We have no dedicated statutory or constitutional privacy laws in India. However, the Supreme Court of India has interpreted Article 21 of the Indian Constitution as the source of the constitutional right to privacy in India. For some strange reason, privacy rights and laws in India have always been ignored by the Indian government. Even the proposed draft Right to Privacy Bill 2011 of India has remained just another assurance till now.
Similar is the case regarding data protection laws in India. Till now we have no dedicated data protection laws in India. Clearly, data protection laws in India and privacy rights in India are urgently required to be formulated. The Indian government must pay urgent attention to privacy rights, privacy laws and data protection laws in India.
The Supreme Court of India in Kharak Singh v. State of U.P. (AIR 1963 SC 1295) recognised the Right to Privacy as an integral part of the Right to Life and Personal Liberty which is a fundamental right guaranteed to every individual.
In the case of R. Rajgopal v. State of Tamil Nadu (1994 (6) SCC 632), the Supreme Court laid down that personal information may not be published without consent, whether truthful or otherwise and whether laudatory or critical, unless it is part of public records.
Similarly, Section 21 of the Juvenile Justice Act, 2000 prohibits the publication of names and other particulars of children which may lead to identification of the child involved in proceedings under the Act.
The cyber law of India incorporated in the Information Technology Act, 2000 (IT Act 2000) provides a few provisions regarding data protection and privacy aspects. The Act defines Data as any information, knowledge, facts, concepts or instructions being processed (or intended to be processed) in a computer system or network. The disclosure of personal data is prohibited and there are stringent provisions for protection of sensitive personal data.
The IT Act 2000 was amended by the Information Technology Amendment Act 2008 (IT Act 2008). The IT Act 2008 introduced Section 72A that confers protection against disclosure of personal information in breach of a lawful contract.
Section 72A mandates that if any person or intermediary has become privy to any personal information of another, while providing services under the terms of a lawful contract, any disclosure of such information to a third party, without the consent of the person concerned and with the intention to cause or with knowledge that he is likely to cause wrongful loss or wrongful gain, or in breach of the contract, is punishable with up to three years imprisonment or fine up to five lakh rupees or both. The term “intermediary” means a person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record.
Further, section 43A of the IT Act 2000 provides for compensation by way of damages in case a body corporate handling any sensitive personal data or information in a computer resource is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person.
Reasonable security practices and procedures have been defined in the Section as those which are designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment.
In April 2011, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 were notified. These new rules regulate the collection, disclosure, transfer and storage of sensitive personal data and widen the scope of the regulation provided in Section 43A.
Sensitive personal data is defined under the Rules as information relating to a data subject’s:
(ii) Financial information such as Bank account or credit card or debit card or other payment instrument details;
(iii) Physical, physiological and mental health condition;
(iv) Sexual orientation;
(v) Medical records and history;
(vi) Biometric information;
(vii) Any detail relating to the above clauses as provided to body corporate for providing service; and
(viii) Any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.
Information that is freely available or accessible in the public domain, or furnished under the Right to Information Act 2005 or any other law in force, is not regarded as sensitive personal data.
With regard to consent, the said rules provide that the consent has to be obtained from the provider of sensitive personal data in writing through letter, fax or email regarding purpose of usage before collection of such data. The information is to be collected for a lawful purpose and only where it is necessary to do so.
Privacy related provisions are also incorporated in other Indian statutes. These include the Indian Telegraph Act, 1885, Indian Contract Act, 1872, Specific Relief Act, 1963, Public Financial Institution Act, 1983, Consumer Protection Act, 1986, Credit Information Companies (Regulations) Act, 2005, etc. We will discuss this issue more in our subsequent posts.