Data Protection Regime in India – Challenges and Way Forward

data protection regime in India


With the rise in the use of Internet facilities and India trying to become a digital nation promoting digitization at all levels, the need for data protection has become an important issue. The Indian IT sector has a major contribution to the Indian economy and they provide services to a large number of people all over the world. With the rise of the telecom sector in India and the number of people using it, it has become evident that data protection has to be considered a necessity in India.

.data protection regime in India

What is data protection?

Data protection is the protection of any kind of data from potential misuse and securing it from unauthorized use. These are the practices, binding rules, and safeguards put in place to protect data from any kind of corruption and to regulate the collection, usage, transfer, and disclosure of data.

Most probable and repeated topics of upsc prelims

What is the need for data protection?

As per the latest reports, a majority of Indians become victims of cybercrimes every day in India. With a large number of Internet users in India, India is well on the path of becoming a digital economy attracting a large number of global players. The use of the Internet at a large scale has led to the collection, organization, and processing of a large scale of data directly or indirectly. This data collected can be used, edited, altered, and shared across the globe. The data can also be used to exploit people for personal gains. Till today, India has no particular law dedicated to deal with data protection in India. It has been noticed that a large number of countries have framed their data protection guidelines and legislations to secure the data of their citizens. Given such situational demands, Indians also need to have a data protection law to keep their data secure in the hands of those who are collecting it.

The Indian data protection regime

  • The Constitution of India by Article 21 guarantees the right to life and personal liberty of individuals. Article 21 is a fundamental right in the Constitution of India. The Supreme Court of India in 2017, in the decision of Justice K.S Puttaswamy and Anr versus the Union of India and Ors, held that the right to privacy forms an integral part of the constitution and Article 21 forms its source. However, the protection under Article 21 is not absolute and is subject to certain restrictions.
  • The Universal Declaration of Human rights (UDHR) through its Article 12(4) statutorily recognized privacy as an important part of an individual’s life. India is a signatory of the Universal Declaration of Human Rights(UDHR).
  • The relationship between privacy and data protection is of interdependence.
  • Although India has no specific data protection legislation in place, the existing framework dealing with data protection in India includes the Information Technology Act,2000 which has been amended in 2008(herein referred to as the “IT Act”) to deal with data protection in India. The amendments include Section 43A and Section 72A which give the right to compensation for improper disclosure of personal information.
  • In 2011, the Central Government issued the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, known as “the Rules” under section 43A act of the IT Act to impose additional requirements on commercial and business entities in India connected to the collection and disclosure of sensitive personal data or information in India.
  • The IT Rules issued under the IT Act have prescribed a minimum standard for privacy and collection, disclosure, and transfer of information and reasonable security practices and procedures.
  • Entities in regulated sectors like financial and telecom sectors are governed by sectoral laws and are subject to obligations of maintaining the confidentiality of the customers’ personal data and information and to use them only in manners agreed with the customers.
  • However, these rules were not comprehensive and capable enough to deal with all privacy dimensions as India is moving forward as a digital economy.
  • The Government of India in 2017 appointed a committee of experts chaired by Justice B.N Srikrishna to study the various aspects related to data protection in India. Some of the recommendations of this committee are as follows:-
  1. The committee recommended that the processing of data i.e, collection, recording, analysis, and disclosure should be done only for “clear, specific and lawful purposes” and only data that is necessary should be collected.
  2. The committee suggested that data may be processed by the government if it is considered necessary for any function of Parliament or State Legislature. It allows the processing of data for preventing offense and ‘contravention of law’.
  3. The committee recommended giving the ‘right to be forgotten’ to those whose data is being processed.
  4. It also recommended that the copy of all personal data be stored in India and critical personal data can only be stored in Indian servers. It was also recommended that the cross-border transfer of data should be subject to model contract clauses.
  5. The committee recommended that the processing of sensitive personal data (e.g. passwords, financial data, biometric data, sexual orientation, etc) should be done only when explicit consent is given by those whose data is being processed.
  6. The committee recommended the setting up of a Data Protection Authority, which would act as a regulatory body to oversee and enforce data protection rights and shall have the power to make inquiries and take action against data processors.
  7. It also suggested recommendations to amend the Aadhar Act, 2016 in order to ensure the autonomy of the Unique Identification Authority of India(UIDAI) and “bolster data protection”.
  8. The committee also recommended amendments to the RTI Act that pertains to the disclosure of information in the larger public interest.
  • Following the recommendations, the Government of India came up with the Personal Data Protection Bill, 2019. The Bill is mainly based on the principles of the General Data Protection Regulations (GDPR), 2016 of the European Union(EU). The following are the important provisions of the Bill;-
  1. The Bill proposes to hinder any data breach by data processors or intermediaries by making data breach notification mandatory. In addition, the Bill proposes punishment for those committing data breaches in the form of a fine or imprisonment.
  2. The previous rules did not cover ‘geolocation information’ under the ‘sensitive personal data’ subject. The Bill proposes to include ‘geolocation information’ under this subject.
  3. The Bill endeavors to include the ‘right to be forgotten’ as an important criterion that would enable individuals to delink, delete or correct any information about them which can be misleading, embarrassing, and irrelevant.

Challenges to data protection in India

  • Lack of infrastructural facilities.
  • Obsolete laws make it difficult to protect the privacy of those whose data is being processed.
  • Difficulty in the classification of data under various heads. For e.g, it will be difficult to differentiate between personal data, sensitive personal data, and critical personal data.
  • There is a tussle between the right to privacy and the right of the governments at various levels to access such data when required for various purposes.
  • Data protection laws may hamper the growth of the digital economy in India.

Way forward

The importance of data processing in the present context cannot be negated but the concerns regarding the right to privacy and other issues have also serious grounds. Thus, there is a need to eliminate obsolete laws and use innovative measures to strike a balance between privacy, national security, and data protection. There is an urgent need for stricter laws to deal with data misuse. Regulatory measures can also be put in place to check the manner in which data is collected and processed. Data is considered to be the new currency. In such a situation where India is striving to be a digital economy, it is important that laws are regularly updated and new laws are put in place with the change in data collection and processing methods. Security and information-sharing need to be in perfect balance with each other.

Practise question

  1. Comment on the present data protection regime in India, the challenges it faces, and suggest some measures to ensure data protection in India.
Notify of
Inline Feedbacks
View all comments
Would love your thoughts, please comment.x