See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/323958405

‘Privacy and Data Protection Laws in India: A Right-

Based Analysis

Article · October 2016

CITATIONS READS

0 5,637

2 authors:

Dr. Jayanta Ghosh Uday Shankar

West Bengal National University of Juridical Sciences Indian Institute of Technology Kharagpur
26 PUBLICATIONS   0 CITATIONS    9 PUBLICATIONS   16 CITATIONS   

SEE PROFILE SEE PROFILE

Some of the authors of this publication are also working on these related projects:

National Human Right Commission View project

Rajiv Gandhi School of Intellectual Property Law View project

All content following this page was uploaded by Dr. Jayanta Ghosh on 23 March 2018.

The user has requested enhancement of the downloaded file.

Bharati Law Review, Oct – Dec, 2016 54

PRIVACY AND DATA PROTECTION LAWS IN INDIA: A RIGHT-

BASED ANALYSIS
Mr. Jayanta Ghosh 
Dr. Uday Shankar
Abstract
The advancement of the technology and the dynamism of legal
world provides outlook of privacy and data protection issues in
this recent era. Privacy is something that is not to interfere to the
interest of others. Privacy is became a concern of every individual
due to technological advancement and it also emphasizes
narrowly for protection of data. Data protection emphasis
individual liberty and these individual’s liberty is under threat by
the interference of the stranger. The activity of the stranger to the
individual’s activity by any means is required to halt. The basic
legal requirement of any new phenomenon can be validate
through the constitution. The constitution of India has given more
emphasis on right rather than duty. For giving emphasis data
protection, it consider as a right based approach. As India is
developing state, it need some time for the effectiveness or
implementation of the new area of law. The data protection issue
mainly attracted by these areas which are Right to Privacy, Right
to Information, Information Technology, Indian penal Code,
National Security, Intellectual property, Corporate Affairs,
Consumer etc. The objectives of the research work is to examine
the present legal status of privacy and data protection in India as
a matter of right. The constitutionality of privacy & data
protection has given so much of importance in these recent days.
For the reason it is required to provide a special status in the legal
framework. The efficacy of present legal framework is need to
analyze to give a sophisticated protection of the privacy issues. It
explore the nature of right has been get affect to an individual by
encroachment of data protection in relation with other law. The
idea to put forward this theme is to associate the idea of India
with other countries.
Keywords: Data Protection, Constitution, Privacy, Information
Technology, Indian Penal Code, Intellectual Property,


Research Scholar, Rajiv Gandhi School of Intellectual Property Law, Indian
Institute of Technology Kharagpur, West Bengal, India.

Assistant Professor, Rajiv Gandhi School of Intellectual Property Law, Indian
Institute of Technology Kharagpur, West Bengal, India.
Bharati Law Review, Oct – Dec, 2016 55

Introduction
Rights, an inherent and inalienable characteristic of human
society, have been reduce into a visible and implementable
document in international and national sphere.1 Some rights find
explicit mention in such documents while others are introduce
through interpretative tool due to integral linking with such
rights. Among all these, right to privacy is one of the most
important and acceptable personal right. It provides power to
individual snooping from others. Right to privacy finds reference
in the Universal Declaration of Human Rights and International
Covenants of Civil and Political Rights, Convention on the Rights
of the Child.2 Right to Privacy is the most integral part of human
life.3 In India, this right has been identified as integral feature of
right to life and liberty and right to freedom of speech expression.4
Every person is eligible to a ‘personal domain’ free from
unjustified interference or surveillance by the State or other
actors. Notwithstanding the pervasive recognition of the obligation
to protect privacy, the specific content of this right was not fully
developed by international human rights protection mechanisms.
The lack of clear expression of the content of this right has
contributed to difficulties in its application and enforcement.5 As
the right to privacy is a qualified right, its interpretation raises
challenges with respect to what organizes the private sphere and
in establishing notions of what constitutes public interest. As

1 Prakash Shah, “International human Rights: A perspective from India,” Fordham

International Law Journal, Vol. 21, Issue 1, Article 3, (1997): 24- 38.
2 Article 12, “No one shall be subjected to arbitrary interference with his privacy,
family, home or correspondence, nor to attacks upon his honour and
reputation. Everyone has the right to the protection of the law against such
interference or attacks.” Accessed October 21, 2016,
http://www.un.org/en/documents/udhr/, Article 17 (1), “No one shall be
subjected to arbitrary or unlawful interference with his privacy, family, home or
correspondence, nor to unlawful attacks on his honour and reputation.”
Accessed October 21, 2016,
http://www.ohchr.org/en/professionalinterest/pages/ccpr.aspxArticle 16 (1)
No child shall be subjected to arbitrary or unlawful interference with his or her
privacy, family, or correspondence, nor to unlawful attacks on his or her honour
and reputation. Accessed October 21, 2016,
http://www.ohchr.org/en/professionalinterest/pages/crc.aspx.
3 Samuel D. Warren and Louis D. Brandeis, “The Right to Privacy,” Harvard Law
Review, Vol. 4, No. 5 (1890): 193-220.
4 Article 21 & 19 (1)(a) of the Indian Constitution, See also Udai Raj Rai,
Fundamental Rights and their enforcement, PHI Learning Private Limited, New
Delhi, (2011) p.19. See also Kharak Singh v. The State of U.P. and Ors. AIR 1963
SC 1295
5 UNESCO, Global Survey on Internet Privacy and Freedom of Expression, (2012):
51.
Bharati Law Review, Oct – Dec, 2016 56

matter of public interest, the right of human being encroached

through the medium of communication. Privacy of
communications concludes that individuals are able to exchange
information and ideas in a space that is beyond the reach of other
members of society, the private sector, and ultimately the State
itself. These rights of individual only to exercise their right to
privacy in communications system.6
Mid of the last century witnessed documentation of a right which
relates with non-interference in one’s personal life. It has acquired
significance with the commodification of technology. Technology
has transcended every sphere of human life7. Intrusion in human
life through advanced technology has become every day
phenomenon. It is happening either through voluntary disclosure
or involuntary acquisition of information. The surveillance
potential of powerful computer systems prompted demands for
specific rules governing the collection and handling of personal
information. The genesis of modern legislation in this area can be
traced through privacy of individual to the first data protection
law in the world.8The data protection is the species of the Privacy
and it is international phenomenon now a days.9The idea of
establishing rights perspective data protection as a human rights.
If an individual have the right to privacy then it also carries the
right to protect data. The data protection is a developing area due
to the technological advancement of this time.10
Concept of Data Protection
The concept of data protection is taking the important place in
worldwide. Gradually all nations are embracing the concepts of
Data protection and implementing laws regulating the use and
abuse of personal information.11 This terminology of “data

6 S.K. Sharma, Privacy Law: A Comparative Study (Atlantic Publishers &

Distributors: 1994).
7 Austin, Lisa Michelle, “Privacy law and the question of technology.” Ph.D. Thesis,

University of Toronto; 2005, ProQuest Dissertations and Theses.

8 David Flaherty, "Protecting Privacy in surveillance societies", University of North

Carolina Press, (1989).

9 Lee A. Bygrave, “Privacy and Data Protection in an International Perspective,”
Stockholm Institute for Scandinavian Law, (2010).
10 Nicholas D. Wells, Poorvi Chothani and James M. Thurman, Information

Services, “Technology, and Data Protection,” The International Lawyer, Vol. 44,
No. 1, International Legal Developments Year in Review: 2009 (2010): 355-366.
11 Section 2 (o) of the Information Technology Act, 2008 provides "Data" means ‘a

representation of information, knowledge, facts, concepts or instructions which

are being prepared or have been prepared in a formalized manner, and is
intended to be processed, is being processed or has been processed in a
computer system or computer network, and may be in any form (including
Bharati Law Review, Oct – Dec, 2016 57

protection” is deriving from the German term “Datenschutz”12. The

data protection concept is more of less connected with the
individual’s privacy.13 It is typically reserve for a set of norms that
serve a wider range of interests than simply privacy protection14.
It is not privacy only which are been taken into consideration for
data protection. There are variety of other, partly overlapping
concepts have been invoked too, particularly those of “freedom”,
“liberty” and “autonomy”15. In the concern the first and foremost
condition come in mind for the individual that data protection is a
right or not.16 An emerging issue in this area is the extent to
which such laws should protect organizations and groups. This
data protection concept mostly accepted about the individual’s
information protection. The scope of the data protection is also the
protection of information laws to "data subjects" defined narrowly
as "living individuals". Thus in matter of corporate body, such as
a limited company, has no right of access to any information

computer printouts magnetic or optical storage media, punched cards, and

punched tapes) or stored internally in the memory of the computer”.
12 Further on the origins of “Datenschutz”, Smitis, S. (ed.),
“Bundesdatenschutzgesetz, Nomos Verlagsgesellschaft, Baden-Baden,” 6th
edition, (2006): 62–63.
13 Lutha R Nair, “Data Protection Efforts in India: Blind leading the Blind?,” The
Indian Journal of Law & Technology VOL 4 (2008).
14 Bygrave, L.A., “Data Protection Law: Approaching Its Rationale, Logic and
Limits,” Kluwer Law International, The Hague / London / New York (2002).
15 Westin, A.F., “Privacy and Freedom,” Atheneum, New York (1970); Miller, A.,
“The Assault on Privacy: Computers, Data Banks and Dossiers,” University of
Michigan Press, Ann Arbor (1971). The title of Westin’s seminal work, Privacy
and Freedom, is a case in point. Indeed, as pointed out further below, “privacy”
in this context has tended to be conceived essentially as a form of autonomy –
i.e., one’s ability to control the flow of information about oneself.
16 In the case of The Central Public Information Officer, Supreme Court of India v.
Subhash Chandra Agarwal & Anr. It is been held that “the right to access public
information and processing of this information by the state agencies and
governments, in democracies is an accountability measure empowering citizens
to be aware of the actions taken by such state "actors". This transparency value,
at the same time, has to be reconciled with the legal interests protected by law,
such as other fundamental rights, particularly the fundamental right to privacy.
Certain conflicts may underlie particular cases of access to information and the
protection of personal data, arising from the fact that both rights cannot be
exercised absolutely in all cases. The rights of all those affected must be
respected, and no single right must prevail over others, except in clear and
express circumstances. There are two types of information seen as exceptions to
access; the first usually refers to those matters limited only to the State in
protection of the general public good, such as national security, international
relations, confidentiality in cabinet meetings, etc. The second class of
information with state or its agencies, is personal data of individual citizens,
investigative processes, or confidential information disclosed by artificial or
juristic entities, like corporations, etc. Individuals' personal data is protected by
the laws of access to confidential data and by privacy rights.”
Bharati Law Review, Oct – Dec, 2016 58

concerning itself because the organization is not a data subject,

and information about it is not personal data.17
Therefore, data protection issues authoritative value are consider
a debatable matter. The state or non-state actor or the individual
who will protect it as a matter of right. In non-state actor the two
essential aspect of data protection are as, firstly, the narrower
meaning based on the argument that legislation should extend to
organizations, particularly smaller enterprises, because
information about the organization may indirectly be information
about the organization’s owners and controllers. Second, the
broader meaning, that organization have legitimate rights in
respect of information about them held by others in the same way
that individuals have.18
The concept of Data protection has some directive in different
countries. The European Union has sophisticated Data Protection
Law.19 Under EU law, personal data can only be gather legally
under strict conditions, for a legitimate purpose. Furthermore,
persons or organizations that collect and manage your personal
information must protect it from misuse and must respect certain
rights of the data owners that guaranteed by EU law. The absence
of generic privacy legislation in the U.S. is a major concern to the
EU nations and this will make determination that the U.S.
ensures an adequate level of protection unlikely. While there are
concerted efforts in the administration calling for privacy
legislation covering various types of data20 the large number of
bills in Congress dealing with privacy issues suggests that the
U.S. may continue to take a piece-meal approach to privacy
legislation.21
Constitutional Status
The constitution of India has some provisions like, ‘Freedom of
Speech and Expression’22and ‘Right to Life and Personal Liberty’.23

17 Supra Note 13.

18 Supra Note 13.
19 Handbook of European Union Data Protection laws, Accessed October 21, 2016,
http://fra.europa.eu/sites/default/files/fra-2014-handbook-data-protection-
law-2nd-ed_en.pdf.
20 Secretary of Health and Human Services, Shalala made recommendations to
Congress on the Confidentiality of Individually-Identifiable Health Information
on September 11, 1997.
21 Rebecca Vesely “Cop-friendly Approach to Handling Medical Data,” Wired News
12 (September 1997) Accessed March 20, 2014,
http://www.wired.com/news/news/politics/story/6824.html.
22 Article 19 (1) (a) of the Indian Constitution
23 Article 21 of the Indian constitution.
Bharati Law Review, Oct – Dec, 2016 59

These provisions has its effect to the right to privacy as a

fundamental right. There are number of cases24 also which
establishes the right to privacy as a fundamental right. The
conceptuality of this proposition has also connected with the new
dimension of the ‘Data Protection’. The linkage between this
privacy and data protection are interdependent to each other. The
right of data protection is the closely related with the
‘information’25 of an individual.
The study of constitutional provisions to understand the
relationship of privacy with explicitly scripted rights along with
interpretation accorded by the apex court of the country.26 It
explores the issue of data protection dealt under different
legislations.27 Finally it builds a case of treating an issue of data
protection from a right-based perspective.
As a matter of human right, Sir John Simmons says, “Human
rights are rights possessed by all human beings [at all times and
in all places], simply by virtue of their humanity….[They] will have
the properties of universality, independence [from social or legal
recognition], naturalness, inalienability [from social or legal
recognition], naturalness, inalienability, non-forfeit ability, and

24 R Rajagopal v. State of Tamil Nadu AIR 1995 SC 264; Sharda v. Dharampal, AIR
2003 SC 3450; District Registrar and Collector v. Canara Bank, (2005)1 SCC
496; State of Karnataka v. Krishnappa AIR 2000 SC 1470; State v. N. M. T. Joy
Immaculate, AIR 2004 SC 2282; X v. Hospital Z AIR 1999 SC 495; Kottabomman
transport Corporation Limited v. State Bank Of Travancore and others, AIR 1992
Ker. 351; Registrar and Collector, Hyderabad and Anr. v. Canara Bank Etc AIR
2004 SC 935;
25 In a case, The CPIO, Supreme Court of India v. Subhash Chandra Agarwal and
Anr. the Information Technology Act 2008, laid down the Definition of 2(f)
"information" means ‘any material in any form, including records, documents,
memos, e-mails, opinions, advices, press releases, circulars, orders, logbooks,
contracts, reports, papers, samples, models, data material held in any electronic
form and information relating to any private body which can be accessed by a
public authority under any other law for the time being in force’.
26 It has held that in a case of Ram Jethmalani & Ors v. Union of India, (2011) 8
SCC 1. “Right to privacy is an integral part of right to life, a cherished
constitutional value and it is important that human beings be allowed domains
of freedom that are free of public scrutiny unless they act in an unlawful
manner. Revelation of bank account details of individuals, without
establishment of prima facie grounds to accuse them of wrong doing, would be a
violation of their rights to privacy. State cannot compel citizens to reveal, or
itself reveal details of their bank accounts to the public at large, either to receive
benefits from the State or to facilitate investigations, and prosecutions of such
individuals, unless the State itself has, through properly conducted
investigations, within the four corners of constitutional permissibility.”
27 Justice A P Shah Committee Report, “Report of the Group of Experts on
Privacy”, (2012), Accessed October 21, 2016,
http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf.
Bharati Law Review, Oct – Dec, 2016 60

imprescriptibility. Only so understood will an account of human

rights capture the central idea of rights that can always be
claimed by any human being”.28 Therefore the idea to protect the
human right is also the protection of data. The universality and
the independence of the data protection is an essential matter for
an individual. These data protection also leads to right to privacy.
The most significant and illumination discussion is that privacy
and data protection has a different link to each other. These
linkage or shadows of different areas that are interrelated with
these regime. Like the privacy is a concept related to seclusion,
solitude and isolation, although it is not synonymous with these
terms; far beyond the purely descriptive aspects of privacy like
withdrawal from the company, curiosity, and influence of
others, implying the right to exclusive control of access to
individual realms. The pathfinder of this developmental right as
an activism in the part of the court are also being highlighted as a
matter of right.
The rights of an individual can be acquire naturally, so that the
right to privacy has also to be attain naturally. The jurist Herbert
Hart in his influential article, ‘Are There Any Natural Rights?’
distinguishes between ‘general rights’ and ‘special rights’.29
Special rights arise out of ‘special transactions [or] special
relationships’ such as promises, contracts, or membership in a
political society, whereas general rights belong to ‘all men capable
of choice...in the absence of those special conditions which give
rise to special rights’.30 By this view that the data protection is a
general or special right are also being taken into consideration in
this work.
Analysis of the Right Based Approach
The scrutinizing of right based approach of the ‘data protection’
issue can only done through the different laws. The objectives of
this approach is that to analyze the stand point of the ‘data
protection’ regime in India. The issue of data protection assumed
great importance in recent days and the development of internet-
enabled services which, in turn, led to the boom in outsourcing of
data processing, business process, call-center services,
accounting functions and other business operations. However, the
technology has been develop, to tackle the advancement the laws

28 Beitz (2004): 196, Simmons (2001).

29 H L A Hart, “Are There Any Natural Rights?” The Philosophical Review Vol 64,
NO 2 (1955): 175-191,
30 Ibid, pp.183-188.
Bharati Law Review, Oct – Dec, 2016 61

are also improvise. Therefore data protection explore how far the
information, details and data of individuals and organizations are
protected under the laws of India, especially under the
Constitution of India.31
The emphasis is laid on the protection available under the
Constitution of India since it is the “basic and ultimate source”
from which all other laws derive their validity and force. These
three must address for discussion of constitutional aspect
concern, (1) Privacy rights of interested persons in real space and
cyber space. (2) Mandates of freedom of information under Article
19 (1) (a). (3) Mandates of right to know of people at large under
Article 21. It categorically speaks about the right to privacy, right
to information, right to know and electronics governance, trade
secret, intellectual property etc. in the light of different view point.
For the purpose of justifying relationship with rights this research
work has done. In addition, another gap of this work is that there
is no equilibrium between information and Data processes.32 The
right based approach can only be justify through the discussion
with other laws these are hereunder:
Data Protection & Right to privacy
The ‘data protection’ and ‘right to privacy’ has much more similar
to each other. The ‘data protection’ can only be possible if the
encroachment of privacy is being stopped. Privacy law in general,
and informational privacy in particular, have always been closely
linked to technological development.33 In their seminal 1890
article ‘The Right to Privacy’, Warren and Brandeis lament the
‘instantaneous photographs and newspaper enterprise that have
invaded the sacred precincts of private and domestic life; and
numerous mechanical devices threaten to make good the
prediction that “what is whispered in the closet shall be
proclaimed from the house-tops”.34 This is the genesis of the
privacy matter. Now a days this is being developed in ‘data
protection’. The idea of ‘Data Protection’ has its different aspects.
The different aspects of data protection as a right like, the right

31 Dr. Amit Ludri, Law on protection of personal & official information in India, The
Bright Law house, New Delhi, 1st Edition, (2010).
32 Praveen Dalal, “Data Protection laws in India: A Constitutional
Perspective,”Accessed October 21, 2016,
http://ipmall.info/hosted_resources/gin/PDalal_DATA-PROTECTION-LAW-IN-
INDIA.pdf.
33 Graham Greenleaf and Sinta Dewi Rosadi, “Indonesia’s data protection
Regulation 2012: A brief code with data breach notification,” Privacy Laws &
Business International Report, Issue 122, (2013): 24-27.
34 Supra Note 3.
Bharati Law Review, Oct – Dec, 2016 62

of access to data banks, the right to check their exactness,

the right to bring them up to date and to correct them, the
right to the secrecy of sensitive data, the right to authorize
their dissemination: all these rights together today constitute
the new right to privacy.35 Hence in this matter the linkage of
‘Data Protection’ and ‘Privacy’ status are very much appropriate as
a right based approach.
The evolution of the Constitutional right to privacy began in the
early 1950s in the context of police surveillance of the accused
and domiciliary visits to a person’s home. The domiciliary visits
could be conducted any time, night or day, to monitor whether
persons were engaging in suspicious criminal activity. In a case
M.P Sharma v. Satish Chandra36, Supreme Court held that the
contention that search and seizure violated Article 19(1) (f) of the
Constitution. The Court took the view that a mere search by itself
did not affect any right to property, and though seizure affected it,
such effect was only temporary and was a reasonable restriction
on the right to privacy. Then the right to privacy has been
developed in the Constitutional sphere of India under the Article
19 (1) (a) and Article 21. In the other context the right to liberty
under Article 21 of the Constitution is also addressed by Subba
Rao, J in case of Kharak Singh v. State.37
In another landmark case38, the Supreme Court of India further
developed the law of privacy by holding that domiciliary visit of the
police and disclosure of the information. These disclosure of the
information approaching the modern data protection concern. In
R Rajagopal v. State of Tamilnadu39the petitioner was the editor,
printer and publisher of a Tamil weekly magazine published in
Madras who sought an order restraining the State of Tamilnadu
from interfering with the authorized publication of the
autobiography of Auto Shankar, a condemned prisoner awaiting
the death penalty which was based on public records. In this
case40 Jeevan Reddy, J reaffirmed that the right to privacy is
implicit in the right to life and liberty guaranteed in Article 21 of
the Constitution. The Court also affirmed that the ‘right to be let
alone’ for every citizen of this country to safeguard their privacy.

35 I. N. Walden and R. N. Savage, “Data Protection and Privacy Laws: Should

Organizations Be Protected?”The International and Comparative Law Quarterly,
Vol. 37, No. 2 (1988): 337-347.
36 AIR 1954 SCR 1077.
37 AIR 1963 SC 1295.
38 Govind v. State of Madhya Pradesh, AIR 1975 SC 1378.
39 (1994) 6 SCC 632.
40 (1994) 6 SCC 632.
Bharati Law Review, Oct – Dec, 2016 63

Therefore the ‘right to privacy’ has its own way to develop the
matter of ‘data protection’. In the same way both the idea has
been come under the matter of right under the Constitution of
India.
Data Protection & Right to Information Act, 2005
In India, Right to Information come with that contention that, “the
practical regime of right to information for citizens to secure
information under the control of public authorities in order to
promote transparency and accountability…… for matters
connected therewith or incidental thereto”41. This is the preamble
of the Act 2005 and the Section 2(j) speaks about the definition of
‘right to information’.42 Now the issue arise that ‘data’ which was
kept with the public authority are safe or not. The digital data as
per clause (iv) of Section 2(j) is being maintaining properly or not
is really in doubt.
The ‘data protection’ in this Act is concern are being taken care as
a matter of right to the individual. In a case, Bannett Coleman v.
Union of India43 the court held that ‘it is indisputable that by
freedom of press meant the right of all citizens to speak, publish
and express their views,’ and ‘freedom of speech and expression
includes within its compass the right of all citizens to read and be
informed’. In Indian Express Newspaper (Bombay) v. Union of
India44, the Court held that, “the basic purpose of freedom of
speech and expression is that all members should be able to form
their beliefs and communicate them freely to others. In sum, the
fundamental principle involved here is the people’s right to know”.
Therefore the linkage between these two contexts can only be
made by the judgment of the apex court. In the same way PUCL v.
Union of India45 held that the right to information was further be
elevated to the status of a human right, necessary for making
governance transparent and accountable. The Supreme Court has
consistently held that the right to information is inherent in

41 Ministry of Law & Justice (2005a), Accessed October 21, 2016,

http://lawmin.nic.in/legis.htm.
42 "Right to Information" means ‘the right to information accessible under this Act
which is held by or under the control of any public authority and includes the
right to: (i) Inspection of work, Documents, Records; (ii) Taking notes, Extracts
or Certified copies of documents or records; (iii) Taking certified samples of
material; (iv) Obtaining information in the form of Diskettes, Floppies, Tapes,
Video cassettes or in any other electronic mode or through printouts where
such information is stored in a computer or in any other device’.
43 AIR 1973 SC 60.
44 (1985)1 SCC 641.
45 (2004) 2 SCC 476
Bharati Law Review, Oct – Dec, 2016 64

Article 19 of the constitution, thereby it is justified that the

linkage between these two contexts are very much related to right
base approach.
Data Protection & Information Technology (Amendment) Act
200846
The ‘data protection’ and the ‘Information Technology Act” has its
own implication with each other relation. The objectives of the
Act47 clearly speaks about the protection of the cyber relation
matters. It provides for protection against certain of breaches in
relation to data from computer systems. The said Act48 comprises
provisions to prevent the unlawful use of computers, computer
systems and data stored therein. There are several provisions has
been inserted which are related to the ‘data protection’. The new
section 43A49 and Section 72A50 of the Act clearly speaks about
the protection of data.
This 2008 Amendment Act51 represent a significant steps towards
combating the multitude of crimes of the cyber age. The changes
introduced in the statutory data protection in Indian laws thereby
finally ceding to the demand of the US and European nations over
the past decade. The service provider are now facing
imprisonment for the disclosure of the ‘personal information’52 in

46 Information Technology (Amendment) Act 2008, Accessed October 21, 2016,

http://www.cyberlawconsulting.com/itact2008amendments.pdf.
47 Ibid.
48 Ibid.
49 Section 43A, It represents a radical change in the law which may have taken
place due to the industry’s contention that there was no adequate protection of
data in India as compared to Europe and that this was adversely affecting
outsourcing. Under this provision when a body corporate processing, dealing or
handling any sensitive personal data or information in a computer resource
which it owns, controls and operates, is negligent in implementing and
maintaining reasonable security practices and procedures and thereby cause
wrongful loss and wrong full gain to anybody corporate shall be liable to pay
damages by way of compensation to the person so affected.
50 “Section 72A. Save as otherwise provided in this Act or any other law for the
time being in force, any person including an intermediary who, while providing
services under the terms of lawful contract, has secured access to any material
containing personal information about another person, with the intent to cause
or knowing that he is likely to cause wrongful loss or wrongful gain discloses,
without the consent of the person concerned, or in breach of a lawful contract,
such material to any other person, shall be punished with imprisonment for a
term which may extend to three years, or with fine which may extend to five
lakh rupees, or with both.’’
51 Supra Note 46.
52 Under the Personal Data (protection) Bill 2013, Section 2 (p) “personal data”52
means any data which relates to a natural person if that person can, whether
directly or indirectly in conjunction with any other data, be identified
from it and includes sensitive personal data.
Bharati Law Review, Oct – Dec, 2016 65

violation of contractual obligation. Moreover, the disclosure of

‘sensitive personal information’53 makes the perpetrator liable to
pay damage.
Therefore, as a matter of right data protection has been given
same the status. The technological development in the matter of
the main focus given to analyze the EU Data Protection legislation
and the stands of Indian Information Technology amendment Act
200854. It talks about the corporate exercise of the Data like excess,
share, discloser, publication security measure and the penalty in
the light of the Information Technology Act 200855. Another is IT
Rules 2011 is also gives the impression of right concern implication
in its provisions.56The importance of the outsourcing business in
India, and how this may impact the flow of business from European
Union companies. The recently notified regulations relating to
protection of sensitive personal data are also being discuss in this
article and it also examines the Indian regulations, contrasting
their provisions, at certain points, with the UK Data Protection Act
1998.57 Hence, the main right base approach are asserted to
individual right of data protection.
Data Protection & Indian Penal Code
The Indian Penal Code has its roots in the time of British rule in
India. The first introductory draft was formulated in 1860s under
the chairmanship of Lord Macaulay. By this the relation with ‘data
protection’ with the provision of ‘Indian Penal Code’ are not that
much satisfying the all need. The Indian Criminal law does not
specifically address breaches of data privacy. Under the Indian
Penal Code, liability for such breaches must be inferred from
related crimes. For instance, Section 403 of the India Penal Code
imposes criminal penalty for dishonest misappropriation or
conversion of “movable property”58 for one’s own use. When it

53 Under the Personal Data (protection) Bill 2013, Section 2 (x) “sensitive personal
data”53 means personal data as to the data subject’s – (i) Biometric data; (ii)
Deoxyribonucleic acid data; (iii) Sexual preferences and practices; (iv) Medical
history and health; (v) Political affiliation; (vi) Commission, or alleged
commission, of any offence; (vii) [Ethnicity, religion, race or caste]; and (viii)
[financial and credit information].
54 Supra Note 46.
55 Supra Note 46.
56 Information Technology Rules 2011, Accessed February 20, 2015,
http://www.ijlt.in/pdffiles/IT-(Reasonable%20Security%20Practices)-Rules-
2011.pdf.
57 Raghunath Ananthapur, “India‘s New Data Protection Legislation”, Volume 8,
Issue 2, (2011).
58 ‘Movable p1roperty’ has been defined as property which is not attached to
anything and is not a land.
Bharati Law Review, Oct – Dec, 2016 66

come under the liability part of other then the question arise on
opposite that whose right are to be protected. The Section 405 and
Section 409 speaks about whoever misappropriates some other
person’s property is punishable under criminal breach of trust. In
another Section 378 no one can dishonestly take any movable
property out of the possession of any person without that person’s
consent, if he does so then he is said to commit theft and is
punished but there is not any particular act regarding electronic
data protection to till date. In this concern there are two way to
addresses the legal right which one may can undergo. Actually the
crime is done against the state only. Hence the right of the state to
maintain law and order it’s a serious concern. In Penal Code
penalties are mention and in civil actions laws for damages
including the amount of damages, must be determined by the
verdict of a jury59. The idea to mention this are very much relevant
for addressing the right issue. The relationship of the ‘data
protection’ and ‘Indian Penal Code’ on addressing the right are
appropriate. In this texture the state also come under the purview
to protect the data of an individuals.
Data Protection & National Security
The ‘data protection’ and ‘national security’ are very much
relevant in the contemporary world scenario. The importance of
the National security and law enforcement agencies in every
country plays very vital role regarding ‘data protection’.60 For
instance, the story has come out in the year 201361, that a fellow
Edward Snowden has releases the privacy related data of United
State. By this story a hue and cry situation arises that whether an
individual doesn’t have privacy at all. The data access by any
individual if it is exposed in the public domain then what kind of
privacy will prevail. If this situation arise, the developed country
will be the most powerful according to their technological
advancement and what would be the situation of developing
country.62 The national security are not at all played any role in
this situation. For the purpose of making the parity with this

59 Denis O'Brien, “The Right of Privacy,” Columbia Law Review, Vol. 2, No. 7
(1902): 437-448.
60 Law Enforcement, National Security, and Privacy, Accessed March 25, 2015,
http://cis-india.org/internet-governance/blog/law-enforcement-national-
security-privacy.pdf.
61 The Hindu, Published in June 24, 2013,Accessed October 21, 2016,
http://www.thehindu.com/news/international/world/edward-snowden-and-
the-nsa-files-story-so-far/article4846529.ece?css=print.
62 Daniel J. Solove & Paul M. Schwartz, “Privacy, Information and Technology,”
Wolter Kluwer Law & Business Publisher in New York, (2011), 79-256.
Bharati Law Review, Oct – Dec, 2016 67

situation the idea to put forward the right base approach are very
much important in nature.
In similar situation national security and law enforcement are
often excluded from laws, or are broadly accepted purposes for
which such access is permissible. This proved to be the case in
every country, even in those nations with the most well developed
data protection regimes. For example, Dan Svantesson writes that
Australian laws ‘taken together ... provide Australian law
enforcement and national security agencies with broad access to
private-sector data.’63 The result is that data collection and use for
national security and law enforcement purposes is often excluded
from oversight applicable to other data processing activities or
subject to far less transparent standards and oversight regimes.64
The protection against the authority to individuals are necessary
to examine the right based approach. In that authority like police
can track a cell phone except in a limited set of time-sensitive
situations and emergencies. The latest technology has given every
moment snooping to the enforcement agencies, and the geo-
location of every individual. The issue is that discusses the
cellular location technology that police use to monitor citizens
who use cell phones. Specifically, this commentary will examine
cell site, Global Positioning System, and Wi-Fi technology. The
other issue will show that legislation is needed in this area
because cell phone tracking is a widespread practice that may
eventually replace federally regulated wiretapping to some
degree.65 Now the matter is that for the purpose of national
security reason to some extent this encroachment is genuine, but
on the other hand the personal privacy related issue also peep
into the door.
In Case of District Registrar and Collector, Hyderabad v. Canara
Bank66 the Supreme Court contended that the search and seizure
by the enforcement agency of any registers, books, records,
papers, documents or other proceedings for the purpose of
collecting evidence and discovering the fraud and omission of
stamp duty payable or not of an individuals are come under the
infringement situation, secrecy and confidentiality must be

63 Dan Jerker B. Svantesson, “Systematic Government Access to PrivateSector

Data in Australia,” 2/4 International Data Privacy Law, (2012): doi:
10.1093/idpl/ips021
64 Supra Note 27.
65 Stephen Wagner, Stopping Police in Their Tracks: Protecting Cellular Location
Information Privacy In The Twenty-First Century, 12 Duke Law & Technology
Review 200
66 AIR 2005 SC 186.
Bharati Law Review, Oct – Dec, 2016 68

maintain.
Now according to establishing the right, individual liberties such
as privacy and Data protection is an essential phenomenon for
tackling the policies of cybercrime and cyber security which day
by day is increasing67. The concern of Data protection and the
human rights are in the same periphery. It involves the privacy
and data protection in the every countries. The philosophical
debate of the ‘security vs. privacy’ dichotomy ‘interest vs. right’ or
‘value vs. value’ hinges on the idea that balancing is always
needed according to some weighing rule which limits one in favour
of the other. This has also gives the idea of Data, Data Controller,
Data Processer, Data Storage and the proposed regulation.68
Data Protection & Intellectual Property Law
The parity between the ‘data protection’ and the ‘intellectual
property law’ are need to be analyze as a right based approach in
concern of the computer related database work.69 It is been
recognized under section 63B of Indian Copyright Act provides
that any person who knowingly makes use on a computer of an
infringing copy of computer program shall be liable for
infringement. The intellectual property right of an individual are
based on the ‘labour, skill and judgment’ factors. If any literary,
dramatic, musical, artistic and cinematographic works are
recognized by law, then the protection of the right of owner of that
work is essential. However, it is difficult to differentiate between
data protection and database protection under the Copyright
Act70.
Data protection is aimed at protecting the informational privacy of
individuals, while database protection has an entirely different
function, namely, to protect of the creativity and investment put
into the compilation, verification and presentation of databases.
The legal concepts of access, privacy, ownership and evidence are
generic to all relationships. However these concepts can also be
used to analyze the rights and obligations of recordkeeping
participants professional and business. Property law can apply to

67 VaishaliSharma,“YouHaveZeroPrivacy,Get OverIt:(DataProtectionLaw InIndia,

Analyzed In A Comparative Framework)”, Accessed October 21, 2016,
http://thegiga.in/LinkClick.aspx?fileticket=4I_C-RPOQMg%3D&tabid=589 .
68 Maria Grazia Porcedda“Data Protection and The Prevention Of Cybercrime: The
Eu As An Area Of Security? European University Institute, Florence Department
of Law,” Accessed October 21, 2016, http://ssrn.com/abstract=2169340.
69 Supra Note 10.
70 THE COPYRIGHT(AMENDMENT)ACT,20l2, Accessed October 21, 2016
http://www.wipo.int/edocs/lexdocs/laws/en/in/in066en.pdf.
Bharati Law Review, Oct – Dec, 2016 69

records as right-duty things, which evidence the legal

relationship, rather than as mere physical objects. Access and
intellectual rights and obligations provide examples of the
different needs of recordkeeping participants. Privacy protection
has to be balanced with the need to retain identity information
over time to establish rights and obligations. Using the rights and
obligations approach attributes the responsibility for the creation,
documentation and preservation of evidence to a range of parties
within a web of relationships, which include the author and
recipient, data subjects and third parties that are equally
applicable to the online environment.71
In similar way ‘data protection’ and ‘Intellectual Property right’
matters for rights. It speaks about four type of privacy:
information privacy, bodily privacy, privacy of communication &
territorial privacy.72 There are some model talks about intellectual
property right model, moral right model, trade secrecy model
which is the core of ‘right base approach’. In the matter of
generalizing the concept of intellectual property the right of the
author need to be established as legal right of an individual to
control uses or discloser of personal data. In this matter also the
author pointed to ‘govt. should adopt a flexible and responsive
approach to the protection of personal data including the
acceptance of property right-related solution.73
Data Protection & Corporate affairs
The ‘data protection’ and ‘corporate affairs’ is also making the
relationship of right base approach. The corporate are really very
much affected in different aspects. The access, disclosure, share
and processing of the data is very much important. The custody of
data processor or data controller has played vital role in the
corporate sector. Sometimes the private organization has the
responsibility to share or not to share. Here lies the conflict that
private and public organization with the enforcement agency. The
commercial online whenever anybody wants to access any
information or order any product, then the information are asking
to submit. Now the question arise after submission of this

71 Property, privacy, access and evidence as legal and social relationships,

Accessed October 21, 2016,
http://download.springer.com/static/pdf/977/chp%253A10.1007%252F1-
4020-4714-
2_5.pdf?auth66=1424433931_1c7e42dfa070decb666a36746471f322&ext=.pdf.
72 Available at, http://gilc.org/privacy/survey/intro.html (Accessed October 21,
2016).
73 M M S Karki, “Personal Data Privacy & Intellectual Property,”Journal of
Intellectual Property Rights, Vol 10. (2005): 59-63.
Bharati Law Review, Oct – Dec, 2016 70

information the data which kept the authority is follows the public
policy or not. In this light the banking sector, the banker has the
obligation not to disclose the information in their possession,
which resulting in a breach of the duty of secrecy and
confidentiality owed to the client. The scope of the right to privacy
of banking customer was curtailed as it conflicted with the right to
information and public information74.
In another sphere, The Securities and Exchange Board of India
Act (1992)75 establishes the Securities and Exchange Board of
India (SEBI) to govern and regulate the use of individual’s credit
information.76 In the Act77, reactive access by the government is
mediated through Security Exchange Board of India, which is
empowered with broad access to private-sector data related to the
securities market. As a safeguard to unauthorized reactive access,
SEBI is permitted to undertake inspection only if it has
reasonable grounds to believe that: a company has been indulging
in insider trading or fraudulent, unfair trading practices are being
used, transactions in securities are being dealt with in a manner
detrimental to the investor, or an intermediary or any person
associated with the securities market is contravening any
provision in the Act.78 The Act re-enforces reactive access to and
disclosure of information by penalizing any person who fails to
furnish the required information.79
In another segment of corporate affairs, the Credit Information
Companies Regulation Act, 200580(“CICRA”), the credit
information pertaining to individuals in India have to be collected
as per privacy norms enunciated in the CICRA regulation. Entities
collecting the data and maintaining the same have been made
liable for any possible expose or alteration of this data. Based on
Fair Credit Reporting Act and Graham Leach Bliley Act81, the
CICRA has created a strict framework for information pertaining
to credit and finances of the individuals and companies in India.

74 Mr. K.J. Doraisamy v. The Assistant General Manager, State Bank of India and
others, (2007) 136 Comp Cases 568 (Mad).
75 SECURITIES AND EXCHANGE BOARD OF INDIA ACT 1992, Accessed October
21, 2016, http://www.sebi.gov.in/acts/act15ac.pdf.
76 Ibid.
77 Ibid.
78 Ibid.
79 Ibid
80 CREDIT INFORMATION COMPANIES REGULATION ACT, 2005
http://www.equifax.com/international/india/pdfs/Credit_Information_Compan
ies_Act.pdf (Accessed October 21, 2016).
81 Accessed October 21, 2016,
http://www.dataquick.com/wp-content/uploads/2013/02/GLB-outline.pdf.
Bharati Law Review, Oct – Dec, 2016 71

The Regulations under CICRA which provide for strict data

privacy principles have recently been notified by the Reserve Bank
of India. In the light of this, the ‘data protection’ and ‘corporate
affairs’ are also possess same direction to the ‘right based
approach’.
Data Protection & Consumer
The consumer relation with the organization is a very vital to
articulate the ‘data protection’ matter. In the case of Shakankarlal
Agarrwalla v. State Bank of India82, the Calcutta High Court held
that a banker is under an obligation to secrecy. According to Lord
Halsbury’s laws of England, “it is implied term of the contract
between a banker and his customer that the banker will not
divulge to third person without the express and implied consent of
the customer either the state of the customer’s account or any of
his transactions with the bank or any information’s relating to the
customer acquired through the keeping of his account unless the
banker is compelled to do so by order of a court or the
circumstances give rise to a public duty of disclosure or protection
of the banker’s own interest requires it.” Therefore the idea to put
forward the relation of the banker and customer must be
maintain.
In the other way, due to e-commerce data protection is in danger
and the misuse is growing day by day. The only issue is relating to
collection, storage, accuracy and use of data provided by internet
users. The most concern about this is BPO fraud, all this fraud
come under the penal provision of the IT Act.83 This phenomenon
are only because of the customer relation with the authority. If the
authority i.e. the service provider maintain the proper privacy
policy then this situation will not arise. But the unfortunate part
is that the authority are not at all bother about this kind of
privacy policy. The enforcement agencies also not aware of all
such kind of violation of rights. The privacy issue along with the
data protection only be satisfy by the well-equipped ‘right based
approach’.
Conclusion
The analysis of different themes highlighted data protection has
treated as a right on different perspective. All the Subjects like
right to privacy, right to information, information technology,

82 AIR 1987 Cal 29.

83 Adv. Swati Sinha, “Data Protection Law in India-Needs and Position,” Accessed
February 21, 2015, http://www.legalserviceindia.com/article/l368-Data-
Protection-Law-In-India.html.
 Bharati Law Review, Oct – Dec, 2016 72

Indian Penal Code, corporate affairs and consumer were giving

special emphasis to accept the fact data protection as a right. The
purpose of the problem is strengthening the outlook of data
protection as a right in this technological liberalization age. The
scope of technology day by day increasing to maintain this
increasing phenomenon, it is requiring strengthening data
protection regime for the protection of individual liberty. Idea to
have this research work is to establish right to privacy and data
protection right as a fundamental right and after analysis; it is
justified to treat as right. From others interference and
Infringement of individual liberty can only be satisfied the entire
legal requirement as a right of data protection. Institutional status
of data protection can give a universal approach to data
protection. To give special status to data protection as a right, the
facets of data protection like data collection, processing, storage,
security and access should provide a platform together in legal
framework. The awareness about the right base approach of data
protection and privacy has to spread worldwide unanimously.



View publication stats