Sie sind auf Seite 1von 12


India, being one of the largest telecommunication sector and the outsourcing industry, the
demand for the data protection increases every other day. The crimes relating to the computer
data is very high as the internet does not create any barrier with regard to the physical
boundaries. The computer data is facing a lot more resentment due to absence of proper
legislative framework.
Data Protection refers to the set of privacy laws, policies and procedures that aim to minimize
intrusion into ones privacy caused by the collection, storage and dissemination of personal data.
Personal data generally refers to the information or data which relate to a person who can be
identified from that information or data whether collected by any Government or any private
organization or an agency.

In the current scenario, the data protection can be achieved through privacy rights in Indian
Constitution and the Information Technology Act as well as through property rights in Copyright
Act, 1957; Indian Contract Act, 1872 and the Indian Penal Code, 1860.


The Indian Constitution do not expressly grants the right to privacy but this can be inferred under
Article 19 (Freedom of Speech and Expression); Article 21 (Right to Life and Personal Liberty)
and Article 14 (Equality and Equal Protection of laws). But these rights are subject to reasonable
restrictions given under Article 19(2) which can be imposed by the State.
Judicial Activism has brought right to privacy within Article 21 which talks about Right to Life
and Personal Liberty. Article 21 provides that no person shall be deprived of his life or personal
liberty except according to procedures established by law. On the basis of this provision, the
Supreme Court observed that those who feel called upon to deprive other persons of their
personal liberty in the discharge of what they conceive to be their duty must strictly and
scrupulously observe the forms and rules of the law.
The Supreme Court in Kharak Singh v State of UP
observed that the right to privacy is an
essential ingredient of life and personal liberty. Similary PUCL v Union of India
the Court
observed that privacy is a part of life and personal liberty as enshrined in Article 21 and the said
right cannot be curtailed except by the procedure established by law. In Gobind v State of MP

the Supreme Court observed that privacy-dignity claims deserve to be examined with care and
to be denied only when an important countervailing interest is shown to be superior. If the Court
does find that a claimed right is entitled to protection as a fundamental privacy right, a law
infringing it must satisfy the compelling State interest test.
The court however ruled in Malak singh v State of P & H
, that while exercising surveillance
over reputed bad characters, habitual offenders, and potential offenders the police should not
encroach upon the privacy of a citizen so as to offend his rights under Article 21 and Article 19
(1) (d). Similarly, in Pooran Mal v Director of Inspection (Investigation) of Income Tax, New
Delhi held that evidence collected by an illegal search cannot be excluded on ground of invasion
of privacy because there is no specific fundamental right to privacy. This decision given by
Supreme Court weakens the right to privacy because it allows the public authorities to obtain

AIR 1963 SC 1295
(1997) 1 SCC 301
(1975) 2 SCC 148
AIR 1981 SC760,

evidence illegally. In V.S Kuttan Pillai v Ramakrishnan
, the court held that general warrant for
searching and seizing listed documents would not entail invasion of privacy even if the search
did not yield any result because of counter availing state interests.
It has been held in State of Punjab v. Baldev Singh
that for a search of a person the safeguards
provided Sec. 50 of the Code of Criminal Procedure are mandatorily to be followed. The
invasion of a person has been given a protection through insistence on a procedural safeguard but
the court has not ruled that evidence obtained in breach of Sec. 50 safeguards would be
impermissible evidence.
In R. Rajagopal v State of Tamil Nadu, the Court held that the petitioners have a right to publish
what they allege to be the lifestory/ autobiography of Auto Shankar insofar as it appears from the
public records, even without his consent or authorization. But if they go beyond that and publish
his life story, they may be invading his right to privacy, then they will be liable for the
consequences in accordance with law. Similarly, the State or its officials cannot prevent or
restraint the said publication. It stated that A citizen has a right to safeguard the privacy of his
own, his family, marriage, procreation, motherhood, child bearing and education among other
matters. None can publish anything concerning the above matters without his consent- whether
truthful or otherwise and whether laudatory or critical. If he does so, he would be violating the
right to privacy of the person concerned and would be liable in an action for damages.
In case of Peoples Union for Civil Liberties (PUCL) v. Union of India
right to privacy of an
electoral candidate was held not violated by publications of details of his criminal antecedents
and/or his assets and liabilities. The right to be informed of the electorate was held superior to
candidates desire for secrecy.
It has been held that a doctors disclosure of a persons incurable physical ailment (HIV) to the
relatives of the one to whom he was to get married was not violative of right to privacy. Doctor-
patient relationship, though basically commercial, is professionally; a matter of confidence and,
therefore, doctors are morally and ethically bound to maintain confidentiality. In such a situation,
public disclosure of even true private facts may amount to an invasion of the Right of Privacy

AIR 1980 SC 185
AIR 1999 SC 2378
AIR 2003 SC 2363

which may sometimes lead to the clash of one person's "right to be let alone" with another
person's right to be informed.

It was held that in divorce proceedings an order to undergo medical examination on strong
grounds of necessity to establish a contention was held not invasive of right to privacy. Public
policy requirements was permitted to prevail over private interests.

In District Registrar and Collector v. Canara Bank
, the court struck down Sec. 73 of the Indian
Stamp Act, 1899 as amended by the Andhra Pradesh Act (17 0f 1986) as permitting an
overbroad invasion of private premises or the homes of persons in possession of documents in a
power of search as seizure without guidelines as to who and when and for what reasons can be
empowered to search and seize, and impound the documents. The court, however held that no
right to privacy could be available for any matter which is part of public records including court
Three inferences can be drawn from the above decision which is as follows:
Right to privacy exists and the unlawful invasion is punishable
Constitutional recognition exists for right to privacy
Right to privacy is not an absolute right.

X v. Hospital Z AIR 1999 SC 495
Sharda v. Dharmpal, AIR 2003 SC 3450
(2005)1 SCC 496

The Chapter IX and XI of the Information Technology Act, 2000 provides for contraventions to
unauthorized access to computer, computer system, computer network or resources, unauthorised
alteration, deletion, addition, modification, alteration, destruction, duplication or transmission of
data, computer database, etc.

Section 43 of the IT Act, imposes a penalty of INR 10 million inter alia, for downloading data
without consent. The same penalty would be imposed upon a person who, inter alia, introduces
or causes to be introduced any computer contaminant or computer virus into any computer,
computer system or computer network.
Section 65 of the IT Act lays down that whoever knowingly or intentionally conceals, destroys,
or alters any computer source code used for a computer, computer programme, computer system
or computer network, when the computer source code is required to be kept or maintained by law
for the time being in force, shall be punishable with imprisonment up to three years, or with fine
which may extend up to INR 200,000, or with both.
Earlier, the IT Act under Section 66 defined the term hacking and provided penalty for the
same. However, the term "hacking" has now been deleted by the introduction of the IT
Amendment Act, 2008. The substituted Section 66 now reads as If any person, dishonestly or
fraudulently does any act referred to in Section 43, he shall be punishable with imprisonment for
a term which may extend to three years or with fine which may extend to five lakh rupees or
with both.
Section 72 of the Act penalizes persons who have been given powers under the Act for breach of
privacy and confidentiality. The Act reads as under:
Any person who, in pursuance of any of the powers conferred under this Act, rules or regulations
made thereunder, has secured access to any electronic record, book, register, correspondence,
information, document or other material without the consent of the person concerned discloses
such electronic record book, register, correspondence, information, document or other material to


any other person shall be punished with imprisonment for a term which may extend to two years,
or with fine which may extend to one lakh rupees, or with both.
This is the only Section requiring the consent of the concerned person but, given its limited
scope, it would be difficult to consider that it could provide a sufficient level of personal data

The Information Technology (Amendment) Act, 2008 has included provisions relating to the
issue of data protection. Section 43-A of the Act deals with compensation for negligence in
implementing and maintaining reasonable security practices and procedures in relation to
sensitive personal data or information.
The provision runs as follows:
Where a body corporate, possessing, dealing or handling any sensitive personal data or
information in a computer resource which it owns, controls or operates, is negligent in
implementing and maintaining reasonable security practices and procedures and thereby causes
wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages
by way of compensation, to the person so affected.
Section 72-A as introduced through the Information Technology (Amendment) Act, 2008
provides for the punishment for disclosure of information in breach of lawful contract.
Moreover, section 75 of the Act talks about extra- territorial jurisdiction. According to this
Section, the provisions of the IT Act shall apply to any offence or contravention committed by
any person irrespective of his nationality, provided the act or conduct constituting the offence or
contravention involves a computer, computer system or computer network in India.
Section 75 of the Act, addresses the issue of cyber crimes and not data protection. While when
having a look at section 43A and 72A, it can be understood that the provisions do not talk about
the territorial application. Thus, it can be easily concluded that when the sata is being transmitted
outside India no protection as such is available.


The provisions purportedly for data protection juts out as an ugly patch work on the
Information Technology Act and does not offer any comprehensive protection to personal data in

The Information Technology Amendment Act, 2008 has set the ball rolling in addressing the
lacuna of data protection laws in the country.
But the above provisions do not meet the demand
of data protection in present India. The Amendment Act does not confer extra-territorial
jurisdiction in relation to data protection as compared to Data Protection Act of UK as well as
HIPPA (Health Insurance Portability And Accountability Act Of 1996) in US.
Moreover, the Information Technology Act, 2000 is a general legislation with the objective of
legal recognition of transactions through electronic means and electronic filing of documents
with the Government Agencies and notDATA PROTECTION legislation. Thus, it deals with
protection of data in a piecemeal fashion


Article 300A provides that no person shall be deprived from his right to property except by the
authority of law. But the main thing is that it can only be claimed against the state or against the
entity of the state, so to avail this section one has to prove that the entity (if that is a person that
he cannot be counted as an entity, it is only if the violation is done by some company or bank
and that too if government owed) is one of government.

The Copyright Act, 1957 defines literary work under section 2(o) as follows:
literary work includes computer programmes, tables and compilations including computer
Moreover, Section 63B states that any person who knowingly make use of an infringing copy of
a computer programme shall be punishable with imprisonment which shall not be less than seven
days but which may extend to three years and fine which shall not be less than fifty thousand
rupees but which may extend to two lakh rupees.
It is important to note that the Copyright Act, 1957 protects computer databases and not data.
However, it is difficult to bring out the difference between the database protection and data
protection. The database protection includes computer database stored on tape, disk or other
electronic means, would generally be a compilation and capable of protection as a literary work.
But data protection is aimed at protecting the informational privacy of individuals.

Similarly, Indian Penal Code, 1860 does not expressly provides a specific provision for data
protection but can be used effectively for data theft. The punishment relating to theft and
misappropriation are applicable to computer databases as they are moveable property.
An alternative solution has also been provided by the Indian Contract Act, 1872. When a party is
guilty of breach of contract, the party committing breach of contract is liable to pay
compensation for loss or damage caused to the other party and the other party may claim specific
performance of the contract against the party in default. Thus, the companies may include
clauses relating to data protection and their privacy in their contracts.


As per Credit Information and Company Regulation Act, 2005, the credit information of the
individuals has to be collected as per the privacy norms. This is the first Act which defines
personal data and provides for security. The scope of this Act does not cover whole of data
Further even under the common law, the right privacy of individuals was recognised. If the
information has the necessary quality of confidence or it was imparted in the circumstances
that imported an obligation of confidence. Now, the conversion with a lawyer or a doctor will be
considered to have this quality of confidence, but a general conversation with a friend will not.


In India, the efforts at complying with the demands of adhering to privacy laws have originated
mainly from the private sector rather than the Government. In the absence of a specific
legislation, the Indian software and outsourcing industry has been taking initiatives on its own
that would provide comfort to the foreign clients and vendors.
The National Association of Service & Software Companies (NASSCOM) is India's national
information technology trade group and has been the driving force behind many private sector
efforts to improve data security. For example, NASSCOM has created a National Skills Registry
which is a centralized database of employees of the IT services and BPO companies. This
database is for verification (with independent background checks) of the human resources within
the industry. Further, a self regulatory organisation has been launched which will establish,
monitor and enforce privacy and data protection standards for Indias business process
outsourcing (BPO) industry. The organisation has already completed its initial round of
funding and the final rollout phase including industry membership is underway.
Further, due to absence of any specific legislation on data protection BPOs have included self-
regulatory bye-laws for data protection such as ISO 17799 standards to standardize the security
of information. In addition, many of the BPOs are having certifications which comply with the
Sarbanes Oxley Act, the Safe Harbor Act, the Gramm Leach Bliley Act for financial services, the
Fair Debt Collection Practices Act for banking and the Healthcare Insurance Portability and
Accountability Act for healthcare.


If we compare the present stage of data processing laws in India with the countries of Europe and
USA then we find that these countries are far ahead of India in this respect. Those countries have
particular and comprehensive laws relating to data protection and privacy. There is one another
thing which is to be noted that different type of data should be divided into different categories
as per the utility and importance of data. So, we are required to frame a scheme that should be
based on the categorical division of data as like USA, and even in the UK, although there is no
such categorical division but still some type of data is defined as sensitive data; for the disclosure
of this sensitive data. The provisions of the IT Act are basically or the destruction/extraction of
data, there is great lack of comprehensive guidelines in this regard and the companies are
required to rely on their private contracts, which process is in itself complex lengthy. There are
no special provisions related to the privacy of an individual, only sec 72 deals with the violation
of privacy, and that is confined only to those persons on whom the power is conferred by this act.
Although there is one proposed Data Protection Bill, 2013 which deals with the collection use
and disclosure of the personal data. Some of the provisions are taken from the European
Directive on the Data Protection. In the act no category wise division of data was made, in this
regard we have to take inspiration from US laws.
So, a comprehensive data protection law is the need of the hour in India, although to follow the
foreign law of either UK or USA in totality will not be a good option. We have to divide
different type of data into different categories and then different degrees of protection should be
provided to different type of data. But that should be contained in one act, not in different
scattered pieces of legislation. We also required to prepare practical guidelines that what type of
personal data can be provided to others in specific circumstances, and what should not so there
may not be complexities as like in the case of UK. If we go for the enactment of a
comprehensive data protection laws then it would reduce the instances of data theft and more and
more foreign companies and firms would be interested in growing their business in India; it
would work like a boom to the sector of Information Technology in India.