The internet has now embellished as an integral part of everyone's daily
routine. It has taken over the world, from basic communications to online
shopping. Companies have also chosen to carry on their operations via the
internet. As a result, e-commerce has grown in popularity. Many government
procedures are now conducted online, and e-finance has exploded in popularity in
the last year. The popularity of internet has been growing on and on thus
increasing the perils in association to it.
In the twenty-first century, when information reigns supreme, data is a valuable
asset. Data is the driving force behind the world's growth in the modern era.
This is where the Data Protection Laws come into play. Many countries have
passed laws based on these principles.
This paper examines the current state of data protection laws in India and
around the world, as well as the Indian legal aspects of the Data protection
and the Privacy.
What is cyber law?
Cyber law comprises of two words cyber and law. Cyber is used as a prefix in
this, a term in connection with information technology as to compute in
the internet. It is a relationship between modern computing and technology. Law
is a a set of procedural rules and regulations which has entrenched in the
society to follow to ensure peace and harmony. There are various subjects for
which laws are made, one of them is cyber law. Cyber law is the law which
governs the legal prospects of the Internet and also administers the digital
information, software or the security.
The suitable introduction to Cyber Law is: It is 'paper laws' in the 'paperless
world'. It comprises of laws on how to retrieve and utilize the internet and
even provides with rules in order to protect the online privacy as well. The
term cyber law is a wide terms which includes various subjects like legal
informatics and electronic elements, including information systems, computers,
software, and hardware. It's the legal structure to tackle with the Cybercrimes.
Importance of cyber laws
As of early 2021, the number of people that use the internet is over 4.66
Billion. With that number increasing by 7% annually. This also means every day
can account for almost 8,75,000 new users This instantaneous increase of
usage of cyberspace has made it necessary to have cyber laws.
As with time
technology is a growing on and on cyberspace which had initially started as an
information tool, today has now become form for communication and commerce as
well. The Technology is developing every single day it has become a core part
of our lives, for every small thing we require cyberspace which in turn has led
to the inevitable increase in the cyber crimes.
We have seen in this time of COVID-19 all the things going online, businesses
going online, the studies going online and what not, this time also saw an
increase in the usage of e-commerce which in turn has made necessary that there
are proper regulatory practises set up to ensure that no malpractices take place
in the cyberspace. The cyber laws restrict the people from the cyber criminal
activities or it least tries to reduce the pace of the cyber crimes. Cyber law
provides with a security for all data and properties of individuals,
organisations and the government. It also helps to restrain the illegal
activities while assessing it. It governs the actions and reactions on the
Advantages Of Cyber law
The cyber law ensures that all the online transactions are safe and
protected it keeps a track of all the electronic records. It has also aided in
establishing the electronic governance over the cyberspace as call recognition
is granted to the old transactions taking place through electronic media which
also in turn made the digital signature is legal which has turned to view a
turning point in the legislation of India.
Has also helped the various government departments by facilitating the e-filing
of the documents and also authorising the and also giving the bankers the
authorisation for in order to keep records in the configuration of electronic
and granting the allowance of electronic fund transfers between various
institutions. The cyber laws led to the birth of new security agencies like
cyber cell which in turn monitors the cyber traffic and provide software as well
hardware security and blocking the unwanted content from the internet.
Difference between cyber and the conventional crime
The basic different betwixt the two terms is obviously the use of technology,
which is the main under he cyber crime however it can only act as a small aid
in the crimes which are conventional.
For conducting a cybercrime one is usually highly educated professionals,
hackers, organised ideological people where as the conventional crimes are
conducted by the petty unorganised gang, usually the poor and illiterate strata
of the society.
In a conventional crime the criminals tend to leave an evidence behind which
reaches to them whereas cybercrime has a less chance as hackers leave behind any
traces which could lead back to them.
The scale of attacking in the cybercrime is very higher as the compare to a
conventional one, like the robber will be able to rob one or two banks in a
Week or so whereas the cybercriminal would be able to rob the 100s of bank with
just a click.
The Cybercrime allows to be conducted by sitting anywhere from world, it isn't
essential to be there at the crime place necessarily. The cybercriminal could be
anywhere even at a place where there are no law regulations the actions.
The cybercrime is conducted at a machine speed, in minutes multiple sites can be
targeted and the data could be hacked from their profiles.
Reasons for cyber crime
'human beings are vulnerable so rule of law is required to protect them'.
This saying can be applied to the cyberspace as well. The Cyberspace is a
vulnerable space where the computers are there, therefore Cyber Law is a
requirement that serves as a deterrent to cybercrime. There are a number of
grounds that the cyberspace is a space which is suspectible where the computers
could lead to the cybercrimes.
One of the logics is that a computer is the tool which has a distinct quality to
huge amount of data during a very compact space which enables the extraction of
an information or any data by the hackers smartly in flash and use that data
for their own use. Another reason is that the hackers have a very easy access to
the system. The skilled hackers have the capability to get an unauthorised
access to the system by infringing the access codes, retina images, voice
recognitions and many more which could incite to fooling the biometric system
thus allowing the hackers to access the system.
The computers are able to work
through an operating system, which in turn is made up of millions and millions
of code which are difficult to break by a human mind, thus it is thought that
there is no loophole in it and thus nothing wrong would happen in that stage
which is being misused through the hackers. Even a single small loophole in the
operating system is detected by the hackers which in turn they exploit, thus
this complexity becomes a reason for cybercrimes. Cybercrimes could also be a
result of negligence act.
A negligent act can turn into a profound concern as it implies a direct welcome
to hack the operation for the hackers. It is necessary to be a little bit of
vigilant and avoiding any negligence as it would be a cause to cyber crimes. A
reason for cybercrimes can also be that the evidence can be lost. The hackers
can remove the traces of their breaching which in turn makes it difficult to
reach to the hackers, which in turn makes the system a little bit more prone to
the cyber attacks.
The evolution of the technology is one of the biggest reasons
of cyber crime, invoking people to try new things and learn them thus leading to cybercriminal activities. Some cybercriminal activities arise out of revenge. A
person would be hurt by the other person because of any reason which would
entice him to take a step against the person and he would take help of the
cyberspace to do so.
Scope of cyber law
The cyber laws is a subject of wide range. There are different cyber laws which
serve different types of purposes. The cyber crimes can happen with individuals
or as an organisation or against the government. As an individual one can get
involved in online harassment or stalking, child pornography whereas cyber
terrorism, threats, misuse of power against national security could be cyber
crimes involving the government.
It deals with various aspects like protecting
the privacy and the various rights like the freedom of speech And right to
information, preventing any kinds of frauds dealing with a lot of spammers and
a jurisdiction over the e-commerce.
The cyber laws can be divided into various
A fraud can be committed online like identity theft, credit card theft and other
financial Crimes, the Cyberlaws that have been made which in turn protecting
the victim from the fraud committed, the person who commits the fraud can face
criminal charges and the victim can also initiate the civil action in opposition
to the person committing fraud. People fall for various scams through which the
criminals are able to get the money from their accounts, this is generally
termed as phishing
- Copyrighting Issues
The internet comprises of an enormous amount of data which is available to
anyone anywhere and anytime as per the convenience. But if someone tries to copy
the any type of information which is accesible on the internet and claims it
has its own then cyber laws have a provision for protecting the hardwork of an
individual or an organisation who has put the data or information on the
- Online Harassment and Stalking
Many people especially the girls are the victims of online harassment and
stalking, this has been becoming a very huge issue, almost everyday we see in
news that someone was caught for the same, various cyber laws have been enacted
for the same.
- Trade Secrets
Cyber law also helps in protecting the trade secrets of the businesses which
are doing the work online as it provides various provisions for it. It helps the
e-commerce to initiate a legal action in case the trade secrets are in
- Data Protection
People who are being dependent on the cyber law to ensure the protection of the
information that is personal. Even the organisations as well as the companies
also depend on it to preserve its data confidentiality.
Impact of Cyber Crimes
The cyber crimes can have huge impact on the individual, business, economy and
the country's security as well. Nowadays everyone is extremely reliable on
cyberspace to do all the work be it transferring money or shopping thus making
them subjected to a higher risk of getting into some kind of fraud. A survey
conducted in 2011by Norton CyberCrime revealed that over 74 million people of
The United States were victims of cybercrime in 2010, which caused financial
losses of almost $32 billion.
In India also the citizens are being persuaded to be cashless, using various
apps to make payments via apps like Paytm, Bhim and many more. But with the
emergence of all the trends of being cashless and using the Internet for the
purpose of money has increased the chances of a person falling prey to an online
scam or fraud if he full knowledge is not with him and smart ample to utlize
them carefully. The companies face the risk which is similar of suffering from
the financial losses as a result of the various cybercrimes its exposed to.
The risk doesn't confine to financial losses even to leakage of personal
information of a human being too. The social networking sites act as an open
platform to take a peak at anyone's life which can be dangerous in one way or
other. The hackers have the capability to hack in anyone's account and take any
information and use it in any manner which puts a huge strain on the people on
how to freely use the networking sites. The people start losing trust in the
sites and various platforms as the people hear or see the experience about the
scams or frauds or phishing. This puts a risk on all the e business as no one
would be ready to make transactions with them because of the fear.
Cyber crimes also affect the national security as nowadays all the work of the
country is done using the advanced technologies and network which in turn can
help the terrorists to intrude into any other country's security networks and
obtain the necessary information to cause harm to that specific country. They
could even breach the country's data and destroy it or add any kind of
misinformation to the records of the country, these things could jeopardise the
nation's security, integrity and peace.
What is data?
Data has been defined as "a representation of information, knowledge, facts,
concepts or instructions which are being prepared or have been prepared in a
formalized manner, and is intended to be processed, is being processed or has
been processed in a computer system or computer network, and may be in any form
(including computer printouts magnetic or optical storage media, punched cards,
punched tapes) or stored internally in the memory of the computer" as per the
Information Technology Act.
In simple words data can be explained as a accumulation of the facts; the facts
can be numbers, measurements, observations or passwords to anything. It has
also been defined as "any electronic information that is held by a public or
private service provider (like a government service department, a bank, a
document repository, etc. This includes the static documents as well as the
transactional document" under the electronic consent structure which is
provided by the Digital Locker Authority.
Data can be a Personal Data, it is
the information which is associated with a person who is precised. This in turn
helps make a person identified through the data. It appends the attributes of a
specific person, like Your Name, Address, Email Address, Phone number, Aadhar
card number, your IP Address or can be anything like the health record held by
a doctor or by the hospital.
The data is very important therefore many people try to extort the the data.
Data Theft is when data is extorted through illegal means from one system to
other which in turn provide benefits to the person who extorted the info. It's
breach of privacy of one person which can lead to harsh repercussions for
individuals and businesses. The data theft can be performed by means of USB
Drive, Email, Remote sharing & Malware Attacks. The data theft can be prevented
through various methods like using strong passwords to protect the data,
installing firewall systems, wireless networks should be secured,the data should
be kept encrypted, one could be assuring that the system is updated and one
properly can handle and dispose the sensitive data.
Data is defined as a formalised portrayal of information, knowledge, facts,
concepts, or instructions that's intention is to be processed, is being
processed, or has been processed in a computer system or computer network, and
may be in any form (including computer printouts, magnetic or optical storage
media, punched cards, punched tapes) or stored internally in the computer's
memory under the Informatization Act. In simple terms, data can be defined as a
collection of facts.
What is data protection?
A synchronisation of strategies and procedures which is applied to safeguard the
privacy, accessibility and the righteousness of the data is termed as data
protection. This synchronisation staves off any kind of possibility of data
loss, theft, or corruption and in occurrence of a breach it can help in
lessening the damage caused.
This also gives a capability of restoring the data
to the exact functional state before the corruption or breach had taken place.
It is a correlation of technology and data, how data is collected and it's
circulation. It coves the subjects of immutability, preservation and deletion
of the data and not only it's availability. It's tries to put a balance between
providing privacy and protection.
The term data protection and term data privacy are two terms which are
interconnected to each other.
The term data privacy is more like prescribing how
data should be collected and handled depends upon the sensitiveness and
significance of data being provided. Data privacy is administered through the
regulations of data protection. Data privacy provides with who gets the access
to the data however the data protection is protecting the the datas from the
people who don't gain access to the data.
The data protection is done on all levels be it personal or corporate or
government, the technique and scale of doing this on the different levels can be
different according to the situation needs whom to give access and from whom to
protect. A few perceptions are needed to be observed in process of data
protection. In the process at whatever level being conducted, it needs to be
within a precise limit, excess of everything is detrimental and the data has to
be unerring and relevant in nature.
There must a specific rationale behind the
data protection and it should be done through proper security and appropriate
rights have to be provided with to the authorised. The data being protected
must be done with the assent of whosoever concerned. A proper endurance is
required to be given by the data protectors about the accountability of the
Importance of Data protection
The paramount reason for the data protection is which acts as an asset by
safeguarding all types of valuable data and avoiding any unwanted access to it
by anyone. It also helps in maintaining a line of privacy for example in a
company an employee provides personal details to the HR department who keeps the
data to itself and doesn't allow any unauthorised access or when a client shares
the details, which when protected increases the trust and confidence of clients
in organisation that in turn helps the organisation to sustain in the society.
It directs as a safety shield in opposition to the hackers and thus not falling
to any types of fraudulent activities like scams, phishing, theft and many more.
It helps in order to prevent any financial loss on personal level of on business
level. It's a crucial component of a business especially the ones whose
most work is done online, they are at a greater risk that their website or the
platform gets hack and all the data is accessed by the unauthorised like the
It also encourages better management of work as the data
protection requires good management of work and also encourage to have moral
ethics. This also in turn leads to increase in business profits and reduces the
risks in a lot of ways, thus making the business more successful and increasing
their customer base. This also encourages people to take initiatives and start
their own businesses.
To a large extent, there have been challenges. which also attaches with data
protection process like at the present moment there doesn't exist a global
agreement on data protection so it's sone as per the needs of oneself which
sometimes may lead to be not in other people favour. Its costly as well as time
consuming process and to ensure the protection process is correct and there is
no downside to it a professional is required to do the same. The technology is
changing everyday new new things are coming up which makes it difficult to adapt
and implement the new changes on a daily basis.
Data protection laws in India
Its an arrangement of privacy policies, laws and the procedures that focus on
reducing any kind of interfering into anyone's personal data. In India there are
no specific laws for data protection and privacy.
The Privacy's Right of an individual is not as such a provision of the
constitution of India, but the courts have an observation that the privacy is
a right with in relation to other fundamental rights that is right of freedom
of speech and expression and right to life and personal liberty. But these
both rights are condemned to some restrictions which may be laid by the
"No person shall be deprived of his life or personal liberty except according to
the `procedure established by law" is given under the Article 21. This
doesn't not precisely certifies the right to privacy as one of the fundamental
rights. The Right To Privacy as a part of fundamental right has come a very long
way. The issue of right to privacy as a part of the fundamental rights under
the Indian Constitution which has been tabled through various cases and every
court has provided with its own different opinions in the different cases.
This issued was presented for the very first time under the case of M. P.
Sharma and Ors. V Satish Chandra, District Magistrate, Delhi and Ors
India's Supreme Court refrained from giving the status of the fundamental
rights of right of privacy. It had said that in the case of R. Rajagopal and
Anr. V State of Tamil Nadu that "The right to privacy is implicit in the
right to life and liberty guaranteed to the citizens of this country by Article
21. It is a "right to be let alone". A citizen has the right to privacy
The question Is right to privacy a Fundamental Right under Article 21 of Indian
Constitution, was first of all answered in the famous case of Kharak Singh v
State of U.P. and others in which a stern elucidation of the word "life
And personal Liberty " was created and it was ruled that Right to privacy,
wasn't a part of the fundamental rights guaranteed by the Indian Constitution.
But, this question took a different turn with the landmark judgment of Maneka
Gandhi v Union of India
. This case gave the term "personal liberty" widest
possible elucidation. Thus creating right to privacy as a vital component of
right to life under the Indian Constitution's Article 21.
Eventually also in the case of People's Union for Civil Liberties (PUCL) v Union
of India the Supreme Court had observed that the "We have, therefore, no
hesitation in holding that right to privacy is a part of Rights to "life" and "personal liberty" enshrined under Article 21 of the Constitution." Once the
facts in a given case constitute a right to privacy, Article 21 is attracted.
The said right cannot be curtailed except according to procedure established by
The issue was also pondered upon by the SC in one of the landmark case of K. S. Puttaswamy (Retd.) v Union of India
. In the case the court has held that
Privacy is a constitutionally protected right that stems primarily from Article
21 of the Constitution's assurance of life and personal liberty. Privacy issues
arise in a variety of contexts from the other aspects of freedom and dignity recognised and guaranteed by Part III's fundamental rights."
This case had put
up a challenge against to government's Aadhaar scheme which is a kind of a
uniform based on biometrics identity card, which the government
had proposed to make necessity in order to grant an access to all the
services and benefits provided by the government. The Supreme Court faced the
challenges on the base that the scheme was in violation of the right to
It is one of the latest judgement of the SC that ruled that the Right to privacy
is a fundamental right granted to the citizens of India through Indian
Constitution. The acknowledgment of right to privacy as a fundamental right is a
proof that as a nation we are moving in a right direction in order of setting up
a designated system which would provides techniques for protecting personal
data and avoiding data theft in any manner.
The judgement resulted in making the Aadhar Card
being appraised and safeguarding the personal data of people
which is precious in any form is kept safe from any breaches or is in privacy
reaching no ones hand. This had also directed a remarkable step that the data
which is stored with many other government agencies should also be evaluated and
keeping it safe.
This had radically changed the way of the government to view
its citizens' privacy in practice and as well as the prescription. It
necessitated the governments to initiate various structural reforms and try
to bring in transparency and openness in the procedures to commission and
execute the surveillance projects, and thus building a mechanism of judicial
oversight over surveillance requests.
Indian Contract Act
The common law principles are the basis of the Indian Contract Act. It gives
provision where the participants of the contract can add relevant clauses in the
accord for data protection like a confidentiality clause. This is provided under
the Section 27. clause provides with that a person would be compensated in case
of data leakage The clause provides with that a person would be compensated in
case of data leakage of any manner and also lays down what mechanism is to be
imposed with the person who is behind the data leakage depending upon to what
extent it is leaked. The companies enter into several agreements on a regular
basis which help them in a smooth running of the business thus they relay on
this proviso to protect their confidential information of their clients.
Indian Penal Code 1860
An amendment was made to this act which made the term data as a segment of the
definition of movable property thus making data theft or its misappropriation as
a crime as per the act. The computer data or databases are movable in nature
thus getting protection under the act. It has been proved really effective in
prevention of data theft. It could cover a few topics in the connection of the
data protection , but being a very old statue it doesn't able to cover a lot of
subjects like breaches of data privacy. The data has been incorporated in the
term moveable property but is data is to be in consideration it's part in all
the sections or not is still a question to ponder upon by the courts.
Copyright Act 1957
This act provides protection to the Intellectual Property Rights of all kinds of
works including the literary, dramatical, artistic work. With an amendment to
the act the database of the computer has been included in the term literary
work. The amendment is a benefit to the customers as no other institution other
than the service providing company can legally make use of the information
provided by them in any manner.
So if a a particular data base is being copied and shared among others or is
being used for one owns need then it leads to a copyright infringement which
would thus lead to civil or criminal remedies. Under this act it is difficult to
differentiate between the data protection and data base protection as data
protection is mainly for protecting of the personal data however the database
protection is protection of ones work performed or art being created. This act
provides punishment under section 63B for the piracy of copyright data. The
punishment can be a term in jail or fines of varying amounts.
Information technology Act 2000
This act was introduced as a legal framework to administer the virtual ecosystem
which comprises of e-commerce, electronic contracts, e-mails and so on and on.
The act had been passed on long back the virtual ecosystem has grown to large
extents since then thus making this act more and more relevant in nature. It
gives a legal status to all the transactions helped out through the method of
electronic manner, usually called e commerce.
It is an alternative to a paper
based way of communicating and storing of data with various government
institutions. This act cover the subject of data protection to some extent,
providing with laws to prevent misappropriation of Data and imposing various
fines. It also provides with payment to compensate both civil and criminal in
the event of misusing the data which is personal or it's disclosure in wrongful
means or violating any terms of agreement in relation to personal data
protection. The act had undergone a major amendment in 2008.
The sections in
relation to data protection are:
The act has a provisio under the section 43 that grants protection in case
there is any kind of unauthorised access of a system by levying a heavy penalty
up to One Crore. It also covers any kind of download or extraction or copy of
the unauthorised data.
A punishment fee of up to 5 crore fine can be imposed under section 43 A if
there is any kind of negligence in the implementation and maintenance of
proper security practices by a corporate body who is in possession or deals or
handles with data which is of sensitive nature and the negligence in turn leads
to any loss or gain which is wrongful in any manner. The corporate body would be
liable to pay the compensation in the form of penalty.
Anyone who knowingly or intentionally conceals, destroys, or alters any computer
source code used for a computer, computer programme, computer system, or
computer network, when the computer source code is required to be kept or
maintained by law for the time being in force, faces a sentence of up to three
years in prison, a fine of up to Rs 2,00,000, or both, according to Section 65
of the IT Act. As a result, computer source documents have been protected from
any kind of tampering.
Section 66 provides with that anyone who has committed any conduct as
to referred to in section 43 dishonestly or fraudulently shall be punished. It
has been designed to protect against hacking. According to this section, hacking
is defined as any kind of act committed with intention to cause wrongful loss or
damage to another person, or with knowledge that wrongful loss or any damage
could be caused to another person, and information stored in a computer
resource must be destroyed, deleted, altered, or its value and utility
diminished. The hacker can face a three-year prison sentence or a fine of two
lakh rupees lower limit, or both, under this clause.
Anyone who uses a digital signature, password, or any other unique
identification feature of another person unlawfully or dishonestly shall be
punished with three years in prison and a fine of up to Rs.100,000.00 under
Section 66A of the Act, which deals with identity theft. Identity theft is
addressed in Section 66 C, which states that anyone who unlawfully or
dishonestly uses another person's electronic signature, password, or any other
unique identification feature is subject to imprisonment for up to three years
and a fine of up to INR 1,00,000.
Shreya Singhal v. Union of India
 is a 2015 Supreme Court of India decision
on the issue of online speech and intermediary liability in India, handed down
by a two-judge bench. Section 66A of the ITA2000, appertaining to restrictions
on online speech, was declared unconstitutional by the Supreme Court on the
grounds that it violated Article 19(1)(a) of the Indian Constitution. The Court
added that the Section was not saved because it was a reasonable restriction
on freedom of speech under Article 19 of the Constitution (2).
The SC struck
down the Section 79 and the governing rules of it. It was decided that the
intermediaries which are online can only be required to remove content as an
when served with a government order or an order psssed by the court. In India,
the case is regarded as a moment which is watershed for online free speech.
Individuals (Shreya Singhal), NGOs, and businesses challenged the provisions in
the Supreme Court through a series of writ petitions. The various petitions were
grouped together and heard by Justices Chelameswar and Nariman in a two-judge
Section 69 acts as an exception to the general rule of maintaining information
privacy and secrecy provides that where the Government have a satisfaction
which is a necessary in the interest of the integrity or sovereignty of India
or defence or security of the State or in any case as the government deems fit
to. This provides the authority to intercept, monitor, or decrypt any
information in any computer resource, including personal information, the
government may demand disclosure of information when it is in the public
interest to do so by the government.
Section 69 of the Information Technology Act of 2000 covers both interception
and monitoring, as well as decryption, for the purpose of investigating
cybercrime in India. The Information Technology (Procedures and Safeguards for
Interception, Monitoring, and Decryption of Information) Rules, 2009, were also
published under this section. The Information Technology (Procedures and
Procedures) Act has been published by the government. It provides for the
various grounds upon which the government can interfere with the data.
In the interest of India's sovereignty and integrity, defence, security,
friendly relations with foreign states, or public order, or to prevent
instigation to the commission of any cognisable offence relating, Section 69A
allows the Centre to block public access to an intermediary.
This act sets out penalty in case the confidentiality and privacy of data of
someone is breached under Section 72. Any person who, without the consent of
the person concerned, secures access to any electronic record, book, register,
correspondence, information, document, or any other material in pursuance of any
of the powers conferred under the IT Act Rules or Regulations made thereunder,
discloses such material to any other person shall be punished with imprisonment
for a term up to two years, or a fine up to Rs 1,000,000. Furthermore, section
72A states that disclosing information without the consent of the person
concerned and in violation of a lawful contract is punishable by up to three
years in prison and a fine of up to Rs 5,00,000.
The provisions of the IT Act will apply to an offence or contravention committed
outside India by any person if the act or behaviour constituting such offence or
contravention includes a computer, computer system, or computer network located
in India under the Section 75 of the IT Act.
Information Technology (Reasonable Security Practices and Procedures and
Sensitive Personal Data or Information) Rules, 2011
These rules have been inflicted by the government with an objective of ensuring
reasonable security practices and procedures these rules have to be complied by
the companies and other a legal entity that deals with sensitive personal
information in any manner.
The Rules exclusively cover the protection of sensitive data which is personal in nature or information of a person
includes information about a person's personal data Passwords; Financial
information, Physical, physiological, and mental health conditions; Sexual
orientation; Medical records and history.
The regulations provide acceptable
security standards and processes which any individual or any the body corporate
collecting, receiving, possessing, storing, dealing, or information being
handled on behalf of the body corporate must follow when dealing with "Personal
sensitive data or information." In the circumstances of a contravention, the
body corporate or any other person acting on its behalf may be held liable to
pay damages to the person who has been harmed.
Rule 3 establishes a list of items that are considered sensitive personal data,
including financial information, sexual orientation, and credit or debit card
information. Companies and other body corporates are required to create a
under Rule 4, which must be accessible on the body corporate's website.
It also states that the Companies and other body corporates shall not acquire
sensitive personal data without first receiving consent in writing, by fax or
e-mail from the provider indicating the explanation for why data is being
collected. Even the personal information or sensitive data shall not be
collected unless and until it is for a lawful purpose and the collection is
required to carry out that specific purpose. The information gathered will only
be used for the purpose for which it was gathered and will not be kept for any
longer than is necessary.
Rule 6 requires the Body Corporate to obtain the consent of the parties
concerned provider before revealing sensitive data to a third party, unless the
parties have agreed otherwise agreed to such disclosure through any other
means. However it can be disclosed without prior consent to the government
entities mandated by law or as an order under the law a third party, unless the
parties have agreed otherwise, who will be bound not to reveal it. Rule 8
clarifies that if a firm or other corporate body has adopted and recorded the
standards of these security measures, they are regarded to have conformed with
reasonable security practises.
Under section 69A of the IT Act, the government has also notified the
Information Technology (Procedures and Safeguards for Blocking for Access to
Information) Rules, 2009, which deal with website blocking. Various websites
have been blocked by the government.
However the IT act and the rules prescribed is not adequate for the data
protection as they have a very limited scope and it has various loopholes
attached to it. There is no definition of a data breach of consent in the act.
Only a 'body corporate' can collect and distribute information under the
provisions of the IT Act. It doesn't have an overarching provision stating that
interception can only take place in circumstances of public emergency or public
safety. Furthermore, Any person may be prosecuted under section 69 of the IT Act
or intermediary who fails to assist the specified agency with the interception,
monitoring, decryption, or provision of information retained on a computer's
hard drive is subject to a fine and a sentence of imprisonment of up to seven
The IT Act's rules and provisions aimed to protect sensitive personal
data or information like information about passwords final in financial
information et cetera whereas the information that is readily available in the
public domain is not considered personal data and information that is highly
sensitive. The vast majority of the provisions only apply to "sensitive
personal data and information" gathered by "computer resource." Consumers can
only initiate enforcement action in relation to a specific section of the
regulations, which are limited to corporate entities that engage in automated
There is no mechanism for data localization, which was a major source of concern
and the cause for the Chinese applications' ban in India. Although the preceding
rules was a step toward creating a specialised data protection law but they
are insufficient. Only protected data as described in the Rules is dealt with
under these Rules. There is no comprehensive legislation that governs and
regulates all data-related activities and has severe data-protection rules.
India requires a robust data privacy law to meet these restrictions.
The Personal Data Protection Bill, 2006
The decision in K. S. Puttaswamy (Retd.) v Union of India
 prompted the
creation of the Personal Data Protection Bill, which is currently a proposed
Legislation on data protection in India. It has yet to be passed by Parliament,
but it gives us a good idea of how India's data protection laws have
progressed. A committee was established to explore data privacy problems in July
2017 by The Ministry of Electronics and Information Technology which was
presided by Justice B. N. Srikrishna, a retired Supreme Court judge.
2018, the committee submitted the draft PDP Bill, 2018 which was approved by
the Indian cabinet ministry on 4 December 2019 as the PDP Bill 2019 thus tabled
in the Lok Sabha on December 11th , 2019. The Bill is being examined by a Joint
Parliamentary Committee (JPC) with the help of professionals and stakeholders as
of March 2020 who is in charge by Meenakshi Lekhi.
The Bill aims to protect individuals' privacy in relation to their personal
data, specify the flow Establishing a trust relationship between persons and
entities processing personal data, as well as protecting personal data the
fundamental rights of individuals whose personal data is processed. It also
creates a framework for organisational and technical measures in data
processing, establish norms for social media intermediaries thus facilitating
cross-border data transfer.
Its purpose is To keep personal information safe and
secure information collected for a specific purpose by one organisation and to
prevent its use for commercial or other purposes by any other organisations. It
also allow individuals to seek compensation or damages for disclosure of
personal data or information without their consent.
The proposed legislation divides data into three categories:
- critical for defence and intelligence services, as well as payments data
from foreign banking services like Visa and Mastercard
- sensitive for health, religion, political orientation, biometrics,
genetics, sexual orientation, and financial data of individuals and
- personal for health, religion, political orientation, biometrics,
genetics, sexual orientation, and financial data of individuals.
While the regulation prevents the sharing and processing of essential data
outside of India, it establishes restrictions on sensitive data processing and
requires the user's agreement.
In addition, the bill proposes to establishes a national Data Protection
Authority (DPA) to govern and regulate data fiduciaries under section 41 of the
It is an ultimate regulatory authority to be chosen by the government as
well as being in charge of ensuring data fiduciaries to follow the law. The body
would also push for "Data Localization," which requires that Indians' personal
information be stored in India.
The DPA is proposed as the regulatory and enforcement agency in the Bill. The
Authority will comprises of a chairperson and six other members with at least
ten years of experience in data protection, information security, data privacy,
data science, and related topics. The bill provides with the Data Protection
Authority's authority, operations, and administration.
The DPA can impose fines on data fiduciaries if they fail to comply with data
processing responsibilities under this bill or DPA directives; or requirements
for cross-border data storage and movement.
A penalty of more than 5 crore
rupees can be imposed if DPA is not notified quickly. Furthermore, anyone who
discloses, gets, transfers, sells, or proposes to sell personal sensitive data
faces a five-year prison sentence or a charge or fine of up to three lakh
The individuals who are harmed as a result of data breaches are
compensated. If the data breach was caused by the data fiduciary's carelessness
or breach, the compensation is decided by a DPA adjudicating officer. The
adjudicating officer's decision might be challenged in the Appellate Tribunal.
This bill attempts to regulate how government bodies and business entities
established in India and abroad process personal data of persons. Only the
processing of data is permitted with consent of the individual, in the event of
an emergency medical situation, or when the state is delivering advantages to
Individuals have many rights in relation to personal data, including the
ability to request Corrections or gaining access to private companies' data. The
certain types of data processing, such as processing in the interest of national
security, processing for legal processes, and so on, are exempted under the
bill. It also makes it essential to keep a copy of data within India's borders.
Certain sensitive personal information must be kept entirely in India.
The bill specifies three exceptions in which data can be accessed without
- to provide individuals with the benefit of state services,
- to take legal action against individuals, and
- in the event of a medical emergency.
The requirements will also not apply to state-run investigation agency and
investigative journalists who have the required protections in place. For the
public order and security of nations, as well as to improve its services, the
government can request Non-Personal data from data fiduciaries at any moment
according to the bill as stated section 35.
The bill also tries to include the concept of "Data Sovereignty," which allows
the government to have access to crucial data if it believes it is necessary to
protect India's sovereignty and integrity or to prevent any cognizable offence
under section 2 of the Indian Penal Code. The bill aims to harmonise India's
data protection laws with European standards.
It has, however, drawn various
criticisms of its operation as well as the function of the government in it.
Like as quoted by Justice B.N. Srikrishna:
The Data Protection bill stands with
much more stringency than EU laid GDPR norms, provides the Centre with wide
powers with regards to the DPA and appointment of Adjudicating officers. It also
has many grey areas and undefined words like 'interest of sovereignty and
integrity of India', 'public order' that can potentially be exploited to create
an Orwellian State
The Data Principal must first notify the Data Fiduciary, who must then notify
the DPA if the Data Fiduciary is satisfied that the breach is likely to cause
harm to the DP. As a result, the Officers of Data Fiduciaries and
the Adjudicating officer will have a lot Authority in the face of this bill.
Section 20 as per the bill provides the Data Principal the "Right to be
Forgotten." However, he must demonstrate that his right or interest in blocking
or restricting continuous exposure of his personal data outweighs any other
citizen's right to freedom of speech and expression or right to information.
The bill contains a number of exceptions.. If it is required to prevent a
cognizable offence relating to the state's security, sovereignty and integrity,
friendly relations among states, or public order, the Central Government can
exclude any agency of the federal government Bill's provisions in writing.
Certain types of personal information, as an example that used for research,
statistics, and journalism, are also exempt. It also does not apply to personal
data processed by a natural person for personal or domestic purposes. However,
such information should not be used for commercial purposes.
Eventhough the bill provides a skeletal structure for data protection and seeks
to protect data, it contains some flaws. It requires data fiduciaries to collect
data in a fair and reasonable manner that respects the privacy of individuals
but it does not specify what constitutes a fair and relational conduct of
personal data processing, which could lead to fairness and reasonability
principles. This could result in fairness and reasonability principles varying
across data fiduciaries and processing similar types of data in the same
Data protection under foreign law
Other than India, many countries treat data protection as a distinct discipline.
They have well-crafted and well-established data protection legislation such as:
Analysis and Suggestions
- According to UNCTAD (United Nations Conference on Trade and Development),
107 countries (66 of which are developing economies) have enacted data and
privacy legislation. Data protection laws are becoming more common around the
world, and many of these laws have comprehensive guidelines-based frameworks.
- PIPEDA was enacted in Canada (The Personal Information Protection and
Electronic Documents Act). This entails that businesses that collect data during
the course of their business activities disclose the purpose of the data
collection to the data owners and obtain their consent before proceeding.
- CalOPPA (California Online Privacy Protection Act), enacted in 2004, set
a precedent in the United States by requiring websites to post privacy policies
that detail data collection and use. From the year 2020, a new law known as the
CCPA (California Consumer Privacy Act) will be enacted. It requires businesses
to notify users of data processing and to take extra precautions to protect user
- GDPR is one of the most popular stringent data protection laws in the
world (General Data Protection Regulation) in European Union. It is founded on
the principles of consent, transparency, protection, and user control, and it
could result in a fine of up to 4% of the company's annual revenue.
- Another piece of European Union legislation is the ePrivacy Directive and
Regulation, which requires websites to obtain user consent before launching
- In 2014, South Africa passed the POPI (Protection of Personal Information
Act), which establishes requirements for customer consent to direct marketing
outreach and sets standards for responsible data processing.
- In 2017, China passed a Cyber Security Law. It harmonises data protection
in China and aids in the protection of sensitive data held by Chinese citizens.
- Despite the fact that Australia's Privacy Act was enacted in 1988, it
has undergone significant revisions to make it better for citizens. It
establishes Information Privacy Principles (IPPs) for Australian citizens and regulates
government and private sector data collection.
- The Data Privacy Act of 2012 established data protection laws in the
Philippines. It applies to all businesses that handle personal information
about Filipino citizens and residents. It is based on the principle that all
data processing should be transparent, proportional, and for a legitimate
- Germany has a strict BDSG regime (Bundesdatenschutzgesetz). It
establishes strict guidelines that businesses must follow in order to adopt and
maintain data security measures in IT system.
- Argentine Republic completed the PDP (National Directorate of Personal
Data Protection) and raised the stakes for data privacy significantly. It gives
people the ability to request the deletion and transfer of their data for the
- As an outcome,, all of the world's major economies are enacting new data
protection and privacy rules and legislation to safeguard their citizens'
sensitive personal data. Which is how Intern is assisting in the creation of
a better, data-protected world.
Everyone feels the Data protection is required. laws all over the world. People
are concerned about the security of their personal information. This is why data
protection legislation is gaining graspness all over the globe. People are
working to get the government to pass newer data protection laws that will give
them more transparency and security over their personal sensitive data. The
Indian system is attempting to enact data protection laws, and a draught bill
has already been drafted; however, it is urgent that this bill be brought before
parliament and codifing it as soon as possible.
While we may enact laws across the country, it's also critical that the citizens
of the country are data aware
citizens who understand how their data is used
by many companies for monetary gain. With the advancement of technology, it will
be necessary to amend these data protection laws on a regular basis while
maintaining their rigidity. After reviewing laws from other countries, I believe
the European GDPR establishes a gold standard for data protection legislation.
It also imposes stiff penalties on businesses that fail to take the necessary
precautions to protect the personal data of its citizens. While a large number
of countries have enacted data protection and privacy legislation, many
countries around the world still lack legislation to protect their citizens'
personal data. It is unquestionably the right time for these countries to
draught and implement data protection legislation.
The current IT Act regulations are clearly insufficient for the people of India.
With such a large population, it is difficult to regulate all of the data
generated by citizens in India. In a world where data breaches occur on a daily
basis, India must provide security for the protection of its citizens' personal
sensitive data. It is critical that all stakeholders align their policies with
data protection requirements, encourage the adoption of privacy, and ensuring
that the protection of data authority is implemented effectively. Examine the
possibility of obtaining consent at the time of data collection.
The proper requirement for Indian law can be analysed by comparing it to the law
of developed countries. Data does not all have the same utility and importance;
it differs from one another based on utility. As a result, we must frame
separate categories of data with different utility values, as the United States
has done. Furthermore, the provisions of the IT Act primarily deal with data
extraction, destruction, and other related issues.
Companies were unable to obtain complete data protection through this method,
forcing them to enter into separate private contracts to keep their data safe.
These contracts are enforceable in the same way that a general contract is.
Despite the efforts of creating a law for the protection of Data as a separate
discipline, our legislature has leaves some kind of gaps in the bill of 2006.
The bill is based entirely on the framework of the UK Data Protection Act, as
the current requirement is for a comprehensive Act. As a result, it's possible
that a compiled drafting based on US data protection laws would be more
favourable to today's requirement.
With exponential increase in the manner of people consuming and generate data
around the world, data will become more valuable by the day. With data fueling
growth, it will be critical to safeguard citizens' data. Governments all around
the globe will have to adapt to rapidly changing technologies and amend or
develop new laws to protect people's sensitive personal data.
A concerted effort by the government and its data-savvy
improve the world's data
, making it more transparent and open to new policies and laws. Though
the concept of data protection is not new, the increasing trend of technological
dependence and use of personal data necessitates the creation of a new law to
deal with tracking and controlling technologically savvy individuals and organisations by establishing guidelines to prevent misuse of personal data.
People who use the internet to share data or transfer information for e-commerce
transactions or other forms of communication value their privacy and associate
it with personal freedom, and thus have the right to control data about them. To
meet the emerging challenges, every e-privacy organization's practises must be
benchmarked against national and international standards for privacy and fair
Although customers readily share personal information
when conducting online transactions or exchanging communications, it is the
responsibility of the State of monitoring and protect its citizens' interests.
Because there isn't any specific law in India dealing with protection of Data,
the courts consistently fail to protect the information shared with companies by
punishing them for breach of trust.
As a result, it is critical and urgent that the Protection of Personal Data Bill
2019, which is currently pending in parliament for approval and ascension by the
president, be passed and approved as soon as possible in order to protect
citizens' personal data from being misused.
- Survey conducted by Global digital population as of January 2021
- Hart said
- Defined under 2(1)(o) of the IT act.
- As defined by the digital locker authority
- Article 19(1)(a) Of the Indian Constitution
- Article 21 Of the Indian Constitution
- Article 21 Of the Indian Constitution
- M. P. Sharma and Ors. V Satish Chandra, District Magistrate, Delhi and Ors.
1954 AIR 300, 1954 SCR 1077
- R. Rajagopal and Anr. V State of Tamil Nadu 1995 AIR 264, 1994 SCC (6) 632
- Kharak Singh v State of U.P. and others 1963 AIR 1295, 1964 SCR (1) 332
- Maneka Gandhi v Union of India 1978 AIR 597, 1978 SCR (2) 621
- People's Union for Civil Liberties (PUCL) v Union of India AIR 1997 SC 568,
JT 1997 (1) SC 288, 1996 (9) SCALE 318, (1997) 1 SCC 301, 1996 Supp 10 SCR 321,
1997 (1) UJ 187 SC
- K. S. Puttaswamy (Retd.) v Union of India. (Civil) No 494 of 2012; (2017)
10 SCC 1; AIR 2017 SC 4161
- Shreya Singhal and Ors. v. Union of India AIR 2015 SC 1523
- K. S. Puttaswamy (Retd.) v Union of India. (Civil) No 494 of 2012; (2017)
10 SCC 1; AIR 2017 SC 416