Data Protection: The Legal Framework

Published On: 12th October, 2023

Authored By: Muskaan Verma
University School of Law & Legal Studies, GGSIPU, Dwarka



Privacy has been considered an international human right, as is enumerated under Article 12 of the Universal Declaration of Human Rights[1] and Article 17 of the International Covenant on Civil and Political Rights[2]. India, being a signatory to these international instruments, is under an obligation to protect the privacy of individuals. The several laws, rules, and regulations that make up India’s existing legal framework for privacy and data protection each deal with a distinct facet of data protection.


Data protection refers to the practices, measures, and regulations put in place to safeguard personal and sensitive information from unauthorized access, disclosure, alteration, or destruction. It encompasses a range of principles and processes designed to ensure the privacy, integrity, and security of data.


The fundamental right to privacy is not expressly guaranteed by the Indian Constitution. However, the courts have read the right to privacy into the other existing fundamental rights, i.e., freedom of speech and expression under Art 19(1)(a) and the right to life and personal liberty under Art 21 of the Constitution of India. However, these Fundamental Rights under the Constitution of India are subject to reasonable restrictions given under Art 19(2) of the Constitution that may be imposed by the State. Recently, in the landmark case of Justice K S Puttaswamy (Retd.) & Anr. vs. Union of India and Ors.,[3] the constitution bench of the Hon’ble Supreme Court has held the Right to Privacy as a fundamental right, subject to certain reasonable restrictions.

Indian corporations handle and have access to virtually all types of sensitive information about people throughout the world thanks to the development of the IT and BPO sectors. This includes information about credit cards, finances, and even medical history. These data are kept on electronic media and may be compromised if staff gain access to them, and such data have been taken on numerous occasions. These recent developments in the Indian IT industry have raised concerns over data privacy.

As citizens and customers, people must have the tools necessary to exercise their right to privacy and to safeguard both their personal information and themselves against misuse. This is especially true of our personal information. Protecting our fundamental right to privacy is the goal of data protection. Data protection is the law intended to safeguard your personal information that is gathered, processed, and kept through “automated” means or is intended to be part of a filing system. Data protection laws are crucial in modern societies because they constrain and direct the actions of businesses and governments while also giving us the freedom to control our information and safeguarding us against misuse.

The Information Technology Act, 2000 (IT Act) and the Indian Contract Act, 1872 are currently the data protection legislation in India, and recently the Digital Personal Data Protection Act has been passed by the government, though it will be implemented at a later stage. The Act only applies to digitally stored personal information, and it only covers the processing of personal information outside of India if it is “in connection with an activity related to offering goods or services to data principals within the territory of India.”


The Information Technology Act, 2000, or IT Act, is a piece of legislation that the Indian Parliament proposed and released on October 17, 2000. This Information Technology Act is based on the United Nations Model Law on Electronic Commerce 1996 (UNCITRAL Model) which was suggested by the General Assembly of the United Nations by a resolution dated 30th January 1997. It is India’s most significant law addressing cybercrime and e-commerce.

This law’s primary goal is to facilitate legal and reliable electronic, digital, and online transactions as well as to lessen or eliminate cybercrimes. There are 90 sections and 13 chapters in the IT Act. The last four sections, sections 91 to 94, deal with the revisions to the Indian Penal Code, 1860.

Section 43A of the Act imposes civil liability on a body corporate that, while dealing with sensitive personal data or information, is found to be negligent in implementing reasonable security practices and procedures, where this negligence leads to wrongful loss or gain to any person.

Furthermore, anyone who divulges a person’s personal information to a third party without that person’s authorization is criminally liable under Section 72A. These provisions are to be read with the IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 [SPDI Rules], which define sensitive personal data or information and provide the procedures to be followed by a body corporate for the collection, disclosure, and transfer of information. The Rules further provide what constitutes reasonable security practices and procedures.

The IT Act states that, to be liable, the organization or individual must have been negligent in maintaining ‘reasonable security practices and procedures’. According to the IT Act, “reasonable security practices and procedures” are those that are created to guard against unauthorized access, damage, or modification of data. These security practices can be specified in an agreement between the parties or in any law in force at the time (currently there is no specific data protection law). In the absence of an agreement between the parties or legislation, these acceptable security standards may be imposed by the government or by professional associations recognized by the government.

The IT Act was amended in 2008 to make the owner of an IP address responsible for the content accessed or distributed through it, and it makes corporations responsible for implementing effective data security practices and liable for breaches.

Additionally, there are the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (IT Rules), which outline the data controller’s specific responsibilities, the terms under which personal data must be processed, and India’s data protection laws. In India, data protection regulations also apply to particular industries.


Data security and privacy are currently pressing issues in India due to the country’s significant expansion of its digital population. Every internet user who uses the web leaves digital traces in the form of personal information. This could involve knowingly or unknowingly disclosing a person’s IP address, name, or mobile number, or private and sensitive information like their sexual orientation and medical history. This leaves Internet users more exposed to crimes including financial fraud, identity theft, and invasions of privacy.

The creation of a privacy policy that strikes a balance between Internet users’ privacy and the expanding needs of businesses is the fundamental problem at hand today. Terms of Service and Privacy Statement should be seen as an art form rather than a lengthy document, i.e., a document carefully tailored to the needs of businesses and the general principles of law.


[1] Universal Declaration of Human Rights, 1948, art. 12.

[2] International Covenant on Civil and Political Rights, 1966, art. 17.

[3] (2017) 10 SCC 1

