Data protection refers to a set of privacy laws, rules, and processes aimed at limiting the amount of personal data collected, stored, and disseminated that intrudes on one’s privacy. Personal data is information or data on a person who can be identified from such information or data, regardless of whether it is gathered by the government, a private entity, or an individual.
India’s Constitution does not expressly recognise the right to privacy as a basic right. However, the courts have incorporated the right to privacy into other existing fundamental rights, such as freedom of speech and expression under Article 19(1)(a) of the Indian Constitution and the right to life and personal liberty under Article 21. However, these Fundamental Rights under the Indian Constitution are subject to justifiable constraints imposed by the state under Art 19(2) of the Constitution. The constitution bench of the Hon’ble Supreme Court recently ruled in the landmark case of Justice K S Puttaswamy (Retd.) & Anr. vs. Union of India and Ors. that the right to privacy is a fundamental right, subject to certification.
There is currently no explicit legislation in India addressing data protection or privacy. The Information Technology Act of 2000 and the (Indian) Contract Act of 1872 are the important data protection regulations in India. In India, a codified data protection law is expected to be enacted in the near future. The (Indian) Information Technology Act, 2000 addresses concerns such as civil compensation and criminal penalties for improper disclosure and misuse of personal data, as well as breaches of contractual agreements relating to personal data.
The Government has notified the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. The Rules deal only with the protection of “sensitive personal data or information of a person”, which is personal information relating to:
- Financial information such as bank account or credit card or debit card or other payment instrument details;
- Physical, physiological and mental health condition;
- Sexual orientation;
- Medical records and history;
- Biometric information.
The Rules prescribe the reasonable security practices and procedures that a body corporate, or any individual collecting, receiving, possessing, storing, dealing with or handling information on its behalf, must follow when dealing with sensitive personal data or information. In the event of a breach, the body corporate or any other person acting on its behalf will be held liable.
Under section 72A of the (Indian) Information Technology Act, 2000, disclosure of information, knowingly and intentionally, without the consent of the person concerned and in breach of a lawful contract has also been made punishable with imprisonment for a term extending to three years and a fine extending to Rs 5,00,000.
It is to be noted that s 69 of the Act, which is an exception to the general rule of maintenance of privacy and secrecy of the information, provides that where the Government is satisfied that it is necessary in the interest of:
- the sovereignty or integrity of India,
- defence of India,
- security of the State,
- friendly relations with foreign States or
- public order or
- for preventing incitement to the commission of any cognizable offence relating to above or
- for investigation of any offence,
it may, by order, direct any agency of the Government to intercept, monitor or decrypt, or cause to be intercepted, monitored or decrypted, any information generated, transmitted, received or stored in any computer resource. This clause gives the Government the authority to intercept, monitor or decrypt any information, including personal information, in any computer resource.
Where the information is such that it ought to be divulged in public interest, the Government may require disclosure of such information. Information relating to anti-national activities which are against national security, breaches of the law or statutory duty or fraud may come under this category.
Information Technology Act, 2000
The Information Technology Act of 2000 (hereinafter referred to as the “IT Act”) is a law that establishes legal recognition for transactions involving electronic data interchange and other forms of electronic communication, which are commonly referred to as “electronic commerce,” and which involve the use of non-paper-based methods of communication and information storage to facilitate electronic commerce.
Under section 69 of the IT Act, any person authorised by the Government, or any of its officers specially authorised by the Government, if satisfied that it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence relating to the above, or for the investigation of any offence, may, for reasons to be recorded in writing, by order direct any agency of the Government to intercept, monitor or decrypt, or cause to be intercepted, monitored or decrypted, any information generated, transmitted, received or stored in any computer resource. The scope of section 69 of the IT Act thus covers both interception and monitoring, along with decryption, for the purpose of investigating cyber-crimes. The Government has also notified the Information Technology (Procedures and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, under the above section.
Penalty for Damage to Computer, Computer Systems, etc. under the IT Act:
Section 43 of the IT Act imposes a penalty, without prescribing any upper limit, on any person who does any of the following acts in relation to a computer, computer system or computer network:
1. accesses or secures access to such computer, computer system or computer network;
2. downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium;
3. introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network;
4. damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programmes residing in such computer, computer system or computer network;
5. disrupts or causes disruption of any computer, computer system or computer network;
6. denies or causes the denial of access to any person authorised to access any computer, computer system or computer network by any means;
7. provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made thereunder;
8. charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network;
9. destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means;
10. steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage.
Such a person shall be liable to pay damages by way of compensation to the person so affected.
Section 65 of the IT Act states that anyone who knowingly or intentionally conceals, destroys or alters any computer source code used for a computer, computer programme, computer system or computer network, when the computer source code is required to be kept or maintained by law for the time being in force, faces up to three years in prison or a fine of up to Rs 2,00,000, or both.
Section 66 provides that if any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with a fine which may extend to Rs 5,00,000 (approx. US$ 8,000), or with both.
Section 72 of the IT Act provides the penalty for breach of confidentiality and privacy. The section provides that any person who, in pursuance of any of the powers conferred under the IT Act or the Rules or Regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material and, without the consent of the person concerned, discloses such material to any other person, shall be punishable with imprisonment for a term which may extend to two years, or with a fine which may extend to Rs 1,00,000 (approx. US$ 3,000), or with both.
Amendments as introduced by the IT Amendment Act, 2008
Section 10A was inserted in the IT Act which deals with the validity of contracts formed through electronic means which lays down that contracts formed through electronic means “shall not be deemed to be unenforceable solely on the ground that such electronic form or means was used for that purpose”.
The following important sections have been substituted and inserted by the IT Amendment Act, 2008:
1. Section 43A – Compensation for failure to protect data.
2. Section 66 – Computer Related Offences
3. Section 66A – Punishment for sending offensive messages through communication service, etc. (This provision had been struck down by the Hon’ble Supreme Court as unconstitutional on 24th March 2015 in Shreya Singhal vs. Union of India)
4. Section 66B – Punishment for dishonestly receiving stolen computer resource or communication device.
5. Section 66C – Punishment for identity theft.
6. Section 66D – Punishment for cheating by personation by using computer resource.
7. Section 66E – Punishment for violation of privacy.
8. Section 66F – Punishment for cyber terrorism.
9. Section 67 – Punishment for publishing or transmitting obscene material in electronic form.
10. Section 67A – Punishment for publishing or transmitting of material containing sexually explicit act, etc, in electronic form.
11. Section 67B – Punishment for publishing or transmitting of material depicting children in sexually explicit act, etc, in electronic form.
12. Section 67C – Preservation and Retention of information by intermediaries.
13. Section 69 – Powers to issue directions for interception or monitoring or decryption of any information through any computer resource.
14. Section 69A – Power to issue directions for blocking for public access of any information through any computer resource.
15. Section 69B – Power to authorize to monitor and collect traffic data or information through any computer resource for cyber security.
16. Section 72A – Punishment for disclosure of information in breach of lawful contract.
17. Section 79 – Exemption from liability of intermediary in certain cases.
18. Section 84A – Modes or methods for encryption.
19. Section 84B – Punishment for abetment of offences.
20. Section 84C – Punishment for attempt to commit offences.
On 2nd September, 2020, the Ministry of Electronics and Information Technology (MEITY), Government of India invoking its power under section 69A of the Information Technology Act read with the relevant provisions of the Information Technology (Procedure and Safeguards for Blocking of Access of Information by Public) Rules 2009 and in view of the emergent nature of threats, blocked 118 mobile apps. As per the notification issued by MEITY, these apps were engaged in activities which are prejudicial to sovereignty and integrity of India, defence of India, security of State and public order. Further, MEITY had received many complaints from various sources including several reports about misuse of some mobile apps available on Android and iOS platforms for stealing and surreptitiously transmitting users’ data in an unauthorized manner to servers which have locations outside India. The compilation of this data, its mining and profiling by elements hostile to national security and defence of India, which ultimately impinges upon the sovereignty and integrity of India, is a matter of very deep and immediate concern which required emergency measures. This move by MEITY was to safeguard the interests of crores of Indian mobile and internet users. This decision is a targeted move to ensure safety, security and sovereignty of Indian cyberspace.
As per a report published by Statista, presently there are nearly 700 million internet users in India. This figure is projected to grow to over 974 million users by 2025. In fact, India was ranked as the second largest online market worldwide in 2019, coming second only to China.
The Personal Data Protection Bill, 2019
After the Supreme Court’s landmark judgment in the Justice KS Puttaswamy case, which held that privacy is a constitutional right, the MEITY formed a 10-member committee led by retired Supreme Court judge B.N. Srikrishna to make recommendations for a draft Bill on the protection of personal data. After working on it for a year, the committee submitted its report titled “A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians” along with the draft bill on personal data protection. The revised Personal Data Protection Bill, 2019 (Bill) was introduced by Mr. Ravi Shankar Prasad, Minister for Electronics and Information Technology, in the Lok Sabha on December 11, 2019. Currently, the Bill is being examined by a 30-member Joint Parliamentary Committee (JPC), which has been asked to present its report in the winter session of Parliament in December 2020.
The salient features of the Bill
After the ban of the Chinese apps, an individual would naturally be concerned whether the personal data already collected about them is secure. An individual would want to know what safeguards and norms the Bill imposes on the collection and processing of data, as well as on the cross-border transfer of such data:
1. Application of the Act to processing of personal data – The Bill governs the processing of personal data where such data has been collected, disclosed, shared or otherwise processed within the territory of India by:
i. Government, any Indian company, any citizen of India or any person or body of persons incorporated or created under Indian law;
ii. Data fiduciaries or data processors not present within the territory of India, if such processing is— (a) in connection with any business carried on in India, or any systematic activity of offering goods or services to data principals within the territory of India; or (b) in connection with any activity which involves profiling of data principals within the territory of India.
iii. However, it will not apply to anonymised data. Anonymisation in relation to personal data, means such irreversible process of transforming or converting personal data to a form in which a data principal cannot be identified, which meets the standards of irreversibility specified by the Authority; Anonymised data means data which has undergone the process of anonymisation;
2. Kinds of personal data- The Bill has categorised data under three broad heads– Personal Data, Sensitive Personal Data, and Critical Personal Data.
i. Personal data includes data which pertains to characteristics, traits or attributes of identity, which can be used to identify an individual, collected online or offline.
ii. Sensitive Personal data includes financial data, biometric data, caste, religious or political beliefs, or any other category of data specified by the government, in consultation with the Authority and the concerned sectoral regulator.
iii. Critical Personal Data means such personal data as may be notified by the Central Government to be the critical personal data.
3. Obligations of data fiduciary- ‘Data Fiduciary’ (known as Collector under GDPR) means any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data;
‘Data Principal’ means the natural person to whom the personal data relates.
i. Prohibition of processing of personal data – Personal data can be processed only for specific, clear and lawful purpose.
ii. Limitation on purpose of processing of personal data – Every person processing personal data of a data principal shall process such personal data— (a) in a fair and reasonable manner and ensure the privacy of the data principal; and (b) for the purpose consented to by the data principal or which is incidental to or connected with such purpose, and which the data principal would reasonably expect that such personal data shall be used for, having regard to the purpose, and in the context and circumstances in which the personal data was collected.
iii. Limitation on collection of personal data- The personal data shall be collected only to the extent that is necessary for the purposes of processing of such personal data.
iv. Requirement of notice for collection or processing of personal data – Every data fiduciary shall give to the data principal a notice, at the time of collection of the personal data, or if the data is not collected from the data principal, as soon as reasonably practicable, containing the following information, namely:— (a) the purposes for which the personal data is to be processed; (b) the nature and categories of personal data being collected; (c) the identity and contact details of the data fiduciary and the contact details of the data protection officer, if applicable; (d) the right of the data principal to withdraw his consent, and the procedure for such withdrawal, if the personal data is intended to be processed on the basis of consent; (e) the basis for such processing, and the consequences of the failure to provide such personal data ( f ) the source of such collection, if the personal data is not collected from the data principal; (g) the individuals or entities including other data fiduciaries or data processors, with whom such personal data may be shared, if applicable; (h) information regarding any cross-border transfer of the personal data that the data fiduciary intends to carry out, if applicable; (i) the period for which the personal data shall be retained or where such period is not known, the criteria for determining such period; and any other information as may be specified by the regulations.
v. Quality of personal data processed – The data fiduciary shall take necessary steps to ensure that the personal data processed is complete, accurate, not misleading and updated, having regard to the purpose for which it is processed.
vi. Restriction on retention of personal data – The data fiduciary shall not retain any personal data beyond the period necessary to satisfy the purpose for which it is processed and shall delete the personal data at the end of the processing.
vii. Accountability of data fiduciary – The data fiduciary shall be responsible for complying with the provisions of this Act in respect of any processing undertaken by it or on its behalf.
viii. Consent necessary for processing of personal data – The personal data shall not be processed, except on the consent given by the data principal at the commencement of its processing. The Data Principal can withdraw its consent anytime. The burden of proof of having obtained consent is on the Data Fiduciary.
4. Restriction on transfer of Personal Data outside India
i. Personal Data can be processed and stored outside India.
ii. Sensitive Personal Data should be stored in India and may be transferred outside India for processing, if explicitly consented to by the data principal for such transfer and subject to certain additional conditions such as:
a. the transfer is made pursuant to a contract or intra-group scheme approved by the Authority and it has made provisions for effective protection of the rights of the data principal under this Act, including in relation to further transfer to any other person;
b. the Central Government, after consultation with the Authority, has allowed the transfer to a country or, such entity or class of entity in a country or, an international organisation on the basis of its finding that— (i) such sensitive personal data shall be subject to an adequate level of protection, having regard to the applicable laws and international agreements; and (ii) such transfer shall not prejudicially affect the enforcement of relevant laws by authorities with appropriate jurisdiction; and
iii. Critical Personal Data can only be processed and stored in India. Any critical personal data may be transferred outside India only where such transfer is— (a) to a person or entity engaged in the provision of health services or emergency services where such transfer is necessary for prompt action; or (b) to a country or, any entity or class of entity in a country or, to an international organisation, where the Central Government has deemed such transfer to be permissible under clause (b) of sub-section (1) and where such transfer, in the opinion of the Central Government, does not prejudicially affect the security and strategic interest of the State. Any transfer under clause (a) above shall be notified to the Authority within such period as may be specified by regulations.
5. Exemptions- The central government can exempt any of its agencies from the provisions of the Act: (i) in interest of security of state, public order, sovereignty and integrity of India and friendly relations with foreign states, and (ii) for preventing incitement to commission of any cognisable offence (i.e. arrest without warrant) relating to the above matters. Processing of personal data is also exempted from provisions of the Bill for certain other purposes such as: (i) prevention, investigation, or prosecution of any offence, or (ii) personal, domestic, or (iii) journalistic purposes. However, such processing must be for a specific, clear and lawful purpose, with certain security safeguards.
6. Offences- Offences under the Bill include:
i. Any person who, knowingly or intentionally— (a) re-identifies personal data which has been de-identified by a data fiduciary or a data processor, as the case may be; or (b) re-identifies and processes such personal data as mentioned in clause (a), without the consent of such data fiduciary or data processor, then, such person shall be punishable with imprisonment for a term not exceeding three years or with a fine which may extend to two lakh rupees or both.
ii. Offences under this Act shall be cognizable and non-bailable.
iii. Offences by companies: every person who, at the time the offence was committed was in charge of, and was responsible to, the company for the conduct of the business of the company, as well as the company, shall be deemed to be guilty of the offence and shall be liable to be proceeded against and punished accordingly.
iv. Offences by State: the head of such department or authority or body shall be deemed to be guilty of the offence and shall be liable to be proceeded against and punished accordingly.
7. Penalties- Penalties under the Bill include:
i. Contravention of certain provisions of the Act is punishable with a fine of Rs 15 crore or 4% of the annual turnover of the fiduciary, whichever is higher; and
ii. Failure to conduct a data audit is punishable with a fine of five crore rupees or 2% of the annual turnover of the fiduciary, whichever is higher.
8. Amendments to other laws
The Bill amends the Information Technology Act, 2000 to delete the provisions related to compensation payable by companies for failure to protect personal data (Section 43A).
The Bill, as stated in its preamble, provides for the protection of the privacy of individuals relating to their personal data, specifies the flow and usage of personal data, creates a relationship of trust between persons and the entities processing their personal data, and protects the rights of individuals whose personal data are processed, in order to create a framework for organisational and technical measures in the processing of data and to lay down norms for social media intermediaries, cross-border transfer, and accountability of entities processing such personal data. The Bill also seeks to provide remedies for unauthorised and harmful processing, and to establish a Data Protection Authority of India for the said purposes and for matters connected therewith or incidental thereto.
Author: Hitakshi Jain
Editor: Kanishka Vaish, Senior Editor, LexLife India.