Need for Fast Track Implementation of Data Protection Law in India


April 20, 2020


As on date, India does not have a privacy law, but a personal data protection bill is pending before the Lok Sabha. It is India’s first attempt at regulating how the personal digital data of citizens can be used by the government or any third party.

Of late, the Government of India has trained its sights on Zoom and apps like TikTok, among others. It has therefore become very important for India to implement a full-fledged Data Protection Law on a fast-track basis. Until then, the following is the current regulatory overview, which exists more in bits and pieces, for the collection and processing of data under Indian laws.

As stated above, India has not yet enacted any specific legislation on data protection. However, the Indian legislature did amend the Information Technology Act, 2000 (“IT Act”) to include Section 43A and Section 72A, which give a right to compensation for improper disclosure of personal information.

It may be noted that Rule 6 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“Data Rules”) inter alia lays down that disclosure of “sensitive personal data or information” (“SPDI”) by a body corporate to any third party shall require prior permission from such person who has provided the information, unless such disclosure has been agreed to in the contract between the body corporate and provider of information, or where the disclosure is necessary for compliance with a legal obligation.

Sensitive personal data or information of a person under SPDI means “such personal information which consists of information relating to (i) password; (ii) financial information such as Bank account or credit card or debit card or other payment instrument details; (iii) physical, physiological and mental health condition; (iv) sexual orientation; (v) medical records and history; (vi) Biometric information; (vii) any detail relating to the above clauses as provided to body corporate for providing service; and (viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise”.

The collector needs to evaluate whether it collects any information that falls under the category of ‘sensitive personal data or information’. If, as part of the registration process or for the provision of services, the collector does collect ‘sensitive personal data or information’, then it needs to obtain the prior consent of the users and ensure the following:

  • A privacy policy is in place in accordance with the parameters set out in the Data Rules.
  • An opt-out option is provided to the provider of SPDI.
  • Reasonable security practices and procedures are maintained in accordance with the requirements of the Data Rules.

Further, personal data is also protected through indirect safeguards developed by the courts under common law, principles of equity and the law of breach of confidence. The Supreme Court of India has recognised in a judgment the right to privacy as a fundamental right under Article 21 of the Constitution as a part of the right to “life” and “personal liberty”. Fundamental rights are enforceable only against the state and instrumentalities of the state, and the Supreme Court in the same judgment recognised that enforcing the right to privacy against private entities may require legislative intervention.

The IT Act also deals with the concept of violation of privacy in a limited sense; it provides that the privacy of a person is deemed to be violated where images of her private body areas are captured, published or transmitted without her consent in circumstances where she would have had a reasonable expectation of privacy and prescribes a punishment of imprisonment of up to 3 years and/or fine of up to INR 2.00 lakhs.

Further, in India, the Consumer Protection Act, 1986 (“CPA”) governs the relationship between consumers and service/goods providers. There is no separate consumer protection law that is specific to and regulates online transactions. Liability under the CPA arises when there is “deficiency in service” or “defect in goods” or occurrence of “unfair trade practice”. The CPA specifically excludes from its ambit the rendering of any service that is free of charge.

The data protection bill seeks to provide for the protection of personal data. Chapter 6 of the Bill contains measures relating to transparency in the processing of personal data and the security safeguards that companies would have to undertake while processing personal data. The Bill also requires companies to obtain the consent of users before processing their personal data and gives users the right to withdraw consent, update or erase their data. The bill, once implemented.

Reportedly, Zoom's sharing of data with Facebook without explicit notice reflects a deeper problem of accountability within the data protection space. There are no laws, and where laws do exist in bits and pieces as stated above, they are near impossible to enforce and monitor. This should serve as a warning sign of such practices, and India should implement a full-fledged Data Protection Law with proper safeguards, consent mechanisms and a robust mechanism for liability and penalization.

Author: Prashant Jain, Co-Founder & Partner.

Disclaimer: The content of this article is intended to provide a general guide to the subject matter. For any queries, the author can be reached at

Updated as on April 20, 2020
