The Data Protection Regime in India

Information from individuals is often described as the fuel that will power the new digital economy. India has around 560 million internet users and is the second largest online market in the world. As internet penetration has increased, debates around data theft and privacy have come to the forefront, and data protection has become a national priority.

Data protection refers to the set of privacy laws, policies and procedures that aim to minimise intrusion into a person’s privacy caused by the collection, storage and dissemination of personal data. Personal data generally means information that relates to a person who can be identified from it, whether it is collected by a Government body, a private organization or an agency. Such data is at constant risk of breach, leakage and misuse, with consequences ranging from identity theft, extortion, harassment and financial fraud to customer loss, brand damage, lawsuits and fines.

The Constitution of India does not expressly grant a fundamental right to privacy. The Supreme Court of India elevated the “right to privacy” to the status of a fundamental right under Articles 14, 19 and 21 of the Constitution, as part of the right to “life” and “personal liberty”, when it delivered its landmark judgment in Justice KS Puttaswamy (retd) & Anr v Union of India and Ors[1] on 24 August 2017. In this judgment the court recognized “informational privacy” as a facet of the right to privacy, and stated that every person should have the right to control the commercial use of his or her identity and that the “right of individuals to exclusively commercially exploit their identity and personal information, to control the information that is available about them on the internet and to disseminate certain personal information for limited purposes alone” emanates from this right.

Data protection regime in India

India presently does not have any express legislation governing data protection or privacy. Existing privacy obligations are contained in the Information Technology Act, 2000 and the Indian Contract Act, 1872. A codified law on data protection is likely to be introduced in the near future.

The Information Technology Act, 2000 deals with sensitive personal data or information, including financial, physical, health and biometric information. The Act prescribes civil and criminal sanctions for non-compliance with privacy obligations. Some remedies exist against the entity that processes the data: Section 43A makes a body corporate that is negligent in implementing reasonable security practices liable to pay compensation to the person affected, and Section 72A punishes the disclosure of personal information in breach of a lawful contract or without the consent of the person concerned. However, there is no clear-cut notion of where the buck stops within that entity, and there have not been any cases awarding compensation under these provisions so far.

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 deal with the collection and disclosure of sensitive personal data or information. Under these Rules a body corporate must publish a privacy policy, obtain prior consent before collecting sensitive personal data, collect and use such data only for a lawful purpose connected with its functions and only where necessary, and not transfer it to another entity unless that entity ensures the same level of protection. Rule 8 defines “reasonable security practices” by reference to a documented information security programme, naming IS/ISO/IEC 27001 as an acceptable standard, so the documentation an organization maintains is what its negligence will be judged against. A breach of these obligations therefore exposes a private entity to civil (tortious) remedies for any breach of sensitive personal data.

India is one of the latest entrants in the data protection arena with the Personal Data Protection (PDP) Bill, 2019, which was approved by the Union Cabinet, introduced in the Lok Sabha in December 2019 and referred to a Joint Parliamentary Committee; it has not yet been enacted. The PDP Bill proposes a legal framework to provide for data autonomy, regulate the flow of data, establish the rights of the individuals whose data is processed (called “data principals” in the Bill), lay down a framework for the processing of data, establish a Data Protection Authority, provide remedies and penalties for the violation or unauthorized processing or use of data, and impose strict restrictions on the cross-border transfer of data.

The PDP Bill is largely modelled on the EU’s General Data Protection Regulation (GDPR), which became applicable on 25 May 2018, with one significant difference being the requirement for localization of data. Before the GDPR, transfers of personal data from the EU to the US rested on two frameworks, Safe Harbour and its successor Privacy Shield; these were not laws but European Commission decisions recognising the US schemes as adequate. The Safe Harbour Privacy Principles were negotiated between 1998 and 2000 and were designed to ensure that data transfers between the EU and the US complied with the Data Protection Directive of 1995 (Directive 95/46/EC). After fifteen years in operation, the Court of Justice of the European Union (CJEU) invalidated the Commission’s Safe Harbour decision on 6 October 2015 (Schrems I). Privacy Shield replaced it in 2016 and continued to operate under the GDPR, but was itself invalidated by the CJEU on 16 July 2020 (Schrems II).

The General Data Protection Regulation (GDPR) is a regulation of the European Union that protects natural persons (i.e. data subjects) with regard to the processing and free movement of their personal data. It lays down strict norms on how personal information must be handled and processed. Although it is EU law, its reach is extraterritorial: under Article 3 it applies not only to organizations established in the EU but also to organizations anywhere in the world that offer goods or services to, or monitor the behaviour of, individuals in the EU.

Europe is a substantial marketplace for the Indian ITeS, BPO and pharmaceutical industries. The size of the IT industry in the two largest EU member states (Germany and France) is estimated at around 155–220 billion USD. For the Indian IT industry to keep doing business in Europe it therefore needs to comply with the GDPR, and the PDP Bill closely parallels it. The PDP Bill is India’s first attempt to legislate domestically the mechanisms for the protection of personal data, and it aims to set up a Data Protection Authority in the country. Through the proposed law the Government of India is also pursuing data sovereignty by mandating that certain classes of data be stored within Indian borders.

Penalties for Data Breach and Damages

India was the second most affected country by cyber-attacks between 2016 and 2018, according to a Data Security Council of India (DSCI) report. The IT Act, the 2011 Rules and the PDP Bill all provide penalties for data breach. However, none of them provides for vicarious liability of the employer arising out of an act or breach committed by an employee. The courts therefore fall back on the general principles of tort law on vicarious liability when fixing accountability for a breach: the act committed by the employee must fall within the scope of employment, be duly authorized by the employer and be done in the course of employment. The key determinant in assessing liability is whether sufficient and reasonable safety measures had been put in place before the data breach.

The PDP Bill requires data fiduciaries to obtain explicit consent before processing sensitive personal data or transferring it outside India. It proposes penalties for companies that fail to undertake a data protection impact assessment, conduct a data audit or appoint a data protection officer; in the Bill as introduced these failures attract a penalty of up to five crore rupees or two per cent of worldwide turnover, whichever is higher, while processing in violation of the Bill’s consent and cross-border transfer provisions attracts up to fifteen crore rupees or four per cent of worldwide turnover. It remains to be seen whether the Joint Parliamentary Committee makes any changes to the penalties stipulated in the Bill.


It is obligatory and timely in the present scenario to assess whether organizations have implemented sufficient safeguards for protecting data. One of the major reasons identified for data breaches is lack of awareness; it is therefore necessary to verify that adequate and reasonable safety measures are in place and that the personnel handling sensitive data are properly trained. A 2018 survey by Ernst & Young, the Global Forensic Data Analytics Survey, revealed that 60% of Indian companies were unaware of data privacy best practices such as the General Data Protection Regulation (GDPR), and only 31% felt that they were GDPR compliant.

The amount of data being transferred and the volume of sensitive personal information being transmitted have increased tremendously under the restrictions imposed by the COVID-19 lockdown, as private sector companies have adapted to a ‘work from home’ model and the courts have moved to e-filing. At this time the notion of informational privacy expressed in the Puttaswamy judgment assumes increased significance.

Justice RF Nariman described informational privacy as the facet of privacy “which does not deal with a person’s body but deals with a person’s mind, and therefore recognizes that an individual may have control over the dissemination of material that is personal to him”. In the same judgment, Justice Dr DY Chandrachud held that “informational privacy is a facet of the right to privacy” and that the “dangers to privacy in an age of information can originate not only from the state but from non-state actors as well”.

In practical terms, the biggest hurdle for India is to have its framework of domestic data protection law officially adjudged and publicly perceived as adequate, in particular by obtaining an adequacy decision from the European Commission under Article 45 of the GDPR; without one, transfers from the EU to India must rely on other safeguards such as standard contractual clauses under Article 46. Whatever the outcome, all organizations will need to draw up a roadmap towards higher data privacy standards.

[1] (2017) 10 SCC 1


Deeksha Shukla


Deeksha Shukla is a third-year law student at University of Allahabad, Faculty of Law. Setting higher data privacy standards in India is what she believes in. Writing well researched and articulated legal blogs in a straightforward and sophisticated manner is her contribution to ‘Data Protection Regime in India’. Apart from legal writing, she does sketching and writes poems.

One response to “The Data Protection Regime in India”

  1. Excellent article Deeksha. Keep it up.

