Overview of Data Privacy laws in India

Privacy implies not to interfere in the interest of others. The technological advancement has led to privacy becoming a cause of concern for every individual. Data protection stresses individual liberty which comes under menace by the interference of a stranger. The access of a stranger to the individual’s activity by any means needs to be ceased by law. The Constitution of India has highlighted the importance on the enjoyment of rights rather than the compliance of duty. A rights-based approach is considered for data protection.

There is no explicit legislation in India related to data protection nor is it a party to any convention on the protection of personal data. Nevertheless, India is a party to many international declarations and conventions including the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights, which acknowledge the right to privacy. The data protection issue attracts the Right to Privacy, Right to Information, Information Technology, Indian penal Code, National Security, Intellectual property, Corporate Affairs, and much more. The constitutionality of privacy & data protection has been provided considerable significance in these recent days. The effective enforcement of the current legal framework is essential for the proper protection of privacy issues.

India has not yet ratified any particular legislation on data protection but, the Information Technology Act (2000) or referred to as the IT Act, 2000 was amended to include Sections 43-A and Section 72-A that have a strong bearing on the legal regime for data protection. Section 43-A and Section 72-A of the IT Act came into force on 27 October 2009. These provide for the right to compensation for improper disclosure of personal information.

Section 43-A reads as follows:

“Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.”

Section 72-A provides for punishment of disclosure of information in breach of a lawful contract. It reads as follows:

“Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person, shall be punished with imprisonment for a term which may extend to three years, or with fine which may extend to five lakh rupees, or with both.”

The central government has also issued the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 under Section 43-A of the IT Act. These came into effect on 11 April 2011. The Rules have inflicted some additional obligations on commercial and business entities in India regarding the collection and release of sensitive personal data or information which have some similarities with the GDPR (General Data Protection Regulation) and the Data Protection Directive

The government has introduced a biometric-based unique identification number for residents of India known as ‘Aadhaar’. Aadhaar is regulated by the Aadhaar (Targeted Delivery of Financial and Other Subsidies Act) 2016 and rules and regulations issued in the Act. The Act came into force on 12 September 2016. Entities in regulated sectors such as financial services and telecom sectors are subject to obligations of confidentiality under sectoral laws which necessitate them to keep customer personal information private and use them for prescribed purposes or only in the manner settled with the customer.

Internet Security and Personal data are also protected through secondary safeguards developed by the courts under common law, principles of equity, and the law of breach of confidence. In the landmark case of Justice K.S. Puttaswami & another Vs. Union of India, the judgment of which was passed in August 2017, the Supreme Court of India has recognized the right to privacy as a fundamental right under Article 21 of the Constitution as a part of the right to “life” and “personal liberty”. “Informational privacy” has been accepted as being a facet of the right to privacy and the court held that information about a person and the right to access that information also needs to be protected for privacy. The court stated that every person should have the right to control the commercial use of his or her identity and that the “right of individuals to exclusively commercially exploit their identity and personal information, to control the information that is available about them on the internet and to disseminate certain personal information for limited purposes alone” emanates from this right. This was the first time that the Supreme Court expressly credited the right of individuals over their data. Fundamental rights are enforceable against the state and its instrumentalities and the Supreme Court in the same judgment recognized that enforcing the right to privacy against private entities may require legislative involvement.

Consequently, the Government of India established a committee to propose a draft statute on data protection. The committee recommended a draft law and the Government of India has issued the Personal Data Protection Bill, 2019 based on the draft proposed by the committee. This is the country’s first bill on the protection of personal data and will repeal Section 43-A of the IT Act.

The Bill encompasses mechanisms for the protection of personal data and recommends the setting up of a Data Protection Authority of India for the same. The Bill aims to:

“to provide for protection of the privacy of individuals relating to their personal data, specify the flow and usage of personal data, create a relationship of trust between persons and entities processing the personal data, protect the fundamental rights of individuals whose personal data are processed, to create a framework for organisational and technical measures in processing of data, laying down norms for social media intermediary, cross-border transfer, accountability of entities processing personal data, remedies for unauthorised and harmful processing, and to establish a Data Protection Authority of India for the said purposes and for matters connected there with or incidental thereto.”

A combined parliamentary committee is presently considering the PDP Bill and a revised draft of the PDP Bill is anticipated to be issued in 2020. The PDP Bill would then have to be passed by both houses of Parliament and be notified in the official gazette before it becomes a law.

Other general legislation impacting data protection:

  1. The Copyright Act (1957):  Since the Act provisions intellectual property rights in diverse kinds of creative work including literary works, and the term “literary work” legally comprises computer databases, copying a computer database, or copying or distributing, a database could amount to copyright infringement under the Act. Clearly, there is a difference between database protection and data protection.  Database protection protects the creative investment in collecting, presentation and verification of databases, while data protection aims to protect the privacy of individuals by restricting access.
  • The Indian Penal Code (1860):  This could be used to prevent theft of data.  The offences of theft and misappropriation theoretically apply only to movable property under the IPC, but the term “movable property” has been defined to include corporeal property of every description except land or property that is permanently attached to the earth.
  • The Indian Constitution:  Article 21 of the Constitution protects an individual’s right to life and personal liberty.  The Supreme Court of India, in a nine-judge bench decision in August 2017,  held that citizens enjoy a fundamental right to privacy that is inherent to life and liberty. 

In addition to the above, invasion or breach of privacy also results to an action in tort. Also, there are some sector-specific legislation that influences data protection.

The National Association of Service & Software Companies (NASSCOM), which is a non-profit industry association and the apex body for the Indian IT BPM industry leads the private sector initiatives to protect and boost data privacy regulation in the country.

The Business Process Outsourcing Units implement self-regulatory processes, such as the BS 7799 and the ISO 17799 standards, to regulate information security management and restrict the quantity of data made accessible to employees.

The Reserve Bank of India issues guidelines, regulations and circulars from time to time, to maintain the secrecy and privacy of client information, and it also established a body called the Banking Codes and Standards Board of India to develop a set of voluntary norms which banks must enforce themselves through internal grievance redressal mechanisms within each bank.

The Medical Council of India has set out the Indian Medical Council (Professional conduct, Etiquette and Ethics) Regulations, 2002 (Code of Ethics Regulations, 2002).  These rules administer various issues, including doctor-patient confidentiality, the collection of personal data from patients, issues of consent, and the extent to which invasive procedures may be conducted.

These regulations apply supplementary to the IT Rules. Although they provide a certain degree of security, the lack of legislative enforcement and foresight mean that they are enforced in varying degrees by each institution and do not come with guaranteed parliamentary sanction.

The several agencies performing cyber security operations in India, such as the National Technical Research Organisation, the National Intelligence Grid and the National Information Board, require robust policy and legislative and infrastructural support from the Ministry of Electronics and Information Technology, and from the courts, to enable them to do their jobs properly.

— Simran Khurana intern at Ravindra Vikram Law Associates

The content here is for educational purposes only. User access at your own volition. Click the link to read the full Disclaimer.

error: Content is protected !!
Visit Us On FacebookVisit Us On TwitterVisit Us On InstagramVisit Us On YoutubeVisit Us On LinkedinCheck Our Feed