Indian Laws on Privacy of Digital Information of Users

When we log on to the Internet, innovative technologies present the assurance of an easier life, and also an apprehension of abuse by criminal minds. The statement of United Nations High commissioner for Human Rights, Navi Pillay “Internet privacy as important as human rights” and further the resolution called on the 193 UN member states as “to review their procedures, practices and legislation regarding the surveillance of communications, their interception and collection of personal data, with a view to upholding the right to privacy of all their obligations under international human rights law”, exhibits the importance of digital privacy and law.

Internet is the social behavior of global society; India is no exception to it, data protection and privacy depend on ‘The Information Technology Act 2000′, and this article cannot be completed without the reference of Art 21 and Art 19. While there is no express indication to a right to privacy into the Constitution of India, an interpretation of Supreme Court of India considered it under article 21, life with dignity, and freedom of expression under article 19.

The Information Technology Act, 2000 (IT Act, 2000)

IT Act 2000 was the first constructive attempt on data protection legislation in India; it was the result of  the United Nations General Assembly Resolution A/RES/51/162 on 30th January, 1997 regarding the Model Law on Electronic Commerce.

The prime objective of IT Act 2000 is to provide legal frame work for electronic documents, digital signature, offence and legal remedy. It has two folds, it enunciated compensation (civil liability), and punishment (criminal procedure), both in public and private domain.

The Information Technology Amendment Act 2008, initialize data protection regime in India.    it  was the off spring of data protection laws in European Union, which obligates it’s member States to prohibit to send personal data to third party unless same genesis of laws are in place.

Image Source: Judicial Learning Center

Data Protection and Privacy

Section 43A (Penalty and compensation, for damage to computer, computer system, etc) is an important provision in the act which is based out on negligence, implementing reasonable security practices and procedures, wrongful loss and wrongful gain and compensation. This section envisages civil liability in terms of penalty and compensation If any person without permission of the owner or any other person who is in charge of a computer, computer system or computer network – accesses or secures , downloads, copies or extracts, introduces or causes to be introduced a computer virus, damages or causes to be damaged, disrupts or causes disruption, destroys, deletes or alters any information or computer or computer systems.

Sections 65 is the penal provision, as tampering with computer source documents, which establishes imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both, who knowingly or intentionally conceals, destroy, or alter any computer source code used for a computer, computer programme, computer system or computer network, when the computer source code is required to be kept or maintained by law for the time being in force.

Section 66 is the hot cake in recent time, it deals with Computer related offences, Section 66 read with section 43 execute a criminal mandate as if any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punished with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both. The word used in the section dishonestly or fraudulently in relation to section 43 for curtaining hacking to computer or unauthorized use of protected information.

Section 72, Penalty for breach of confidentiality and privacy, – Directly demonstrate privacy protection with a penal provision. Section says “Save as otherwise provided in this Act or any other law for the time being in force, if any person who, in pursuance of any of the powers conferred under this Act, rules or regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses such electronic record, book, register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.”

Section 43A and Section 72A, protected the data even outside the India, but the expectation of corporate are too high, ‘The information technology amendment Act, 2008 was aimed to rectify such lacunas in our country, still much more is needed.

The Information Technology (Reasonable security practices and procedures and sensitive personal information) Rules 2011 has been notified by Ministry of Information and Technology under Section 43A to define ‘sensitive personal information’ and to stipulate ‘reasonable security practices’.

Right to Information Act 2005 (RTI Act)

RTI Act is not an erosion to right to privacy. Indeed RTI Act established a safeguard against the violation of privacy under section 8(j), which exempt from disclosure of personal information, which is not serving any public purpose. further under section 11, establish a procedure where PIO intends to disclose any information on a request made under this act, which relates to or has been applied by a third party and has been treated as confidential by that third party, and such objections in writing or oral by third party shall be kept in view while taking a decision about disclosure of information.

Does it mean the present laws related to data protection and privacy are sufficient?

The answer is not affirmative, in the light of public policy, and transparency. Although there are various amendments and judicial pronouncements to strengthen data protection, but still the existing law is not competent to cope with emerging technologies.  Issues like conflict of jurisdiction, IPR protections, domain names, still need to be addressed and the training to investigations agencies is also an important part. I can remember an interesting case where in a CD was being seized by police personal for evidence, and to preserve the CD the Investigation Officer made a hole in it and then tagged it into the file, before producing in the court of law.

About the author: Naveen Kumar Shelar is an advocate and a legal consultant, who founded the online law firm –The law office. He is an author of several academic & professional legal books and management articles, and established an NGO called “Nayaya A Voice For Justice”  to ensure that nobody is deprived of an opportunity to seek justice merely for want of funds or lack of knowledge.