Data protection laws

Privacy and Data Protection Laws in India – Part III

Further to our Part II, this Part seeks to outline the key provisions under other extant regulations in India that seek to address the issue of data protection and the individual’s right to privacy.

Protection under other regulations

Apart from the Act, there are several laws that address the issue of data protection and the individual’s right to privacy, and which prescribe severe punishments in case of contravention of their provisions by any person.

Provisions relating to individual’s right to privacy

The Indian Penal Code, 1860

  1. Section 228A (1) of the Indian Penal Code, 1860, prescribes that it is a punishable offence to print or publish the name or any matter which may make known the identity of a person against whom an offence under Sections 376 (punishment for rape), 376A (punishment for causing death or resulting in persistent vegetative state of victim), 376B (sexual intercourse by husband upon his wife during separation), 376C (sexual intercourse by a person in authority), 376D (gang rape) and 376E (punishment for repeat offenders) has been committed.
  2. Section 354C of the Indian Penal Code, 1860 prescribes that ‘Voyeurism’ (any man who watches, or captures the image of, a woman engaging in a private act in circumstances where she would usually have the expectation of not being observed either by the perpetrator or by any other person at the behest of the perpetrator, or disseminates such image) is a punishable offence.
  3. Section 354D of the Indian Penal Code, 1860 prescribes that ‘Stalking’ (any man who follows a woman and contacts, or attempts to contact, such woman to foster personal interaction repeatedly despite a clear indication of disinterest by such woman; or monitors the use by a woman of the internet, email or any other form of electronic communication) is a punishable offence.

The Juvenile Justice (Care and Protection of Children) Act, 2015

Section 74 (1) of the Juvenile Justice (Care and Protection of Children) Act, 2015 prescribes that reporting in any newspaper, magazine, news-sheet or audio-visual media or other forms of communication regarding any inquiry or investigation or judicial procedure, that may disclose the name, address or school or any other particular, which may lead to the identification of a child in conflict with law or a child in need of care and protection or a child victim or witness of a crime, involved in such matter, under any other law for the time being in force and publishing of picture of such child is a punishable offence.

The Protection of Children from Sexual Offences Act, 2012

Section 23 of the Protection of Children from Sexual Offences Act, 2012 prescribes that making a report or presenting comments on any child from any form of media or studio or photographic facilities without having complete and authentic information, which may have the effect of lowering his reputation or infringing upon his privacy, is a punishable offence. Further, it also prescribes that reports in any media disclosing the identity of a child, including his name, address, photograph, family details, school, neighbourhood or any other particulars which may lead to disclosure of the identity of the child, are also a punishable offence.

The Credit Information Companies (Regulation) Act, 2006

The Credit Information Companies (Regulation) Act, 2006 provides that credit information relating to individuals should be collected as per the privacy principles laid down in the said Act. If there is any leakage of the data, the entities responsible for collecting and maintaining the data will be held liable.

Provisions relating to individual’s right to data protection

The Indian Penal Code, 1860

  1. Sections 378 (theft), 380 (theft in dwelling house, etc.) and 381 (theft by clerk or servant of property in possession of master) of the Indian Penal Code, 1860 prescribe that ‘theft’ (whoever, intending to take dishonestly any moveable property out of the possession of any person without that person’s consent, moves that property in order to such taking, is said to commit theft) is a punishable offence.
  2. Sections 403 and 404 of the Indian Penal Code, 1860 respectively prescribe that ‘Dishonest misappropriation of property’ and ‘Dishonest misappropriation of property possessed by deceased person at the time of his death’ are punishable offences.
  3. Sections 405, 407, 408 and 409 of the Indian Penal Code, 1860 respectively prescribe that ‘Criminal breach of trust’, ‘Criminal breach of trust by carrier, etc.’, ‘Criminal breach of trust by clerk or servant’ and ‘Criminal breach of trust by public servant or by banker, merchant or agent’ are punishable offences.
  4. Sections 411, 413, 414, 415, 416, 418, 420, 424 and 425 of the Indian Penal Code, 1860 respectively prescribe that ‘Dishonestly receiving stolen property’, ‘Habitually dealing in stolen property’, ‘Assisting in concealment of stolen property’, ‘Cheating’, ‘Cheating by personation’, ‘Cheating with knowledge that wrongful loss may ensue to person whose interest offender is bound to protect’, ‘Cheating and dishonestly inducing delivery of property’, ‘Dishonest or fraudulent removal or concealment of property’ and ‘Mischief’ are punishable offences.

To Conclude

Considering the omnipresent nature of electronic data, it is important that data protection and privacy laws are in line with international standards. Various international guidelines or frameworks in respect of the law relating to privacy, such as the OECD Privacy Guidelines, the EU Data Protection Directives and the APEC Privacy Framework, mandate the following requirements in general for the purpose of privacy protection:

  1. Accountability – Organization’s accountability towards personal information that is collected.
  2. Notice – Notice in clear language to be given for collection of information, policy and notification.
  3. Choice and Consent – Choice and consent to be taken from the provider of the information for collection and use of the personal information.
  4. Collection Limitation – Restricting the collection of the personal information only for the purpose for which it is collected.
  5. Use Limitation – Restricting the use of the personal information for the stated purpose only.
  6. Disclosures – Terms on which the personal information is disclosed to third parties and/or any other reason for such disclosure.
  7. Access and Correction – Provider of the information’s access to his information and right to update or correct his information.
  8. Security/Safeguards – To prevent loss, misuse, unauthorized access of the personal information collected.
  9. Data Quality – To ensure that the information collected is accurate, complete and up-to-date.
  10. Enforcement – To assure adherence to policies and resolution of complaints.
  11. Openness – Policies should be clearly published and available.

It is evident from the above that, although the current legal framework in India still needs to evolve to ensure harmony with international standards, especially when it comes to accountability, data quality and enforcement of data protection, the provisions of the Act and the rules made thereunder address data protection and privacy concerns to a considerable extent.

The A. P. Shah Committee was also of the view that a comprehensive legislation be enacted for right to privacy, wherein data protection would constitute a part of the legislation. The Committee, in its report, opined that “In India, there exist at least 50 laws, rules, regulations and executive orders that articulate privacy principles, practices, and related offences for different verticals such as finance, health, e-governance, telecommunication etc. The Privacy Act will be used to harmonize, but not homogenize these different policy documents to ensure that there is consistency, and compliance with the defined National Privacy Principles.”

It is amply clear that the Act and the rules made thereunder do not protect the privacy of the information and/or data by a body corporate, but are more along the lines of deterring breach of privacy by extending protection where such a breach occurs. Regrettably, even today there is no protection against breach of privacy by individuals.

The need for a comprehensive legislation to address the right to privacy and privacy protection cannot be underestimated.

– Megha Manjunatha

[This is the last of a series of 3 posts that seek to consolidate the extant regulations in India addressing the issue of data protection and the individual’s right to privacy.]