2- There should be transparency and openness in privacy and security practices and it
must also be easily understandable and accessible.
3- There should be limit of dissemination of material for what purpose material is being
stored.
4- Data must be secured securely and safely.
5- There should be access and accuracy while handling personal data in usable formats
and that must also be appropriate keeping in view the sensitivity of data.
6- There must be strict adherence to accountability principles and they must also ensure
that they also consumer privacy will of Rights accordingly.
APEC PRIVACY FRAMEWORK42
There is group of 21 countries which follows privacy framework of APEC to promote E-
commerce self regulation is very crucial part of APEC privacy program. Keeping in view
the requirements and socio- economic situation of countries APEC adopts practical aspect
of data protection. There are several integral part of APEC privacy framework which
includes Cross-Border Privacy Rules (CBPRs), Agencies dealing with information and
enforcement across borders, self-regulatory organisations (SROs) etc.
3.4. INDIAN LAW RELATING TO DATA PROTECTION
For having deep insight of legislative tendency we must evaluate privacy perception of
people. Legislation is affected by tendency and perception of people because laws are often
reflection of people’s perception and it is not operated in vacuum.
Survey shows that British and American are much conscious about their information and
privacy while Indian is not much bothered about it. If we compare British and American
42
APEC Privacy Framework. Available at: http://www.apec.org/Groups/Committeeon-Trade-and
Investment/~/media/Files/Groups/ECSG/05_ecsg_privacyframewk.ashx accessed on 23/03/2016
33
�perception, we find that British are more conscious than American and that is reflected in
their laws. Survey makes inquiry whether in Indian Laws Data Protection finds place or
not and it comes to conclusion that although there is no dedicated legislation dealing with it
but it is covered up to some extent under various laws. Survey also compares Data
Protection relate laws with European Laws and comes to conclusion that European Laws
are much developed than ours. Survey also points out that perception of Data Protection
and Privacy is higher among western countries that of India. This has nothing to do with
legislation of Data protection because that is survey and I T Law was not enacted keeping
in to consideration the perception of Data Protection and Privacy of Indian. Apart from that
I T Law is not only applicable to Citizen but it is also applicable to Multinational
Corporations as well as other entities. Besides this, this Article has not taken into
consideration recent Amendments and Rules which has taken place .While enacting
comprehensive legislation we will have to take in to consideration our domestic
requirements as well as global with a view to have concrete and robust I T Law which
may serve our country better and also cope up with Global requirements.43
THE RIGHT TO PRIVACY BEFORE THE CONSTITUTION
Prior to constitution came in effect that is 26th JANUARY 1950, none of the rights were
guaranteed what has been guaranteed after Constitution came in force. In fact it can be said
that the position as citizen of India as a legal status came with the arrival of the
Constitution. Prior to constitution Privacy issues were subject of ordinary laws, especially
criminal law. The criminal Law provided protection from infraction of Chastity of women,
property, and dwelling house etc and made it punishable. Law of torts was also a proper
mechanism in case there is violation of civil rights of individual.
CONSTITUTIONAL PROVISIONS
Constitution of India does not expressly provides fundamental Right to privacy however
Supreme court have interpreted privacy as fundamental right in Article 19(1)(a) and Right
to life and personal liberty under Article 21. However certain reasonable restrictions have
been imposed under Article 19(2) of constitution by state.
43
First Analysis of the Personal Data protection Law in India :Final Report PREPARED BY: CRID –
University of Namur Report delivered in the framework of contract JLS/C4/2005/15 between CRID
and the Directorate General Justice, Freedom and Security
34
�JUDICIAL INTERPRETATION
Indian courts through their judgements have time and again addressed privacy issues.SC
through judicial activism has on various occasions balanced the civil rights of individual
and requirement and well being of the society. The common genus running through all the
judgements of SC is that courts have been very proactive to declare Right to privacy, either
as fundamental right or common law right. But courts have been vigilant while recognising
right to privacy in watertight compartment and they have recognised it case to case basis.
As Justice Mathew put it, “The right to privacy will, therefore, necessarily, have to go
through a process of case by case development.” (Govind v. State of Madhya Pradesh44,).
Example of few such decisions is following.
SC evolved Right to privacy in case of Kharak Singh v The State of U.P45 In this case SC
stated that ‘It is true our Constitution does not expressly declare a right to privacy as a
fundamental right, but they said right is an essential ingredient of personal liberty.’
After few years of judgement of Kharak Singh case Right to privacy once again came to be
decided in the case of Govind v. State of Madhya Pradesh, in case several regulations were
challenged as being violative of fundamental rights and hence unconstitutional. While
pronouncing judgement Matthew.J. Said
“Rights and freedoms of citizens are set forth in the Constitution in order to guarantee that
the individual, his personality and those things stamped with his personality shall be free
from official interference except where a reasonable basis for intrusion exists. ‘Liberty
against government’ a phrase coined by Professor Corwin expresses this idea forcefully. In
this sense, many of the fundamental rights of citizens can be described as contributing to
the right to privacy.”
However this pronouncement was not sweeping one and it was also stated that this right is
not absolute one and can be curtailed by states on the basis of compelling public interest.
After SC delivered its judgement in the Govind case SC had met with a occasion to balance
the right to free speech and right to privacy in the case of R. Rajagopal v. State of Tamil
44
AIR 1975 SC 1378
45
AIR 1963 SC 1295
35
�Nadu 46 . In this case certain order was given by State of Tamil Nadu to a magazine
publisher to not interfere with publication of Autobiography of Death row convict Auto
Shankar, which was likely to disclose the criminal connection between criminals and police
officers. In this case SC prepared three set of questions in order to solve this matter.
1. Whether a citizen of this country can be prevented by writing his biography etc. By
other citizen
2. Even if they are written whether such unauthorised writing infringe the citizen’s
right to privacy.
3. Whether fundamental Right guaranteed under Art. 19(1) (a) entitles the press to
publish such unauthorised account of a citizen's life and activities and if so to what
extent and in what circumstances?
In the case of Mr. ‘X’ v. Hospital ‘Z47’, SC was required to make pronouncement on the
ambit and scope of Right to privacy of medical records of blood donors. In this case
accused was alleged that he had disclosed the fact of victim being HIV + patient without
prior permission of donor. Because of this disclosure lady who was blood donor met with
divorce and social stigma.SC while discussing the case held that although medical records
are strictly private and they are not open to be disclosed yet doctor s and hospitals may
make exceptions in certain cases, where medical information is so vital that it can endanger
the life of others.
In 2005 SC pronounced a very important judgement relating to privacy issue in the case of
District Registrar v. Canara Bank 48 . In this case SC has an occasion to consider the
constitutionality of a provision Andhra Pradesh Stamps Act. This particular provision
provided that Collector or any other person authorised on behalf of him may enter any
place for inspection of records , registers, data contained in computers, documents, books
etc, if as a result it appears to the court that fraud has been played or omission has occurred
about any duty which is payable to government. The main issue in this case was what is the
position of data which is stored by financial institution like bank and customer? After
elaborate and extensive SC found impugned provision as unconstitutional on the ground
that it has been unable to qualify the test of reasonableness contained in Art.14, 19 and 21.
46
AIR 1995 SC 264
47
AIR 1999 SC 495
48
(2005) 1 SCC 496
36
�SC vehemently laid down that if there is provision which affects Right to life and personal
liberty as contained in (whether it be financial record or any other matter), in order to be
constitutional it must qualify criteria laid down by Maneka Gandhi v. UOI49. There is three
test or standards laid down by Maneka case:
1-There must be procedure
2-The procedure must be in compliance with Fundamental rights conferred under Art.19
which be appropriate for given situation.
3-It must also be in consonance with Art.14
Apart from this court also that concept of privacy is not linked with place rather than it is
linked with citizen. Court finally held that it is immaterial as to where documents are
contained (whether it be bank or home), if documents are belonging to citizen they are
protected under right to privacy
In PUCL v. Union of India50, action of state in intercepting calls etc. was challenged. Sc
while deciding the scope and ambit of this case found that there are procedural lapses while
intercepting the calls and provided safeguards to be followed, even if it be in consonance of
Provision relating to interception in Telegraph Act, 1885. In coming to this conclusion
court observed that intercepting telephone calls is serious infringement of one’s right to
privacy. It is true that in spite of being democratic country it has certain types of
intelligence mechanism but citizen’s right to privacy must be protected in all respect. .”
The court held: “Telephone-tapping would, thus, infract Article 21 of the Constitution of
India unless it is permitted under the procedure established by law.”The Supreme Court
placed restrictions on the class of bureaucrats who could authorise such surveillance and
also ordered the creation of a ‘review committee’ which would review all surveillance
measures authorised under the Act.
3.5. DATA PROTECTION AND INFORMATION TECHNOLOGY ACT, 2000
The Information Technology Act, 2000 deals with compensation and punishment in civil
and criminal cases respectively. It occasions when there is wrongful disclosure and misuse
of personal data and violation of contractual terms in respect of personal data.
49
AIR 1978 SC 597
50
(1997) 1 SCC 30
37
�APPLICABILITY OF I T ACT, 2000
The IT Act and corresponding IT rules have extraterritorial applicability. However through
a press release dated 24 August 2011, the government clarified that the UT rules only apply
to bodies corporate or persons located in India. Therefore, the IT rules do not apply to
foreign corporations or persons located outside India, or when information is collected
from persons located outside India. The press release further clarified that the provisions of
IT rules governing collection and disclosure to not apply to bodies corporate collecting data
from data subjects (that is, a data processor) on behalf of another entity (that is a data
controller) under a contract between the data processor and the data controller, however,
the provisions relating to transfer of sensitive personal data information continue to apply
to data processors.
Under Section 43A of the Information Technology Act, 2000, a body corporate who is
possessing, dealing or handling any sensitive personal data or information, and is negligent
in implementing and maintaining reasonable security practices resulting in wrongful loss or
wrongful gain to any person, then such body corporate may be held liable to pay damages
to the person so affected. It is important to note that there is no upper limit specified for the
compensation that can be claimed by the affected party in such circumstances.
Under Section 72A of the Information Technology Act, 2000, the person who will
knowingly and intentionally disclose the information without the consent of the person
concerned and who will breach lawful contract, will be punished with imprisonment for a
term exceeding to three years and fine extending to INR 5, 00,000.
In the present scenario data protection in most of cases is governed by contractual
relationship among the parties and parties are free to decide their term of contracts, terms
of personal sensitive data which may not be transferred out of India or outside India.
Section 69 of Information Technology Act, 2000 is an exception to the general rule of
maintenance of privacy and secrecy of the information and provides that where the
Government is satisfied that it is necessary in the interest of: The sovereignty or integrity
of India, Defence of India, Security of the State, Friendly relations with foreign States or
38
�Public order or For preventing incitement to the commission of any cognizable offence
relating to above or For investigation of any offence,
It may by order, direct any agency of the appropriate Government to intercept, monitor or
decrypt or cause to be intercepted or monitored or decrypted any information generated,
transmitted, received or stored in any computer resource. This section empowers the
Government to intercept, monitor or decrypt any information including information of
personal nature in any computer resource. Where the information is such that it ought to be
divulged in public interest, the Government may require disclosure of such information.
Information relating to anti-national activities which are against national security, breaches
of the law or statutory duty or fraud may come under this category.
PENALTY FOR DAMAGE TO COMPUTER, COMPUTER SYSTEMS, ETC.
UNDER THE IT ACT
Section 43 of the IT Act, imposes a penalty of INR 10 million inter alia, for downloading
data without consent. The same penalty would be imposed upon a person who, inter alia,
introduces or causes to be introduced any computer contaminant or computer virus into any
computer, computer system or computer network.
TAMPERING WITH COMPUTER SOURCE DOCUMENTS AS PROVIDED FOR
UNDER THE IT ACT, 2000
Section 65 of the IT Act lays down that whoever knowingly or intentionally conceals,
destroys, or alters any computer source code used for a computer, computer programme,
computer system or computer network, when the computer source code is required to be
kept or maintained by law for the time being in force, shall be punishable with
imprisonment up to three years, or with fine which may extend up to INR 200,000, or with
both.
COMPUTER RELATED OFFENCES
Earlier, the IT Act under Section 66 defined the term hacking and provided penalty for the
same. However, the term “hacking” has now been deleted by the introduction of the IT
Amendment Act, 2008. The substituted Section 66 now reads as “If any person,
dishonestly or fraudulently does any act referred to in Section 43, he shall be punishable
39
�with imprisonment for a term which may extend to three years or with fine which may
extend to five lakh rupees or with both”.
PENALTY FOR BREACH OF CONFIDENTIALITY AND PRIVACY
Section 72 of the IT Act provides for penalty for breach of confidentiality and privacy. The
Section provides that any person who, in pursuance of any of the powers conferred under
the IT Act Rules or Regulations made there under, has secured access to any electronic
record, book, register, correspondence, information, document or other material without the
consent of the person concerned, discloses such material to any other person, shall be
punishable with imprisonment for a term which may extend to two years, or with fine
which may extend to INR 100,000, or with both.
PERSONAL DATA PROTECTION BILL 200651
On December 8, 2006 the Personal Data Protection Bill, 2006 was introduced in the Rajya
Sabha by M.P Vijay J. Darda. The bill was introduced to to provide compensation and
damages to individual whose personal data was being used by various organizations for
direct marketing and other economic benefits without the consent of the individual to
whom the data belongs. The Bill is intended to apply to both the Government and Private
organizations engaged in the collection of data.
The main objective of the Personal Data Protection Bill, 2006 is to provide for the
protection of personal data and information of an individual collected for a particular
purpose by one organization, and prevents its usage by other organizations for the purpose of
direct marketing and other economic benefit. The Bill attempts to rectify the perceived
lacuna in the law which has permitted the sale of databases of personal data from
organizations which collect data in the course of the business operations to organizations
who wish to use the data for direct marketing. These sales of data have led to the menace of
continuous marketing calls in India. The Bill entitles an individual to claim compensation
or damages due to disclosure of personal data or information of any individual without his
consent.
51
Vishwanathan , Aparna; Cyber Law 2012 LexisNexis Page 203
40
