The Supreme Court of India in Kharak Singh v. State
of U.P. (AIR 1963 SC 1295) recognised the Right to Privacy as an
integral part of the Right to Life and Personal Liberty which is a
fundamental right guaranteed to every individual.
In the case of R. Rajgopal v. State of Tamil Nadu
(1994 (6) SCC 632) the Supreme Court laid down that personal
information, whether truthful or otherwise and whether laudatory or
critical, may not be published without consent unless it is part of
public records.
Similarly, Section 21 of the Juvenile Justice Act,
2000 prohibits the publication of names and other particulars of
children which may lead to identification of the child involved in
proceedings under the Act.
The cyber law of India, incorporated in the
Information Technology Act, 2000 (IT Act 2000), contains few
provisions regarding data protection and privacy. The Act
defines Data as any information, knowledge, facts, concepts or
instructions being processed (or intended to be processed) in a
computer system or network. The disclosure of personal data is
prohibited and there are stringent provisions for protection of
sensitive personal data.
The IT Act 2000 was amended by the Information
Technology Amendment Act 2008 (IT Act 2008). The IT Act 2008
introduced Section 72A that confers protection against disclosure of
personal information in breach of a lawful contract.
Section 72A mandates that if any person or
intermediary has become privy to any personal information of another,
while providing services under the terms of a lawful contract, any
disclosure of such information to a third party, without the consent
of the person concerned and with the intention to cause or with
knowledge that he is likely to cause wrongful loss or wrongful gain,
or in breach of the contract, is punishable with up to three years'
imprisonment or a fine of up to five lakh rupees or both. The term
“intermediary” means a person who on behalf of another person
receives, stores or transmits that record or provides any service
with respect to that record.
Further, Section 43A of the IT Act 2000 provides for
compensation by way of damages in case a body corporate handling any
sensitive personal data or information in a computer resource is
negligent in implementing and maintaining reasonable security
practices and procedures and thereby causes wrongful loss or wrongful
gain to any person.
Reasonable security practices and procedures have
been defined in the Section as those which are designed to protect
such information from unauthorised access, damage, use, modification,
disclosure or impairment.
In April 2011, the Information Technology
(Reasonable Security Practices and Procedures and Sensitive Personal
Data or Information) Rules 2011 were notified. These new rules
regulate the collection, disclosure, transfer and storage of
sensitive personal data and widen the scope of the regulation
provided in Section 43A.
Sensitive personal data is defined under the Rules
as information relating to a data subject’s:
(i) Password;
(ii) Financial information such as Bank account or
credit card or debit card or other payment instrument details;
(iii) Physical, physiological and mental health condition;
(iv) Sexual orientation;
(v) Medical records and history;
(vi) Biometric information;
(vii) Any detail relating to the above clauses as
provided to body corporate for providing service; and
(viii) Any of the information received under above
clauses by body corporate for processing, stored or processed under
lawful contract or otherwise.
Information that is freely available or accessible
in the public domain, or furnished under the Right to Information Act
2005 or any other law in force, is not regarded as sensitive personal
data.
With regard to consent, the said Rules provide that
consent regarding the purpose of usage has to be obtained from the
provider of sensitive personal data in writing, through letter, fax
or email, before collection of such data. The information is
to be collected for a lawful purpose and only where it is necessary
to do so.
Privacy-related provisions are also incorporated in
other Indian statutes. These include the Indian Telegraph Act,
1885, Indian Contract Act, 1872, Specific Relief Act, 1963, Public
Financial Institution Act, 1983, Consumer Protection Act, 1986,
Credit Information Companies (Regulations) Act, 2005, etc. We will
discuss this issue further in our subsequent posts.