The document summarizes recent legal and regulatory changes in India that have driven increased focus on privacy and data protection. It outlines (i) the Supreme Court's recognition of privacy as a fundamental right, (ii) a whitepaper proposing a new data protection law meeting international standards, (iii) a draft digital health law regulating personal data in healthcare, (iv) an RBI order requiring payment data localization in India, and (v-vi) new rules for prepaid payment instruments and the extraterritorial implications of the EU's new General Data Protection Regulation. The changes indicate India is moving to strengthen data privacy laws and compliance.

1. PRIVACY & DATA PROTECTION UPDATE
The last year has seen a sea change in the way businesses in India perceive privacy and data protection laws.
Below is a quick summary of multiple legal and regulatory changes that have driven this change.
(i) The Supremes Endorsement of Privacy as a Fundamental Right
A nine-judge bench in Puttaswamy and Anr. v. the Union of India, unanimously held that right to privacy
is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of
the freedoms guaranteed by Part III of the Constitution, overruling a plethora of previous decisions. The
Supreme Court further has clarified that any law which encroaches upon privacy will have to withstand
constitutional scrutiny. Any such law or regulation must meet the three-fold requirement of (i) legality;
(ii) necessity and (iii) proportionality. The fate of various Government initiatives, including the Aadhar
project, depends on its ability to satisfy the Puttaswamy test.
(ii) White Paper on a new Indian Data Protection Law
In November 2017, the government-constituted Srikrishna Committee released a whitepaper on the
underlying framework of a possible data protection legislation in India. With its wide-ranging comments
and focus on compliance with international standards of data protection, the Whitepaper has left many
with a sense of cautious optimism. Reports suggest that the Committee is in the last leg of finalising the
Report, which shall no doubt be subject to close scrutiny in the light of the European Union’s General
Data Protection Rules coming into effect in late May 2018. The Ministry of Law & Justice has indicated
that a new data protection law will be enacted in the next few months.
(iii) Digital Information Security & Healthcare Act
While the process of enacting a comprehensive data protection legislation is presently underway in India,
the Ministry of Health & Family Welfare has published a draft of the Digital Information Security in
Healthcare Act. The draft addresses the treatment of “digital health data” by “clinical establishments” (a
term that includes both public and private organisations). While still work in progress, DISHA imposes
privacy and confidentiality obligations on clinical establishments that include the use of physical and
technical measures and processes, having in place procedures for data breaches, and ensuring training
and oversight of their personnel. The draft addresses the collection, storage, treatment, ownership, and
transmission of and access to digital health data and further, carves out the rights of owners of the digital
health data.
(iv) The Data Localization Order
A formal notification was issued by the RBI on April 6, 2018 (the “Direction”) that provides that all system
providers shall ensure that the entire data relating to payment systems operated by them are stored in a
system only in India. Clearly, the RBI has cast a wide net on the data it wants supervisory access over.
The RBI has spelt out in the Direction that it is referring to not only data stored with the system providers,
but also with their service providers, intermediaries and third-party vendors and other entities in the
payment ecosystem. Further, this data should include full end-to-end transaction details, information
collected, carried and processed as part of the message or payment instruction.
System providers have been given a period of six months (which will end on October 15, 2018) to comply
with the Direction and are required to submit a System Audit Report duly approved by the Board of the
system providers to the RBI by December 31, 2018.

2. (v) The Information Technology (Security of Pre Paid Instruments) Rules
On March 8, 2017, the Ministry of Electronics & Information Technology released a set of draft
information Security rules for PPIs. The Rules as presently drafted impose the following obligations on
PPI issuers :
i) Adopt and implement an information security policy;
ii) Ensure that the Privacy Policy adopted by entities is in an easy understandable format. The Privacy
Policy among other details must specify the type of information collected, purpose for such
collection, use of information collected;
iii) Carry out risk assessments to identify and assess the risks associated with the security of the
payment systems operated by it;
iv) Ensure that customers are identified through adequate due diligence procedures at the time of
issuance of a PPI;
v) Ensure that end-to-end encryption is applied to safeguard the data exchanged;
vi) Adequate processes in place to ensure that all interactions with customers or other service
providers in relation to accessing payment accounts or initiating payments can be appropriately
traced;
vii) Designate a grievance officer for receiving complaints from customers;
viii) Establish a mechanism for monitoring, handling and follow-up of cyber incidents, cyber security
incidents and cyber security breaches.
(vi) The Long Arm of the new European Data Protection Law
The GDPR comes into effect on May 25, 2018. While the GDPR applies to entities based in the EU, it also
applies to businesses based out of the EU that either offer good or services to customers in the EU or
monitor the behaviour of customers in the EU. With this, many companies that have a tangential business
connection with theEU could be required to comply with theGDPR. If the GDPR applies, it couldmandate
the appointment of data protection officers within organisations and “representatives” in EU countries
in which customers are based, remodelling of privacy policy frameworks to ensure that “explicit consent”
is sought from customers and the identification of clear data breach processes.
Organisations should be warned of the possibility of heavy penalties, up to 4% of their worldwide annual
revenue, for non-compliance.
Do reach out to our Privacy Group, should you have any comments or questions.
Mathew Chacko Aadya Misra Ankita Hariramani
mathew@spiceroutelegal.com aadya.misra@spiceroutelegal.com ankita.hariramani@spiceroutelegal.com