Data Protection Laws in India
Data Protection refers to the set of privacy laws, policies and procedures that aim to minimise intrusion into one’s privacy caused by the collection, storage and dissemination of personal data. Personal data generally refers to the information or data which relate to a person who can be identified from that information or data whether collected by any Government or any private organization or an agency.
The Constitution of India does not patently grant the fundamental right to privacy. However, the courts have read the right to privacy into the other existing fundamental rights, ie, freedom of speech and expression under Art 19(1)(a) and right to life and personal liberty under Art 21 of the Constitution of India. However, these Fundamental Rights under the Constitution of India are subject to reasonable restrictions given under Art 19(2) of the Constitution that may be imposed by the State. Recently, in the landmark case of Justice K S Puttaswamy (Retd.) & Anr. vs. Union of India and Ors., the constitution bench of the Hon’ble Supreme Court has held Right to Privacy as a fundamental right, subject to certain reasonable restrictions.
India presently does not have any express legislation governing data protection or privacy. However, the relevant laws in India dealing with data protection are the Information Technology Act, 2000 and the (Indian) Contract Act, 1872. A codified law on the subject of data protection is likely to be introduced in India in the near future.
The (Indian) Information Technology Act, 2000 deals with the issues relating to payment of compensation (Civil) and punishment (Criminal) in case of wrongful disclosure and misuse of personal data and violation of contractual terms in respect of personal data.
Under section 43A of the (Indian) Information Technology Act, 2000, a body corporate who is possessing, dealing or handling any sensitive personal data or information, and is negligent in implementing and maintaining reasonable security practices resulting in wrongful loss or wrongful gain to any person, then such body corporate may be held liable to pay damages to the person so affected. It is important to note that there is no upper limit specified for the compensation that can be claimed by the affected party in such circumstances.
The Government has notified the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. The Rules only deals with protection of “Sensitive personal data or information of a person”, which includes such personal information which consists of information relating to:-
Financial information such as bank account or credit card or debit card or other payment instrument details;
Physical, physiological and mental health condition:
Medical records and history;
The rules provide the reasonable security practices and procedures, which the body corporate or any person who on behalf of body corporate collects, receives, possess, store, deals or handle information is required to follow while dealing with “Personal sensitive data or information”. In case of any breach, the body corporate or any other person acting on behalf of body corporate, the body corporate may be held liable to pay damages to the person so affected.
Information Technology Act, 2000
The Information Technology Act, 2000 (hereinafter referred to as the “IT Act”) is an act to provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as “electronic commerce”, which involve the use of alternative to paper-based methods of communication and storage of information to facilitate electronic filing of documents with the Government agencies.