Scroll Top



Data protection refers to a collection of privacy laws, policies, and procedures that minimize privacy invasions brought on by the gathering, storing, and sharing of personal information. Whether it is used by the government or a private entity, personal data is any information about a person who can be identified from such information. The fundamental right to privacy is not mentioned in the constitution of India. However, the judges have involved this right in other pre-existing fundamental rights, such as the right to life under Article 21 of the Indian Constitution[1] and the freedom of speech under Article 19(1)(a) of the Constitution[2]. However, the state may place reasonable limitations on these Fundamental Rights at times.

Our country currently has no explicit laws when it comes to privacy. The existing data protection laws in India are the Information Technology Act,of 2000 and the Contract Act of 1872. In addition to this, the country’s regulatory framework for data protection and privacy is provided by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules of 2011[3].  Personal data is also protected under Article 21 of the Constitution of India[4], which states that everyone’s right to privacy is a fundamental freedom guaranteed by the constitution.

 IT ACT, 2000

There aren’t many provisions in the IT Act of 2000 that address crimes involving personal data; the pertinent parts are 43A, 72, and 72A[5]. Any corporate entity that has access to personal or sensitive data and is negligent in putting in place and maintaining reasonable security measures and procedures is subject to liability under Section 43A[6], and if it causes any loss or wrongful gain to anyone, it may be required to make restitution to that person.[7] The IT Act, 2000 was amended in 2008 to add Section 69A[8]. It provides the ability for the central government to block public access to any internet material (websites or mobile apps).A website may be blocked by the government under Section 69A if it poses a threat to India’s security, sovereignty, integrity, cordial relations with other nations, or public order. Section 72 deals with the punishment for violating confidentiality and privacy.[9]


The Information Technology Rules, 2011, which protect sensitive personal data or information of a person, cover the following categories of personal information: password; financial info, such as bank account or cards or other payment details; sexual orientation; health records and background; and biometric identification.[10] On the other hand, the Indian Contract Act is mainly founded on common law principles and gives the parties a contract room to include relevant measures for data protection, such as confidentiality clauses and other similar provisions. The aforementioned regulations, while a step toward a particular data protection law, are insufficient. Only protected data as stated by the Rules is covered by these Rules. There is no comprehensive law that governs and controls every action involving data and has strict guidelines for data protection.

The rapidly advancing technology has outpaced the ability of the current data protection legislation to keep up. In India, where there has recently been a dramatic increase in cyberattacks, cybercriminals are always coming up with new techniques to acquire private information. The pandemic has hastened the digital environment by years, which has made things worse, and remote labour has boosted hackers’ attack surfaces. While regulatory bodies race to keep up, organizations are left wondering how they can manage this constantly shifting privacy situation.


When a change to the Information Technology Act of 2000 was suggested in 2008, the concept of a data protection policy in India was first raised in the Indian Parliament. Appropriate data protection remedies and preventive measures have also been implemented over time into many sectoral policies and standards. The foundation for single statute legislation for data protection in India was laid in 2017 by the widely reported Supreme Court decision in K.S. Puttaswamy v. Union of India[11], which recognized “privacy” as integral to the right to life and liberty guaranteed by Article 21 of the Indian Constitution, making the “right to privacy” a fundamental right[12].

Following this instance, it was thought that stricter laws were needed to protect people’s data and privacy. As a result, the Central Government established a data protection committee chaired by former Supreme Court judge Justice Srikrishna[13] in August 2017, and the committee produced an exhaustive white paper on the importance of data protection on July 27, 2018. The committee then released the draught Personal Data Protection Bill (“PDPB”), 2018 in July 2018. The PDPB was sent to the Joint Committee of the Parliament (“JPC”) for revision in 2019 due to several issues with its implementation. 

Following that, the JPC spent around two years examining and debating the subtleties of the PDPB amid the global epidemic. The PDPB was renamed the Data Protection Bill 2021 (“DPB”) in its latest version, and it included several significant revisions.[14] The DPB was expected to be tabled in Parliament during the February 2022 budget session; however, the new version of the legislation drew strong criticism and pushback from a variety of stakeholders, including within the JPC as well as domestic and international business houses, for being more focused on the protection of state interests rather than the protection of personal data and privacy. As a result, the DPB’s future is uncertain, with several media sources claiming that the Indian government is planning to abolish the DPB in favor of an entirely new data protection law.[15]


In today’s time, our personal information is required for security purposes. We all offer the precise information requested by legitimate institutions. Our information is given on the understanding that it is secure and won’t be disclosed to an unidentified third party without our consent. However, the notorious netizens have developed to the point where they can now obtain our personal information by employing their purported hacking abilities. Because they are aware that the laws have not yet been adequately formulated and that even if they are caught, they won’t face severe penalties, such miscreants in India aren’t even frightened to perpetrate such offenses. This is because India has no regulations governing data protection.

As stated in this research, India had taken a few measures and amended the IT Act 2000, we still require a distinct piece of legislation to deal with such circumstances. India continues to struggle to maintain a strong and specific data protection law. The urgent need of the day is for new legislation that focuses primarily on the protection of data and information found online. However, the legislature must exercise caution while formulating the laws to strike a balance between the interests of the general public and strengthen its control over the rising incidence of cybercrime. A robust Data Protection law must be created immediately so that the nation’s residents do not live in continual fear of their details getting leaked and getting misused. We also need to do this so that international businesses that want to enter the Indian market won’t be hesitant to do so. After all, no business would ever devote time and resources to a nation that lacks adequate data and privacy protection.

Author(s) Name: Aditi Singh (Dr. Ram Manohar Lohiya National Law University, Lucknow)


[1] Constitution of India, 1950, art.21

[2] Constitution of India, 1950, art.19(1) (a)

[3] The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

[4] Constitution of India, 1950, art.21

[5] Information Technology Act, 2000, ss 43A, 72, and 72A

[6] Information Technology Act, 2000, s 43A

[7] Anurag Vaishnav, ‘The Personal Data Protection Bill, 2019: All you need to know’ (PRS Legislative Research, 23 December 2019) <> accessed 19 June 2022

[8] Information Technology Act, 2000, s 69A

[9] Information Technology Act, 2000, ss 69-72

[10] S.S. Rana & CoAdvocates, ‘Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011’ (Mondaq, 5 September 2017) <> accessed 19 June 2022


[11]Justice K S Puttaswamy v Union of India (2017) Writ Petition (Civil) No. 494/2012

[12] Constitution of India, 1950, art.21

[13]Report of the Joint Committee on the Personal Data Protection Bill, 2019’ (PRS Legislative Research) <> accessed 20 June 2020

[14] Khaitan Legal Associates, ‘The Journey of India’s Data Protection Jurisprudence’ (Lexology, 11 April 2022) <> accessed 20 June 2022

[15] Aditi Phadnis & Neha Alawadhi, ‘JPC members record dissent towards parts of Personal Data Protection law’ (Business Standard, 23 November 2021) <> accessed 20 June 2022