Judicial Interpretation Of Data Protection And Privacy In India



This blog is written by Manjari Shukla from Symbiosis Law School, Noida. Edited by Ritika Sharma.



Modern times are taking the British mathematician Clive Humby’s quote, “Data is the new oil”, up a notch. Why? Because data is treated as a valuable asset, which can be monetized, traded, or invested in. Various services are also built on top of user data. It is the latest product to have taken the market by storm. The worth of user data has also opened the door to various illegal activities, made possible by the absence of a rigid legal framework. Most affected are countries like India, which missed the first and second Industrial Revolutions during the late 19th century, since it was being held as fodder for colonial industrialization, and missed the third because, being at the initial stage of independent growth, it could not afford economic policies conducive to technology and related innovations.

Where the idea of commodifying user data began, the idea of a user data breach began too. The transmission of private user details into the public domain gave rise to the idea of personal privacy. Privacy sits at the same table as the basic right to life and personal liberty. User information is closely intertwined with data privacy, and one does not freely exist at the cost of the other. As Edward Snowden, the American whistle-blower, put it, arguing that one does not care about the right to privacy because one has nothing to hide is similar to arguing that one does not care about freedom of speech because one has nothing to say.


As the world progresses, data, one of the most valuable assets in the world, has cast a dark shadow over users’ privacy. Information is the fuel driving the transformative innovations of the present, such as the Internet of Things, predictive statistics, artificial intelligence and various forms of automation, and it is furthermore a huge player in the advertising, smartphone and sales industries. People’s desires, buying preferences, political opinions, social opinions, sales choices, and every other such detail make up user data. It is broadly divided into two types: personal or private, and non-personal or general. Personal data constitutes the delicate private information that can reveal a person’s identity, and such details as can be used as leverage against that person or to breach that person’s security. Non-personal data, on the other hand, is any set of data which does not contain personally identifiable information: no individual or living person can be identified by looking at such data. Business conglomerates and e-commerce sites hinge their sales policies on consumer-centric data to increase their relevance manyfold.

Claims from 2018 about the Facebook–Cambridge Analytica data breach even suggest that user data can influence a country’s elections. IT cells affiliated with various political organizations procure user data to formulate community-centric advertisements and appeasements.


Unlike the European Union, which has most recently passed the General Data Protection Regulation that became enforceable with effect from 25th May, 2018, India has no dedicated law for data protection and privacy of individuals. The Information Technology Act, 2000 was formulated based on the United Nations Model Law on E-Commerce adopted by the United Nations Commission on International Trade Law on 30 January 1997 vide resolution A/RES/51/162, signifying the obligations of confidentiality through a plethora of laws. It lacked protection-related provisions and procedures to be followed to ensure the security of sensitive private user information. Consequently, the Information Technology Bill, 2006 was introduced in the Indian Parliament and later became the Information Technology (Amendment) Act, 2008, which inserted Sections 43A and 72A into the IT Act.

Section 43A of the IT Act explicitly provides that whenever a corporate body holds or deals with any delicate private data or information, and is neglectful in maintaining reasonable security to protect it, thereby causing wrongful loss or wrongful gain to any person, such body shall be liable to pay damages to the person or persons so affected.

Further, Section 72A provides for punishment for disclosure of information in breach of a lawful contract: any person making such a disclosure may be punished with imprisonment for a term not exceeding three years, or with a fine not exceeding five lakh rupees, or with both.

Thereafter, the Central Government, in the exercise of the powers conferred by clause (ob) of sub-section (2) of Section 87 read with Section 43A of the IT Act, 2000, notified the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. The main highlights of the 2011 Rules are as follows:

• The ‘Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011’ only apply to bodies corporate and persons located in India. This was clarified vide a press note dated August 24, 2011 issued by the ‘Ministry of Communication and Information Technology’, which stated that the 2011 Rules are applicable to a body corporate or any person located within India.

• ‘Rule 3’ of the 2011 Rules offers a list of items that are to be treated as “sensitive personal data”, and includes inter alia information relating to passwords, credit/debit card information, biometric information (such as ‘DNA’, ‘fingerprints’, ‘voice patterns’, etc. that are used for authentication purposes), physical, physiological and mental health condition, etc. It is further clarified that any information that is freely available or accessible in the public domain is not considered to be sensitive personal data.

• ‘Rule 4’ imposes a duty on Body Corporates seeking sensitive personal data to draft a privacy policy and make it easily accessible to the people who are providing the information. The ‘privacy policy’ should be clearly published on the website of the body corporate and should contain details on the type of information that is being collected, the purpose for which it has been collected, and the reasonable security practices that have been undertaken to maintain the privacy of such information.

• ‘Rule 5’ provides the guidelines that need to be followed by a Body Corporate while collecting information and imposes the following duties on the Body Corporate:

  1. Obtain consent from the person/persons providing information in writing, by fax or by e-mail before collecting such sensitive personal data. Vide the press note dated August 24, 2011 issued by the Ministry of Communication and Information Technology, it was clarified that consent includes consent given by any mode of electronic communication;
  2. Information shall not be collected unless it is for a lawful purpose, and is considered necessary for the purpose. The information collected shall be used only for the purpose for which it is collected and shall not be retained for a period longer than which is required;
  3. Ensure that the person/persons providing information are aware of the fact that the information is being collected, its purposes and recipients, and the names and addresses of the agencies retaining and collecting the information;
  4. Retain the information for no longer than is required for the purposes for which the information may lawfully be used or is otherwise required under any other law for the time being in force;
  5. Offer the person/ persons providing information an opportunity to review the information provided and make corrections if required;
  6. Before collection of the information, provide an option to the person/ persons providing information to not provide the information sought;
  7. Maintain the security of the information provided; and
  8. Designate a ‘Grievance Officer’, whose name and contact details should be on the website who shall be responsible to address grievances of information providers expeditiously. A maximum period of one month has been provided for the resolution of such grievances.

• ‘Rule 6’ states that a Body Corporate must necessarily seek prior permission of the information provider before disclosing such information to a third party. However, no prior permission is required if the request for such information is made by government agencies authorized under law or any other third party by an order under law.

• ‘Rule 8’ provides reasonable security practices and procedures that may be implemented by Body Corporates. The international standard IS/ISO/IEC 27001 is one such standard that can be implemented by a body corporate to maintain data security. It is relevant to note that an audit of reasonable security practices and procedures shall be carried out by an auditor at least once a year, or as and when the body corporate or a person on its behalf undertakes substantial upgradation of its process and computer resource.

A joint ‘Parliamentary Committee’ is currently considering the PDP Bill, and a revised draft of the PDP Bill is expected to be issued during 2020. The bill proposes to protect user information relating to the identity, characteristics, traits and attributes of a natural person, and “Sensitive Personal Data” such as financial data, health data, official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, and religious or political beliefs. It also provides for the creation of a Data Protection Authority of India, which will be responsible for protecting the interests of data principals, checking misuse of personal data and ensuring compliance with the new law.

The Right to Privacy, recognized as a fundamental right by the Supreme Court of India under Article 21, necessitates protection of personal data as an essential facet of informational privacy, says the draft Personal Data Protection Bill, 2018.


Justice K.S. Puttaswamy v. Union of India

In 2012, a retired High Court Judge filed a petition challenging the constitutional validity of Aadhaar, questioning whether it violated the established Right to Privacy.

A nine-judge bench of the Supreme Court of India passed a landmark judgment on 24th August 2017, upholding the fundamental right to privacy under Article 21 of the Constitution of India. It was also held that privacy is an integral component of Part III of the Indian Constitution, which lays down the fundamental rights of the citizens. The Supreme Court stated that the state must carefully balance individual privacy against the legitimate aim at any cost, as fundamental rights cannot be given or taken away by law, and all laws and acts must abide by the Constitution. The Court also declared that the right to privacy is not an absolute right and that any invasion of privacy by a state or non-state actor must satisfy the triple test, i.e.

1) Legitimate Aim

2) Proportionality

3) Legality

State of Maharashtra v. Bharat Shanti Lal Shah

In this case, the constitutionality of MCOCA was challenged before the Bombay High Court. Vide its judgment, the Bombay High Court struck down Sections 13-16 of the Act on the grounds of lack of legislative competence and Section 21(5) on the grounds of violation of Article 14 of the Constitution of India.

The High Court held that the State Legislature has no competence, as the Parliament alone has the power to make laws with respect to Entry 31 of List I of Schedule VII read with Article 246 of the Constitution, and that the Indian Telegraph Act was already holding the field on that point. Being aggrieved by the judgment of the Bombay High Court, the State of Maharashtra filed the present appeals.

The Supreme Court ruled that although interception of conversation constitutes an invasion of an individual’s right to privacy, that right can be curtailed in accordance with procedure validly established by law.

R. Rajagopal v. State of Tamil Nadu

The petitioners included the editor, associate editor, printer and publisher of a Tamil magazine, Nakkheeran. The respondents included the State of Tamil Nadu, the Inspector General of Prisons, and the Superintendent of Prisons. The petitioners sought to prohibit the respondents from interfering with the publication of an autobiography of a prisoner, Auto Shankar, in Nakkheeran. The Supreme Court held that the petitioners have a right to publish what they allege to be the life story/autobiography of Auto Shankar insofar as it appears from the public records, even without his consent or authorization. But if they go beyond that and publish his life story, they may be invading his right to privacy. The Constitution exhaustively enumerates the permissible grounds of restriction on the freedom of expression in Article 19(2); it would be quite difficult for courts to add privacy as one more ground for imposing reasonable restrictions.


Data is the new currency. It is considered the oil of the 21st century. With the dawn of the information age and mass digitalization, a huge amount of data has been generated. India, being the second-most populous country in the world, with the second-largest smartphone user base, is by extension one of the largest data markets in the world. In order to protect people’s privacy and make companies accountable, India needs a data protection law as soon as possible; it is fundamental, so that users can demand that domestic or foreign companies share their data when needed. This is not a technology problem, but a policy problem.

Instrumentally, a firm legal framework for data protection is the foundation on which data-driven innovation and entrepreneurship can flourish in India. Fostering such innovation and entrepreneurship is essential if India is to lead its citizens and the world into a digital future committed to empowerment, experiment, and equal access.

India lacks a coherent data protection law, which makes us more vulnerable. The government should thus frame a robust law to give people confidence that their private data will not be misused or used without their permission.

The B.N. Srikrishna Committee set up to look into the law is a much-appreciated step in this direction. The committee has now submitted its report as well. The government should take this forward with the utmost transparency and integrity in framing the law.

