Page 23 - KDU Law Journal Volume 4 Issue 2
P. 23
KDU Law Journal Volume 04 Issue II
September, 2024
Information Technology (Reasonable Security Practices
and Procedures and Sensitive Personal Data or Information)
Rules, 2011 45
The regulatory framework on data privacy in India was initially
governed by the Information Technology (Reasonable Security
Practices and Procedures and Sensitive Personal Data or Information)
Rules, 2011. These rules were introduced under the Information
Technology Act of 2000 and have been a cornerstone of India’s
approach to data privacy. The rules seek to regulate the collection,
use, and disclosure of sensitive personal data or information and
mandate certain security measures for its protection. Additionally,
they outline requirements for obtaining consent from individuals
to collect and use their personal data and establish a framework for
transferring such data outside India.
Transfer of information under Rule 7 of IT Rule 2011 is particularly
46
significant in the age of globalization, where data is often transferred
across international borders. The rule requires organizations to
ensure that the personal data they transfer is subject to the same
level of protection as it would be in their home jurisdiction and to
obtain the necessary consent from individuals for such transfers.
This provision upholds individuals’ privacy rights even in an
increasingly interconnected world.
45 Information Technology (Reasonable Security Practices and Procedures and Sensitive
Personal Data or Information) Rules, 2011, Gazette Notification dated 11 April 2011,
th
https://www.meity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf
46 Rule 7- Transfer of Information- A body corporate or any person on its behalf may
transfer sensitive personal data or information including any information, to any other body
corporate or a person in India, or located in any other country, that ensures the same level of
data protection that is adhered to by the body corporate as provided for under these Rules.
The transfer may be allowed only if it is necessary for the performance of the lawful contract
between the body corporate or any person on its behalf and provider of information or where
such person has consented to data transfer. Supra note 45.
law.faculty@kdu.ac.lk
16