10:00 - 19:00

Our Opening Hours Mon. - Fri.


Call Us For Free Consultation





Laws on Data Protection in India: Lawyers Advice

 > Corporate Lawyer  > Laws on Data Protection in India: Lawyers Advice

Laws on Data Protection in India: Lawyers Advice

Individual’s Right to privacy and protection enjoys intrinsic status under the Indian Constitution
In India, till now we do not have any ‘enforced’ legislation particularly defining data protection and privacy. The Personal Data Protection Bill, 2019 introduced in the Parliament of India in December, 2019 is yet to be enforced. The key objective of the bill is to secure the confidentiality of individual’s personal data and further to establish a full-fledged authority for data protection in India. Well, the inception of this bill can be linked to the historic judgement pronounced by the nine-judge bench of the Hon’ble Supreme Court in Justice KS Puttaswamy & Another v. Union of India and Others, Writ Petition (Civil) Number 494/2012. There it was unanimously held that right to privacy is an intrinsic status. The judiciary widely interrelated right to life and personal liberty under Article 21 of the Constitution. It may be noted that the right to privacy has been granted paramount importance by the Indian court, and the same can only be fettered under special conditions relating to state’s security and public interest.

The Information Technology Act, 2000 secures against certain breaches relating to data from computer systems: –
Coming to laws, till now we as a country do not have any enforced legislation on data protection. However, we have the landmark, Information Technology Act, 2000 which guarantees protection against certain breaches relating to data from computer systems. The given act comprises provisions to secure data in computer system from unauthorised access. Although, the act creates individual liability for illegitimate application of computer systems, yet the given section dilutes the liability of certain entities under its Section 79. This means that entities like internet provider and network service providers, would not be held liable for the contravention of any third-party data if he substantiates that the offence was committed without his, “knowledge”, or he made “best efforts” to prevent the commission of such breach. Sections 65 of the act grants protection to any form of intentional destruction, alteration, or concealment of information technology source code. On the other hand, we have Section 66 making alteration of any residing information in the computer a criminal offence. Breaching the regulations declared under both the sections is punishable with imprisonment extending up to three years or a monetary compensation extending up to Rs. 5,00,000/-.

SDPI Rules and Transfer of sensitive personal data: –
The Government of India in the year 2011 introduced in the Information Technology (Reasonable Security Practices & Procedures and Sensitive Personal Data or Information) Rules, 2011 which is also known as the SDPI Rules. According to the SDPI rules, a corporate need to have privacy policy and further obtain required consent prior to collection or transfer of sensitive personal data. Also, as per the rule the corporate needs to inform the recipient regarding the data subject collected. While, the literal interpretation of the Information Technology Act suggests that the parties to a legal agreement may come out of the SDPI Rules. However, such interpretation would be serious contravention of the constitutional framework and a proper interpretation is that the SDPI Rules are compulsory.

The Indian Penal Code & Data Protection: –
Though the Indian Penal Code does not directly declare any punishment for the breach of data protection, but provisions of Section 403 inflict criminal penalty for conversion and misappropriation of tangible properties for one’s own use.

The Copyright Act and Data Protection: –
Under the Intellectual Property laws, we have the Copyright Act prescribing mandatory penalty for data piracy of copyright materials corresponding to the gravity of the offence. Under the said act, we have Section 63B providing who knowingly infringes copy of a computer program shall be penalised with an imprisonment of minimum seven days but up to a period of three years. This shall be complimentary with a minimum monetary penalty of Rs. 50,000 and with a maximum of Rs. 2,00,000, approximately. It may be important to note that Indian judiciary recognise copyrights in databases. Now, where an author holds a copyright on something under the act, the infringement with respect to data bases shall make the outsourcing entity have a recourse to the act also.

Individual’s Credit Information and Credit Information Companies Regulation Act, 2005 (CICRA): –
The Credit Information Companies Regulation Act, 2005 (CICRA) takes care of the credit information of individuals in India. According to given act, collection of data pertaining to individual’s credit information by the entities shall be in consonance with the norms enunciated by regulations of the act. Perhaps, for any leakage or alteration of the data the concerned entity shall be made liable. This act is clearly based on the Fair Reporting Act and Graham Leach Bliley Act making a tough framework for data pertaining to individuals credit information in India. The laws under the Credit Information Companies Regulation Act, 2005 providing stringent rules on data protection have been notified by the Reserve Bank of India.

Effort of private sector companies towards data protection in India: –
In India, not the government, but it is the private sector which has taken the initiative to provide comfort to the international clients and vendors. We have the National Association of Service & Software Companies (NASSCOM), an India based information technology trade group and the driving force behind most private sector’s initiatives and efforts to betterment of data protection. For instance, the National Association of Service & Software Companies (NASSCOM) has launched the National Skills Registry, a centralised databased for IT and BPO company employees. This database verifies the human resourced within the company. Further, we have the self-regulatory body introduced with the objective to establish, and enforce data protection standards for country’s Business Process Outsourcing industry.

It may be interesting to note that even without a specific legislation on data protection, our India based industry have well started the procedure of employing various measures in relation to data protection. Well, we also have the Banker’s Bank, The Reserve Bank of India providing stringent norms in certain areas of data protection. And, with the introduction of the Personal Data Protection Bill, 2019, it can be well said that India has taken an enormous step towards data protection norms. The hope of the mass regarding a particular law on data protection has been given wings with this bill. The same shall not only give momentum to the outsourcing corporates but also to the Foreign Direct Investment Policy at large.
Authored By: Adv. Anant Sharma & Aniket Pandey

No Comments

Leave a Comment