Data Privacy Breaches and Criminal Liabilities in India

In the digital age, data privacy breaches are becoming increasingly common, and they raise significant concerns about the protection of personal information. With the increasing reliance on technology, data is continuously collected, processed, and shared by various entities, often leading to privacy risks. In India, data privacy and security have gained considerable attention, and the legal framework governing data protection is evolving to address these concerns. This article discusses data privacy breaches and the criminal liabilities associated with them under Indian law.

Legal Framework for Data Privacy in India

India's legal framework for data privacy is primarily governed by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (under the Information Technology Act, 2000) and the Personal Data Protection Bill, 2019 (PDPB), which is currently under parliamentary review. These laws aim to regulate the collection, storage, and processing of personal data to protect citizens’ privacy rights.

Information Technology Act, 2000 (IT Act, 2000)

The IT Act, 2000 is the main statute in India for addressing cybercrimes and data protection. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 under this Act set out guidelines for the processing of sensitive personal data and require entities to adopt reasonable security practices.

Under the IT Act, Section 43A provides a legal framework for compensating individuals who are affected by a data breach, while Section 72A specifically criminalizes the disclosure of personal information without consent, with a penalty for violation.

Personal Data Protection Bill, 2019

The Personal Data Protection Bill, 2019 (PDPB), which is currently being reviewed, aims to regulate the processing of personal data in India. It draws inspiration from the European Union's General Data Protection Regulation (GDPR) and intends to provide stricter guidelines on data privacy, consent, and penalties for violations.

The PDPB includes provisions for criminal liabilities for violations related to the processing of personal data. If passed in its current form, the Bill would significantly alter the landscape of data privacy and security in India.

Data Privacy Breaches and Types of Violations

A data privacy breach occurs when personal information is exposed, accessed, or disclosed without the consent of the individual to whom the data pertains. Data privacy breaches can take many forms, including:

  • Unauthorized Access: When individuals or entities gain access to personal data without permission, such as through hacking, phishing, or employee misconduct.
     
  • Data Theft: The illegal acquisition of personal data, often with the intent to misuse it for financial gain, identity theft, or fraud.
     
  • Data Disclosure: When an organization shares personal data with third parties without the consent of the data subject, or in violation of their privacy policies.
     
  • Failure to Secure Data: When entities fail to implement reasonable security measures to protect personal data, making it vulnerable to unauthorized access or breaches.

Criminal Liabilities for Data Privacy Breaches

Under Indian law, data privacy breaches can lead to both civil and criminal liabilities. The penalties depend on the nature of the violation, the severity of the breach, and whether it was intentional or caused by negligence. Below are some of the provisions under Indian law that impose criminal liabilities for data privacy breaches:

Under the Information Technology Act, 2000

  1. Section 43A: This section makes it mandatory for companies to implement reasonable security practices to protect sensitive personal data or information. If an entity fails to protect such data, it can be liable for compensation to the affected individuals. Though this section is mainly civil, a breach can also lead to reputational damage and criminal investigations in extreme cases.
     
  2. Section 66E: This section criminalizes the violation of privacy through the capturing, publishing, or transmitting of personal information without consent. The punishment for violating this provision can be imprisonment for up to three years or a fine of up to ₹2 lakh, or both.
     
  3. Section 72A: This section criminalizes the disclosure of personal information by an intermediary without the consent of the person to whom the information pertains. This section covers situations where an employee or an intermediary reveals personal data that was entrusted to them. The punishment can be imprisonment of up to three years or a fine of ₹5 lakh, or both.

Under the Personal Data Protection Bill, 2019

If passed, the PDPB will introduce a more comprehensive framework for criminal liabilities in case of data breaches. Some provisions include:

  1. Section 91 (Penalties for Non-Compliance): Organizations that fail to adhere to the guidelines set forth in the PDPB, such as not obtaining consent for processing data or mishandling personal data, can be subjected to significant penalties. These penalties can be financial, but criminal action can also be initiated against individuals responsible for such violations.
     
  2. Section 92 (Criminal Penalties): The PDPB stipulates criminal penalties for the unlawful processing of data, including the unauthorized processing of sensitive personal data and selling or transferring such data. Violators can face imprisonment for up to three years and a fine, or both.
     
  3. Section 93 (Punishment for Re-identification): In cases where personal data has been anonymized or de-identified and later re-identified without consent, the Bill proposes severe penalties, including up to five years of imprisonment and a fine.

Ethical and Legal Considerations

The growing incidents of data breaches in India highlight the importance of adopting stronger data privacy laws. There are several factors that must be taken into account for effective enforcement of data privacy laws:

  • Consumer Awareness: A significant portion of data breaches arises from a lack of awareness among consumers regarding how their data is used. Educating individuals about their rights under the IT Act and PDPB is crucial.
     
  • Corporate Responsibility: Companies need to ensure that they follow best practices in securing personal data and comply with data protection regulations.
     
  • Government Role: The Indian government must act swiftly to pass the PDPB, which is currently in limbo, to address gaps in the current data privacy framework.

Conclusion

Data privacy breaches in India can lead to severe criminal liabilities under existing laws such as the Information Technology Act, 2000, and will likely see more stringent provisions once the Personal Data Protection Bill, 2019 becomes law. Companies and individuals involved in the collection, storage, and processing of personal data must ensure they adhere to security measures to prevent breaches. With rapidly advancing technology, addressing data privacy concerns through effective legislation and enforcement is essential for safeguarding citizens' rights and maintaining trust in digital platforms.
