The SPDI Rules: An Early Attempt At Data Protection In India And Its Limitations
- IJLLR Journal
- Nov 30, 2024
Sudhanwa Sandeep Joshi, Government Law College, Mumbai
ABSTRACT
The Digital Personal Data Protection Act, 2023 received Presidential assent on August 11th 2023 – yet a year later, its rules remain unnotified, rendering it unenforceable.1 Therefore, the currently applicable legislative framework for data protection in India remains Section 43A of the Information Technology Act, 2000 together with its notified rules – the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”). This paper attempts to explore one of the earliest legislative recognitions of the right to privacy, and to evaluate it against modern yardsticks as well as basic data protection principles. It touches upon the advantages of the SPDI Rules – such as the incorporation of OECD Guidelines, which gave them international credibility – and their disadvantages, such as blanket exemptions for the Government and the largely procedural nature of the rules. It attempts to demonstrate why there is a need to implement the new data protection regime at the earliest, while at the same time lauding the SPDI Rules as a novel and novice attempt at implementing a data protection regime in India.