The Data Protection Regime in India


Personal information is often described as the fuel that will power the new digital economy. India has about 560 million internet users and is the second largest online market in the world. As internet penetration has grown, debates around data theft and privacy have come to the forefront, and data protection has become a national priority.

Data protection refers to the set of privacy laws, policies and procedures that aim to minimize intrusion into a person's privacy caused by the collection, storage and dissemination of personal data. Personal data generally refers to information that relates to a person who can be identified from that information, whether it is collected by a Government body, a private organization or an agency. Such data is at constant risk of breach, leakage and misuse, with consequences in the form of identity theft, extortion and harassment, financial fraud, customer loss, brand damage, and even lawsuits and fines.

The Constitution of India does not expressly grant a fundamental right to privacy. The Supreme Court of India elevated the "right to privacy" to the status of a fundamental right under Articles 14, 19 and 21 of the Constitution, as part of the right to "life" and "personal liberty", when it delivered its landmark judgment in Justice KS Puttaswamy (retd) & Anr v Union of India and Ors[1] on 24 August 2017. In this judgment, the court recognized "informational privacy" as a facet of the right to privacy and stated that every person should have the right to control commercial use of his or her identity, and that the "right of individuals to exclusively commercially exploit their identity and personal information, to control the information that is available about them on the internet and to disseminate certain personal information for limited purposes alone" emanates from this right.

Data protection regime in India

India presently does not have any dedicated legislation governing data protection or privacy. Existing privacy obligations are contained in the Information Technology Act, 2000 and, as between contracting parties, the Indian Contract Act, 1872. A codified law on data protection is likely to be enacted in India in the near future.

The Information Technology Act, 2000 deals with sensitive personal data or information, including financial, physical, health and biometric information. The Act prescribes civil and criminal sanctions for non-compliance with privacy obligations. Remedies exist against the entity processing the data for a breach of data held in its computer systems: Section 43-A provides for compensation where a body corporate is negligent in implementing reasonable security practices and thereby causes wrongful loss or gain, and Section 72-A prescribes punishment for disclosure of personal information in breach of a lawful contract. However, neither provision makes clear where accountability sits within the entity, and no compensation has been awarded under them so far.

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 deal with the collection and disclosure of sensitive personal data or information. Under these Rules, a body corporate is required to publish a privacy policy, obtain prior consent for the collection of sensitive personal data, restrict its use to lawful and necessary purposes, and refrain from transferring it except as permitted. A private entity that breaches these obligations in relation to sensitive personal data is therefore exposed to civil liability.

India is one of the latest entrants in the data protection arena with the Personal Data Protection (PDP) Bill, 2019, which has already been approved by the Union Cabinet of the Government of India. The PDP Bill is largely modelled on the EU's General Data Protection Regulation (GDPR), which became applicable in May 2018, with one significant difference being the requirement to localize data. The digital economy in India is expected to reach a valuation of $1 trillion by 2022, which will attract numerous global players who must comply with this law.

The Personal Data Protection Bill, 2019 (PDP Bill) is yet to be passed by the Lok Sabha. It will be India's first law dedicated to the protection of personal data and will repeal Section 43-A of the IT Act. The PDP Bill proposes a legal framework that provides for data autonomy, regulates the flow of data, establishes the rights of data principals (the individuals whose data is processed), lays down a framework for the processing of data, sets up a Data Protection Authority, provides remedies and penalties for violations and for unauthorized processing or use of data, and imposes strict restrictions on the cross-border transfer of data.

A recent judgment of the Supreme Court of the United Kingdom in WM Morrison Supermarkets PLC v. Various Claimants[2] held that the employer was not vicariously liable for a data breach committed by an employee who, pursuing a personal grudge, copied payroll data of fellow employees and disclosed it online, because that act was not sufficiently closely connected with the duties he was employed to perform. The judgment does not say that vicarious liability can never arise from a data breach; it confirms that the ordinary "close connection" test applies, and that an employee acting for his own personal motives, outside the field of activities assigned to him, is on a frolic of his own. It also confirms that an employer which has complied with its own obligations as a data controller is not, on that account alone, answerable for such acts of its employees.

It is entirely likely that Indian courts, once the PDP Bill is enacted, will follow the reasoning of the Supreme Court of the United Kingdom.

In the Puttaswamy case[3], the Supreme Court of India affirmed that the right to privacy is a constitutional right. This was the first time the Supreme Court expressly recognized the right of individuals over their personal data; a party complaining of a breach of privacy by the state can therefore invoke the writ jurisdiction of the Supreme Court or the High Courts (Articles 32 and 226 of the Constitution) to enforce that right.

Penalties for Data Breach and Damages

India was the second most cyber-attack-affected country between 2016 and 2018, according to a recent Data Security Council of India (DSCI) report. The IT Act, the 2011 Rules and the PDP Bill all provide penalties for data breach. However, none of these instruments provides for vicarious liability of the employer for an act or breach committed by an employee. The courts therefore fall back on the general principles of tort law on vicarious liability when fixing accountability for a breach: the act committed by the employee must fall within the scope of the employment, be authorized by the employer and be done in the course of that employment. The key determinant in assessing liability is whether sufficient and reasonable safety measures had been put in place before the data breach.

The PDP Bill requires companies to obtain explicit user consent before processing sensitive personal data or transferring it outside India. Penalties are proposed for companies that fail to undertake a data protection impact assessment, fail to conduct a data audit, or fail to appoint a data protection officer. It remains to be seen whether the parliamentary committee makes any changes to the penalties stipulated in the Bill.


It is therefore necessary and timely to assess whether organizations have implemented sufficient safeguards for protecting data. One of the major causes identified for data breaches is lack of awareness, so it is important to ensure that adequate and reasonable safety measures are in place and that personnel handling sensitive data are properly trained. A 2018 Ernst & Young survey, the Global Forensic Data Analytics Survey, found that 60% of Indian companies were unaware of data privacy best practices such as those under the General Data Protection Regulation (GDPR), and that only 31% considered themselves GDPR compliant.

The volume of data transfers and transmissions of sensitive personal information has increased tremendously under the restrictions imposed by the COVID-19 lockdown, as private sector companies have adopted a "work from home" model and the courts have moved to e-filing. At such a time, the notion of informational privacy expressed in the Puttaswamy judgment assumes increased significance.

Justice RF Nariman described informational privacy as that "which does not deal with a person's body but deals with a person's mind, and therefore recognizes that an individual may have control over the dissemination of material that is personal to him". In the same judgment, Justice Dr DY Chandrachud held that "informational privacy is a facet of the right to privacy" and that the "dangers to privacy in an age of information can originate not only from the state but from non-state actors as well".

In practical terms, the biggest hurdle is for India's framework of domestic data protection laws to be officially adjudged adequate (for instance, by the European Commission for the purposes of cross-border transfers under the GDPR) and publicly perceived as such. Every organization will need to draw up a roadmap towards higher data privacy standards.


[1] (2017) 10 SCC 1

[2] [2020] UKSC 12

[3] (2017) 10 SCC 1
