India's personal data protection framework is still at a nascent stage, since it does not cover a very large body of potential abuse scenarios.

But India does have a statutory framework prohibiting and penalising some misuses of data. (See our presentation for existing penalties: https://youtu.be/W53BOJDumcU)

IT Act read with The Rules

The IT Act, read with the Rules, prescribes prohibitions as well as mandatory affirmative action with respect to personal data. It contains both user-compensation provisions and statutory fines and sentences.

The bottom line is that if the wrong to the user can be traced back to negligent security practices in dealing with the user's data, the corporate is liable.



The relevant sections of the Act covering what we've explained above in simple words are as follows:

Section 43A: if a body corporate is negligent in maintaining reasonable security practices and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.

Section 72A: any person who, while providing services under the terms of lawful contract, has secured access to any personal information of an individual with the intent to cause wrongful gain or wrongful loss, discloses such information without the consent of such individual, to any other person, then such person committing such act shall be punished with imprisonment for a term which may extend up to 3 (three) years, or with fine which may extend up to INR 5,00,000 (Indian Rupees Five Lakh only), or with both.

Aadhaar Act 2016

The government has practically made it mandatory for every citizen to share their personal data with it, by linking "Aadhaar card" verification to the availing of most government or government-affiliated facilities.

The Unique Identification Authority of India (UIDAI), which collects all this information, is bound by confidentiality obligations under the Aadhaar Act.

The Act can also, in 10 broad ways, catch individuals or corporates messing with users' personal data and penalise them. (See our presentation.)



But so far as comprehensive protection of India's constitutional guarantee of privacy (under Article 21) is concerned, we are a long way off. It is only the enforcement of the pending Personal Data Protection Bill, 2019 (the PDP Bill) which can assure protection of the personal data of individuals in India.

With the enactment of the PDP Bill, Section 43A will be omitted. The PDP Bill will be the comprehensive law on data protection and data privacy in India.
