Data Protection and Privacy Issues in India

Section 2(1)(o) of the Information Technology Act, 2000 (the “IT Act”) has defined "data" to mean “a representation of information, knowledge, facts, concepts or instructions which are being prepared or processed in a computer network.

Indian Jurisprudence on Right to Privacy

• Article 21: the Constitution of India does not specifically recognize ‘right to privacy’ as a fundamental right under Article 21, though interpreted by court.
• ‘Right to privacy’ is a fundamental right was first considered in the case of M. P. Sharma and Ors. vs. Satish Chandra, District Magistrate, Delhi and Ors.
• Thereafter, in the case of Kharak Singh vs. State of Uttar Pradesh, the matter whether the surveillance by domiciliary visits at night against an accused would be an abuse of the right guaranteed under Article 21 of the Constitution of India, thus raising the question as to whether Article 21 was inclusive of right to privacy.
• The Supreme Court held that such surveillance was, in fact, in contravention of Article 21.
• Subsequently, in the case of Gobind vs. State of M.P. the Court accepted right to privacy as a fundamental right guaranteed by the Constitution of India.

Concerns and Difficulties

• Absence of Data Protection Mechanism: India does not have a comprehensive data protection mechanism the main enactment that deals with protection of data is the IT Act and the Information Technology.
• Collection of Personal Data: Rules 5 of the IT Rules prescribes that nobody - corporate or any person - on its behalf shall collect sensitive personal data unless collected for a lawful purpose.
• Duration of Storing Data: Anybody - corporate or persons holding sensitive personal data or information on its behalf - cannot retain it for longer than is required for the purposes for which the information may lawfully be used.
• Third Party Disclosure: The body (corporate) receiving the information can disclose sensitive personal data or information to any third party, provided prior permission from the provider of such information has been received.
• Obligation of Employers: If employer stores such personal information on a computer resource, such employer, if a body corporate, is required to have in place a comprehensive documented information security programme and information security policies for managing.