Data Protection Regime in India

Privacy has been considered an international human right, as enumerated under Article 12 of the Universal Declaration of Human Rights[1] and Article 17 of the International Covenant on Civil and Political Rights.[2] India, being a signatory to these international instruments, is under an obligation to protect the privacy of individuals. The current legal framework in India with respect to privacy and data protection is scattered across different statutes, rules and regulations, which individually deal with certain aspects of data protection.

The most important piece of legislation with respect to data protection is the Information Technology Act, 2000 (IT Act). Section 43A of the Act imposes civil liability on bodies corporate if, while dealing with sensitive personal data or information, they are found to be negligent in implementing reasonable security practices and procedures and this leads to wrongful loss or gain to any person[3]. Furthermore, Section 72A imposes criminal liability on any person for disclosing personal information of an individual to a third party without the consent of that individual[4]. These provisions are to be read with the IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011[5] [SPDI Rules], which define sensitive personal data or information[6] and provide the procedures to be followed by a body corporate for collection[7], disclosure[8] and transfer[9] of information. The Rules further provide what constitutes reasonable security practices and procedures[10].

Learn about Information Security, Privacy and Data Protection with Enhelion’s Online Law firm certified Course! 

Furthermore, the Information Technology (the Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (Cert-In Rules) impose an obligation on service providers, intermediaries, data centers and corporate entities to give mandatory notification of certain types of ‘Cyber Security Incidents’.

With respect to the protection of financial data, the Credit Information Companies (Regulation) Act, 2005 (CICRA) requires that the credit information of individuals in India has to be collected as per privacy norms enunciated in the CICRA regulation. Entities collecting the data and maintaining the same have also been made liable for any possible leak or alteration of this data.

With respect to the protection of health data, the Digital Information Security in Healthcare Act (DISHA), 2018 aims to protect the privacy of patients by protecting their medical data. It lays down the procedure for sharing personal health records, through a digital medium, between various healthcare service providers. Further, the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2020 impose an obligation on registered medical practitioners to comply with the relevant provisions of the IT Act and of data protection and privacy laws[11].

The Indian Contract Act, 1872 also becomes applicable if the privacy and confidentiality clauses enumerated in an agreement are breached by either party.

The Indian Penal Code, 1860 becomes applicable in the data protection regime because, when there is a theft of data, prosecution can follow for the offenses of theft[12], misappropriation of property[13] or criminal breach of trust[14] under the Code.

The most significant development in India has been the case of Justice K S Puttaswamy v Union of India[15], wherein the nine-judge bench of the Apex Court unanimously held that the right to privacy is an intrinsic part of personal liberty under Article 21 of the Indian Constitution. This highlighted the need for data protection legislation dealing with all the direct and incidental aspects. The latest step towards this has been the Personal Data Protection Bill of 2019, which is currently being reviewed by the Joint Parliamentary Committee. Once this Bill becomes law, India will have a single piece of legislation exclusively dedicated to privacy and data protection.

[1] Universal Declaration of Human Rights, 1948, art. 12.

[2] International Covenant on Civil and Political Rights, 1966, art. 17.

[3] Information Technology Act, 2000, s. 43A.

[4] Information Technology Act, 2000, s. 72A.

[5] Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

[6] Id, rule 3.

[7] Supra note 66, rule 5.

[8] Supra note 66, rule 6.

[9] Supra note 66, rule 7.

[10] Supra note 66, rule 8.

[11] Applicability of the Regulations.

[12] Indian Penal Code, 1860, s. 378 and s. 379.

[13] Indian Penal Code, 1860, s. 403.

[14] Indian Penal Code, 1860, s. 405, s. 408 and s. 409.

[15] Justice K S Puttaswamy v. Union of India, (2017) 10 SCC 1.