25 June 2020

Brief Note On SPDI

Khurana and Khurana

Contributor

K&K is among leading IP and Commercial Law Practices in India with rankings and recommendations from Legal500, IAM, Chambers & Partners, AsiaIP, Acquisition-INTL, Corp-INTL, and Managing IP. K&K represents numerous entities through its 9 offices across India and over 160 professionals for varied IP, Corporate, Commercial, and Media/Entertainment Matters.

India has no specific law for the protection of data; the privacy and protection of data are governed by the IT Act through the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

Data is broadly divided into two categories:

  • Personal Data
  • Sensitive Personal Data.

As per the IT Act, data is defined as a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, or which are intended to be processed or have been processed in a computer system or computer network, and which may be in any form or stored internally in the memory of the computer.

Sensitive personal data includes information such as passwords, bank account details, credit/debit card details, present and past health records, sexual orientation and biometric data.

Apart from the IT Act, 2000, the Indian Constitution also protects an individual's right to life and personal liberty under Article 21, and under Article 19(1)(a) it guarantees freedom of speech and expression, which means that a person is free to express himself. Articles 19(1)(a) and 21, read together, have been interpreted to mean that the right to privacy is a fundamental right.

In the Supreme Court judgment in Kharak Singh vs The State of U.P. & Others[1], the majority stated that the right to privacy is a fundamental right, but subject to certain restrictions on the basis of compelling public interest.

In another Supreme Court case, R. Rajagopal alias R.R. Gopal and Another vs. State of Tamil Nadu and Others[2], it was held that the petitioners have a right to publish what they allege to be the life story/autobiography of Auto Shankar insofar as it appears from the public records, even without his consent or authorisation. But if they go beyond that and publish his life story, they may be invading his right to privacy. The Constitution exhaustively enumerates the permissible grounds of restriction on the freedom of expression in Article 19(2); it would be quite difficult for courts to add privacy as one more ground for imposing reasonable restriction.

The most recent Supreme Court judgment on privacy is Justice K. S. Puttaswamy v Union of India[3], decided by a majority of the judges. The constitution bench held that the right to privacy is a fundamental right, subject to certain restrictions.

In this case the question was whether the Indian Constitution contains a fundamental right to privacy at all, since it is not explicitly stated. The nine-judge bench held that Indians do have this fundamental right, and that Aadhaar would have to be tested against it.

Data protection is important because a great deal of an individual's data is online and should not be automatically available to anyone. Protecting data is important to prevent the misuse of information.

Privacy and data protection are connected: if the personal information of an individual is shared without his/her consent, this leads to a violation of privacy.

The law which covers the principles of privacy and data protection is the Information Technology Act.

The IT Rules 2011 govern personal data and sensitive personal data or information. Section 43-A of the IT Act provides for compensation for negligence in implementing and maintaining 'reasonable security practices and procedures' in relation to 'sensitive personal data or information' ("SPDI"), and Section 72-A of the IT Act mandates punishment for disclosure of 'personal information' in breach of a lawful contract or without the information provider's consent.

As per the definition given in the IT Rules 2011:

  "Personal information" has been defined under the Rules as "any information that relates to a natural person, which either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person".

Sensitive personal data exists under the Rules as the concept of "sensitive personal data or information". Rule 3 specifies that the following types of data or information shall be considered personal and sensitive:

  • Passwords
  • Bank Account details
  • Credit/debit card details
  • Present and past health records
  • Sexual orientation
  • Biometric data

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

These Rules apply to a body corporate or any person located in India and lay out specific provisions relating to SPDI. Currently these are the most detailed provisions for the protection of SPDI in India.

The Privacy Bill is still pending and has yet to become law. That Bill covers the concepts of personal data and sensitive personal data, and introduces a new category of data known as critical personal data. For now, the IT Rules govern the protection of such data.

Information Provider

Any person who provides information to the body corporate is known as the provider of information. The information provider has certain rights: information will be collected by the body corporate only after the consent of the information provider, and the provider has the right to withdraw consent or to abstain from giving consent. Such withdrawal should be communicated in writing to the body corporate.

Collection & Disclosure

The body corporate collects data only after the consent of the individual, such SPDI should be used for lawful purposes only, and there may be instances where the information provider should be given an opportunity to provide alternative information instead of SPDI.

It is mandatory for the body corporate to take reasonable steps to protect the information. Further, the body corporate is not allowed to publish any sensitive personal data or information. There are two exceptions to this:

  • When there is a contract between the body corporate and the information provider permitting disclosure of such information.
  • For any legal obligation.

The information provider should be allowed to review or amend the SPDI they have provided at any point of time.

Transfer of SPDI

SPDI can be transferred by the body corporate, but before transferring the information the body corporate should check that the recipient maintains the same or an equal level of data protection as the body corporate itself, as required by the Rules. Further, the information can be shared with government agencies authorised under law to obtain information.

Disclosure to Third Party

Before transferring the information provider's information to any third party other than a government agency, the body corporate should seek the information provider's permission. The body corporate can provide the information on its own only if this was previously agreed in the contract.

Privacy Policy

It is mandatory for the body corporate to provide a privacy policy which clearly states what type of information is collected, the purpose for collecting such information, the details of any disclosure of sensitive personal information to third parties, and the precautions taken by the organisation to protect the data.

Grievance Officer

The Rules mandate that the body corporate appoint a grievance officer to address complaints, and the contact details of the grievance officer must be published on the website of the body corporate.

Difference between the Draft Bill and the SPDI Rules

  • The SPDI Rules apply to a body corporate or an individual located in India, whereas the Bill applies to the government, to private entities incorporated in India and to entities incorporated outside India.
  • Under the Rules, SPDI can be processed only after the consent of the information provider, whereas under the Bill processing may be based on consent, functions of the State, compliance with law or an order of a court, prescribed emergencies, or any other purpose specified by the Authority.
  • According to the Rules, the data provider has the right to withdraw consent and can abstain from giving consent. As per the Bill, the onus in respect of personal data is on the data collector and not the data provider, and the data provider has a right to access the data and a right to be forgotten.
  • The Rules contain no provision requiring data to be kept or stored within the territory of India, whereas as per the Bill the data needs to be stored within the territory of India.
  • According to the Rules, data can be transferred to a third party provided the third party maintains the same level of data protection. The Bill allows cross-border transfer of personal data and sensitive personal data where (i) the transfer of data is according to standard contractual clauses or intra-group schemes that have been approved by the Authority; or (ii) the Central Government, in consultation with the Authority, has prescribed a country, a section within a country or a particular international organisation to which such transfers are permissible based on the adequacy of the data protection framework there; or (iii) a particular transfer is approved by the Authority on grounds of necessity. In cases (i) and (ii) above, the data provider's consent will also be required to transfer the personal data and sensitive personal data.
  • As per the Bill there will be a separate authority for receiving applications relating to data protection.

Data privacy is a basic human right and there is a need for stringent law to govern it. A data protection law is important so that there is a proper process for and regulation of data, protection of the rights of individuals, enforcement of rules against unauthorised access, and penalties if someone goes against the policies.

Footnotes

[1] 1963 AIR 1295, 1964 SCR (1) 332

[2] (1994) 6 SCC 632

[3] WP (C) 494/2012

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
