Privacy in India: overview

A Q&A guide to privacy in India.

The Q&A guide gives a high-level overview of privacy rules and principles, including what national laws regulate the right to respect for private and family life and freedom of expression; to whom the rules apply and what privacy rights are granted and imposed. It also covers the jurisdictional scope of the privacy law rules and the remedies available to redress infringement.

To compare answers across multiple jurisdictions, visit the Privacy Country Q&A tool.

This article is part of the global guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-guide.

Contents

Legislation

1. What national laws (if any) regulate the right to respect for private and family life and freedom of expression?

The Constitution of India, under the chapter on fundamental rights, guarantees the right to freedom of expression to the citizens of India. The right to freedom of expression is not absolute and is subject to certain reasonable restrictions, including in relation to:

  • Sovereignty and integrity of India.

  • Security of the state.

  • Friendly relations with foreign states.

  • Public order.

  • Decency or morality.

  • Contempt of court, defamation or incitement to an offence.

A remedy in form of a writ is available in the case of a breach of a fundamental right.

Article 21 of the Constitution of India also protects the life and personal liberty of persons in India. Indian courts have recognised that the right to privacy is part of the right to life and personal liberty, but the law is not well settled. A constitutional bench of the Supreme Court of India is expected to decide shortly on whether the right to privacy is guaranteed as a fundamental right under the Constitution of India.

Under section 43A of the Information Technology Act 2000 (IT Act), any person that is negligent in using reasonable security practices and procedures (RSPPs) in protecting sensitive personal data or information is liable to pay compensation for any wrongful loss or wrongful gain.

A service provider that discloses personal information without the consent of the data subject or in breach of an agreement with such subject, and with the intention to, or knowing that it is likely to cause wrongful gain or wrongful loss, faces three years' imprisonment or a fine of up to INR500,000, or both (section 72A, IT Act).

There are obligations of confidentiality under various laws relating to banking, telecommunications, healthcare and securities. Transfer of data under an outsourcing arrangement is restricted by banking laws. Transfer of customer accounting and user information, and remote access to such information from overseas, are prohibited under telecommunications laws.

 
2. Who can commence proceedings to protect privacy?

Any person who is affected by a violation of sections 43A and 72A of the Information Technology Act 2000 can commence proceedings to protect his privacy (see Question 1).

 
3. What privacy rights are granted and imposed?

The privacy rights granted protect personal information from unauthorised disclosure, disclosure in breach of contract, or negligence in using reasonable security practices and procedures in protecting such information.

Section 43 of the Information Technology Act 2000 (IT Act) (see Question 1) applies to the use of sensitive personal data or information (SPDI). SPDI refers to:

  • Passwords.

  • Financial information, such as bank account or credit card details.

  • Physical, physiological and mental health condition.

  • Sexual orientation.

  • Medical records and history.

  • Biometric information.

Section 72A of the IT Act (see Question 1) applies to all personal information. Personal information is any information that relates to a natural person which, either directly or indirectly, in combination with other information available or likely to be available to a body corporate, is capable of identifying such a person (Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011).

 
4. What is the jurisdictional scope of the privacy law rules?

The Information Technology Act 2000 (IT Act) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (IT Rules) apply to India. This means that the data of subjects located outside India that are processed in India are not covered by privacy law rules. The transfer of sensitive personal data or information outside of India is only permitted if the recipient agrees to ensure the same level of data protection as under the IT Rules.

 
5. What remedies are available to redress the infringement of those privacy rights?

In the case of failure to use reasonable security practices and procedures, the remedy is compensation. No maximum amount of compensation has been prescribed.

Disclosure of personal information without consent or in breach of a contract is punished by up to three years' imprisonment or a fine of up to INR500,000 or both.

 
6. Are there any other ways in which privacy rights can be enforced?

It is possible to file a civil action for damages under the common remedy of confidentiality. It is also possible to file a complaint under the Penal Code for breach of trust, although the law is not well developed on this issue.

 

Contributor profiles

Stephen Mathias, Partner

Kochhar & Co

T +91 80 4030 8000
F +91 80 4112 4998
E stephen.mathias@bgl.kochhar.com
W kochhar.com

Professional qualifications. India, Lawyer

Areas of practice. Corporate; mergers and acquisitions; venture capital; technology and telecommunications.

Non-professional qualifications. BA, LLB (Hons), National Law School of India University

Recent transactions. The firm's technology law practice is the first of its kind in India, and largely represents multinational technology companies doing business in India. Its practice includes areas such as licensing, outsourcing, intellectual property, e-commerce, privacy and telecommunications. In the last five years, the firm has handled over 100 privacy assignments relating to compliance with India's privacy laws.

Languages. English, Hindi

Professional associations/memberships. International Technology Law Association; International Association of Privacy Professionals.

Naqeeb Ahmed Kazia, Associate

Kochhar & Co

T +91 80 4030 8000
F +91 80 4112 4998
E naqeeb.ahmed@bgl.kochhar.com
W kochhar.com

Professional qualifications. India, Lawyer

Areas of practice. Corporate; mergers and acquisitions; venture capital; technology and telecommunications.

Non-professional qualifications. BBA, LLB (Hons), School of Law, Christ University

Recent transactions. The firm's technology law practice is the first of its kind in India, and largely represents multinational technology companies doing business in India. Its practice includes areas such as licensing, outsourcing, intellectual property, e-commerce, privacy and telecommunications. In the last five years, the firm has handled over 100 privacy assignments relating to compliance with India's privacy laws.

Languages. English, Hindi, Kannada, Urdu

Professional associations/memberships. International Technology Law Association; International Association of Privacy Professionals.


{ "siteName" : "PLC", "objType" : "PLC_Doc_C", "objID" : "1248292490861", "objName" : "Privacy in India overview", "userID" : "2", "objUrl" : "http://us.practicallaw.com/cs/Satellite/us/resource/2-621-3693?null", "pageType" : "Resource", "academicUserID" : "", "contentAccessed" : "true", "analyticsPermCookie" : "2-605a14e:15b15f9ebbb:1c0e", "analyticsSessionCookie" : "2-605a14e:15b15f9ebbb:1c0f", "statisticSensorPath" : "http://analytics.practicallaw.com/sensor/statistic" }