1.

1 Introduction

“Privacy is not something that I'm merely entitled to, it's an absolute pre-requisite.”

- Marlon Brand1

The aforesaid quote of Marlon Brando emphasises the importance of privacy in an

individual’s life. Though human beings are recognised as social creatures, every human
being needs his or her own space for a peaceful living. With the advent of computers in
human life, its parameters started changing. What was real, started taking the form of virtual.
Computers have opened the avenues to infinite possibilities. With the rise of internet, the
virtual world started shrinking and communication techniques became extremely cost
effective and time efficient. However, in this ever-shrinking world, the risks of intrusion on
individual privacy and private as well as proprietary information has seen an unprecedented
increase.2

Privacy being a fundamental human right, protects human dignity and other values like
freedom of association and freedom of speech. Privacy has emerged as one of the most
important human rights of the modern age3.

Privacy is recognized around the world in different regions and cultures. It is protected in the
Universal Declaration of Human Rights, the International Covenant on Civil and Political
Rights, and in many other international and regional instruments recognizing human rights.
Almost every country in the world includes the right of privacy in its Constitution. The least
these provisions include are the rights of inviolability of the home and secrecy of
communications.

1
Marlon Brando, Jr. (April 3, 1924 – July 1, 2004) was an American actor, film director, and activist
2
The Economist, Our Ever-shrinking World, 23rd October 2001, Available at
http://www.economist.com/node/379555,
3
Nikolay Omelchenko, Protecting Human Rights in Digital Age, The Human Being in Contemporary
Philosophical Conceptions, pg. 287,
1
 The Courts have identified that right in other provisions, in the countries where privacy is not
specifically recognized in the Constitution. 4 Ever since it was first articulated by Justice
Brandeis in 1898, the concept of privacy has evolved in the United States. The definition of
privacy by Justice Brandeis, “The right to be let alone”, has been influential for nearly a
century. Further and more sophisticated legal inquiry into the meaning of privacy was
encouraged since 1960s, till about 1980s, due to the proliferation of information technology
and concurrent developments in the law of reproductive and sexual liberties. In the digital
environment of present times, where personal information can be transported and distributed
around the world in seconds, the vision of Justice Brandeis of being “let alone” does not
suffice to define the concept of privacy.5

Societies and governments have also recognized their importance with the growth and
development of new technological advancements. Demands for specific rules governing the
collection and handling of personal information is prompted by the surveillance potential of
powerful computer systems.

One can trace the genesis of modern legislation in this area to the first data protection law
enacted in Germany in 1970. Laws made in Sweden (1973), the United States (1974),
Germany (1977), and France (1978) followed the trend. Ideas about privacy became more
complex at the end of year 2000. It reflected, the rapid and remarkable advances that the
computers have made in storage, manipulation, and sharing of data.6

4
Prof. S.N. Parikh, Nature and scope of the right to privacy and the problem of the protection of this right in
India: Comparative Perspective to USA and UK, page 20
5
Ibid
6
Richard Hixson, Privacy in a Public Society: Human Rights in Conflict 3, 1987. See also, Barrington Moore,
Privacy: Studies in Social and Cultural History, 1984.
 The concept of privacy is often discussed but seldom defined. As per the view of Raymond
Wacks, Tom Gerety, and Stephan, the concept of privacy is vague, perhaps too vague for
definition or description. The concept of privacy is different from the ‘right to privacy’. 7 The
claims to privacy made by a society will be protected only up to that extent which is
determined by law. There is no single definition or analysis or meaning of the term the term
‘privacy’ though it is used frequently in ordinary language as well as in philosophical,
political and legal discussions. Detailed historical background in sociological and
anthropological discussions, about how extensively privacy was valued and preserved, are
found in various cultures. History has a deep-rooted recognition of privacy.

When we talk about privacy today, we often talk about personal autonomy, since it relates to
information about an individual. Privacy entails an individual's right to control the collection
and use of his or her personal Information, even after he has disclosed it to others.
Individuals expect that the professionals or companies will collect the information they need
to deliver a service and use it for that sole purpose, when they provide information to a
doctor, a merchant, or a bank. They also expect that they have the right to object to any
further use. The key to preserving the autonomy of an individual, by ensuring the protection
of his privacy interests, is the implementation of principles of fair information practices like,
notice, choice, access, security, and enforcement.

Policy issues that are often defined in terms of invasion of privacy, are raised by the use of
new technology. Priscilla M. Regan, a critic has noted that the demarcation between public
and private realms has been considerably blurred by the use of computers to manage
information. The hiding of the monarchies of privacy by the influx of technological
advances, has only enhanced the problem of intrusion on privacy. The aforesaid contention

7
W. A. Parent, Recent Work on the Concept of Privacy, American Philosophical Quarterly, Vol. 20, No. 4 (Oct.,
1983), pg. 341-355, Available at https://www.jstor.org/stable/20014016,
3
 is further supported by a similar, and ever present condition, which Arthur Miller noted in
1971, by stating that, “It is essential to expose the ways computer technology is magnifying
the threat to informational privacy - a threat that we have faced in some form ever since
man began to take notes about himself and his neighbours.” Henry Perritt, another legal
scholar, has observed that “In the long run, adoption of information technologies will blur
the boundaries between citizen and agency and between agency and court. Blurring of these
boundaries may necessitate rethinking the definitions of some of the basic events that define
the administrative process, public participation, and judicial review.”8

The internet has given birth to many facilities in recent times. A world of information,
entertainment, and shopping is made available at our fingertips by websites. With the help of
electronic mail, instant messaging, and chatrooms, we can communicate with friends, family,
and strangers in ways we never dreamed of a decade ago.

But it is also necessary to see that the internet has become a vital tool for data recovery,
communication, and business transactions in daily workflow. Companies use internet to
attend new clients and customers and to serve the existing ones. Individuals use it to
communicate and to stay in touch with others. However, there is always a threat that the
internet can render one’s information susceptible to interception, misappropriation, or other
loss. This danger is present, despite there being the ease in collecting and processing
information and the depth and richness of the data available on the internet. Companies’ and
individual’s data is exposed by the internet to the danger that third parties may access private,
confidential data, resulting in potential liability. The importance of a company’s as well as
individuals’ privacy and security is underlined by the privacy and security concerns
generated by the internet.

8
Henry H. Perritt Jr., The Electronic Agency and the Traditional Paradigms of Administrative Law, 44 Admin. L.
Rev. 79, 80 (1992).
 In the new millennium, personal information is an important currency globally. The
monetary value of personal data is large and ever growing. The corporate world is moving
quickly to profit from this trend of data currency. Companies have invested heavily in
softwares which facilitate the collection of consumer information and view this information
as a corporate asset. Individual Americans are already participating in the commodification of
their personal data since strong conception of personal data as a commodity is emerging in
the United States. Once personal data becomes a commodity, question arises regarding the
necessity of legal limitations on data trade. Some legal scholars have advocated imposing a
ban on data trade, rather than restricting transferability and have been interested in protecting
information privacy. However, many countries, have been suspicious of treating personal
data as a form of property.9 Contrary to this, other legal scholars have advocated
prophetization of personal information, without enough sensitivity to privacy concerns. As a
result, such scholars usually see no need for imposition of legal limitations on data trade that
is, no need for “inalienability”, which, means “any restriction on the transferability,
ownership or use of an entitlement”. 10

Indian government has identified the militarisation of space and cyber security as one among
the five medium term threats or challenges faced by the country. The spectre of cyber
securities and their connection with international terrorism and security policies is a major
issue which needs to be addressed. This represents problem for Indian national security and
data protection for which solutions must necessarily rely on international cooperation.

Though the law of the land, the Constitution of India, does not contain a provision granting a

9
Anita L. Allen, Coercing Privacy, 40 Wm. & Mary L. Rev. 723, 750-57 (i999); Julie E. Cohen, Examined Lives:
Informational Privacy and the Subject as Object, 52 Stan. L. Rev. 1373, 1423-28 (2000).
10
Patricia Mell, Seeking Shade in a Land of Perpetual Sunlight: Privacy as Property in the
Electronic Wilderness, Il Berkeley Tech. L.J.I, 26-41 (1996).
5
 direct right to privacy, ‘Right to Privacy’ has been recognized by the Indian Judiciary as
being an implicit fundamental right in Article 21 and Article19(1)(a)11 of the Constitution.
Right to privacy has several dimensions and the aspect of privacy which is most likely to get
affected in cyberspace is the informational privacy. Currently, there are no laws in India
requiring websites to disclose how they collect the information about the visitors and the way
it is used. Online businesses are largely free to use data obtained on their websites without
any control by the consumer. Consumers in India have no statutory right to control the
dissemination of their personal information to others by third parties.

Under Indian laws, the concept of ‘data’ is embodied in Section 2(1)(o) of the Information
Technology Act, 200012 i.e. the “IT Act” and the term ‘data protection’ is defined under the
Information Technology (Reasonable Security Practices and Procedures and Sensitive
Personal information) Rules, 2011.

The Government of India has recently taken several steps to ensure greater focus on these
issues. National Cyber Security Policy, 2013 was notified by the Government of India with
the goal of comprehensively addressing the cyber security domain from a national
perspective. Main goal of the Cyber Security Policy is to make the cyberspace more secure
and resilient for citizens, businesses, and for the Government. By creating a National Critical
Information Infrastructure Protection Centre (NCIIPC), the policy provides for the
establishment of national and sectoral mechanisms to ensure cyber security. Computer
Emergency Response Team (CERT-In) is envisaged to act as the nodal agency for
coordination of all cyber security and crisis management efforts. It is also intended to act as
the nodal organisation for coordination and operationalization of sectoral CERTs in specific
domains in the country.

11
Ibid, Pg.26.
12
Protection of life and personal liberty, The Constitution of India (As On 31st July, 2018), Published by the
Government of India Ministry of Law and Justice Legislative Department Pg. 27,
Many countries are seriously engaged in attending to their cyber security concerns and
strategies. The EU, US, Russia, UK, Germany, New Zealand, China, Brazil, South Africa,
Denmark, South Korea, France, Singapore, Malaysia, Australia, Sweden, are on the long and
ever increasing list of countries actively engaged in ensuring a safe and secure cyber
environment for their citizens. The international community is also engaged in carrying out a
variety of regular and periodical discussions on this subject.

This research study examines various laws existing for protection of personal data at the
international and regional level with a comparative analysis of Indian laws with other
developing and developed nations. The study is categorised in different sections with focus
on the legally binding instruments of India and other nations. It examines the non-binding,
yet influential, measures adopted by international agencies and it further examines the arena
of data protection under the Indian legal system.

The aim of this research work is to highlight and suggest the areas, which require
modifications and to demonstrate which obligations India should have under existing
international and regional laws to implement and respect the basic principles of data
protection.

1.2 Rationale and Significance of the Study

Indian data protection law lays behind the international curve. The Indian legal regime on
this subject largely consists of: (a) Compensatory provisions for Data protection for failure
to protect sensitive personal information; and (b) Criminal provisions for disclosure of
personal identity without the data subject’s consent or in breach of contract, trusts, etc.

7
However, both the foresaid provisions apply only in cases of wrongful gain or loss from the
disclosure or breach. Statutory rules on cyber securities in India apply only if the parties
have not agreed to their own security standards. Further, the only consequence of non-
compliance entails the payment of compensation if the breach results in wrongful gain or
wrongful loss.

There have been three recent major changes to the privacy framework in India. First, on 24 th
August 2017 the Supreme Court of India held that the right to privacy is a fundamental right
guaranteed under the Constitution of India. This is a right available to the residents of India
against the arbitrary action of the State. Second, the Ministry of Information Technology
appointed a panel of experts to study India’s data protection framework and suggest a draft
data protection law that will be taken up for consideration by Parliament. The committee
under the chairmanship of Justice B.N. Srikrishna, has submitted a detailed report to the
Government of India in July 2018. Third, the Government of India has published the
Personal Data Protection Bill, 2018. However, the Bill is yet to take the form of a
comprehensive privacy legislation.

Thus, aforesaid steps taken by the Government of India are evident to establish the rational
and significance of the research work.

Statutory Provisions in India

Following is the short introduction of the various laws on the cyber securities and data
protection in India:

Sr. Title of
Year Gist of the Enactment
No. Enactment
Information It is an instrument to address the misuse of e-
1 2000
Technology Act information and subsequent securities, proposed to
 be provided to the e-transactions. It attempts to
define the different aspects of cyber law in the
country.
Under Section 43A of the IT Act, a body corporate
who is possessing, dealing or handling any sensitive
personal data or information, and is negligent in
implementing and maintaining reasonable security
practices resulting in wrongful loss or wrongful
gain to any person, is made liable to pay damages
to the person so affected. It is important to note that
Information there is no upper limit specified for the
2 Technology 2008 compensation that can be claimed by the affected
(Amendment) Act party in such circumstances.

Under Section 72A of the IT Act, disclosure of

information, knowingly and intentionally, without
the consent of the person concerned and in breach
of a lawful contract has been made punishable with
imprisonment for a term extending to three years
and fine extending to INR 5,00,000.
Information
Technology The Rules provide for checks and balances and
(Procedures and procedure to conduct interception. Similarly, the
Safeguards for Information Technology (Procedure and Safeguard
3 2009
Interception, for Monitoring and Collecting Traffic Data or
Monitoring and Information) Rules, 2009 govern the activities of
Decryption of monitoring and collection of traffic data.
Information) Rules
Information The Rules require corporate entities collecting,
4 2011
Technology processing and storing personal data, including

9
 (Reasonable sensitive personal information to comply with
Security Practices certain procedures. It distinguishes both ‘personal
and Procedures and information’ and ‘sensitive personal information’.
Sensitive Personal
Data or
Information) Rules
The Press Note provides that any Indian
outsourcing service provider/organisation providing
‘Press Note’,
services relating to collection, storage, dealing or
issued by the
handling of sensitive personal information or
Ministry of
personal information under contractual obligation
Communications
5 2011 with any legal entity located within or outside India
and Information
is not subject to collection and disclosure of
Technology,
information requirements, including the consent
Government of
requirements, provided that they do not have direct
India
contact with the data subjects (providers of
information) while providing their services.

Apart from the aforesaid special enactments governing the subject, this study deals in detail
with various other laws of India in Chapter III.

Judicial Approach to Right to Privacy in India

The Supreme Court and High Courts have read the right to privacy into the other existing
fundamental rights, i.e., Freedom of Speech and Expression under Article 19(1)(a) and Right
to Life and Personal Liberty under Article 21 of the Constitution of India, though the
 Constitution of India does not expressly provide for right to privacy as a fundamental right.
However, the fundamental rights under the Constitution of India are subject to reasonable
restrictions that may be imposed by the State, as provided under Article 19(2) of the
Constitution.13

In 1963 in the case of Kharak Singh v. State of U.P. the Supreme Court considered the ambit
and scope of this right to privacy right when the power of surveillance conferred on the
police by the provisions of the U.P. Police Regulations were challenged as being violative of
Articles 19(1)(d) and Article 21 of the Constitution. The Court rejected the argument of
infringement of freedom guaranteed under Article 19(1)(d) of the Constitution, held that the
attempt by the police to ascertain the movements of an individual was held not an
infringement of any fundamental right.

In Gobind v State of M.P. the Supreme Court held that Right to Privacy is covered under
Article 21 and can be restricted only in accordance with procedure established by law.

In A. Raja v. P. Srinivasan the Madras High Court granted injunction restraining defendants
from publishing pictures of plaintiff’s wife and children alleging that plaintiff was a corrupt
public official. The Court held it as an invasion on plaintiff’s privacy.

However, in Indu Jain v. Forbes Incorporated 14 the Delhi High Court took a restrictive view
on privacy and held that this right is only available against the State instrumentalities and is
not available against the private parties.

In Shashank Shekhar Mishra v. Ajay Gupta, the Delhi High Court, in the light of Article 21,

13
S. K. Verma, Raman Mittal, Legal Dimensions of Cyberspace, 202 (1st edition, 2004).
14
Indu Jain v. Forbes Incorporated, IA 12993/2006 in CS(OS) 2172/2006 (Delhi High Court, 12.10.2007).
11
restrained the defendant from disclosing any personal or private information of the plaintiff
or his family members on his laptop to anyone else. It was held that even a public authority
has no right to invade the right to one’s privacy except in accordance with the procedure
established by law.

In Peoples Union for Civil Liberties v. Union of India, Constitutional validity of Section 5(2)
of the Telegraph Act, 1885 was challenged in the light of Article 21 and Article 19(1)(a). In
that PIL, incidents of telephone tapping of political persons were the crux of the challenge. It
was held by the Supreme Court that telephone tapping is a form of “technological
eavesdropping”. It was further held that such tapping infringed the right to privacy. Justice
Kuldeep Singh laid down the rule that telephone tapping which amounted to intrusion into
privacy, can be adopted in the gravest of grave situations where national security is
endangered and not otherwise. Right to privacy was held to be a part of right to life under
Article 21.

S.P. Gupta v. President of India, the petitioner, who was a judge of a High Court, had sought
the disclosure of certain correspondence between the Law Minister, Chief Justice of Delhi
and Chief Justice of India, regarding the non-appointment of a judge for a further term and
the transfer of a High Court Judge. It was held by the Supreme Court that non-disclosure of
information can be justifiable only if disclosure would be injurious to the public interest. It
was also held that the injury to the reputation, i.e. the privacy of a public official should not
be a consideration while deciding the justifiability of such disclosure.

The Supreme Court considered the scope and ambit of right to privacy, i.e., the right to be
left alone in R. Rajagopal v. State of T.N. 15 While deciding the right to privacy of a
condemned prisoner, Justice B.P. Jeevan Reddy held that though the right to privacy is not
enumerated as a fundamental right, it can certainly be inferred from Article 21 of the
Constitution. The Court

15
R. Rajagopal v. State of T.N., (1994) 6 SCC 632.
 further held that the right to privacy is implicit in the right to life and liberty under Article 21.
It includes the “right to be left alone”.

By its judgment in Shreya Singhal’s case, the Apex Court recently struck down Section 66A
of the Information Technology Act, 2000 which provided for punishment for sending
offensive messages through communication service. The Section was held to be violative of
Article 19(1)(a) and not saved under Article 19(2).

In the case of Justice K S. Puttaswamy vs Union of India, 16 the Supreme Court passed a
judgment in August 2017, in which fundamental rights, as provided in the Constitution of
India, were interpreted to include the right to privacy. Consequent to this judgment, the
Government of India is under obligation to ensure that its actions do not violate a citizen’s
privacy and that such rights do not get violated as a result of its inaction, which includes
failure to enact suitable legislation.

1.3 Aims and Objectives of the Study

Data protection law in India is currently facing many problems due to absence of proper
legislative framework. There has been a great hike in the number of cybercrimes on a global
scale. The theft and sale of stolen data is happening across the globe where physical
boundaries pose no restriction or in fact seem non-existent.

India, being the largest host of outsourced data processing in the world, has the threat of
becoming the epicentre of cybercrimes. This is mainly due to the absence of any appropriate
legislation. However, the effective solution can only be had from robust legislative
provisions.

16
Supra, Footnote 12.
13
Hence the aims and objectives of this study may be summarised as under:

a. To study the concept of data protection and cyber security.

b. To analyse various Constitutional provisions on the privacy and rights of individuals
and other entities.
c. To study the framework provided by the Information Technology Act, 2000 as well
as Rules framed and Notifications issued by the Government for the protection and
security of data.
d. To comprehend the approach of Indian judiciary towards essential aspects of data
protection.
e. To study the impact of data insecurity, data theft, data loss and other malpractices on
various business areas and thereby demonstrate the need for a robust data protection
framework.
f. To critically appraise the existing data protection mechanism in India vis-a-vis other
nations.
g. To suggest changes in the existing framework for incorporating effective provisions
for protection of data, thereby making India a safer destination for the exchange of
data.

1.4 Statement of Research Problem

There is abundance of exchange of data in India, due to the large number of internet users.
There is an immediate need to frame rules and regulations to protect this data. However, due
to lack of awareness, education, strict legal sanction and effective and efficient redressal
mechanism, there is a constant threat of misuse and violation of privacy.

1.5 Hypotheses

Following Hypotheses are sought to be tested on the basis of the data and information
collected through this research:
 a. Current legal framework in India in respect of data protection is inadequate to cater to
the needs of privacy of persons.
b. Existing judicial framework in India in respect of data protection is insufficient to
address the grievances of parties aggrieved by data protection issues.
c. There is a need for separate legislation in the form of an Act for protection of data in
India.

1.6 Research Methodology

Doctrinal Method of Research

For the purpose of this study, the Researcher has applied doctrinal method, whereby research
is carried out, on the basis of facts and data stored in the library and archives. It involves
analysis of case laws, arranging, ordering and systematizing legal propositions and study of
legal institutions. Thee expressed thought is systematically analysed and various aspects
thereof are taken into consideration.

Doctrinal sources include the primary sources as well as secondary sources. Accordingly, the
data for the work has been collected from primary sources like the legal and regulatory
regimes in India and other nations, with examination of legislations and their enforcement.
Thus, the starting from legislations and statutes, several documents and notifications issued
by authorities dealing with the data protection and privacy laws have been referred in this
research.

On the other hand, the secondary sources include books and research articles published by
various authors, journals, media releases and websites, for the purpose of fulfillment of
present doctrinal research. Further, opinions of commentators and experts on the data
protection laws and privacy laws in India, and reports of Government of India have also been
examined in secondary sources.

In order to make this research more relevant to the existing needs of actual players in the
arena of data protection, the Researcher has adopted the empirical research technique of
‘interview’.

15
 Interactions have been made with several stakeholders like, corporate officials, banks, legal
professionals, police officers, who are actively functioning in the field of data protection. For
the ease of understanding, the Researcher had given interview schedule to the aforesaid
population. Interview schedule is appended herewith at ‘APPENDIX A’. However, since this
research is predominantly a doctrinal research, in this study the Researcher has cumulatively
included the outcome of his interaction with those stakeholders. The genesis of research
methodology is contained in Chapter VI of this research work.

Thus, though this research is majorly doctrinal, it not just an armchair research and includes
actual interaction at ground level with the parties directly involved in data protection.

Following models are used for the purpose of carrying out this research:
Historical Model

Past knowledge is considered to be pre-requisite for present knowledge. Without the

knowledge of the past institutions, it is difficult to understand their true nature at present.
This model is used to trace the origin of some of the institutions such as, regulations and
provisions of laws relating to data protection and privacy in national and international legal
regime, etc.

Descriptive Model

This model is used for collection of data, since mere collection of data does not constitute
research, unless the data are properly interpreted to find the causal connections and relations.
Thus, this method is employed for the interpretation of the data.

Analytical Model

This model is used to critically analyse the existing legal provision adopted, so far, by the
present legal scenario of India and other countries which deals with data protection and
privacy laws and their impact.

Findings
Cyber law, also known as Internet law or digital law, encompasses the legal issues related to
the use of the internet and digital technologies. This area of law addresses various aspects such
as cybercrime, data protection, privacy, intellectual property, and online transactions. Here are
some key findings and developments in cyber law:
1. Data Protection and Privacy:
o GDPR (General Data Protection Regulation): Implemented in the European
Union in 2018, GDPR sets strict guidelines on data protection and privacy,
significantly influencing global data protection laws.
o CCPA (California Consumer Privacy Act): Effective from 2020, this U.S.
state law provides California residents with rights over their personal data,
including the right to know, delete, and opt-out of data sale.
2. Cybercrime:
o Computer Fraud and Abuse Act (CFAA): A U.S. law enacted in 1986, it
addresses various forms of cybercrime including hacking and unauthorized
access to computer systems.
o Budapest Convention on Cybercrime: An international treaty aimed at
addressing cybercrime through harmonization of national laws, improving
investigative techniques, and increasing cooperation among nations.
3. Intellectual Property:
o Digital Millennium Copyright Act (DMCA): A U.S. law that criminalizes the
circumvention of digital rights management (DRM) technologies and protects
copyright owners from digital piracy.
o TRIPS Agreement (Trade-Related Aspects of Intellectual Property Rights):
Administered by the World Trade Organization, it sets down minimum
standards for many forms of intellectual property regulation as applied to
nationals of other WTO members.
4. Online Transactions and E-Commerce:
o Electronic Signatures in Global and National Commerce Act (E-SIGN Act):
A U.S. federal law that facilitates the use of electronic records and signatures in
interstate and foreign commerce by ensuring the validity and legal effect of
contracts entered into electronically.
o UNCITRAL Model Law on Electronic Commerce: Provides a legal
 framework for electronic commerce, encouraging the use of electronic
communications and storage of information.
5. Emerging Issues:
o Artificial Intelligence and Machine Learning: The legal implications of AI,
including issues of liability, transparency, and accountability.
o Blockchain and Cryptocurrencies: Regulatory approaches to blockchain
technology and digital currencies, addressing issues such as fraud, money
laundering, and consumer protection.
o Cybersecurity: Laws and regulations aimed at protecting critical infrastructure,
businesses, and individuals from cyber threats. This includes the NIST
Cybersecurity Framework and the Cybersecurity Information Sharing Act
(CISA).
6. Jurisdiction and Enforcement:
o The borderless nature of the internet poses challenges for jurisdiction and
enforcement. Countries are working towards cooperative agreements and treaties
to handle cross-border cyber issues effectively.
These developments reflect the dynamic and evolving nature of cyber law as it adapts to new
technologies and threats. Understanding these key areas is crucial for navigating the legal
landscape of the digital age.

Legislative Response to Cyber Laws in India

Though privacy is a basic human right recognized all over the world, it is the most flagrantly
violated right of the individual in cyberspace. People enjoy having their own private space
and want to maintain the space. Following are the key aspects of privacy:

a. Privacy is the interest that individuals have in sustaining a ‘personal space’, free from
interference by other people and organizations.17
b. Privacy has multiple dimensions, which include privacy of the physical person,
privacy of personal behaviour, privacy of communications, and privacy of personal

17
Clarke, Roger, Information Privacy on the Internet Cyberspace Invades Personal Space, Available at
http://www.anu.edu.au/people/Roger.Clarke/DV/IPrivacy.htm,
 data. The last two are commonly bundled together as informational privacy.
c. Individuals claim that their data should not be automatically available to other
individuals and organizations. Individuals also reasonably expect that, where their
data is possessed by another party, the individuals must be able to exercise a
substantial degree of control over that data and its use; and
d. Systematic use of personal data systems in the investigation or monitoring of the
actions or communications of one or more persons is called data vigilance.18

It is necessary to view the Indian legal regime from the aforesaid viewpoint. The problems
related to the same are also increasing every day and India is facing a tremendous increase in
cybercrimes, and data theft with the rapid growth of technology and e-commerce in India.
Being the host and the biggest platform of data outsourcing, India requires an effective and
well formulated mechanism for dealing with these malpractices. Data Protection laws may be
defined as the laws which are enacted for safeguarding and protecting the data.19

In this chapter, an endeavour has been made to deal with various laws of India, which play a
vital role in the legal regime governing data privacy and data protection.

3.2 Legislations Governing Cyber Security and Data Protection in India

India has come a long way in its quest for achieving a hassle-free and citizen-oriented legal
framework in the field of information technology. Though there is a need for drastic reforms
in this area of laws, it would be interesting to see the journey and evolution of Indian laws in
the field of information technology and data protection.

a. The Constitution of India

Though the Constitution of India is not a legislation in strict sense of the term, it is the
framework within which all laws made by the legislature of India are required to operate. The
Constitution is thus the cornerstone on which all laws are founded.

Article 21 and Right to Privacy

18
Ibid.

19
Vaibhavi Pandey, Data Protection Laws in India: The Road Ahead, ICCA, Available at
http://www.mondaq.com/india/x/408602/data+protection/DATA+PROTECTION+LAWS+IN+INDIA+THE
+ROAD+AHEAD,
 Though the Constitution of India does not contain a provision granting a general right to
privacy, it has been recognized by the Indian judiciary as implicit in Article 21 20 and Article
19 (1) (a) of the Constitution in many cases.

The scope and ambit of the right of privacy or right to be left alone was considered by the
Supreme Court in R. Rajagopal v. State of T.N.21 during 1994. In this case the right of privacy
of a condemned prisoner was in issue. By interpreting the Constitution in light of case laws
from the United Kingdom and United States, it was held that though the right to privacy was
not enumerated as a fundamental right, it could certainly be inferred from Article 21 of the
Constitution. In another significant case People's Union of Civil Liberties v. the Union of
India,22 it was held by the Supreme Court that tapping a person’s telephone line violated his
right to privacy, unless it was required in the gravest of grave circumstances such as public
emergency.23 Though a detailed account of evolution of Indian judicial perspective on the
right to privacy has been given in Chapter V, this Chapter deals with the provisions contained
in various laws governing this right, including the Constitution, being the mother of all laws
of India.

It is provided under Article 21 of the Constitution of India that “No person shall be deprived
of his life or personal liberty except according to procedure established by law.” However,
‘right to privacy’ is not specifically recognised by the Constitution of India as a fundamental
right. Article 21 of the Constitution guarantees every citizen the fundamental right to life and
personal liberty which has been interpreted by the Indian courts, to include the right to
privacy. This right further extends to data in electronic forms, which is specified by the
Indian courts in the terminology ‘informational privacy.

Hon’ble Supreme Court, in the case of Justice K. S. Puttaswamy (Retd.) v Union of India,
dealt with right to privacy in detail which is popularly known as the ‘Aadhaar card case’. In
this case, the Aadhar card scheme was challenged on the ground that collecting and
20
Article 21- Protection of life and personal liberty, Constitution of India.
21
R. Rajagopal v. State of T.N., (1994) 6 SCC 632.

22
(1997) 1 SCC 318.
23
Shyamkrishna Balganesh and Niranjan Maitra, Cryptography, Privacy and National Security Concerns,
Law Relating to Computers, Internet and E-commerce, 2nd Edn., 2001, p. 377.
compiling the demographic and biometric data of the residents of the country to be used
for various purposes is a breach of the fundamental right to privacy embodied in Article 21
of the Constitution of India. On the backdrop of the ambiguity in prior judicial precedents on
the constitutional status of right to privacy, the Hon’ble Supreme Court referred the matter to
a constitutional bench consisting of nine judges.

In the landmark judgment, the Supreme Court upheld the Constitutional validity of the
Aadhar Act and made it clear that right to privacy is included in article 21 of the
Constitution. Going a step ahead, it was also held by the Supreme Court that informational
privacy is an important facet of right to privacy. This terminology of ‘informational privacy’
necessarily implies the privacy of individual’s information, i.e. data.

Article 19(1) and Right to Privacy

In State of Uttar Pradesh V. Raj Narain, the Supreme Court held that it is not in the interest
of the public to ‘cover with a veil of secrecy the common routine business of the State and it
is the responsibility of the official to explain and the justify their acts. It is the chief safeguard
against oppression and corruption.

The right to impart and receive information is an important and intrinsic facet of the right to
freedom of speech and expression as guaranteed under 19 of the Constitution. Every citizen
of India has a right to use the best means of imparting and receiving information. It is the
duty of the State to respect the fundamental rights of the citizens, and the State is also under
an obligation to ensure conditions under which the right can be meaningfully and effectively
enjoyed by one and all. At the same time, Article 19(2) permits the state to make any law in
the interest of sovereignty and integrity of India, the security of state relations with other
state and thereby impose reasonable restriction on the exercise of rights conferred by Article
19(1) of the Constitution. Thus, the data protection rights have to be tested against principles
of Article 19(2) in a given case and the facts and circumstances of each case will govern the
availability of this right.

Though the right to information is indisputably a fundamental right, it is always subject to the
reasonable restrictions. Right to information is a facet of “right to speech and expression” as
provided in Article 19(1)(a). Right to know has set a transparency and determines
accountability in the working of public department. Implementation of Right to Information
Act, 2005 has led to reduction in corruption in public departments.

3.3 Other Statutes Governing Data Protection and Cyber Security

The primary set of legislations governing data privacy in India are the Information
Technology Act, 2000 (the “IT Act”) and the Information Technology (Reasonable Security
Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the
“Privacy Rules”).

“Sensitive Personal Data or Information” (“SPDI”) Rules is a subset of Indian laws

regulating the processing of personal information. As per SPDI Rules, sensitive personal data
or information comprises of, amongst other things, information relating to passwords,
financial information, medical records, sexual orientation, and biometric information. Non-
sensitive personal information is still an unregulated area in India. Due to the vagueness of
consent under the Indian legal framework, the requirement for consent often creates chances
of implied consent. The applicability of Indian laws is not clear, when it comes to conferring
extra- territorial jurisdiction on the courts of law. For example, if a citizen of India shares his
personal

information with a company in the USA, while he is travelling in the USA, it is questionable
whether the IT Act or the Privacy Rules would apply to such collection of information or the
breach of privacy of such citizen and his personal data.

On this backdrop, it is necessary to deal with the IT Act and the Privacy Rules in detail.

a. Information Technology Act, 2000.

The preamble of the Information Technology Act, 2000 provides its aims and objectives as
under:

“An Act to provide legal recognition for transactions carried out by means of
electronic data interchange and other means of electronic communication,
commonly referred to as electronic commerce, which involve the use of
 alternatives to paper-based methods of communication and storage of
information, to facilitate electronic filing of documents with the Government
agencies and further to amend the Indian Penal Code, the Indian Evidence
Act, 1872, the Banker’s Books Evidence Act, 1891 and the Reserve Bank of
India Act, 1934 and for matters connected therewith or incidental thereto.”

Following are some of the criticisms experienced by the IT Act. This will help to understand
the extent of preparedness of the IT Act to address various cyber issues:

a. It is widely propagated that the IT Act was passed without inviting the detailed views
from the public and without having any discussions regarding its desired purpose. Several
experts are of the opinion that the hurried manner, in which it was passed by the
Parliament of India is one of the main reasons for the inadequacy of this important
legislation. It is also argued by the experts that sufficient time was not given for a
public debate, before enacting this important legislation governing this significant area of law.

b. As seen above, the IT Act, in its preamble and aims states that it intends to give legal
recognition to e-commerce. It is clear that the intent of the legislature while enacting this
Act was not to regulate cybercrime. Curbing the malpractices of cybercrime is also one of
the major needs of time. Thus, the intent of the legislature poses great inadequacies to
effectively deal with cases of cybercrime.
c. It is also widely professed by critics of the IT Act that cyber harassment, cyber stalking
and cyber nuisance are the various types of cyber tort, which are not contemplated in the
IT Act.
d. It is clear that cybercrimes have a universal nature. Due to this cross-border reach and
penetration of cybercrimes, jurisdiction is also one of the debatable issues in the cases of
cybercrimes. The territorial barriers seem to vanish due to the ever-growing arms of
cyber space. Therefore, conventional methods should give way to new methods of
dealing with this menace. The IT Act of 2000 is silent on these issues.
 Government’s Power to Interfere with the Personal and Professional Data

Section 69 of the IT Act provides as under:

“If any person or officer authorized by the Government is satisfied that it is
necessary or expedient so to do in the interest of sovereignty or integrity of India,
defense of India, security of the State, friendly relations with foreign States or
public order or for preventing incitement to the commission of any cognizable
offence relating to above or for investigation of any offence, for reasons to be
recorded in writing, by order, can direct any agency of the Government to
intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted
any information generated, transmitted, received or stored in any

computer resource.”

Thus, Section 69 provides for interception and monitoring as well as decryption for the purpose
of investigation of cybercrimes. This is an absolute intrusion in the privacy of an individual. The
Information Technology (Procedures and Safeguards for Interception, Monitoring and
Decryption of Information) Rules, 2009, have also been notified by the Government of India
under the abovementioned Section 69. These Rules deal with the blocking of websites. These
powers of interception are certainly required to be curtailed by means of defining the ambit and
limit of the intrusion. The limits imposed by the Supreme Court and various High Courts have
been dealt with in Chapter V of this thesis.

Penalty for Damage to Computer, Computer Systems, etc.

Section 43 of the IT Act, imposes a penalty without prescribing any upper limit, for doing any of
the following acts:
“If any person without permission of the owner or any other person who is in charge of a
computer, computer system or computer network;
a. accesses or secures access to such computer, computer system or computer network;
b. downloads, copies or extracts any data, computer database or information from such
computer, computer system or computer network including information or data held or stored
 in any removable storage medium;
c. introduces or causes to be introduced any computer contaminant or computer virus into any
computer, computer system or computer network;
d. damages or causes to be damaged any computer, computer system or computer network,
data, computer data base or any other programmes residing in such computer, computer
system or computer network;

Summary

The Data Protection Bill has imposed several compliance requirements and has proposed a
stringent penalty scheme to act as a deterrent for non-compliance. Hence, the Government of
India must ensure that the final law should meet the adequacy standards as prescribed by
similar legislations of other nations as well as the GDPR, to enable mutual cross border
transfer of data.

The Supreme Court judgement in the Aadhaar Case must also have some impact on the final
form of the Act. Considering that certain provisions of the proposed Act will only take effect
after a period of time, it will allow data fiduciaries to prepare their systems and processes to
ensure compliance.

Despite all the aforesaid shortcomings and despite the requirement of further clarifications on
some provisions, the Researcher is of the view that the Data Protection Bill, 2018 is the most
prominent step towards a comprehensive law on personal data protection in India. It is
beyond doubt that the Bill will play a pivotal role in governing the new era of digital
revolution in India and shall pave a road to India’s becoming a global hub for data exchange.
 BIBLIOGRAPHY

Primary Sources

Indian Laws and Reports

 Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act,
2016.
 Bankers’ Books Evidence Act, 1891.
 Code of Criminal Procedure, 1973.
 Companies Act, 2013.
 Constitution of India.
 Contract Act, 1872.
 Copyright Act, 1957.
 Credit Information Companies Regulation Act, 2005 (CICRA).
 Extradition Act, 1962.
 Indian Evidence Act, 1872.
 Indian Penal Code, 1860.
 Information Technology (Amendment) Act, 2008.
 Information Technology (Reasonable security practices and procedures and sensitive
personal data or information) Rules, 2011.
 Information Technology Act, 2000.
 Personal Data Protection Bill, 2018.
 Prevention of Money Laundering Act, 2002.
 Prevention of Terrorism Act, 2002.
 Right to Information Act, 2005.

International Instruments and Laws

 American Convention on Human Rights, 1969.

 Clean Information Policy of USA.
 Communication Deficiency Act, 1996.
 Computer Fraud and Abuse Act, 1986.
 Data Protection Act, 1998 (USA).
 Data Protection Act, 2018 (UK).
 Data protection Convention 108 of 1981.
 EU Charter of Fundamental Rights.
 European Convention on Human Rights (ECHR), 1949.
 Federal laws of USA.
 General Data Protection Regulation (GDPR).
 International Covenant on Civil and Political Rights, 1966.
 State laws of USA.
 UN Charter on Human Rights, 1945.

Reports/Guidelines
 EC, “Towards a General Policy on the Fight Against Cyber Crime”, Communications from the
Commission to the European Parliament.
 European E-Commerce Directive, 2000.
 Identification and Designation of European Critical Infrastructures and the Assessment of the
need to improve their Protection”, EC: Council Directive 2008/114/EC, of 8 December 2008,
EC, Brussels, Belgium (2008).
 Justice Srikrishna Committee Report.
 Report of the Group of Experts on Privacy (Chaired by Justice A P Shah).

Secondary Sources:

Books

 A.H. Robertson, The Law of International Institution in Europe, p.43, (1963).

 Ayanda and Taiwo. 2006. The Impact of Information Technology on Library Management: A
Marketing Perspective. Advances in Management, 5(1):141-150.
 Broderick, Terry R, Regulation of Information Technology in the European Union, (The
Hague: Kluwer Law International, 2000).
 Burrows, Andrew & Peel, Edwin, Contract Formation and Parties, (New York: Oxford
University Press, 2010).

28