DATA PROTECTION LAWS IN INDIA: A CRITICAL ANALYSIS

Fundamentals of Intellectual Property Rights 6.6

Submitted by

Anshuman Pandey

UID- SM0116008

Third Year, Sixth Semester

Faculty Incharge

Ms. Juri Goswami

Research Associate

National Law University and Judicial Academy, Assam

 Table of Contents

Table of cases iii

Table of statutes iii

Table of Abbreviations iii

Introduction v

Abstract: v

Overview: v

Objectives(s) vii

Scope and Limitations vii

Review of Literature vii

Research Questions viii

Research Methodology viii

Data Protection and Current Legislations in India 1

Revamping the Data Protection Framework in India 2

State's duty to protect national security 2

India's prowess in IT enabled services 3

TRIPS Agreement and Data Protection 4

The Needs and Modes of Data Protection 7

Principles of Data Protection 7

Conclusion 8

Bibliography ix

2
Table of cases
1. Justice K.S. Puttaswamy (Retd.) v. Union of India……………………………………….1
2. Bajaj Auto Limited v. TVS Motor Company Limited …………….
……………………………...7
3. Bayer Corporation v. Union of India …………………………………………………………..…
7
4. Biswanath Prasad Radhey Shyam v. Hindustan Metal Industries…….
……………………….3
5. Cadila Pharmaceuticals Ltd v. Instacare Laboratories Pvt Ltd…………………….......…6,7
6. Lallubhai Chakubhai Jariwala v. Chemical & Co……………………..
……………………….3
7. Novartis v. Union of India …………………………………………………………...
…….6

Table of statutes
1. Indian Copyright Act, 1957
2. Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act,
2016
3. Credit Information Companies (Regulation) Act, 2005; Credit Information Companies
Regulations, 2006;
4. TRIPS Agreement
5. Telecom Commercial Communication Preference Regulations, 2010.
6. Clinical Establishments (Central Government) Rules, 2012;
7. Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002.

Table of Abbreviations
AIR All India Reporter
Cal. Calcutta
ed. Edition
Ibid Same as above footnote
ILR Indian Law Reporters
Kant. Karnataka
Mad. Madras

3
 p. Page number
Pat. Patna
S.C.C. Supreme Court Cases
SCR Supreme Court Record
v. Verses
Vol. Volume
TRIPS Trade-Related Aspects of Intellectual
Property Rights
EU European Union
NASSCOM The National Association of Service &
Software Companies
BPO Business Process Outsourcing
MNC Multi National Company
IT Information Technology

4
Introduction

Abstract:
Often confused with trade secrets and confidentiality, privacy refers to the use and
disclosure of personal information and is only applicable to information specific to
individuals. Since personal information is a manifestation of an individual personality, the
Indian courts including the Supreme Court of India, have recognised that the right to privacy
it as an integral part of the right to life and personal liberty 1, which is a fundamental right
guaranteed to every individual under the Constitution of India guaranteed under article 21.
As such, the right to privacy has been given paramount importance by the Indian judiciary
and can only be fettered with for compelling reasons such as, security of the state and public
interest.

Overview:

The 21st century has been described as the 'information age' due to the extensive use of
information and almost everyone is constantly connected to the internet. The analysis of
large and complex sets of data has become a specialized science called 'Big Data' analytics
providing never before insights to alleviate societal problems relating to areas such as
health, food security, transport and urban planning. Governments of the day are launching
specialised programmes focused on this digital revolution, like “Digital India” initiative taken
by the Government of India.

Both the public and the private sector are engaged in amassing personal data which seems
to be generated ceaselessly. While there are justifiable uses that are vastly beneficial, such
centralization of data, profiling of individuals and increased surveillance, has led to concerns
relating to erosion of privacy of individuals, ability to impact public decision-making process
and national security.2

Various countries have been over the years trying to formulate strategies to counter or
control the negative affects of this digital aggregation. The EU has adopted a rights-based

1
Justice K.S. Puttaswamy (Retd.) v. Union of India, WRIT PETITION (CIVIL) No. 494 of 2012.
2
B.L. WADHERA, LAW RELATING TO INTELLECTUAL PROPERTY, 5th Edition, 2011, Universal Law
Publishing Co., New Delhi.

5
approach to privacy where personal privacy of an individual is the central pillar of the
protection regime. The US being a laissez faire culture, has mainly focused on individual's
right to be left alone by the State and thus the legislations have been regarding personal
information being processed by the government, where processing of personal information
by the private sector has been left open through a notice and choice model. China on the
other hand has adopted a centrally dominant model where personal information has been
perimetered within the country through legislation on grounds of national security.

The expression “data” is very wide in ambit and scope. It covers not only the personal
aspects but also the commercial aspects. The former is protected in the form of privacy
rights whereas the latter is protected as proprietary rights. The privacy rights are protected
under Article 21 of the Constitution of India. Similarly, proprietary rights are protected
under both the constitution of India and under various Statues like Indian Copyright Act,
1957, the IT Act, 2000, etc.

6
 Objectives(s)

The objectives of this research work is to:

1. To understand the concept of data protection and data storage policies in India.
2. To study the developments related to the data protection in India.
3. To understand and compare the data protection laws with the TRIPS agreement.

Scope and Limitations

The scope of this research paper is limited to critical analysis the data protection laws in
India and the study of the recent development in the field of the data protection laws.

Review of Literature

● This article3 gives a very comprehensive knowledge about the data protection laws in
India and it critically analyze the laws with provide the protection of data. The research
work highlights the major threats that India face due to the lack of data protection laws in
India. The article enshrines the laws and principles, which contributes to the evolution of
the laws relating to privacy and data protection, researcher tried to show the paradigm
shift in the concept of data protection laws.
● This research work4 contains in depth analysis of the data protections laws in India. The
research work also provides with the comparison between the Indian Laws relating to the
Data Protection and the TRIPS Agreement. It provided the researcher with the
background and evolution of the data protection laws in India. However, the research
work is limited to the Data Protection Laws and TRIPS agreement perspective and lacks
the elaborative explanation on the topic. Still it proves to an essential asset in completing
the research article.
● This book5 gives an insight on the laws relating to the patents. It also discusses about the
legislative history of the law relating to the Intellectual Property Rights. It also gives
3
NIRVAAN GUPTA, INDIA: DATA PROTECTION LAWS, (Mondaq).

4
PRAVEEN DALAL, DATA PROTECTION LAW IN INDIA: THE TRIPS PERSPECTIVE, Journal of Intellectual Property
Rights (Vol. 11 2006).

5
B.L. WADHERA, LAW RELATING TO INTELLECTUAL PROPERTY, 5th Edition, 2011, Universal Law Publishing Co.,
New Delhi.

7
 emphasis on various international convention on Data Protection and how theses
conventions have helped in the development of law related to IPR in India. It also
explains about the data protection and what are the various evolutions that took place in
recent years.

Research Questions

1. Whether there is any legislations regarding data protection in India?

2. What are the different factors that contributed for the evolution of data protection laws in
India?
3. Whether India comply with the International Conventions regarding the data protection?

Research Methodology

Approach of Research:

In this project, doctrinal research is used. Doctrinal Research is a research in which

secondary sources are used and materials are collected from libraries, archives, etc. Books,
journals, articles were used while making this project.

Type of Research

Explanatory type of research is used in this project, because the project topic was a critical
analysis so various concepts were needed to be explained.

Sources of Data Collection

Secondary source of data collection was used which involves in collection of data from
books, articles, websites, etc. No surveys or case studies were conducted.

8
Data Protection and Current Legislations in India

In India since the digital era has triggered the concerns for the data protection has started.
For mitigating against privacy concerns and national security concerns, the Indian legislature
and governments have over the years passed some specific laws in this regard:

i. General Application: Information Technology (Reasonable Security Practices and

Sensitive Personal Data or Information) Rules, 2011
ii. Govt. Collection of Data: Aadhaar (Targeted Delivery of Financial and other
Subsidies, Benefits and Services) Act, 2016; Aadhaar (Data Security) Regulations,
2016
iii. Banking Sector: Credit Information Companies (Regulation) Act, 2005; Credit
Information Companies Regulations, 2006; circulars of Reserve Bank of India
including KYC circulars; Master Circulars on credit cards, etc.; Master Circulars on
Customer Services; Code of Bank's commitment to Customers
iv. Telecom Sector: Unified License Agreement issued to telecom service providers by
the Department of Telecommunications; Telecom Commercial Communication
Preference Regulations, 2010.
v. Healthcare Sector: Clinical Establishments (Central Government) Rules, 2012;
Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations,
2002.6

It may appear that the aforesaid data protection regime in India is similar in scope to the US
data protection regime as it is applicable to specific sectors with a target audience. Having
said that, the core differentiator is the fact that in the US the data protection laws are
focused on 'protection from the State' and mostly do not have an application relative to the
private sector, while in India, such a distinction is not present and the principle driver seems
to be protection of data simpliciter being equally applicable to public and private sector.

In India there are no specific legislations that deals with the privacy and data protection and
the protection can be derived from various laws that deals with information technology,
intellectual property, contractual relations, cyber world etc.

6
NIRVAAN GUPTA, INDIA: DATA PROTECTION LAWS, (Mondaq)
http://www.mondaq.com/india/x/744160/Data+Protection+Privacy/Data_Protection_Laws_India

9
10
 Revamping the Data Protection Framework in India
While the previously mentioned specific legislations exist, the complexity, dynamism and all-
encompassing reach of the digital revolution require a far more comprehensive regulatory
regime to mitigate the concerns that are present.

Essentially, it appears that there were three main drivers for revamping the existing data
protection framework in India:

Justice Puttaswamy Judgment: A nine -judge bench of the Supreme Court of India delivered
a landmark judgment in the case of Justice K.S. Puttaswamy (Retd.) v. Union of India & Ors.7,
wherein it was held that the right to privacy is an intrinsic part of the fundamental right to
life and personal liberty under Article 21 (in particular and in all fundamental rights in Part III
which protect freedoms in general) of the Constitution of India. It was held that the
Constitution of India must evolve with the circumstances of time to meet the challenges
thrown up in a democratic order governed by the rule of law and that the interpretation of
the Constitution of India cannot be frozen on the perspectives present when it was adopted.
The Supreme Court acknowledged that the concept of the right to privacy has evolved from
the basic right to be let alone, to a range of negative and positive rights. The Court
recognised 'informational privacy' as an important aspect of the right to privacy that can be
claimed against state and non-state actors, but such a right is not an absolute right and may
be subject to reasonable restrictions. Further, the Court has laid down a test to limit the
possibility of the State clamping down on the right, i.e., such an action must be sanctioned
by law, it must be necessary to fulfil a legitimate aim of the State, the extent of the State
interference must be 'proportionate to the need for such interference' and there must be
procedural safeguards to prevent the State from abusing its power8.

State's duty to protect national security

India is a vast country with multiple cultures, religions and linguistic diversity and such
diversity presents its own challenges for the State. This is further complicated by its geo-
political location, due to which India has ranked third on the list of countries suffering from
terror attacks. For tackling the internal and external security challenges, the State

7
2017 (10) SCALE 1
8
PRAVEEN DALAL, DATA PROTECTION LAW IN INDIA: THE TRIPS PERSPECTIVE , Journal of Intellectual Property
Rights (Vol. 11 2006).

11
 necessarily needs to have the ability to engage in real-time surveillance of its data subjects if
the need arises. For such surveillance to be effective, the State must have the ability to
access the data centres, however, in today's digital world, the physical site of the data may
be outside India.

India's prowess in IT enabled services

India had a 55% share of the US$185-190 billion global outsourcing business in FY18. With
the advent of the General Data Protection Regulation in the EU with the effect from May 25,
2018, transfer of data from the EU to another non-EU country will need to pass either:

(i) the adequacy test, or

(ii) be in accordance with standard contractual clauses offering enough safeguards in
relation with the data.
Although, the transfer of data from EU nations at present is being undertaken under the standard
contractual clauses, due to the sheer size of economic activity and the pervading global
protectionist environment, a view may be taken that India's data protection regime is not in
sync with the EU requirements despite the contractual clauses being in place citing difficulty
in enforcing the contractual clauses in absence of a regulatory framework. This threat is
mitigated if India fulfils the adequacy test, i.e., India has adequate level of data protection
framework in place. For this test, the European Commission will examine the data protection
rules in place in India, data protection rights and their effective administration, data
protection authority, powers vested with such authority, international commitments with
regard to data protection and a periodic review of the aforesaid criteria. In the present list of
countries determined to be 'adequate', India does not figure, however, countries like
Argentina, Canada, Israel, Isle of Man, New Zealand and the United States have been
determined as 'adequate'. Accordingly, it may be strategically prudent for India to bring its
own regulatory framework on data protection in line with the EU (which has been trail-
blazing the global data protection practices).

In India, the efforts at complying with the demands of adhering to privacy laws have
originated mainly from the private sector rather than the Government. In the absence of a
specific legislation, the Indian software and outsourcing industry has been taking initiatives
on its own that would provide comfort to the foreign clients and vendors. The National
Association of Service & Software Companies (“NASSCOM”) is India's national information
technology trade group and has been the driving force behind many private sector efforts to

12
improve data security. For example, NASSCOM has created a National Skills Registry which is
a centralized database of employees of the IT services and BPO companies. This database is
for verification (with independent background checks) of the human resources within the
industry. Further, a self-regulatory organisation has been launched which will establish,
monitor and enforce privacy and data protection standards for India’s business process
outsourcing (“BPO”) industry. The organisation has already completed its initial round of
funding and the final rollout phase including industry membership is underway. Additionally,
many BPO service providers in India have engaged in voluntary self-regulation and adopted
stringent security measures to reduce the risks of misuse of non-public personal data. 9 To
reduce the risks of misuse of non-public personal data, the BPO companies in India have
adopted one or more of the following stringent security measures:

• Posting of armed guards outside office premises.

• Restricting entry by requiring microchip-embedded swipe cards.
• Prohibiting bags and briefcases in the work area.
• Making provisions that computers in workstations have no printers or devices for
removable storage.
• Banning or restricting agents or visitors from carrying mobile phones to the production
floor.
• Forbidding phone calls to and from either family or friends in employee workstations.
• Disallowing image capturing devices like cell phones, scanners or photocopiers.
• Restricting or prohibiting internet and e-mail access at workstations and inside most BPO
companies.
• Encryption of key information, such as passwords and, thus, s unseen by employees.
• Monitoring employees via closed-circuit television. The previously mentioned
protections to tighten security are an attempt by the Indian industry to ease customer
concerns over theft of private information.

TRIPS Agreement and Data Protection

TRIPS Agreement and Data Protection, the provisions of TRIPS Agreement are the most
extensive and rigorous in nature as these protect all forms of IPRs collectively. The present
article addresses only the 'data protection' aspect; hence, it is confined exclusively to

9
Ibid.

13
Section 1, i.e. copyright and related rights. 10 Article 9(1) of the Agreement provides that
Members shall comply with Articles 1 through 21 of the Berne Convention, 1971 and the
Appendix thereto. The members, however, shall not have any rights or obligations under
this Agreement in respect of the rights conferred under Article 6bis of that Convention or of
the rights derived therefrom. Thus, although TRIPS utilises Berne as a minimum standard, it
deviates from the Berne in two aspects. TRIPS is broader than Berne, in that it protects
`software and databases'; but at the same time, TRIPS is also narrower than Berne, in that it
does not require compliance with moral rights provided by Berne Article 6bis. 11 The member
will, however, have to continue to fulfill the existing obligations that Members may owe to
each other under the Berne Convention. 12 It means that if two Members of TRIPS
Agreement are already extending protection to each other in the form of 'moral rights' of
the authors under the Berne Convention, then the TRIPS Agreement will not prevent them
from doing so.

The TRIPS Agreement recognises protection of 'data' in Article 10(2) of the TRIPS
Agreement. Article 10(2) of the Agreement provides that 'compilation of data' or 'other
material', whether in machine-readable or other form, which 'by mason of the selection or
arrangement' of their contents constitute intellectual creations shall be protected as such
The Article further provides that such protection, which shall not extend to the data or
material itself, shall be without prejudice to any copyright subsisting in the data or material
itself.

A closer perusal of the Article reveals the following facts:

i. It is the 'compilation' of data or other material, which is protected under TRIPS

Agreement. It must be noted that 'compilation' of a subject matter of copyright is
protected under almost all the legal system. This is also protected in the Berne
Convention. Thus, if a data is compiled in a particular manner, the same cannot be
used in the similar manner. Further, by using the words 'other materials' the ambit of
this Article has been extended to even non-data items.

10
Article 9 and 10 of the TRIPS Agreement.
11
Gin B Elaine, International Copyright Law: Beyond the WIPO and TRIPS debate, Journal of Patent
Trademark Office Society, 785 (October 2004).
12
Article 2(2) of the TRIPS Agreement.

14
 ii. The compilation may be either in a machine-readable form or in some other form. The
previous category includes storing of data in computers and its parallels, whereas the
latter category includes storing of the data in the traditional paper mode. The storing
of data property in computers and its parallels necessitates protection of the same in
information technology law as well. This may be the reason that the government is
planning to amend the existing Information Technology Act, 2000. The proper
approach, however, seems to be to incorporate necessary 'explanatory provisions' in
the Indian Copyright Act, 1957 and making minor suitable amendments in the
Information Technology Act, 2000. In no case, it should be pressed forward through
Information Technology Act alone. If a data stored in a computer or its parallels is
misused, the provisions of the Information Technology Act can be pressed in to
service along with the Copyright Act, depending upon the nature of violation or
contravention. At this point it may be noted that the Copyright Act, 1957 already
protects 'databases' as `literary works' under Section 2(o) of the Copyright Act, 1957.13
As it already protects 'databases' as 'literary works' under Section 2(o) of the
Copyright Act. It must be noted that the definition of `literary work' is 'inclusive' in
nature and is capable of encompassing more categories. Secondly, the concept of
compilation used in this section is itself inclusive in nature and the compilation of
databases is one of them. Thus, the expression `compilation', as used in Section 2(o),
includes at least two forms of compilation. One is compilation for the purpose of
conferment of copyright and the other is compilation for the purpose of data
protection. Thus, when the Section 13(1) (a) of the Copyright Act uses the expression
'original literary works', it is used not only in an inclusive manner but also in a
multifunctional manner. It should not be confused to mean the literary work vis-à-vis
copyright only. The inclusive nature of the literary work is permeating the entire
Copyright Act and it cannot be allowed to be whittled down while interpreting
Section 13(1)(a) of the Copyright Act. In short, the Copyright Act protects original
compilations as both copyright and databases. It would be wrong to suggest that
copyright and data protection are one and the same thing. These two are different IPR,
which are expressly protected not only under the TRIPS Agreement but also equally
under the Copyright Act. The erroneous treatment of databases as copyright and with
similar parameters has created a position where the Indian government is planning to

13
Section 2(o) provides that unless the context otherwise requires, literary work includes computer programme,
tables and compilations including computer databases.

15
 make a separate law for data protection. The present requirement is only to issue an
explanatory notification clarifying this position. In fact, the definition of literary work
is capable of accommodating other materials as well, which may be non-data in
nature. This possibility has been expressly recognised and provided by both the
TRIPS Agreement and the Copyright Act. 14
iii. The claim for data protection originates only because of the selection or arrangement
of the contents by using the intellectual creations. Thus, if there is no intellectual
endeavour involved in the selection or arrangement of the contents, then the same
may not be protected as data property. The same will, however, still be entitled to the
protection of copyright, since the protection is not dependent upon the quality of the
contents but their expression as such. It must be mentioned at this point that the claim
of copyright is not dependent upon the formality of registration. The moment the
content are expressed in an original manner, the same will get the protection of
copyright.15

The Needs and Modes of Data Protection

The compelling and much sought out demand for providing protection to the electronic
information and data provided by various interested parties has again set in motion the
thought process and India is facing a situation where it has to decide whether it should bring
new amendments to the already existing IT Act, 2000 16 or to enact a separate law for the
same. A law on data protection must address the following Constitutional issues on a
priority basis before any statutory enactment procedure is set into motion:

i. Privacy Rights of the interested persons in real space and cyber space.
ii. Mandates of freedom of information under Article 19(1)(a).
iii. Mandates of rights to know of people under Article 21.

Principles of Data Protection

The Copyright Act, 1957 and Information Technology Act, 2000, protect the data protection
laws in India. In order to avoid the civil and criminal liability following principles are to be
followed by the private individuals:

14
Ibid.
15
Ibid.
16
The act primarily deals with e-governance and e-commerce.

16
 i. The data should be processed fairly and lawfully.
ii. The data should be obtained for specific and lawful purpose.
iii. The data should be adequate, relevant and not excessive.
iv. The data should not be kept for longer than necessary.
v. The data should be processed in accordance with the rights of the data subjects.
vi. Measures should be taken against unauthorised or unlawful processing.
vii. It should not be used in a manner not authorised by the holder of the ‘data property.’

Conclusion
The concerns and apprehension of the MNCs regarding lack of data protection in India are
farfetched and unwanted. Evolution of the laws and coming of the new technology and
institutions, there is dire need for the laws related to the data protection in India. Various
case laws has contributed to the evolution of data protection laws in India. Data protection
is a necessity in India as the ball has already been set rolling by the European Union;
however, a balance needs to be achieved in protecting privacy without throttling the
economic juices. Therefore, it is necessary not only theoretical framework but there is also
the need to setup regulatory machinery which should actively engage in providing solutions
for enterprise, big and small so the implementation is not challenging and cost effective.

17
Bibliography

List of Books
● V K Ahuja, LAW RELATING TO INTELLECTUAL PROPERTY RIGHTS, 2 nd ed.
2013, Lexis Nexis, New Delhi.
● B.L. Wadhera, LAW RELATING TO INTELLECTUAL PROPERTY, 5 th ed. 2011,
Universal Law Publishing Co., New Delhi.

List of Articles
● B.L. WADHERA, LAW RELATING TO INTELLECTUAL PROPERTY, 5th Edition,
2011, Universal Law Publishing Co., New Delhi.

● Scoot McBride, “The Data Protection Laws: India Needs to Legislate”, 4 NLJ (2010),
The National Law Journal.

● W C Eric, “Breaking the law to break into the black: Data Protection a dire Need”, 11
IPLR (2007).

● Nirvaan Gupta, India: Data Protection Laws, (Mondaq).

● Praveen Dalal, Data Protection Law in India: The TRIPS Perspective, Journal of
Intellectual Property Rights (Vol. 11 2006).

18