Data Protection Law In India

Written by: Pankaj Kumar - 4th year student, Bangalore Institute of Legal Studies, Bangalore
  • The purpose of this article is to throw light upon various provisions in Indian laws relating to data protection. A comparative analysis with foreign laws has also been made so as to identify the lacunae in Indian laws. A critical analysis of the proposed bill on data protection has also been made.

    Maintaining databases is not as difficult a task as maintaining their integrity, so in this era the most pressing debate is over devising a perfect method of data protection. With the advancement of technology, there has been a transition in the standard of crimes. In the present era most crimes are committed by professionals through the easiest medium, i.e. computers and electronic gadgets. With just a single click, criminals are able to get secured information. The lust for information is acting as a catalyst in the growth of cyber crimes.

    It is a very big headache for business houses, financial institutions and governmental bodies to give adequate protection to their huge databases. In the absence of any particular stringent law relating to data protection, the miscreants are gaining expertise in their work day by day.

    Though this world has simplified our lifestyle, it has left certain anomalies in the pursuit of its object, which have resulted in involuntary disclosure of data. This can be seen from these illustrations:
    1. On every login to an e-mail account in a cyber cafe, an electronic trail of the password is left behind unsecured.
    2. On every use of a credit card for purchases, a trail of brand preference, place of shopping etc. is left behind.
    3. On every login to the internet, an electronic trail is left behind, enabling website owners and advertising companies to get access to the preferences and choices of the users by tracking them.
    4. Employees are under surveillance, as employers routinely use software to access employees' e-mail and monitor their movements.
    5. Phone call signals of the police are easily tracked by the naxalites, enabling them to know about the police plans.
    6. Source code theft is the most preferred act of the miscreants.
    7. Sending unsolicited e-mails is also a usual practice for gathering personal information of the users.
    8. Movement across the web can be tracked by placing cookies and then retrieving them in a way that allows building a detailed profile of the user's interests, spending habits and lifestyle.
    9. Through hacking, hackers can alter anyone's account at will.

    Thus it can easily be seen how readily we are giving the miscreants room to enhance and simplify their acts, and how safe it really is to avail of the services of the digital world.

    Data protection under foreign law

    Many countries other than India have data protection law as a separate discipline. They have well-framed and established laws exclusively for data protection.

    U.K. Law
    The U.K. Parliament framed its Data Protection Act (DPA) in the year 1984, which was thereafter repealed by the DPA of 1998. This Act was basically instituted for the purpose of providing protection and privacy for the personal data of individuals in the UK. The Act covers data which can be used to identify a living person. This includes names, birthdays, anniversary dates, addresses, telephone numbers, fax numbers, e-mail addresses etc. It applies only to data which is held, or intended to be held, on computers or other equipment operating automatically in response to instructions given for that purpose, or held in a relevant filing system.

    As per the Act, persons and organizations which store personal data must register with the Information Commissioner, who has been appointed as the government official to oversee the Act. The Act puts restrictions on the collection of data. Personal data can be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or purposes. The personal data shall be adequate, relevant, and not excessive in relation to the purpose or purposes for which they are processed.

    U.S. Law
    Though both the U.S. and the European Union focus on enhancing the privacy protection of their citizens, the U.S. takes a different approach to privacy from that of the European Union. The U.S. has adopted a sectoral approach that relies on a mix of legislation, regulation, and self-regulation. In the U.S., data are grouped into several classes on the basis of their utility and importance. Accordingly, a different degree of protection is awarded to the different classes of data.

    Several Acts were also passed in order to stabilize the data protection laws in the United States. The Privacy Act was passed in the year 1974, which provided for establishing standards for when it is reasonable, ethical and justifiable for government agencies to compare data in different databases. Another Act, the Electronic Communications Privacy Act, was passed for restricting the interception of electronic communications and prohibiting access to stored data without the consent of the user or the communication service.

    Further, the Children's Online Privacy Protection Act was passed by the US Congress in October 1998, requiring website operators to obtain parental consent before obtaining personal information from children, and a Consumer Internet Privacy Protection Act required an ISP to get the permission of the subscriber before disclosing his personal information to third parties.

    However, the existing federal laws do not suffice to cover the broad range of issues and circumstances that make the new digital environment a threat to personal privacy. Furthermore, the US Government has been reluctant to impose a regulatory burden on electronic commerce activities that could hamper its development, and has looked for an answer in self-regulation.

    Data protection under Indian Law

    Our Constitution provides the law relating to privacy under the scope of Article 21. Its interpretation has been found insufficient to provide adequate protection to data. In the year 2000, an effort was made by our legislature to embrace privacy issues relating to computer systems under the purview of the IT Act, 2000. This Act contains certain provisions which provide protection for stored data. In the year 2006, our legislature also introduced a bill known as ‘The Personal Data Protection Bill’ so as to provide protection to the personal information of the person.

    Under IT Act, 2000

    Section 43

    This section provides protection against unauthorized access to a computer system by imposing a heavy penalty of up to one crore. The unauthorized downloading, extraction and copying of data are also covered under the same penalty. Clause ‘c’ of this section imposes a penalty for the unauthorized introduction of computer viruses or contaminants. Clause ‘g’ provides penalties for assisting unauthorized access.

    Section 65

    This section deals with computer source code. Anyone who knowingly or intentionally conceals, destroys or alters it, or causes another to do so, shall have to suffer a penalty of imprisonment or fine up to 2 lakh rupees. Thus protection has been provided against tampering with computer source documents.

    Section 66

    Protection against hacking has been provided under this section. As per this section, hacking is defined as any act done with an intention to cause wrongful loss or damage to any person, or with the knowledge that wrongful loss or damage will be caused to any person, and by which information residing in a computer resource is destroyed, deleted or altered, or its value and utility diminished. This section imposes the penalty of imprisonment of three years or fine up to two lakh rupees or both on the hacker.

    Section 70

    This section provides protection to the data stored in a protected system. Protected systems are those computers, computer systems or computer networks which the appropriate government, by notification in the official gazette, has declared to be protected systems. Any access or attempt to secure access to such a system in contravention of the provisions of this section will make the person who accessed it liable for punishment of imprisonment which may extend to ten years, and he shall also be liable to fine.

    Section 72

    This section provides protection against breach of confidentiality and privacy of data. As per this section, any person upon whom powers have been conferred under the IT Act and allied rules to secure access to any electronic record, book, register, correspondence, information, document or other material, and who discloses it to any other person, shall be punished with imprisonment which may extend to two years or with fine which may extend to one lakh rupees or both.

    Law of contract

    These days companies are relying on contract law as a useful means to protect their information. Corporate houses enter into several agreements with other companies, clients, agencies or partners to keep their information secured to the extent they want to secure it. They enter into agreements such as ‘non circumvention and non-disclosure’ agreements, ‘user license’ agreements, ‘referral partner’ agreements etc., which contain confidentiality and privacy clauses and also arbitration clauses for the purpose of resolving any dispute that arises. These agreements help them in the smooth running of business. BPO companies have implemented processes like the BS 7799 and ISO 17799 standards of information security management, which restrict the quantity of data that can be made available to employees of BPOs and call centers.

    Indian Penal Code

    It imposes punishment for the wrongs which were expected to occur till the last decade. But it has failed to incorporate within itself punishment for crimes related to data, which have become the order of the day.

    The Personal Data Protection Bill, 2006

    Following in the footsteps of the foreign laws, this bill was introduced in the Rajya Sabha on December 8th 2006. The purpose of this bill is to provide protection for the personal data and information of an individual collected for a particular purpose by one organization, to prevent its usage by another organization for commercial or other purposes, and to entitle the individual to claim compensation or damages for disclosure of personal data or information of any individual without his consent, and for matters connected with the Act or incidental to the Act. The provisions contained in this Act relate to the nature of data to be obtained for the specific purpose and the quantum of data to be obtained for that purpose. Data controllers have been proposed to be appointed to look into matters relating to violation of the proposed Act.

    On comparing the Indian law with the law of developed countries, the proper requirement for the Indian law can be analyzed. Data are not all of the same utility and importance; they vary from one another on the basis of utility. So we need to frame separate categories of data having different utility values, as the U.S. has. Moreover, the provisions of the IT Act deal basically with extraction of data, destruction of data, etc. Companies cannot get full protection of data through it, which ultimately forces them to enter into separate private contracts to keep their data secured. These contracts have the same enforceability as a general contract.

    Despite the efforts being made to have a data protection law as a separate discipline, our legislature has left some lacunae in framing the bill of 2006. The bill has been drafted wholly on the structure of the UK Data Protection Act, whereas today's requirement is for a comprehensive Act. Thus it can be suggested that a compiled drafting on the basis of US laws relating to data protection would be more favourable to today's requirement.
    Data protection being one of the most pressing topics of discussion in the modern era, legislatures are required to frame more stringent and comprehensive law for the protection of data, which requires a qualitative effort rather than a quantitative one.

