India started legislation on Data Protection first with ITA 2000. Initially there was no distinction between protection of non personal data and personal data and ITA 2000 was considered the legislation for “Cyber Security”. At that time “Compliance” was related to “Compliance of ITA 2000” and the framework being used for the IISF 309 (Indian Information Security Framework developed by Naavi). Many were using the ISO 27001 framework also while IISF 309 focussed on the ITA 2000/8 compliance directly.
Subsequently during the 2008 amendments, sections such as Section 43A were added to the ITA 2000 and the demand for special compliance provisions related to Personal Data was addressed.
After the demand for more focussed “Privacy Protection” arose from the Supreme Court decisions on Aadhaar and later the Puttaswamy judgement and the recommendations of the Justice Srikrishna Committee, the thought of having a replacement law for Section 43A was mooted. Halfway down the PDPB 2019 draft was changed to DPA 2021 trying to bring at least the data breach notification of non personal data into the personal data legislation. This was discarded in the latest DPDPB 2022.
Links to fdppi.in (9)
naavi.orgNaavi.org | Towards building Cyber Jurisprudence in India
ujvala.comUjvala Consultants Private Limited | Since 1994 on the path of Innovation
Naavi.org | Towards building Cyber Jurisprudence in India