Data Protection Laws in India

15 Apr 2016

Technology and e-commerce related problems have increased with the advance of technology in the recent past. In view of the increase in cyber crimes and data theft, and with India hosting the data outsourcing needs of many, an effective mechanism for dealing with these crimes is required.

Unlike the EU and many other countries, India does not have any separate law which exclusively deals with data protection. However, the courts have on numerous instances interpreted “data protection” within the ambit of the “Right to Privacy” as implicit in Articles 19 and 21 of the Constitution of India.

Further, Section 72A of the Information Technology Act, 2000 (Act) provides for ‘Punishment for disclosure of information in breach of lawful contract’, stating as follows: ‘Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person, shall be punished with imprisonment for a term which may extend to three years, or with fine which may extend to five lakh rupees, or with both.’

The sections mentioned above do not directly deal with data security. Later in 2011, after the enactment of the European Union’s stringent Data Protection Laws, the Government of India felt the need to implement such laws. Consequently, the Department of Information Technology notified the “Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011” (“Rules”) under section 43A of the Act (vide notification no. G.S.R. 313(E) of 13 April 2011).

As per Rule 3 of the Rules, sensitive personal data² or information³ of a person (hereinafter referred to as “Sensitive Personal Data”) means such personal information which consists of information relating to:


(i) password;
(ii) financial information such as Bank account or credit card or debit card or other payment instrument details;
(iii) physical, physiological and mental health condition;
(iv) sexual orientation;
(v) medical records and history;
(vi) Biometric information;
(vii) any detail relating to the above clauses as provided to body corporate for providing service;
(viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.

As per Rule 4 of the Rules, the Body Corporate or any person who on behalf of the Body Corporate collects, receives, possesses, stores, deals or handles Sensitive Personal Data is required to provide a privacy policy for handling of or dealing in the said Sensitive Personal Data, and is required to ensure that the policy is available for view by the providers of Sensitive Personal Data who have provided such information under lawful contract. Such policy is required to be published on the website of the Body Corporate or any person on its behalf and provide for: (i) clear and easily accessible statements of its practices and policies; (ii) type of Sensitive Personal Data collected under Rule 3.

As per Rule 5(1), the Body Corporate or any person on its behalf shall obtain consent in writing through letter or Fax or email from the provider of Sensitive Personal Data regarding purpose of usage before collection of such information.

Further, Rule 5(2) of the Rules provides that the Body Corporate or any person on its behalf shall not collect Sensitive Personal Data unless:

(a) the information is collected for a lawful purpose connected with a function or activity of the Body Corporate or any person on its behalf; and
(b) the collection of the Sensitive Personal Data is considered necessary for that purpose.

As per Rule 5(3) of the Rules, while collecting information directly from the person concerned, the Body Corporate or any person on its behalf is required to take such steps as are, in the circumstances, reasonable to ensure that the person concerned has knowledge of:
(a) the fact that the information is being collected;
(b) the purpose for which the information is being collected;
(c) the intended recipients of the information; and
(d) the name and address of:
(i) the agency that is collecting the information; and
(ii) the agency that will retain the information.

Rule 5(4) states that Body Corporate or any person on its behalf holding Sensitive Personal Data shall not retain that information for longer than is required for the purposes for which the information may lawfully be used or is otherwise required under any other law for the time being in force.

Rule 5(7) of the Rules provides that the Body Corporate shall, prior to the collection of information including Sensitive Personal Data, provide an option to the provider of Sensitive Personal Data not to provide the Sensitive Personal Data sought to be collected. The provider of Sensitive Personal Data shall, at any time while availing the services or otherwise, also have an option to withdraw its consent given earlier to the Body Corporate.

As per Rule 6 of the Rules disclosure of Sensitive Personal Data by Body Corporate to any third party requires prior permission from the provider of such information, who has provided such information under lawful contract or otherwise, unless such disclosure has been agreed to in the contract between the Body Corporate and provider of information.

As per Rule 6(3) of the Rules the Body Corporate or any person on its behalf shall not publish the Sensitive Personal Data. Under Rule 6(4) the third party receiving the Sensitive Personal Data from Body Corporate or any person on its behalf shall not disclose it further.

As per Rule 7 of the Rules a Body Corporate or any person on its behalf may transfer Sensitive Personal Data, to any other Body Corporate or a person in India, or located in any other country, that ensures the same level of data protection that is adhered to by the Body Corporate as provided for under the Rules.


As per Rule 8(1) of the Rules Body Corporate is required to have in place not only appropriate technical and organizational measures, but also have a comprehensive documented information security programme and information security policies that contain (in addition to technical and organizational measures) managerial, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business.

Therefore, we can say that vide the aforesaid Rules the legislature has attempted to restrict illegal and harmful use of the personal data by the Body Corporates. They may further attempt to review Government policies and make them in accordance with the new standards created by the Rules. Under the Rules Government Agencies are exempt from obtaining such consent from individuals.

As mentioned above, India is yet to pass effective and concrete legislations for data protection. A new legislation dealing specifically with the protection of data and information present on the web is the dire need of the day. However, while drafting the laws, the legislature has to be cautious of maintaining a balance between the interests of the common public and tightening its grip on the increasing rate of cyber

1 As per Explanation (i) of Section 43A of the Act ‘Body Corporate’ means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities.

2 Under Clause 2(o) of the Act “data” is defined to mean a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer.
3 Under Clause 2(v) of the Act “information” includes data, text, images, sound, voice, codes, computer programmes, software and databases or micro film or computer generated micro fiche.


© 2023 Alliance of Business Lawyers. All rights reserved.
