Data Protection and Privacy – Cyber Security Laws in India

Posted On - 12 January, 2023 • By - King Stubb & Kasiva

The term “Data Protection” means a systematic framework of laws, policies, guidelines and rules framed by the government and regulatory agencies in order to protect the privacy of individuals and prevent data manipulation caused by malpractices like unconsented and unlawful storage and dissemination of data.

The cyber security laws in India find their relevance and mention through various data protection laws in India as well as the right to privacy as a part of the right to life which is a fundamental right under Articles 19 and 21 of the Constitution of India[1]. However, just like all other fundamental rights, the Cyber Security and Data Protection laws in India are also subject to reasonable restrictions.

The Cyber Security laws and data protection laws in India do not expressly find any statutory backing but the data privacy laws in India are covered under the Information Technology Act, 2000 and the Indian Contract Act, 1872. Moreover, the Personal Data Protection rules are also part of the cyber security and data protection laws in India which govern corporate entities for privacy concerns.

Indian Statutes governing data privacy

As specified above, there are no specific statutes governing data privacy and protection in India. However, the legal issues dealing with penal provisions and compensatory measures are dealt thoroughly in the Information Technology Act, 2000 which explains the ambit of data privacy laws in India along with Indian Contract Act, 1872.

However, in India, the Ministry of Electronics and Information Technology has been working on developing and introducing a Personal Data Protection (PDP) Bill which is aimed to provide a complete set of data protection and privacy laws in India. There are various recommendations brought forward for data privacy laws in India which are as follows:

  • The ambit of PDP has to be widened to include private, personal, and non – personal data.
  • The implementation structure of PDP would be rolled out in phases.
  • The hardware manufacturers whocollect data from consumers and assimilate and store it would be required to comply with the rules and regulations.
  • Social media and leading players would be deemed as “significant data fiduciary” and would have to comply with rules and regulations of data protection and privacy laws in India.

According to Section 72A of the IT Act, 2000, penal nature has been given to wilful or accidental disclosure of information pertaining to an individual has been made a punishable offense with a fine upto Rs. 5,00,000/- and a penalty upto three years or both.

Governmental Interference with Data

Section 69 of the Information Technology Act states that any authorised individual by the government or an officer of the government may direct any authority or agency to intercept, monitor, and enable surveillance of data or privacy of an individual if the act so done is for maintaining peaceful relations with other countries, securing public order and national interest, preventing the commission of cognizable offenses and many other reasons.

However, according to the above-mentioned section, it has been made mandatory to record reasons in writing for doing so. Moreover, various websites which carry illicit content or may run contrary to national interest have also been blocked by the government using section 69A of the IT act.

This has led to the government becoming a watchdog for both personal data protection as well as rights of citizens, along with imposing reasonable restrictions for the purpose of national security.

Penalty for breaching confidentiality and privacy of citizens

According to Section 72 of the act, a penalty for breach of confidentiality is provided and the section further states that any individual who, in compatibility with any of the powers presented under the IT Act Rules or Guidelines made there under, has tied down admittance to any electronic record, book, register, correspondence, data, report or other material without the assent of the individual concerned, reveals such material to some other individual, will be culpable with detainment for a term which might stretch out to two years, or with fine which might reach out to Rs 1,00,000.

Information Technology Amendment Act, 2008 – A way forward

The amendment to the IT act in 2008 has brought a revolution to the concept of the law of contracts in India and has granted validity to contracts through electronic mediums – also known as E – contracts.

Moreover, it has amended various sections such as section 43A which has provided a compensatory measure for failure to protect data, section 66 – which talks about offenses related to computers, and many others such as sections 66B, 66C, 66D,etc. According to section 66, if any individual dishonestly or fraudulently commits any act declared as an offense under the Act or section 43, the imprisonment may range up to 3 years or a fine up to Rs. 1,00,000/- or both.

There have been various steps taken to ensure data collection by social media sources and hardware devices is not misused and is done in accordance with cyber security laws in India to prevent the pilferage of sensitive information of people from being abused in hands of malware and viruses.

Conclusion

The data protection and privacy laws in India have witnessed a huge shift in the paradigm towards the development of a safe technological arena where the data and privacy of individuals are not at stake or are not flouted.

The IT act along with Personal Data Protection Rules have thoroughly worked towards creating a safe social, electronic and technological arena where the privacy and data of individuals are not exploited at the hands of hardware manufacturers, applications, social media platforms and other technologies like spyware.

Imposition of monetary compensations, fines and even imprisonment has also acted as a deterrent for many organizations which may undertake data pilferage and has added to the security of individuals’ private sphere.


[1]Justice K S Puttaswamy (Retd) and Another v. Union of India and Others (2017) 10 SCC 1