Right to Privacy: Data Protection Laws in India

Image for representative purposes.

Image for representative purposes.

Whether it be personal data or digital data, online hackers, spammers, had opened a Pandora’s box of issues with data security which needed urgent judicial intervention.

New Delhi: There are no second thoughts on the fact that the case which would witness the historic verdict on Thursday by a nine judge bench determining whether Right to Privacy is a constitutional right or not, has its root in the Aadhaar case.

The constitutional validity of Aadhaar was challenged not only on the basis of the vulnerability of biometrics but also on how data leaks were becoming the new norm. Whether it be personal data or digital data, online hackers, spammers, had opened a Pandora’s box of issues with data security which needed urgent judicial intervention.

Data protection is one of the most important part of the right to privacy as a data protection law will protect your personal information, which is collected, processed and stored by "automated" means or intended to be part of a filing system.

In this backdrop and with a few hours to go for the Right to privacy verdict, News18 takes you through the various data protection laws of India:

No separate Law like the EU

Unlike the European Union, India does not have any separate law which is designed exclusively for the data protection. However, the courts on several occasions have interpreted "data protection" within the ambits of "Right to Privacy" as implicit in Article 19 and 21 of the Constitution of India.

However, the Ministry of Electronics and Information Technology (MeitY) has appointed an expert group headed by former Supreme Court judge BN Srikrishna to draft a data protection law.

The decision to constitute the group was communicated by the UIDAI to the Supreme Court as part of its arguments in the Right to Privacy case.

Did the First Occurrence on Data Protection Law Happen During Aadhaar Case?

The Centre on July 21 told the Supreme Court that data of users was integral to the Right of Life and Personal Liberty guaranteed under the Constitution and it would come out with regulations to protect it.

It said that there was a need for intervention by the state in the matter as data was connected to the personality of the user. This specific submission was made before a five judge constitution bench headed by Justice Dipak Misra which was judging the controversial case of 2016 privacy policy of WhatsApp messaging application.

Information Technology Act

The strongest legal protection provided to personal information in India is through section 43A of the Information Technology Act and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 developed under the section.

The provision requires a body corporate who 'receives, possesses, stores, deals, or handles' any ‘sensitive personal data’ to implement and maintain ‘reasonable security practices’, failing which they are held liable to compensate those affected. The Rules under section 43A contain the following major requirements:

Body corporates must provide a privacy policy to all 'providers of information' (Rule 4);

They must obtain consent in letter, fax, or email from the 'provider of information' before collecting, using or disclosing any sensitive personal information (Rule 5(1));

Sensitive personal information may only be collected for lawful and necessary purposes (Rule 5(2)(a))

While collecting the information, they must ensure that the individual is informed of the a) fact that the information is being collected; b) the purpose for which the information is being collected; c) the intended recipients of the information; d) the name and the address of the agency collecting information, and the agency that will retain the information (Rule 5(3));

Information should only be used for stated and agreed to purposes (Rule 5(5));

Individuals should be provided with the option to opt in or out of services prior to the collection of sensitive personal information and should have the ability to withdraw consent at any point in time (Rule 5(7));

Individuals should be allowed to review, update, and correct any sensitive personal information that they have provided wherever necessary (Rule 5(6));

Body corporates are allowed to retain sensitive personal information only as long as is lawfully necessary (Rule 5(4));

Before a body corporate is allowed to disclose or publish sensitive personal information to a third party, consent must be obtained from the individual who the information belongs.

The only circumstances under which a body corporate may disclose information is (i) if it is required to do so by a contract with the provider of the information or through the law; or (ii) if it is to be disclosed to a governmental agency mandated under law (Rule 6(1)); and

Body corporates must implement security practices and standards which require: a) a comprehensively documented information security programme; b) information security policies must contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected (Rule 8)


Penalty is in the form of a civil liability

Any corporates who fail to observe data protection norms may be liable to pay compensation if they are negligent in implementing and maintaining reasonable security practices and thereby cause wrongful loss or wrongful gain to any person.

, body corporates may be exposed to criminal liability under Section 72A of the IT Act if they disclose personal information with the intent of causing wrongful loss or obtaining a wrongful gain.

This Act includes the disclosure of personal information given in confidence as an unfair trade practice (as defined under section 2 (r)) and includes mental or emotional harm resulting from damage to property, among other things, as a harm.

Next Story