Data Protection Laws in India

Introduction
The concept of Privacy dates back to the dawn of human civilization. However, the idea of Privacy is
difficult to grasp. The term “Privacy” has taken on a variety of meanings for different academics, and
those definitions shift as society itself does. It is possible to trace back its history by looking at
arguments in the Constituent Assembly, when Privacy and secrecy were debated. Post-independence
India’s Constitution does not explicitly acknowledge the Right to Privacy, but precedents in the courts
have allowed it to develop. In the instance of Kharak Singh[1], it was acknowledged for the first time.
The “Indian Evidence Act, the Information Technology Act, the Indian Penal Code, Criminal Law,
Indian Telegraph Act, Indian Easement Act, and Family Law” are all examples of legislation that
include provisions that pertain to Privacy.1
“Right to Privacy,” according to Black’s Law Dictionary, includes “various Rights recognized as
inherent in the concept of ordered liberty.”
These freedoms protect people’s Right to fundamentally choose how they want to live their lives and
interact with their families, other people, and their interpersonal connections and activities. It also
refers to the freedom of the individual to decide what information about him or her is made public; he
or she is the exclusive owner of that information.

K.S. Puttaswamy v. UOI 2 ( August 2017): According to Article 21, the Court highlighted the Rights
to life and personal freedom.
R. Rajgopal v State of T.N 3: Recognized a person’s Right to safeguard his Privacy in a plethora of
matters.

PUCL v UOI 4: the Right to Privacy was recognized in the light of Article 17 of ICCPR and Article 12
of UDHR.

 Ram Jethmalani v UOI5: the SC recognized the Right to Privacy as an integral part of Article 21. The
Right to Privacy is a fundamental Right covered within the ambit of Right to life and personal liberty
under Article 21 which can be curtailed via procedure established by Law which is just, fair and
reasonable as laid down in Maneka Gandhi v UOI (AIR 1978 SC 597).

 State of Maharashtra v Bharat Shanti Lal Shah6 :the Supreme Court laid down that the Right to
Privacy can be curtailed in accordance with the procedure validly established by Law.
Govind v. State of MP7 : it was held that the fundamental Right explicitly guaranteed to a citizen has
plethora of zones and that the Right to Privacy is itself a fundamental Right, and it must be subject to
restriction on the basis of compelling public interests.

1
https://www.khuranaandkhurana.com/2022/11/09/privacy-and-data-protection-laws-in-india/#:~:text=The
%20%E2%80%9CIndian%20Evidence%20Act%2C%20the,these%20Laws%20in%20great%20length.
(27/05/2023; 19:45)
2
 (2017) 10 SCC 1
3
1994 SCC (6) 632.
4
AIR 1997 SC 568.
5
(2011) 8 SCC 1
6
(2008) 13 SCC 5
7
1975 SCR (3) 946
IT Laws

The sharing or receiving of personal information in spoken, writing, or electronic form is not
protected by a stand-alone legislation in India. Although there are safeguards, they are spread over a
variety of Laws, regulations, and policies.
IT (Amendment Act of 2008) and IT (Sensitive Personal Data or Information) Rules of 2011 include
the most significant clauses. For online trade and cybercrime, this is India’s most important Law in
the country. Because of their name, SPDI (Sensitive Personal Data or Information) Rules only cover
Data and information sent electronically; they do not cover Data and information obtained via non-
digital methods.
The Information Technology Bill, 2006 was finally introduced as a result, and the IT (Amendment)
Act, 2008 followed, with its provisions taking effect on Oct 27, 2009. It inserted Sec 43A in IT Act, as
per which, if: “a corporate body possesses or deals with any sensitive personal Data or information,
and is negligent in maintaining reasonable security to protect such Data or information, which thereby
causes wrongful loss or wrongful gain to any person, then such body corporate shall be liable to pay
damages to the person(s) so affected.”8
Sec 72A: “the punishment for disclosure of information in breach of Lawful contract and any person
may be punished with imprisonment for a term not exceeding three years, or with a fine not exceeding
up to five lakh rupees, or with both, in case disclosure of the information is made in breach of Lawful
contract.”
Punishment is stated in Sec 72: “any person who, in pursuance of any of the powers conferred under
the IT Act Rules or Regulations made thereunder, has secured access to any electronic record, book,
register, correspondence, information, document or other material without the consent of the person
concerned, discloses such electronic record, book, register, correspondence, information, document or
other material to any other person, shall be punishable with imprisonment for a term which may
extend to two years, or with fine which may extend to Rs 1,00,000, (approx. US$ 3,000) or with
both.” 
Sec 75: Anyone who commits an offense or violation outside of India shall be held to the same
standards as anyone who commits an offense or violation in India.

The Indian government established a Committee of Experts, headed by Justice B.N.

Srikrishna, to investigate Data Privacy problems in India during the K.S. Puttaswamy v. UOI
case. The report and draft Personal Data Protection Bill were given to Ministry of Electronics
and Information Technology in July 2018 after the white paper’s open consultation. Expert
Committee suggestions and stakeholder input were used to draft Personal Data Protection Bill
2019. It was developed following extensive engagement and consultation with a variety of
stakeholders, including Indian Law enforcement, which opposes “Data colonialism” by
significant Western technology companies like Google and Facebook and wants access to
Data stored in the US for national security investigations. As a replacement for Sec. 43-A of
the IT Act of 2000, this bill would eliminate all provisions pertaining to company liability for
Data breaches and Privacy violations. In the event that the legislation is passed, Data
fiduciaries and Data processors will need to:

 Inform the Data principals of the collecting of their Data.

8
https://www.khuranaandkhurana.com/2022/11/09/privacy-and-data-protection-laws-in-india/#:~:text=The
%20%E2%80%9CIndian%20Evidence%20Act%2C%20the,these%20Laws%20in%20great%20length.
  Request permission before processing a Data subject’s personal information.
 Gather and maintain proof that a notification was made and permission was
obtained.
 Enable users to access, amend, and delete their Data as well as withdraw their
permission.
 Permit customers to transmit their Data to other firms, including any conclusions
drawn by such businesses from that Data.
 alter organizational procedures to safeguard Data, such as by adhering to
Privacy
 by-design principles and putting in place security measures

Further, the Law stipulates that all “sensitive personal Data” must be kept in India and that
“essential personal Data” cannot be sent outside. As it would disrupt market-driven choices
and compel businesses to utilize local Data storage service providers, this has been
condemned as being Protectionist.

SPDI:
The SPDI Rules encompasses provisions to regulate9:
a.Processing of Personal Data/Information and/or Sensitive Personal Data/Information
b.Prescribing security practices and procedures for handling Personal Data/Information and/or
Sensitive Personal Data/Information
The SPDI Rules are applicable only to body corporates and individuals acting on behalf of body
corporates. Any company including a firm, sole proprietorship or other association of individuals
engaged in commercial or professional activities come within the ambit of ‘body corporate’. The
provisions of the IT Act and SPDI Rules apply to all body corporates collecting, receiving,
possessing, storing, dealing or handling the personal information of natural persons in India 10.
a. If a body corporate is located in India: SPDI Rules are applicable.
b. If a body corporate is located outside of India: SPDI Rules are applicable only if the body corporate
has a computer, computer system or computer network located in India.
The SPDI Rules define Personal Information as “any information that relates to a natural person,
which, either directly or indirectly, in combination with other information available or likely to be
available with a body corporate, is capable of identifying such person. Sensitive Personal Data or
Information has been defined as personal information which consists of information relating to 11:
a. Password
b. Financial information
c. Physical, physiological and mental health conditions
d. Sexual orientation
9
https://tsaaro.com/blogs/it-act-spdi-rules-data-protection-regime-of-india/ (27/05/2023; 20:07)
10
Ibid.
11
Ibid.
e. Medical records and history
f. Biometric information
The following information is disregarded as sensitive personal information/data and is excluded from
data protection obligations:
a.Information that is freely accessible in the public domain
b.Information availed under the Right to Information Act, 2005.

Privacy Policy12:
It is important to note that the obligation of publishing a privacy policy is applicable for all types of
personal information or data collected and is not limited to the collection of sensitive personal
information. Body Corporates while collecting personal information should publish a privacy policy
which must include:

a. a clear and easily accessible statement on its practices and policies

b. type of information collected

c. purpose of collection and usage of such information

d. policy on disclosure with third parties

e. reasonable security practices and procedures adopted.

Consent letter13
Where a body corporate is collecting any sensitive personal data, the body corporate or any person
on its behalf is required to obtain consent from the provider of information through a letter, email,
fax or any other electronic mode. While obtaining consent, the body corporate should ensure that
the provider of information knows the following metrics:

a. the fact that the information is being collected from them;

b. the purpose of the collection;

c. the intended recipients (eg. third parties with whom the information might be shared); and

d. the name and address of the body corporate or person on behalf of the body corporate who is
collecting such information.

Greivance Officer14
A body corporate must appoint a grievance officer whose name and contact details are to be
published on the website. The grievance officer shall ensure that the grievances and discrepancies of
the provider of information are resolved in a time-bound manner and within one month from the
date of receiving the grievance. The SPDI Rules do not stipulate any specific qualifications or
eligibility criteria for the appointment of the grievance officer.

12
https://tsaaro.com/blogs/it-act-spdi-rules-data-protection-regime-of-india/
13
https://tsaaro.com/blogs/it-act-spdi-rules-data-protection-regime-of-india/
14
Ibid.
Standard Security Practices15:
A body corporate shall be deemed to have complied with reasonable security practices and
procedures if they adopt:

a. The International Standard IS/ISO/IEC 27001 on “Information Technology – Security Techniques –

Information Security Management System – Requirements”; or

b. Any code of best practices duly approved & notified by the Central Government.

Disclosure16
Before disclosing/sharing sensitive personal data or information with any third party, the body
corporate shall require the prior consent of the provider of information[Rule 6, SPDI Rules, 2011].
Such consent can be escaped in the following circumstances:

a. Where the provider of information has already consented to such disclosure in the contract
entered between the body corporate and provider.
b. Where the disclosure is necessary for compliance with a legal obligation.
c. Where the disclosure is being made to a Government Agency mandated under law to obtain
such information.
d. Where the disclosure is directed by any order under any law.
e. Publication of sensitive personal information by the body corporate or by the third party
receiving the information is strictly prohibited.

Transfer17
A body corporate can transfer sensitive personal data to another body corporate located in India or
any other country under any of the following circumstances[Rule 7, SPDI Rules, 2011]:

a. The receiving entity adheres to the same level of data protection security measures as
adhered by the body corporate transferring the information; or
b. The transfer is necessary for the performance of a lawful contract between the provider of
information and body corporate.

Conclusion
In the current era of globalization, it has become much easier than it was ever earlier to save and
transfer Data. However, it has become easier to exploit Data and breach the Privacy of the
masses. The Personal Data Protection Bill of 2019 was introduced in Parliament as an attempt to
bring in a comprehensive center level Law on the issue but the same has not yet become a reality.
Data Privacy is extremely important in all spheres of life but most importantly in the corporate world.
India needs to take the issue seriously as it is not at par with other leading nations of the world when it
comes to Data Privacy issues.

15
ibid
16
ibid
17
https://tsaaro.com/blogs/it-act-spdi-rules-data-protection-regime-of-india/