Data Protection Laws in India: Their Evolution and Analysis
In today’s world, data holds immense value as most technology interactions, especially those on the internet, involve some sort of data exchange. This data can range from basic information about a movie to personal details about individuals. With the increasing amount of data being generated and processed daily, the need to protect it is also growing. Unfortunately, there have been numerous instances of data breaches, wherein large amounts of personal information have been leaked, violating people’s rights and exposing them to risks. It is crucial to address these risks quickly, and India’s legal framework must be strengthened in this regard. While the current framework does not offer robust protection to data, it can still be interpreted and used as a safeguard for the time being.
Despite the Supreme Court of India declaring the Right to Privacy as a Fundamental Right under Article 21 in 2017, there are still instances where privacy is violated through data leaks. In today’s world, where there are frequent online data breaches, data protection laws play a crucial role. The twenty-first century has witnessed a digital revolution, and India is no exception. Technology is crucial to a country’s development, and in the current scenario, we are heavily reliant on technology, making us vulnerable to data breaches. Third-party entities control a significant portion of our communication and privacy, posing an even greater risk. In the current digital landscape, nearly every activity involves some form of data exchange.
Purpose of Data Protection:
Section 2(o) of the IT Act of 2000 defines “data” as the physical representation of information that can be communicated, interpreted, or processed by humans or machines. “Data protection” refers to a set of laws, policies, and procedures that aim to safeguard individuals’ privacy by minimizing intrusion caused by the collection, storage, and dissemination of personal data. In India, despite the existence of various data protection laws, they seem to be insufficient in safeguarding individuals’ data, leading to a violation of constitutional rights, particularly the “Right to Privacy” guaranteed under Article 21 of The Constitution. The Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights (ICCPR) recognize “Privacy” as a fundamental right under Article 12 and Article 17, respectively. In a populous country like India, a data breach of this nature could have severe implications for both human and constitutional rights.
Data Protection Laws in India:
The Universal Declaration of Human Rights 1948 recognizes the Right to Privacy as a basic human right. In India, the IT Act, of 2000 is considered the most prominent act regarding Data protection.
- IT Act, 2000 – The IT Act is the primary law governing data protection in India. It provides a mechanism for justice in the event of a data breach by imposing penalties on the wrongdoer. Section 43 of the IT Act of 2000 addresses illegal access to and destruction of data, but only offers rudimentary protections against data protection violations in Section 43(b). Section 43(b) solely covers unauthorized access or harm to data on a computer system. However, the Information Technology (Amendment) Act of 2008 eliminated the ceiling on damages under Section 43, which used to be limited to one crore rupees, making them unliquidated. As a result, in certain circumstances, losses may be significantly higher than one crore rupees.
Under Section 43-A of the IT Act of 2008, a business that possesses, trades, or handles any sensitive personal data or information in a computer resource it owns, controls, or runs and causes unlawful loss or wrongful gain to any person may be held liable for failing to secure data. It must be demonstrated that the corporation failed to employ “reasonable security methods and procedures,” violating the liability requirements of this section. This provision also holds an intermediary accountable. Section 65 prohibits the intentional or knowing erasure, modification, or hiding of computer source code, while Section 66 provides protection against the loss, alteration, or destruction of personal data, but with unclear wording regarding the safeguarding of personal data. Both Sections 65 and 66 include criminal penalties of up to three years in prison or a fine of up to Rs 2, 00, 000. The IT Act contains various other sections that provide penalties for crimes described under the Act.
The IT Act of 2000 is outdated and contains several loopholes since it was enacted when India had little experience with the internet and technology. With the increasing need for data protection, there is a pressing need for new legislation to safeguard users’ data and prevent a loss of trust. The Data Protection Bill, 2021, was drafted and introduced in parliament, but it was ultimately rejected. Instead, a more comprehensive legal framework will be developed to address the present and future challenges of the digital ecosystem. The Data Protection Bill was first introduced in parliament in 2019 and underwent several modifications to include provisions for regulating social media and hardware companies, as well as elements on data localization and non-personal data. The primary objective of this legislation was to safeguard the digital privacy rights of India’s growing internet subscribers and nascent data economy.
- Indian Criminal Laws – Although data protection is not directly addressed by Indian criminal law, various provisions can be interpreted as data protection laws. Section 403 of the Indian Penal Code imposes a penalty on individuals who dishonestly misappropriate or convert “movable property” for their own use. Movable property refers to property that is neither linked to something nor land. While there is no established case law on this view, it could be argued that computer-related data and intellectual property fall under the category of movable property.
Furthermore, Section 405 of the Indian Penal Code deals with criminal breach of trust. According to this section, anyone who is entrusted with property or any dominion over property, dishonestly misappropriates or converts that property to their own use, or violates any direction of law or legal contract, commits a criminal breach of trust. Although these sections do not address data protection directly, they can be used to protect data and punish criminals. The language of these sections indicates that they were not originally intended for data protection, and their original purpose differs.
- Constitutional Law – The Indian Constitution provides implicit protection to data through Article 19, which recognizes the “Right to Privacy” as a fundamental right. Data breaches are considered a violation of citizens’ fundamental rights. The Supreme Court of India has recognized the Right to Privacy as a fundamental right in various cases. To comply with international human rights instruments such as the International Covenant on Civil and Political Rights, the International Covenant on Economic Social and Cultural Rights, and the Universal Declaration of Human Rights, the Indian Parliament has enacted several laws to protect acknowledged human rights. The Protection for Human Rights Act of 1993, for example, establishes a National and State Human Rights Commission and Human Rights Courts to provide greater human rights protection and deal with related or incidental issues.
- The Credit Information Company Regulation Act, 2005 – The Companies Act of 2005 mandates credit information companies, credit institutions, and specified users to process credit data with due diligence. Violation of this Act by any credit information company, credit institution, or specified user may result in punishment by the Reserve Bank of India. The Reserve Bank of India can be considered a data protection authority in the field of credit information based on this provision.
- Intellectual Property Rights Law Protection – In India, copyright protection is granted to all categories of computer software to prevent unauthorized copying and safeguard data from being used without permission. The Indian Copyright Act of 1957 prescribes mandatory penalties for copyright infringement based on the severity of the offence. It is important to note that computer programs themselves are not eligible for patent protection, except when they are combined with hardware.
In India and around the world, data leaks have occurred due to the vast amount of data held by service providers from various consumers. To increase transparency in the data collection and protection process, there should be more disclosure about the level of protection. Companies should also limit the amount of data they collect and allow consumers to modify or delete their data as desired.
The evolution of data protection laws in India has been a subject of increasing scrutiny and analysis. In the digital age, one of the significant concerns revolves around companies collecting vast amounts of data under the guise of creating databases, often leading to a breach of individual privacy. The widely debated case of WhatsApp and its data protection practices exemplifies the gravity of this issue. Furthermore, allegations of government collaboration with private companies for data collection have raised further questions about the extent of privacy infringement. Additionally, the prevalence of websites that gather personal information, monitoring users’ activities, preferences, and browsing history, has sparked crucial debates regarding the balance between convenience and safeguarding individual privacy. These multifaceted aspects shed light on the complex landscape of data protection laws in India and warrant a thorough analysis to ensure the safeguarding of individual privacy rights.
To effectively protect customer data, a new data protection law is necessary. India should learn from other countries successful data protection laws while developing its own. Current laws addressing data protection may not be sufficient since they were not originally intended for this purpose. With technology being the backbone of many developed and developing nations, protecting customer data is essential for both individual and national security.
In summary, the current state of Data Protection Laws in India is inadequate and requires revision. Although there are certain provisions, such as Fundamental Rights, Intellectual Property Laws, and IT Laws that can be interpreted to provide some protection for data, it is crucial to introduce new legislation that focuses specifically on data protection. As people’s dependence on data is increasing, it is becoming more essential to have better laws in place. Additionally, there have been increasing incidents of data breaches that put sensitive information at risk and violate the fundamental rights of people. Therefore, the need for new legislation is becoming more pressing. Until new laws are introduced, the existing laws can be interpreted to provide some protection.
- Constitution of India 1950, art. 21
- Justice K.S. Puttaswamy (Retd) v Union of India (2018) Writ Petition (Civil) No. 494/2012
- Information and Technology Act 2000, s 2(o)
- Mubashshir Sarshar, ‘Laws relating to Data Protection in India’ https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.864.2806&rep=rep1&type=pdf
- Akanksha Prakash, ‘What is the purpose of Data Protection law in India?’ (Business Today, 9 July 2021)
- Universal Declaration of Human Rights 1948, art. 12
- Information and Technology Act 2000, s 43
- Information and Technology Act 2000, s 43(b)
- Information Technology Act 2000, s 43
- Information and Technology (Amendment) Act 2008, s 43A
- Information and Technology Act 2000, s 65 & 66
- Indian Penal Code 1860, s 403
- Indian Penal Code 1860, s 22
- Indian Penal Code 1860, s 405
- Constitution of India 1950, art. 19
- Universal Declaration of Human Rights 1948, art. 12