India: Privacy Policy & Policy Of Privacy – Data Protection Conundrums

Last Updated: 6 February 2018
Article by Suneeth Katarki and Ashi Bhat

1. Introduction.

The data protection regime in India is in a state of flux. The year of 2017 has been a humdinger of a year for data privacy laws. On August 24, 2017 the constitutional bench of Supreme Court1 decided that the right to privacy was, after all, a fundamental right.2 The Supreme Court also noted in the matter that "the government has initiated the process of reviewing the entire area of data protection, it would be appropriate to leave the matter for expert determination so that a robust regime for the protection of data is put into place. We expect that the Union government shall follow up on its decision by taking all necessary and proper steps." Following the judgment in re Puttuswamy, the Committee of Experts on a Data Protection Framework for India chaired by Justice B. N. Srikrishna released a white paper on November 27, 2017.3 The Ministry of Electronics & Information Technology (MeitY) issued a press release on December 28, 2017 seeking public comments on the whitepaper by the end of January 31, 2018.

While the country is waiting for the government to issue new laws on data protection and privacy, the popular question right now seems to be what should be included in a privacy policy today.

2. Present position of law.

The extant law on privacy and data protection is very clear. Section 43A of the Information Technology Act, 2000 read with the Information Technology (reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 ("Sensitive Information Rules") requires every business in India, which collects, receives, possesses, stores, transmits, processes or can associate pretty much any other verb with 'personal information' directly under a contractual obligation with the provider of information4, to have a privacy policy5. Such privacy policy must provide the following6:

  1. clear and easily accessible statements of its practices and policies;
  2. type of personal and sensitive personal data or information collected by it;
  3. purpose of collection and usage of such information;
  4. disclosure of information including sensitive personal data or information collected;
  5. reasonable security practices and procedures adopted by it.

The general trend, unfortunately, has been to (i) use the privacy policy and terms of use provided by the website designer as a package, or borrow one from a competitor, or a friend and in one instance a neighbouring aunty's son's good friend, (ii) hide it at the bottom of the website in smallest font possible, and fill it with incomprehensible legalese with mountain-high clauses. Such lack of thought and casual handling has allowed Indian digital land to become lit with data and identity theft issues. The potential for mischief and crime is indeed very ripe.

3. Elements of privacy policy.

Privacy policy is akin to a pre-nuptial agreement. A one-size fits all privacy policy may not be sufficient. A privacy policy should be crafted with purpose and consideration. The essential elements of a privacy policy as per the extant data protection laws of India are as follows:

  1. Consent: The most crucial component of a privacy policy is 'consent'. In this regard the Supreme Court has in re Puttuswamy7 made the following observations:

    "497. It was rightly expressed on behalf of the Petitioners that the technology has made it possible to enter a citizen's house without knocking at his/her door and this is equally possible both by the State and non-State actors. It is an individual's choice as to who enters his house, how he lives and in what relationship. The privacy of the home must protect the family, marriage, procreation and sexual orientation which are all important aspects of dignity. 498. If the individual permits someone to enter the house it does not mean that others can enter the house. The only check and balance is that it should not harm the other individual or affect his or her rights. This applies both to the physical form and to technology."

    No information must be used without the consent of provider of information. Normally organizations will make their privacy policy as comprehensive as possible to avoid liability. The privacy policy will be at the bottom of the website in tiny font. Ordinary presumption is that lengthy privacy policies filled with legal jargon make for a sturdy legal document. Once the user has proceeded to use the platform for its services or solutions, the action of the user is deemed as consent to the privacy policy. However, it is crucial to understand that these types of consent are bereft of two crucial components of the concept of 'consent' – notice and choice.

    Notice: The manner in which the privacy policy is presented to the user, i.e., not only the placement of privacy policy but also being able to reasonably prove that the user has had a chance to read and understand the terms in the privacy policy is a crucial requirement of consent. If the privacy policy is merely provided as a link at the bottom of the platform in small fonts, it may be argued by a user that he was never given any notice regarding the privacy policy. Thus, data controller must ensure that the privacy policy is provided in an easily accessible manner on the platform.

    Choice: The other vital component is choice8. It is not enough that users have been shown to have accepted the privacy policy through a click-wrap mode; they should have the ability to opt-in and/or opt-out of the information sharing requirements of the business. The present laws allow the data controller to withhold the provision of the goods or services for which the information is sought, if the provider of information does not provide or later chooses to withdraw his consent.9 However, if the opt-in opt-out option is not provided to the provider of information in cases where the information has been collected for a specific purpose but is also intended to be used for some other purpose, then there is a risk that the deemed consent of the user to the long-form privacy policy is construed as 'contracts of adhesion'10 and as unconscionable11 by the Indian courts. For example, where a healthcare platform seeks to use the medical information of its users for some other purpose, like suggesting fitness equipment that may be most suitable for the information provider, such information provider should be given two options in the privacy policy – one which allows the platform to use the information being collected for other specifically demarcated purposes, and another which disallows the platform from using the information being collected for other specifically demarcated purposes. By providing these two options the platform has essentially ensured that the consent obtained from the user was informed and proper, and avoids the risk of being construed as a contract of adhesion.
  2. Purpose of information collected12. The privacy policy needs to clearly specify the purpose of collection of the information.13 Only that personal information should be collected from data subjects as is necessary for the purposes identified for such collection, regarding which notice has been provided and consent of the individual taken14. An omnibus purpose which ambiguously refers to future commercial usage may not be favourably viewed by Indian courts, especially if the other elements of the privacy policy have not been met15.

    If there is a change of purpose, this must be notified to the individual. The information collected for a specified purpose cannot be retained for longer than is required for the purposes16. Thus, once the personal information has been used in accordance with the identified purpose it should be destroyed by the data controller. However, the privacy policy should clearly specify the manner in which the personal information is intended to be used.
  3. Disclosure of information. The type of information collected must also be clearly informed to the information provider. Technological advancement is not equivalent to technological literacy. It is not audacious to assume that many internet users are still unaware of the perils of divulging data. Therefore, it is vital that the information provider be informed about the nature of his personal information that is being collected. The data controller must also permit the providers of information, as and when requested by them, to review the information they had provided17. The other side of this aspect is that the data controller must also obtain prior permission if it intends to disclose the collected information to a third party18, except to government agencies mandated under law.
  4. Security practices. The Sensitive Information Rules19 mandate every data controller to have a comprehensively documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of the business. This document is often confused by businesses with their privacy policy, which is not the case. The international standard IS/ISO/IEC 27001 on "Information Technology – Security Techniques – Information Security Management System – Requirements" is one such standard that may be adopted.

4. Conclusion.

"Digitalization has changed society. While data is becoming the 'new oil', data protection is becoming the new 'pollution control'."20 With the increase of digital population in India, online services and businesses are being redefined every micro second. Technology combined with the vast mines of information available online has pushed the boundaries of standard business industries beyond recognizable horizon. Healthcare, finance, fitness and beauty, e-commerce, transportation, software solutions, music, arts, movies, etc., are evolving as an industry on a daily basis. The nature of services being offered by these industries is no longer limited to vanilla sale and purchase or a pure service model. However, nothing is more deleterious to a man's physical happiness and health than a calculated interference with his privacy21.

Considering that the digital population in India has grown substantially, data privacy and data protection are key issues at the moment. Every internet user leaves his/her digital footprints in the form of personal data when browsing the internet. This may range from, knowingly or unwittingly, providing their IP address, name, mobile number to personal and sensitive information like their sexual orientation, medical records, etc. This leaves the internet users vulnerable to crimes like identity theft, breach of privacy and financial crimes.

The pervasive question today is crafting a privacy policy that balances the privacy of the internet user with the burgeoning requirements of the businesses.

Businesses will do well to review their privacy policy to ensure that their notice and consent designs, i.e., their privacy policy and the manner in which the user is expected to consent to the same, have been designed in a manner which can withstand the test of time. Considering that despite certain flaws the mechanism of notice and choice continues to be used widely across many jurisdictions it may serve one well to ensure that their privacy policy and terms of use adapt the notice and choice mechanism.

Terms of use and privacy policy should be treated as an art form, rather than long form, i.e., craft the document carefully customizing it to the needs of the business and the general principles of law.

Footnotes

1. See Justice Puttuswamy v. UOI, Writ Petition (Civil) No. 494 of 2012 decided on August 24, 2017.

2. Previously, in the matter of M.P. Sharma v. Satish Chandra, District Magistrate, Delhi (1954) SCR 1077 and Kharak Singh v. State of Uttar Pradesh (1964) 1 SCR 332 it had been observed that the Indian constitution does not specifically protect the right to privacy. The submissions of the petitioners in Kharak Singh and M. P. Sharma matter were founded on the principles expounded in A. K. Gopalan v. State of Madras, AIR 1950 SC 27 where each provision contained in the chapter on fundamental laws was held to embody a distinct protection. This principle was held not to be good law by an eleven judge bench in Rustom Cavasji Cooper v. UOI (1970) 1 SCC 248.

Also in Maneka Gandhi v. UOI (1978) 1 SCC 248, the minority judgment of Justice Subba Rao in Kharak Singh was specifically approved of and the decision of the majority was overruled. Apart from this there were several matters rendered by benches of smaller strength than those in M.P. Singh and Kharak Singh which affirmed the existence of a constitutionally protected right of privacy. Faced with this predicament and having due regard to the far-reaching questions of importance involving interpretation of the Constitution, it was felt that institutional integrity and judicial discipline would require a reference to a larger Bench. Thus, the matter was referred to a constitutional bench of Supreme Court in re Puttuswamy.

3. See 'White Paper of the Committee of Experts on a Data Protection Framework for India' available at http://meity.gov.in/writereaddata/files/white_paper_on_data_protection_in_india_18122017_final_v2.1.pdf on January 30, 2018. The Whitepaper recognizes in the foreword that the issue of data protection is important both intrinsically and instrumentally. Intrinsically, a regime for data protection is synonymous with protection of informational privacy. Instrumentally, a firm legal framework for data protection is the foundation on which data driven innovation and entrepreneurship can flourish in India. Fostering such innovation and entrepreneurship is essential

4. See Clarification on Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 under Section 43A of the Information Technology Act, 2000 issued vide press note dated August 24, 2011.

5. In 2012, a Group of Experts on Privacy was constituted by the erstwhile Planning Commission under the Chairmanship of Justice AP Shah (Justice AP Shah Committee). The report of the Justice AP Shah Committee recommended a detailed framework that serves as the conceptual foundation for a privacy law in India, considering multiple dimensions of privacy. After a detailed deliberative and consultative exercise, it proposed a set of nine National Privacy Principles to be followed, broadly derived from the OECD Guidelines. The nine principles set out by the Justice AP Shah Committee are as follows: Principle 1: Notice; Principle 2: Choice and Consent; Principle 3: Collection Limitation; Principle 4: Purpose Limitation; Principle 5: Access and Correction; Principle 6: Disclosure of Information; Principle 7: Security; Principle 8: Openness; Principle 9: Accountability. See Report of the Justice AP Shah Committee, 21-27 (October 16, 2012).

6. See Rule 4 of the Sensitive Information Rules.

7. Ibid. See para 477 of the judgement.

8. See Rule 5 (7) of the Sensitive Information Rules. As per this provision, prior to the collection of information including sensitive personal data or information, the data controller must provide an option to the provider of information to not provide the data or information sought to be collected. The provider of information shall, at any time while availing the services or otherwise, also have an option to withdraw its consent given earlier to the data controller.

9. See Rule 5 (7) of the Sensitive Information Rules.

10. The term 'adhesion contract' has been defined under the Black's Law Dictionary as "a standardized contract form offered to consumers of goods and services on essentially 'take it or leave it' basis without affording consumer realistic opportunity to bargain and under such conditions that consumer cannot obtain desired product or services except by acquiescing in form contract. Distinctive feature of adhesion contract is that weaker party has no realistic choice as to its terms. Not every such contract is unconscionable."

11. See LIC of India and Anr. v. Consumer Education & Research center and Ors. AIR 1995 SC 1811; and Rakesh Chand and others v. State of Himachal Pradesh and others, [CWP (T) No. 781/2008, Decided on June 15, 2010]. Also see http://www.mondaq.com/india/x/380692/Contract+Law/Happily+Click+after+The+real+story+of+econtracts.

12. See Rule 5 of the Sensitive Information Rules.

13. In re Puttuswamy, the Supreme Court notes vis-à-vis 'purpose limitation' (which is one of the nine principles proposed by the Group of Experts on Privacy) – "Personal data collected and processed by data controllers should be adequate and relevant to the purposes for which it is processed. A data controller shall collect, process, disclose, make available, or otherwise use personal information only for the purposes as stated in the notice after taking consent of individuals. If there is a change of purpose, this must be notified to the individual. After personal information has been used in accordance with the identified purpose it should be destroyed as per the identified procedures. Data retention mandates by the government should be in compliance with the National Privacy Principles."

14. Rule 5 (5) of the Sensitive Information Rules stipulates that the information collected must be used for the purpose for which it has been collected.

15. Rule 5 (3) of the Sensitive Information Rules stipulates that while collecting information directly from the person concerned the body corporate or any person on its behalf must take such steps as are in the circumstances reasonable to ensure that the person concerned is having the knowledge of – (a) the fact that the information is being collected; (b) the purpose for which the information is being collected, (c) the intended recipient of the information; and (d) the name and address of the agency that is collecting the information and the agency that will retain the information.

16. See Rule 5 (4) of the Sensitive Information Rules.

17. See Rule 5 (6) of the Sensitive Information Rules.

18. See Rule 6 of the Sensitive Information Rules.

19. See Rule 8 of the Sensitive Information Rules.

20. Summary to the documentary 'Democracy: Im Rausch der Daten' (2015).

21. In re Kharak Singh, at page 359.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
