India presently does not have any express legislation governing data protection or privacy. However, the relevant laws in India dealing with data protection are the Information Technology Act, 2000 and the (Indian) Contract Act, 1872, which deals with the contractual relationship between the parties. It may be noted that a codified law on the subject of data protection is likely to be introduced in India in the near future.
It is pertinent to note that there is also no interference by the Government of India until and unless the information sought by the Government falls in any one of the category of exceptions, provided under the Constitution of India, as mentioned hereinafter:Ø in the interests of the sovereignty and integrity of India,
Ø the security of the State,
Ø friendly relations with foreign States,
Ø public order,
Ø decency or morality,
Ø in relation to contempt of court,
Ø defamation, or
Ø incitement to an offence.
The (Indian) Information Technology Act, 2000 deals with the issues relating to payment of compensation (Civil) and punishment (Criminal) in case of wrongful disclosure and misuse of personal data and violation of contractual terms in respect of personal data.
Under the (Indian) Information Technology Act, 2000, a body corporate who is possessing, dealing or handling any sensitive personal data or information, and is negligent in implementing and maintaining reasonable security practices resulting in wrongful loss or wrongful gain to any person, then such body corporate may be held liable to pay damages to the person so affected. It is to be noted that there is no upper limit specified for the compensation that can be claimed by the affected party in such circumstances.
Under the (Indian) Information Technology Act, 2000, disclosure of information, knowingly and intentionally, without the consent of the person concerned and in breach of the lawful contract has been also made punishable punishment of imprisonment for a term extending to three years and fine extending to INR 5,00,000 (Approx. US$ 10750).
As of now, it can be said that the issue of data protection is more of a matter governed by the contractual relationship between the parties than the law. It is important to note that the parties are free to enter into contracts to determine their relationship defining the terms personal data, personal sensitive data, data which may not be transferred out of or to India and mode of handling of the same under the provisions of the Indian Contract Act, 1872. The entire data handling of the personal data and the personal sensitive data will depend upon the contract between the foreign entities and Indian entities.
It is advised that the Norwegian entities should enter into contracts to set out safeguards that may not be too dissimilar to those used in Norway to set out the contractual obligations between them for protection/processing of personal data.