Laws for Data Protection in India

Author: Shreya Singh; Amity University, Lucknow


We are living in a time when the protection of personal information has become unavoidable. Nations all over the world are updating their laws on the handling of information. The advancement of technology and the dynamism of the legal world give a perspective on privacy and data protection issues. Data protection stresses individual freedom, and this freedom is under threat from interference by third parties.

Until now, India has relied on the Information Technology Act, 2000 and other general laws to ensure data protection. Recently, India has taken its first major step by drafting its first Data Protection Bill, which was submitted to the government. In January 2019, the Union Minister of Electronics and Information Technology, Ravi Shankar Prasad, had informed the public authority that the data protection law was settled and would soon be presented in Parliament.


The expression “data protection” is derived from the German expression “Datenschutz”.[1] The idea of data protection is closely associated with the individual’s privacy.[2] Of many regulations, it is generally held that they serve not just data protection but a broader range of interests.[3] For data protection, it is not only privacy that has been considered. There is a variety of other, partly overlapping concepts that have been invoked as well, especially those of “opportunity”, “freedom” and “autonomy”.[4] In this regard, the most important question that comes to mind is whether data protection is a right or not. In this area, the degree to which such laws ought to protect organizations and groups is an emerging issue. It is this concept of data protection that, for the most part, recognizes the protection of the individual’s data. The scope of data protection laws is also limited to “data subjects”, defined narrowly as “living people”. Thus a corporate body, such as a limited company, has no right of access to any information concerning itself, because the company is not a data subject and information about it is not personal data.[5]

III. CASE: K.S. Puttaswamy (Retired) v Union of India[6] (“Puttaswamy”)

In the landmark case of Puttaswamy v. Union of India, a nine-judge bench of the Supreme Court of India delivered its decision on 24 August 2017. In a judgment running to 547 pages, the apex court collectively decided that “Privacy is a constitutionally protected right ensured in India”.


  • In 2012, Justice K.S. Puttaswamy (Retired) filed a petition in the High Court challenging the constitutionality of Aadhaar on the ground that the right to privacy was being violated.
  • The Petitioner contended before the nine-judge bench that this right was an individual right, guaranteed by the right to life and dignity under Article 21 of the Indian Constitution. The Respondent submitted that the Constitution recognized only personal liberties, which incorporated the right to privacy to a limited degree.
  • The case first came before a three-judge bench of the Court and was referred to a larger bench by an order dated 11 August 2015.
  • On 18 July 2017, a five-judge bench further referred the matter to a nine-judge bench to determine whether privacy is a fundamental right under the Indian Constitution.


The nine-judge bench of the Supreme Court collectively recognized that the right to privacy is guaranteed under Article 21 of the Indian Constitution as an important part of the right to life and liberty. The right to privacy was given the status of a Fundamental Right; as it is not absolute, it is subject to some limitations.


It is a milestone judgment in the domain of both traditional and digital privacy. The opinions, though varied, led to the same conclusion, namely overruling all of the past decisions and recognizing privacy as a fundamental right. The Court considered detailed arguments on the nature of fundamental rights, their constitutional interpretation, the theoretical and philosophical bases of privacy, and other minor aspects before giving it the status of a fundamental right. The fact that privacy remains intact even when an individual is in the public arena legitimizes the nature of our democracy. A striking feature of this joint judgment is its detailed treatment of issues of digital privacy, which are of increasing importance both in India and internationally. Likewise, the judgment makes clear that the Indian Government is now concerned to set up an online data protection regime to protect the privacy of the individual, which is significant as India is lagging behind in its online data protection regime, that is, appropriate laws and regulations concerning the collection, protection, and consistency of personal data and related enforcement mechanisms.


At present, there is no specific law on data collection, storage, data mining, and data protection in India. A few statutes and pieces of subordinate legislation cover this subject. The significant ones among them are:

  1. The Constitution of India
  2. Information Technology Act, 2000
  3. Indian Contract Act, 1872
  4. Copyright Act
  5. Indian Penal Code, 1860

The Indian Constitution recognizes the right to privacy, which as such includes a right to the protection of data. Guaranteeing civil liberties to the citizens of India as certain Fundamental Rights is one of the essential features of the Indian Constitution. At present, private data held by a citizen may be regarded as his private property used to pursue his work, and consequently protection of such data falls within the scope of the Right to Livelihood under Article 21. A citizen’s right to livelihood cannot be taken away except by due process of law. Additionally, our current legal system recognizes a citizen’s right to his or her property, with no limitations, and the state cannot deny the right to hold private property except by due process of law. A citizen’s right to data protection can therefore well be considered within the scope of Fundamental Rights under Article 21.

There are also several cases[7] which establish the right to privacy as a fundamental right. The reasoning behind this proposition has also been linked to the new dimension of ‘Data Protection’. Privacy and data protection are closely linked to one another. The right to data protection is firmly related to the ‘information’[8] of a person.

The Supreme Court of India concurred with the study of the constitutional provisions to understand the relationship of privacy with the expressly enumerated rights, along with their interpretation.[9] It examines the issue of the protection of data governed by various legislations.[10] Finally, it builds a case for treating the issue of data protection from a rights-based perspective.


Parliament enacted the Information Technology Act, 2000 as a single piece of legislation to provide a legal framework for an entire virtual ecosystem, for example e-commerce, electronic contracts, e-mails, and so on. More than 20 years after the Act was passed, e-commerce has grown considerably in all parts of business, in the working of the authorities and in other spheres of life, and it is likely to grow at an even faster pace in the coming years. Under such conditions the IT Act, 2000 has become more important than ever, as it regulates different aspects of the use of IT. Data protection is one of the areas covered under this Act. The IT Act provides a framework to prevent misappropriation of computer network systems and databases, and imposes substantial penalties for cyber crimes.

As per Section 43 A of the IT Act, “Any such body corporate will be held accountable for paying damages in way of compensation to any such person who has suffered an unfair misfortune or illegitimate addition as a result of carelessness in carrying out and keeping up sensible security practices and techniques by a body corporate, having, managing, or dealing with any delicate, individual information or data in a PC asset that it possesses, controls, or works.”

Also, Section 72 A deals with the punishment where information is disclosed in breach of a lawful contract. A punishment of imprisonment (for a term which may extend to 3 years), or a fine (which may extend to 5 lakh rupees), or both shall be imposed on any person, including an intermediary, who discloses any material containing personal information about another person, to which he gained access while providing services under the terms of a lawful contract, with intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain, without the consent of the person concerned, or in breach of a lawful contract.

In this way, any person who holds or handles personal data or information is under an obligation not to be negligent and also to maintain reasonable security practices and procedures, so that no wrongful loss or wrongful gain is caused to any person.

Further, the Government of India notified another set of rules, the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, under the IT Act, with the aim of ensuring reasonable security practices and procedures. These rules must be followed by companies, other bodies corporate and other organizations when handling sensitive personal data.


The Indian Contract Act is by and large based on common law principles, and it also gives the parties to a contract some room to include appropriate clauses for protecting data, such as confidentiality clauses, privacy clauses, and so on.


Under the Copyright Act of 1957, as revised, a computer database is included in the definition of literary work, and thus copying of a computer database amounts to infringement under the Copyright Act, which attracts criminal remedies.

From the above legislation, it can be seen that the legal provisions relating to data protection are spread over different statutes, and there are a few amendments to these statutes. There is no comprehensive legislation for data protection. Accordingly, in the landmark judgment in Justice K. Puttaswamy v. Union of India, the Supreme Court noted that the Indian government had appointed a committee under the chairmanship of Justice B.N. Sri Krishna, which was working on drafting legislation for data protection, and that the committee was expected to present draft legislation to the Government of India.


The Indian Penal Code, 1860, as amended, is a penal law that has been enforced in the country to prevent data theft. The IPC has included data as part of the definition of ‘movable property’; accordingly, any misappropriation or theft of data now constitutes an offence within the meaning of the IPC.


With time, data protection laws are becoming more stringent. Nonetheless, the government of a country has total control over any data, and that control is granted through exceptions to any rule. If a case falls within any of the exceptions, personal data can be processed overriding the data subject’s consent. These exceptions can be interpreted broadly.

Data subjects should be cautious, since any information in the public domain can be accessed by anyone.

The personal information given to banks, companies or any authority should be checked closely, so that even in the event of a breach the data subject is least affected. We also need to remember that if our data is leaked and we suffer losses, we may never receive adequate compensation. Unfortunately, measures to safeguard data are costly, and it will be hard for small businesses to comply with them. The result may be a breach in compliance or the loss of small enterprises. We hope that strong measures are taken so that any data breach is avoided.

[1] Further on the origins of “Datenschutz”, see Simitis, S. (ed.), “Bundesdatenschutzgesetz,” Nomos Verlagsgesellschaft, Baden-Baden, 6th edition (2006): 62–63.

[2] Latha R. Nair, “Data Protection Efforts in India: Blind leading the Blind?” The Indian Journal of Law & Technology Vol. 4 (2008).

[3] Bygrave, L.A., “Data Protection Law: Approaching Its Rationale, Logic and Limits,” Kluwer Law International, The Hague / London / New York (2002).

[4] Westin, A.F., “Privacy and Freedom,” Atheneum, New York (1970); Miller, A., “The Assault on Privacy: Computers, Data Banks and Dossiers,” University of Michigan Press, Ann Arbor (1971).

[5] Supra Note 2.

[6] WP (C) 494 of 2012.

[7] R Rajagopal v. State of Tamil Nadu AIR 1995 SC 264; Sharda v. Dharampal, AIR 2003 SC 3450; District Registrar and Collector v. Canara Bank, (2005) 1 SCC 496; State of Karnataka v. Krishnappa AIR 2000 SC 1470; State v. N. M. T. Joy Immaculate, AIR 2004 SC 2282; X v. Hospital Z AIR 1999 SC 495; Kottabomman Transport Corporation Limited v. State Bank of Travancore and others, AIR 1992 Ker. 351; Registrar and Collector, Hyderabad and Anr. v. Canara Bank Etc AIR 2004 SC 935.

[8] Supreme Court of India v. Subhash Chandra Agarwal and Anr; Civil Appeal no. 10044/2010

[9] Ram Jethmalani & Ors v. Union of India, (2011) 8 SCC 1.

[10] Justice A P Shah Committee Report, “Report of the Group of Experts on Privacy”, (2012), Accessed October 21, 2016,