This is a brief update on the data access framework in India. The Indian Government has fairly wide powers under extant Indian criminal and IT laws to request for data (though, in practice, demands in non-criminal matters are rare). Now, the underlying framework of law in India is undergoing a change, that may spark a re-evaluation of these powers.
Changes in Criminal Laws
You will recall our earlier update on the three (3) new upcoming criminal codes to replace the existing criminal framework of India. These laws are Bharatiya Nyaya Sanhita, 2023 ("New Penal Code"/ "BNS"), Bharatiya Sakshya Adhiniyam 2023 ("New Evidence Code"/ "BSA")) and Bharatiya Nagarik Suraksha Sanhita, 2023 ("New Criminal Procedure Code"/ "BNSS"). On Christmas last year, the three codes were granted the Indian President's assent leading it to materialize into law. On February 23, 2024, the Indian Ministry of Home Affairs issued notifications in the gazette appointing July 01, 2024 as the date on which these laws will come into force.
These amended criminal laws tweak and modify a number of concepts under Indian laws, and your DPIAs for India may need updating as a result of these coming into force.
Changes in Data Interception Laws
The Government has also taken steps to enhance guardrails for data requisitioned per Indian surveillance laws. The EU ruling in Schrems II had led to focus on such surveillance powers, including in India. Until now, the regulations under the (Indian) Information Technology Act, 2000, only mandated the relevant security agency seeking interception / monitoring of data to destroy such records every six (6) months, unless required for a legal proceeding. On February 26, 2024, the Ministry of Electronics and Information Technology extended this obligation to home affairs departments of central and state governments too (as the case may be).
(Some background: Prior approval of the Secretary of Government of India, Ministry of Home Affairs (Central Level), and/or Secretary of State Government (in-charge of the Home Department) (State Level) is required ("Competent Authorities") is required to issue data access orders. The Competent Authority can authorise a security agency to carry out enforcement of such an order. However, since the regulations only stipulated the security agency to destroy intercepted records, there was a gap in regulation. Post this amendment, Competent Authorities are also to destroy accessed data every six (6) months. Interestingly, two years ago, the Minister of Communications had in response to a query from a Member of Parliament confirmed that the Ministry of Home Affairs does not maintain records of intercepted information per the Interception Regulations.)
This is a welcome change that bolsters the case that data of foreign individuals is adequately protected under Indian laws.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
