
DATA PROTECTION AND SECURITY

Over the last few years, there has been a considerable increase in the
amount of data generated through the use of various electronic devices and
applications. Today's businesses derive considerable value by analysing this
'big data' and often determine their business strategies on the basis of such
analysis. While there is no denying the business efficiency involved, the
burning question is: 'do individuals have control over the way in which
information concerning them is accessed and processed by others?' The right
of privacy is the right to be free from unwarranted publicity, to live a life
of seclusion, and to live without unwarranted interference by the public in
matters with which the public is not necessarily concerned. It has been a
common law concept, and an invasion of privacy gives the individual a right
to claim tort-based damages.

One of the first cases on this topic was Semayne's Case¹ in 1604.

The Information Technology Act, 2000 has defined 'Data' under Section 2(1)(o):

"Data means a representation of information, knowledge, facts, concepts or
instructions which are being prepared or have been prepared in a
formalised manner, and is intended to be processed, is being processed or
has been processed in a computer system or computer network, and may be
in any form (including computer printouts magnetic or optical storage
media, punched cards, punched tapes) or stored internally in the memory of
the computer."

¹ Strutner v Dispatch Printing Co.

Right to Privacy

Article 21 of the Constitution of India provides that

“No person shall be deprived of his life or personal liberty except according
to procedure established by law”.

However, the Constitution does not specifically recognise the 'right to
privacy' as a fundamental right.

The question of whether the 'right to privacy' is a fundamental right was first
considered by the Hon'ble Supreme Court in M. P. Sharma and Ors. vs. Satish
Chandra, District Magistrate, Delhi and Ors. (1954 SCR 1077), wherein the
warrant issued for search and seizure under Sections 94 and 96(1) of the Code
of Criminal Procedure was challenged.

The Hon’ble Supreme Court held that the power of search & seizure was not
in contravention of any constitutional provision. The Court avoided giving
recognition to the right to privacy as a fundamental right guaranteed by the
Constitution of India.

Thereafter, in Kharak Singh vs. State of Uttar Pradesh and Ors. (1964) 1 SCR
334, the question was whether surveillance by domiciliary visits at night
against an accused amounted to an abuse of the right guaranteed under
Article 21 of the Constitution, thus raising the question of whether
Article 21 includes the right to privacy.

The Hon'ble Supreme Court held that such surveillance was, in fact, in
contravention of Article 21 of the Constitution. The majority further held
that Article 21 does not expressly provide for privacy, and thus the right to
privacy could not be construed as a fundamental right.

This issue was raised once again in K. S. Puttaswamy (Retd.) v Union of
India, (2015) 8 SCC 735, before the Hon'ble Supreme Court, where the
'Aadhaar Card Scheme' was challenged on the ground that collecting and
compiling the demographic and biometric data of the residents of the country,
to be used for various purposes, is in breach of the fundamental right to
privacy embodied in Article 21 of the Constitution of India.

The Hon'ble Supreme Court referred the matter to a constitutional bench
consisting of nine judges.

The Hon’ble Supreme Court held that

“821. The reference is disposed of in the following terms:

(i) The decision in M P Sharma which holds that the right to privacy is
not protected by the Constitution stands over-ruled;
(ii) The decision in Kharak Singh to the extent that it holds that the right
to privacy is not protected by the Constitution stands over-ruled;
(iii) The right to privacy is protected as an intrinsic part of the right to life
and personal liberty under Article 21 and as a part of the freedoms
guaranteed by Part III of the Constitution.
(iv) Decisions subsequent to Kharak Singh which have enunciated the
position in (iii) above lay down the correct position in law.”

Personal data and data protection

Data is of two types:

a. personal data, and
b. non-personal data.

Personal data means those characteristics, traits or attributes of identity
that can be used to identify an individual.

Non-personal data includes aggregated data through which an individual
cannot be identified.

Data protection means protecting, or minimising intrusion into, the privacy
of an individual through different policies and procedures.

Concerns related to data collection

• The nature of data that is protected: The enactments that deal with
protection of data are the IT Act and the Information Technology
(Reasonable Security Practices and Procedures and Sensitive Personal Data
or Information) Rules, 2011.
Rule 3 provides that what is primarily required to be protected is
'personal information' and 'sensitive personal data or information', which
means information relating to:
(i) password;
(ii) financial information such as bank account or credit card or
debit card or other payment instrument details;
(iii) physical, physiological and mental health condition;
(iv) sexual orientation;
(v) medical records and history;
(vi) biometric information;
(vii) any information relating to the above clauses given to the body
corporate for providing service; and
(viii) any information relating to the above clauses given to the body
corporate for processing, stored or processed under lawful
contract or otherwise.
Information that is freely available or accessible in the public domain
is not regarded as sensitive personal data.

• Who can collect the personal data?: Rule 5 of the IT Rules prescribes
that the body corporate, or any person on its behalf, has to obtain
consent in writing (through a letter, fax or email) from the provider of
sensitive data, regarding the purpose of usage of that sensitive data,
before collecting it.
It further provides that no body corporate or any person on its behalf shall
collect sensitive personal data or information unless
a) the information is collected for a lawful purpose connected with
a function or activity of the body corporate; and
b) the collection of the personal data or information is considered
necessary for that purpose.
Further, it also provides that, while collecting the information, the
person sharing the information is required to be made aware of
(i) the fact that the information is being collected;
(ii) the purpose for which the information is being collected;
(iii) the intended recipients of the information; and
(iv) the name and address of:
(a) the agency that is collecting the information; and
(b) the agency that will retain the information.
• Duration for which the personal data can be stored: Rule 5 provides
that sensitive data or information cannot be retained for longer than
is required for the purposes for which the information may lawfully be
used, or is otherwise required under any law for the time being in
force. Such information can be used only for the purpose for which it
was collected.
Further, prior to the collection of information, the provider of the
information must be given the option not to provide the data or
information that is to be collected. The provider of information also
has the option to withdraw consent given earlier, at any time.
• To what extent can the personal data be shared with third
parties?: Rule 6 provides that sensitive data can be shared with a
third party only after obtaining permission from the information
provider, or where the information provider and the body corporate have
agreed to disclosure in a contract, or where such disclosure is required
for compliance with a legal obligation.
However, no such consent from the information provider is required
where the information is shared with Government agencies that are
mandated under law to obtain information, including sensitive
personal data or information, for the purpose of verification of identity,
or for prevention, detection or investigation (including of cyber incidents),
prosecution and punishment of offences.
• The obligations of employers in relation to the personal data
collected from their employees: Employers collect sensitive personal
information of their employees, such as health records and financial
information. Rule 8 provides that, if such personal information is
stored on a computer resource, the employer is required to have in place a
comprehensive documented information security programme and
information security policies that contain managerial, operational,
technical and physical security control measures that are
commensurate with the information assets being protected.
Further, Rule 4 provides that a body corporate which collects,
receives, possesses or stores information of its employees is required to
have in place a privacy policy for handling or dealing with such
personal information. The body corporate is further required to make
the privacy policy available to the employees for their review, publish
it on its website, and provide for:
i. clear and easily accessible statements of its practices and
policies;
ii. the type of personal or sensitive personal data or information
collected under Rule 3;
iii. the purpose of collection and usage of such information;
iv. disclosure of information, including sensitive personal data
or information, as provided in Rule 6;
v. reasonable security practices and procedures as provided
under Rule 8.

Provisions in the Information Technology Act, 2000 related to data
protection and security

After its amendments in 2008, the IT Act, 2000 now consists of multiple
provisions dealing with data protection, mandatory privacy policies, and
penalties to be imposed on violations of such privacy policies.

Some relevant provisions of the IT Act are as follows:

1. Section 43 (a), (b) and (j): This Section provides that any person who,
without the permission of the owner or any other person who is in charge
of a computer, computer system or computer network:
(a) accesses or secures access to such computer, computer
system or computer network;
(b) downloads, copies, or extracts any data, computer data
base or information from such computer, computer system
or computer network, including information or data
held or stored in any removable storage medium;
(j) steals, conceals, destroys or alters, or causes any person to
steal, conceal, destroy or alter, any computer source code
used for a computer resource with an intention to cause
damage;
shall be liable to pay damages by way of compensation to the person
so affected.
2. Section 43A: This Section deals with ‘Compensation for failure to
protect data’, it provides that,
“Where a body corporate possessing, dealing or handling any
sensitive personal data or information in a computer resource which
it owns, controls or operates, is negligent in implementing and
maintaining reasonable security practices and procedures and
thereby causes wrongful loss or wrongful gain to any person, such
body corporate shall be liable to pay damages by way of
compensation to the person so affected.”
3. Section 66C: This Section deals with 'identity theft' and provides
that,
"Whoever, fraudulently or dishonestly makes use of the electronic
signature, password or any other unique identification feature of any
other person, shall be punished with imprisonment for a term which
may extend up to three years and shall also be liable to pay a fine
which may extend up to One Lakh rupees."
4. Section 66E: This Section deals with 'Punishment for violation of
privacy' and provides that,
“Whoever, intentionally or knowingly captures, publishes or transmits
the image of a private area of any person without his or her consent,
under circumstances violating the privacy of that person shall be
punished with imprisonment which may extend up to three years or
with fine not exceeding Two Lakh rupees or with both.”
5. Section 72: This Section deals with ‘Penalty for breach of
confidentiality and privacy’ and provides that,
“Any person who has secured access to any electronic record, book,
register, correspondence, information, document or other material
without the consent of the person concerned and thereafter, discloses
such electronic record, book, register, correspondence, information,
document or other material to any other person shall be punished
with imprisonment for a term which may extend to two years, or with
fine which may extend to One Lakh rupees, or with both.”
6. Section 72A: This Section deals with ‘Punishment for disclosure of
information in breach of lawful contract’ and provides that,
“Any person, including an intermediary who, while providing services
under the terms of a lawful contract, has secured access to any
material containing personal information about another person, with
the intent to cause or knowing that he is likely to cause wrongful loss
or wrongful gain discloses, without the consent of the person
concerned, or in breach of a lawful contract, such material to any
other person shall be punished with imprisonment for a term which
may extend up to three years, or with a fine which may extend up to
Five Lakh rupees, or with both.”
The IT Rules provide directions for a body corporate holding sensitive
personal information of users to maintain certain specified security
standards.
The relevant provisions are as follows:
7. Rule 4 (Body corporate to provide policy for privacy and disclosure of
information), Rule 5 (Collection of information), Rule 6 (Disclosure
of information) and Rule 8 (Reasonable security practices and
procedures): already discussed under the previous topic.

Right to Information Act, 2005

The RTI Act was brought to enable citizens to access information under the
control of public authorities so as to promote transparency and accountability
within the working of every public authority.

Under Section 3, all citizens have the right to information.

Under Section 4, every public authority has to maintain all its records.

Under Section 6, a person who desires to obtain any information can make a
request in writing or in electronic form to:

i. the Central Public Information Officer or State Public Information
Officer;
ii. the Central Assistant Public Information Officer or State Assistant
Public Information Officer.

Nevertheless, this Act also provides for exceptions to disclosure of
information:

Section 8(1)(j): This Section deals with 'Exemption from disclosure of
information'; sub-section (1) clause (j) provides that,

"The authorities are under no obligation to provide information to citizens
regarding inter alia information which relates to personal information, the
disclosure of which has no relationship to any public activity or interest, or
which would cause unwarranted invasion of the privacy of the individual
unless the Central Public Information Officer or the State Public
Information Officer or the appellate authority, as the case may be, is
satisfied that the larger public interest justifies the disclosure of such
information.

Provided that the information which cannot be denied to the Parliament or a
State Legislature shall not be denied to any person."

The Personal Data Protection Bill, 2019

The Personal Data Protection Bill, 2019 was introduced in the Lok Sabha on
December 11, 2019. The Bill seeks to provide for the protection of the
personal data of individuals, and establishes a Data Protection Authority.

• Applicability: The Bill provides for the processing of personal data by:
(i) the Government,
(ii) companies incorporated in India, and
(iii) foreign companies dealing with the personal data of individuals in
India.

The Bill categorises certain personal data as sensitive personal
data. This includes financial data, biometric data, religious or political
beliefs, caste, or any other category of data specified by the
Government, in consultation with the Authority and the concerned
sectoral regulator.

• Obligations of the data fiduciary: A data fiduciary is an entity or
individual who decides the means and purpose of processing
personal data. Such processing will be subject to certain
purpose, collection and storage limitations. Additionally, all data
fiduciaries have to take certain transparency and accountability
measures such as:
a. implementing security safeguards (such as data encryption
and preventing misuse of data); and
b. instituting grievance redressal mechanisms to address
complaints of individuals.
They must also institute mechanisms for age verification and parental
consent when processing the sensitive personal data of children.
 
• Rights of the individual: The Bill provides certain rights to the
individual, namely to:
i. Obtain confirmation from the fiduciary on whether their
personal data has been processed;
ii. Seek correction of inaccurate, incomplete, or out-of-date
personal data;
iii. Have personal data transferred to any other data fiduciary in
certain circumstances; and
iv. Restrict continuing disclosure of their personal data by a
fiduciary, if it is no longer necessary or consent is
withdrawn.
 
• Grounds for processing personal data: The Bill provides for the
processing of data by a fiduciary only if consent is provided by the
individual. However, in certain circumstances, personal data can be
processed without consent:
i. If required by the State for providing benefits to the
individual;
ii. For legal proceedings;
iii. For responding to a medical emergency. 
• Social media intermediaries: The Bill defines these to include
intermediaries which enable online interaction between users and
allow for sharing of information.
• Data Protection Authority: The Bill provides for a Data Protection
Authority which may:
i. Take steps to protect interests of individuals;
ii. Prevent misuse of personal data; and
iii. Ensure compliance with the Bill.
It will consist of a chairperson and six members, each with at least 10 years
of experience in the field of data protection and information
technology. Orders of the Authority can be appealed to an
Appellate Tribunal. Appeals from the Tribunal will go to the Supreme
Court.
• Transfer of data outside India: Sensitive personal data may be
transferred outside India for processing if the individual has explicitly
consented, and subject to certain additional conditions. However,
such sensitive personal data must continue to be stored in India.
Critical personal data shall only be processed in India.
• Exemptions: The central government can exempt any of its agencies
from the provisions of the Act in the following cases:
i. In interest of security of state, public order, sovereignty and
integrity of India and friendly relations with foreign states;
and
ii. For preventing incitement to commission of any cognisable
offence (i.e. arrest without warrant) relating to the above
matters.
Processing of personal data is also exempted for certain other purposes,
such as:
– prevention, investigation, or prosecution of any offence;
– personal or domestic purposes; or
– journalistic purposes.

However, such processing must be for a specific, clear and lawful
purpose, with certain security safeguards.

• Offences: The Bill includes the following offences:
i. Processing or transferring personal data in violation of the
Bill, punishable with a fine of Rs 15 crore or 4% of the
annual turnover of the fiduciary, whichever is higher;
ii. Failure to conduct a data audit, punishable with a fine of five
crore rupees or 2% of the annual turnover of the fiduciary,
whichever is higher; and
iii. Re-identification and processing of de-identified personal
data without consent is punishable with imprisonment of up
to three years, or fine, or both.
• Sharing of non-personal data with the government: The Central
Government may direct a data fiduciary to provide it with any:
i. non-personal data; and
ii. anonymised personal data for better targeting of services.
• Amendments to other laws: The Bill provides for the amendment of
the Information Technology Act, 2000 to delete the provisions related
to compensation payable by companies for failure to protect personal
data.
