Data protection and privacy core tenets


Without strong data protection laws, privacy as a right will be of little value


  • As India awaits the judgment of a nine-member Bench headed by Chief Justice of India J.S. Khehar on whether privacy is a fundamental right, the moment is ideal for the country to define and reconstruct some of the elementary definitions and laws associated with ‘privacy’.
  • Although the concept of ‘data privacy’ is not explicitly mentioned in Indian law, the judiciary of India has, over time, entwined the concept of privacy with the interpretation of the right to life and personal liberty provided under Article 21 of the Constitution.

Need for data protection:

  • Companies’ databases are under constant risk of cyberattacks.
  • To prevent data being misused by third parties for fraud, such as phishing, scams, and identity theft.
  • Privacy should be at the core of legislation.
  • The present time is said to be the ‘age of data’, with private companies, ranging from social media platforms to e-mail services and messaging applications, storing humongous volumes of information, a lot of it outside India’s borders.
  • With 391.50 million internet subscribers as on December 31, 2016, and the government’s robust aim of doubling internet penetration across the country by 2020, there is a pressing need to educate the masses on their privacy rights and on the benefits and threats of the collection and processing of their data.
  • Both Facebook and WhatsApp have more than 200 million active users in India, with India recently surpassing the United States in terms of the number of Facebook users.
  • Data-colonising companies use the collected information in myriad ways. Individuals have limited control over how data collected from them are used; in many cases, they do not even have undisputed ownership of their own personal information.

European Union Regulations:

  • To protect the privacy of its individual users, the European Union is to implement the General Data Protection Regulation (GDPR) in May 2018.
  • Aimed at harmonizing data privacy laws across Europe, it will impose a stiff penalty of up to 40% of the company’s worldwide turnover in the event of a breach.
  • Many companies will also have to ensure that even their vendors are fully compliant with the GDPR as a condition for running their businesses.
  • Recognition of privacy as an individual right in India, without similar enforceable regulations, will be akin to raking water up a hill.


  • Security of personal data must be ensured and any breach must be duly notified immediately through robust grievance mechanisms.
  • If a person requires removal, alteration and correction of data, the same should be allowed.
  • Any contravention by entities (Government or Private) must be duly punished with imprisonment or hefty fines.
  • Mass surveillance and individual profiling without cause should be barred.
  • National interest should prevail over individual rights in narrowly defined exceptions where government can intervene.
  • When it comes to the collection of data by governments and agencies, it needs to be kept in mind that the Internet and the more virulent Darknet are increasingly being used these days by criminals for illegal trade, trafficking, and money laundering.
  • Regulations that impinge on the effectiveness of our intelligence and law enforcement agencies as they battle these challenges would significantly compromise our social harmony and national security.
  • The legislative framework regarding the issue of data protection and privacy is dated and is presently viewed under the Information Technology Act.

Information Technology Act of India:

May 2000 saw the rise of the IT Bill; it received the assent of the President in August 2000 and became an Act. Cyber laws are contained under the IT Act, 2000.

  • Aim: to provide legal infrastructure for e-commerce in India.
  • The Information Technology Act, 2000 also aims to provide for the legal framework so that legal sanctity is accorded to all electronic records and other activities carried out by electronic means. The Act states that unless otherwise agreed, an acceptance of contract may be expressed by electronic means of communication and the same shall have legal validity and enforceability. Some highlights of the Act are listed below:
  • Chapter II deals with Use of Digital Signature to authenticate an electronic record.
  • Chapter III of the Act deals with Electronic Governance and provides, inter alia, that where any law provides that information or any other matter shall be made available in an electronic form; and accessible so as to be usable for a subsequent reference.
  • Chapter IV of the said Act gives a scheme for Regulation of Certifying Authorities. The Act recognizes the need for recognizing foreign Certifying Authorities, and it further details the various provisions for the issue of licenses to issue Digital Signature Certificates.
  • Chapter IX of the said Act talks about penalties and adjudication for various offences. The penalties include compensation not exceeding Rs. 1,00,00,000 to affected persons. The Act talks of the appointment of any officer not below the rank of a Director to the Government of India, or an equivalent officer of a state government, as an Adjudicating Officer who shall adjudicate whether any person has made a contravention of any of the provisions of the said Act or rules framed thereunder. The said Adjudicating Officer has been given the powers of a Civil Court.
  • Chapter X of the Act talks of the establishment of the Cyber Regulations Appellate Tribunal, which shall be an appellate body where appeals against the orders passed by the Adjudicating Officers shall be preferred.
  • Chapter XI of the Act talks about various offences, and the said offences shall be investigated only by a Police Officer not below the rank of Deputy Superintendent of Police. These offences include tampering with computer source documents, publishing of information which is obscene in electronic form, and hacking.
  • The Act also provides for the constitution of the Cyber Regulations Advisory Committee, which shall advise the government as regards any rules, or for any other purpose connected with the said Act. The said Act also proposes to amend the Indian Penal Code, 1860, the Indian Evidence Act, 1872, the Bankers’ Books Evidence Act, 1891, and the Reserve Bank of India Act, 1934, to bring them in tune with the provisions of the IT Act.

The Information Technology (Amendment) Act 2008:

The Information Technology (Amendment) Act, 2008, an act to amend the IT Act 2000, received the assent of the President on 5th February 2009. It dealt with various changes, as summarized below:

  • DATA PROTECTION: With no specific reference to data protection in the 2000 Act, the ITA 2008 introduced two sections addressing data protection: Section 43A (Compensation for failure to protect data) and Section 72A (Punishment for disclosure of information in breach of lawful contract).
  • INFORMATION PRESERVATION: Section 67C refers to the Preservation and Retention of Information by Intermediaries. According to Central Government, any intermediary who intentionally or knowingly contravenes the provisions shall be punished with imprisonment for a term which may extend to 3 years and shall not be liable to fine.
  • Section 69 gives power to issue directions for interception or monitoring or decryption of any information through any computer source.
  • Section 69B authorizes the monitoring and collection of traffic data or information through any computer resource for cyber security.

The Privacy (Protection) Bill, 2013

  • The Bill focuses on the protection of personal and sensitive personal data of persons.
  • The Bill contains specific provisions related to the collection, storage, processing, transfer, security, confidentiality, and disclosure of sensitive personal data.
  • The consent of the data provider is necessary.

Article 21

  • Article 21 of the Constitution of India states that “No person shall be deprived of his life or personal liberty except according to procedure established by law”.
  • Article 21 has been interpreted to mean that the term ‘life’ includes all those aspects of life which go to make a man’s life meaningful, complete and worth living.

What needs to be done in the context of the Right to Privacy?

  • In view of the increased security required specifically for territorial privacy and data privacy, there should be a provision added to the Constitution of India.
  • This should be a provision that deals with multiple dimensions of privacy, such as personal, territorial, communication and data/information.
  • Such a provision would bring clarity as to the extent of the right to privacy.
  • There is a dire need for a comprehensive privacy legislation which would ensure the protection of personal and sensitive data of people.
  • There is also the need for an established regulatory body.
  • This could be structured along similar lines as that of the data protection commissioner offices, which exist in Canada, Ireland, and other developed informational economies.


  • Given the rising internet penetration and growing emphasis on Digital India, it is imperative to protect the sanctity of data generated by citizens. A legislative framework to address the growing concerns around data protection and privacy is the need of the present day.