Data Protection Laws in India


Data safety and privacy protection are a set of policies, procedures, and cyber laws in India that aim to minimize the incursion into privacy caused by the storage, collection, and dissemination of personal data. 

Personal data is the information and data that is related to a person who can be identified from the information, whether it is collected by any private, government organization, or agency. 

The Constitution of India does not grant the fundamental right to privacy, and the right to privacy has been read into the existing fundamental rights by the courts. Right to life, personal liberty, freedom of speech, and expression of the Constitution of India are subject to reasonable restrictions that the State can impose under Art 19(2) of the Constitution. 

India does not have legislation that governs data safety and protection. Although there aren’t any direct cyber security laws in India, there are laws in India that deal with data protection: the Indian Contract Act, 1872, and Information Technology Act, 2000. There have been a few amendments to the IT act lately, and the law on data protection will be introduced in India shortly.

The Information Technology Act, 2000 takes up the issues related to the payment of Civil compensation and Criminal punishment in case of misuse and false disclosure of personal data and violation in respect of personal data.

The Government of India has notified that the Information Technology (Reasonable Security, Practices, Procedures and Sensitive Personal Data or Information) Rules, 2011 deals with the protection of sensitive and personal information of a person, which includes:

  • Financial information such as bank account or credit/debit card or other payment details,

  • Passwords,

  • Sexual orientation,

  • Physical and mental health conditions,

  • Biometric information

  • Medical records and history

The rules provide the security procedures and practices, which any person collects, receives, deals, possesses, stores, or handles the information that is required to follow while dealing with Personal data. 

Find Cyber and Data Protection Lawyers And Prioritize Your Safety With Rest The Case.

Data Protection Bill 2019:

India stands way behind when it comes the data protection infrastructure. Data Protection Bill 2019, which took five years in the making, was made to safeguard the national privacy issue. However, the government withdrew the bill while assuring a new bill to the table. The reason was the panel's suggestion of 81 amendments and 12 recommendations.

Information Technology Act, 2000

The Information Technology Act, 2000 referred to as the "IT Act," provides legal recognition for the transactions that are carried out through electronic data interchange and other electronic communication known as "electronic commerce," which uses the alternative to paper-based methods and storage of information to facilitate the filing of documents.

Penalty for Damage to Computer Systems under the IT Act

Section 43 of the IT Act penalizes without prescribing any upper limit for doing any of the following acts:

  1. Accesses or secures access to a computer system or computer network;
  2. Downloading, copying, or extraction of any data, or information or computer database from the computer, computer system, or network, including data that is held or stored in any removable storage medium;
  3. Introduce any computer virus or contaminant into any computer system or network;
  4. Damages to any computer system, computer network, computer database, data, or any other programs that reside in such computer system or computer network;
  5. Disrupting any computer system or computer network;
  6. Denies any person authorized to access any computer system or network by any means;
  7. Charging the services that a person avails to another person by tampering or manipulating the computer system or network.
  8. Destroys, deletes, or alters any information that is there is a computer resource or diminishes the value by any means;
  9. Steal, destroy, conceal, or alter any computer source code used for a computer resource to cause damage.

Important Sections in IT Amdendant act 2008

Section 66 states that if any person fraudulently or dishonestly does any act referred to in section 43, the person shall be imprisoned for three years or with a penalty of Rs 5,00,000 or even both.

Amendments as introduced by the IT Amendment Act, 2008

Section 10A was put into the IT Act because it deals with the validity of the contracts that are formed through electronic means that shall not be deemed unenforceable.

The following important sections have been substituted and inserted by the IT Amendment Act, 2008:

  1. Section 43A – Compensation for failure to protect personal and sensitive data.
  2. Section 66 – Computer Related Offences
  3. Section 66A – Punishment for sending offensive messages. 
  4. Section 66B – Punishment for dishonestly receiving the stolen computer resource or any communication device.
  5. Section 66C – Punishment for any kind of identity theft.
  6. Section 66D – Punishment for cheating by using computer resources.
  7. Section 66E – Punishment for violating privacy.
  8. Section 66F – Punishment for cybercrime and terrorism.
  9. Section 67 – Punishment for transmitting or publishing obscene material in electronic form.
  10. Section 67A – Punishment for transmitting of material containing sexually explicit acts in electronic form.
  11. Section 67B – Punishment for publishing or transmitting material that depicts children in a sexually explicit act.
  12. Section 67C – Retention and Preservation of information by intermediaries.
  13. Section 69 – Powers to issue directions to monitor or decrypt any information in computer resources.
  14. Section 69A – Blocking public access to any information in any computer resource.
  15. Section 69B – Power to authorize, monitor, and collect traffic information for cyber privacy and security through any computer resource.
  16. Section 72A – Punishment for disclosure of data in breach of any lawful contract.
  17. Section 84A –Encryption methods.
  18. Section 84B –Punishment for offenses.
  19. Section 84C –Punishment for attempt to commit cyber offenses.


Data Protection is a set of policies, procedures, and privacy laws that aim to minimize the incursion into privacy caused by personal data storage, collection, and dissemination. Personal data is the information and data that is related to a person who can be identified from the information, whether it is collected by any private, government organization, or agency. The laws in India that deal with data protection are the (Indian) Contract Act, 1872, and Information Technology Act, 2000. Law on data protection is going to be introduced in India soon.

Found this interesting? Read more such blogs and improve your legal knowledge with Rest The Case.