Privacy Compliance under Information Technology Act 2000 in India
India does not have a specific law on protection of Privacy. However, based on relevant Supreme Court decisions, a Constitutional right of Privacy is recognized under “Fundamental Rights” and this applies to violations by the Government.
In the past there have been a few attempts at passing a Privacy Law but they have not fructified.
However, the Information Technology Act 2000 first notified on 17th October 2000 and more specifically, the amendments made in 2008 and notified on 27th October 2009 (ITA 2008) have provided protection for “Personal Information” and “Sensitive Personal Information” in “Electronic Form” with civil and criminal penalties for violation.
The provisions of Section 43A, 72A directly relate to protection of Sensitive Personal data and Personal data respectively. Section 43A imposes Civil Penalties on Body Corporates for not practicing “Reasonable Security Practices” which refer to the contractual agreement with a data supplier.
Section 72A imposes Criminal Penalties for breach of privacy in violation of any contract with a data subject.
Both Section 43A and 72A are based on the underlying contracts and hence if a Data Processor in India has entered into any contract with a Data Subject or a Data Data Vendor from abroad or India which impose any Privacy protection and Data Protection obligations, such obligations are supported by the ITA 2000/8.
Additionally, Section 43 and 72 also provide civil and criminal protection for mishandling of data causing wrongful loss to any person.
ITA 2000/8 also provide for a redressal mechanism through an “Adjudication Process” as regards Claims for damages in terms of compensation. The “Adjudicator” also has suo moto powers to conduct investigations and impose penalties for any contravention of the provisions of ITA 2000/8.
The enforcement mechanism however is not considered efficient and needs improvement. Indian Courts can be approached for civil claims of over Rs 50 million.
The Criminal action needs to be pursued by the Police. Criminal Courts have the jurisdiction for imposing penalties under ITA 2000/8.
In both the civil and criminal remedies, “Compounding” is permitted and hence a negotiated settlement is also possible between the complainant/victim and the respondent/accused.
Since remedies under ITA 2000/8 are based on contractual obligations, the Business Associate Contracts that Indian Companies sign with data controllers abroad which may impose privacy obligations under laws such as HIPAA or DPA can easily be enforced under the Indian laws.
It is therefore considered that despite the possible delays in the judicial process, there is adequate Privacy and Data Protection provisions contained under ITA 2000/8 when personal data to be protected in is electronic form.
A Copy of Information Technology Act 2000 as amended upto date and the rules notified, are available at www.ita2008.in