By Shilpi Saurav Sharan
In the modern world, the average person lives and transacts online as easily as they do offline. However, they are not being regulated or held accountable in the same manner. Protection is needed on two fronts. Firstly, there is a need for preventive protection. For instance, an enormous digital footprint is left in the wake of an individual’s activity on the Internet which has a large potential for misuse. There is a grave need to secure, anonymize and protect such data. At the same time, cyberspace and navigation of cybercrime continue to be uncharted territory in India, from a legal perspective. There is an absence of regulation and stringent cyber security laws in India, which in turn minimizes the scope of penalization of online offences. Accordingly, there is an urgent need that the extant laws should identify, regulate, and enable swift prosecution of online offenders.
India is now one of few major economic powers in the world to not yet have a comprehensive, modern data protection law regime. Considering India’s desire to foster a global image of a digital economy with a booming data services industry, the Government must move fast to introduce a framework that brings it on par with its partners on the international stage. Unlike other laws, data protection laws cannot work in isolation in a domestic setting and must necessarily play well with its international counterparts1. As our country adopts digitalization, it also adopts a responsibility to guarantee privacy of its citizens’ digital footprints, identities and data online. Data protection and privacy are fundamentally interlinked, and constitute a very crucial and most sensitive space in the legal world at present times.
Legislations governing Privacy and Data Protection in India
The laws governing privacy and data protection in India are as follows:
1. Constitution of India
Article 21 of the Indian Constitution is a fundamental right that guarantees the protection of life and personal liberty, to all its citizens, which covers the individual’s right of privacy under its ambit to rule and govern and provide justice on violation of the same. Even the Preamble of India ensures the Liberty of thought, expression, belief, faith and worship.
On August 24th, 2017, the Supreme Court, in the decision of Justice K.S. Puttaswamy (retd.) &Anr vs. Union of India and Ors.2, held that privacy is a constitutionally protected right which arises out of Article 21 of the Indian Constitution. The protection under Article 21 is not absolute and is subject to certain restrictions. For instance, the right could be restricted if there is a law created by the legislature to restrict the same (such law should promote a legitimate state interest, should not be arbitrary and should be proportionate to the object of the law). The Hon’ble Supreme Court relied on the word “Liberty” mentioned in the Preamble and Article 21 to declare Right to Privacy a fundamental right, which widely includes the notion of data protection, as threat or un-authorized access to any person’s data, in the absence of his explicit consent, directly and grossly amounts to infringement of Right to Privacy, for which a person can directly knock on the doors of Hon’ble Supreme Court of India, under Article 32, or the relevant State High Court, under Article 226 of the Constitution.
2. Indian Penal Code, 1860
The IPC codifies the criminal law of India, enunciating the penalties and punishments for the various crimes committed within the territory of India. Some of the provisions which relates to the Right to Privacy and data protection are as follows:
a) Section 354-C: It deals with the offence of Voyeurism, i.e. if a man watches a women engaging in a private act, where privacy is keenly expected, captures her images and publishes it by any means, it shall be punishable with imprisonment of one year, which may extend to three years on the first conviction, and it shall be a minimum of three years and maximum of seven years upon a second offence.
b) Section 354-D: It deals with the offence of Stalking, i.e. if a man without any justifiable cause follows a women without consent, or follows her over social media, or sends objectionable messages to her, despite the woman expressing her disinterest, thereby causing her mental agony and annoyance, he shall be punished with imprisonment of three years for the first conviction, and upto five years along with fine for the second conviction. This offence is also punishable under the provisions of Information Technology Act, 2000.
c) Section 379: It deals with the offence of (data) Theft, i.e. if any person in the absence of consensual agreement, access or copy any private data of any individual dishonestly from his possession illegally, it would come under the ambit of Theft (of data), and shall be punishable with imprisonment extendable to three years or fine or both.
d) Section 383: It deals with the offence of Extortion, if any person puts another person in fear to deliver any valuable documents or data to him, otherwise he will defame that person, and such data or documents are vitally private, then it is punishable with imprisonment extendable to three years or fine or both.
e) Section 471: It deals with the offence of using as genuine a Forged Document or electronic record, which, if it infringes the privacy or data protection of any individual, shall be punishable with imprisonment which may extend to two years or fine or both.
3. Copyright Act, 1957
The Act was enacted during the pre-independence era, but after being adopted in our legal system it widely protects the intellectual rights of the owner of a creative work. It mainly protects the literary, dramatic, musical and artistic works of the author, during the lifetime and sixty years after the death of the author or owner. If anyone copies, replicate or uses the creation of the author, without his explicit permission for some commercial gain or some other use which includes publishing, circulating or transmitting the said work. For such infringement of the private and exclusive rights of the author, the Act provides civil as well as criminal remedies.
4. Indian Contract Act, 1872
The terms of a contract may be used to include or exclude certain aspects of privacy and data protection and can, therefore, become an important tool to protect and safeguard the Right to Privacy and data protection in India.
5. Information Technology Act, 2000
In India, the primary act regulating activity over the internet is the Information Technology Act, 2000 (“IT Act”) along with the rules framed thereunder. The application of the IT Act is not confined to India per se. As per Section 1(2) read with Section 75 of the IT Act, it has extraterritorial application in respect of an online offence or contravention committed outside India by any person. The Act specifically deals with cybercrime, fraud and cheating via e-commerce.
Some of its provisions for curbing crimes committed in cyber space, which are extensively linked with data protection and privacy are as follows:
a) Section 43A: Section 43A of the IT Act explicitly provides that whenever a corporate body possesses or deals with any sensitive personal data or information, and is negligent in maintaining a reasonable security to protect such data or information, which thereby causes wrongful loss or wrongful gain to any person, then such body corporate shall be liable to pay damages to the person(s) so affected.
b) Section 66: It deals with the offence of ‘Hacking’, which is the unauthorized access to a computer resource or data without the owner’s consent, which causes injury to the image of that person or goodwill of a body corporate as defined under Section 43A. It shall be punishable with imprisonment which may extend up to three years or with fine up to five lakh rupees or both.
b) Section 66C: It deals with the offence of fraudulently using the password of any person, as today the computer resource of any person contains his/her private data which is expected not be observed or recorded by an anonymous individual without permission, and if he/she does so, it shall be punishable with imprisonment with may extend to three years or fine up to Rs.1 lakh.
c) Section 66E: It deals with the offence of ‘violation of privacy’, and states that whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both.
d) Section 67: It deals with the offence of publishing or transmitting obscene material via any electronic form, which is objectionable in nature or compels any person to commit any crime or omit any duty which he is legally bound to do. It shall be punishable with imprisonment which may extend up to three years in the first conviction and five years in the second conviction, and also fine which may extend to ten lakh rupees.
e) Section 67A– It deals with the offence of publishing or transmitting a material containing sexually explicit act, etc. in electronic form, which shall be punishable with imprisonment which may extend to five years and fine up to ten lakh rupees and in the subsequent conviction, imprisonment for a term which may extend to seven years and also fine up to ten lakh rupees.
f) Section 72A: Section 72A provides for the punishment for disclosure of information in breach of lawful contract and any person may be punished with imprisonment for a term not exceeding three years, or with a fine not exceeding up to five lakh rupees, or with both in case disclosure of information is made in breach of lawful contract.
The IT Act further provides for the formation of a Controller of Certifying Authorities to regulate the issuance of digital signatures. It has also established a Cyber Appellate Tribunal for the resolution of disputes. The Cyber Appellate Tribunal has, for the purposes of discharging its functions under the IT Act, the same powers as are vested in a civil court in India.
Enforcement Agency: The Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules 2013 has establishes the Indian Computer Emergency Response Team (“CERT-In”) as the nodal agency to handle various cyber incidents and take emergency measures for their containment. Individuals and organizations may voluntarily report cyber security incidents and concerns to CERT-In and seek technical and other assistance and support3.
The Information Technology Rules
Under various sections of the IT Act, the Government has issued several sets of Information Technology Rules (the IT Rules) to broaden its scope and application. These IT Rules focus on and regulate specific areas of collection, transfer and processing of data, and include, most recently, the following:
a) the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 which require entities holding users’ sensitive personal information to maintain certain specified security standards;
b) the Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021, which prohibits content of a specific nature on the internet, and govern the role of intermediaries, including social media intermediaries, in keeping personal data of their users safe online;
c) the Information Technology (Guidelines for Cyber Cafe) Rules, 2011 which require cybercafés to register with a registration agency and maintain a log of users’ identities and their internet usage; and
d) the Information Technology (Electronic Service Delivery) Rules, 2011 which allow the overnment to specify that certain services, such as applications, certificates and licences, may be delivered electronically4.
Penalties for non-compliance are specified by Sections 43 and 72 of the IT Act.
Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
The Department of Information Technology notified the 2011 Rules on April 11, 2011 vide notification no. G.S.R. 313(E). The main highlights of the 2011 Rules are as follows–
- The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 only apply to bodies corporate and persons located in India. This was clarified vide a press note dated August 24, 2011 issued by the Ministry of Communication and Information Technology wherein it was stated the 2011 Rules were applicable to a body corporate or any person located within India1.
- Rule 3 of the 2011 Rules provides a list of items that are to be treated as “sensitive personal data”, and includes inter alia information relating to passwords, credit/ debit cards information, biometric information (such as DNA, fingerprints, voice patterns, etc. that are used for authentication purposes), physical, physiological and mental health condition, etc. It is further clarified that any information freely available or accessible in the public domain is not considered to be sensitive personal data.
- Rule 5 provides the guidelines that need to be followed by a Body Corporate while collecting information and imposes the following duties on the Body Corporate:
- Obtain consent from the person(s) providing information in writing or by fax or by e-mail before collecting such sensitive personal data. Vide the press note dated August 24, 2011 issued by the Ministry of Communication and Information Technology it was clarified that consent includes consent given by any mode of electronic communication;
- Information shall not be collected unless it is for lawful purpose, and is considered necessary for the purpose. The information collected shall be used only for the purpose for which it is collected and shall not be retained for a period longer than which is required;
- Ensure that the person(s) providing information are aware about the fact that the information is being collected, its purposes & recipients, name and addresses of the agencies retaining and collecting the information;
- Retain the information for no longer than is required for the purposes for which the information may lawfully be used or is otherwise required under any other law for the time being in force;
- Offer the person(s) providing information an opportunity to review the information provided and make corrections, if required;
- Before collection of the information, provide an option to the person(s) providing information to not provide the information sought;
- Maintain the security of the information provided; and
- Designate a Grievance Officer, whose name and contact details should be on the website who shall be responsible to address grievances of information providers expeditiously. A maximum period of one month has been provided for resolution of such grievances.
- Rule 6 provides that a Body Corporate must seek prior permission of the information provider before disclosing such information to a third party. However, no prior permission is required if request for such information is made by government agencies mandated under law or any other third party by an order under law.
- Rule 8 provides the reasonable security processes and procedures that may be implemented by Body Corporates. International Standard (IS / ISO / IEC 270001) is one such standard which can be implemented by a body corporate to maintain data security. It is pertinent to note that an audit of reasonable security practices and procedures shall be carried cut by an auditor at least once a year or as and when the body corporate or a person on its behalf undertakes significant upgradation of its process and computer resource.
Exceptions to Right to Privacy and Data Protection
The Right to Privacy under Article 21 of our Constitution, is a fundamental right, but it is pertinent to note and mention that, a fundamental right is not an absolute right, that means it may be abridged or suspended during exceptional circumstances. It is similar with respect to the Right to Privacy, however, Article 21, according to Hon’ble Supreme Court of India, cannot be suspended even during Emergency situations. Certain exceptions to privacy are as follows:
a) Procedure Established by Law– Article 21 provides that, no person shall be deprived of right to life, except according to procedure established by law, which itself makes the intention of legislature clear that although the right is fundamental, it is not an absolute right.
b) Public Security- Section 5 (2) of the Indian Telegraph Act, 1875 provides the grounds for interception of communication, which will not be treated as infringement of privacy. Public security signifies a situation of imminent risk where the general public may be at risk. Investigating authorities and the State are obliged to instantly act in such a scenario, hence if the right to privacy of any individual is infringed by the invocation of the aforesaid provision, under justifiable circumstances, it will not treated as violation of right to privacy.
c) Public Duty– A public servant, acting in his official capacity and in discharge of his public functions stands legally immune to allegations of violation of right to privacy. However, if it is proved that the action is arbitrary in nature or biased or is inspired by personal antagonism and is against the rule of law, action may be taken against such public servant, for professional misconduct or moral turpitude.
Privacy Rights in India
The Constitution of India does not list the right to privacy as a fundamental right. However, this right is granted to the citizens of India basis the interpretation of the Supreme Court’s landmark judgment in 2017 in the case of Justice K. S. Puttaswamy (Retd.) and Anr. v. Union of India And Ors5. Herein, the Hon’ble Supreme Court primarily interpreted Article 21 of the Constitution viz. the fundamental right to life of Indian citizens, as being inclusive of the right to privacy and inter-alia, the right to protection of citizens’ data and informational privacy.
Shortly following this pronouncement, the Srikrishna Committee, under the chairmanship of the (former) Justice of the Supreme Court, B.N Srikrishna, was empanelled. The Srikrishna Committee was the result of the realisation instilled for improvement in the legal framework of data privacy laws in India so as to give stimulus to the fundamental right to privacy owed to Indian citizens. The Committee tabled its report on the need for new data protection law in India, accompanied by the draft Personal Data Protection Bill, 2018. The draft Bill sought to regulate the flow and usage of personal data, the various entities processing the personal data, protect the fundamental rights of individuals whose personal data was processed, create a framework for accountability, processing of data, cross-border transfer and provide remedies for contravention. Prominently, it sought to establish a Data Protection Authority of India for the said purposes. The draft Bill, 2018, has since been revised and thereafter has been tabled and is currently pending approval before the Indian Parliament as the Personal Data Protection Bill, 2019 (“PDP Bill”).
Newly Proposed Personal Data Protection Bill, 2019
The PDP Bill was tabled in the Indian Parliament by the Ministry of Electronics and Information Technology (“Ministry”) on December 11, 2019, and is largely modelled after the European Union’s GDPR. A joint parliamentary committee has recently finalized and adopted a revised version of the PDP Bill on November 22, 2021. This proposed statute shall govern the processing of personal data by the Indian Government, Indian companies and foreign companies.
Section 3(28) of the PDP Bill defines “personal data” to mean “…data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling…”.
Some of the interesting developments proposed under the PDP Bill include the creation of a Data Protection Authority (“DPA”) similar to the European Union as well as the categorization of personal data to be protected. For instance, the PDP Bill provides for data localization through a three-tiered structure. Data transfer/localization restrictions will not apply to personal data, however, restrictions shall imposed on “sensitive personal data” and “critical personal data” (as defined by the Indian Government).
Sensitive personal data is defined to include “special categories of personal data” including financial data, biometric data, caste, religious or political beliefs, or any other category of data specified by the Indian Government, in consultation with the DPA and the concerned sector-specific regulator. While the same may be transferred outside of India, it must continue to be stored in India. Further, “critical personal data” cannot even be transferred outside India. However, to a limited extent, data transfers to countries or organizations deemed to provide an adequate level of protection are permitted. Further, the PDP Bill prescribes various obligations for data fiduciaries (including social media intermediaries) on how they shall obtain, deal/process and retain personal data. It makes them accountable for the compliance of the obligations in respect of the processing of personal data undertaken by it or on its behalf. For instance, when processing sensitive personal data of children, data fiduciaries are accountable for putting in place mechanisms for age verification and parental consent.
Further, there are stringent penalties prescribed for processing or transferring data in violation of the PDP Bill. The maximum financial penalty for a violation under the PDP Bill has been capped at INR 15 crore. Also, processing of de-identified personal data/re-identification without consent is punishable with imprisonment of up to three (3) years, or fine or both by the DPA. The PDP Bill seeks to establish an appellate tribunal to adjudicate the first appeals against the DPA’s decision, and the second appeal can be filed before the Supreme Court of India.
In light of the above, it may be concluded that while the Indian IT Act and the supplementary legislation, rules and regulations have been developed and come a long way since their original inception, they are not enough to secure data protection and guard against modern ever-evolving cyber threats. There are numerous difficulties and instances to consider in providing for data protection and privacy laws in India, such as the paradoxical issue of preserving the anonymity of personal data while striving to identify the true culprit of an online crime due to identity theft and spoofing, thereby allowing anyone sitting anywhere in the world to conduct crimes to the point where they endanger the nation’s security. While there is a need for new data protection law in India and a strong argument to be made in the favor of the PDP Bill, at the same time, it may be said that over the years the Indian Government has advanced from minimal policing of cyber and data security in India to over-policing. Many critics have vocalized their concerns regarding the over-reaching powers granted to the Indian Government under the PDP Bill, for instance, to prescribe what constitutes critical personal data, and many foreign entities consider the changes proposed thereunder to be too strict for compliance. Thus, while the Indian Government may be likely to adopt the version of the PDP Bill recommended by the Joint Parliamentary Committee, several major issues remain to be debated on the front of data protection in India6.
Post the Right to Privacy Case and subsequent introduction of the PDP Bill, it was believed that the right to privacy, being a fundamental right, will be more strengthened and the law will protect individuals against unfair invasion of their privacy. However, the Report by the Joint Parliamentary Committee on the PDP Bill has created further uproars. While the Winter Session of the Parliament ended on December 23, 2021, it is unlikely that the Report will be further discussed or any recommendations carried out this year, given that the changes and deviation from the original PDP Bill are notable in the Report. The ultimate outcome of the right to privacy is dependent on the discussions and modifications made in the PDP Bill, based on the recommendations by the Joint Parliamentary Committee. Since this proposed legislation will be India’s first comprehensive data protection law, it will be interesting to see how the Government proposes to modify the PDP Bill and protect the right to privacy of the individuals, while balancing national security and interests of India which necessitates infringement in certain cases within the contours of law already laid down by the Supreme Court of India7.
 Revamping India’s outdated data laws by Rupinder Malik.. Available at: https://economictimes.indiatimes.com/small-biz/policy-trends/one-of-the-last-few-countries-without-modern-data-protection-law-why-india-needs-an-urgent-revamp/articleshow/91556170.cms
 2017) 10 SCC 1.
 Privacy and Data Protection in India: An Analysis by Yashraj Bais. Available at: https://doij.org/10.10000/IJLMH.112146
 The Privacy, Data Protection and Cybersecurity Law Review: India by Subramaniam & Associates. Available at: https://thelawreviews.co.uk/title/the-privacy-data-protection-and-cybersecurity-law-review/india#footnote-010
 (2017) 10 SCC 1.
 Data Protection and Privacy – Cyber Security Laws in India by Ahlawat & Associates. Available at: https://www.lexology.com/library/detail.aspx?g=1420296c-80b2-45d1-b585-7feed520563b
 India: Update On Data Protection Law by Alpha Partners. Available at: https://www.mondaq.com/india/privacy-protection/1146570/update-on-data-protection-law?type=popular
Key Features and Issues in the Digital Personal Data Protection Bill, 2022
Personal Data Protection Bill retracted by Central Government