At present, India does not have any express legislation governing data protection or privacy. However, the Information Technology Act 2000 (the ‘IT Act’) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (the ‘IT Rules 2011’) framed thereunder deal with aspects of the protection of data, including sensitive personal data. Some of the main laws in India which directly or indirectly deal with data protection are enumerated below:
• the (Indian) Information Technology Act 2000; and
• the Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules 2011.
In India, privacy rights are recognised by the Constitution of India, which provides that no person shall be deprived of life or personal liberty except according to the procedure established by law. The Supreme Court of India has held in a number of cases that the right to privacy is implicit in the right to life and personal liberty guaranteed to citizens of India.
Sections 43A and 72A of the IT Act deal with the processing/protection of personal data in India. These two provisions deal with the payment of compensation (civil) and punishment (criminal) in case of wrongful disclosure and misuse of personal data, and violation of contractual terms in respect of personal data. However, neither of these sections applies to data stored in a non-electronic medium.
‘Personal information’ means any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.
‘Sensitive data’ is defined as such personal information which consists of information relating to the following:
· financial information, such as bank account or credit card or debit card or other payment instrument details;
· physical, physiological and mental health condition;
· sex life;
· medical records and history;
· biometric information;
· any detail relating to the above items as provided to body corporate for providing service; and
· any of the information received under the above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.
However, under the IT Rules 2011, the following shall not be regarded as sensitive data or information, namely any information that is:
· freely available or accessible in the public domain;
· furnished under the Right to Information Act 2005; or
· furnished under any other law.
Currently, data pertaining to companies is not considered to be personal data under the provisions of the IT Act. However, there have been civil as well as criminal cases in which the data of a company, eg a database of clients and customers, has been granted protection by the courts under copyright law (the (Indian) Copyright Act 1957), despite the fact that such data is not protectable under the provisions of the IT Act.
The IT Act does not apply to personal data, or other data, stored in a non-electronic medium.
The following information is also exempted as it does not fall under the category of sensitive data or information:
· any information that is freely available or accessible in the public domain;
· any information that is furnished under the Right to Information Act 2005; or
· any information that is furnished under any other law for the time being in force.
Government institutions not engaged in ‘commercial or professional activities’ are not covered under the IT Act.
The IT Act applies to the whole of India and also has extraterritorial effect in case of offences or contraventions committed outside India, by any person, if the act or conduct constituting such offences or contraventions involves a computer, computer system or computer network located in India....