Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


Chapter: 

II. Legal framework

Although not specifically referenced in the Constitution, the right to privacy is considered a 'penumbral right' under the Constitution, i.e. a right that has been declared by the Supreme Court as integral to the fundamental right to life and liberty. In addition, although no single statute confers a crosscutting 'horizontal' right to privacy, various statutes contain provisions that either implicitly or explicitly preserve this right. The following sections provide an overview of both constitutional and statutory safeguards to privacy in India.

Constitutional protections for privacy

Although the Indian Constitution does not contain an explicit reference to a right to privacy, this right has been read into the Constitution by the Supreme Court as a component of two fundamental rights:  the right to freedom under Article 19 and the right to life and personal liberty under Article 21.

Part III of the Constitution of India (Articles 12 through 35) is titled 'Fundamental Rights'; it lists several rights that are regarded as fundamental to all citizens of India (some fundamental rights, notably the right to life and liberty apply all persons in India, whether they are citizens or not). Article 13 forbids the state from making "any law which takes away or abridges" the fundamental rights. 

Article 19(1)(a) stipulates that "All citizens shall have the right to freedom of speech and expression". However, this is qualified by Article 19(2) which states that this will not "affect the operation of any existing law, or prevent the state from making any law, in so far as such law imposes reasonable restrictions on the exercise of the right [...] in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence".

Thus the freedom of expression guaranteed by Article 19(1)(a) is not absolute, but a qualified right that is susceptible, under the constitutional scheme, to being curtailed under specific conditions.

The other important fundamental right from the perspective of privacy jurisprudence is Article 21, which reads: "No person shall be deprived of his life or personal liberty except according to procedure established by law."

Whereas Article 19 contains a detailed list of conditions under which freedom of expression may be curtailed, Article 21 only requires a "procedure established by law" as a pre-condition for the deprivation of life and liberty. However, in the celebrated case Maneka Gandhi vs. Union of India,1 the Supreme Court held that any procedure "which deals with the modalities of regulating, restricting or even rejection of a fundamental right falling within Article 21 has to be fair, not foolish, carefully designed to effectuate, not to subvert, the substantive right itself. Thus, understood, 'procedure' must rule out anything arbitrary, freakish or bizarre."

Shortly after independence, in a case challenging the constitutionality of search and seizure provisions, the Supreme Court dealt a blow to the right to privacy in India, holding that

"When the constitution makers have thought fit not to subject [search and seizures] to constitutional limitations by recognition of a fundamental right to privacy, analogous to the American Fourth Amendment, we have no justification to import it into a totally different fundamental right."2

Notwithstanding this early setback, five decisions by the Supreme Court in the following five decades have established the right to privacy in India as flowing from Articles 19 and 21.

The first was a seven-judge bench decision in Kharak Singh vs. The State of U.P.3, decided in 1964. The question for consideration in this case was whether "surveillance" under Chapter XX of the U.P. Police Regulations constituted an infringement of any of the fundamental rights guaranteed by Part III of the Constitution. Regulation 236(b), which permitted surveillance by "domiciliary visits at night", was held to be in violation of Article 21. The meanings of the expressions "life" and "personal liberty" in Article 21 were considered by this court in Kharak Singh's case. Although the majority found that the Constitution contained no explicit guarantee of a "right to privacy", it read the right to personal liberty expansively to include a right to dignity. It held that "an unauthorised intrusion into a person's home and the disturbance caused to him thereby, is as it were the violation of a common law right of a man -an ultimate essential of ordered liberty, if not of the very concept of civilization".

In a minority judgment in this case, Justice Subba Rao held that

"the right to personal liberty takes in not only a right to be free from restrictions placed on his movements, but also free from encroachments on his private life. It is true our Constitution does not expressly declare a right to privacy as a fundamental right but the said right is an essential ingredient of personal liberty. Every democratic country sanctifies domestic life; it is expected to give him rest, physical happiness, peace of mind and security. In the last resort, a person's house, where he lives with his family, is his 'castle'; it is his rampart against encroachment on his personal liberty".

This case, especially Justice Subba Rao's observations, paved the way for later elaborations on the right to privacy using Article 21.

In 1972, the Supreme Court decided one of its first cases on the constitutionality of wiretapping. In R. M. Malkani vs. State Of Maharashtra,4 the petitioner's voice had been recorded in the course of a telephonic conversation where he was attempting blackmail. He asserted in his defence that his right to privacy under Article 21 had been violated. The Supreme Court declined his plea, holding that

"The telephonic conversation of an innocent citizen will be protected by courts against wrongful or high handed interference by tapping the conversation. The protection is not for the guilty citizen against the efforts of the police to vindicate the law and prevent corruption of public servants."5

The third case in the series, Govind vs. State of Madhya Pradesh6 (1975), decided by a three-judge bench of the Supreme Court, is regarded as being a setback to the right to privacy jurisprudence. Here, the court was evaluating the constitutional validity of Regulations 855 and 856 of the Madhya Pradesh Police Regulations, which provided for police surveillance of habitual offenders including domiciliary visits and picketing of the suspects. The Supreme Court desisted from striking down these invasive provisions holding that

"It cannot be said that surveillance by domiciliary visit would always be an unreasonable restriction upon the right of privacy. It is only persons who are suspected to be habitual criminals and those who are determined to lead a criminal life that are subjected to surveillance."

The court went on to make some observations on the right to privacy under the constitution:

"Too broad a definition of privacy will raise serious questions about the propriety of judicial reliance on a right that is not explicit in the Constitution. The right to privacy will, therefore, necessarily, have to go through a process of case-by-case development. Hence, assuming that the right to personal liberty, the right to move freely throughout India and freedom of speech create an independent fundamental right of privacy as an emanation from them, it could not be absolute. It must be subject to restriction on the basis of compelling public interest. But the law infringing it must satisfy the compelling state interest test. It could not be that under these freedoms the constitution-makers intended to protect or protected mere personal sensitiveness."

This case is important since it marks the beginning of a trend in the higher judiciary to regard the right to privacy as "not being absolute". From Govind onwards, "non-absoluteness" becomes the defining feature and the destiny of this right.

This line of reasoning was continued in Malak Singh vs. State Of Punjab & Haryana7 (1980) where the Supreme Court held that surveillance was lawful and did not violate the right to personal liberty of a citizen as long as there was no "illegal interference" and it was "unobtrusive and within bounds". 

Nearly fifteen years separate this case from the Supreme Court's next major elaboration of the right to privacy in R. Rajagopal vs. State of Tamil Nadu8 (1994). Here the court was involved in balancing citizens' right to privacy against the right of the press to criticize and comment on the acts and conduct of public officials. The case related to the publication by a newspaper of the autobiography of Auto Shankar, who had been convicted and sentenced to death for committing six murders. In the autobiography, he had commented on his contact and relations with various high-ranking police officials - disclosures which would have been extremely sensational. Sometime before the publication, he appears to have been induced to write a letter disclaiming his authorship of the autobiography. On this basis, the Inspector General of Prisons issued a letter forbidding the newspaper from publishing the autobiography, claiming that the publication of the autobiography would violate the prisoner's privacy. Curiously, neither Shankar himself nor his family were made parties to this petition. The Court decided to presume, somewhat oddly, that he had neither written his autobiography nor authorised its publication. The court then proceeded on this assumption to enquire whether he had any privacy interests that would be breached by unauthorised publication of his life story. The right to privacy of citizens was dealt with by the Supreme Court in the following terms: 

"(1) The right to privacy is implicit in the right to life and liberty guaranteed to the citizens of this country by Article 21. It is a 'right to be let alone'. A citizen has a right to safeguard the privacy of his own, his family, marriage, procreation, motherhood, childbearing and education among other matters. None can publish anything concerning the above matters without his consent - whether truthful or otherwise and whether laudatory or critical. If he does so, he would be violating the right to privacy of the person concerned and would be liable in an action for damages. Position may, however, be different, if a person voluntarily thrusts himself into controversy or voluntarily invites or raises a controversy.

(2) The rule aforesaid is subject to the exception that any publication concerning the aforesaid aspects becomes unobjectionable if such publication is based upon public records including court records. This is for the reason that once a matter becomes a matter of public record, the right to privacy no longer subsists and it becomes a legitimate subject for comment by press and media among others. We are, however, of the opinion that in the interests of decency [Article 19(2)] an exception must be carved out to this rule, viz., a female who is the victim of a sexual assault, kidnap, abduction or a like offence should not further be subjected to the indignity of her name and the incident being publicised in press/media."

On this reasoning, the court upheld the newspaper's right to publish Shankar's autobiography, even without his consent or authorisation, to the extent that this story could be pieced together from public records. However, if they went beyond that, the court held "they may be invading his right to privacy and will be liable for the consequences in accordance with law." Importantly, the court held that "the remedy of the affected public officials/public figures, if any, is after the publication."9

The final case that makes up the 'privacy quintet' in India was the case of PUCL vs. Union of India10(1997), a public interest litigation in which the court was called upon to consider whether wiretapping was an unconstitutional infringement of a citizen's right to privacy. The case was filed in light of a report brought out by the Central Bureau of Investigation on the tapping of politicians' phones, which disclosed several irregularities in the tapping of telephones. On the concept of the 'right to privacy' in India, the court made the following observations:

"The right privacy - by itself - has not been identified under the Constitution. As a concept it may be too broad and moralistic to define it judicially. Whether right to privacy can be claimed or has been infringed in a given case would depend on the facts of the said case."

However, the court went on to hold that "the right to hold a telephone conversation in the privacy of one's home or office without interference can certainly be claimed as right to privacy". This was because

"conversations on the telephone are often of an intimate and confidential character [...] Telephone conversation is an important facet of a man's private life. Right to privacy would certainly include telephone conversation in the privacy of one's home or office. Telephone tapping would, thus, infract Article 21 of the Constitution of India unless it is permitted under the procedure established by law."

The court also read this right to privacy as deriving from Article 19. "When a person is talking on telephone, he is exercising his right to freedom of speech and expression," the court observed, and therefore "telephone-tapping unless it comes within the grounds of restrictions under Article 19(2) would infract Article 19(1)(a) of the Constitution."

This case made two important contributions to communications privacy jurisprudence in India. The first was its rejection of the contention that 'prior judicial scrutiny' should be mandated before any wiretapping could take place. Instead, the court accepted the contention that administrative safeguards would be sufficient. Secondly, the court prescribed a list of procedural guidelines, the observance of which would save the wiretapping power from unconstitutionality. In 2007, these safeguards were formally incorporated into the rules framed under the Telegraph Act.11 

Thus, to conclude this section, it may be observed that the right to privacy in India is, at its foundations, a limited right rather than an absolute one. This limited nature of the right provides a somewhat unstable assurance of privacy since it is frequently made to yield to a range of conflicting interests - rights of paternity, national security, etc. - which happen to have a more pronounced standing in law.

In March 2002, the National Commission to review the working of the Constitution submitted its report and recommended amending the Constitution to include a slew of new rights including the right to privacy. The new right to privacy would be numbered Article 21-B and would read:

"21-B(1) Every person has a right to respect for his private and family life, his home and his correspondence.

(2) Nothing in clause (1) shall prevent the State from making any law imposing reasonable restrictions on the exercise of the right conferred by clause (1), in the interests of security of the State, public safety or for the prevention of disorder or crime, or for the protection of health or morals, or for the protection of the rights and freedoms of others."12

There has so far been no move to amend the constitution to give effect to this recommendation.

Statutory protections for privacy

Although such a move is under consideration,13 India does not currently have a sui generis statute that safeguards privacy horizontally across different contexts. However, various statutes, dealing with issues as diverse as banking and finance, professional ethics of lawyers, doctors and chartered accountants, and information technology and telephony, contain provisions that either explicitly or implicitly protect privacy and offer victims remedies for their breach. Details of some of these sector-specific privacy provisions are provided in later sections of this report. In this section we propose to deal mainly with privacy protections under the Information Technology Act, with special focus on Data Protection provisions and certain other miscellaneous laws which protect privacy.

The Information Technology Act 2000

The Information Technology Act 2000 contains a number of provisions which can be used to safeguard against online/computer related privacy. The Act provides for civil and criminal liability with respect to hacking (Sections 43, 66) and imprisonment of up to three years with fine for electronic voyeurism (Section 66E), phishing and identity theft (66C, 66D), and offensive email (66A). Disclosure by the government of information obtained in the course of exercising its interception powers under the IT Act is punishable with imprisonment of up to two years and a fine (Section 72).14 Section 72A of the IT Act penalizes the unauthorized disclosure of 'personal information' by any person who has obtained such information while providing services under a lawful contract. Such disclosure must be made with the intent of causing wrongful loss or obtaining a wrongful gain and is punishable by imprisonment, which may extend to 3 years or a fine of Rs. 500,000 or both.

In addition to these sections, the Act also contains provisions with respect to Data Protection which are described below.

Data protection

Section 43A of the IT Act, newly introduced in 2008, makes a start at introducing a mandatory data protection regime in Indian law. The section obliges corporate bodies who "possess, deal or handle" any "sensitive personal data" to implement and maintain "reasonable security practices", failing which, they would be liable to compensate those affected by any negligence attributable to this failure.

There are three key aspects of this section that bear highlighting:

"It is only the narrowly-defined 'body corporates'15 engaged in "commercial or professional activities" that are the targets of this section. Government agencies and non-profit organisations are entirely excluded from the ambit of this section.16

- 'sensitive personal data or information' is any information that the Central Government may designate as such, when it sees fit to.

- The "reasonable security practices" which the section obliges body corporates to observe are restricted to such measures as may be specified either "in an agreement between the parties" or in any law in force or as prescribed by the Central Government.

In April 2011, the Ministry of Information and Technology notified the Information Technology (Reasonable security practices and procedures and sensitive personal information) Rules 201117 under Section 43A in order to define 'sensitive personal information' and to prescribe 'reasonable security practices' that body corporates must observe in relation to the information they hold. By defining both phrases in terms that require executive elaboration, the section and the rules in effect pre-empt the courts from evolving an iterative, contextual definition of what would count as a reasonable security practice in relation to data. Various elements of these rules are discussed in the next sections.

Sensitive Personal Information: Rule 3 of these Rules designates the following types of information as 'sensitive personal information':

(i)   password

(ii)   financial information such as Bank account or credit card or debit card or other payment instrument details ;

(iii)  physical, physiological and mental health condition;

(iv) sexual orientation;

(v)   medical records and history;

(vi)  medical records and history;

(vii) Biometric information;

(viii)any detail relating to the above clauses as provided to body corporate for providing service; and

(ix)  any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.

Mandatory privacy policies for body corporates: Rule 4 enjoins a body corporate or its representative who "collects, receives, possess, stores, deals or handles" data to provide a privacy policy "for handling of or dealing in user information including sensitive personal information". This policy is to be made available for view by such "providers of information".18 The policy must provide details of:

(i)    Type of personal or sensitive information collected under sub-rule (ii) of rule 3;

(ii)   Purpose, means and modes of usage of such information;

(iii)  Disclosure of information as provided in rule 6.19

Prior Consent and Use Limitation during Data Collection: Body corporates are forbidden by the rules from collecting sensitive personal information, unless: (a) the information is collected for a lawful purpose connected with a function or activity of the agency; and (b) the collection of the information is necessary for that purpose.20

They and "any person" holding sensitive personal information are forbidden from "keeping that information for longer than is required for the purposes for which the information may lawfully be used".21

This however does not apply to "any information that is freely available or accessible in the public domain or accessible under the Right to Information Act, 2005 or any other law for the time being in force."

In addition to the restrictions on collecting sensitive personal information, body corporate must obtain prior consent from the "provider of information". The body corporate is required to "take such steps as are, in the circumstances, reasonable"22 to ensure that the individual from whom data is collected is aware of:

- the fact that the information is being collected;

- the purpose for which the information is being collected;

- the intended recipients of the information;

- the name and address of the agency that is collecting the information; and

- the agency that will hold the information. 

During data collection, body corporates are required to give individuals the choice to opt-in or opt-out from data collection.23 They must also permit individuals to review and modify the information they provide 'wherever necessary'.24 Information collected is to be kept securely,25 used only for the stated purpose26 and any grievances must be addressed by the body corporate "in a time bound manner".27

Unlike 'sensitive personal information' there is no obligation to retain other personal information only for as long as is it is required for the purpose collected.

Limitations on Disclosure of Information: The Rules require a body corporate to obtain prior permission from the provider of such information obtained either "under lawful contract or otherwise" before information is disclosed.28 The body corporate or any person on its behalf shall not publish the sensitive personal information.29 Any third party receiving this information is prohibited from disclosing it further.30

However, this rule is subject to the exception that information is to be provided without prior consent to "government agencies" for the purposes of "verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences". In such cases, the government agency is required to send a written request to the body corporate possessing the sensitive information, stating clearly the purpose of seeking such information. The government agency is also required to "state that the information thus obtained will not be published or shared with any other person".31

Sub-rule (2) of Rule 6 requires "any information" to be "disclosed to any third party by an order under the law for the time being in force." This is to be done "without prejudice" to the obligations of the body corporate to obtain prior permission from the providers of information.32

Independent of these rules pertaining to "disclosure", body-corporates may "transfer" sensitive data or personal information without consent "to any other body corporate or a person in India, or located in any other country that ensures the same level of data protection that is adhered to by the body corporate as provided for under these Rules". The transfer may be allowed only where it is determined to be "necessary for the performance of the lawful contract between the body corporate or any person on its behalf and provider of information or where such person has consented to data transfer" (Rule 7).     

Reasonable Security Practices: Rule 8 of the Rules stipulates that a body corporate shall be deemed to have complied with reasonable security practices if it has implemented security practices and standards which require:

a)    a comprehensive, documented information security programme;

b)    information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected.

In case of an information security breach, such body corporate will be "required to demonstrate, as and when called upon to do so by the agency mandated under the law, that they have implemented security control measures as per their documented information security programme and information security policies".

The Rule stipulates that by adopting the International Standard IS/ISO/IEC 27001 on Information Technology, Security Techniques, Information Security Management System Requirements, a body corporate will be deemed to have complied with reasonable security practices and procedures.

The Rule also permits "Industry associations or industry clusters" who are following standards other than IS/ISO/IEC 27001 but which nevertheless correspond to the requirements of Sub-Rule 7(1), to obtain approval for these codes from the government. Once this approval has been sought and obtained, the observance of these standards by a body corporate would deem them to have complied with the reasonable security practice requirements of Section 43A.

Penalties and Remedies: Non-observance of the data protection Rules and general negligence with respect to personal data attracts civil liability.

As mentioned above, under Section 43A, any body corporates who fail to observe data protection norms may be liable to pay compensation if:

a)      it is negligent in implementing and maintaining reasonable security practices, and thereby

b)      causes wrongful loss or wrongful gain to any person33;

In addition, Section 45 of the Act provides for compensation or penalty of up to Rs. 25,000 to any person affected by the non-compliance with rules framed under this section (including the data protection Rules).

Claims for compensation are to be made to the adjudicating officer appointed under Section 46 of the IT Act.34

In addition, body corporates may also be exposed to criminal liability under Section 72A as described above, if they disclose information with the intent of causing wrongful loss or obtaining a wrongful gain.

Enforcement of privacy laws and complaints under the Act

India does not have a national regulatory body to specially oversee the enforcement of privacy protections. However several sector-specific tribunals and adjudicatory authorities are empowered to determine issues of privacy that arise within their jurisdiction.

Thus, for instance, the State Information Commission and the Central Information Commission established under the Right to Information Act, 2005 adjudicate issues relating to privacy that arise in the course of requests for information under that act. More than 700 decisions of the Central Information Commission between 2005 and 2011 directly reference the word 'privacy' - indicating that this is a frequent venue for the determination of a range of privacy issues in India.35 The District, State and National Consumer Dispute Redressal Commissions can act as fora for the redressal of consumer privacy complaints.36

The Human Rights Act 1993 grants victims or their representatives the right to approach the Human Rights Commission for relief for the violation, or the negligence in the prevention of violation of a human right by a public servant (Section 12 of the HRA). Human rights have been defined in the act to mean "the rights relating to life, liberty, equality and dignity of the individual guaranteed by the Constitution or embodied in [the International Covenant on Civil and Political Rights and the International Covenant on Economic, Social and Cultural Rights]." Since, as mentioned above, the right to privacy is considered a fundamental right attached to the right to life and is also explicitly affirmed in Article 17 of the ICCPR, this is definitely a subject on which the Human Rights Commission could provide a forum for redress.

Since the Information Technology Act contains the clearest provisions relating to data protection and privacy in India, it would be instructive to examine briefly the enforcement mechanism under that Act. As noted above, violation of privacy and data protection under the Information Technology Act entails both civil and criminal remedies. We provide a brief overview of the adjudicatory apparatus for both.

Civil Complaints under the IT Act: Section 46 of the Information Technology Act empowers the Central Government to appoint "Adjudication Officers" to adjudicate whether any person has committed any of the contraventions described in Chapter IX of the Act (including contravention of the data protection Rules described above) and to determine the quantum of compensation payable. Accordingly, the Central Government has designated the Secretaries of the Department of Information Technology of each of the States or Union Territories as the "Adjudicating Officer" with respect to each of their territories.37

However, a pecuniary limit has been placed on the powers of Adjudicating Officers, and they may only adjudicate cases where the quantum of compensation claimed does not exceed Rs. 5 crores (fifty million rupees). In cases where the compensation claimed exceeds this amount, jurisdiction would vest in the "competent court", under the Code of Civil Procedure. (Section 46A, IT Act) The AO is empowered with all the powers of a civil court - including the powers of summoning and enforcing attendance of witnesses, requiring the discovery and production of records, compounding complaints etc (Section 46, IT Act).

Although the powers of the AO under the Act are very extensive, they have been used very sparingly in the 11 years since the passage of the IT Act. No compilation of the orders of AOs of various states exists either online or offline and they are only sparingly reported in newspapers.38 Among the cases that do get reported, however, there are encouraging signs of the Act being used to provide compensation to those who suffer due to data breaches by companies.

In April 2010, the Adjudicating Officer of the State of Tamil Nadu passed an order for compensation against a leading bank for its failure to install a foolproof internet banking system.39 An amount of Rs. 4,60,000 had been illegally transferred out of the complainant's account and subsequently withdrawn by unknown persons. The AO observed that as a there was "unauthorized access to the petitioner's account [...], loss of data and account information of the petitioner, damage to electronic information of the petitioner which resulted in financial loss, denial of access to his account". Further, the AO held that "The respondent bank has failed to put in place a foolproof internet banking system with adequate levels of authentication and validation which would have prevented unauthorized access [...] that has led to serious financial loss to the petitioner". Pursuant to this determination, the respondent bank was ordered to pay an amount of Rs. 1,285,000 " which included the amount lost, interest, litigation expenses and travel expenses of the complainant.

In May 2011, the same bank was ordered by the same Adjudicating Officer to pay an amount of Rs. 237,850 for a similar incident where the complainant's money was illegally transferred out of his account.40

The IT Act provides for the constitution of a Cyber Appellate Tribunal to hear appeals from cases decided by the adjudicating officer.

Within twenty-five days of the copy of the decision being made available by the Adjudicating Officer, the aggrieved party may file an appeal before the Cyber Appellate Tribunal.

Section 57 provides that the appeal filed before the Cyber Appellate Tribunal shall be dealt with as expeditiously as possible and it shall endeavour to dispose of the appeal finally within six months from the date of receipt of the appeal. According to the tribunal's website, the CAT currently has 12 cases listed as "pending" before it.41 It has disposed 8 cases, 7 of which were disposed on the same day42 The case was remanded back to an Adjudicating Officer for determination of facts. Some of these cases complain of privacy violations or seek reliefs which have implications on privacy. For instance, in Mascon Global Limited vs. CCA, Google etc, disposed by the CAT on May 28, 2010, the appellant had sought details about an email account from Google which was purportedly being used to send defamatory emails. The CAT remanded the case to the Adjudicating Officer, which, according to the tribunal, was the appropriate forum to decide the case.43

In another case, widely reported in the press, a man filed a complaint of hacking against his estranged wife alleging that she had, with the aid of her professional colleagues, hacked into his and his father's email account in order to obtain evidence in support of a dowry harassment case that she had filed against them.44 The Adjudicating Officer in the first instance had dismissed the complaint, believing her assertion that the man and his father had themselves given her the password - a contention which was not denied by the complainant.45 On appeal, however, the man contended that he had not, in fact, given his wife the password. The CAT ordered the case to be re-heard by the AO.46 Although the complaint alleged "hacking" by the woman, the case in fact refers to a privacy grievance of the complainant.

Section 62 gives the right of appeal to a high court to any person aggrieved by any decision or order of the Cyber Appellate Tribunal on any question of fact or law arising out of such order.

Criminal Complaints for privacy offences under the IT Act: No special procedure is prescribed for the trial of cyber offences and hence the general provisions of criminal procedure would apply with respect to investigation by the police, charge sheet, trial, decision, sentencing and appeal.

Section 78 of the IT Act empowers police officers of the rank of Inspectors and above to investigate offences under the IT Act. Many states have set up dedicated cybercrime police stations to investigate offences under this Act47. Thus, for example, the State of Karnataka has set up a special cybercrime police station that is responsible for investigating all offences under the IT Act with respect to the entire territory of Karnataka.48

Offences punishable with imprisonment of up to 3 years are compoundable by a competent court. However, repeat offenders cannot have their subsequent offences compounded. Additionally, offences which 'affect the socio-economic conditions of the country' or those committed against a child under 18 years of age or against women cannot be compounded.49

According to the latest (2009) statistics from the National Crime Records Bureau (NCRB), there has been a steady rise in the number of complaints lodged and arrests made (both privacy and non-privacy related) with respect to offences under the IT Act.50  In 2009, for instance, 420 complaints were registered as against a figure of 288 for the previous year, marking an increase of 41%. In the same period, the number of arrests made went up from 178 to 288, marking an increase of 41%.51

Of these, the NCBR categorizes 10 complaints in 2009 as pertaining to "breach of confidentiality/privacy" as against 9 complaints in the previous year. 5 arrests were made in 2009 with respect to these offences. However, this figure does not exhaust the number of privacy complaints in the country. In many cases, violations of privacy may instead arise from "hacking with a computer system", which, according to NCBR statistics, accounted for the largest number of complaints (233) and arrests (107) made under the IT Act in 2009.

Right to Information Act 2005 (RTI Act)

India has had the good fortune of being home to a number of very resilient civil society movements which have over the years tenaciously fought for and achieved transparency. It was owing to the efforts of one of these movement spearheaded by the Mazdoor Kisan Shakti Sanghatan (MKSS), and joined by various organizations across the nation, that India finally passed the Right to Information Act in 2005, which has ushered in an unprecedented era of openness in government affairs.

The RTI Act 2005 confers on citizens the right to inspect and take copies of any information held by or under the control of any 'public authority'.52 Information is defined widely and includes "any material in any form, including records, documents, memos, e-mails, opinions, advices, press releases, circulars, orders, logbooks, contracts, reports, papers, samples, models, data material held in any electronic form and information relating to any private body which can be accessed by a public authority under any other law for the time being in force". The Act requires every "public authority" to designate an officer in each of its administrative units as "Public Information Officer" (PIO), who is charged with the task of receiving and responding to requests under this act. 

The drafters of the act anticipated conflicts on grounds of privacy. The preamble to the act notes that "revelation of information in actual practice is likely to conflict with other public interests including [...] preservation of confidentiality of sensitive information". Accordingly, provisions have been made in the act to harmonize these competing claims to the extent that this is possible.

Section 8 (j) of the act exempts from disclosure any "personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual" unless the relevant authority "is satisfied that the larger public interest justifies the disclosure of such information". Further, Section 11 of the act requires the PIO to give notice and invite objections from a third party, if information which "relates to or has been supplied by a third party and has been treated as confidential by that third party" is sought to be disclosed. Objections received from such parties would be considered whilst making a decision to disclose. Even where objections have been received, disclosure may be allowed if public interest outweighs in importance any possible harm or injury to the interests of such third party. However, trade or commercial secrets protected by law may not be disclosed, regardless of any public interest.

Persons who have been denied information on the above grounds have the option to appeal this decision before the next higher ranking officer to the PIO, and thereafter to tribunals specially constituted under the act - the State Information Commission and the Central Information Commission. At each stage, if information has been denied on grounds that it relates to third parties, the authority in question must give a reasonable hearing to the third party.

As is evident from the foregoing account, the Act has put in place a robust buffer against unwarranted intrusion. Personal information, the disclosure of which would cause an "unwarranted" intrusion into privacy, and information which "relates to a third party" may not be disclosed unless an overwhelming countervailing public interest is demonstrated.

More than providing mere statutory comforts, these provisions have proven, in practice, to be rugged shelters against unwarranted attempts to intrude on privacy. In the six years since the enactment of the RTI Act, over seven hundred decisions by the Central Information Commission alone directly reference the term 'privacy'.

Illustratively, in the following instances, the CIC has denied requests for information on grounds of unwarranted intrusion of privacy where the following were requested: call records of third parties53, copies of "annual confidential reports" of other employees54, bank statements of a partner of a firm55, copy of a CBI charge sheet against an officer of an organization56, details of all passengers who were on a particular flight57, income tax returns of a third party58, specimen signature of a third person59, medical records of the appellant's wife60, and number of employees of an organization who had committed suicide61.

In a famous case, an applicant sought information from the Census Department on the religion and faith of Sonia Gandhi - the President of the largest party currently in power in India. Both the Central Information Commission - the apex body adjudicating RTI appeals, as well as the Punjab and Haryana High Court, upheld the denial of information as it would otherwise lead to an unwarranted incursion into her privacy. 62

In several cases, the CIC has astutely balanced the competing interests of transparency and privacy and has ordered disclosure where public interest was manifestly at issue. The CIC has ordered disclosure of a list of public servants being prosecuted for offences by the Central Vigilance Commission63. It has ordered disclosure of details of the number of beneficiaries from a particular village under a loan scheme and amount disbursed by a public sector bank, whilst ordering the names of the beneficiaries to be withheld64. Students have been able to obtain copies of their mark sheets in public exams.65  

As welcome as these rulings are, there are, however, a number of disconcerting cases where the determination has raised questions of privacy. In an interesting case, Mr. Ansari Masud A.K vs. Ministry Of External Affairs (2008)66, the Central Information Commission held that "details of a passport are readily made available by any individual in a number of instances, for example to travel agents, at airline counters, and whenever proof of residence for telephone connections etc. is required. For this reason, disclosure of details of a passport cannot be considered as causing unwarranted invasion of the privacy of an individual and, therefore, is not exempted from disclosure under Section 8(1)(j) of the RTI Act."67 This is despite the fact that nothing in the Passport Act itself authorizes disclosure of any documents under any circumstances. In another case, the CIC ordered disclosure of the names, nationalities and results of all foreign students admitted to the Delhi University, overruling the objection of the PIO of the university.68

The CIC has dithered in formulating a uniform theory on what counts as 'personal information', disclosure of which would amount to an "unwarranted intrusion into privacy". It has, in different contexts, forbidden the revelation of individuals' names as intrusive69, while permitting disclosure in others cases70. Details of criminal prosecution of co-employees have on different occasions been either disclosed71 or withheld72. In cases where it has achieved a consistence in rulings, the determination is frequently adverse to privacy. For instance, there is by now a strong line of CIC decisions permitting the disclosure of passport details of third parties73, and qualifications (including copies of certificates) of co-workers.74

Since 2009, the CIC - or more accurately Shailesh Gandhi, one of the Information Commissioners of the CIC " has attempted to formulate a coherent theory on what constitutes 'personal information' under the RTI Act. In one of his more recent decisions, Mr.V R Sharma vs. Ministry Of Labour And Employment75, he reiterated his position76 that in order to qualify as 'personal information', certain criteria would have to be met:

1.    It must be personal information: Words in a law should normally be given the meaning given in common language. In common language, we would ascribe the adjective 'personal' to an attribute which applies to an individual and not to an institution or a corporate. Therefore, it flows that 'personal' cannot be related to institutions, organisations or corporates. Hence Section 8(1)(j) of the RTI Act cannot be applied when the information concerns institutions, organisations or corporates.

2.    The phrase 'disclosure of which has no relationship to any public activity or interest' means that the information must have been given in the course of a public activity. Various public authorities in performing their functions routinely ask for 'personal' information from citizens, and this is clearly a public activity. Public activities would typically include situations wherein a person applies for a job, or gives information about himself to a public authority as an employee, or asks for a permission, license or authorisation, or provides information in discharge of a statutory obligation.

3.    The disclosure of the information would lead to unwarranted invasion of the privacy of the individual. The State has no right to invade the privacy of an individual. There are some extraordinary situations where the State may be allowed to invade the privacy of a citizen. In those circumstances special provisions of the law apply usually with certain safeguards. Therefore, where the State routinely obtains information from citizens, this information is in relationship to a public activity and will not be an intrusion on privacy.

In the instant case, the CIC applied this formula to permit the disclosure of Annual Confidential Reports of certain employees of the Ministry Of Labour And Employment. In the course of its decision, the CIC also made some worrying observations about the balance between privacy and transparency. "The concept of 'privacy,'" it observed, "is a cultural notion related to social norms, and different societies would look at these differently. Therefore, referring to the Data Protection Act 1988 of the UK or the laws of other countries to define 'privacy' cannot be considered a valid exercise to constrain the citizen's fundamental right to information in India. Parliament has not codified the right to privacy so far, hence, in balancing the right to information of citizens and the individual's right to privacy, the citizen's right to information would be given greater weightage." As a statement of policy this last assertion has worrying implications, since it could potentially undo the delicate balance between transparency and privacy that Parliament sought to put in place through the RTI Act. Equally, the CIC's bald assertion that all information "routinely collected by the state" would not be intrusive is menacing especially in this era of the "ethnographic state" which believes in maintaining minute details about each of its citizens. Although the other four Information Commissioners have not adopted this formula yet, it is possible that by dint of repetition, it may sediment itself to become an axiom of CIC jurisprudence.

While there are statutory mechanisms protecting the privacy of citizens under the Right to Information Act, unfortunately this does not provide them a complete shield against transparency " this is particularly evident in the case where the state embarks on transparency initiatives of its own invention. Several states for instance have websites with lists of citizens in various contexts such as employment guarantee and public distribution systems.77 In one particularly egregious instance, the State Government of Karnataka, overcome in its enthusiasm to weed out duplicate ration cards and promote transparency, announced a plan to "post on its website all details of [15 million] ration cardholders in the state." These details posted on the website would include the "ration card number, category of card (BPL/APL), names and photographs of the head and other members of a family, address, sources of income, LPG gas connection and number of cylinders in village/taluk/district wise." One is even uncertain whether this following remark by an official, quoted in the newspaper account, was meant purely in jest: "This would also work as a marriage bureau. "For instance, a boy can see a photograph of a girl on the website and see whether she suits him," an official said".78

While the RTI Act provides an important safeguard against the violation of privacy, with official avenues for redress for the citizen, ad hoc "transparency" initiatives of this kind leave the citizen with absolutely no recourse. There are, sadly, no statutory safeguards against the oppressive transparency of the state. It is unimpeachable (except possibly through writ petitions) decisions of this kind, rather than the threats under the RTI Act, which pose a real "transparency" threat to privacy in India.

Code of Civil Procedure 1908 (CPC)

Section 30 of the CPC empowers courts to make orders relating to discovery and issue summonses to persons (witnesses or parties) to produce documents.

Order XI of the CPC sets down procedures relating to "discovery" and provides for a party to compel the opposite party to list documents held in their possession "relating to any matter in question in such suit", to afford facilities to inspect them and to produce them in court. The court may also order copies of documents held in one party's possession to be delivered to the other party. If a plaintiff fails to comply with an order for the discovery of documents, then his suit may be liable to be dismissed for want of prosecution. Similarly, if a defendant fails to comply, he would be liable "to have his defence, if any, struck out, and to be placed in the same position as if he had not defended". In this context, the Supreme Court has held that "the power to order production of documents is coupled with discretion to examine the expediency, justness and the relevancy of the documents to the matter in question."79 In another case, the Gujarat High Court held that "The provision is not available to an applicant to make a fishing or roving inquiry."80

Order XVI of the CPC lays down the rules to be observed in summoning witnesses to give evidence or produce documents. A witness may be summoned to produce documents on an application by a party or on the court's own motion. If a person to whom such a summons has been issued fails, without lawful excuse, to produce the document summoned and the court 'sees reason to believe that such evidence or production is material - it may issue a warrant, either with or without bail, for the arrest of such person, and may make an order for the attachment of his property to such amount as it thinks fit.         

Section 162 of the Evidence Act provides that "a witness summoned to produce a document shall, if it is in his possession or power, bring it to the Court, notwithstanding any objection which there may be to its production or to its admissibility. The validity of any such objection shall be decided on by the court." In State Of Punjab vs. Sodhi Sukhdev Singh, the Supreme Court held that

"The provisions of Order XI of the Code of Civil Procedure must be read subject to Section 162 of the Indian Evidence Act and where a privilege is claimed at the stage of inspection, the court is precluded from inspecting the privileged document in view of Section 162 of the Act."81

Criminal Procedure Code 1973 (CrPC)

Section 91 of the CrPC empowers courts or police officers to requisition, by written order, the production of documents that are "necessary or desirable" for the purpose of "any investigation, inquiry, trial".

This section, however, limits the application of this power by exempting any "letter, postcard, telegram, or other document or any parcel or thing in the custody of the postal or telegraph authority." Such documents can only be obtained under judicial scrutiny by following a more rigorous procedure laid down in Section 92. Under this latter section, it is only a "District Magistrate, Chief Judicial Magistrate, Court of Session or High Court" who can order the production of documents "in the custody of a postal or telegraph authority" if she determines that it is "wanted for the purpose of any investigation, inquiry, trial".  However, subordinate courts and officers, such as "any other Magistrate, whether Executive or Judicial, or of any Commissioner of Police or District Superintendent of Police" can require the postal or telegraph authority to search for and detain such documents in their custody, pending the order of a higher court. [Section 92(2) CrPC].  

If a court "has reason to believe"82 that a person to whom a summons to produce documents has been or would be issued, would not produce the document, it may issue a search warrant against such a person. However, only a District Magistrate or Chief Judicial Magistrate may issue a warrant with respect to anything in the custody of the postal or telegraph authority.83 [Section 93 CrPC].

Section 175 of the Indian Penal Code makes it an offence for a person to "intentionally omit to produce a document which he is legally bound to produce". In case the document was to be delivered to a public servant or police officer, such omission is punishable with simple imprisonment of up to one month, or with fine up to five hundred rupees or both. If the document was to be delivered to a Court of Justice, omission could invite simple imprisonment up to six months with or without a fine of one thousand rupees.

Indian Evidence Act 1872

The Indian Evidence Act exempts certain witnesses from disclosing documents to courts. These 'privileges' apply irrespective of whether the proceedings are civil or criminal in nature.

Section 122 of the Evidence Act provides that married couples shall not be compelled or permitted to disclose any communications made between them during marriage without the consent of the person who made the communication. This, however, does not apply in suits "between married persons, or proceedings in which one married person is prosecuted for any crime committed against the other."

Similarly, Section 126 forbids "barristers, attorneys, pleaders or vakils" from disclosing, without their client's express consent, the contents of a) any communication made to them b) any document with which they have become acquainted or c) any advice tendered by them to the client if such information was received by them "in the course and for the purpose of" their employment.

Section 127 extends the scope attorney-client privilege to include any interpreters, clerks and servants of the attorney or barrister. They are also not permitted to disclose the contents of any communication between the attorney and her client.

Section 129 enacts a reciprocal protection and provides that clients shall not be compelled to disclose to the Court any "confidential communication which has taken place between him and his legal professional adviser."

As with the matrimonial privilege, the attorney-client privilege also comes with exceptions. Thus the following kinds of communications are exempted from the privilege:

- any communication made in furtherance of any illegal purpose;

- any fact observed by any barrister, pleader, attorney or vakil [representative], in the course of his employment as such showing that any crime or fraud has been committed since the commencement of his employment.

Section 131 of the Evidence Act further cements the legal protection afforded to married couples, attorneys and their clients by providing that "No one shall be compelled to produce documents in his possession, which any other person would be entitled to refuse to produce if they were in his possession" unless that person consents to the production of such documents.

Section 123 of the Evidence Act declares that "No one shall be permitted to give any evidence derived from unpublished official records relating to any affairs of State, except with the permission of the officer at the head of the department concerned, who shall give or withhold such permission as he thinks fit." Despite many rulings on the subject, it is still unclear how wide or narrow the ambit of 'affairs of state' is. Does it include everything that the state does so that all records maintained by the state pertain to affairs of the state, or does it only pertain to those confidential matters, disclosure of which would be detrimental to public interest, national defence or good diplomatic relations? Specifically, for instance, if the government maintains routine records about individuals in the course of governance, would these count as "official records relating to affairs of state"? In a few pre-independence cases, it was held that records of income tax returns submitted to income tax officials were not 'affairs of state' and hence no privilege could be claimed with respect to them.84

Although subsequent amendments to the Income Tax Act conferred confidentiality on these records, in an era when the government has begun to maintain minute records of every aspect of citizens' lives, it still begs the question on what kind of documents may be declared privileged.

Section 124 similarly shields public officers from being compelled to disclose communications made to them in official confidence, when the public interest would suffer by the disclosure.

Section 130 exempts witnesses who are not a party to a suit from being compelled to produce their "title-deeds to any property, or any document in virtue of which he holds any property as pledgee or mortgagee, or any document the production of which might tend to criminate him, unless he has agreed in writing to produce them with the person seeking the production of such deeds or some person through whom he claims".           

As noted previously, in all the aforementioned situations, Section 162 of the Evidence Act provides that the witness must bring the document to court and then state his objections to the court.

The provisions of the Evidence Act should be read in light of Article 20(3) of the Indian Constitution, which enacts a rule against self-incrimination and provides that "No person accused of any offence shall be compelled to be a witness against himself". This operates as an additional threshold limit on the power of criminal courts to order the production of documents. In a very early case, the Supreme Court held that "compelled production of incriminating documents by an accused person [...] is testimonial compulsion within the meaning of Article 20(3) of the Constitution."85 Accordingly the court held that it was impermissible to issue summons for the production of documents under Sections 91 and 92 of the CrPC. However, the court went on to hold that "a search and seizure of a document under the provisions of [Section 93] of the Code of Criminal Procedure is not a compelled production thereof within the meaning of Article 20(3) and hence does not offend the said Article." In other words, although a criminal court cannot summon an accused to produce an incriminating document, the court may order instead, his house to be searched in order to retrieve the same document.

In State Of Maharashtra vs. The Nagpur Electric Light Company86, the Supreme Court held that summons could not be issued to the store keeper and assistant accountant of a company to produce documents that would incriminate the company, since even incorporated entities were "persons" who were entitled to the protection of Article 20(3).

Footnotes

  • 1. (1978) 2 SCR 621
  • 2. M. P. Sharma v Satish Chandra, AIR 1954 SC 300 (1954), http://indiankanoon.org/doc/1306519/ (last visited Oct 9, 2011). The court regarded the element of judicial supervision inherent in search orders issued under the CrPC as being sufficient safeguard against constitutional violations. "When such judicial function is interposed between the individual and the officer's authority for search, no circumvention thereby of the fundamental right is to be assumed. We are not unaware that in the present set up of the Magistracy in this country, it is not infrequently that the exercise of this judicial function is liable to serious error, as is alleged in the present case. But the existence of scope for such occasional error is no ground to assume circumvention of the constitutional guarantee."
  • 3. (1964) 1 SCR 332
  • 4. AIR 1973 SC 157, 1973 SCR (2) 417
  • 5. Ibid
  • 6. (1975) 2 SCC 148
  • 7. AIR 1981 SC 760
  • 8. (1994) 6 S.C.C. 632
  • 9. Ibid
  • 10. AIR 1997 SC 568
  • 11. Rule 419A of the Telegraph Rules stipulates the authorities from whom permission must be obtained for tapping, the manner in which such permission is to be granted and the safeguards to be observed while tapping communication. The Rule stipulates that any order permitting tapping of communication would lapse (unless renewed) in two months. In no case would tapping be permissible beyond 180 days. The Rule further requires all records of tapping to be destroyed after a period of two months from the lapse of the period of interception.
  • 12. Chapter 3: Fundamental Rights, Directive Principles And Fundamental Duties, in Report of the National Commission to Review the Working of the Constitution (M.N. Venkatachaliah ed., 2002), http://lawmin.nic.in/ncrwc/finalreport/v1ch3.htm (last visited Oct 3, 2011).
  • 13. Two different ministries of the Central Government are reportedly at work on drafts of a proposed privacy bill. In October 2010, the Department of Personnel and Training (DoPT), under the Ministry of Human Resources circulated an 'Approach paper' that outlined elements of a privacy legislation for the country. Independent of this exercise, in May-June 2011, the Law Ministry announced that it was at work drafting a privacy bill "to provide for such a right [of privacy] to citizens of India AND to regulate collection, maintenance, use and dissemination of their personal information" Abantika Ghosh, Right to privacy may become fundamental right, Times Of India, June 4, 2011,http://articles.timesofindia.indiatimes.com/2011-06-04/india/29620422_1_... (last visited Oct 3, 2011).
  • 14. For a more elaborate treatment of the IT Act's protections of privacy, and the manner in which they have been used, See Prashant Iyengar, Privacy and the Information Technology Act in India, SSRN eLibrary (2011), http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1807575 (last visited Oct 3, 2011).
  • 15. Section 43A defines "'body corporate" as any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;
  • 16. This does not necessarily mean that these entities are exempt from taking reasonable care to safeguard information that they collect, maintain or control - only that remedies against the government must be sought under general tort law, rather than under the IT Act.
  • 17. Available at http://www.mit.gov.in/sites/upload_files/dit/files/GSR3_10511%281%29.pdf , last accessed September 15th, 2011
  • 18. 'Provider of data' is not the same as individuals to whom the data pertains, and could possibly include intermediaries who have custody over the data. We feel this privacy policy should be made available for view generally - and not only to providers of information. In addition, it might be advisable to mandate registration of privacy policies with designated data controllers.
  • 19. This is well framed since it does not permit body corporates to frame privacy policies that detract from Rule 6.
  • 20. Rule 5 of the Rules
  • 21. This is perhaps a bit vague, since the potential 'lawful uses' are numerous and could be inexhaustible. It is unclear whether "lawful usage" is coterminous with "the uses which are disclosed to the individual at the time of collection". In addition, this rule is framed rather weakly since it does not impose a positive obligation (although this is implied) to destroy information that is no longer required or in use.
  • 22. Sub-Rule 5(3). One wonders about the convoluted language used here when a simpler phrase like "take reasonable steps" alone might have sufficed - reasonableness has generally been interpreted by courts contextually. As the Supreme Court has remarked, "'Reasonable' means prima facie in law reasonable in regard to those circumstances of which the actor, called upon to act reasonably, knows or ought to know. See Gujarat Water Supply and Sewage Board v. Unique Erectors (Guj) AIR 1989 SC 973
  • 23. Sub-Rule 5(7)
  • 24. Sub-Rule 5(6). It is unclear what would count as a 'necessary' circumstance and who would be the authority to determine such necessity.
  • 25. Sub-Rule 5(8)
  • 26. Sub-Rule 5(5)
  • 27. Sub-Rule 5(9)
  • 28. Sub-Rule 6(1) There are two problems with this rule. First, it requires prior permission only from the provider of information, and not the individual to whom the data pertains. In effect this whittles down the agency of the individual in being able to control the manner in which information pertaining to her is used. Second, it is not clear whether this information includes 'sensitive personal information'. The proviso to this rule includes the phrase 'sensitive information', which would suggest that such information would be included. This makes it even more important that the rule require that prior permission be obtained from the individual to whom the data pertains and not merely from the provider of information.
  • 29. Sub-Rule 6(3)
  • 30. Sub-Rule 6(4)
  • 31. This is a curious insertion since it begs the question as to the utility of such a statement issued by the requesting agency. What are the sanctions under the IT Act that may be attached to a government agencies that betrays this statement? Why not instead, insert a peremptory prohibition on government agencies from disclosing such information (with the exception, perhaps, of securing conviction of offenders)?
  • 32. This sub-rule does not distinguish between orders issued by a court and those issued by an administrative/quasi-judicial body.
  • 33. "Wrongful loss" and "wrongful gain" have been defined by Section 23 of the Indian Penal Code. Accordingly, "Wrongful gain" is gain by unlawful means of property which the person gaining is not legally entitled. "Wrongful loss"- "Wrongful loss" is the loss by unlawful means of property to which the person losing it is legally entitled. The section also includes this interesting explanation: 'Gaining wrongfully, losing wrongfully' - A person is said to gain wrongfully when such person retains wrongfully, as well as when such person acquires wrongfully. A person is said to lose wrongfully when such person is wrongfully kept out of any property as well as when such person is wrongfully deprived of property". Following this, it could be possible to argue that the retention of data beyond the period of its use would amount to a "wrongful gain".
  • 34. For a more detailed discussion of redressal mechanism under the IT Act, including the powers of the Adjudicating Officer, see infra under 'supervisory Authority for Privacy Law'.
  • 35. See infra, 'Right to Information laws' for a discussion about this volume of cases.
  • 36. See 20.4 infra
  • 37. See G.S.R.240(E) New Delhi, the 25th March, 2003 available at < http://www.mit.gov.in/content/it-act-notification-no-240>
  • 38. Thus in a document dated December 2010, the IT Department of New Delhi (NCR) claimed that it had disposed of 5 cases.  It is not clear whether this is the total number of cases ever decided or whether this only pertains to 2010. Govt. of NCT of Delhi: IT DEPARTMENT ACHIEVEMENTS (Legal Section), (2010), http://goo.gl/GEq26 (last visited Oct 3, 2011).
  • 39. Umashankar v. ICICI Bank, Tuticorin, (2010), http://www.naavi.org/cl_editorial_10/umashankar_judgement.pdf (last visited Sep 26, 2011
  • 40. Thomas Raju v. ICICI Bank, Anna Nagar, (2011), http://www.naavi.org/cl_editorial_11/civil_jurisdiction_3_16052011.pdf (last visited Sep 26, 2011).
  • 41. Current Cases, Cyber Appellate Tribunal, India (2011), http://catindia.gov.in/CurrentCases.aspx (last visited Oct 3, 2011).
  • 42. Judgments, Cyber Appellate Tribunal, India (2011), http://catindia.gov.in/Judgement.aspx (last visited Oct 3, 2011).
  • 43. Mascon Global Limited v. CCA, Google etc,, (2010), http://www.mit.gov.in/sites/upload_files/dit/files/Appeal-7.pdf (last visited Oct 3, 2011).
  • 44. Mubarak Ansari, Estranged wife hacks man's email, Sakal Times, August 25, 2011, http://www.sakaaltimes.com/sakaaltimesbeta/20110825/4640115296625293785.htm (last visited Oct 3, 2011).
  • 45. Ibid
  • 46. Vinod Kaushik v. Madhvika Joshi, (2011), http://catindia.gov.in/pdfFiles/Appeal_No_2.pdf (last visited Oct 3, 2011).
  • 47. An incomplete list of cyber crime cells of police in different states can be viewed at .
  • 48. Home and Transport Secretariat, Notification no. HD 173 POP 99 Bangalore, Dated 13th September 2001 Available at < http://cyberpolicebangalore.nic.in/pdf/notification_1.pdf>
  • 49. Section 77A of the Information Technology Act.
  • 50. Crime in India - 2009, (2010), http://ncrb.nic.in/CII-2009-NEW/Compendium2009.pdf (last visited Oct 3, 2011).
  • 51. Chapter 18: Cyber Crime, in Crime in India - 2009 175-180 (2010), http://ncrb.nic.in/CII-2009-NEW/Compendium2009.pdf (last visited Oct 3, 2011).
  • 52. 'Public authority' is defined widely to include most bodies established and constituted by the state and even bodies which are "owned, controlled or substantially financed" by the state. [Sec 2(h)]
  • 53. Mr.S.Rajamohan v Bsnl, Chennai, (2009), http://indiankanoon.org/doc/1864526/ (last visited Oct 12, 2011).
  • 54.
  • 55. Ms. Kanchan Vora v Union Bank Of India, (2008), http://indiankanoon.org/doc/456808/ (last visited Oct 12, 2011).
  • 56. Shri P. Thavasiraj v Dept. Of Atomic Energy, (2008), http://indiankanoon.org/doc/1718696/ (last visited Oct 12, 2011).
  • 57. K.P. Subhashchandran v National Aviation Company, (2008), http://indiankanoon.org/doc/1067875/ (last visited Oct 12, 2011).
  • 58. Mrs.Shobha R. Arora v. Income Tax (2006), Mumbai, Ms. Neeru Bajaj Vs. Income Tax (2007), Bimal Kanti Datta v Income Tax Department, (2008), http://indiankanoon.org/doc/292462/ (last visited Oct 12, 2011).
  • 59. M.Nagaraju v Department Of Post (2008), http://indiankanoon.org/doc/215697/ (last visited Oct 12, 2011).
  • 60. Dheeraj Gehani v Ministry Of Defence (2009), http://indiankanoon.org/doc/163722/, (last visited Oct 12, 2011).
  • 61. Shri.Chetan Kothari vs Bhabha Atomic Research Centre (2011), http://indiankanoon.org/doc/425930/ (last visited Oct 12, 2011).
  • 62. High Court dismisses appeal seeking information on Sonia Gandhi's religion, NDTV, November 29, 2010, http://www.ndtv.com/article/india/high-court-dismisses-appeal-seeking-in... (last visited Apr 12, 2011)
  • 63. Shruti Singh Chauhan v Directorate Of Vigilance, (2008), http://indiankanoon.org/doc/1128532/, /(last visited Oct 12, 2011). Holding that "Information about alleged wrongdoing of Public servants,- verified by a process of investigation,- cannot be termed as private information which must be hidden from the Sovereign Masters of this democracy- the Citizens."
  • 64. Madasamy v State Bank Of India(2008), http://indiankanoon.org/doc/1430405/, (last visited Oct 12, 2011).
  • 65. Mr. D. Radha Krishna v. Union Public Service Commission (2008), http://indiankanoon.org/doc/1822201 (last visited Oct 12, 2011).
  • 66. .Ansari Masud A.K v Ministry Of External Affairs (2008) http://indiankanoon.org/doc/1479476/, (last visited Oct 12, 2011). In a previous case, the CIC ordered disclosure of passport details of a doctor against whom there had been allegations of medical malpractice. Sanjiv Kumar Jain v Regional Passport Office, (2006), http://indiankanoon.org/doc/1888134/  (last visited Oct 12, 2011).; Mr.Pritpal Singh Sawhney v. Ministry Of External Affairs (2011), http://indiankanoon.org/doc/1773560, (last visited Oct 12, 2011).
  • 67. Id
  • 68. Amit Chamaria v University Of Delhi (2008) http://indiankanoon.org/doc/98221/ (last visited Oct 12, 2011).
  • 69. See Madasamy v State Bank Of India, supra; Mr. Satish Kumar v.Union Public Service Commission (2011) http://indiankanoon.org/doc/882947 (last visited Oct 12, 2011). (Ordering disclosure of marks lists of successful candidates without revealing their names)
  • 70. Ms. Usha Rao v University Of Hyderabad (2008), http://indiankanoon.org/doc/836580/(last visited Oct 12, 2011). (Ordering the names of members of a selection panel constituted to appoint a Hindi lecturer to be revealed). See also Amit Chamania's case supra. Prof. Harish Chandra v Banaras Hindu University, (2008), http://indiankanoon.org/doc/1302334, (last visited Oct 12, 2011) (ordering the revelation of names of recipients of a deceased colleague's pension)
  • 71. See Shruti Singh Chauhan's case supra.
  • 72. See Thavasiraj's case supra, See also, Mr. K. C. Panday v. Municipal Corporation Of Delhi, (2008), http://indiankanoon.org/doc/959771 (last visited Oct 12, 2011). (Disclosure of whether Vigilance clearance has been obtained with regard to all emloyees)
  • 73. See Supra n. 79 and accompanying text
  • 74. M. Rajamannar v IGNOU (2009)  http://indiankanoon.org/doc/1312655, (last visited Oct 12, 2011) (Ordering the delivery of copies of third persons' educational certificates)
  • 75. Mr.V R Sharma vs Ministry Of Labour And Employment (2011), http://indiankanoon.org/doc/1640569/ (last visited Oct 12, 2011).
  • 76. As of this writing, the same paragraphs have been quoted identically in some 78 decisions of the CIC by Shailesh Gandhi. beginning in Mr. Mahesh Kumar Sharma v Govt. Of Nct Of Delhi
  • 77. Ayaskant Das, Ration card details now online to prevent fake registration, Times of India, September 24, 2011, http://timesofindia.indiatimes.com/city/noida/Ration-card-details-now-on... (last visited Oct 23, 2011).
  • 78. Nagesh Prabhu, A way to check bogus ration cards, The Hindu, September 18, 2010, http://www.thehindu.com/todays-paper/tp-national/tp-karnataka/article696... (last visited Oct 23, 2011).
  • 79. Sasanagouda v Dr. S.B. Amarkhed And Others, AIR 1992 SC 1163 (1992), http://indiankanoon.org/doc/1169196/ (last visited Oct 9, 2011).
  • 80. Mr. Pushkar Navnitlal Shah v Mrs. Rakhi Pushkar Shah, AIR 2007 Guj 5 (2006), http://indiankanoon.org/doc/412225/ (last visited Oct 9, 2011).
  • 81. The State Of Punjab v Sodhi Sukhdev Singh, AIR 1961 SC 493 (1960), http://www.indiankanoon.org/doc/1910029/ (last visited Oct 9, 2011).
  • 82. There have been a number of decisions by various High Courts and the Supreme Court on the meaning of the expression 'reason to believe'. In most of these cases, the court has held that the expression requires more than the mere 'subjective satisfaction' of the judge or officer issuing the search order. Thus, for instance, in Melicio Fernandes v. Mohan (AIR 1966 Goa 23), the Bombay High Court at Goa held that the expression "contemplates an objective determination based on intelligent care and deliberation involving judicial review, as distinguished from purely subjective consideration"
  • 83. If a court inferior to these courts issues such a search-warrant, the entire proceedings would be void under Section 461 of the CrPC.
  • 84. Venkatachella v. Sampatu Chettiar (1909) ILR 32, Jadabaram v. Bulloram (1899) ILR 26 Cal 281
  • 85. M. P. Sharma v Satish Chandra, AIR 1954 SC 300 (1954), http://indiankanoon.org/doc/1306519/ (last visited Oct 9, 2011).
  • 86. 1961 CriLJ 200