
NATIONAL LAW UNIVERSITY ODISHA

CYBER LAW PROJECT ON

COMPARATIVE ANALYSIS OF DATA PROTECTION LAWS

SUBMITTED TO:

DR. ANUP K PATNAIK (ADJUNCT PROFESSOR OF LAW)

SUBMITTED BY:

DIVYANSHU JAIN (2015/B.A.LL. B/020)

J SHIVAM KUMAR (2015/B.A.LL. B/022)

NIKHIL (2015/B.A.LL. B/028)

ROSHAN ADITYA SHARMA (2015/B.B.A.LL. B/045)


CYBER LAW PROJECT PAGE |1

INDEX

INTRODUCTION ................................................................................................................................ 2

CHAPTER 1: DATA PROTECTION: AN INTRODUCTION ...................................................................... 3

1. Data protection and the Right to Privacy ............................................................................. 3

2. Principles for Data Protection .............................................................................................. 3

CHAPTER 2: DATA PROTECTION IN OTHER COUNTRIES ................................................................... 5

1. USA...................................................................................................................................... 5

2. EU ........................................................................................................................................ 5

3. UK ........................................................................................................................................ 6

4. Australia ............................................................................................................... 7

5. Canada .................................................................................................................. 8

CHAPTER 3: DATA PROTECTION FRAMEWORK IN INDIA ................................................................... 9

1. Information Technology Act, 2000...................................................................................... 9

2. The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 ................................................................. 9

3. Indian Penal Code .............................................................................................................. 11

4. Indian Contract Act, 1872 .................................................................................................. 11

5. Judgment in Justice K S Puttaswamy Versus Union Of India ........................................... 12

6. Further developments......................................................................................................... 12

CONCLUSION ................................................................................................................................. 13

INTRODUCTION
With the increase in the number of internet users and the massive amount of personal data they
upload, it is imperative to provide for the protection of such data. Several countries have
therefore enacted their own legal frameworks for this purpose. Protection of personal data is
also an integral part of the right to privacy, which makes a legal framework essential in the
internet era. In this project, an attempt has therefore been made to understand the scope and
ambit of data protection law in India.

The following research questions have been put forth for the project:

 What is meant by data protection?
 What is the legal framework for data protection in India?
 How is the legal framework for data protection different in other countries?
 What are the basic principles which ought to be followed for proper data protection?

The hypothesis of this project is that “there is a proper framework for protection of data in
India.”

Scope and limitations: In this project, the term data has been limited to personal data only. The
project also focuses on the legal framework itself rather than on its application in practice.

CHAPTER 1: DATA PROTECTION: AN INTRODUCTION

1. Data protection and the Right to Privacy


Data protection can be defined as those measures which have to be undertaken to protect
personal data; it includes all measures for the protection of personal data that developed from
earlier traditions of protecting privacy.1 Data protection can be summed up as those policy
measures which regulate the collection, storage, use or dissemination of personal information.2
Data protection has become necessary because of the massive increase in the amount of personal
information available online. In the context of the internet, the phrase data privacy usually
refers to the privacy of information associated with an individual (personal data) or to the
privacy of the contents of electronically transmitted communications.3 A framework on the right
to privacy in India must therefore include privacy-related concerns around data protection.4

2. Principles for Data Protection


Taking the Organisation for Economic Co-operation and Development (OECD) guidelines on the
protection of privacy as their starting point, Cate, Cullen and Mayer-Schönberger, in “Data
Protection Principles for the 21st Century”,5 set out the principles which should govern data
protection. These principles can be summarised as follows:

 The Collection principle states that personal data should be collected lawfully, without
deception, and only in ways that are apparent to or reasonably discernible by the individual.
The principle also requires that a governmental entity collect data only within its legal
authority and for a legitimate purpose.

1. Patrick J. Murray, The Adequacy Standard Under Directive 95/46/EC: Does U.S. Data Protection Meet This Standard?, Fordham International Law Journal, Vol. 21, Issue 3 (1997), Article 10.
2. Id.
3. Adrienne D’Luna Directo, Data Protection in India: The Legislation of Self Regulation, Northwestern Journal of International Law & Business, Vol. 35, No. 1.
4. Planning Commission, Report of the Group of Experts on Privacy (Chaired by Justice A P Shah, Former Chief Justice, Delhi High Court) <http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf>
5. Fred H. Cate, Peter Cullen and Viktor Mayer-Schönberger, Data Protection Principles for the 21st Century <http://www.repository.law.indiana.edu/facbooks/23>

 The Use principle suggests that the use of personal data should be allowed only after
weighing the degree and likelihood of the benefits and harms it may produce and the measures
in place to guard against such harm. Consent should be required as a protection where it is
meaningful, and such consent must be clear, must give the individual an actual choice, and
must be given after proper information has been provided.
 The Data Quality Principle states that personal data should be used only for the purpose
for which it was acquired and only to the extent necessary for that purpose.
 The Individual Participation Principle states that before personal data is used in a way
that affects an individual’s legal rights, the individual should be given access to that data.
 The Openness Principle suggests that there should be a policy of openness regarding the
processing of an individual’s personal data.
 The Security Safeguards Principle states that personal data should be protected by
reasonable security safeguards during its collection and processing.
 The Accountability Principle states that the person who collects, uses or otherwise
processes personal data should be a responsible steward of the data and, to that end, should
be accountable for compliance with the aforementioned principles.
 The Enforcement Principle states that each country should have an adequate framework to
enforce the aforementioned principles.

CHAPTER 2: DATA PROTECTION IN OTHER COUNTRIES

1. USA
The US regulates data protection on a sector-by-sector basis; there is no single, comprehensive
federal data protection statute.6 Data protection is instead governed by a patchwork of federal
and state statutes, each covering a particular sector or type of data. Depending on the statute,
the law is enforced either by state or by federal authorities.

2. EU
The EU adopted the General Data Protection Regulation (Regulation (EU) 2016/679) in April 2016;
it became applicable on 25 May 2018. It repeals and replaces the Data Protection Directive
95/46/EC and is aimed at harmonising data privacy law across Europe.7 The stated purpose of the
Regulation is to protect and empower the data privacy of individuals in the EU and to reshape the
way organisations approach data privacy.8 Being a Regulation rather than a Directive, it applies
directly in every Member State without national implementing legislation, and it provides a
stricter regime for data protection than the Directive it replaces.

The object of the GDPR is “the protection of natural persons with regard to the processing of
personal data and on the free movement of such data.”9 The scope of the Regulation is limited to
“the processing of personal data wholly or partly by automated means and to the processing
other than by automated means of personal data which form part of a filing system or are
intended to form part of a filing system.”10 The following are the salient features of the
Regulation:

 ‘Personal data’ is defined as “any information relating to an identified or identifiable
natural person (‘data subject’); an identifiable natural person is one who can be identified,
directly or indirectly, in particular by reference to an identifier such as a name, an
identification number, location data, an online identifier or to one or more factors specific
to the physical, physiological, genetic, mental, economic, cultural or social identity of that
natural person;”11

6. Lisa J. Sotto and Aaron P. Simpson (Hunton & Williams), United States, in Data Protection & Privacy in 31 Jurisdictions <https://www.huntonprivacyblog.com/wp-content/uploads/sites/18/2011/04/DDP2015_United_States.pdf>
7. European Union, GDPR Portal: Site Overview <http://www.eugdpr.org/>
8. Id.
9. EU General Data Protection Regulation (Regulation (EU) 2016/679), Article 1
10. EU General Data Protection Regulation (Regulation (EU) 2016/679), Article 2
 Article 5 sets out the principles relating to the processing of personal data: personal
data must be processed lawfully, fairly and in a transparent manner; collected for specified,
explicit and legitimate purposes and not further processed in a manner incompatible with those
purposes; adequate, relevant and limited to what is necessary; accurate and kept up to date;
kept in a form which permits identification for no longer than necessary; and processed in a
manner that ensures appropriate security, including protection against unauthorised or
unlawful processing and against accidental loss, destruction or damage. The controller is
responsible for, and must be able to demonstrate, compliance with these principles.12
 Article 6 deals with the lawfulness of processing and lists the lawful bases on which
personal data may be processed, of which the consent of the data subject is one. Article 7
deals in detail with the conditions for consent.
 Articles 13 and 14 provide for the information to be given to the data subject where
personal data have been obtained from the data subject and where they have not been obtained
from the data subject, respectively.
 The Regulation also provides for the right of access,15 the right to rectification,13 the
right to erasure (“right to be forgotten”)14 and the right to restriction of processing.16

On a careful analysis, it is observed that the Regulation is a detailed framework which covers
most of the issues relating to data protection.

11. EU General Data Protection Regulation (Regulation (EU) 2016/679), Article 4(1)
12. EU General Data Protection Regulation (Regulation (EU) 2016/679), Article 5
13. EU General Data Protection Regulation (Regulation (EU) 2016/679), Article 16
14. EU General Data Protection Regulation (Regulation (EU) 2016/679), Article 17
15. EU General Data Protection Regulation (Regulation (EU) 2016/679), Article 15
16. EU General Data Protection Regulation (Regulation (EU) 2016/679), Article 18
17. UK Data Protection Act 1998

3. UK
The data protection law in the UK is the Data Protection Act 1998 (DPA). The DPA implements
Data Protection Directive 95/46/EC, which was the law on data protection in the EU.17
However, since that Directive is repealed by the GDPR with effect from 25 May 2018, the position
in the UK is not settled. The UK voted in a referendum to leave the EU; whether the GDPR will
continue to apply in the UK in the longer term therefore depends on the replacement legislation
that is put in place.18

4. Australia
The legal framework for data protection in Australia is a mixture of federal and state or
territory laws. The principal instruments are:

 The Privacy Act 1988 (Cth) (Privacy Act), as amended by the Privacy Amendment (Enhancing
Privacy Protection) Act 2012, which introduced the Australian Privacy Principles (APPs)
 Information Privacy Act 2014 (Australian Capital Territory)
 Information Act 2002 (Northern Territory)
 Privacy and Personal Information Protection Act 1998 (New South Wales)
 Information Privacy Act 2009 (Queensland)
 Personal Information Protection Act 2004 (Tasmania)
 Privacy and Data Protection Act 2014 (Victoria)

These laws deal with the handling of personal information by different sectors. The APPs, which
apply to Australian Government agencies and to the private sector organisations covered by the
Privacy Act, are as follows:19

1. Open and transparent management of personal information
2. Anonymity and pseudonymity
3. Collection of solicited personal information
4. Dealing with unsolicited personal information
5. Notification of the collection of personal information
6. Use or disclosure of personal information
7. Direct marketing (applicable only to organisations)
8. Cross-border disclosure of personal information
9. Adoption, use or disclosure of government related identifiers (applicable only to organisations)
10. Quality of personal information
11. Security of personal information
12. Access to personal information
13. Correction of personal information

18. Law Business Research Ltd, Data Protection & Privacy - United Kingdom <https://gettingthedealthrough.com/area/52/jurisdiction/22/data-protection-privacy-united-kingdom/>
19. Office of the Australian Information Commissioner, APP quick reference tool <https://www.oaic.gov.au/agencies-and-organisations/guides/app-quick-reference-tool>
5. Canada
Canada does not have a single law comprehensive enough to cover privacy.20 At the federal level,
the Privacy Act governs the handling of personal information by federal government institutions,
while the Personal Information Protection and Electronic Documents Act (PIPEDA) governs private
sector organisations in the course of commercial activity. Other sectoral and provincial
legislation is also in force in the country.

20. Planning Commission, Report of the Group of Experts on Privacy (Chaired by Justice A P Shah, Former Chief Justice, Delhi High Court) <http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf>

CHAPTER 3: DATA PROTECTION FRAMEWORK IN INDIA


This part of the project deals with the legal framework for data protection in India. No specific
legislation on data protection has been enacted in India.21 However, the following statutes and
other legal instruments deal with the subject in one way or another.

1. Information Technology Act, 2000


The Information Technology Act, 2000 contains the following provisions relevant to the
protection of data in India.
 Section 43A of the IT Act, 2000 was inserted by the Information Technology (Amendment)
Act, 2008. It provides that a body corporate which possesses, deals with or handles any
sensitive personal data or information in a computer resource that it owns, controls or
operates, and which is negligent in implementing and maintaining reasonable security practices
and procedures, thereby causing wrongful loss or wrongful gain to any person, is liable to pay
damages by way of compensation to the person so affected.22 Claims of up to five crore rupees
are decided by the adjudicating officer under Section 46; larger claims lie before the civil
court.
 Section 72 penalises breach of confidentiality and privacy: a person who, having secured
access to any electronic record, information, document or other material under the powers
conferred by the Act, discloses it to any other person without the consent of the person
concerned is punishable with imprisonment for a term of up to two years, or with a fine of up
to one lakh rupees, or with both.23
 Section 72A punishes the disclosure of personal information, in breach of a lawful contract
and without the consent of the person concerned, by a person (including an intermediary) who
obtained it while providing services under that contract, with intent to cause or knowing that
it is likely to cause wrongful loss or wrongful gain; the punishment is imprisonment for a term
of up to three years, or a fine of up to five lakh rupees, or both.24

2. The Information Technology (Reasonable security practices and procedures and
sensitive personal data or information) Rules, 2011
 Rule 3 of the aforementioned rules defines sensitive personal data or information as
follows:

21. CRID, First Analysis of the Personal Data Protection Law in India, JLS/C4/2005/15 <http://ec.europa.eu/justice/data-protection/document/studies/files/final_report_india_en.pdf>
22. The Information Technology Act, 2000, Section 43A
23. The Information Technology Act, 2000, Section 72
24. The Information Technology Act, 2000, Section 72A

“3. Sensitive personal data or information.— Sensitive personal data or information of


a person means such personal information which consists of information relating to;—
(i) password;
(ii) financial information such as Bank account or credit card or debit card or
other payment instrument details ;
(iii) physical, physiological and mental health condition;
(iv) sexual orientation;
(v) medical records and history;
(vi) Biometric information;
(vii) any detail relating to the above clauses as provided to body corporate for providing
service; and
(viii) any of the information received under above clauses by body corporate for
processing, stored or processed under lawful contract or otherwise:

Provided that, any information that is freely available or accessible in public domain or
furnished under the Right to Information Act, 2005 or any other law for the time being in
force shall not be regarded as sensitive personal data or information for the purposes of
these rules.”25
Thus, the definition is an enumerated list of categories rather than a general one: ordinary
personal information such as a name, address or e-mail address is “personal information” under
Rule 2(1)(i) of the rules but is not sensitive personal data, and the proviso excludes anything
freely available in the public domain. Clauses (vii) and (viii) extend the listed categories to
details relating to them that are supplied to, or received by, a body corporate, but do not
widen them to information of any kind.
 Rule 4 requires a body corporate (or any person acting on its behalf) that collects,
receives, possesses, stores, deals with or handles personal information to publish a privacy
policy for the handling of or dealing in personal information, including sensitive personal
data or information, and to ensure that the policy is available for view by the providers of
information who have supplied it under lawful contract. The policy must state, among other
things, the type of personal or sensitive personal data collected, the purpose of collection and
use, the disclosure of such information, and the reasonable security practices and procedures
followed.
25. The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, Rule 3

 Rule 5 requires the body corporate to obtain consent in writing (by letter, fax or e-mail)
from the provider of the information regarding the purpose of use before collecting sensitive
personal data or information. Such data may be collected only for a lawful purpose connected
with a function or activity of the body corporate, and only if its collection is necessary for
that purpose. The information may be retained only for as long as it may lawfully be used for
the purpose for which it was collected, and must be used only for that purpose. The rule also
allows the provider of the information to review and correct it and to withdraw consent at any
time; on such withdrawal the body corporate has the option not to provide the goods or services
for which the information was sought. The rule further requires the body corporate to designate
a Grievance Officer, whose name and contact details are to be published on its website, to
address grievances of providers of information.
 Rule 6 requires the body corporate to obtain the prior permission of the provider of the
information before disclosing sensitive personal data or information to any third party, unless
the disclosure was agreed in the contract between them or is necessary for compliance with a
legal obligation. Information may also be shared without consent with government agencies
mandated under law to obtain it, on a written request stating the purpose, for verification of
identity or for the prevention, detection, investigation, prosecution or punishment of offences.
The rule further prohibits the body corporate from publishing sensitive personal data, and
prohibits the third party receiving it from disclosing it further.
 Rule 7 permits the transfer of sensitive personal data or information to any other body
corporate or person, in India or anywhere else in the world, only if the recipient ensures the
same level of data protection as that provided under these rules, and only where the transfer is
necessary for the performance of a lawful contract between the body corporate and the provider
of information, or where the provider has consented to the transfer.
 Rule 8 sets out the reasonable security practices and procedures. A body corporate is
deemed to have complied if it has implemented security practices and standards and has a
comprehensive documented information security programme and policies containing managerial,
technical, operational and physical security control measures commensurate with the
information assets being protected. The international standard IS/ISO/IEC 27001 on information
security management systems is named as one such standard; a body corporate following any
other code of best practices approved and notified by the Central Government may also comply.
The standard or code must be certified or audited by an independent auditor approved by the
Central Government at least once a year, or whenever the body corporate significantly upgrades
its processes and computer resources.

3. Indian Penal Code


Though the IPC does not address breaches of data privacy specifically, liability for such breaches
may be inferred from related offences.26 For instance, Section 403 of the IPC, which provides a
criminal penalty for the dishonest misappropriation or conversion of “movable property” to one’s
own use, can be invoked for a breach of data privacy by treating the data as movable property.

4. Indian Contract Act, 1872


The Indian Contract Act can also provide for the protection of data: the terms of the contract
between the provider of the data and the body corporate, such as confidentiality obligations, may
be enforced to protect the data.27

26. Overview of Data Protection Laws in India
27. CRID, First Analysis of the Personal Data Protection Law in India (n 21)

5. Judgment in Justice K S Puttaswamy Versus Union Of India28


The Supreme Court, in its landmark judgment of 24 August 2017 recognising the right to privacy
as a fundamental right under Article 21 of the Constitution, observed in relation to data
protection that it is closely linked with the protection of one’s identity. Further, the Court
observed that “Formulation of a regime for data protection is a complex exercise which needs to
be undertaken by the State after a careful balancing of the requirements of privacy coupled with
other values which the protection of data sub-serves together with the legitimate concerns of the
State. One of the chief concerns which the formulation of a data protection regime has to take
into account is that while the web is a source of lawful activity-both personal and commercial,
concerns of national security intervene since the seamless structure of the web can be exploited
by terrorists to wreak havoc and destruction on civilised societies”.29 It was further observed
that “the creation of such a regime requires a careful and sensitive balance between individual
interests and legitimate concerns of the state. The legitimate aims of the state would include
for instance protecting national security, preventing and investigating crime, encouraging
innovation and the spread of knowledge, and preventing the dissipation of social welfare
benefits.”30

6. Further developments
In July 2017 the Ministry of Electronics and Information Technology (MeitY), Government of India,
constituted a Committee of Experts under the chairmanship of Justice B N Srikrishna, former Judge
of the Supreme Court of India, to study and identify key data protection issues in India and to
recommend methods for addressing them.31 The Committee is also to suggest a draft Data Protection
Bill.

28. Justice K S Puttaswamy v. Union of India, Writ Petition (Civil) No 494 of 2012 (SC), (2017) 10 SCC 1
29. Justice K S Puttaswamy v. Union of India, Writ Petition (Civil) No 494 of 2012 (SC), para 179
30. Justice K S Puttaswamy v. Union of India, Writ Petition (Civil) No 494 of 2012 (SC), para 5
31. The Ministry of Electronics and Information Technology, Press Brief on Data Protection Framework for India <http://www.meity.gov.in/writereaddata/files/Press_Brief_Data_Protection_1Aug17.pdf>

CONCLUSION
It has been observed that the data protection rules in India are structurally similar to those in
the EU, in that both rest on notice, consent, purpose limitation, security safeguards and
restrictions on disclosure and transfer. However, the Indian law is not as stringent as the EU
law: it binds only body corporates and reaches only the narrow category of sensitive personal
data or information. Thus, we can conclude that though there is a law for data protection in
India, it lacks certain important aspects.

It has also been observed that work on a new Data Protection Bill is underway, and that it would
be too soon to comment on it. The researchers nevertheless suggest that the principles derived
from the OECD guidelines be incorporated in the bill. It is also observed that, after the recent
verdict of the Apex Court on the right to privacy, a more stringent law can be anticipated.

It is further suggested that each of the following principles, discussed in Chapter 1, be
incorporated in the bill:

 The Collection principle
 The Use principle
 The Data Quality Principle
 The Individual Participation Principle
 The Security Safeguards Principle
 The Accountability Principle
 The Enforcement Principle

Thus, the draft bill should draw on the EU law and on these principles.
