All you need to know about data privacy laws in India

March 21, 2017

This article on data privacy laws in India is written by Debapriya Majumder, pursuing M.A. in business law from NUJS, Kolkata.

We are living in a time when we are no longer required to stand in long queues in front of banks for banking services and can have any product delivered to our doorstep after placing an online order. This is the boon of information technology. In the last decade, information technology has grown by leaps and bounds. It has had a positive impact on the employment sector, the education sector, the banking sector and the economy, as well as on our day-to-day activities. With the evolution of the internet and its expansion in accessibility, we see a new world where there is better communication, accessibility, knowledge sharing and transparency. But, as it is said, every good has some disadvantage. Our increasing dependency on the internet has increased illegal activities like cyber-crime, data piracy etc.

Data privacy refers to the authority or determination of the information holder as to what extent the data or information shall be made accessible to a third party. The majority of information is sensitive in nature. It includes data of various kinds, such as economic, defense, medical, financial and educational data. Information holders, who are generally organizations, have the major responsibility of protecting the data, as there are chances that if it falls into the wrong hands it might be misused and cause harm to the owner of the information. The harm caused to the owner of the information may range from the leakage of the bank details of an individual to a threat to the security of a nation. This explains the importance of ensuring the privacy of sensitive data or information.

In this era of globalization, data privacy is a concern for various jurisdictions around the world. The United States has drafted its legislation on data privacy sector-wise, or based on the different sections of the population. The legislations majorly drafted are:

In the year 1995, the European Union adopted Directive 95/46/EC for regulating the security of private data. Directives of the EU are like guidelines which pave the way, or show the direction, for the member countries to frame their own law on any particular subject. In an electronic transaction, one provides sensitive details like bank account number, name, address etc. to a third party. Personal data security ensures that these details are gathered under absolute security and for legitimate reasons. When different countries follow a variety of laws on the same subject, it becomes difficult for businesses to comply with them and run their business. Hence, the EU has published directives, so that there is a standardized format for the data privacy laws followed by the member states.

Though proposed in January 2012, the first regulation and directive were published by the EU in the year 2016. The regulation is supposed to be effective from the year 2018. Comparing the data privacy laws of the US and the EU, it can be concluded that in the US the laws are framed keeping in mind the requirements of different sectors of society, while in the EU there has been more emphasis on securing personal data scattered over electronic sources. This is an after-effect of the Second World War.

In India, data privacy is regulated by various legislations like the Constitution of India, the Contracts Act etc.

Under the Constitution of India, data privacy is considered under the right to privacy. There have been several judgments given by the honorable courts considering data privacy under this fundamental right.

Under the Contracts Act, data security is covered by a clause of the contract. When there is a transaction agreement between two or more parties, they include a data privacy clause which mentions how the person shall be compensated if there is any kind of leakage of the data. In addition to the compensation, it also mentions who is responsible, and to what extent, for securing the data, what the enforcement mechanism shall be and what the redressal mechanism shall be.

In the year 2011, the Ministry of Communication and Information Technology published the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, which are currently the guiding law on data privacy in India. A few important points from the Rules are as follows (the content below is as mentioned in the legislation):

  1. Password
  2. Financial information such as Bank account or credit card or debit card or other payment instrument details
  3. Physical, physiological and mental health condition
  4. Sexual orientation
  5. Medical records and history
  6. Biometric information
  7. Any detail relating to the above clauses as provided to body corporate for providing service
  8. Any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise


Further, there are rules like the “Information Technology (Intermediaries guidelines) Rules, 2011” which also provide guidance on securing data privacy in our country.


Cases on Data Privacy in India –


In conclusion, the assurance of data security is a concern for all jurisdictions around the world. Along with other benefits, strengthening the law in this sector shall help in the growth of domestic as well as international business.

