Jul 30, 2019 | 20 min read

Data Privacy Laws In India by Advocate Dr. Gubbi Subba Rao

Author - Advocate Dr. Gubbi Subba Rao and Associate Aliza Abdin


Data privacy laws are the set of laws that forbid the use of a person’s data without that person’s consent or permission. The data may include any kind of information about a private individual that, if it fell into the wrong hands, could be misused. To keep a check on the misuse of personal information, data privacy laws were introduced in various countries. Almost 80 countries worldwide have an adequate data privacy framework to stop the misuse of confidential and sensitive personal information.

These laws are based on the “Fair Information Practice” that was developed by the USA in the 1970s. All data privacy laws share some basic norms, which usually include the following:

  1. All data collected by an organization or government must have a specific purpose, and that purpose has to be shown.

  2. Any information collected or received by an organization cannot be misused, or given for reuse to another organization or person, without the approval of the law or of the person in question.

  3. Any information collected for a specific reason cannot be used for any other reason without the prior consent of the person in question.

  4. Any information collected or received cannot be tampered with in any way.

  5. All information collected should be accurate and up to date; if any wrong information is released about a person, it is a crime in the eyes of the law.

  6. Data collected should be deleted when it is not in use.


The first law on data privacy in India was the Information Technology Act, 2000, popularly known as the IT Act. It came into force on 17th October, 2000, and at that time it was the only act related to information/data. It did not include many provisions for the protection and preservation of information, and it lacked the rules and regulations needed to ensure the safety and security of an individual’s confidential information; hence new amendments were required to ensure law and order.

And after various amendments, the Information Technology (Amendment) Act, 2008 was passed which introduced Section 43A in the IT Act:  

  1. “These 2011 Rules only apply to body corporates and persons located in India. Section 43A of the IT Act explicitly provides that whenever a corporate body possesses or deals with any sensitive personal data or information, and is negligent in maintaining a reasonable security to protect such data or information, which thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages to the person(s) so affected.

  2. A list of items has been provided which are to be treated as “sensitive personal data” which include passwords, biometric information, sexual orientation, medical records and history, credit/debit card information, etc. but any information which is freely available or accessible in the public domain is not considered to be sensitive personal data.

  3. Any body corporate seeking such sensitive personal data must draft a privacy policy which has to be published on the website of the body corporate, containing details of information being collected and the purpose for its use.

  4. The body corporate must establish reasonable security practices for maintenance of confidentiality of such data; obtain consents from persons for collecting such sensitive personal data for lawful and necessary purpose.

  5. The purpose must be clear and information used only for such consent as given and data to be retained only till such time as needed.

  6. The 2011 Rules also provide Grievance Office who shall be responsible to address grievances of information providers within 1 month for resolution of such Grievances. Body corporates must have an audit of the reasonable security practices and procedures implemented by it by an auditor at least once a year or as and when the body corporate or a person on its behalf undertakes significant upgradation of its process and computer resources.

  7. The punishment for disclosure of information in breach of lawful contract and imprisonment under the IT Act may be for a term not exceeding three years, or with a fine which may be Indian Rupees 5 million or with both.”



The Data Protection Bill 2018 is a data privacy law which was first drafted in 2010 and is yet to be enacted. After several changes to the first draft, the bill was expected to be put before Parliament in June 2019, after the much-awaited Lok Sabha elections; it has already been sent to the Ministry of Law for comments.

After the landmark judgment of the Supreme Court in “Justice Puttaswamy v. Union of India”, which stated that privacy is a fundamental right though not always absolute, a need for better and more stringent laws arose, and that is why the Data Protection Bill 2018 is important for the use and regulation of data privacy in India.

It aims to make the individual’s permission authoritative, so that data sharing without consent is stopped. The bill states that the right to privacy is a fundamental right and that no one should dare to unlawfully misuse, collect or share any private sensitive information in any way.

The main objective of the bill is to stop the flow of information from India to other countries, which invited criminal activities. It has many stricter rules, regulations and punishments for those caught in such activities. This bill is very important for safeguarding the interests of Indian citizens and keeping their information safe and out of the wrong hands.


Since India is technologically advanced but inhabited by illiterate and unaware citizens, there is an urgent need for proper data privacy laws. Stricter laws are required to stop the flow of information about Indian citizens to foreign lands. A recent incident of this kind (the transfer of data of 5 lakh Indian Facebook users to Cambridge Analytica) shook the core of data privacy laws in India and called for a better and more advanced act.

The Personal Data Protection Bill 2018 in India follows the application of the GDPR and has also taken cues from the legal frameworks of other countries; hence it is exactly what India needs right now. “Under Srikrishna Committee’s draft, the ‘right to be forgotten’, is defined differently — right to restrict or prevent continuing disclosure of personal data. The process of justifying why the consumer does not want to continue giving consent is also long-winded.”

Personal data has emerged as the only obstruction to the growth of information technology, and hence many steps are being taken to protect it and to eliminate the crimes taking place.


Dr Gubbi Subba Rao

We assist individuals, family and corporates in Indian & International disputes in legal matters, international arbitration and litigation before appropriate courts globally. We handle disputes under different jurisdiction courts globally. Membership: BAR ASSOCIATIONS IN EUROPEAN COUNTRIES, UAE, FAR EAST, etc. Appearances: INDIA, ASIA, UK, UAE, EUROPE, FAR EAST. Property Litigation, Company Laws & All Corporate Laws, Industrial & Labour Laws, Indirect Taxation-inclusive of Central Excise & Customs.