Privacy and Data Protection Laws in India (Part 1)

India does not have a comprehensive legislation for the protection of the privacy of an individual. Article 21 of the Constitution of India has been extended to include the right to privacy as a fundamental right available under the Constitution. However, being a fundamental right, it can only be enforced against the State. The legal framework in India with respect to the enforcement of the right to privacy of an individual against other individuals is still in its nascent stage.

In today’s knowledge-based society, where data is critical and easily accessible to everyone, it becomes even more pertinent to have privacy and data protection laws in place to counter the increasing risk of misuse of personal data. Various initiatives have been taken in this regard by the government as well as certain NGOs. The Centre for Internet and Society, an NGO, had also submitted a citizens’ draft of the Privacy (Protection) Bill, 2013, primarily outlining the law in relation to data protection, interception and surveillance.

A draft bill on the Right to Privacy was prepared by the Ministry of Personnel, Public Grievances and Pensions and the Department of Personnel and Training and submitted to the Cabinet in 2011. Despite multiple discussions on the draft bill, it was never enacted. A Committee was also set up by the Planning Commission to deliberate and provide suggestions for a proposed Privacy Act in India. The Committee, chaired by Justice A. P. Shah, submitted its report in 2012. The Committee was of the opinion that “any proposed framework for privacy legislation must be technologically neutral and interoperable with international standards.”

The Law as it stands

The law relating to data protection and privacy in India as prevailing today is encompassed in the Information Technology Act, 2000 (“Act”) and the rules made thereunder. A brief synopsis of the extant law in this regard is provided below:

Protection under the Act

The Act provides a penalty for the breach of privacy and confidentiality. However, up till 2008, this remedy was available only against persons who, having been conferred powers under the Act, secured access to any electronic record, book, register, correspondence, information, document or material without the consent of the person concerned, and then disclosed that material. Thus, this remedy had a limited scope and was not concerned with the protection of data in a private transaction.

This deficiency was cured to some extent vide the Information Technology (Amendment) Act, 2008 which, among other things, also extended certain protections to the right to privacy. Section 43A and Section 72A imposed, respectively, liability to compensate for failure to protect data, and punishment for the disclosure of information in breach of a contract. While Section 43A was enforceable only against body corporates, i.e. any enterprise engaged in commercial or professional activities, including any company, firm, sole proprietorship or any other association of persons, Section 72A provided a remedy against any person for a breach of privacy/confidentiality pursuant to a lawful contract.

The Act, vide Sections 43A and 72A, provides for remedies in case of breach of privacy and confidentiality as detailed below:

Section 43A

Body corporates are liable to compensate any person who is affected as a result of their negligence in maintaining ‘reasonable security practices and procedures’, thereby causing any wrongful gain or wrongful loss to any person. Reasonable security practices and procedures would mean such practices and procedures as are designed to protect sensitive personal data[1] and information from unauthorized access, use, damage, etc., as agreed between the parties. Where no such agreement exists between the parties, it would mean such practices and procedures as prescribed by law[2]. A body corporate shall become liable if it was negligent in maintaining any sensitive personal data or information that it possesses, deals with or handles in a computer resource which it owns, controls or operates.


Section 72

The Act has conferred powers on the following persons to have access to the computer and data without any consent of the persons concerned:

  1. the Controller of Certifying Authorities;
  2. any person authorized by the Controller to exercise such power;
  3. any person authorized by the appropriate government to access a protected system; and
  4. the operational staff of the Certifying Authority (only on a ‘need-to-know’ basis).

This Section is applicable only to the above-mentioned persons. A penalty that may extend up to Rs. 1,00,000/- (Rupees One Lakh) and/or imprisonment which may extend to 2 (two) years shall be imposed on such persons for disclosing the material to which they have secured access.


Section 72A

This provision makes it an offence to disclose any material containing personal information about another person without the consent of the person concerned or in breach of a lawful contract, with the intention or knowledge that it is likely to cause wrongful gain or wrongful loss. Any person who is guilty of such disclosure shall be punished with imprisonment for a term which may extend to 3 (three) years and/or a fine that may extend to Rs. 5,00,000/- (Rupees Five Lakhs). It may be noted that the liability under this provision is also extended to any person who, on behalf of another, receives, stores or transmits an electronic record[3] or provides any service with respect to any electronic record, such as network service providers, web-hosting service providers, search engines, online payment sites, etc. (“intermediary”). The primary difference between Section 72 and Section 72A is their applicability – Section 72 can be enforced against the lawful authority, while Section 72A is enforceable against any person who discloses the information in breach of a lawful contract or without the consent of the person concerned. It is interesting that the penalty for unauthorized disclosure by private persons is greater than the penalty for unauthorized disclosure by a lawful authority.

Our next post outlines the right to privacy in respect of data protection as provided under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

Megha Manjunatha

[1] As defined under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

[2] The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

[3] As per the Act, “electronic record” means data, record or data generated, image or sound stored, received or sent in an electronic form or microfilm or computer-generated microfiche. [Section 2(t) of the Act]
