In a landmark judgement in Indian history, the Supreme Court unanimously ruled that the Right to Privacy is a fundamental right of every Indian citizen. Further, Justice Manohar Sapre said, “In my considered opinion, right to privacy of any individual is essentially a natural right, which every human being inherits by birth. Such right remains with the human being till their last breath. It is indeed inseparable and inalienable from human being and extinguishes with human being”.
Globalization has given wider acceptance to cyber technology in the world. The lockdown due to the pandemic has given importance to work from home throughout the world. Also, because of e-commerce, e-learning and e-courts, day-to-day life runs very smoothly. Any discussion of data privacy laws should focus on basic human rights and the fundamental right to privacy. It also relates to the Right to Life and Personal Liberty. Hence most citizens are concerned about their data privacy: how their data is going to be collected, and also how it is stored, accessed, handled and disposed of. In the present netizen’s world, there are two different and extreme views:
- One school believes in the protection of the privacy of an individual in the real world, and
- The other school believes that there is no privacy once citizens enter the internet world, i.e., the web world. This puts a question mark on one’s own personal existence and privacy even within one’s own territory, within one’s room and its four walls.
Right to Privacy in India:
Above all the traditional Indian legal philosophy, the KS Puttaswamy case stated that ‘privacy’ is a very basic need of every citizen and that every citizen must be aware of that. The court recognized that it is an absolute and natural right of every citizen and upheld the view that privacy is a naturally accompanying right of the citizen to exercise control over his or her personality. The judgement also concludes that privacy is a necessary condition for the meaningful exercise of other guaranteed freedoms.
While delivering his judgement in the KS Puttaswamy case, Justice Chandrachud referred to John Stuart Mill’s essay ‘On Liberty’. He quoted: “The only part of the conduct of any one, for which he is amenable to society, is that which concerns others. In the part which merely concerns himself, his independence is, of right, absolute. Over himself, over his own body and mind, the individual is sovereign.” While speaking of the “struggle between liberty and authority”, the cruel actions of the majority could be reined in by the recognition of civil rights such as the individual right to privacy, free speech, assembly and expression.
In S R Bommai v. Union of India, the Supreme Court stated that the provisions of an international covenant which explain and put into force the fundamental rights guaranteed by our Constitution can clearly be relied upon by courts. In view of our international commitment, these privacy rights are composed of two aspects:
- recognition of right to privacy and
- right to protection of data and information relating to every single citizen to safeguard right to privacy.
Hence the ‘right to privacy’ is recognized by the judiciary the world over as the most fundamental right for the existence of a human being.
Legal Framework in India:
In India, specific provisions have been introduced for the protection of data privacy, such as the Information Technology Act, 2000 (the IT Act) and the Information Technology Rules, 2011 (Reasonable Security Practices and Procedures and Sensitive Personal Data and Information), known as the SPDI Rules. The SPDI Rules (Rule 3 of the IT Rules, 2011) together with the IT Act can be considered “Data Protection Laws”. Under the Information Technology Act, there exist some remedies and penalties against the data processing entity for a data breach. Data breaches from computer systems, including payment of compensation and punishment in case of wrongful disclosure and misuse of personal data, are governed by the Information Technology Act, 2000, specifically Sections 43-A and 72-A therein.
Provisions of the Indian Penal Code could also be used to deal with cyber crimes which affect privacy. Liability will be fixed on the basis of general principles of criminal law. If the prosecution (the party conducting legal proceedings against someone in a lawsuit) fails to demonstrate or prove the commission of an offence, then there is no wiggle room for privacy protection under criminal law.
So, there is a void in the legislative framework when it comes to the protection of privacy rights in cyber space.
To protect the privacy of individuals in compliance with the international covenant, a new legislative measure named the “Data Protection Bill, 2019” was introduced in the Lok Sabha on 11th of December, 2019. It provides protection for the personal data of individuals and establishes the Data Protection Authority for the same, holding the perfect balance between individual interests and the legitimate concerns of the state.
What comes under the Data Protection Bill, 2019?
The Personal Data Protection Bill, 2019 (PDPB) was introduced in the Lok Sabha by the Ministry of Electronics and Information Technology on December 11, 2019. The Bill regulates personal data related to individuals, and the processing, collection and storage of such data. Under the Bill, a data principal is an individual whose personal data is being processed. The Bill governs the processing of personal data by both the government and companies incorporated in India. The entity or individual who decides the means and purposes of data processing is known as the “data fiduciary”. The Bill also governs foreign companies, if they deal with the personal data of individuals in India.
- Applicability: The Bill governs the processing of personal data by:
  - Companies incorporated in India,
  - Foreign companies dealing with personal data of individuals in India.
The Bill categorises certain personal data as sensitive data. This includes biometric data, financial data, caste, religious or political beliefs or any other category of data specified by the government, in consultation with the Authority and the concerned sectoral regulator.
- Obligations of the data fiduciary: A data fiduciary is an entity or individual who decides the means and purpose of processing personal data. Such processing will be subject to certain purpose, collection and storage limitations.
- Rights of the individual: The individual has the right to:
  - Obtain confirmation from the fiduciary on whether their personal data has been processed.
  - Have personal data transferred to any other data fiduciary in certain circumstances.
  - Seek correction of inaccurate, incomplete, or out-of-date personal data, and
  - Restrict continuing disclosure of their personal data by a fiduciary, if the consent is withdrawn or if it is no longer necessary.
- Processing personal data without consent: Under the Bill, fiduciaries may process data only if consent is provided by the individual. There are certain exceptions, such as when processing is:
  - Required by the State for providing benefits to the individual,
  - Needed to respond to a material emergency,
  - Necessary for reasonable purposes such as prevention of fraud, mergers and acquisitions, recovery of debt etc.
- Data Protection Authority: This authority protects the interests of individuals, prevents misuse of personal data, ensures compliance with the Bill and promotes awareness about data protection. Orders of the Authority can be appealed to an Appellate Tribunal. Appeals against the orders of the Tribunal can be filed at the Supreme Court.
- Restriction on the transfer of data outside India: Sensitive personal data may be transferred outside India for processing if explicit consent is given by the individual, subject to certain additional conditions. However, such sensitive personal data should continue to be stored in India. Certain personal data notified as critical personal data by the government can only be processed in India.
- Exemptions: The Central Government can exempt any of its agencies from the provisions of the Act:
  - in the interest of security of the state, public order, sovereignty and integrity of India and friendly relations with foreign states, and
  - for preventing incitement to the commission of any cognizable offence (i.e. arrest without warrant) relating to the above matters.

  Processing of personal data is also exempted from the provisions of the Bill for certain other purposes such as:
  - prevention, investigation, or prosecution of any offence, or
  - personal, domestic, or
  - journalistic purposes.

  However, such processing must be for a specific, clear and lawful purpose, with certain security safeguards.
- Penalties and Compensation:
  - Failure of the data fiduciary to fulfill its obligations for data protection may be punishable with a penalty which may extend to Rs. 5 crores or 2% of its total worldwide turnover of the preceding financial year, whichever is higher.
  - Processing data in violation of the provisions of the PDPB is punishable with a fine of Rs. 15 crores or 4% of the annual turnover of the data fiduciary, whichever is higher.
  - Re-identification and processing of de-identified personal data without consent is punishable with imprisonment of up to three years, or fine, or both.
Breach of Data:
- A data breach exposes confidential, sensitive, or protected information to an unauthorized person.
- A breach can have severe impacts: private persons become vulnerable to identity theft, and companies that fail to protect the personal data of individuals can suffer severe financial damage as well as damage to their reputation, which has consequences for their relationships with investors, customers and the public.
- Personal data is not just about your name, email address, password or birth date. By and large, a person visits hundreds of websites every year and makes use of various digital services to meet everyday needs. In doing so an individual provides a lot of personal information affecting most aspects of life, from messages sent over social media to online shopping receipts, credit card statements, and personal associations. All of this data is very sensitive and can have very serious consequences for everything from your ability to board an airplane or get a driver’s license or a new job to how other people think of you.
- Some things are private, yet we are still required to share them to participate fully in the digital society we live in today. This is why it’s so important for individuals to have control over what data is collected and how it’s used by companies.
Privacy Concerns for Employers in the Pandemic:
After the WHO declared the COVID-19 novel coronavirus outbreak in March, employers started taking a wide range of actions to deal with this extraordinary situation. Even now, employers are taking extra care to protect the privacy of the data of their employees, client contacts and business contacts in order to alleviate the risk and ensure smooth continuity of business in such a tough and challenging time. Companies are using certain methods to control the spread of COVID-19, such as:
- Temperature recording and physical screening.
- Collecting travel history and all the related information from visitors, clients and business contacts.
- Self-declaration from the employees about their medical condition.
While the current situation poses a risk to doing business, it is important to maintain compliance with data protection laws. Doing so will keep business relations unaffected even during such a bad spell.
Privacy Concerns for Location Tracking Applications:
The WHO has considered testing, isolation and contact-tracing methods to fight against the virus. So countries are taking the help of technology to control the spread of this deadly virus. India also launched smartphone applications with different functionalities aimed at fighting the coronavirus. Just after the launch of these applications, a debate started over privacy concerns relating to the misuse of the data collected by the applications.
- Aarogya Setu application: This application was launched by the Government of India on 2nd of April, 2020. Its main task is to track the location of an infected person and notify the other users of the same application. The Data Protection Laws only provide a basic framework on data protection. In the landmark case of KS Puttaswamy and Anr. v. Union of India and Ors., the Supreme Court of India observed that if the state preserves the anonymity of an individual, it could legitimately assert a valid state interest in the preservation of public health to design appropriate policy interventions on the basis of the data available to it. It is mandatory for a user of the Aarogya Setu application to keep GPS and Bluetooth tracking always “ON”, and this alone has been criticized since the launch of the application, as it could violate its users’ privacy and the application could act as a surveillance tool for the government.
- Sprinklr application: Recently, the Kerala High Court, in the Sprinklr contract deal, caught the privacy-related shortcomings in the process, and it is necessary for Sprinklr to immediately stop receiving identified personal data of the patients, which is in any case not required for the purpose for which the data is being shared with them. So the High Court of Kerala restrained Sprinklr from committing any act that may result in a breach of confidentiality of the data collected under the contract with the State Government of Kerala, and from exploiting such data directly or indirectly for commercial use or advertisement, or representing to any third party that it has access to data relating to COVID-19 cases. The court also ordered Sprinklr to return all data to the State Government of Kerala after the contract is over and to delete the remaining data which is in its ownership.
According to news reports of 23rd of May, 2020, the Government’s affidavit states that Sprinklr has only limited technical access and there is no access to data.
According to the Data Protection Bill, 2019, the consent of the individual would be required for the processing of personal data. Based on the type of personal data being processed, organizations will have to review and update their data protection policies and codes to ensure these are consistent with the revised principles. This includes updating their internal breach notification procedures, implementing appropriate technical and organizational measures to prevent misuse of data, having a Data Protection Officer appointed by the Significant Data Fiduciary, and instituting grievance redressal mechanisms to address complaints by individuals. Today, under the restrictions imposed by the COVID-19 lockdown, private sector companies have adapted to a work-from-home model. With courts moving to an e-filing process as well, there is a tremendous increase in the amount of data transfer and transmission of sensitive personal information. The health and corporate sectors and other stakeholders are taking steps to stop the spread of the virus, and measures such as data tracking and mass surveillance could prove to be effective in suppressing the spread of COVID-19.
References:
- Section 43-A of the Information Technology Act, 2000
- Section 72-A of the Information Technology Act, 2000
- The Information Technology Rules, 2011 (Reasonable Security Practices and Procedures and Sensitive Personal Data and Information)
- The Personal Data Protection Bill, 2019
- KS Puttaswamy and Anr. v. Union of India and Ors., Writ Petition (Civil) No. 494 of 2012
- S.R. Bommai v. Union of India, 1994 AIR 1918, 1994 SCC (3) 1
- Indian Penal Code, 1860
- News articles from indianexpress.com