Data Protection- Position in India

Prof. Yuvraj Patil

 Introduction

 Data Protection is not a subject in any of the three list in

Schedule VII of the constitution of India.
 But Entry 97 of List 1 states: “ any other matter not
enumerated in List II & List III..”
 Data Protection a Central Subject.
 Data protection Law in India is very scattered & found
under the provisions of different statutes.
 1. Constitution of India, 1950

1. Art 19 (1) (a)” Freedom of Speech & Expression”

Restrictions- the right to privacy is limited against
defamation, decency or morality.
2. Art .21- “No person shall be deprived of his life or
personal liberty except according to procedures
established by law”
Cont..

State v. Charulata Joshi

(1999) 4 SCC 65
The SC held that: “ The constitutional right to freedom of
speech & expression conferred by Article 19(1) (a) of the
constitution which includes the freedom of the press is not
an absolute right. The press must first obtain the
willingness of the person sought to be interviews & no
court can pass any order if the person to be interviewed
expresses his willingness”
Cont..
R. Rajgopal V. State of Tamil Nadu
AIR 1995 SC 264
 A citizen has a right to safeguard the privacy of his own,
his family, marriage, procreation, motherhood, child
bearing & education among other matters.
 None can publish anything concerning the above matter
without his consent- whether truthful or otherwise &
whether laudatory or critical.
Cont..

 The rule aforesaid is subject to the exception, once a

matter becomes a matter of public record, the right to
privacy no longer subsists.
Cont…
Mr. ‘X’ v. Hospital ‘Z’
(1998) 8 SCC 296
Right of privacy may, apart from contract, also arise out
of a particular specific relationship, which may be
commercial, matrimonial or even political. Doctor- patient
relationship, though basically commercial, is
professionally, a matter of confidence &, therefore,
doctors are morally & ethically bound to maintain
confidentiality. In such a situation, public disclosure of
even true private facts may amount to an invasion of the
right of privacy which may sometimes lead to be
informed.
2. Law of Contract: Indian Contract Act, 1872

 Contract Law – useful means to protect their information.

 ‘Confidentiality & privacy clauses’
 3. Indian Penal Code.

 The IPC provides for punishment for “criminal Breach of

Trust” & Cheating & dishonestly inducing delivery of
property.
 Section 405. Criminal breach of trust
 Whoever, entrusted with property, or with any dominion
over property,-
A) dishonestly misappropriates or converts to his own
use that property, or
Cont..

B) dishonestly uses or disposes of that property in violation of any

direction of law prescribing the mode in which such trust is to be
discharged, or of any legal contract, express or implied, which he has
made touching the discharge of such trust, or willfully suffers any
other person so to do, commits "criminal breach of trust".
Illustration
A is a warehouse-keeper. Z going on a Journey, entrusts his furniture to
A, under a contract that it shall be returned on payment of a stipulated
sum for warehouse room. A dishonestly sells the goods. A has
committed criminal breach of trust.
Cont..

 Section 406. Punishment for criminal breach of trust

Whoever commits criminal breach of trust shall be

punished with imprisonment of either description for a
term which may extend to three years, or with fine, or
with both.
 4. The Public Financial Institution, 1993

 This Act codifies India’s tradition of maintaining

confidentiality in bank transactions.
 In India the Bankers have an obligation to maintain
secrecy of account.
 Transport Corporation Ltd. V. State Bank of India
AIR 1992 Ker. 351,
It was held that among duties of the banker towards the
customer is the duty of secrecy, which arises out of the
banker customer relationship.
 5. The Indian Telegraph Act

 Wiretapping is regulated under the telegraph Act, 1995.

due to numerous phone tap scandals,
 The SC in PUCL vs. The UoI & others, defined wiretaps,
as “serious invasion of an individual’s privacy". except on
the occurrence of any public emergency or public
Interest.
 6. Information Technology Act

1. Section 43A: Compensation for failure to protect data.

Where a body corporate, possessing, dealing or handling

any sensitive personal data or information in a computer
resource which it owns, controls or operates, is negligent
in implementing and maintaining reasonable security
practices and procedures and thereby causes wrongful
loss or wrongful gain to any person, such body corporate
shall be liable to pay damages by way of compensation, ,
to the person so affected.
Cont..

2) Sec. 66E: Punishment for violation of privacy.

Whoever, intentionally or knowingly
a. captures,
b. publishes or
c. transmits the image of a private area of any person
without his or her consent, under circumstances violating
the privacy of that person, shall be punished with 
imprisonment which may extend to three years or with
fine not exceeding two lakh rupees, or with both
Cont..

3) Section 67C: Preservation and retention of

information by intermediaries.
(1) Intermediary shall preserve and retain such
information as may be specified for such duration and in
such manner and format as the Central Government may
prescribe.
(2) Any intermediary who intentionally or knowingly
contravenes the provisions of sub section (1) shall be
punished with an imprisonment for a term which may
extend to three years and shall also be liable to fine.
Cont..

4) Sec. 72 A: disclosure of information in breach of lawful

contract.-
Save as otherwise provided in this Act or any other law for the time being
in force, any person including an intermediary who, while providing
services under the terms of lawful contract, has secured access to any
material containing personal information about another person, with the
intent to cause or knowing that he is likely to cause wrongful loss or
wrongful gain discloses, without the consent of the person concerned,
or in breach of a lawful contract, such  material to any other person shall
be punished with imprisonment for a term which may extend to  three
years, or with a fine which may extend to five lakh rupees, or with both.
Master Circular on Credit Card operations - 2009:

Protection of customer rights

 -Right to privacy
 -customer confidentiality
 Card issuing bank to maintain a Do Not Call Registry
(DNCR) of customers as well as non-customers
 BPO Policies: BS7799 & ISO17799

 Even though the government has delayed the implementation of a

legal framework for prosecution of data & privacy breaches, Indian
BPO companies have implemented processes such as the BS7799 &
the ISO17799 standards for information security management, which
restrict the quality of data that can be made available to employees of
BPO & call centres.
 ISO 17799-
Initially developed from BS7799-1, ISO 17799 is an international
standard that sets out the requirements of good practice for
Information Security Management
Cont..

 NASSCOM (National Association of Software and Servicing

Companies )
-NASSCOM was set up in 1988, at Mumbai to facilitate business and
trade in software and services and to encourage advancement of
research in software technology.
- It is a not-for-profit organization, registered under the Indian
Societies Act, 1860.

- headquartered in New Delhi.

Cont..

- NASSCOM is a global trade body with more than 1200

members, which include both Indian and multinational
companies that have a presence in India.
- NASSCOM is the premier trade body and the chamber of
commerce of the IT-BPO industries in India.
NASSCOM FORUMS

 Data Security Council of India (DSCI)

DSCI is a not-for-profit organization, established with the key
objective of building a credible and committed body to uphold a high
level of data privacy and security standards.
The Personal Data Protection Bill, 2006: Pending

- Upon the footprints of the foreign Laws, this bill has been
introduced in the Rajya Sabha on December 8th 2006.
- The purpose of this bill is to provide protection of
personal Data & information of an Individual Collected
for a particular purpose by one organization, & to prevent
its usage by other organization for commercial or other
purposes & entitle any individual to claim compensation,
 Conclusion

The need for a law on data protection is paramount if India

is to sustain investor confidence, especially among foreign
entities that send large amounts of data to India for back-
office operations. Data protection is essential for
outsourcing arrangements that entrust an Indian company
with a foreign company’s confidential data or trade
secrets, and/or customers’ confidential and personal data.