Data Protection Law Indian and Foreign Perspective

India is a country with vast population, and due to this there has been data protection laws in
order to look after the transfer of data occurs. These are the data which is often tagged as
‘personal data’ which is generally being given to any government organisation or any private
organisation by the concerned person, and if the information is used is can led to that specific
person. Due to the presence of immense number of people there have been constant cases of
cyber crimes such as data theft and hacking of documents being uploaded online. Also Indian
being a country with large amount of data outsourcing and data processing hence in order to
curb these evils India have a specific law that concerns for data protection know as
‘Information and Technology Act 2000’. Although this law is not that helpful in lieu with
protection of data from being stolen. The cyber crimes can only be stopped if there are large
number of protection laws and people being made properly aware regarding these laws. The
IT and BPO sector of India handle and access all types of sensitive and personal data of
people around the word. This is not the condition with European countries since they have
very stringent data protection laws where in every single data if transfer is been done with the
approval of the concerned government which is not the case in India. Hence this article with
provide a brief knowledge about Data Protection laws in India and its comparison with that of
Foreign Countries.
However, in India there is no data protection laws, the only law which deals with data
protection is IT act 2000 and The Contract Act 1872. The Information and Technology act
deals with both the perspective of law i.e. Civil and Criminal. Various sections are being used
time to time in getting compensation in case of any breach of privacy and the section which
implicitly protects the Personal information of the concerned person is Section 43A of IT Act
2000. It says “a body which possess or deals with any sensitive data and in dealing which it
causes wrongful loss or wrongful gain to any person, then the concerned body is responsible
to pay damages to the person so affected.” It is also to be taken in notice that there is no
upper limit specified for payment of the required compensation. In 2011 the Government of
India notified Information Technology rules. These rules were concerned with protection of
‘Sensitive personal data’, which includes password, banking details, medical records etc.
These rules provide for practises and procedure needed to be taken care of in handle,
receiving, collecting or dealing in any ‘Sensitive personal data’ and in case of breach of these
rules the body incorporated will be liable to pay compensation to the concerned party.
The other section which somewhere deals with data protection is Section 72A which say “ in
case if a company or body responsible for collecting data discloses the concerned information
in lieu of a lawful contract which forbids this, shall be liable to pay compensation which may
extend to 5 Lakhs Indian Rupee and also a mandatory terms of imprisonment which may
extend to three years. The point here to be noted the intention behind disclosure of such
information is not of any concern i.e. it may be intentional or it may have been leaked
unintentionally, the body will still be liable under Section 72A of IT Act 2000.
On the other hand, there is Section 69 which is considered as an exception of the above-
mentioned rules. This section state that ‘ where by if the Government of India think that it is
essential in the interest of sovereignty or integrity of India, defence of India, Security of
India, Friendly relations with other state, or for investigating in any matter’ it may direct the
required body to provide it with the required information including the information of
‘personal nature’. Information which are considered to be anti-nationals, fraud comes under
this category. This section is mainly used in order to curb cyber crimes by using the essential
details required but those details can only be used by the prior approval by the government of
India.
Apart from these sections there is Section 72 which deals with Penalty for Breach of Privacy
which states that ‘any person who by virtue of the power conferred under IT Act rules and
has access to computer records, electronic books etc and discloses these information without
the consent of the concerned person shall be liable for jail term which may extent to two
years and apart from this he/she needs to pay fine which may amount up to one lakh Indian
Rupees. Following the year 2008, there were several amendments done in Information
Technology Act 2008, in lieu of which several Sections were also inserted namely:
 Section 10A which deals with the contracts that are made via electronic mode and its
validity.
 Section 43A, this was long awaited as there was no specific section which provides
for compensation to the party in matter of failure of protecting data.
 Section 66A, although was struck down by Hon’ble Supreme court in Shreya Singhal
vs Union of India1 but deals with offensive messages send via Social media or any
electronic platform.
These are some of the sections which were added in 2008 amendments, there are although
many more, the core of the added section were to protect people in falling under trap of cyber
crime and yes this can be say that the steps taken in 2008 were somewhere Government of
India’s first step towards implementing laws related to Data protection.
Now as this article is about data protection law related to India and Foreign perspective, until
now we have discussed the laws that are effective in India only. As we move ahead, we’ll be
discussing laws with respect to foreign country, what laws they have for data protection how
those laws difference from our and some more perspective on the same line.
As we move towards comparison of Indian data protection laws with that of Foreign
perspective one thing that needed to be taken care is that India lacks a lot in these laws. This
can be said by viewing the various approach of several develop country towards there data
protection laws. For example in India we although don’t have any data protection laws but
what ever laws we have, they focus uniformly on all the companies that are responsible for
storing data or dealing with those data’s, whereas the case in not same in United States
where, they have classified data in different forms rather in different classes. Now these
classes have different legislations that protects them individually. For example, if they are
classified in A and B then the laws that will govern class A will be different from that of laws
that will govern class B.
Looking with the perspective of United Kingdom’s data protection law they have a uniform
Act which was implemented in year 1998. In this law the body which is concern with storing
of the personal data of several people should get itself registered with the Information
commissioner, who in turn is elected by the government to look after these laws and its
working. In India we do not have any such post which solely be concerned with data
protection also in India we can get data easily from any body for as many times as we want
1
(2013) 12 SCC 73
but the case is not the same in UK. There the data can be asked for only one or two times that
to looking at the circumstances as to whether the data asked if required or not. Not only this
the data cannot be further asked after being asked for one or two times even if it is needed for
judicial purposes. This practise thus helps in protecting the data that is concerned with
general public.
Many times Indian IT Act2000, is compared with that of OECD guidelines on privacy and
transborder flow of personal data or with United States Safe Harbour approach but the thing
that is to be made sure is that whether the IT Act 2000 deals with data protection or is just
protecting some of the aspect. The answer is NO it is not a proper data protecting act rather it
protects its partially in like it deals with cybercrime, protecting digital signatures and things
like this. There is no where any discussion about interborder data transfer. Although Supreme
Court in India in Justice K.S Puttaswamy vs. Union of India2 gave a detailed judgment over
Right to privacy and also gave guidelines regarding it but these guidelines will be of no use if
there is no specific law that deals with Data protection as it is European union or in United
states.
Therefore, in comparison with foreign countries India lacks behind in data protection laws
and this issue needed to be addressed as soon as possible since this is the peak time of
International outsourcing companies to come in India and bloom its business but looking at
the condition of our laws it is a type of hurdle in dealing with these companies since they deal
with cross border personal data’s. This is not a job which can be done overnight rather it’ll
take some time to implement these law as people needs to be properly addressed with what is
data protections law, how it works, how to transfer data cross border securely before it
become too late and this blooming industry of outsourcing come to an end. It is further noted
that EU has made a list of countries with which it will import data without following long
procedures and sadly India is lacking its criteria to be on that list and by making a proper data
protection law, it can surely be on verge of success in dealing with these matters
internationally. This drafting of law of transborder data transfer will not only benefit India as
a particular but will also help several developing countries which are on verge on developing
their respective law. So, in this way these countries will not start from scratch and by
implementing similar law with respect to that of Indian laws it will more or less benefit our
own country in dealing in transborder. But in order to draft a model law there needed to be a
agreement with any international organisation relating to this transborder data flows but there
can’t be any particular organisation which can help us out since privacy of data is not a
subject matter of any single law rather it a branch of several laws such as human rights,
consumer protection laws etc.
So, in this article we have discussed about what is data protection laws, how it is important in
dealing internationally, which body in India deals with it, does India have a proper data
protection laws or not, and more specifically its comparison with foreign countries which
show us where we stand internally in terms of data privacy or transferring data
internationally. And the answer which we got is Yes India do lack in these laws and we have
also discussed about the consequences of not implementing these laws in the meantime.
Further, these issues needed to be taken care as soon as possible since matching the standards
of dealing with EU or not been on the list OECD is definitely not a good news, since being in
2
(2017) 10 SCC 1
dealing terms with these organisation will not only improve our standard internationally but
will also help our country in several aspects since most of the developed nations are part of
these organisation. In the end implementing these data protection laws needed to addressed
immediately and rather than only focusing on cybercrimes, privacy of personal data, digital
signatures etc transborder transfer of personal data needed to be taken in notice and once we
implement these law it will only yield result that will be in favour of our country.