Practical Aspects of Data Protection in India - IPleaders
Practical Aspects of Data Protection in India - IPleaders
This article is written by Abhishek Verma. This article has been edited by Ojuswi (Associate,
Lawsikho).
Table of Contents
https://blog.ipleaders.in/practical-aspects-of-data-protection-in-india/ 1/19
9/12/22, 10:25 PM Practical aspects of data protection in India - iPleaders
1. Introduction
2. Data protection
3. Concept of data : Indian perspective
4. Judicial pronouncements on privacy : an intrinsic part of data protection
4.1. M.P. Sharma and Ors. v. Satish Chandra, District Magistrate, Delhi, and Ors.
4.2. Kharak Singh v. State of Uttar Pradesh and Ors.
4.3. Justice K.S. Puttaswamy (Retd.) and Anr. v. Union of India and Ors.
5. Regulations in India for data protection
5.1. Personal Data Protection Bill, 2019 (“PDP Bill”)
5.1.1. Applicability of the PDP Bill
5.1.1.1. Personal data
5.1.1.2. Sensitive personal data
5.1.1.3. Critical personal data
5.1.1.4. Anonymized data
5.1.2. Offences and punishments under the PDP Bill
5.2. The Information Technology Act, 2000
5.2.1. Section 43. Penalty and compensation for damage to the computer, computer system, etc.
5.2.2. Section 43A. Compensation for failure to protect data
5.2.3. Section 66C. Punishment for identity theft
5.2.4. Section 66E. Punishment for violation of privacy
5.2.5. Section 72. Penalty for breach of confidentiality and privacy
5.2.6. Section 72A. Punishment for disclosure of information in breach of lawful contract
5.3. Information Technology (Reasonable Security Practices and Procedures and Sensitive
Personal Information) Rules, 2011
5.3.1. Rule 4. Body corporate to provide policy for privacy and disclosure of information
5.3.2. Rule 5. Collection of information
5.3.3. Rule 6. Disclosure of information
5.4. Indian Telegraph Act, 1885
5.4.1. Section 24. Unlawfully attempting to learn the contents of messages
5.4.2. Section 25. Intentionally damaging or tampering with telegraphs
5.4.3. Section 26. Telegraph officer or other official making away with or altering, or unlawfully
intercepting or disclosing, messages, or divulging purport of signals
5.4.4. Section 30. Retaining a message delivered by mistake
6. Conclusion
7. References
Introduction
“Data is the new oil” phrase was coined in 2006 by Clive Humby, a British mathematician
and data science entrepreneur. In this digital era, data is the most valuable asset. Data is
information whether it is qualitative or quantitative, stored in electronic or physical form.
Data plays a vital role in decision-making in almost every sector and at every level when
gathered completely and accurately, and corroborated with other relevant data in a timely
manner. When properly refined, usable data quickly becomes a decision-making tool
allowing companies to react to market forces and enabling them to be proactive and
intentional in their decision-making.
As it has been seen, the government used to conduct various surveys to collect data to
further formulate policies and take help in important decision-making at various levels. In
the same way in the current era, corporates take help from the data collected through
tracking the activities of the general public regarding the goods and services they are
looking for or what kind of product they might be interested in, upon analyzing certain
factors such as their buying habits, age, sex, culture, weather conditions, etc. to make
https://blog.ipleaders.in/practical-aspects-of-data-protection-in-india/ 2/19
9/12/22, 10:25 PM Practical aspects of data protection in India - iPleaders
important decisions in marketing their products and services to their relevant target
customers.
Organisations need data to have a better understanding of the market, purchasing patterns,
the budget of people, and demand for products based on geography, age, and other factors.
And now the question arises of what kind of information they look for and how is that
information processed and forwarded to those organisations.
Every time we search for anything or browse any website, we become a source of data for
companies. Companies not only track our online activities but also sell that data to other
relevant companies so that those companies could take the help of those leads and try to
convert them into sales.
And certainly, there are many instances where the storage or usage of data becomes
immoral or violates the privacy of people. So there arises the need to regulate the usage of
data by legislating certain laws or regulations to prevent the violation of the privacy of
people.
In this article, we will be focussing on the current status/position of data protection in India
by studying and analysing the relevant provisions that regulate the collection, use and
disclosure of data and the case laws dealing with the illegal use of data.
Data protection
Data protection is the process of safeguarding or protecting data from any kind of
unauthorised or illegal use. In other words, data protection is the protection from any sort
of use of personal data without the permission of the concerned person whose data is being
used, except or otherwise the said data is being used by any competent authority and
without any violation of the rights provided under the law. The data protection regulations
try to balance the usage of data to be used as a resource and the privacy of individuals.
https://blog.ipleaders.in/practical-aspects-of-data-protection-in-india/ 3/19
9/12/22, 10:25 PM Practical aspects of data protection in India - iPleaders
According to Section 2(1)(o) of the Information Technology Act, 2000 (the “IT Act”) “data”
means “a formalised representation of concepts, information, facts, knowledge, or
instructions that are being processed, is being processed or has been processed in a
computer system or computer network, and maybe in any form (including computer
printouts, magnetic or optical storage media, punched cards, punched tapes), or stored
internally in the memory of the computer.”
The electronic consent framework issued by the Digital Locker Authority defines ‘data’ to
mean “Any electronic information stored by a public or private service provider (such as a
government service department, a bank, or a document repository, for example). This could
apply to both static and transactional documents. Data, on the other hand, is not limited to
electronic information; it also includes information saved in physical forms, such as on a
sheet of paper.”
These are not the only definitions that define the scope of data under the Indian legal
system, data has been defined in other regulations also which give the same meaning, in
other words, they may slightly differ in scope.
Although India had not been vigilant specifically regarding data protection in the past years,
through some landmark judicial pronouncements on the ‘right to privacy’, we can witness
some developments in Data Protection in India as privacy is the key element in the concept
of ‘Data Protection’.
https://blog.ipleaders.in/practical-aspects-of-data-protection-in-india/ 4/19
9/12/22, 10:25 PM Practical aspects of data protection in India - iPleaders
Whether a warrant issued under Section 94 and 96(1) of the Code of Criminal Procedure
for search and seizure violates the right to privacy of a person.
The power of search and seizure is necessary to protect social security and is not in
contravention of any of the provisions of the constitution of India.
Also, the right to privacy was not mentioned as a fundamental right by the constitution-
makers.
Whether the domiciliary visit at night for surveillance against the accused violates
Articles 21 and 19(1)(d) of the Indian Constitution?
Was the act of maintaining history sheets of the previously accused person and keeping
track of their movements violative of Article 19(1)(d) and 21 of the Indian Constitution?
Although in the view of the majority of judges, Article 21 of the Constitution of India
does not include any provision for privacy and the right to privacy cannot be considered a
fundamental right.
Regulation 236(b) of the UP Police Regulations that authorises Domiciliary visits by the
state is unconstitutional as it violates Article 21 of the Indian Constitution.
The court determined that keeping a close eye on a suspect and secretly filming their
activities did not obstruct their physical movement and that a psychological barrier to
action was not protected under Article 19(1)(d).
Furthermore, it did not violate the suspect’s ‘personal liberty’ as defined by Article 21.
The ‘Aadhar Card Scheme’ was challenged in this case because it violated citizens’ right to
privacy by collecting and utilising their biometric information for other purposes. The
https://blog.ipleaders.in/practical-aspects-of-data-protection-in-india/ 5/19
9/12/22, 10:25 PM Practical aspects of data protection in India - iPleaders
petitioner stated that the right to privacy is a basic right that should be protected under the
Indian Constitution Article 21. In response, the respondents argued that the Constitution
merely recognizes personal liberty and that citizens have a limited right to privacy.
The Constitutional bench of nine judges was formed to determine the issue unanimously.
The Supreme Court ruled that the right to privacy is integral to the right to life and personal
liberty guaranteed by Article 21. It is also a part of the rights protected by Part III of the
Indian Constitution. It was also stated that the state has an obligation to preserve the
privacy of its residents. As a result, the ‘Aadhar Card Scheme’ was found to have violated
residents’ right to privacy.
Citizens can now seek court remedies if their data privacy rights are violated, thanks to this
judgment of the Hon’ble Supreme Court. This decision also has ramifications for Indian tech
businesses’ norms and laws.
In this light, it is essential to look at regulations that deal with data protection laws in India.
The following section highlights a few of these legislations.
The bill has been deliberated for over two years now. A total of 188 amendments have
been recommended out of which 91 amendments are significant, while others are subject to
some minor editing of legal nature in different sections.
https://blog.ipleaders.in/practical-aspects-of-data-protection-in-india/ 6/19
9/12/22, 10:25 PM Practical aspects of data protection in India - iPleaders
The bill will broaden the scope by providing a comprehensive data protection framework
that will apply to all forms of personal data processing, as well as processing activities
carried out by both the government and private bodies, including corporations.
(iii) Foreign Companies dealing with the personal data of individuals in India.
This bill not only regulates the data collection and usage of internet-based companies but
also brick-and-mortar companies.
Personal data
According to the bill, personal data means “data relating to a natural person about an
attribute, characteristic, trait, or any other factor that aids in the identification of that
person.” The bill also establishes a distinction between Critical and Sensitive Personal Data.
It includes biometric data, financial data, political affiliations, health data, sexual
orientation, transgender status, caste or tribe, religious and sex life, etc.
It means any such data which will be notified by the Central Government as critical personal
data.
Anonymized data
https://blog.ipleaders.in/practical-aspects-of-data-protection-in-india/ 7/19
9/12/22, 10:25 PM Practical aspects of data protection in India - iPleaders
1. Transferring or processing personal data in violation of the Bill shall be punishable with a
fine of Fifteen Crore Rupees or four percent of the annual turnover of the fiduciary,
whichever is higher, and;
2. Failure to undertake a data audit will result in a fine of Rupees. 5 crores or 2% of the
fiduciary’s annual turnover, whichever is higher.
According to the bill, the Data Protection Authority will be composed of a chairperson and
six members with experience of at least ten years in the fields of data protection and
information technology. Appeal from the orders of the Authority can be filed to an Appellate
Tribunal and appeals from the Tribunal will go directly to the Supreme Court.
https://blog.ipleaders.in/practical-aspects-of-data-protection-in-india/ 8/19
9/12/22, 10:25 PM Practical aspects of data protection in India - iPleaders
person, shall be punished either with imprisonment for a term up to three years or a fine up
to rupees one lakh or both.
https://blog.ipleaders.in/practical-aspects-of-data-protection-in-india/ 9/19
9/12/22, 10:25 PM Practical aspects of data protection in India - iPleaders
Also, the collected information shall not be used for any other purpose.
This list of above-enumerated legislations is not exhaustive, there are other laws also that
somehow, directly or indirectly, regulate the collection and usage of data.
https://blog.ipleaders.in/practical-aspects-of-data-protection-in-india/ 10/19
9/12/22, 10:25 PM Practical aspects of data protection in India - iPleaders
Conclusion
Data is used by almost every entity and it has become an essential tool to take important
business decisions, when they use the data of any third person they have an obligation not
to make any inappropriate or illegal, or immoral use of that data. Although, currently in
India, there is no such specific regulation for Personal Data Protection as General Data
Protection Regulations (GDPR) in the European Union. But a panel has drafted and proposed
a Personal Data Protection Bill in 2019 which was reviewed by a Joint Parliamentary
Committee that has already submitted its final recommendations and the bill is now subject
to some amendments. Apart from a specific Act for the protection of personal data, there
are many other laws that directly or indirectly, regulate the collection, usage and disclosure
of personal data. However, there still is a dire need for proper legislation that matches up to
the growing pace of requirements in the area of data protection.
References
http://elplaw.in/wp-content/uploads/2018/08/Data-Protection-26-Privacy-Issues-in-
India.pdf
https://www.khaitanco.com/sites/default/files/2021-
04/Data%20Protection%20in%20India%20Overview.pdf
https://blog.ipleaders.in/judicial-interpretation-of-data-protection-and-privacy-in-india/
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and
various opportunities. You can click on this link and join:
https://t.me/lawyerscommunity
https://blog.ipleaders.in/practical-aspects-of-data-protection-in-india/ 11/19
9/12/22, 10:25 PM Practical aspects of data protection in India - iPleaders
Did you find this blog post helpful? Subscribe so that you never miss another post! Just complete this form…
Name
Email Address
10-6=?
SUBSCRIBE!
https://blog.ipleaders.in/practical-aspects-of-data-protection-in-india/ 12/19
9/12/22, 10:25 PM Practical aspects of data protection in India - iPleaders
LawSikho
LawSikho
Register now
Name
Your Name
Email
Your Email
Which country are you from?
Select your country Select your country
https://blog.ipleaders.in/practical-aspects-of-data-protection-in-india/ 13/19
9/12/22, 10:25 PM Practical aspects of data protection in India - iPleaders
+962 - JO (Jordan)
+81 - JP (Japan)
+254 - KE (Kenya)
+996 - KG (Kyrgyzstan)
+855 - KH (Cambodia)
+686 - KI (Kiribati)
+269 - KM (Comoros)
+1869 - KN (Saint Kitts And Nevis)
+850 - KP (Korea Democratic Peoples Republic
Of)
+82 - KR (Korea Republic Of)
+965 - KW (Kuwait)
+1345 - KY (Cayman Islands)
+7 - KZ (Kazakstan)
+856 - LA (Lao Peoples Democratic Republic)
+961 - LB (Lebanon)
+1758 - LC (Saint Lucia)
+423 - LI (Liechtenstein)
+94 - LK (Sri Lanka)
+231 - LR (Liberia)
+266 - LS (Lesotho)
+370 - LT (Lithuania)
+352 - LU (Luxembourg)
+371 - LV (Latvia)
+218 - LY (Libyan Arab Jamahiriya)
+212 - MA (Morocco)
+377 - MC (Monaco)
+373 - MD (Moldova, Republic Of)
+382 - ME (Montenegro)
+1599 - MF (Saint Martin)
+261 - MG (Madagascar)
+692 - MH (Marshall Islands)
+389 - MK (Macedonia, The Former Yugoslav
Republic Of)
+223 - ML (Mali)
+95 - MM (Myanmar)
+976 - MN (Mongolia)
+853 - MO (Macau)
+1670 - MP (Northern Mariana Islands)
+222 - MR (Mauritania)
+1664 - MS (Montserrat)
+356 - MT (Malta)
+230 - MU (Mauritius)
+960 - MV (Maldives)
+265 - MW (Malawi)
+52 - MX (Mexico)
+60 - MY (Malaysia)
+258 - MZ (Mozambique)
+264 - NA (Namibia)
+687 - NC (New Caledonia)
+227 - NE (Niger)
+234 - NG (Nigeria)
+505 - NI (Nicaragua)
https://blog.ipleaders.in/practical-aspects-of-data-protection-in-india/ 16/19
9/12/22, 10:25 PM Practical aspects of data protection in India - iPleaders
+31 - NL (Netherlands)
+47 - NO (Norway)
+977 - NP (Nepal)
+674 - NR (Nauru)
+683 - NU (Niue)
+64 - NZ (New Zealand)
+968 - OM (Oman)
+507 - PA (Panama)
+51 - PE (Peru)
+689 - PF (French Polynesia)
+675 - PG (Papua New Guinea)
+63 - PH (Philippines)
+92 - PK (Pakistan)
+48 - PL (Poland)
+508 - PM (Saint Pierre And Miquelon)
+870 - PN (Pitcairn)
+1 - PR (Puerto Rico)
+351 - PT (Portugal)
+680 - PW (Palau)
+595 - PY (Paraguay)
+974 - QA (Qatar)
+40 - RO (Romania)
+381 - RS (Serbia)
+7 - RU (Russian Federation)
+250 - RW (Rwanda)
+966 - SA (Saudi Arabia)
+677 - SB (Solomon Islands)
+248 - SC (Seychelles)
+249 - SD (Sudan)
+46 - SE (Sweden)
+65 - SG (Singapore)
+290 - SH (Saint Helena)
+386 - SI (Slovenia)
+421 - SK (Slovakia)
+232 - SL (Sierra Leone)
+378 - SM (San Marino)
+221 - SN (Senegal)
+252 - SO (Somalia)
+597 - SR (Suriname)
+239 - ST (Sao Tome And Principe)
+503 - SV (El Salvador)
+963 - SY (Syrian Arab Republic)
+268 - SZ (Swaziland)
+1649 - TC (Turks And Caicos Islands)
+235 - TD (Chad)
+228 - TG (Togo)
+66 - TH (Thailand)
+992 - TJ (Tajikistan)
+690 - TK (Tokelau)
+670 - TL (Timor-leste)
+993 - TM (Turkmenistan)
https://blog.ipleaders.in/practical-aspects-of-data-protection-in-india/ 17/19
9/12/22, 10:25 PM Practical aspects of data protection in India - iPleaders
+216 - TN (Tunisia)
+676 - TO (Tonga)
+90 - TR (Turkey)
+1868 - TT (Trinidad And Tobago)
+688 - TV (Tuvalu)
+886 - TW (Taiwan, Province Of China)
+255 - TZ (Tanzania, United Republic Of)
+380 - UA (Ukraine)
+256 - UG (Uganda)
+1 - US (United States)
+598 - UY (Uruguay)
+998 - UZ (Uzbekistan)
+39 - VA (Holy See (vatican City State))
+1784 - VC (Saint Vincent And The Grenadines)
+58 - VE (Venezuela)
+1284 - VG (Virgin Islands, British)
+1340 - VI (Virgin Islands, U.s.)
+84 - VN (Viet Nam)
+678 - VU (Vanuatu)
+681 - WF (Wallis And Futuna)
+685 - WS (Samoa)
+381 - XK (Kosovo)
+967 - YE (Yemen)
+262 - YT (Mayotte)
+27 - ZA (South Africa)
+260 - ZM (Zambia)
+263 - ZW (Zimbabwe)
No results
Phone
Your Phone
I want to know more about the lawsikho courses
Yes
No
Register now
Bootcamp starting in
4
Days
19
HRS
34
MIN
26
SEC
https://blog.ipleaders.in/practical-aspects-of-data-protection-in-india/ 18/19
9/12/22, 10:25 PM Practical aspects of data protection in India - iPleaders
LawSikho
LawSikho
https://blog.ipleaders.in/practical-aspects-of-data-protection-in-india/ 19/19