Privacy Laws in India
The 2009 amendment to the Information Technology Act introduced basic privacy and data protection provisions. The privacy law in India now requires businesses and websites to apply due care while collecting and dealing with sensitive personal data or information. A civil provision is now available, prescribing damages for an entity that is negligent in using “reasonable security practices and procedures” while handling “sensitive personal data or information”, resulting in wrongful loss or wrongful gain to any person. Further, criminal punishment is also provided for persons who:
- Disclose sensitive personal information without the consent of the person or in breach of the relevant contract, with the intention of causing, or knowing that the disclosure would cause, wrongful loss or gain.
Dealing with Sensitive Information
While collecting or dealing with personal information, all businesses, websites and ecommerce businesses must follow reasonable security practices and procedures. Sensitive personal information relates to information that identifies an individual. Sensitive personal information includes:
- Financial information such as bank account or credit card or debit card information
- Physical, physiological and mental health condition information
- Sexual orientation
- Medical records and history
- Biometric information
Sensitive personal data only deals with information of individuals and not information of entities.
Sensitive personal information can be collected by a business only if it obtains the prior consent of the provider of the information. The business must also provide an option for the user to not provide sensitive information. In such a case, the business has the right to cease providing goods and services for which the information is sought.