
EPIC --- Privacy and Human Rights Report


EPIC --- Privacy and Human Rights Report 2006


Republic of India

Constitutional Privacy Framework

The Constitution of 1950 does not expressly recognize the right to privacy.[2807] However, the Supreme Court first recognized in 1964 that there is a right of privacy implicit in the Constitution under Article 21, which states, "No person shall be deprived of his life or personal liberty except according to procedure established by law."[2808]

Data Protection Framework

There is a general right of personal privacy recognized in Indian law. Police must obtain warrants to conduct searches and seizures, except in cases where exigent circumstances exist. Police must justify warrantless searches in writing to the nearest magistrate with jurisdiction over the offense.[2809] However, the authorities in Jammu and Kashmir, Punjab, and Assam have special powers to search and arrest without a warrant.[2810] Invasion of privacy by private persons is not governed by the Constitution, though unlawful attacks on the honor and reputation of a person can invite an action in tort and/or criminal law.[2811]

There is no general data protection law in India, though some provisions exist in other regulations.[2812] The Public Financial Institutions Act of 1993 codifies India's tradition of maintaining confidentiality in bank transactions. Privacy in telecommunications has also been regulated by the Telecom Regulatory Authority of India (TRAI), which regulates all telecommunication services in the country. The Common Charter of Telecom Services for adoption by all Telecom Service providers provides, "All Service Providers assure that the privacy of their subscribers (not affecting the national security) shall be scrupulously guarded."[2813]

The rise of business process outsourcing (BPO) operations and call centers in India has placed the government under increasing pressure to implement a data protection law that conforms to US and European data protection standards.[2814] The National Association of Software and Service Companies (NASSCOM)[2815] has continued to urge the government to pass a data protection law to ensure the privacy of information supplied over computer networks and to meet international standards.[2816] Press coverage of the growing privacy concerns in the US over data sent to India as well as continued pressure from EU companies have led NASSCOM and other industry leaders to move for increased privacy protection in India. This protection may take the form of a Safe-Harbor agreement similar to the US and EU privacy framework.[2817] NASSCOM has also identified State-specific data privacy laws with which Indian regulations must comply, including the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act, and California's identity protection law, SB 1386.[2818] Foreign companies are currently relying on contractual obligations to impose privacy protection standards for customers.[2819]

The push for data protection laws comes in the wake of fraud and identity theft in the BPO industry. In February 2003, India convicted its first cyber-criminal when a Delhi High Court sentenced Arif Azim on the charges of online cheating. In this case, Arif Azim, while working for a call centre near Delhi, stole credit card information that belonged to an American citizen and used it to order a color television and a cordless phone.[2820] In April 2005, a fraud scheme was discovered involving employees of an Indian call center.[2821] Employees convinced Citibank account holders in the United States to reveal their personal identification numbers, which were used to obtain more than USD 400,000.[2822] In a recent incident reported by the UK-based Channel 4 “Dispatches” documentary, an undercover TV investigator claims to have accessed credit card details of 100,000 customers of UK high-street banks from Indian call centres for as little as £5 each.[2823]

In 2006, an Indian technology firm, Acme Telepower Limited, accused its former employee of stealing data. Acme’s general manager of marketing said, “the employee worked in the company for four years and was on research projects. The financial loss (from the data theft) is not less than Rs 50 crore [9 million EUR].”[2824] Acme deals in specialized hardware and software integration. In response, Acme decided to move their R&D operations and new projects to Australia and shut down existing operations over a period of time. They have also decided to cancel a 7 million EUR investment plan in India.[2825]

In the summer of 2006, police in Bangalore arrested a former HSBC employee for the theft of funds from customers of HSBC bank in the UK. The former employee is being charged in India with stealing customer data that was sent to the employee's accomplices in the UK. Approximately twenty customers of HSBC reported that funds had disappeared from their accounts. This prompted an investigation by bank officials, who found that 310,000 EUR had been diverted by the employee and his associates.[2826]

To combat concerns about potential employee fraud, NASSCOM has created a “National Skill Registry,” a central database covering IT sector employees.[2827] NASSCOM describes the purpose of the initiative as “to maintain a central database of the educational qualifications and skill sets acquired by the person,” and mandates that employers, among other things, “post information regarding any legal or criminal proceedings initiated against the employee.” Moreover, NASSCOM has taken extensive steps to ensure security of personal information. As of April 2007, there are approximately 100,000 registrants in the database.[2828] Recently, NASSCOM announced that a data privacy watchdog is to be set up in India to oversee the country's IT industry. This is a response to international concerns about the security of outsourced customer records and data. The body is named the Data Security Council of India (DSCI) and will be an independent organization at arm's length from NASSCOM.[2829]

Wiretapping and Surveillance Rules

Wiretapping is generally regulated under the Telegraph Act of 1885, which gives the police authority to tap phones and intercept mail to aid an investigation.[2830] There have been numerous wiretap scandals in India, resulting in a 1996 decision by the Supreme Court that wiretaps are a "serious invasion of an individual's privacy."[2831] The Court also set out guidelines for wiretapping by the government that define who can tap phones and under what circumstances. Only the Union Home Secretary, or his counterpart in the states, can issue an order for a wiretap. The government is also required to show that the information sought cannot be obtained through any other means. The Court mandated the development of a high-level committee to review the legality of each wiretap.[2832] Recordings or transcripts of tapped phone calls are not generally accepted as primary evidence in Indian courts; however, such evidence was admissible in terrorist cases under the Prevention of Terrorism Act (POTA) and the Unlawful Activities (Prevention) Act (UAPA).[2833] According to prominent NGOs, the mail of many NGOs in Delhi and in strife-torn areas continues to be subjected to interception and censorship, despite the Supreme Court prohibition of unauthorized taps.[2834] In recent years, the Government Enforcement Directorate, which investigates foreign exchange and currency violations, searched, interrogated, and arrested thousands of business and management professionals, often without search warrants.[2835]

In May of 2000, the government passed the Information Technology Act, a set of laws intended to provide a comprehensive regulatory environment for electronic commerce.[2836] The Act also addresses computer crime, hacking, damage to computer source code, breach of confidentiality and viewing of pornography. A variety of tools are provided to authorities to investigate cyber-crime. Section 69 allows for interception of any information transmitted through a computer resource and requires that users disclose encryption keys or face a jail sentence of up to seven years. The section also gives tremendous powers to the Controller of Certifying Authorities (CCA) to direct interception of any information transmitted through any computer resource. This direction is only to be given if the CCA is satisfied that it is necessary or expedient so to do in the interests of the following: the sovereignty or integrity of India, the security of the state, friendly relations with foreign states, public order, or for preventing incitement to the commission of any cognizable offence.[2837] Section 44 imposes stiff penalties on anyone who fails to provide requested information to authorities. Section 80 allows deputy superintendents of police to conduct searches and seize suspects in public spaces without a warrant. This section in particular appears to be targeted at users of cybercafés, where an estimated 75 percent of Indian Internet users access the Web.[2838]

After widespread public outcry, sections requiring cybercafés to create detailed records about their customers' browsing habits were dropped; however, many sections of the Act place strict regulations on the use of computers and the Internet. The Act provides for censoring information on the Internet on public morality grounds and imposes strict penalties for involvement in the electronic publishing of materials deemed obscene by the government.[2839] The Act considers "unauthorized access to certain types of electronic information" a crime.[2840]

In October 2006, the Indian government approved draft amendments to the IT Act.[2841] The extensive recommendations suggest allowing public-private partnerships in e-governance delivery of services as well as allowing relationships between Controller of Certifying Authorities, Certifying Authorities and Subscribers, Data Protection and Privacy. The Expert Committee also recommended implementing reasonable security practices and procedures regarding the handling of sensitive personal data or information, gradation of severity and punishment of computer-related offences committed dishonestly or fraudulently. Finally, the Expert Committee recommends amendments to the Indian Penal Code to cover online obscenity, child pornography and video voyeurism.[2842] The recommendations have been incorporated into Bill 96 of 2006,[2843] which is now before Parliament.

In March 2000, the Central Bureau of Investigation set up the Cyber Crime Investigation Cell (CCIC) to investigate offences under the IT Act and other high-tech crimes.[2844] The CCIC has jurisdiction over all of India and is a member of the Interpol Working Party on Information Technology Crime for South East Asia and Australia. Similar cells have been set up at the state and city level, for example in the state of Karnataka and the city of Mumbai. The National Police Academy in Hyderabad has prepared a handbook on procedures to handle digital evidence in the case of computer and Internet-related crimes.[2845] The government is also considering establishing an Electronic Research and Development Centre of India to develop new cyber-forensic tools. India's Intelligence Bureau is reported to have developed an e-mail interception tool similar to the Federal Bureau of Investigation's Carnivore system, which it claims to use in anti-terrorist investigations.[2846] In April 2002, India and the United States launched a cyber-security forum to collaborate on responding to cyber-security threats.[2847]

Moreover, the Indian government created the Indian Computer Emergency Response Team (CERT-IN) with a mission "[t]o enhance the security of India's Communications and Information Infrastructure through proactive action and effective collaboration." It is a branch of the Department of Information Technology, Ministry of Communication and Information Technology. CERT-IN was constituted as the “nation's most trusted referral agency of the Indian Community for responding to computer security incidents,” with an underlying objective to “assist members of the Indian Community in implementing proactive measures to reduce the risks of computer security incidents." CERT-IN provides incident prevention and response service as well as quality management services.[2848]

Anti-Terrorism Measures

In March 2002, the Indian Parliament, in a rare joint session, passed the Prevention of Terrorism Act (POTA) over the objections of several Opposition parties and in the face of considerable public criticism. The National Human Rights Commission, an independent government entity, criticized the measure, finding that the existing laws were sufficient to combat terrorism.[2849] The law codified the Prevention of Terrorism Ordinance that in turn built on the repealed Terrorist and Disruptive Activities (Prevention) Act (TADA). In September 2004, POTA was repealed following heavy criticism that its provisions were frequently misused against Muslims.[2850] However, many aspects of POTA, including the legal definition of terrorism and specific ordinances dealing with the financing of terrorism, were added onto the Unlawful Activities (Prevention) Act (UAPA).[2851]

POTA gave law enforcement sweeping powers to arrest suspected terrorists, intercept communications, and curtail free expression.[2852] Critics argued that the experience of TADA and POTA showed that the power had often been misused for political ends by authorities and that POTA had done little to curb those excesses. Chapter V of POTA dealt with the interception of electronic communications, which also created an audit mechanism that included some provision for judicial review and parliamentary oversight.

In certain high-risk states such as Jammu and Kashmir, search warrants are not required and the government from time to time bans the use of cellular telephones, long distance phones, and cybercafes. India's Enforcement Directorate, which investigates foreign exchange and currency violations, searches, interrogates, and arrests business professionals, often without a warrant.

On December 13, 2001, five heavily armed intruders and gunmen attacked the Indian Parliament. A case was duly registered, investigated and prosecuted under the provisions of POTA, enacted partly in response to this event. The trial court judge convicted the accused persons. On appeal, the New Delhi High Court held that intercepted telephone conversations of the three persons charged under POTA for plotting the attack on the Parliament were not admissible evidence, although the High Court had previously held that telephone conversations could qualify as admissible evidence under the Indian Evidence Act, the Indian Telegraph Act and the Indian Penal Code, and that the trial court is allowed to consider the intercepts under these laws while deciding the case. The Central Bureau of Investigation appealed the High Court order and on September 5, 2003, the Supreme Court set the Delhi High Court judgment aside, allowed the appeal and decided that intercepted communications between the accused in the House of Parliament are admissible.

The Maharashtra Control of Organised Crime Act (MCOCA) was promulgated in 1999, reportedly to combat organized crime and terrorism. The Gujarat Control of Organised Crime Bill (GUJCOC), which is similar to MCOCA, was passed in 2004 after sections which gave blanket powers to district collectors and district superintendents of police to intercept and record telephonic and other means of communications were deleted following suggestions that they violated the privacy of citizens.[2853]

MCOCA's repeal has been the main demand of human rights activists. However, police officials feel that its provisions were justified. The Public Prosecutor for Greater Mumbai insists that MCOCA has been "sparingly used" and that there is "little allegation of misuse."[2854] According to another public prosecutor, however, "no judge in his right mind" would grant bail to a person indicted under MCOCA, since the provisions allowing bail practically mandate an indirect acquittal before trial.[2855] Other sources of contention among the legal and human rights communities are Sections 14 through 17 of MCOCA. These provisions deal with authorizing the interception of wire, electronic and telephonic communications. Nowhere is it specified that permission from a competent authority is required before an individual's privacy is invaded.[2856]

Recent Privacy Case Law

In February 2005, the Supreme Court found that unsolicited calls to mobile phones violated the right to privacy. The Court asked the legislature to take steps to protect cell phone users from unsolicited calls.[2857] The Court also sent notices explaining its decision to telecom operators and several multinational banks believed to be active in telemarketing of loans and credit cards through cell phone messaging.[2858]

In 2006, India’s High Court discussed situations where privacy can be intruded on. The Court stated that intrusions into privacy may be by legislative provisions, administrative/executive orders, and judicial orders. Legislative intrusions must be tested for reasonableness as guaranteed by the Constitution, and for that purpose the court can go into the proportionality of the intrusion compared to the purpose sought to be achieved. Judicial warrants require the court to have sufficient reason to believe that the search or seizure is warranted, and it must keep in mind the extent of search or seizure necessary for the protection of the particular State interest. In addition, the Court mentioned that there are rare exceptions where warrantless searches could be conducted, but these must be in good faith, intended to preserve evidence or intended to prevent sudden danger to person or property.[2859]

Voting Privacy

India is known as the world's largest democracy; voting is open to those 18 years or older, but is not mandatory. In May 2004, more than 670 million registered voters, voting at nearly 800,000 polling locations during several phases spanning weeks, completed their first election conducted entirely on direct recording electronic (DRE) voting technology. There are 11 completely different scripts (alphabet systems) used throughout India, and the government recognizes 18 official languages. The Indian Census has identified more than 200 different dialects, which had to be accommodated by the voting system. The technology afforded more privacy for language minorities throughout the country. This achievement did not come without complications; more than 40 deaths occurred as a result of election violence. There were also reports of hired partisans taking control of some polling locations and employing the skills of computer science and engineering graduates to manipulate the technology at those sites. The problems identified with this election period were greatly minimized by the efforts of civil society groups who, with the assistance of government officials, were successful in getting public candidates to file disclosure affidavits, correcting voter registration lists, educating voters, and better enforcing election ethics laws.

Open Government

The right to impart and receive information is derived from the right to freedom of speech and expression. The right to freedom of speech is found under Article 19(1)(a) of India’s Constitution. A citizen has a fundamental right to use the best means of imparting and receiving information. The State is not only under an obligation to respect the fundamental rights of the citizens, but also equally under an obligation to ensure conditions under which the right can be meaningfully and effectively enjoyed by one and all.[2860]

The Right to Information Act was approved by the Parliament in May 2005 and signed by the President in June 2005.[2861] Certain preliminary clauses went into effect immediately, but the entire Act came into force in October 2005. The Act replaces the Freedom of Information Act, 2002, which was adopted in January 2003 but never came into force. The Act has three main chapters, and its purpose is to provide to every citizen access to information under the control of public authorities, in order to promote openness, transparency and accountability in administration. Requests may be made in writing, orally, or through electronic means to the appropriate Public Information Officer. On receipt of a request under section 6 of the Act, the Public Information Officer shall, within thirty days of the receipt of the request, either provide the information requested or reject the request for any of the reasons specified in sections 8 and 9. The exemptions in sections 8 and 9 include national security, public safety, Cabinet deliberations, legal advice or opinions, or trade secrets. The exemptions are all subject to override if it is in the public interest to disclose the information.

The law was inspired by previous legislation in select states (among them Maharashtra, Goa, Karnataka, Delhi, etc.) that gave citizens the right to information (to different degrees) about the activities of any State Government body. Right to information laws were first successfully enacted by the Indian State governments: Tamil Nadu (1997), Goa (1997), Rajasthan (2000), Karnataka (2000), Delhi (2001), Maharashtra (2002), Madhya Pradesh (2003), Assam (2002) and Jammu and Kashmir (2004). Any Indian states that do not have right to information laws are subject to India’s Right to Information Act.[2862]

The Right to Information Act guarantees the right of the public to inspect all information held by government agencies. However, the government claimed that the significant costs of collecting and copying so many records have forced it to charge higher fees to citizens who seek information. According to a BBC reporter, a farmer in Chhattisgarh sought information from a local government body regarding paddy field purchases; the authorities found and photocopied more than 90,000 documents and sent the farmer, who earns less than $1 per day, a bill for 182,000 rupees ($4,100). Prohibitive fees undermine the rights guaranteed by the law; however, authorities claim that fees are often waived for those who cannot afford to pay. Reports show that requests for information by poor citizens have surged since the passage of the Act, but Chhattisgarh Chief Minister Raman Singh suspects that well-to-do people are using the poor to get information "free" from the government, and he wants to amend the law to require information officers to inquire as to whether the information is “useful” to the particular requestor.[2863]

International Obligations

India joined the United Nations on October 30, 1945.[2864] It ratified the International Covenant on Civil and Political Rights (ICCPR) and the International Covenant on Economic, Social and Cultural Rights (ICESCR) on July 10, 1979.[2865] India is a founding member of the International Labour Organization (ILO), which came into existence in 1919, and has ratified 39 ILO Conventions.[2866]

[2807] India Constitution.

[2808] Kharak Singh v. State of UP, (1964) 1 SCR 332. Subba Rao, J. stated that “[i]t is true our constitution does not expressly declare a right to privacy as a fundamental right, but the said right is an essential ingredient of personal liberty.”

[2809] See Indian Penal Code, 1860.

[2810] US State Department Human Rights Report 2004 – India.

[2811] As the civil law pertaining to defamation is not codified, the courts have to apply the corresponding rules of the English Common Law. In 1994 the Supreme Court decided in the Auto Shankar case that every citizen has the right to safeguard his or her privacy and that nothing could be published on areas such as the family, marriage and education, "whether truthful or otherwise," without the citizen's consent, but carved an exception to this rule for material based on public records and information about public officials' conduct that is "relevant to the discharge of their duties"; see "Failure to Define Law on Privacy Could Cost Society Dear," Times of India, August 26, 2001.

[2812] A few of the proxy laws are Section 65, 66 and 72 of the Indian IT Act, the Indian Contract Act, Section 406 and 420 of the Indian Penal Code, and the Indian Copyright Act. See NASSCOM, “Regulatory Environment In India.”

[2813] Telecom Regulatory Authority of India, "TRAI for Introduction of Common Charter of Telecom Services By All the Service Providers," 2005.

[2814] John Ribeiro, "Indian Law May Satisfy Data Protection Concerns," Computerworld, April 21, 2004.

[2815] The NASSCOM, a non-profit organization, is a premier trade body and the Chamber of Commerce of the IT software and services industry in India. It has played a major role on the recent policy on privacy and data protection issues including the recommendation on the proposed amendments in the IT Act. For details refer to NASSCOM’s website.

[2816] "Inadequate Cyber Laws Hurting Indian Firms," Hindustan Times, May 25, 2005.

[2817] Margaret P. Eisenhauer, "Privacy and Security Law Issues in Off-shore Outsourcing Transactions," Hunton & Williams, February 15, 2005.

[2818] NASSCOM, "Indian Privacy Law," 2002.

[2819] Ribeiro, supra.

[2820] "India Poised to Tighten Data Protection Law," April 22, 2004.

[2821] Narayanan Madhavan, "India Plans IT Staff Registry to Help Stop Fraud," USA Today, May 17, 2005.

[2822] Erica Lee Nelson, "India Fortifies its Data Security," The Washington Times, May 28, 2005.

[2823] Sue Turton, “Credit Card Fraud Busted,” Channel 4, October 5, 2006.

[2824] India Times, “Accused sold source code,” Infotech.

[2825] “IT Firm pulls out of India.”

[2826] Anthony Mitchell, “Indian Call Center Agent Arrested for HSBC Thefts.”

[2827] For more details, see the National Skills Registry website.

[2828] See NASSCOM Security Initiatives.

[2829] Tom Young, “India to set up data privacy watchdog,” June 8, 2007.

[2830] US State Department 2006, supra.

[2831] Peoples Union for Civil Liberties (PUCL) v. The Union of India & Another, December 18, 1996, on Writ Petition (C) No. 256 of 1991; (1997) 1 SCC 301.

[2832] South Asia Human Rights Documentation Centre, Alternate Report and Commentary to the United Nations Human Rights Committee on India's Third Periodic Report under Article 40 of the International Covenant on Civil and Political Rights, July 1997.

[2833] US State Department 2006, supra.

[2834] South Asia Human Rights Documentation Centre, supra.

[2835] US State Department 2004, supra.

[2836] Information Technology Act 2000, No. 21 of 2000.

[2837] Id.

[2838] Siddharth Varadarajan, "Policing the Net - The Dangers of India's New IT Act," Sarai Reader 2001: The Public Domain.

[2839] Id.

[2840] US State Department 2004, supra.

[2841] See especially comments of the Parliamentary Affairs Minister P R Dasmunsi, Times of India, October 16, 2006.

[2842] The Expert Committee on the Amendments in the IT Act, 2000.

[2843] Available at <>.

[2844] See Cyber Crime Investigation Cell homepage.

[2845] Sardar Vallabhbhai Patel National Police Academy, "Inauguration of Police Training Network."

[2846] Siddaharth Srivastava, "E-mail Users Beware, Big Brother is Watching," Times of India, December 24, 2001; see also "India: Interception of E-Mails, Electronic Data," BNA World Data Protection Report, March 2002.

[2847] Media Note, "United States and India Launch New Phase of Cyber Security Cooperation," US Department of State, November 10, 2004.

[2848] See the Indian Computer Emergency Response Team website.

[2849] National Human Rights Commission, "Prevention of Terrorism Bill, 2000: NHRC's Opinion."

[2850] "India Withdraws Anti-Terror Law," BBC News, September 17, 2004.

[2851] US State Department 2004, supra.

[2852] Prevention of Terrorism Act of 2002, Act No. 15 of 2002.

[2853] Ujjwal Kumar Singh, "Repeal of POTA," Economic and Political Weekly, August 14, 2004.

[2854] "Police Officials against Repeal of MCOCA," The Hindu, June 3, 2004.

[2855] Neil Pate, "Scraping MCOCA Is not the Solution," Times News Network, June 01, 2004.

[2856] Neil Pate, supra.

[2857] Vir Singh, "India Moves to Silence Cell Spam," USA Today, April 13, 2005.

[2858] "India Seeks Curbs on Mobile Spam," BBC News, February 8, 2005.

[2859] M/s MK International, Ludhiana and other v. Union of India & Ors - CWP-5969-2006 [2006] INPHHC 7598 (September 21, 2006).

[2860] Praveen Dalal, “Data Protection Law in India: A constitutional perspective” (2005). See also Dinesh Trivedi, M.P. and Others v. Union of India and Others [(1997) 4 SCC 306].

[2861] Right to Information Act, No. 22 of 2005.

[2862] Right to Information Act, 2005.

[2863] Alok Prakash Putul, “Indians Find Information Too Costly,” BBC News, March 13, 2006.

[2864] <>.

[2865] UN Office of the High Commissioner for Human Rights, Status of Ratifications.

[2866] Government of India, Ministry of Labour and Employment, “India and the ILO.”
