Data Privacy Related information

1. ICLG.com

1.1 What is the principal data protection legislation?


• Currently, India does not have comprehensive, dedicated data
protection legislation. Some provisions of the IT Act, 2000, as
amended from time to time, and the IT (Reasonable Security
Practices and Procedures and Sensitive Personal Data or
Information) Rules, 2011 (SPDI Rules) framed under it deal
with the protection of personal information (PI) and sensitive
personal data and information (SPDI).

• In 2019, the government presented the Personal Data Protection
Bill, 2019 (PDP Bill) in Parliament, which was later referred to a
Joint Parliamentary Committee (JPC) for a detailed review. On
Dec 16, 2021, the JPC tabled its report with various
recommendations and modifications to the PDP Bill, which,
inter alia, include expansion of the scope to cover both personal
and non-personal data.

1.2 Is there any other sector specific legislation that impacts data
protection?
• There is no sector-specific legislation; however, there are
regulations, directives and licence conditions issued by sectoral
regulators in relation to payment systems, telecoms, healthcare,
etc., that stipulate certain data protection obligations.

1.3 Definition of personal data

• The SPDI Rules define “personal information” as “any
information that relates to a natural person which, either directly
or indirectly, in combination with other information available or
likely to be available with a body corporate, is capable of
identifying such person.”

• The DP Bill defines “personal data” as “data about or relating to
a natural person who is directly or indirectly identifiable, having
regard to any characteristic, trait, attribute or any other feature
of the identity of such natural person, whether online or offline,
or any combination of such features with any other information,
and shall include any inference drawn from such data for the
purpose of profiling”.

1.4 Definition of processing

• The IT Act and SPDI Rules do not define the term “processing”.
However, the DP Bill defines it in relation to personal data, as
“an operation performed on personal data, and may include
operations such as collection, recording, organisation,
structuring, storage, adaptation, alteration, retrieval, use,
alignment or combination, indexing, disclosure by transmission,
dissemination or otherwise making available, restriction, erasure
or destruction.”

1.5 Sensitive personal data


• The SPDI Rules define SPDI to mean:
“Any such personal information which consists of information
relating to:
o Passwords
o Financial information such as bank account or credit card or
debit card or other payment instrument details
o Physical, physiological and mental health condition
o Sexual orientation
o Medical records and history
o Biometric information
o Any detail relating to the above clauses as provided to
controller for providing service; and
o Any of the information received under above clauses by
controller for processing, stored or processed under lawful
contract or otherwise.”

Provided that, any information that is freely available or
accessible in public domain or furnished under the Right to
Information Act, 2005 or any other law for the time being in
force shall not be regarded as sensitive personal data or
information for the purposes of SPDI Rules.

The DP Bill widens and amends the definition to include
certain additional categories such as: transgender status,
intersex status; caste or tribe; and religious or political
belief or affiliation. However, “password” has been
excluded from the definition.

1.6 “Data breach”
• The IT Act and the rules made thereunder do not define the term
“data breach”.  However, under the Indian Computer
Emergency Response Team and Manner of Performing
Functions and Duties Rules, 2013, “cyber security incidents”
have been defined to mean “any real or suspected adverse event
in relation to cyber security that violates an explicitly or
implicitly applicable security policy resulting in unauthorized
access, denial of service or disruption, unauthorized use of a
computer resource for processing or storage of information or
changes to data, information without authorisation”.
• The DP Bill defines “data breach” to include “personal data
breach and non-personal data breach”.  “Personal data breach”
has been defined as “any unauthorised including accidental
disclosure, acquisition, sharing, use, alteration, destruction or
loss of access to, personal data that compromises the
confidentiality, integrity or availability of personal data to a data
principal”.  “Non-personal data breach” has been defined as
“any unauthorised including accidental disclosure, acquisition,
sharing, use, alteration, destruction or loss of access to non-
personal data that compromises the confidentiality, integrity or
availability of such data”.  

1.7 What are the key principles that apply to the processing of
personal data?
• Transparency
According to the SPDI Rules, collecting entities are required to
ensure that a provider of SPDI has knowledge of: the fact that
SPDI is being collected; the purpose of collection of SPDI; the
intended recipients of SPDI; and the name and address of the
agency collecting and retaining SPDI. Further, before
information of a data subject is disclosed to any third party, the
consent of such person is required to be obtained.

The Information Technology rules clearly state that data
controllers and data processors are required to provide a privacy
policy when they deal with personal data and sensitive personal
information, and to make sure that this policy is available to the
data provider under a lawful contract. Moreover, the policy shall
be published on the website of the body corporate or person acting
on its behalf, and shall include:
o Practices and policies of the data controller,
o Types of data collected by the body corporate, whether personal
or sensitive,
o Purpose of collection and processing of the data,
o Disclosure of the data, including sensitive personal data, when
it is required in certain specified conditions, and
o Proper and reasonable security systems and practices, according
to the rules.

• Lawful basis for processing
Under the SPDI Rules, consent is required to be obtained for
collecting and processing SPDI.

• Purpose limitation
The SPDI Rules provide that SPDI should only be collected
for a lawful purpose connected with a function or activity of
the body corporate or any person acting on its behalf.

• Data minimisation
While there is no express principle of data minimisation, the
SPDI Rules provide that collection of SPDI is permitted only
if it is considered necessary for that purpose.

• Retention
The SPDI Rules provide that SPDI is not permitted to be
retained for longer than is required for the purposes for which
the SPDI may lawfully be used or is otherwise required under
any other law for the time being in force.

1.8 Right to complain to the relevant data protection authority(ies)
• There is no dedicated data protection authority at present.
Providers of SPDI may register their grievances with
respect to the processing of SPDI with the “grievance
officers” of the collecting entities appointed under the
SPDI Rules. Also, complaints regarding the payment of
compensation for failure to protect SPDI may be
raised by aggrieved persons before the adjudicating officer
appointed under the IT Act. Further, criminal proceedings
in respect of unlawful disclosure of SPDI may be instituted
with police authorities. Cyber security incidents relating
to unauthorised access to IT systems/data and compromise
of information may also be reported by affected
individuals or organisations to the Computer Emergency
Response Team – India (“CERT-IN”).

• The DP Bill proposes that complaints in relation to
contravention of the DP Bill’s provisions be made by a
data principal to the data fiduciary’s designated data
protection officer (“DPO”) (in case of a significant data
fiduciary (“SDF”)) or grievance redressal officer. Such
complaints may also be made to the DPAI.

1.9 Other key rights


• Under the IT Act and SPDI Rules, it must be ensured by
the collector that the provider of SPDI has knowledge
about the fact that information is being collected, the
purpose for which it is being collected, the intended
recipients of the information, and the names and addresses
of the agency that is collecting and retaining the
information.

• Separately, the Consumer Protection Act, 2019
(“Consumer Protection Act”) defines “unfair trade
practice” as a trade practice that adopts any unfair method
or unfair or deceptive practices including, inter alia,
disclosing to another person any PI given in confidence by
the consumer.  In relation to this, there are provisions under
the Consumer Protection Act that allow a “recognised
consumer association” (i.e., any voluntary consumer
association registered under an existing law) to file a
complaint in respect of such unfair trade practices on behalf
of the consumer.

1.1.1 What additional obligations apply to the processing of children’s
personal data?
• The IT Act and the SPDI Rules do not contain specific
provisions on the processing of children’s personal data.

• However, according to Indian law (namely the Indian
Contract Act, 1872 read with the Indian Majority Act,
1875), persons below the age of 18 years cannot
independently enter into a contract. Thus, entities
processing SPDI of children are required to obtain consent
from the parent/legal guardian of such children.

1.1.2 Is the appointment of a Data Protection Officer mandatory or
optional? If the appointment of a Data Protection Officer is only
mandatory in some circumstances, please identify those circumstances.

• The current legal framework relating to data protection
does not contemplate the appointment of a DPO. Having
said that, the SPDI Rules speak of the appointment of a
grievance officer to redress the grievances of the provider
of SPDI with respect to the processing of her/his SPDI in a
timely manner. All entities that process SPDI of natural
persons in India are required to comply with this
requirement.

• The DP Bill envisages mandatory appointment of a DPO
by SDFs only; other data fiduciaries are required to
appoint a grievance officer for redressal of disputes
raised by data principals.

1.1.3 What are the sanctions for failing to appoint a Data Protection
Officer where required?
• Under the current legal framework, there is no sanction or
penalty per se for failing to appoint a grievance officer. 
However, appointment of a grievance officer is a step
towards demonstrating compliance with reasonable security
practices and procedures contemplated under the IT Act
and SPDI Rules.  In the case that an entity is negligent in
adhering to reasonable security practices and procedures, it
may be exposed to a claim for compensation under the IT
Act if the provider has suffered a “wrongful loss”.
• With respect to the DP Bill, in the case that an SDF fails to
appoint a DPO, it shall be liable to a penalty as may be
prescribed, but not exceeding INR 5 Crores (approx. USD
650,000) or 2 per cent of its annual worldwide turnover of
the preceding financial year, whichever is higher.  In case
of any other data fiduciary, if it fails to appoint a grievance
officer, it shall be liable to a penalty of up to INR 25 Lakhs
(approx. USD 30,000).  Additionally, a claim for
compensation can be made by an affected data principal.

1.1.4 What are the responsibilities of the Data Protection Officer as
required by law or best practice?

• Under the IT Act and SPDI Rules, the grievance officer is
required to provide redressal to grievances of providers of
SPDI expeditiously, within a maximum of 30 days.

1.1.5 What is the permitted scope of corporate whistle-blower hotlines
(e.g., restrictions on the types of issues that may be reported, the
persons who may submit a report, the persons whom a report may
concern, etc.)?
• All listed companies and certain other classes of companies
are required to establish a vigil (whistle-blowing)
mechanism to report ethical concerns to management,
under the Companies Act 2013 (“CA 2013”) read with the
Companies (Meetings of Board and its Powers) Rules
2014.  It is stipulated, under the CA 2013, that the vigil
mechanism should provide for adequate safeguards against
the victimisation of persons who use such mechanism, and
make provision for direct access to the chairperson of the
audit committee or the director nominated to play the role
of audit committee (in case of companies that are not
required to have an audit committee).

• Additionally, a similar requirement is provided, under the
Securities and Exchange Board of India (Listing
Obligations and Disclosure Requirements) Regulations,
2015 (“SEBI LODR”), on listed entities to devise an
effective whistle-blower mechanism enabling stakeholders,
including individual employees and their representative
bodies, to freely communicate their concerns about illegal
or unethical practices.  Under SEBI LODR, the vigil
mechanism shall provide for adequate safeguards against
victimisation of director(s) or employee(s) or any other
person(s) who avail themselves of the mechanism, and
shall also provide for direct access to the chairperson of the
audit committee in appropriate or exceptional cases.

1.1.6 Is there a general obligation to ensure the security of personal
data? If so, which entities are responsible for ensuring that data are
kept secure (e.g., controllers, processors, etc.)?

• Entities processing SPDI are required to adhere to reasonable
security practices and procedures as prescribed under the
SPDI Rules. This includes implementing standards such as
IS/ISO/IEC 27001 prior to processing any SPDI, and
preparing and deploying information security programmes
complying with the stipulated requirements.

• Comparatively stricter obligations have been proposed under
the DP Bill in relation to ensuring the security of personal
data. These include preparing policies relating to privacy by
design, complying with data audit requirements and
maintaining specified processing-related records.

1.1.7 Is there a legal requirement to report data breaches to the
relevant data protection authority(ies)? If so, describe what details
must be reported, to whom, and within what timeframe. If no legal
requirement exists, describe under what circumstances the relevant
data protection authority(ies) expect(s) voluntary breach reporting.

Cyber security incidents such as unauthorised access to IT
systems/data and the compromising of information must be
reported by entities, i.e., service providers, intermediaries,
data centres, and body corporates to CERT-IN. Such
incidents were required to be reported, along with prescribed
details, within a reasonable time from the occurrence or
noticing of the incident, in order that there is scope for timely
action. However, CERT-IN has, on 28 April 2022, issued a
new direction (“Direction”). According to the Direction,
certain specified types of cyber incidents (such as targeted
scanning/probing of critical networks/systems, compromise
of critical systems/information, unauthorised access of IT
systems/data, etc.) are required to be mandatorily reported by
service providers, intermediaries, data centres, body
corporates and government organisations to CERT-IN within
six hours of noticing such incidents or being brought to notice
about such incidents. There are other requirements like
synchronisation of system clocks, appointment of point of
contact and maintenance of logs. Certain additional
compliances have been prescribed for entities engaged in
particular types of business like virtual private networks,
cloud services, virtual assets, etc. This Direction will come
into effect after 60 days following the date of its issuance.

Separately, mandatory requirements to report data breaches
within 72 hours of becoming aware of such breach to the
DPAI have also been proposed under the DP Bill.
Additionally, it is also envisioned that non-personal data
breaches will be regulated under the upcoming framework.
However, it is yet to be seen how the difference in timelines
for data breach notification under the DP Bill and the
Direction issued by CERT-IN will be harmonised.
1.1.8 Is there a legal requirement to report data breaches to affected
data subjects? If so, describe what details must be reported, to whom,
and within what timeframe. If no legal requirement exists, describe
under what circumstances the relevant data protection authority(ies)
expect(s) voluntary breach reporting.
• No mandatory requirement to report data breaches to affected
data subjects is prescribed under the IT Act and related rules.
However, authorities like CERT-IN may report such data
breaches to the general public and relevant stakeholders,
including for resolving and preventing cyber security
incidents and cyber security breaches and for promoting
awareness.

1.1.9 What are the maximum penalties for data security breaches?

• Negligent disclosure of PI may result in a claim for
compensation against the disclosing entity under the IT Act.
Further, unlawful disclosure of PI with criminal intent is
punishable with imprisonment for a term of up to three years
or a fine of up to INR 5 Lakhs (approx. USD 6,700).

2. iPleaders

2.1 Maneka Gandhi v. Union of India


• In this case, the interpretation of Article 21 by the Hon’ble
Supreme Court was done in a broader sense. This case
interpreted the Right to Life in a different and wide way that
made the Right to Privacy fall within the ambit of the right to
life.

2.2 R. Rajagopal and Anr. v. State of Tamil Nadu (Auto-Shanker Case)


• Privacy jurisprudence evolved again in the post-liberalisation
era in the Auto-Shanker Case. This was the first case to
explain the evolution and scope of the right to privacy. The
Hon’ble Supreme Court, after examining the whole
jurisprudence, scope and evolution of the right to privacy and
discussing Govind’s case, held that though the right to
privacy is not directly expressed under the right to life and
personal liberty guaranteed by Article 21, it is a part of it
and no more just a matter of public record.

2.3 Justice K.S. Puttaswamy (Retd.) and Anr. v. Union of India and
Ors.
• On August 24, 2017, in a landmark nine-judge bench ruling,
the Apex Court in Justice K.S. Puttaswamy (Retd.) & Anr.
Vs. Union of India & Ors., unanimously declared the right to
privacy as an intrinsic part of the right to life and personal
liberty under Article 21 of the Constitution. In this case,
Chandrachud J. notes that any invasion of life or personal
liberty must meet the three requirements of (a) legality, i.e.
there must be a law in existence; (b) legitimate aim, which he
illustrates as including goals like national security, proper
deployment of national resources, and protection of revenue;
and (c) proportionality of the legitimate aims with the object
sought to be achieved.

• It is important to note that past decisions of the Supreme
Court in (i) M.P. Sharma Vs. Satish Chandra, District
Magistrate, Delhi [(1954) SCR 1077], which held that the right to
privacy is not protected by the Constitution, and (ii) Kharak
Singh Vs. State of U.P [(1964) 1 SCR 332], to the extent that
it held that the right to privacy is not protected by the
Constitution, stand overruled by the judgement in the Justice
K.S. Puttaswamy (Retd.) case.

• The nine-judge Constitutional bench set up to decide this
case ruled unanimously. It was held by the Hon’ble Supreme Court
that the right to privacy is intrinsic to the right to life and
personal liberty enshrined under Article 21. It is also a part of
the rights guaranteed under Part III of the Constitution of India.

• This decision of the Supreme Court empowers citizens to
seek judicial relief in case their data privacy rights are
breached.

2.4 Existing data protection framework in India


• Constitution of India
The Constitution of India grants privacy of data by
recognizing the right to privacy. The right to privacy has been
held as an intrinsic part under Article 21 by the Hon’ble
Supreme Court which protects the private data as a private
property of a citizen. Since the protection of the database falls
under the right to livelihood, then it cannot be violated and
taken away except according to the due procedure of law. 

Moreover, the existing legal framework also recognizes one’s
right to his/her private property without restrictions, and no
one can violate it, even the state cannot deprive the citizen of
this right, except according to the due process of law. So,
one’s data is protected by the Fundamental Rights under
Article 21.

• Indian Contract Act, 1872
The Indian Contract Act allows the parties to include a clause
in their contracts which protects data, such as a confidentiality
clause, under Section 27.

• Information Technology Act, 2000 and rules made thereunder
This Act also covers data protection. It provides a legal
framework to stop the misuse of the database and attracts
heavy penalties to stop cybercrimes. And after the
amendment of 2008, it has added more laws related to data
protection and privacy policies. The relevant laws under this
act for data protection are:

Section 43 A – This Section explicitly provides for data
protection. It states that if a body corporate handling or
possessing any sensitive personal data or information in its
computer was not careful in implementing a proper security
system and lost or shared the data, and this negligence results
in any wrongful loss or wrongful gain to any person, then the
body corporate will be held liable to pay damages as compensation
not less than five crore rupees.

SPDI Rules – These rules are for Sensitive Personal Data or
Information, and were notified by the government in 2011.
While handling sensitive information, body corporates and
companies are required to follow and adhere to these rules
strictly:

Rule 3 – This rule defines SPDI. Data such as passwords,
financial information (bank account or credit card), physical,
physiological and mental health conditions, medical records
or history, biometric information, any information regarding
these provided to a body corporate, and any other information
received by the body corporate under a lawful contract is
termed Sensitive Personal Data or Information (SPDI).

Rule 4 – This rule makes it compulsory for body corporates, or a
person acting on their behalf, that collect, receive or handle
information of the provider of information to provide a privacy
policy for handling sensitive information and to see that the
information provided is under a lawful contract. The policy
should also be published on the website.

Rule 5 – This rule states the various provisions governing the
collection of data:
o Companies and other corporate bodies shall not collect any
sensitive or personal data without the written consent of the
owner of the data.
o Personal and sensitive data should only be collected for a
lawful purpose and where necessary.
o The information collected should only be used for the purpose
for which it was collected and not for any other use.
o The companies and corporate bodies will not be liable or
responsible for the authenticity and reliability of personal
data.
o If the provider has given the information, then he must also be
given an option to withdraw the consent at any point of time
he wishes.
o The data should be kept secure, and the companies should
also introduce a grievance redressal body to address all the
discrepancies or problems arising out of the given data.

Rule 8 – This rule clarifies that if a company or a corporate
body collects any such sensitive or personal information, then
it must implement a proper security system. Clause 2 of this
rule mentions one such ISO security standard for data
protection, but following it is not mandatory if the body
follows a better security system than the one mentioned.

Section 72 – It states that if any person secures access to
any electronic record, book, register, correspondence,
information, document or any such material without the
permission or consent of the person who owns it, and also
discloses such electronic record, book, register,
correspondence, information, document, or any such material
to another person without the permission or consent of the
owner, then he/she shall be punished with imprisonment of not
less than two years or with a fine of not less than rupees one
lakh, or both.

Section 72 A – This section states that if any person or
intermediary secures access to any personal information
about another person while providing services under a lawful
contract, without consent or permission, to cause wrongful
loss or wrongful gain, then such person shall be punished with
imprisonment of not less than three years or with a fine of up
to five lakh rupees, or with both.

• Indian Penal Code, 1860
The Indian Penal Code has been amended and enforced to
prevent data theft. It is effective in preventing data theft.
Offences under this code include misappropriation of
property, theft, and criminal breach of trust, which lead to
imprisonment and fine. These offences apply only to
movable property, but this Code has recognised data as part
of the definition of ‘movable property’, which includes corporeal
property of “every description”, except land and things that
are attached to the earth permanently; hence data theft
constitutes an offence within the meaning of the Indian Penal
Code. Computer data and databases are therefore protected
under the IPC as they are movable in nature.

3. Indianlawoffices.com
3.1 Present scenario in India
• Article 21 of the Constitution guarantees every citizen the
fundamental right to personal liberty which includes the right
to privacy and by extension private data not available in
public domain. This right extends to data in electronic forms
and the Information Technology Act, 2000 (“IT Act”) vide
Section 66E dealing with punishment for violation of privacy,
facilitates protection of such data.

• Copyright to a database (rights associated with the labour and
investment involved in compiling data, verifying it and
presenting and using it in a format which creates a value in
such data) is protected under the Copyright Act, 1957
(“Copyright Act”) and the provisions of the IT Act which
deal with protection of data along with penal provisions
dealing with compensation and violation of the same act as a
deterrent in respect of a person seeking to divulge the data
without the express consent of the person whose data has
been provided.

• The IT Act 2000, which finally came into existence in 2000,
includes laws and policies concerning data security and
cybercrimes. Apart from the IT act, the Indian Copyright Act
of 1972 deals with copyright issues in computer programmes.
However, according to many privacy experts and privacy
professionals, the Bill is not adequate enough to provide data
protection. In absence of specific laws, the Indian Judicial
System offers a few proxy laws and other indirect safeguards.
Some of the proxy laws are:

• Indian Penal Code - Section 406 (Punishment for Criminal
Breach of Trust) & Section 420 (Cheating and dishonestly
inducing delivery of property)

• Indian Contract Act - Breach of contract

3.2 Judicial Pronouncements on Right to privacy and data protection
laws in India

Judicial activism has brought the right to
privacy within the realm of fundamental rights by
interpreting Articles 19 and 21. The judiciary has recognised
right to privacy as a necessary ingredient of the right to life
and personal liberty. The Supreme Court of India has
interpreted the right to life to mean right to dignified life in
Kharak Singh vs State of Uttar Pradesh, especially the
minority judgment of Subba Rao, J. In Gobind v. State of
M.P., Mathew J., delivering the majority judgment asserted
that the right to privacy was itself a fundamental right, but
subject to some restrictions on the basis of compelling public
interest.

• Right to privacy relating to a person’s correspondence has
become a debated issue due to technological
developments. In R.M. Malkani v. State of Maharashtra, the
Supreme Court observed that, the Court will not tolerate
safeguards for the protection of the citizen to be imperilled by
permitting the police to proceed by unlawful or irregular
methods. Telephone tapping is an invasion of right to privacy
and freedom of speech and expression and also Government
cannot impose prior restraint on publication of defamatory
materials against its officials and if it does so, it would be
violative of Article 21 and Article 19(1)(a) of the
Constitution. In People’s Union for Civil Liberties v. Union
of India, the Supreme Court held that right to hold a
telephonic conversation in the privacy of one’s home or
office without interference can certainly be claimed as right
to privacy. In this case the Supreme Court had laid down
certain procedural guidelines to conduct legal interceptions,
and also provided for a high-level review committee to
investigate the relevance for such interceptions. But such
caution has been thrown to the winds in recent directives from
the government bodies as is evident from phone tapping
incidents that have come to light. In State of Maharashtra v.
Bharat Shanti Lal Shah, the Supreme Court said that
interception of conversation, though it constitutes an invasion
of an individual’s right to privacy, can be curtailed in
accordance with procedure validly established by law.

• In R. Rajagopal v. State of T.N., the Supreme Court held that
the petitioners have a right to publish what they allege to be
the life story/autobiography of Auto Shankar insofar as it
appears from the public records, even without his consent or
authorisation. But if they go beyond that and publish his life
story, they may be invading his right to privacy. The
Constitution exhaustively enumerates the permissible
grounds of restriction on the freedom of expression in Article
19(2); it would be quite difficult for courts to add privacy as
one more ground for imposing reasonable restriction.

• In Destruction of Public & Private Properties v. State of A.P.,
the Supreme Court said that the media should be based upon the
principles of impartiality and objectivity in reporting;
ensuring neutrality; responsible reporting of sensitive issues,
especially crime, violence, agitations and protests; sensitivity
in reporting on women and children and matters relating to
national security; and respect for privacy. The casting couch is a
very popular tool used by the media nowadays which directly
hammers individual privacy. There is no guideline to
handle this issue. A privacy framework will provide a solution to
this problem.

• In People’s Union for Civil Liberties (PUCL) v. Union of
India, the Supreme Court observed that by calling upon
contesting candidate to disclose the assets and liabilities of
his/her spouse the fundamental right to information of a voter
or citizen is thereby promoted. When there is a competition
between the right to privacy of an individual and the right to
information of the citizens, the former right has to be
subordinated to the latter right as it serves larger public
interest. The question arises as to what extent a voter has a
right to know about a candidate’s privacy. The voter’s right
to know about a candidate’s privacy can be protected and
flourished by removing the drawbacks of laws relating to
voter’s right to information. Privacy means the right to
control the communication of personally identifiable
information about any person. It requires a balancing attitude;
a balancing interest.

 In Mr. X v. Hospital Z, the Supreme Court held that the
doctor-patient relationship, though basically commercial, is
professionally a matter of confidence and, therefore, doctors
are morally and ethically bound to maintain confidentiality.
In such a situation public disclosure of even true private facts
may sometimes lead to the clash of one person’s right to be
let alone with another person’s right to be informed. In
another case the Apex Court said that it was open to the hospital
or doctor to reveal such information to persons related to the
girl whom he intended to marry and she had a right to know
about the HIV-positive status of the appellant. The Court also
held that the appellant’s right was not affected in any manner
in revealing his HIV-positive status to the relatives of his
fiancée. In matrimonial cases the petitioner would always
insist on a medical examination. In Selvi v. State of Karnataka,
the Court held that narco-analysis, lie detection and BEAP
tests in an involuntary manner violate prescribed boundaries
of privacy. A medical examination cannot justify the dilution
of constitutional rights such as the right to privacy. In Bhabani
Prasad Jena v. Orissa State Commission for Women, the
Supreme Court said that if a DNA test is eminently needed to
reach the truth, the court must exercise its discretion to order
a medical examination of a person.

 In Sharda v. Dharmpal, the Supreme Court said that though
the right to personal liberty has been read into Article 21, it
cannot be treated as an absolute right. To enable the court to
arrive at a just conclusion, a person could be subjected to a test
even though it would invade his right to privacy. It concluded
that one has to maintain a balance between the rights of a
citizen and the right to privacy. It ultimately requires a
healthy and congenial interrelationship between the social
good and the individual liberty.

 Privacy and data protection: Privacy and data protection
require that information about individuals should not be
automatically made available to other individuals and
organisations. Each person must be able to exercise a
substantial degree of control over that data and its use. Data
protection is a legal safeguard to prevent misuse of information
about an individual person on any medium, including computers. It
is the adoption of administrative, technical, or physical deterrents
to safeguard personal data. Privacy is closely connected to
data protection. An individual’s data like his name, address,
telephone numbers, profession, family, choices, etc. are often
available at various places like schools, colleges, banks,
directories, surveys and on various websites. Passing such
information to interested parties can lead to intrusions on
privacy like incessant marketing calls. The main principles on
privacy and data protection enumerated under the
Information Technology Act, 2000 are defining data, civil
and criminal liability in case of breach of data protection and
violation of confidentiality and privacy.

 In District Registrar and Collector v. Canara Bank, the Supreme
Court said that the disclosure of the contents of the private
documents of its customers or copies of such private
documents, by the bank would amount to a breach of
confidentiality and would, therefore, be violative of privacy
rights of its customers.

4. Economic Laws Practice Advocates and Solicitors Research Paper

 The right to privacy is not new. It has been a common law
concept, and an invasion of privacy gives a right to the
individual to claim tort-based damages. One of the first cases on
the said topic was Semayne’s Case (1604). The case related
to the entry into a property by the Sheriff of London in order
to execute a valid writ. Sir Edward Coke, while recognising a
man’s right to privacy, famously said that “the house of
everyone is to him as his castle and fortress, as well for his
defence against injury and violence, as for his repose”. The
concept of privacy further developed in England in the 19th
century and has been well established in today’s world. In
the case of Campbell v. MGN, the court held that if “there is an
intrusion in a situation where a person can reasonably expect
his privacy to be respected, that intrusion will be capable of
giving rise to liability unless the intrusion can be justified”.
