Image source:

This article is written by Jaya Vats from Vivekananda Institute of Professional Studies, Delhi. In this article, the author discusses the relation between Data Privacy and Intellectual Property Rights. The article lies in the concept of Data protection and the right to privacy.


Over the last few years, there has been a substantial increase in the amount of data produced by the use of various electronic devices and applications. Today’s companies derive significant value from the analysis of ‘big data’ and also describe their business strategies based on such research. Although there is no denying the business efficiency involved, the burning issue is ‘do individuals influence how information relating to them is obtained and handled by others.’

Download Now

The development of technology and the dynamism of the legal system offer an insight into privacy and data security concerns in this recent period. Privacy has become a concern of any person as a result of technological progress, and it also puts a limited focus on data security. Intellectual Property Rights (IPR) management is an integral aspect of every data management program. The builder of a database or other data resource will have an interest in who owns that resource and how others can use it. Anyone who will use the tool with data provided in part by others would want to ensure that any legal, ethical, and professional responsibilities that one may have with the data provider are met. Data protection emphasizes individual liberty and the freedom of this individual is threatened by interference by the stranger. It is necessary to stop the activity of the stranger to the activity of the person by any means. 

What are some of the important data protection laws in India?

Because personal information is a manifestation of the individual’s personality, Indian courts, including the Supreme Court of India, have recognized that the right to privacy is an essential part of the right to life and personal liberty, a fundamental right granted to every citizen under the Constitution of India. As such, the right to privacy is of utmost importance to the Indian judiciary and can only be enhanced for legitimate reasons such as national protection and public interest. However, like the constitution of India, there are a variety of other legal frameworks that talk about data security and these are as follows:

  1. Information Technology Act, 2000(“IT Act”): The IT Act allows for the defense of such infringements with data from computer systems. This law includes provisions to prevent the unauthorized use of data, files, and resources. This section shall include personal responsibility for unauthorized or unlawful use of computers, computer systems, and stored information. The above portion, however, does not take into account the responsibility of operators of Internet access or network service providers, or companies handling data. As a consequence, data storage, transmission, and protection agencies such as manufacturers and providers of services outside the scope of this section are outside the scope of this section. The responsibility of the organizations is further reduced in Section 79 by including the conditions for “information” and “best efforts” before the quantum of penalties. This assumes that the network service provider or the outsourcing service provider will not be responsible for the violation of any third party data made available to him because it shows that the violation or infringement has been committed without his knowledge or that he has exercised sufficient due diligence to avoid the execution of such an offense or infringement. A variety of provisions relating to ‘data protection’ have been incorporated like Section 43, Section 43A, and Section 72A of the act talks specifically about data security.
  2. Intellectual Property Laws: The Indian Copyright Act provides for compulsory prosecution for the infringement of intellectual content concerning the seriousness of the offense. Section 63B of the Indian Copyright Act provides that anyone who intentionally makes use of an infringing copy of a computer program on a computer shall be imprisoned for a minimum duration of six months and a maximum of three years in jail. It is important to note here that the Indian courts recognize copyright in data. It has been argued that compiling a list of clients/customers created by a person by devoting time, resources, labor and skills amounts to “literary work” in which the author has copyright under the Copyright Act. As such, if an infringement happens for records, the parent outsourcing company can also have recourse under the Copyright Act.
  3. Indian Penal Code, 1860: Indian Criminal Law does not explicitly discuss data privacy infringements. Responsibility for these infringements must be derived from similar offenses under the Indian Penal Code. For example, Section 403 of the Indian Penal Code imposes a criminal penalty for dishonest misuse or conversion of “movable property” for one’s usage.
  4. Credit Information Companies Regulation Act, 2005(“CICRA”): As per the CICRA, credit information about individuals in India must be obtained in compliance with the privacy requirements set out in the CICRA Regulation. Entities gathering and storing data shall be responsible for any potential misuse or modification of such data. Based on the Fair Credit Reporting Act and the Graham Leach Bliley Act, the CICRA has defined a strict structure for information on credit and finance for individuals and companies in India. The Reserve Bank of India has recently notified the terms of the CICRA Regulations providing for strict data privacy rules.

Importance of data licensing

The value of data increasingly is recognized by companies as a business asset that is to be protected and used through licensing to third parties in today’s highly technological environment. Therefore businesses and their lawyers will enter a variety of agreements covering data and IP rights protection and care. Where one party wants to use a data feed or has built a database that he wants to license, data problems can be the focus of the particular transaction. Data problems, in particular technology service arrangements, also arise as a side factor in other licenses and trade transactions. Since data may be protected with one or more IP rights, the use of data by third parties requires the authorization of the data owner or the license to the data sub-license by a party authorized by the owner. While similar to other types of IP licenses in certain respects, data licenses have several unique licensing issues, such as:

  • Ownership of and use of data
  • The processing of source derived and use information

It is because a party, for example, a service provider, may, among other reasons: For example, receiving or collecting and compiling data from another party or generate information or data on behalf of that other party from the data of the other party. For example, if a seller processes and generates data from the customers ‘ data relating to the provision of services to the customer by the seller, the parties will probably have a conflicting interest. In this case, the vendor may wish to analyze and use customer data to provide customer services or if possible processes and aggregates customer information for commercial use, by creating new products and services, by use of processed data to improve internal operations, products, or services or by authorized third parties to use the data. In general, the customer would like to keep their data confidential or use of data to its benefit is prohibited and allow access to all new data sets arising from the processing of the customer data by the vendor and where feasible, ownership.

Data licensing should also include the way data are distributed, stored, and regulated and policies, practices, and protocols on data protection, especially when the data contains financial, technological, or commercial information that is sensitive or personal. A key negotiated point is the ownership of the authorizing authorization and the permitted use of data by the licensee in any data licensing transaction.

Public domain dedication license

The license that grants public domain-like rights and/or acts like waivers is Public-domain-equivalent licenses. They allow copyrighted works available without restrictions by anyone while avoiding the complications of the assignment or compatibility with other licenses. Publicly available information does not necessarily have to be publicly available — not from the copyright point of view at all. Despite this, the terms “public content” and “public domain content” often describes all content accessible to the public interchangeably. Copyright protects certain types of content: primarily littoral, dramatic, musical, artistic, architectural, as well as film or sound recording. To properly include books, computer programs, compilations, and Tables within the sphere of the term, Indian Copyright Law defines literary works. The law does however not use the fact that content is or is not available to the public (or to some general public section) as a criterion to determine whether or not it is within the public domain. The determination that contents are publicly available or not, on the other hand, is dependent on whether or not copyrights are protected. (The copyright statute does not contain the term ‘public domain’ itself)

The content enters the public domain only if copyright ceases to be contained in protected content. The most common way to do so is by the expiry of the copyright term in the content. In India, copyright would generally remain for 60 years after the death of its author or 60 years following its publication, depending on the nature of its content. As such, the content enters the public domain once this term has ended. (The released version may, in some cases, not belong to the Public Domain when text is edited; the translation may also not be in the Public Domain if public domain work is translated). Copyright-protected content may also enter into the public domain if the copyright owner gives up copyright — in Section 21 of the Indian Copyright Act of 1957, copyright can be given up. Public information or publicly available content is not only publicly available, publicly-accessible, or publicly accessible in the public domain. The reproduction of information that is publicly available would ordinarily require a license, unless (a) public information was publicly available from a copyright standpoint, (b) the relevant statute was explicitly exempted from alleged infringement by unauthorized reproduction, (c) copyright by the unauthorized principle of copyright. 

Attribution license 

This license enables others to distribute, adapt, and build on your work, even commercially, as long as the original creation is credited to you. This is the most suitable license available. Maximum dissemination and utilization of authorized materials are suggested. Artistic Commons licenses provide a structured way for all artists from big organizations to give their artistic work public permission under copyright law. The attribution clause is contained in all Creative Commons licenses. This means that a statement that creates the work you bought from, whether it is a text, an image, a video, or any other item, is required to be included. Indicate this in your attribution statement if you have changed the work in any way.

Open database license

The Open Database License is one of the most widely used free licenses for open data worldwide. This license agreement allows users to freely share, modify, and use data while maintaining the same freedom for others. “The most important highlights of the license included authorization for the extraction and utilization of information, the creation and creation of derivatives, collective database, temporary and permanent reproductions, and the dissemination to the public of knowledge by whatever means and in whatever form.” In the link between open data and licenses, Intellectual Property rights play an essential role. The copyright law guarantees the rights of copyright holders to reproduce, alter, distribute, and publicly display a tangible product. The owner/copyright holder may give legal permission to use his or her product subject to conditions and limitations. Otherwise, the holder of the copyright may exercise his rights in court and receive payment for improper use of his product/property. In general, the protection of copyright for data and information prevents and restricts the use, reuse, and redistribution of third parties. Authors can obtain a free data license to enable users to freely share, edit, and use data in case of open data, to make the terms of copyright protection very clear.

How IPR promotes and ensures data privacy

As the right approach to the work of the computer-related databases, the parity between ‘data protection’ and ‘intellectual property law’ needs to be analyzed. Under Section 63B of the Indian Copyright Act, any person who is aware of an infringing copy of the program on a computer is liable for infringement. The right of an individual to intellectual property is based on the elements ‘work, competence, and judgment.’ In the case of law on certain works of literature, fiction, music, art, and film, the preservation of the owner’s right to that work is important. However, data privacy and security of databases under the Copyright Act are difficult to distinguish. Data protection is intended to protect the privacy of individuals, while the security of databases has a slightly different purpose, namely to protect the ingenuity and investment made in the collection, verification, and presentation of databases. Legal principles of access, anonymity, ownership, and facts are common to all relationships. 

However, these principles can also be used to evaluate the rights and responsibilities of professional and business record keeping participants. Property law may apply to records as legal objects, which are evidence of a legal relationship, rather than merely physical objects. Access and intellectual rights and responsibilities provide examples of the complex interests of participants in record keeping. Privacy protection must be balanced with the need to retain identity information over time to establish rights and obligations. The use of the rights and responsibilities method applies responsibility for the development, recording, and protection of evidence to a variety of parties within a system of relationships, including the author and receiver, data subjects, and third parties, which are similarly relevant to the online world. Likewise, ‘data security’ and ‘intellectual property rights’ are rights concerns. It deals with four forms of personal: personal details, physical data, contact privacy, and territorial data. There are several conceptual discussions about the intellectual property rights model, the moral right model, the trade secrecy model, which is at the core of the ‘right basic solution.’ In generalizing the concept of intellectual property, the right of the author must be established as the legal right of the individual to control the use or disclosure of personal data. The author also pointed to ‘govt’ in this matter. A versatile and sensitive approach to the security of personal data, including the adoption of property rights solutions, should be adopted.

Ownership of big data and its relevance with IPR

As per IBM, 2,5 quintillion data are generated every day in the present state. The data collection, generation, processing, and transfer of Big Data should be equally versatile, given the dynamic nature of the digital area. “It is also believed that 90 percent of the existing data in today’s world has been generated over the last 2 years. Big data is often used to include data explosion and its easy access-both in structured and unstructured form. It can be divided into three parameters to achieve an accurate definition of big data:

  1. Speed – This term measures the rate of data change in real-time. The rationale for this argument is that all the data that is being generated comes from existing data and thus generates a data network. It analyses the various speeds at which data operation happens and analyzes the relationship between the two data sets of changes.
  2. Variety – Data comes in every shape and size in today’s sense. This description includes the various formats in which structured and unstructured data are entered. The data is usually stored at an individual level and is not often accessible for review, which makes it difficult to interpret, integrate, and analyze the data.
  3. Volume – This term is specifically for unstructured data from social media and other media formats. With the rise in sensor and machine-to-machine data being collected, it allows huge data volumes to be used for analytics, helping to draw the necessary conclusions.

Big data is extremely valuable from a business, a society, or a government perspective, as the more data available the more accurate the research will be. This in effect would boost decision-making, operating performance, size savings, and risk management. Data can’t create a digital revolution in its raw form, however. It must be properly collected and stored to affect it. If obtained, a proper way of evaluating it is important and correct conclusions need to be drawn and properly communicated. Intellectual property plays a vital role in the creation of this method-from proprietary hardware to the copyrighted software that handles and analyzes data collection and storage. As soon as a company wants to perform analytics, the final result is classified as a secret by Intellectual Property rules. Any reports released using the results of this analytics are therefore covered in compliance with IP legislation by default.

Thus, intellectual property is an immaterial asset that is central to the function of a corporation, which is hard to place a price on, unlike any fixed asset. This makes it impossible to reach the full depth and breadth of Intellectual Property, which ensures that it can not be abused, exchanged, or enjoyed. But with tighter Intellectual Property laws worldwide, this dynamic asset has more structure. Now how does the Intellectual Property rights Secure Big Data? It does so by:

  1. Copyright – The real details can not be patented, as in the case of patents. There is a great deal of ingenuity in data representation and analysis, and the processing of the database is special and thus falls within the scope of security.
  2. Commercial secrecy – The data obtained and the analyzes and processes behind them are safeguarded as a commercial secret because they are specific for each organization. Economic interest and fair measures are made to keep the matter confidential, which dictates whether or not it is a trade secret. Big data is provided in compliance with IP law in this regard.
  3. Patents – Data can not be patented in its raw form, but it can be covered in compliance with patent laws when processed and analyzed. Here, there is a case for putting the structures in place for such a thorough study that a good deal of creativity is required. However, the patent system has traditionally been a weak control center for data and processes.

However, intellectual property restrictions do exist. Every country operates under its system for intellectual property with offices operating independently. Therefore, individual innovations are difficult to track, and, more importantly, their safety under specific legislation is monitored. This then leaves a gray area in terms of Intellectual Property ownership and its rights. Big data growth is expected to rise in multiples over the next two years, which will require tighter and more standardized Intellectual Property controls. The starting point is to decide the need for security, but the data must be collected and tables to be fully successful. When data is collected around the world, inconsistencies can be found and summarized easily.

Data privacy and current legislations in India

Proprietary rights are covered both by the Constitution of India and by various legislative provisions. Article 21, for example, has two parts, i.e. the personal aspect of the right to privacy and the commercial dimension of the right to livelihood. Data privacy is a vital means of subsistence and can not be taken away without due process of law. Where the same is breached by any individual, liability can be sought following Article 21. Likewise, Article 300A of the Constitution confers on all individuals the right to possess and enjoy their land. Therefore, a person can not be deprived of his property except by the force of law. Any violation of this right can be prosecuted by a court of law. 

On the substantive hand, Section 22 of the Indian Penal Code, 1860 (IPC) provides an expansive description of the word ‘movable property,’ which includes all corporal properties. The word ‘include’ in the section implies that information stored in the form of paper data and on a computer can be conveniently and safely treated as a movable material because it is capable of moving from one location to another. In the case of R K Dalmia v Delhi Administration, the Supreme Court held that the word ‘property’’ was used in the IPC in a far wider context than the phrase ‘movable property.’ There is no valid reason to restrict the scope of the word ‘land’ to the moveable property only when it is used without any qualification. Whether an offense specified in a specific section of the IPC can be committed in respect of any specific type of property may depend not on the meaning of the word ‘property’ but on whether that particular type of property may be subject to the actions protected by that provision. There is also nothing that removes the data property from the concept of an IPC object.

The Information Technology Act, 2000 defines the data referred to in Section 2(1)o) as a representation of information, knowledge, facts, concepts or instructions which are prepared or prepared in a formalized manner and which are intended to be stored, stored or processed in a computer system or computer network and may be in any form (including computer printouts, magnets, etc.). In the same way, the term computer database means a representation of information, knowledge, facts, concepts or instructions in text, image, audio, video that are prepared or prepared in a formalized manner or generated by a computer, computer system or computer network and intended for use in a computer, computer system or computer network. The concepts of data and computer records, along with the requirements on their security and compliance, are adequate to tackle data property infringements in cyberspace.

Section 2(o) of the Copyright Act, 1957 specifies that, unless the purpose otherwise requires, literary work contains computer programs, tables, and compilations, including computer databases. The Copyright Act, 1957, therefore, also provides for the protection of data content. The same is evident if we give an objective and up-to-date interpretation of the provisions of the Copyright Act. Indeed, the protection of intellectual property rights (IPR) in data property is not easy to create, but difficulty does not imply a lack of protection. It is for the person concerned to prove the same thing that is entirely possible in the current Indian legal system.

TRIPS agreement and data protection

The terms of the TRIPs Agreement are of the most comprehensive and thorough sort, as they cover all types of TRIPs collectively. Article 9(1) of the Agreement provides that Members shall comply with Articles 1 to 21 of the Berne Convention, 1971, and the Appendix thereto. Article 9(1) of the Agreement provides that the Member States shall comply with Articles 1 to 21 of the Berne Convention, 1971, and the Appendix thereto. Nevertheless, the members do not have any privileges or responsibilities under this Agreement about the rights granted under Article 6bis of that Convention or the rights obtained therefrom. Therefore, while the TRIPS uses Berne as a minimum norm, it deviates from Berne in two respects. TRIPS is broader than Berne, in that it covers ‘information and databases;’ but at the same time, TRIPS is also narrower than Berne, in that it does not require conformity with the moral rights set out in Article 6bis of Berne. Nevertheless, the Member may have to continue to meet the current obligations that the Member can owe to each other under the Berne Convention.

This ensures that if two members of the TRIPs Agreement already extend immunity to each other in the form of ‘moral rights’ of writers under the Berne Convention, the TRIPs Agreement does not prohibit them from doing so. The TRIPs Agreement acknowledges the security of ‘data’ in Article 10(2) of the TRIPs Agreement. Article 10(2) of the Agreement specifies that ‘data compilation’ or ‘other material,’ whether in machine-readable or in any other form, which ‘because of the selection or arrangement’ of its contents constitutes intellectual production, shall be covered as such. Also, the Article specifies that such rights, which shall not apply to the data or material itself, shall be without prejudice to any copyright found in the data or material itself. 

A closer look at the articles shows the following facts:

  1. It is the ‘compilation’ of data or other content covered under the TRIPs Agreement. It should be remembered that the ‘compilation’ of the subject matter of copyright is protected by almost all judicial systems. This is also protected by the Berne Convention. Therefore, if the data is compiled in a specific way, it can not be used in the same manner. Furthermore, the scope of this article has been extended to non-data items by the use of the words ‘other materials.’
  2. The collection can be in a machine-readable form or some other form. The former category includes storing data in computers and their equivalents, while the latter category includes storing data in conventional paper mode. The management of data properties in computers and their equivalents often needs the same security in the area of information technology law. It may be the reason why the Government is preparing to change the original Information Technology Act, 2000. The correct solution, however, seems to be to implement the requisite ‘explanatory clauses’ in the Indian Copyright Act, 1957 and to make minor reasonable changes to the Information Technology Act, 2000. This can not, in any event, be pushed ahead by the Information Technology Act alone. Where data stored on or parallel to a device is misused, the provisions of the Information Technology Act can be brought into effect following the Copyright Act, depending on the extent of the infringement or infringement. It should be remembered at this stage that the Copyright Act, 1957, also covers ‘databases’ as ‘literary works’ under Section 2(o) of the Copyright Act. The concept of ‘literary work’ must be remembered that it is ‘inclusive’ in nature and can include more categories. Furthermore, the compiling definition employed herein is inclusive of nature itself, one of which is compiling databases. Therefore at least two ways of compilation are included in the word ‘compilation,’ as used in Section 2(o). The first is the collection for copyright conferences and the second for data security. Therefore, if the term ‘original creative works’ has been used in Article 13(1)(a) of the Copyright Act, it is not only included but also multi functionally. The literary work should not be confused with copyright alone. Inclusivity of the literary work implies the entire Copyright Act; Section 13(1)(a) of the Copyright Act is not to be viewed as a result. Briefly, the Copyright Act preserves copyright and archive initial compilations. Copyright and data security are the same things, it is incorrect to say. Those two are separate IPRs that are expressly covered by not only the TRIPS but the Copyright Act as well. The wrong treatment of copyright databases and related criteria has generated a situation in which the Indian government is preparing separate data security legislation. The current requirement is only to issue an explanatory statement clarifying this position. Nonetheless, the concept of literary work may also take into account certain items that are not data-inherent. The TRIPS Agreement and the Copyright Act specifically accept and propose this possibility.
  3. The data protection argument exists only on the grounds of the collection or arrangement of the contents by the use of creative creations. Therefore, if there is no intellectual effort involved in the collection or arrangement of the objects, the same can not be covered as the data property. Nevertheless, the same would also apply to the defense of copyright, as the defense will not depend on the nature of the materials, but on their representation as such. It must be pointed out at this stage that the assertion of copyright does not depend on the formality of registration. So long as the contents are presented originally, copyright protection will also be given. If the contents are organized using some creative effort, the same may be asserted either as copyright or as a database. This can reasonably be inferred that all databases are capable of defending copyright, but not all copyrightable content is suitable for data protection. It indicates that copyright security is easier to obtain than data protection. This argument should not be misinterpreted as meaning that copyrightable content can be completely stripped of any intellectual shadow. It just means that the ‘price’ standard is more stringent and stricter in the case of data protection than in the case of copyright. Therefore, the same content does not qualify for data protection, but it may also be protected by copyright. The argument is further strengthened by the use of the word ‘as such’ in Article 10(2) (ref. 12) of the TRIPs Agreement. So either the work is protected as a database or it can qualify as copyright for protection.
  4. Database security is not available for the data or content itself but is available in the form of selection or arrangement specifically for intellectual development. The privilege in databases is, however, without exception to any copyright in the data or content itself. Again, it demonstrates that a person who owns the data has two rights. On the one side, he has a right in the form of databases that are available in the form of collection or arrangement in the intellectual creations. On the other hand, he has a right to the copyright of the very data or content itself which is available to him. In short, the right to data protection is only available in the type and manner of intellectual selection or arrangement and not in the data or material itself, while copyright is available in the data or material itself because the same is the term. The Copyright Act, 1957, therefore, properly covers both the databases and copyrights.

The current structure of the data security system is therefore adequate to comply with the provisions of both the Indian Constitution and the TRIPs Agreement. The ideal solution to any issue is not to pass a plethora of laws, but to enforce them in a comprehensive and committed manner. The courts must enforce current laws in a progressive, up-to-date, and fair manner. It must be understood that it is not the enforcement of the statute, but the intention, the will and the commitment to embrace and execute it in its true letter and spirit that can bestow the highest, most effective, and most effective security for every reason. Enforcement of these rights includes a qualitative effort, not a quantitative one. 

The need for data privacy

The compelling and much sought-after demand for the protection of electronic information and data generated by various stakeholders has again set in motion the process of thought, and India is faced with a situation in which it must determine whether to implement new amendments to the existing IT Act, 2000 or to enact separate legislation for the same reason. Data protection legislation must address the following constitutional issues on a priority basis before any statutory enactment procedure is initiated:

  • Realspace and cyberspace privacy rights of interested parties.
  • Requirements for freedom of access U / A. 19(1)(a).
  • Demands for the right to know people U / A. 21.

If these concerns are sidelined in the pursuit of data protection, they may have catastrophic results because the data protection legislation(s) will be vulnerable to infringements of constitutionality on the grounds of infringement of Articles 19(1)(a) and 21 of the Constitution. The requirement for the promulgation of any legislation dealing with data security is therefore to bear in mind the demands of such freedoms. 

Right to privacy

In India, this right has become an integral element in the right to life and democracy and the right to freedom of speech. This right is the most fundamental feature of human life. Every individual is eligible for the ‘personal domain’ of the State or other actors without unjustified intervention or monitoring. Despite the widespread recognition of the privacy obligation, international human rights protection mechanisms have not fully developed the specific content of this right. The lack of consistent interpretation of the substance of this right contributed to its implementation and enforcement difficulties. In conjunction with Tort Law, a new claim for litigation on claims arising from the unlawful infringement of privacy has emerged as a separate and distinctive principle of privacy.

This right has two aspects firstly, the general privacy law which allows damages arising from an illegally infringing of privacy to be treated wrongfully, and secondly the constitutional recognition of privacy rights that safeguard personal privacy from illegal government invasions. But this right acquired a constitutional status in recent times. India is a signatory to the Civil and Political Rights International Treaty of 1966. The ‘right to confidentiality’ in Article 17 thereof. In almost the same words Article 12 of the 1948 Universal Declaration of Human Rights. No part of our municipal law is contrary to Article 17 of the International Convention. Accordingly, in compliance with international law Article 21 of the Constitution must be read. Furthermore, the rights to privacy in cyberspace must be taken into account. Legal activists have brought in Articles 19 and 21 the right to privacy within the sphere of basic rights. The judiciary has accepted the right to privacy as an essential part of the right to life and personal liberty. The Supreme Court of India has interpreted the right to life as a right to a dignified life in the case of Kharak Singh V. State of U.P, in particular, the minority judgment of Subba Rao J. In Govind v. State of M.P., Mathew J, the majority judgment, held that the right to privacy was itself a fundamental right, but subject to certain limitations based on compelling public interest. Data security in its various judgments, as defined by the Apex Court, implies various things for different citizens. The right to be left alone, to be paid for the data, and to have freedom of action is privacy.

Important provisions of the IT Act, 2000

As laid down in the IT Act 2000, India’s concern for data security and the privacy rights of its people is expressed in the information technology sector as accessible even to private persons:

  1. Jurisdiction over the Long Arm: Section 1(2) read with Section 75 of the Act specifies that the rules of the Act are applied externally. Therefore if through a device, computing system, or computer network in India, a person (including a foreign national) violates the data and privacy of a person, he will be liable under the provisions of the Act.
  2. Manipulation of the computer: Data and a person’s privacy rights are also impacted if the source documents of his computer are destroyed. The person tampering with such computer source documents shall be punished with imprisonment of up to 3 years or a fine which may be extended to Rs 2 lakh or both.
  3. Responsibility of network service provider: A network service provider shall be liable for infringement of the data and privacy rights of a third party where information or data of a third party is made available to a third party for the commission of an offense or infringement. An individual has the right to protect the privacy of his or her own family, marriage, procreation, pregnancy, child-bearing, and education, among other things. Without his permission, whether real or otherwise, and whether laudatory or critical, no one can publish anything concerning the matters referred to above. If they are, they breach the data subject’s rights to privacy and are responsible for damages in a lawsuit. The network service provider is not, however, held liable if it shows or performs sufficient due diligence to preclude such a commission that the crime or contravention was committed.
  4. Unauthorized usage: If a person makes unauthorized use of another person’s device, computer system, or computer network by accessing, uploading, adding computer pollutants, destroying, disturbing, refusing access, etc., he or she may immediately infringe the privacy of the owner. Such an individual shall be responsible to the person concerned for compensation for damages not exceeding the number of rupees. Data and privacy, therefore, include the right of an individual to be free from restrictions or intrusions on his or her person or property, whether directly or indirectly brought about by calculated measures.
  5. Hacking of the computer: If any individual causes wrongful perdition or harm, by destroying, removing, or modifying information or private information that is resident in the computer resources of the owner, or through other means damaging or affecting the owner’s value or utilities, the person commits hacking and therefore violates the owner’s data and privacy rights. The hacking person shall be punishable by up to 3 years ‘ imprisonment or fine, which can be up to Rs 2 lakh or both. However, if he proves that he has committed the act unintentionally, an innocent person shall not be held responsible.

Freedom of information

The right to provide and obtain information is a kind of right to freedom of speech and expression. A person has a fundamental right to use the best means of supplying and receiving information. The State has a duty not only to respect the fundamental rights of citizens but also to ensure conditions under which all can be enjoyed in a meaningful and effective manner. At the same time, Article 19(2) allows the State to make any law in so far as it imposes fair restrictions on the exercise of the rights granted by Article 19(1)(a) of the Constitution in the interests of the sovereignty and dignity of India, the protection of the State, ties of goodwill with foreign states, public order, morality, contempt of court, defamation and incitement.

Data protection rights may, therefore, be challenged in a given case against freedom of information, and the facts and circumstances of each case shall govern that position. For example, Section 8(1)(d) of the Right to Information Act, 2005 states that no citizen data including business confidence, business secrets, or intellectual property, which would harm a third party’s competitive position, are to be disclosed, regardless of anything contained in this Act, unless the competent authority is satisfied that a larger p is to be disclosed As a general rule, the freedom of access does not require the disclosure of data security access. The same may, however, be disclosed if the greater public interest so warrants. Each case will, therefore, be governed by its facts and circumstances.

However, it should be noted that Article 19 freedoms, including Article 19(1)(a), are only applicable to the people of India. Indian people. Under this article, an alien or foreigner doesn’t have any rights as he is not an Indian citizen. Therefore, to give immunity to non-citizens, Article 21, which is available to any citizen or non-citizen, needs to be contingent and implemented.

What is the liability of companies

The relation between ‘data security’ and ‘corporate affairs’ is often based on the right basic approach. In many ways, the company is greatly affected. It is very important that the data is accessed, disclosed, shared, and processed. In the private sector, data processor or computer controller custody has played an important role. It is sometimes the responsibility of the private organization to share or not share. That is the dispute with the regulatory authority between private and public organizations.

When anyone wishes to view information or order a product electronically, the information is required to be submitted. Upon the submission of this material, the question arises whether or not the data held by the authority meets public policy. For example, in this context, under the banking sector, it is the responsibility of the banker not to reveal the information in their hands, which results in a violation of the duty of confidentiality and confidentiality owed to the client. The scope of the right to privacy of banking clients has been limited in so far as it conflicts with the right to information and public information.

In another area, the Securities and Exchange Board of India Act (1992) establishes the Securities and Exchange Board of India ( SEBI) to govern and regulate the use of individual credit information. The Act provides for reactive government access through the Security Exchange Board of India, which is empowered to have broad access to private sector data related to the securities market. As a safeguard for unauthorized reactive access, SEBI is only permitted to inspect if it has reasonable grounds to believe that: an insider or fraudulent company is engaged in trading, unfair trading practices are used, securities transactions are dealt with in a manner that is detrimental to the investor, the intermediary or any person associated with the securities. The Act reinforces reactive information access and disclosure by penalizing any person who does not provide the information requested.

So when the data and privacy law of an individual is infringed on by a corporation, anyone who was responsible for conducting their business and the corporation at the time the violation was committed and was liable to be prosecuted and punished accordingly shall be guilty of the violation. Nevertheless, this person is not responsible if he has shown that he or she has exercised all due diligence to prevent this crime without his or her comprehension. These provisions provide adequate protection of private persons against violations of data and privacy rights. It is appropriate to issue a notice to the effect that the IT Act properly protects data and privacy rights under these provisions. The fact that no good data and privacy security exist under the IT Act is sometimes overlooked.

Benefits of data privacy 

  1. Holding your data safe would also help you stay ahead of your competitors. It increases investor trust, which is healthy for your company, by protecting your clients’ details. You need appropriate, up-to-date applications and strict data policies to protect your data. This helps avoid potential threats or attacks from compromising your sensitive information.
  2. Data privacy can make it difficult for hackers to access sensitive information. This could include important business information such as names, addresses, phone numbers, email accounts, bank details, health records, etc. Through safeguarding valuable and confidential data, you can deter criminals from carrying out identity theft, phishing scams, or other forms of fraudulent activity.
  3. Privacy protection includes maintaining a high degree of security for personal data and all relevant activities related to the collection, storage, processing, access to transmission, sharing, and disposal of data. Historically, enterprises have not provided extensive, effective data protection controls applied across the entire enterprise, across all end devices. Breaches that adversely affect the data subjects can be avoided by introducing security measures for personal data.
  4. Organizations that do not enforce privacy safeguards and eventually suffer infringements will lose trust, which in turn will result in lower revenues and fewer customers. Therefore, data privacy plays a very important role here.
  5. A company that is viewed as protecting user data and respecting the privacy of users will certainly be rewarded with consumer loyalty.

Data protection is the process of ensuring that data and important information are not compromised or corrupted. It may be challenging for many, but it allows for benefits such as boosting investment returns, improved customer loyalty, and more efficient operations.

Issues and challenges 

It is mostly argued that India must implement a ‘rights-based’ data security model as opposed to the existing ‘consent-based’ model. In the consent-based model, the data controller is free to access, process, and exchange data with any third party as long as the consent of the user has been obtained. However, not all are aware of the practical implications of indiscreet data sharing at the time of consent. On the other hand, the ‘rights-based’ model allows users to have greater rights over their data while allowing the data controller to ensure that users’ rights are not abused. This leads to greater control for users over their data. In the case of K. S. Puttaswamy (Retd.) v Union of India, the Hon’ble Supreme Court has set a triple condition for the intervention of the State with fundamental rights. When a State may interfere to protect legitimate State interests, (a) there must be a law in place to justify an infringement of privacy, which is an express provision of Article 21 of the Constitution; (b) the form and substance of the law enforcing a restriction must fall within the area of reasonableness specified by Article 14, and (c) The means adopted by the legislature must be proportionate to the object and the needs to be met by the law. The decision of the Hon’ble Supreme Court empowers the people of India to seek judicial redress in the event of a violation of their data privacy rights. It may have an effect on the privacy and security policies of tech firms in India. Users may not only pose charges based on misconduct but may also invoke their constitutional right to privacy.

But the problem arises as to:

  1. What is the essence of the data covered by the Indian legislature?
  2. Who would retrieve the personal data?
  3. To what extent personal data can be shared with third parties?
  4. Personal data can be stored for what length?
  5. What are the responsibilities of employers concerning the personal data obtained by their employees?

It is obvious from above that the need for an hour is detailed legislation governing the collection and distribution of personal data. No detailed regulations are regulating the processing of personal data which are not per se ‘sensitive personal data or details.’

Critical analysis

In the past decade, the notion of data security has been significant, but India has several decades of privacy jurisprudence. Most of them are focused on privacy as a result of harm caused by data breaches. In 2017 the Supreme Court in Justice K. S. Puttaswamy (Retd.) v Union of India ruled that the Indian Constitution contained a fundamental right to privacy. The jurisprudence changed. When determining the case, although the court has provided a lengthy case law, it has been the absence of a ‘doctrinal formulation’ which may help to establish whether privacy is constitutionally covered that was central to the Court’s opinion’s current case law. Therefore, the jurisprudence of privacy has shifted from being treated as a privilege to be an end in itself. Besides, the judgment also declared information protection to be part of the right to protection. It held that data privacy is a fundamental right. 

The government introduced in December 2019, in Parliament, the Personal Data Security Bill (DPB), to establish the first cross-sectoral data protection legal structure in India. The bill aims to protect the privacy of individuals through a protective mechanism governing the collection and use of information by businesses rather than the protection of the privacy of the information with a view to the potential harm of the violation of that privacy. It focuses in particular on the control of data usage activities. The bill would greatly expand the government’s position in the data economy, dilute data property rights and increase state surveillance powers without providing appropriate checks and balances as the current system is unlikely to adequately protect privacy. The Personal Data Protection Bill, 2019, followed a long line of case law on privacy in India that was influenced by global developments as well as the country’s constitutional jurisprudence. This ambiguity has become necessary due to two factors that have become increasingly relevant: (1) strident claims of loss of privacy following the implementation of the government’s Unique Biometric Identification Project (Aadhaar) and (2) simultaneous global developments. 

At the same time in 2013 in a new law, the General Data Protection Regulation ( GDPR) the European Union (EU) agreed to harmonize and reform its previous database protection structure. The earlier framework was based on the European Data Protection Directive of 1995 on the protection of personal data. It was felt that this regulatory framework would lead to a fragmented data protection framework within the EU. The GDPR underwent extensive rounds of consultations and finally came into force in 2018. This effort to create a comprehensive EU data protection regulation has had an impact on the debate in India. In July 2017, the Government formed a Committee to review and draft legislation on data protection issues in response to calls for substantive data protection legislation. 

A study on the legislative structure for data security as well as a draft Personal Data Protection Bill (2018), was published in the Committee, chaired by Justice B.N. Srikrishna. This draft proposal is primarily based on the existing privacy protection framework in other jurisdictions, including the GDPR and APEC. Overall this concept will allow the Indian economy to take advantage of advances in the processing of personal data within a more precise and realistic framework for protecting personal data. A proactive approach to data protection is important. The bill significantly enhances the state without properly protecting privacy in characterizing privacy as the target rather than as a way of protecting other essential social ends that are unique to India’s political economy. 

A more detailed and realistic regulatory system can be established only through a realistic cost and benefit evaluation for India. In India, data protection regulations are urgently needed, and even if a bit flawed, they are better than no data protection regulations. This bill is a positive initial step towards having specific regulatory principles and, ideally, comprehensive laws and regulations will continue to be well balanced, as has been the case with car safety standards since the early 19th century. The principles of data protection regulations in the EU, California, Canada, and India would be similar if DPB became effective. A company that learns to meet one jurisdiction’s regulations can easily comply with another’s regulations. Similar to ISO 9000, uniform standards would foster international trade. For citizens, nations, and multinationals, an orderly digital market would be a win-win.


  1. Data can not be collected and stored without consent: Companies that violate this principle would also breach Indian constitutional rules on informational privacy, as well as the property rights of users. Around the same time, consenting persons must be able to take responsibility for their decision. Data owners will be held responsible for the damage of the sort mentioned above. However, they should not be forced to take preventive measures against any possible misuse of data. The regulation would tackle market deficiencies broadly. Redirecting to a broadly focused approach would entail a move away from responsibilities such as privacy by design and recruitment of data protection officers.
  2. The remaining preventive regulatory responsibilities will be stratified based on an assessment of their costs and benefits: Obligations for firms that do not process data intensively or that do not process sensitive personal data should be reduced in a manner that is commensurate with the risks of their activities. One such reduction could be to eliminate the requirement that companies have to process data manually to make use of the exemptions.
  3. Legislative uncertainty must be decreased: The ambiguity of the bill must be minimized to improve business certainty. There are currently three major problems in the bill that may lead to considerable regulatory confusion. Second, there is a lack of a sufficiently consistent description of sensitive personal data. Second, it does not define conditions for the acceptance of cross-border data transfers. Second, it grants the government the power to allow the exchange of non-personal data without any restriction on the use of that power or the payment of compensation.
  4. It should be balanced with adequate provisions specified in the legislation itself that the government has the right to exonerate any government entity from the demands of the bills. The government should not be given the power to decide which agencies are exempted and the power to decide which safeguards would apply to those agencies.
  5. Data should be handled equally and lawfully.
  6. A highly consultative decision-making mechanism should follow the data protection authority and Government. In this case, this is significantly more relevant than for other regulators due to the applicability of the bill’s cross-sectoral regulations.

Landmark judgments

The Hon’ble Supreme Court considered first in the matter of M.P. Sharma and Ors. V Satish Chandra, whether the right to privacy is a fundamental right, wherein a search and seizure warrant was issued under Sections 94 and 96(1) of the Code of Criminal Procedure. The Hon’ble Supreme Court held that the power of search and seizure did not contravene any constitutional provision. Besides, the Hon’ble Supreme Court refrained from recognizing the right to privacy as a fundamental right guaranteed by the Constitution of India by observing that a  search and seizure power is an overarching State’s social security power, and it is necessarily regulated by law, in all systems of jurisprudence. When the constitution-makers have thought it appropriate not to subject such a regulation to constitutional restrictions by recognizing a fundamental right to privacy, which is analogous to the fourth amendment, we have no justification for importing it into a completely different fundamental right, through some difficult process of construction. It is not valid to presume that the legislative requirement for searches will breach constitutional rights under Article 20(3). It is not valid.

Subsequently, in the case of Kharak Singh v State of Uttar Pradesh and Ors, the case considered by the Hon’ble Supreme Court was whether surveillance of the accused by night home visits would constitute an abuse of the right guaranteed under Article 21 of the Constitution of India, thus raising the question as to whether Article 21 included the right to privacy. The Hon’ble Supreme Court held that such supervision was, in fact, contrary to Article 21. 

Moreover, the majority of judges held that Article 21 does not expressly provide for a provision on privacy and therefore the right to privacy could not be interpreted as a fundamental right. The Hon’ble Supreme Court has observed that having regard to our best consideration of the matter, we are clearly of the opinion that the freedom guaranteed by Article 19(1)(d) is not infringed by surveillance of the movements of the suspect. Nor do we consider that Article 21 has any relevance in the context of the case, as suggested by the learned counsel for the petitioner. As noted, the privacy right is not the right enshrined in our Constitution and therefore a violation of a fundamental right, guaranteed under Part III, does not constitute an effort to evaluate individual movements in the manner in which privacy is being invaded.

Nevertheless, Hon’ble Mr. Justice Subba Rao’s minority opinion acknowledged privacy as an essential aspect of the rights of the citizen in the case of A.K. Gopalan vs The State Of Madras, thus observing the following as follows: It is described as freedom relating to or relating to, a person or the body of the individual; and, in this sense, personal liberty is the antithesis of physical restraint or coercion. The expression is wide enough to take the right to be free from restrictions on its movements. The term “coercion” in the modern age can not be interpreted in a narrow sense. Indeed, our Constitution does not expressly declare the right to privacy a fundamental right, but that right is an essential ingredient of personal liberty. Therefore we would see the right of personal freedom in Article 21 as an individual’s right, whether it be imposed directly or indirectly by calculated measures, to be free from constraints or interference with his person.

Subsequently, in the case of Gobind v State of M.P questioned the police’s right to carry out home surveillance to violate the right to privacy as enshrined in Article 21 of the Indian Constitution. The Hon’ble Supreme Court held that police legislation was not following the essence of personal freedom and also accepted the rights to privacy as a fundamental right guaranteed by India’s Constitution, but favored and denied the evolution of the right to privacy on a case-by-case basis. The Supreme Court of Hon’ble stated that A case-by-case implementation process would in any case inevitably entail the right to privacy. Therefore we do not find the right to be absolute, even if the right to personal freedom, the right to travel freely on India’s territory, and freedom of speech create an indépendant right to privacy as an emanation from these rights, which one can define as a basic right.

In the case of People’s Union for Civil Liberties (PUCL) v Union of India, the Hon’ble Supreme Court held that they have no reservation in upholding, under Article 21 of the Constitution, the right to privacy is part of the right to “living” and “personal freedom.” When facts constitute a right to privacy in a particular case, Article 21 will be drawn. Such a right can only be extended “except a legal procedure.”

In the landmark judgment of Justice K.S.Puttaswamy(Retd) Vs.  Union Of India, the ‘Aadhaar Card Scheme’ was challenged in this case on the basis that it violates a constitutional right to privacy enshrined in Article 21 of the India Constitution to collect and collect demographic and biometric data on the country’s citizens for various purposes. The judgment notes that private life will form an integral part of Part III of the Indian Constitution, which recognizes citizens’ fundamental rights. 

The Supreme Court has also said that the state should balance the protection of personal data and the legitimate purpose with care, at any expense, because fundamental rights can not be granted or revoked by law and the constitution must be complied with by all laws and acts. The Court also claimed that the right to privacy is not an absolute right and any violation by the State or the non-governmental agent of privacy must comply with the threefold test i.e. the presence of a  valid objective, uniformity, and legal status. The decision that was adopted by all nine judges in this judgment was:

  • The decision not to protect the right to privacy under the Indian Constitution is overruled as mentioned under the case of  M.P. Sharma V. Satish Chandra ; 
  • The decision in Kharak Singh V. State of UP to the extent that it considers that the right to privacy is not protected by the Constitution is also overruled;
  • Under Article 21 of the Indian constitution, the right to privacy is guaranteed as an intrinsic part of the right to life and personal freedom and as part of the freedoms enshrined in Part III of the Constitution.


Data protection is a fundamental human right and computer systems contain large amounts of sensitive data. The information technology legislation defines the responsibilities for the non-authorized access to computers, computer systems, computer networks/resources or unauthorized alteration, deletion, addition, modification, destruction, duplication or transmission of data, etc. for data breaches and privacy. Chapters IX and XI of this Act define the liability. 

Data protection could include financial information, health data, business proposals, intellectual property, and sensitive information. Today, however, any information relating to anyone from anywhere can always be accessed, but this represents a new threat to privacy and secrecy. Globalization has made technology worldwide acceptable. Different countries have implemented different legal frameworks according to the growing requirements, such as the DPA (Data Protection Act) 1998 UK, ECPA (Data Protection Act (1986) US, etc. The constitution recognizes the right to privacy, but it is entirely at the mercy of the justice system to grow and develop. In the connected world, if somebody is committed to putting it out without extremely repressive methods, it is very difficult to prevent information from escaping into the public domain. The Information Technology (Amendment ) Act 2008 addresses data protection and privacy, but not in full. The IT Act needs to lay down specific standards for the methods and the purpose of assimilating privacy and personal information. In conclusion, the IT Act is confronted with the issue of data protection and separate legislation is essential for the protection of personal data, striking an effectively balanced relationship between personal freedoms and privacy.


LawSikho has created a telegram group for exchanging legal knowledge, referrals and various opportunities. You can click on this link and join:

Follow us on Instagram and subscribe to our YouTube channel for more amazing legal content.


Please enter your comment!
Please enter your name here