
KDU Law Journal                                  Volume 04 Issue II
                                                               September, 2024
              Information Technology (Reasonable Security Practices
              and Procedures and Sensitive Personal Data or Information)
              Rules, 2011 [45]
              The regulatory framework on data privacy in India was initially
              governed by the Information Technology (Reasonable Security
              Practices and Procedures and Sensitive Personal Data or Information)
              Rules, 2011. These rules were introduced under the Information
              Technology Act of 2000 and have been a cornerstone of India’s
              approach to data privacy. The rules seek to regulate the collection,
              use, and disclosure of sensitive personal data or information and
              mandate certain security measures for its protection. Additionally,
              they outline requirements for obtaining consent from individuals
              to collect and use their personal data and establish a framework for
              transferring such data outside India.
              Transfer of information under Rule 7 [46] of IT Rule 2011 is particularly
              significant in the age of globalization, where data is often transferred
              across international borders. The rule requires organizations to
              ensure that the personal data they transfer is subject to the same
              level of protection as it would be in their home jurisdiction and to
              obtain the necessary consent from individuals for such transfers.
              This provision upholds individuals’ privacy rights even in an
              increasingly interconnected world.







              [45] Information Technology (Reasonable Security Practices and Procedures and Sensitive
              Personal Data or Information) Rules, 2011, Gazette Notification dated 11th April 2011,
              https://www.meity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf
              [46] Rule 7 - Transfer of Information - A body corporate or any person on its behalf may
              transfer sensitive personal data or information including any information, to any other body
              corporate or a person in India, or located in any other country, that ensures the same level of
              data protection that is adhered to by the body corporate as provided for under these Rules.
              The transfer may be allowed only if it is necessary for the performance of the lawful contract
              between the body corporate or any person on its behalf and provider of information or where
              such person has consented to data transfer. Supra note 45.
               law.faculty@kdu.ac.lk