2qmr.pdf?expires=1433233857&id=id&accname=guest&checksum=AD13EAB03C5E637FE0523665DEA80C1E
- http://www.nortonrosefulbright.com/files/global-data-privacy-pdf-5mb-103754.pdf
- https://www.law.co.il/en/articles/2017/03/26/dramatic-overhaul-israeli-data-security-regulations/
Restrictions on data
ICELAND
Since May 2014
Chapter Data policies |
Sub-chapter Personal rights to data privacy
C-131/12 - Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González.
On 13 May 2014, the European Court of Justice ruled that individuals are entitled to seek the deletion of links on search engines about themselves if the information is outdated or irrelevant, the so-called right to be forgotten. Although the court ruling only applies to the 28 European Member States, four other countries - Iceland, Liechtenstein, Norway and Switzerland - are de facto making use of it.
Coverage Search engines