A passage to India: privacy law and the Indian landscape

India is the world's largest sourcing destination for the information technology (IT) industry. It accounts for approximately 67 per cent of the US$124-130 billion market and employs close to 10 million people.

With a population that includes an influential ‘start-up, millennial’ generation — heavily involved in IT — the question of privacy and cyber-risk stands at the forefront of the Indian landscape.

State of affairs

The Indian courts define ‘privacy’ as “the state of being free from intrusion or disturbance in one’s private life or affairs”.

The laws relating to privacy are not contained in one piece of legislation. They are instead dispersed among various limbs of legislation, relating to:

  • Information technology
  • Intellectual property
  • Criminal action
  • Contractual obligations.

The issue of privacy in India was highlighted by the Unique Identification Authority of India (UIDAI) government programme of 2009. This was the largest biometric identification programme promoted by the government of the day and the biggest any country had ever seen.

The data it collected included:

  • fingerprints;
  • iris scans;
  • demographic data; and
  • photographs

against which a unique number was allotted.

The programme, however, ran into opposition. The government tried to make it mandatory and questioned how the personal information of citizens was susceptible to theft and/or hacking.

The courts finally decided that this identity did not require mandatory enrolment by the citizens. However, many citizens completed the enrolment process.

To the fore

The issue of UIDAI has recently been brought to the forefront. The government has now stated that, if bank accounts were set up between July 2014 and August 2015, the user must link the UIDAI to their bank account. Several other directives have also followed regarding the use of UIDAI for filing taxes etc.

The primary legislation on the topic is The Information Technology Act 2000 (the IT Act). This legislation provides for the right to claim compensation to the affected person in case of wrongful disclosure and misuse of personal data. It also covers violations of contractual terms in respect of personal data aside from its other provisions. The legislation provides for both civil and criminal recourse to the affected parties.

The IT Act should be read in conjunction with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (the IT Rules). These rules provide for the protection of sensitive personal information of individuals. The provisions of the contract may also include obligations on privacy and confidentiality.

The obligations of parties under contract are determined by the company. The overarching framework on contracts in India is included under the Indian Contract Act 1872. Breach of contract in India (including breach of privacy/confidentiality norms included under contract) may invite an action for damages and/or injunction.

Marshall Law

Section 46 of the IT Act provides for the appointment of an adjudicating officer. This individual has the power to hear disputes arising out of offences of a civil nature, as well as criminal offences described under the IT Act.

The adjudicating officer has the power to:

  • Award compensation as damages in a civil remedy
  • Impose penalties for the contravention of the IT Act.

For an aggrieved party, the first appeal court is the Cyber Appellate Tribunal. If a party is aggrieved by the decision of the Cyber Appellate Tribunal, a second appeal may be filed before the High Court having jurisdiction, within 60 days from the date of communication of the order.

Companies, partnerships, associations, sole proprietorships and also professionals may file proceedings under the IT Act or IT Rules, in order to have them adjudicated and damages awarded.

Compensation provisions 

As part of its compensatory provisions, the IT Act provides for compensation where a body corporate is negligent in maintaining and implementing reasonable security practices and this results in loss of data. The legislation sets no ceiling on the compensation that may be given.

The IT Act also states that, where information is disclosed without the permission of the individual concerned, the act may be punishable by imprisonment for up to three years and a fine extending to INR 500 thousand. It also provides that an adjudicating authority should be headed by an individual not below the rank of an officer of the state government.

The matters that may be adjudicated under the Act must not exceed a pecuniary jurisdiction of INR 5 crores. The penalty and compensation to be awarded relate directly to the section under which the complaint is made. An individual who seeks to appeal may do so in accordance with the Act.

With the recent increase in cyber attacks and crime, India’s law on the subject would need several amendments to its current form.

The largest democracy, in its quest to store the personal data of its citizens, would definitely need to have in place a strong and effective defence by way of framework and legislation, when and if the need were to arise.

This article was written by Keanan Nagporwala, Associate of Tuli & Co.

Read other items in the London Market Brief - June 2017