Skip to main content
SpringerLink
Log in

India

  • Chapter
  • First Online:
Data Protection Law

  • 1237 Accesses

Abstract

India has neither prepared or implemented specific data protection or privacy laws. Since 2011, the Indian Parliament has presided over a Privacy Bill, and today there continues to be little progress on implementing dedicated privacy laws. In 2017, India released a White Paper in relation to a data protection framework for the country, which sought community comment in relation to future privacy and data protection. The White Paper highlights many of the principles that other nations and the EU have currently adopted in their respective data protection laws. India has based the community feedback by looking to the EU, United States of America, Australia, Canada and Singapore, to assist and guide the development of specific privacy laws in their country. However, the current approach is neither close to the EU, Singapore or Australia’s model. The current approach taken by India sits well outside what is being considered the global standard, but has similarities to Indonesia. Arguably, one of the dilemmas for India in the continued delay in establishing specific data protection laws, may come at a cost to their Internet economy. This is because, India has one of the largest Internet economies in the world, that has developed from their online outsourcing industry. Arguably, India, as it has sought, and is seeking to continue to position itself as an attractive destination for business and data processing (Kessler, D, Ross, S, Hickok, E A Comparative Analysis of Indian Privacy Law and the Asia-Pacific Economic, Cooperation Cross-Border Privacy Rules, National Law School of India Review, Vol. 26, No. 1 (2014), pp. 31–61). The courts in India have interpreted data protection in accordance with the right to privacy in accordance with Article 19 and 21 of the Constitution of India (Justice K S Puttaswamy, and ANR v Union of India and Ors, No. 494 of 2012). Chapter 6 will demonstrate how India’s current approach is far from specific or coherent and rather based on industry sectors. Due to the limited scope of India’s privacy and data protection laws, this Chapter only discusses the key concepts and principles such as Personal Information, Right to be Forgotten, Data Controller, Public and Private, Consent and Collection. The Chapter will also discuss the principles and concepts similar to other chapters and include Cross-Border Transfer, Retention, Enforcement, Commissioner, Controller Functions, Codes of Practice and Standards, along with a brief outline of the Proposed New Privacy and Protection Law and Supporting Laws. The Chapter concludes by summarizing the key principles of the proposed data protection and privacy laws.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 99.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 129.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info
Hardcover Book
USD 129.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    Information Technology Act 2000, http://www.dot.gov.in/sites/default/files/itbill2000_0.pdf, accessed 16 December 2017.

  2. 2.

    Pavan Duggal, India’s information Technology Act, http://unpan1.un.org/intradoc/groups/public/documents/apcity/unpan002090.pdf, accessed 30 November 2018.

  3. 3.

    Ibid.

  4. 4.

    Kharak Singh vs The State of U.P. (1964) 1 SCR 332.

  5. 5.

    Ibid.

  6. 6.

    Ibid.

  7. 7.

    R. M. Malkani vs State of Maharashtra 1975.

  8. 8.

    Govind vs. State of Madhya Pradesh 1975 (1975) 2 SCC 148.

  9. 9.

    Ibid.

  10. 10.

    Ibid.

  11. 11.

    Ibid.

  12. 12.

    R. Rajagopal v. State of Tamil Nadu (1994) 6 SCC 632.

  13. 13.

    Ibid.

  14. 14.

    Ibid.

  15. 15.

    PUCL v. Union of India AIR [1997] SC 568.

  16. 16.

    Ibid.

  17. 17.

    Shri S. K. Chaurasiya vs Central Vigilance Commission [2010].

  18. 18.

    Ibid.

  19. 19.

    Ibid.

  20. 20.

    Ibid.

  21. 21.

    Kessler,. D, Ross., S, Hickok, E A Comparative Analysis of Indian Privacy Law and the Asia-Pacific Economic, Cooperation Cross-Border Privacy Rules, National Law School of India Review, Vol. 26, No. 1 (2014), pp. 31–61.

  22. 22.

    Government of India. Ministry of Personnel, PG & Pensions, Department of Personnel Training, Approach Paper for a Legislation on Privacy, (2010) http://ccis.nic.in/WriteReadData/CircularPortal/D2/D02rti/aproach, accessed 20 November 2018.

  23. 23.

    Kessler,. D, Ross., S, Hickok, E A Comparative Analysis of Indian Privacy Law and the Asia-Pacific Economic, Cooperation Cross-Border Privacy Rules, National Law School of India Review, Vol. 26, No. 1 (2014), pp. 31–61.

  24. 24.

    Ibid.

  25. 25.

    Ibid.

  26. 26.

    Ibid.

  27. 27.

    Ibid.

  28. 28.

    Ibid.

  29. 29.

    Ibid. The “Approach Paper for a Legislation on Privacy” and “The Report of the Group of Experts on Privacy” contain analysis of the privacy protections found under the Information Technology Act and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011. The Approach Paper notes that even though the Information Technology Act protects personal data to some extent, the provisions are not comprehensive enough as they speak only to digital data. The Report of the Group of Experts on Privacy notes that the Rules fall short of meeting the standards defined by the National Privacy Principles in the Report as the Rules do not address or require anonymization of data when appropriate, do not require Body Corporate to provide notice of changes in purpose of collection or use, do not address the destruction of data, require Body Corporate to provide notice of breach of information to affected individuals, require Body Corporate to provide notice to changes in its privacy policy, and require Body to conduct an external audit on all policies and practices to ensure accountability.

  30. 30.

    Ministry of Electronics and Information Technology, White Paper of the Committee of Experts on a Data Protection (2017).

  31. 31.

    Ibid.

  32. 32.

    Ministry of Electronics and Information Technology, White Paper of the Committee of Experts on a Data Protection (2017).

  33. 33.

    Ibid.

  34. 34.

    The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, section 2.

  35. 35.

    Ibid.

  36. 36.

    Ibid, section 3.

  37. 37.

    The Aadhaar Act also provides for Aadhaar based authentication services wherein a requesting entity (government/public and private entities/agencies) can request the Unique Identification Authority of India (UIDAI) to verify/validate the correctness of the identity information submitted by individuals to be able to extend services to them.

  38. 38.

    The Information Technology Act 2000 and Information Technology Rules 2011.

  39. 39.

    The Right to be Forgotten poses a legal dilemma in India, https://www.livemint.com/Industry/5jmbcpuHqO7UwX3IBsiGCM/Right-to-be-forgotten-poses-a-legal-dilemma-in-India.html, accessed 2 October 2018.

  40. 40.

    Case C-131/12 Google Inc. v. Agencia Espanola de Proteccion de Datos, Mario Consteja González, 95–96.

  41. 41.

    Sri Vasunathan v The Registrar General, 2017 SCC Online Kar 424.

  42. 42.

    Ibid.

  43. 43.

    Justice K.S. Puttaswamy (Retd.)& Anr v Union of India & Ors., (2017) 10 SCALE 1.

  44. 44.

    Ibid.

  45. 45.

    The, Information Technology Rules 2011, section 5(9).

  46. 46.

    Ibid.

  47. 47.

    Ministry of Electronics and Information Technology, White Paper of the Committee of Experts on a Data Protection (2017).

  48. 48.

    The Information Technology Act 2000.

  49. 49.

    The The Information Technology Act 2000 and, Information Technology Rules 2011, section 5(2) & (3).

  50. 50.

    Ibid.

  51. 51.

    Information Technology Act 2000, section 7.

  52. 52.

    Ministry of Electronics and Information Technology, White Paper of the Committee of Experts on a Data Protection (2017), p. 78.

  53. 53.

    Ibid.

  54. 54.

    Justice K.S.Puttaswamy(Retd) vs Union Of India 26 September, 2018.

  55. 55.

    Ibid.

  56. 56.

    The Information Technology Rules 2011, 7.

  57. 57.

    Ibid, 4 and 7.

  58. 58.

    The Information Technology Rules 2011, 6.

  59. 59.

    Ministry of Electronics and Information Technology, White Paper of the Committee of Experts on a Data Protection (2017), p. 24.

  60. 60.

    Ibid, 25.

  61. 61.

    Selby, J Data localization laws: trade barriers or legitimate responses to cybersecurity risks, or both? International Journal of Law and Information Technology, (2017) pp. 213–232.

  62. 62.

    Ibid.

  63. 63.

    The Rules, section 5(4).

  64. 64.

    Ministry of Electronics and Information Technology, White Paper of the Committee of Experts on a Data Protection (2017), p. 118.

  65. 65.

    Information Technology Act 2000.

  66. 66.

    Ibid, for the purposes of this section,—(i) “computer contaminant” means any set of computer instructions that are designed—(ii) “computer data base” means a representation of information, knowledge, facts, concepts or instructions in text, image, audio, video that are being prepared or have been prepared in a formalized manner or have been produced by a computer, computer system or computer network and are intended for use in a computer, computer system or computer network; (iii) “computer virus” means any computer instruction, information, data or programme that destroys, damages, degrades or adversely affects the performance of a computer resource or attaches itself to another computer resource and operates when a programme, daia or instruction is executed or some other event takes place in that computer resource; (iv) “damage” means to destroy, alter, delete, add, modify or rearrange any computer resource by any means.

  67. 67.

    Kessler,. D, Ross., S, Hickok, E A Comparative Analysis of Indian Privacy Law and the Asia-Pacific Economic, Cooperation Cross-Border Privacy Rules, National Law School of India Review, Vol. 26, No. 1 (2014), pp. 31–61.

  68. 68.

    The specific issues identified include, to the Collection requirement, the protection to include jail personal information, rather than be limited personal information. The Purpose requirement could be expanded from limit use of collected information, to include both data transfers and disclosures. The APEC requirement and Correction Principles would likely require the large modifications. This expanded section could contain descriptions of processes for individuals to confirm that a Body Corporate or control of an individual’s personal information, and under what circumstances the individual can obtain information from the Body Corporate, as how and under stances an individual can request changes to that information. The Opt Out right, where individual to provide information and can withdraw consent, it W to provide examples of when such a right applies and d such as APEC’s example of a company that is centralizing resources data and does not need to provide an opt-out. The Redress Mechanism that India requires would need to include the third party accountability in the redress of discrepancies. Finally, Disclosure of Information Collection requirement, the protections would need personal information, rather than be limited to sensitive information.

  69. 69.

    Information Technology Act 2000, 70B.

  70. 70.

    Ibid, 72.

  71. 71.

    Ibid.

  72. 72.

    Ibid, 73, any person who contravenes the provisions of sub-section (1) shall be punished with imprisonment for a term which may extend to 2 years, or with fine which may extend to one lakh rupees, or with both.

  73. 73.

    Ibid, 43, 44 and 45.

  74. 74.

    Ibid, 46(5).

  75. 75.

    Ibid, 48(1).

  76. 76.

    Ministry of Electronics and Information Technology, White Paper of the Committee of Experts on a Data Protection (2017), p. 118.

  77. 77.

    Ibid.

  78. 78.

    Information and Technology Act 2000, 17 and 18.

  79. 79.

    Ibid.

  80. 80.

    Ministry of Electronics and Information Technology, White Paper of the Committee of Experts on a Data Protection (2017), pp. 167–172.

  81. 81.

    The Information Technology Rules 2011, 4.

  82. 82.

    Ibid, 7.

  83. 83.

    Ibid, 8(4).

  84. 84.

    Ibid, 8.

  85. 85.

    Draft Data Privacy Bill, http://164.100.47.4/BillsTexts/LSBillTexts/Asintroduced/889LS%20AS.pdf, accessed 16 December 2017.

  86. 86.

    Ibid.

  87. 87.

    Ibid.

  88. 88.

    Ibid.

  89. 89.

    Lakshmikumaran and Sridaran, Data Principal and Data Fiduciary in the Personal Data Protection Bill 2018, https://www.lexology.com/library/detail.aspx?g=f0522766-30c6-4c07-ab5a-fb924a74f5cc&utm_source=lexology+daily+newsfeed&utm_medium=html+email+-+body+-+general+section&utm_campaign=australian+ihl+subscriber+daily+feed&utm_content=lexology+daily+newsfeed+2018-11-27&utm_term, accessed 22 November 2018.

  90. 90.

    Ibid.

  91. 91.

    Bhattacharya, A India’s first data protection bill is riddled with problems (2018)

    https://qz.com/india/1343154/justice-srikrishnas-data-protection-bill-for-india-is-full-of-holes, accessed 25 November 2018.

  92. 92.

    Ibid. Amba Kak Policy Advisor software company Mozilla in India.

  93. 93.

    Ibid.

  94. 94.

    Ibid.

  95. 95.

    Ibid. Shweta Mohandas, Programme Officer at the Centre for Internet and Society.

  96. 96.

    Chairmanship of Justice B.N. Srikrishna A Free and Fair Digital Economy Protecting Privacy, Empowering Indianshttp://meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf, accessed 25 November 2018.

  97. 97.

    Ibid.

  98. 98.

    Ibid.

  99. 99.

    Ibid.

  100. 100.

    Bharuka, D, Indian Information Technology Act 2000, Criminal Prosecution Made Easy for Cyber Pshycos, Journal of the Indian Law Institute, Vol. 44, No. 3 (2002), pp. 354–379.

  101. 101.

    Ministry of Electronics and Information Technology, White Paper of the Committee of Experts on a Data Protection (2017).

  102. 102.

    Ibid.

  103. 103.

    Ibid.

  104. 104.

    Ibid.

References

Download references

Author information

Authors and Affiliations

  1. Victoria University, Melbourne, VIC, Australia

    Robert Walters

  2. Faculty of Law, University of New South Wales, Kensington, NSW, Australia

    Leon Trakman

  3. University of Western Australia, Crawley, WA, Australia

    Bruno Zeller

Authors
  1. Robert Walters
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Leon Trakman
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Bruno Zeller
    View author publications

    You can also search for this author in PubMed Google Scholar

Rights and permissions

Reprints and permissions

Copyright information

© 2019 Springer Nature Singapore Pte Ltd.

About this chapter

Check for updates. Verify currency and authenticity via CrossMark

Cite this chapter

Walters, R., Trakman, L., Zeller, B. (2019). India. In: Data Protection Law. Springer, Singapore. https://doi.org/10.1007/978-981-13-8110-2_6

Download citation

  • DOI: https://doi.org/10.1007/978-981-13-8110-2_6

  • Published:

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-13-8109-6

  • Online ISBN: 978-981-13-8110-2

  • eBook Packages: Law and CriminologyLaw and Criminology (R0)

Publish with us

Policies and ethics

Search

Navigation