
Law

Information and Communication Technology


Online Privacy and Data Protection Law

1|Page
Role / Name / Affiliation
Principal Investigator: Prof. (Dr.) Ranbir Singh, Vice Chancellor, National Law University, Delhi
Co-Principal Investigator: Prof. (Dr.) G.S. Bajpai, Registrar, National Law University, Delhi
Paper Coordinator: Dr. Aparajita Bhatt, Assistant Professor, National Law University, Delhi
Content Writer/Author: Dr. Gurujit Singh, Assistant Professor, Guru Gobind Singh Indraprastha University, New Delhi
Content Reviewer: Mr. Sunil Abraham, Centre for Internet and Society, Bengaluru

Items / Description of Module
Subject Name: Law
Paper Name: Information and Communication Technology
Module Name/Title: Online Privacy and Data Protection Law
Module Id: XIX
Objectives:
1. To understand the concept of privacy and the issues of online privacy.
2. To appreciate the various modes in which privacy is violated online.
3. To analyse the privacy regulation of the European Union and India.
4. To understand the concept of data protection.
5. To explain the protection given to personal data under various jurisdictions.
6. To enumerate the principles laid down for the collection and processing of information.
Prerequisites: Basic knowledge of cyberspace and cyber law

1. Introduction
The growing dependence of States and individuals on Information and Communication Technology (ICT) for their social and economic activities has benefits as well as drawbacks. ICT provides a platform on which social and economic activity proliferates in a territory without boundaries, and crucial information of every kind is shared through this medium, sometimes deliberately and sometimes unwittingly. Sophisticated software and hardware transmit, store and process confidential information about individuals, with or without their permission, and its misuse causes them social and economic loss. That loss is sometimes beyond recovery for States as well as for individuals, and this has prompted States worldwide to regulate privacy and data protection within their respective jurisdictions. This module is an attempt to understand the concepts of privacy and data protection. The distinction between them is not clear cut; they are like twins, but not identical. The module discusses traditional and online privacy and data protection regulation with reference to the jurisdictions of the United States, the European Union and India.

2. Concept of Privacy
2.1 Offline Privacy
The word ‘privacy’ is derived from the Latin ‘privatus’, meaning ‘separated or deprived from the rest; solitude’. The concept of privacy is not uniform around the globe, because historical, cultural and religious beliefs and practices have produced different value systems in different societies. Information that one person considers private may be public for another. Notwithstanding these inherent difficulties, ‘privacy’ is understood as the information about an individual’s life or condition that lies outside the public domain. It covers the personal aspects of information relating to an individual and denotes his or her right to decide how much of it to share with others. It is the right to be let alone.1 Hirshleifer emphasises that privacy is not to be confused with secrecy; it is better described as autonomy within society, a broader concept than secrecy, reflecting a particular kind of social structure together with its supporting social ethics.2 Prosser recognised four categories of privacy invasion: (a) unreasonable intrusion upon the seclusion or solitude of another, (b) appropriation of an individual’s name or likeness for another’s advantage, (c) public disclosure of private facts, and (d) publicity that places the person in a false light in the public eye.3 Privacy has been recognised as a human right in international instruments such as the Universal Declaration of Human Rights,4 the International Covenant on Civil and Political Rights5 and the European Convention on Human Rights.6

1 William L. Prosser, 'Privacy' (1960) 48 Cal. L. Rev. 383, 389.
2 Jack Hirshleifer, 'Privacy: Its Origin, Function and Future' (UCLA Department of Economics Working Paper 166, 1979) <http://www.econ.ucla.edu/workingpapers/wp166.pdf> accessed 10.07.2014.
Much water has flowed under the bridge since then, with the introduction of sophisticated technologies, from the internet on smart phones to terrestrial and satellite communications and GPS, penetrating the individual’s social and private life. Because of this dependence on technology in professional and personal life, the concept of privacy now covers a broad range of information, which may be categorised as follows:

Privacy
(a) Information privacy: relating to credit information, drug testing, medical reports, government records, etc.
(b) Personal privacy: privacy of communication, such as telephone call details, e-mails, SMS, etc.
(c) Territorial privacy: intrusion or trespass at home or the workplace, etc.
(d) Bodily privacy: genetic information, DNA mapping, and the physical self against consent.

2.2. Online Privacy


The internet, or cyberspace, is a space without boundaries. Although intangible, its presence is felt through sophisticated technologies that have changed the pace of social and economic development. The rapid expansion of that technology has added an online version of private information to the traditional forms already held in records. The new category consists of the online activities of users during professional and non-professional access to the internet: their browsing habits, the date and time of each visit, queries typed into search engines, the address of the page last visited, the most visited websites, the name and Uniform Resource Locator (URL) of each page, the user’s actions at a site, the time spent on each page, files uploaded or downloaded, and so on. These activities are tracked by interested parties for their own advantage. Technology has in fact introduced new means of storing and exploiting privacy-related information against the person concerned, causing social humiliation and economic loss. Software of various kinds compiles this information automatically from the user’s activities. Some of the methods of collecting information in cyberspace are as follows:

3 Supra note 1.
4 Universal Declaration of Human Rights, Article 12: No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.
5 International Covenant on Civil and Political Rights, Article 17: (1) No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation. (2) Everyone has the right to the protection of the law against such interference or attacks.
6 European Convention on Human Rights, Article 8 (Right to respect for private and family life): (1) Everyone has the right to respect for his private and family life, his home and his correspondence. (2) There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
1. Google’s ‘Web History’ stores the user’s clicking behaviour, and its advertising programme ‘AdSense’ uses cookies to track the nature and content of the pages visited. This allows Google to analyse the user’s interests and to personalise advertisements accordingly.7
2. Software packages such as ‘Sentry’ and ‘FamilySafe’ allow parents to keep a close watch on the online activities of their children: the chats, e-mails and websites visited by the children are monitored by the parents.8
3. Technologies such as data mining, statistical analysis, face recognition and voice recognition are applied to data gathered from sources such as search engines, community sites, photo-tagging websites, discussion forums and deep packet inspection, producing unsolicited data aggregation. The profiles or databases so generated are then used for business purposes (marketing, assessment of the economic and social status of individuals, etc.).9
4. Cookies are small records of data that a website sets in the user’s browser; the browser stores them and sends them back with every later request to that website. In this way a site is told each time the user returns and can keep an archive of the user’s activity, from the login name and preferences to the pages viewed and the material uploaded or downloaded, and careless sites have placed even more sensitive values, such as passwords or card numbers, in them. Popular browsers accept cookies but let the user disable them completely or selectively through a cookie manager, which stores the cookies and lets the user manage them as required. A ‘third-party’ cookie is one set by a domain other than the site the user is visiting, for example by an advertising server whose content is embedded in many sites; most browsers, including Mozilla Firefox, Internet Explorer, Opera and Google Chrome, accept third-party cookies by default.10 Advertising agencies use this technique to track users across sites and to target them according to their preferences. The cross-border nature of these activities raises genuine private international law issues, because the regulation of privacy and of data processing varies between jurisdictions. Privacy policies usually incorporate a choice-of-law clause indicating the law applicable to privacy disputes; as they are one-sided agreements of the click-wrap or browse-wrap kind, their legality is always an important issue.
5. Spam is unsolicited e-mail. It is a kind of invasion of communication privacy. Spam generally comes from an unrecognised source, which makes the sender difficult to identify; it is mostly commercial or promotional, is received repeatedly, and often contains offensive, deceptive or fraudulent content that violates privacy.
6. Phishing is an unsolicited message or e-mail that pretends to come from an authentic and legitimate source such as a bank or a lottery. It lures the user into giving up personal and financial information, causing economic and emotional loss.
7. Identity theft is unauthorised access to another person’s personal information, such as name, address or e-mail, in order to pose as that person and, under that guise, to cause economic loss or commit wrongful acts.
8. A web bug is an invisible object (typically a one-pixel image) embedded in a web page or e-mail to check or track who reads it.
All of the above technologies, in one way or another, violate the individual’s right ‘to be left alone’ even in cyberspace.

7 European Commission, 'The Future of Online Privacy and Data Protection' in Legal Analysis of a Single Market for the Information Society: New Rules for a New Age? (DLA Piper for the European Commission, 2009) <https://ec.europa.eu/digital-agenda/en/news/legal-analysis-single-market-information-society-smart-20070037> accessed 15.08.2014.
8 Id.
9 Id.
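The following Python script is an added illustration, not part of this module and not the code of any product named above, of how much of the ‘online privacy information’ listed in this section a third-party advertising server can reconstruct from nothing more than its own access log and the cookie it set. The log lines, the hostnames (ads.example, news.example, search.example and so on), the cookie values and the keyword lists are constructed for the example.

```python
"""Added illustration (not part of the module): profile reconstruction from
an advertising server's access log.  All hostnames, cookie values and log
lines below are constructed for the example."""
import json
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, unquote, urlparse

# Constructed log of the hypothetical third-party ad server "ads.example".
# Every site that embeds ads.example/pixel.gif makes the browser request it
# with the Referer of the embedding page and the "uid" cookie that
# ads.example set earlier, so one cookie links visits across unrelated sites.
# Fields: client ip, timestamp, request line, status, Referer, Cookie header.
CONSTRUCTED_LOG = """\
203.0.113.7 [10/Jul/2014:09:01:02 +0000] "GET /pixel.gif HTTP/1.1" 200 "http://news.example/politics/article-42" "uid=a1b2c3"
203.0.113.7 [10/Jul/2014:09:03:30 +0000] "GET /pixel.gif HTTP/1.1" 200 "http://search.example/?q=divorce+lawyer+delhi" "uid=a1b2c3"
203.0.113.7 [10/Jul/2014:09:04:15 +0000] "GET /pixel.gif HTTP/1.1" 200 "http://health.example/conditions/diabetes" "uid=a1b2c3"
198.51.100.9 [10/Jul/2014:09:05:00 +0000] "GET /pixel.gif HTTP/1.1" 200 "http://news.example/sports" "uid=d4e5f6"
203.0.113.7 [10/Jul/2014:09:09:45 +0000] "GET /pixel.gif HTTP/1.1" 200 "http://shop.example/cart" "uid=a1b2c3"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
    r'"(?P<referer>[^"]*)" "(?P<cookie>[^"]*)"$'
)

# Crude keyword heuristic, constructed for the example, standing in for the
# interest analysis an advertiser runs over visited URLs.  Several of these
# categories coincide with data the module later classes as sensitive.
INTEREST_KEYWORDS = {
    "health": ("health", "diabetes", "clinic"),
    "legal": ("lawyer", "divorce", "court"),
    "politics": ("politics", "election"),
    "shopping": ("shop", "cart"),
}


def parse_line(line):
    """Split one log line into its fields; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    cookies = dict(kv.split("=", 1) for kv in d["cookie"].split("; ") if "=" in kv)
    return {
        "ip": d["ip"],
        "ts": datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "referer": d["referer"],
        "uid": cookies.get("uid"),
    }


def search_query(url):
    """Return the search term when the referring page is a results page (q= parameter)."""
    q = parse_qs(urlparse(url).query).get("q")
    return q[0] if q else None


def infer_interests(referers):
    """Map the visited URLs onto the constructed interest categories."""
    found = set()
    for url in referers:
        text = unquote(url).lower()
        for category, words in INTEREST_KEYWORDS.items():
            if any(w in text for w in words):
                found.add(category)
    return sorted(found)


def build_profiles(log_text):
    """Group hits by the ads.example cookie and derive a browsing profile per cookie."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["uid"]:
            events[ev["uid"]].append(ev)
    profiles = {}
    for uid, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        sites, visits, queries = [], [], []
        for i, ev in enumerate(evs):
            host = urlparse(ev["referer"]).hostname
            if host and host not in sites:
                sites.append(host)
            # time spent on a page is approximated by the gap to the next hit
            gap = None
            if i + 1 < len(evs):
                gap = int((evs[i + 1]["ts"] - ev["ts"]).total_seconds())
            visits.append({"time": ev["ts"].isoformat(), "url": ev["referer"],
                           "seconds_until_next": gap})
            q = search_query(ev["referer"])
            if q:
                queries.append(q)
        profiles[uid] = {
            "sites": sites,
            "visits": visits,
            "search_queries": queries,
            "last_page": evs[-1]["referer"],
            "interests": infer_interests(e["referer"] for e in evs),
        }
    return profiles


if __name__ == "__main__":
    print(json.dumps(build_profiles(CONSTRUCTED_LOG), indent=2))
```

Running the script prints one profile per cookie. The point to notice is that the profile contains nothing the user ever typed into ads.example: it is built entirely from the Referer header and timestamps that the browser attached, along with the cookie, to requests made from other people’s sites, which is why the browser setting that refuses third-party cookies is the control that matters here.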

10 Wikipedia, 'HTTP cookie' <http://en.wikipedia.org/wiki/HTTP_cookie> accessed 15.08.2014.

Figure: means of collecting personal information in cyberspace: 1. Google’s web history option; 2. specific software packages to keep track of cyber movements, like ‘Sentry’ and ‘FamilySafe’; 3. data mining, big data; 4. photo tagging, community sites, discussion forums, deep packet inspection; 5. cookies; 6. spam; 7. phishing; 8. malware; 9. identity theft; 10. web bugs.
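As an added illustration, not part of the module, the following Python check flags web bugs in an HTML e-mail by looking for remotely loaded images that are sized or styled to be invisible, and reports the per-recipient identifiers in their URLs that let the sender tie an ‘open’ to one reader. The message body and the hostnames in it (cdn.example, track.example) are constructed for the example.

```python
"""Added illustration (not part of the module): flagging web bugs in an HTML
e-mail.  The message body and the hostnames in it are constructed."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed HTML e-mail: a visible logo, a classic 1x1 tracking pixel whose
# URL carries a per-recipient token, and a zero-sized hidden image.
CONSTRUCTED_EMAIL = """\
<html><body>
<p>Dear customer, your statement is ready.</p>
<img src="https://cdn.example/logo.png" width="200" height="60" alt="logo">
<img src="https://track.example/open.gif?rid=7f3a9c&amp;msg=stmt-0714" width="1" height="1" style="display:none">
<img src="https://track.example/b.gif" style="width:0;height:0;visibility:hidden">
<p>Regards</p>
</body></html>
"""


class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag (attribute values arrive unescaped)."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def style_props(style):
    """Parse 'width:1px; display:none' into {'width': '1px', 'display': 'none'}."""
    props = {}
    for decl in style.split(";"):
        if ":" in decl:
            k, v = decl.split(":", 1)
            props[k.strip().lower()] = v.strip().lower()
    return props


def is_tiny(value):
    """True for a width/height of 0 or 1, with or without a 'px' unit."""
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2].strip()
    return v in ("0", "1")


def is_web_bug(img):
    """A remotely loaded image that is too small to see or is hidden by CSS."""
    src = img.get("src", "")
    if urlparse(src).scheme not in ("http", "https"):
        return False  # inline (data:) images cannot report back to a server
    style = style_props(img.get("style", ""))
    tiny = (is_tiny(img.get("width", "")) and is_tiny(img.get("height", ""))) or \
           (is_tiny(style.get("width", "")) and is_tiny(style.get("height", "")))
    hidden = style.get("display") == "none" or style.get("visibility") == "hidden"
    return tiny or hidden


def find_web_bugs(html):
    """Return the suspicious images together with the identifiers their URLs carry."""
    collector = ImgCollector()
    collector.feed(html)
    bugs = []
    for img in collector.images:
        if is_web_bug(img):
            url = urlparse(img["src"])
            bugs.append({
                "host": url.hostname,
                "src": img["src"],
                # query-string values are how the sender ties one "open" to one recipient
                "identifiers": {k: v[0] for k, v in parse_qs(url.query).items()},
            })
    return bugs


if __name__ == "__main__":
    for bug in find_web_bugs(CONSTRUCTED_EMAIL):
        print(f"web bug -> {bug['host']} identifiers={bug['identifiers']}")
```

A mail client or gateway can apply the same check before rendering a message; blocking or rewriting the flagged URLs is what giving the user ‘the opportunity to refuse’ such devices means in practice.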

3. Protection of Privacy
3.1 European Union
The EU adopted the Data Protection Directive 95/46/EC11 and the Directive on Privacy and Electronic Communications (e-Privacy Directive) 2002/58/EC12 to regulate data protection and online privacy respectively. Directive 2009/136/EC13 amended the e-Privacy Directive on several important points. Under the amended Article 6(3), a provider may process traffic data for the marketing of electronic communications services or the provision of value-added services only to the extent and for the duration necessary for those purposes, and only with the prior consent of the subscriber or user, who may withdraw that consent at any time. Article 6(1) requires traffic data to be erased or made anonymous when it is no longer needed for the transmission of a communication; under Article 6(2), data needed for billing may be kept until the end of the period during which the bill may lawfully be challenged or payment pursued.14 Article 12 directs Member States to ensure that subscribers are informed, free of charge and before inclusion, about the purposes of a public directory, and that they can decide whether their details are listed in it; giving consent does not take away the right to verify, correct or withdraw the data. On unsolicited communications, the amended Article 13 allows automated calling and communication systems, fax and e-mail to be used for direct marketing only with the prior consent of the subscriber or user, and prohibits direct-marketing e-mail that disguises or conceals the identity of the sender on whose behalf it is sent.15 Recital 24 of the e-Privacy Directive notes that spyware, web bugs, hidden identifiers and other similar devices can enter the user’s terminal equipment without their knowledge when websites are accessed; such devices may be used only for legitimate purposes with the knowledge of the user concerned, and in the case of cookies the user must be given the opportunity to refuse them.16

The amending Directive also provides for ‘technical implementing measures’ so that the obligations triggered by a personal data breach are applied uniformly.17 A provider of publicly available electronic communications services must notify a personal data breach to the competent national authority; under the implementing measures (Commission Regulation (EU) No 611/2013) notification is due within 24 hours of detecting the breach, and where full information is not available in that time an initial notification is made within 24 hours and the remaining information is supplied within three days of it. The provider must also inform the subscriber or individual concerned of the nature of the breach where it is likely to adversely affect their personal data or privacy.

11 Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L 281/31, available at http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:31995L0046&from=EN accessed 14.08.2014.
12 Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) [2002] OJ L 201/37, available at http://www.privacycommission.be/sites/privacycommission/files/documents/directive_2002_58_ec.pdf accessed 14.08.2014.
13 Directive 2009/136/EC amends three instruments: Directive 2002/22/EC, Directive 2002/58/EC and Regulation (EC) No 2006/2004. Available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:337:0011:0036:en:PDF accessed 15.08.2014.
14 Directive 2002/58/EC, Article 6(2).
15 Directive 2002/58/EC as amended by Directive 2009/136/EC, Article 13(4).

3.2 India
3.2.1 Privacy as a Constitutional Right
Before the Constitution, the scope and concept of privacy in India were determined under criminal law and the law of tort, in matters such as libel and slander. Apart from those provisions, the Constitution did not define privacy as a right, and the question did not arise until the 1960s, when the Supreme Court had the opportunity in Kharak Singh v. State of Uttar Pradesh18 to decide the constitutionality of police regulations providing for surveillance and domiciliary visits. The regulations were challenged on the ground that they violated a fundamental right to privacy under Article 21. The majority refused to recognise the right to privacy as part of the fundamental rights, although it struck down the domiciliary visits as an unauthorised intrusion into personal liberty and recognised the common law right of citizens to enjoy the liberty of their homes. In Govind v. State of Madhya Pradesh19 the Court was more inclined to treat the right to privacy as a fundamental right, as reflected in the opinion of Mathew J.:
“Rights and freedoms of citizens are set forth in the Constitution in order to guarantee that the individual, his personality and those things stamped with his personality shall be free from official interference except where a reasonable basis for the intrusion exists. … in this sense, many of the fundamental rights of citizens can be described as contributing to the right to privacy”.20

16 Directive 2002/58/EC, Recital 25.
17 Directive 2002/58/EC, Article 4, as amended by Directive 2009/136/EC.
18 AIR 1963 SC 1295; 1964 SCR (1) 332
19 AIR 1975 SC 1378
20 Id.

The emergence of the right to privacy as a fundamental right created a conflict between the fundamental right to freedom of speech and expression and the right to privacy. The Court balanced the two in R. Rajagopal v. State of Tamil Nadu,21 holding:
“(1) the right to privacy is implicit in the right to life and liberty guaranteed to the citizens of this country by Article 21. It is a ‘right to be let alone’. A citizen has a right to safeguard the privacy of his own, his family, marriage, procreation, motherhood, child-bearing and education among other matters. None can publish anything concerning the above matters without his consent, whether truthful or otherwise and whether laudatory or critical. If he does so he would be violating the right to privacy of the person concerned and would be liable in an action for damages. Position may, however, be different, if a person voluntarily thrusts himself into controversy or voluntarily invites or raises a controversy. (2) The rule aforesaid is subject to the exception, that any publication concerning the aforesaid aspects becomes unobjectionable if such publication is based upon public records including court records. This is for the reason that once a matter becomes a matter of public record, the right to privacy no longer subsists and it becomes a legitimate subject for comment by press and media among others.”22

In Mr. X v. Hospital Z23 the Court continued to balance the competing interests, recognising that medical records are generally the private information of the individual, subject to the exception that non-disclosure may be overridden where disclosure is necessary to protect the lives of other citizens. In PUCL v. Union of India24 the Court held that telephone tapping without proper safeguards, i.e. without a procedure established by law, is a violation and invasion of the individual’s right to privacy; it ordered the creation of a review committee to review all interception orders under the Indian Telegraph Act, 1885 and held that the procedure must satisfy Articles 14, 19 and 21. In District Registrar and Collector v. Canara Bank25 the Court reaffirmed that the right to privacy exists and that any unlawful invasion of it makes the offender liable to consequences under the law. Constitutional recognition of the right thus protects individuals against unlawful invasion by the government. The right to privacy is, however, not absolute and may lawfully be restricted in the interests of public order, i.e. the prevention of crime and disorder, the protection of health or morals, or the protection of the rights and freedoms of others.

21 (1994) 6 SCC 632
22 Id.
23 AIR 1999 SC 495
24 (1997) 1 SCC 301; AIR 1997 SC 568
25 (2005) 1 SCC 496

3.2.2 Definition of Privacy
The concept of privacy has so far not been defined in any Indian enactment; protection against the misuse of private information is scattered across various Acts. The Information Technology Act, 2000 incorporated the concept in response to European Union concerns about data protection in India. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 define ‘personal information’ as any information that relates to a natural person and, directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying that person.26 Rule 3 identifies ‘sensitive personal data or information’ as (a) passwords; (b) financial information such as bank account, credit card, debit card or other payment instrument details; (c) physical, physiological and mental health condition; (d) sexual orientation; (e) medical records and history; (f) biometric information; (g) any detail relating to the above provided to a body corporate for providing a service; and (h) any of the above information received by a body corporate for processing, stored or processed under a lawful contract or otherwise. The Rules do not, however, treat as sensitive (i) information freely available or accessible in the public domain, or (ii) information furnished under the Right to Information Act, 2005 or any other law for the time being in force.27

Similarly, the Credit Information Companies (Regulation) Act, 2005 (CICRA)28 deals with privacy and data protection in respect of ‘credit information’. Section 2(d) defines ‘credit information’ as any information relating to (a) the amounts and the nature of loans or advances, amounts outstanding under credit cards and other credit facilities granted or to be granted by a credit institution to any borrower; (b) the nature of security taken or proposed to be taken by a credit institution from any borrower for a credit facility granted or proposed to be granted to him; (c) the guarantee furnished or any other non-fund based facility granted or proposed to be granted by a credit institution for any of its borrowers; (d) the creditworthiness of any borrower of a credit institution; and (e) any other matter which the Reserve Bank of India may consider necessary for inclusion in the credit information to be collected and maintained by credit information companies, and specify by notification in this behalf.

26 The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, Rule 2(1)(i).
27 Id., Rule 3 proviso.
28 The Credit Information Companies (Regulation) Act, 2005 came into force on 14 December 2006 by official gazette notification (http://www.egazette.nic.in/EnhancedSearch.aspx). It was enacted with the twin purposes of regulating the credit information collected by credit institutions and facilitating the efficient distribution of credit by financial institutions, public financial institutions and financial corporations.

3.2.3 Privacy Regulation

There is no specific law on online privacy in India. The Indian Telegraph Act, 1885, however, empowers the government under Section 5(2) to intercept messages. The power is not unguided, as the language of the section shows: it may be exercised only on the occurrence of a public emergency or in the interest of public safety, and only where interception is necessary or expedient in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order or the prevention of incitement to the commission of an offence. The reasons must be recorded in writing so that arbitrariness can be checked in case of misuse. In People’s Union for Civil Liberties v. Union of India29 the Supreme Court laid down procedural safeguards, which the Central Government incorporated into the Indian Telegraph Rules, 1951 by inserting Rule 419A to safeguard the individual’s right to privacy. Rule 419A restricts the power to order phone taps to senior officers of the Union and State Governments.

Similar provisions exist in the IT Act in Sections 6930 and 69B.31 They are operationalised by two sets of rules made under the Act: the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 for Section 69, and the Information Technology (Procedure and Safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009 for Section 69B. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, by contrast, are made under Section 43A and govern the handling of sensitive personal data by body corporates.

Online violations of privacy are dealt with under the following sections of the IT Act:
1. Section 43(c) makes any person who introduces, or causes to be introduced, a computer contaminant or computer virus into a computer, computer system or computer network liable to pay compensation to the person affected.
2. Section 66A punishes the sending of offensive messages through communication services such as e-mail or social media with imprisonment for a term which may extend to three years and with fine.
3. Section 66B punishes dishonestly receiving a stolen computer resource or communication device with imprisonment which may extend to three years, or fine up to Rs. 1 lakh, or both.
4. Section 66C punishes identity theft with imprisonment which may extend to three years and fine up to Rs. 1 lakh.
5. Section 66E punishes violation of privacy (capturing, publishing or transmitting the image of a private area of a person without consent) with imprisonment which may extend to three years, or fine up to Rs. 2 lakh, or both.

29 AIR 1997 SC 568
30 Information Technology Act, 2000, Section 69: power of the Central Government or a State Government, or an officer specially authorised by it, to issue directions for the interception, monitoring or decryption of any information through any computer resource.
31 Id., Section 69B: power of any agency authorised by the Central Government to monitor and collect traffic data or information through any computer resource for cyber security.

3.2.4 Exception to the Privacy Rule

Section 69 of the IT Act creates an exception in favour of the Central Government and the State Governments. It enumerates the grounds on which the appropriate government, or an officer specially authorised by it, may direct an agency to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource: (a) the sovereignty or integrity of India, (b) the defence of India, (c) the security of the State, (d) friendly relations with foreign States, (e) public order, (f) preventing incitement to the commission of any cognizable offence, and (g) the investigation of any offence. Any one or more of these grounds suffices, but the Act requires a proper procedure to be followed: the government must be satisfied that the direction is necessary or expedient, and the reasons must be recorded in writing; the procedure and safeguards are those prescribed by rules. The section obliges the subscriber, intermediary or any person in charge of the computer resource, when called upon, to extend all facilities and technical assistance to provide access to or secure access to the computer resource generating, transmitting, receiving or storing the information, to intercept, monitor or decrypt the information, or to provide information stored in the computer resource;32 failure to do so is punishable with imprisonment for a term which may extend to seven years and with fine. Section 69B empowers the Central Government to authorise any agency to monitor and collect traffic data or information from any computer resource in order to enhance cyber security and to identify, analyse and prevent intrusion or the spread of ‘computer contaminants’33 in the country. The intermediary or any person in charge of the computer resource must, when called upon, provide technical assistance and online access to the computer resource generating, transmitting, receiving or storing such traffic data34 or information.35 An intermediary that intentionally or knowingly contravenes this is punishable with imprisonment for a term which may extend to three years and with fine.36 The procedure is laid down by the Central Government in the Information Technology (Procedure and Safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009.

3.2.5 National Policy on Privacy

Recognising the need to review the law on privacy, the Planning Commission, Government of India, constituted a Group of Experts under the chairmanship of Justice A.P. Shah, former Chief Justice of the Delhi High Court. After deliberation the group submitted its report37 proposing a national privacy policy built on the following National Privacy Principles:
1. Notice: A data controller shall give individuals a clear, concise and simple notice at the time of collection and subsequently. The notice at collection should state (a) the kinds of personal information collected; (b) the purpose of collection; (c) the uses of the information; (d) whether it will be disclosed to third parties; (e) the security safeguards against loss of the information; (f) the process for access to and correction of one’s own personal information; and (g) the contact details of the privacy officer. Subsequent notice is required of (a) a data breach, where applicable; (b) any use of the information for a purpose other than that stated; (c) changes in the controller’s privacy policy; and (d) any other information required by the appropriate authority.
2. Choice and Consent: Individuals must be given the option to opt in or opt out at every stage of data collection, processing and disclosure, except in the case of authorised agencies.
3. Collection Limitation: Only the information needed for the stated purpose should be collected, by lawful means and with the consent of the data subject.
4. Purpose Limitation: Personal data collected and processed under the direction of the controller should be adequate and relevant to the purpose for which it is processed, and retention of data should comply with the National Privacy Principles.
5. Access and Correction: Individuals shall have access to the information about them held by the controller. The right of access includes the right to correction, amendment or deletion of inaccurate information.
6. Disclosure of Information: Disclosure to third parties is allowed only with the consent of the data subject, and disclosure to law enforcement agencies must be in accordance with the law.
7. Security: The data controller shall secure personal information against loss, unauthorised access, destruction, use, processing, modification, de-anonymisation, unauthorised disclosure and other reasonably foreseeable risks.
8. Openness: The data controller shall take all necessary steps to implement and adopt policies, practices, procedures and systems in proportion to the sensitivity of the data.
9. Accountability: The data controller shall comply with measures that give effect to the privacy principles.

32 Id., Section 69(3).
33 Id., Section 43, Explanation (i): ‘computer contaminant’ means any set of computer instructions that are designed (a) to modify, destroy, record or transmit data or a programme residing within a computer, computer system or computer network, or (b) by any means to usurp the normal operation of the computer, computer system or computer network.
34 Id., Section 69B, Explanation: ‘traffic data’ means any data identifying or purporting to identify any person, computer system or computer network or location to or from which the communication is or may be transmitted, and includes communications origin, destination, route, time, date, size, duration or type of underlying service and any other information.
35 Id., Section 69B(2).
36 Id., Section 69B(4).
37 Report of the Group of Experts on Privacy (Chairman: Justice A.P. Shah), Planning Commission, Government of India, 2012, available at http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf accessed 15.08.2014.

3.3 Concept of Data Protection

Privacy and data protection are not identical concepts, though they share some common features. They are like twins, but not identical twins.38 Data protection does not raise privacy objections to, and does not prohibit, processing that is carried out legitimately under the directions of the appropriate authorities. The scope of data protection is at once narrower and broader than that of privacy, since each concept protects only in part the rights and values covered by the other. Privacy is nevertheless the starting point for identifying and determining the principles of data protection.39 Privacy rights are personal rights, whereas data protection also has a proprietary value.
The Cambridge English Dictionary defines 'data' as information in the form of facts or numbers, collected and examined scientifically to be used for decision making. In the computer age it is information in electronic form that is stored and used by a computer, with the help of sophisticated software, to analyse a situation and take a decision. In the absence of specific legislation on data protection, the Information Technology Act 2000 defines 'data' as:
"a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer."40

38. European Union, 'The Future of Online Privacy and Data Protection' in Legal Analysis of a Single Market for the Information Society: New Rules for a New Age? (1st edn, DLA Piper, 2009), available at https://ec.europa.eu/digital-agenda/en/news/legal-analysis-single-market-information-society-smart-20070037, accessed on 15.08.14.
39. Id., p. 4.

The word 'processed' in the above definition is not defined by the Act. While personal information can be verbal or non-verbal, data is properly stored and analysed information used for decision making of a commercial nature. Because of the commercial utility of information analysed as data, it has proprietary value. There have been reports in the past of corporate houses selling or misusing such data without the permission of the individuals concerned, for commercial benefit, putting the integrity and security of those individuals in danger.41

3.3.1 OECD Principles for Data Collection

Online activities allow plenty of information to be disseminated and stored in cyberspace. Sophisticated technology recognises important information and creates data from it. The processing of such data is a major concern for users of the internet, because data is often collected without prior permission or, where consent is given, the user does not know the purpose for which it will be used. The Organisation for Economic Development (OECD) introduced guidelines for the collection and processing of data for its member states in the 1980s. Countries like the USA and the EU participated actively. While the EU adopted the guidelines in its directives, the USA, though it participated actively, did not do much in this regard. The OECD revised its guidelines relating to the protection of data in 2013.42 Part Two of the report lays down eight guiding principles for data collection, as follows:

40. Information Technology Act, 2008, Section 2(O).
41. The Economic Times, 'Toughen law enforcement: Indian BPOs need to be extra vigilant' (2006), http://articles.economictimes.indiatimes.com/2006-10-05/news/27466453_1_indian-bpo-data-theft-bpo-industry, accessed 10.07.2014.

1. Collection Limitation Principle: Only limited data should be collected, and it should be collected in a fair and lawful manner.
2. Data Quality Principle: Data should be accurate and used only for the purpose for which it was collected.
3. Purpose Specification Principle: The purpose of data collection should be specified at the time of collection.
4. Use Limitation Principle: Data should not be disclosed to others for purposes other than those for which it was collected, without the consent of the subject or the authority of law.
5. Security Safeguards Principle: Reasonable security safeguards should be taken to protect data from any kind of alteration, destruction, unauthorised access, modification or disclosure.
6. Openness Principle: Openness is required with regard to the collection and development of data.
7. Individual Participation Principle: Subjects should have the right (a) to obtain information relating to their data, (b) to have that information communicated to them within a reasonable time, (c) to be given reasons if information is denied, and (d) to challenge the data in case of wrong information and have it erased.
8. Accountability Principle: Accountability for maintaining data as per the above principles rests with the data controller.43

3.4 Data Protection Laws

3.4.1 European Union

The Data Protection Directive 1995/46/EC regulates data protection in the EU. The Directive regulates the automated or non-automated processing44 of personal data45. It allows processing through wholly or partly automated methods.46 Article 7 requires certain conditions to be fulfilled for the processing of data, such as:
1. The data subject has given consent; or
2. Processing is part of a contract to which the subject is a party, or is carried out at the request of the subject prior to entering into a contract; or
3. Processing is in accordance with a legal obligation; or
4. Processing is necessary to protect the interests of the subject; or
5. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or
6. Processing is necessary for the legitimate interests pursued by the controller.

42. OECD Report on Recommendations of the Council Concerning Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data, 2013, available at http://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf, accessed on 15.08.2014.
43. Id.
44. Directive 1995/46/EC, Article 2(b): "means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction."
45. Id., Article 2(a): "any information relating to an identified or identifiable natural person (data subject); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an

Further, Articles 10 and 11 state that the subject should be informed of the identity of the controller or its representative and of the purpose of the processing, both where the subject himself provides the information and where the information is collected from elsewhere. Subjects are vested with the rights to access47 and to object48 to the processing of their personal data. The right of access allows the data subject to require the controller to rectify, erase or block data whose processing does not comply with the provisions of the Directive. In the recent ruling of the European Court of Justice in Google Spain SL v. Agencia Española de Protección de Datos (AEPD),49 the Court directed Google to withdraw the information from its website. The Court held that individuals have the right, under certain conditions, to ask search engines to remove links to personal information about them. This applies where the information is inaccurate, inadequate, irrelevant or excessive for the purposes of the data processing. The case is popularly known as the 'right to be forgotten' case.

identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;"
46. Id., Article 3(1)
47. Id., Article 12
48. Id., Article 14
49. C-131/12, available at http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text&pageIndex=0&part=1&mode=DOC&docid=152065&occ=first&dir&cid=437838, accessed on 17.08.2014.

Further, the Directive allows the protection of data to be restricted in cases of (a) national security, (b) defence, (c) public security, (d) the prevention, investigation, detection and prosecution of criminal offences, and (e) the monitoring or regulatory functions of the State.50

3.4.2 India
3.4.2.1 Information Technology Act
The laws relating to data protection are scattered across various Acts.51 The Information Technology Act 2000 (as amended in 2008) (IT Act) provides civil and criminal remedies for violations relating to data protection.
Section 43 of the Act specifically lays down various kinds of acts which, when committed by any person without the permission of the owner or person in charge of the computer, computer system or computer network, have the potential to affect privacy and data protection directly or indirectly. The Section imposes a penalty, by way of compensation, on any such person. The acts enumerated under the Section are as follows:
a. Accesses or secures access to any computer, computer system, computer network or computer resource;52
b. Downloads, copies or extracts any data, computer database or information, including any information stored in a removable storage medium;53
c. Introduces or causes to be introduced any computer contaminant, such as a computer virus, into any computer system;54
d. Damages or causes to be damaged any computer, computer system or computer network, data, computer database or any other programme;55
e. Disrupts or causes disruption of any computer;56
f. Denies or causes the denial of access to any person authorised to access any computer, computer system or computer network by any means;57


50. Id., Article 13
51. Currently there is no exclusive enactment in India on privacy and data protection. However, a Bill relating to privacy and data protection is pending before Parliament.
52. Information Technology Act, 2000, Section 43(a)
53. Id., Section 43(b)
54. Id., Section 43(c)
55. Id., Section 43(d)
56. Id., Section 43(e)
57. Id., Section 43(f)

g. Provides assistance to any person to access a computer, computer system or computer network in contravention of the provisions of the Act, rules, regulations, etc.;58
h. Charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network;59
i. Destroys, deletes or alters any information, or diminishes its value or utility, or affects it by any means;60
j. Steals, conceals, destroys or alters, or causes any person to do so, with the intention to cause damage.61
As per Section 43A, if a body corporate that processes, deals with or handles any "sensitive personal data or information"62 is negligent in implementing and maintaining "reasonable security practices and procedures"63 and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay compensation by way of damages to the person so affected. In exercise of the power conferred by Section 87(2) read with Section 43A of the IT Act, the Central Government has made rules for the collection, processing and security of sensitive information: the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011. The Rules lay down the following procedure to be followed while collecting personal information:
a. The body corporate must frame a privacy policy for the handling of or dealing in personal information, including sensitive personal information. For collecting sensitive information, consent has to be obtained in writing; a letter, fax or email from the provider of the information is a recognised mode of consent.
b. The privacy policy should be published on the website of the body corporate or of any person working on its behalf.


58. Id., Section 43(g)
59. Id., Section 43(h)
60. Id., Section 43(i)
61. Id., Section 43(j)
62. Sensitive personal data or information has been defined in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011.
63. Information Technology Act, 2000, Section 43A, Explanation (ii): "Reasonable security practices and procedures" means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such bodies or associations as it may deem fit;

c. The nature of the sensitive information has to be identified and the individuals informed of the purpose of collection. Information should be collected only for a lawful purpose connected with a function or activity of the body corporate. While collecting the information, the body corporate should obtain the consent of the individuals and ensure that they are aware of the purpose of the collection.
d. The information collected should be used only for the purpose for which it was collected and shall not be retained for longer than is required.
e. The body corporate, or a person on its behalf, shall give the provider of the information the option not to provide the data or information. In addition, the provider shall have the option, at any time while availing of the services, to withdraw consent; such withdrawal shall be in writing.
f. Grievances of the provider relating to the use of data should be addressed by the body corporate in a time-bound manner, i.e. within one month from the date of receipt of the grievance. A Grievance Officer should be designated for that purpose.
g. Disclosure of sensitive information by the body corporate to a third party cannot be made without the prior permission of the provider of the information. However, prior permission of the provider is not required in the case of Government agencies mandated under the law to obtain it for the purpose of verification of identity, or for the prevention, detection and investigation (including of cyber incidents), prosecution and punishment of offences.
h. Transfer of information by the body corporate to another person or body corporate is allowed on two conditions. First, the other body corporate, whether located in India or outside, must ensure the same level of data protection as is adhered to by the body corporate. Second, the transfer is allowed only if it is necessary for the performance of a lawful contract between the body corporate (or any person on its behalf) and the provider of the information, or where the provider has consented to the data transfer.
i. Reasonable security practices have to be maintained as per the requirements of IS/ISO/IEC 27001 on information technology. If a body corporate chooses to follow its own independent security management practices, it shall get its code of best practices duly approved and notified by the Central Government for effective implementation.


Chapter XI of the IT Act lists the kinds of offences. Some of the offences dealing directly or indirectly with privacy and data protection are as follows:
1. Hacking is a serious threat to privacy and to data maintained by bodies corporate, government agencies or individuals. Section 66 states that whoever, with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person, destroys or deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means, commits the offence of hacking.64 The punishment for hacking is imprisonment up to three years, or a fine which may extend to two lakh rupees, or both.
2. Section 66B provides that any person who dishonestly receives or retains any stolen information shall be punishable with imprisonment for a term which may extend to three years, or a fine which may extend to one lakh rupees, or both. Section 66C punishes a person who fraudulently or dishonestly makes use of the electronic signature, password or any other unique identification feature of another person with imprisonment for a term which may extend to three years and a fine which may extend to one lakh rupees.
3. Further, Section 72 provides for a penalty of a fine of up to Rs. 1 lakh, or imprisonment for a term which may extend to two years, or both, where any person who has lawfully secured access to any information under the powers conferred by the Act discloses such information to any other person without the consent of the person concerned. This section makes bodies corporate, and even the public sector, liable for the violation of privacy and data-related information. Further, Section 72A provides for punishment with imprisonment for a term which may extend to three years, or a fine of up to Rs. 5 lakh, or both, where any person, including an intermediary, who has secured access to personal information about another person while providing services under a lawful contract, discloses that information without the consent of the person concerned, or in breach of the lawful contract, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain.


3.4.2.3 Credit Information Companies (Regulation) Act, 2005

The Credit Information Companies (Regulation) Act, 2005 ('CICR Act')65 was enacted with the twin purposes of regulating the credit information collected by credit institutions and facilitating the efficient distribution of credit by financial institutions, public financial institutions and financial corporations.

64. Id., Section 66
65. The Act came into force on 14 December 2006 by official gazette notification; see http://www.egazette.nic.in/EnhancedSearch.aspx

The CICR Act deals with privacy and data protection in the form of 'credit information'. The Act regulates the functioning of credit information companies by making it mandatory for such a company to be registered under the Companies Act, 1956.66 'Credit institution' means a banking company and includes a subsidiary bank, co-operative bank, non-banking institution, public financial institution, housing finance institution, company engaged in the business of credit cards or similar cards, etc.67 The Act authorises credit information companies (i) to collect, process and collate information on the trade, credit and financial standing of the borrowers of credit institutions, (ii) to provide credit information to its specified users or to the specified users of any other credit information company, (iii) to provide credit scoring to its specified users, to the specified users of any other credit information company, or to other credit information companies, (iv) to undertake research projects, and (v) to undertake any other business as specified by the RBI.68

Chapter VI of the Act lays down the information privacy principles to be observed by credit information companies. Section 19 requires the accuracy and security of credit information to be maintained by the credit information company, credit institution or specified user in possession or control of such information, against any loss, unauthorised use or unauthorised disclosure.69 Section 20 sets out the privacy principles in relation to the collection, processing, collating, recording, preservation, secrecy, sharing and usage of credit information, as follows:
1. Purpose principle:70 the purposes for which the information may be used, and restrictions on such use.
2. Extent of accuracy checking:71 the extent of the obligation to check the veracity of the information.
3. Preservation principle:72 the preservation of information for such period as it may be maintained.


66. Credit Information Companies (Regulation) Act, 2005, Section 2(e)
67. Id., Section 2(f)
68. Id., Section 14
69. Id., Section 19: A credit information company or credit institution or specified user, as the case may be, in possession or control of credit information, shall take such steps (including security safeguards) as may be prescribed, to ensure that the data relating to the credit information maintained by them is accurate, complete, duly protected against any loss or unauthorised access or use or unauthorised disclosure thereof.
70. Id., Section 20(b): the purpose for which the credit information may be used, restrictions on such use and disclosure thereof;
71. Id., Section 20(c): the extent of obligation to check accuracy of credit information before furnishing of such information to credit information company or credit institution or specified user, as the case may be;

The Act adopts a flexible approach, as the RBI may introduce any other principle or procedure it thinks fit, depending on the nature of the information.73 Section 21 allows any person who applies for the sanction of credit to obtain a copy of his credit information on request. If the person wants to have any alteration made to the credit information, he should be allowed to do so. The Act imposes a penalty on any person who intentionally and knowingly gives false information: such a person is liable to imprisonment for a term which may extend to one year and to a fine. Sub-section (2) of Section 20 makes it clear that any credit information company, credit institution or specified user which wilfully performs any act or engages in any practice in breach of the principles is punishable with a fine not exceeding one crore rupees.74 Sub-section (5) makes every credit information company, credit institution or specified user responsible for any contravention or default committed by it, and extends that responsibility to every person who is in charge of, and responsible to, the credit information company, credit institution or specified user for the conduct of its business, who is punishable accordingly.75


4. Summary
Privacy rights are important for the overall development of personality. The concept has to be defined properly and applied uniformly. This right is under threat due to the development of technologies and the over-dependence of human beings on them. Technology has invaded the personal and public life of individuals. Privacy and data protection rights are twins but not identical; they are related to each other. Privacy rights are not absolute. The Indian courts, through a number of judgments, have declared privacy to be a fundamental right, and through various judgments have balanced this right to a great extent. New technologies introduce new means of privacy violation, such as spamming, cookies and identity theft. There is a need for a comprehensive policy on privacy; in the Indian context it is scattered across various Acts. Against the backdrop of the e-commerce and BPO sectors, the Indian government has laid down the Rules 2011, but a comprehensive policy is still required. The Information Technology Act 2000 provides a number of civil and criminal liabilities to deal with privacy and data violations, and the Rules 2011 provide the procedure for data collection. The Credit Information Companies (Regulation) Act deals with the protection of credit information; it imposes penalties of a civil and criminal nature and also lays down the principles to be followed regarding the collection and use of information. The European Union has a Directive relating to privacy and data protection, the objective of which is to harmonise the law within the European Union.

72. Id., Section 20(d): preservation of credit information maintained by every credit information company, credit institution, and specified user, as the case may be (including the period for which such information may be maintained, manner of deletion of such information and maintenance of records of credit information);
73. Id., Section 20(f): any other principles and procedures relating to credit information which the Reserve Bank may consider necessary and appropriate and may be specified by regulation
74. Id., Section 20(2)
75. Id., Section 20(5)
