Last review date: 20 December 2024
The Indian Computer Emergency Response Team
Under the IT Act, the Government of India has appointed the Indian Computer Emergency Response Team (CERT-In) to collect, analyze, and disseminate information on cyber incidents, provide forecasts and alerts of cybersecurity incidents, provide emergency measures for handling cybersecurity incidents, and coordinate cyber incident response activities. The CERT-In has issued the Cyber Security Directions that mandate all entities to report all cybersecurity incidents to the CERT-In within six hours of becoming aware of such incidents.
Data Protection Board of India
The DPDP Act envisions the establishment of the Data Protection Board of India (DPBI), an independent supervisory and enforcement authority responsible for overseeing compliance with the provisions of the DPDP Act. However, to date, the Government of India has not yet constituted the DPBI. Once established, the DPBI will operate as an online platform to investigate complaints, address breaches of personal data, issue directives, and impose penalties for violations of the DPDP Act and its subordinate legislations.
In India, there is no regulator that governs and regulates the processing of non-personal data.
Last review date: 20 December 2024
The Indian Computer Emergency Response Team
Moderately active
Data Protection Board of India
Not very
Last review date: 20 December 2024
There have been no notable enforcement activities in India from a broad privacy perspective.
That being said, CERT-In regularly disseminates information and shares security tips on cyber safety and security. It also operates an automated cyber threat exchange platform that collects, analyzes and shares tailored alerts with organizations across sectors, enabling them to take proactive threat mitigation actions.
Further, upon CERT-In being notified of a cyber security incident, it may issue directions and/or orders to the entities involved in the cybersecurity incident. Failure to furnish information or non-compliance with an order/direction from CERT-In may result in the imposition of penalties under the IT Act and any other laws as applicable.
Currently, there is no enforcement under the DPDP Act and the Central Government has not provided a timeline for the establishment of the DPBI. However, the DPBI is expected to be set up by the end of 2025. Once established, it may impose significant monetary penalties ranging from INR 10,000 (approximately USD 117) to INR 250 Crores (approximately USD 29,437,999), depending on the nature of the violation. Notably, the DPDP Act does not prescribe criminal sanctions for non-compliance.
Individual sectoral regulators, such as the Reserve Bank of India (RBI), have actively enforced data localization requirements applicable to regulated entities, such as payment system providers and licensed banks. For instance, regulated entities are prohibited from onboarding new customers until they have demonstrated full compliance with localization obligations.
Last review date: 20 December 2024
Regulatory investigations or direct enforcement activity by data or cyber regulators are:
☒ Increasing
Class actions/group actions under data or cyber regulation are:
☒ Not available in the jurisdiction
Last review date: 20 December 2024
There are:
☒ administrative remedies / civil penalties applied by regulators and law enforcement
☒ private remedies
Failure to comply with Privacy Rules is punishable by fines of up to INR 100,000 (approximately USD 1,203) and compensation to the affected person of up to INR 100,000 in the case of an individual (approximately USD 1,203) and INR 1,000,000 (approximately USD 12,027) in the case of a company.
The DPDP Act imposes penalties for non-compliance ranging from INR 10,000 (approximately USD 120) to INR 250 Crores (approximately USD 30,066,632), depending on the nature of non-compliance.
If an entity fails to comply with the directions of the CERT-In, the person responsible may be punished with imprisonment for a term which may extend to one year or with a fine of up to INR 10,000,000 (approximately USD 120,273) or both.