A nine-judge bench of the Supreme Court headed by Chief Justice JS Khehar
ruled on August 24, 2017 that the Right to Privacy is a fundamental right for
Indian citizens under the Constitution of India (mostly under Article 21 and
additionally under Part III rights). Thus no legislation passed by the
government can unduly violate it.
A right to privacy is explicitly stated under Article 12 of the 1948 Universal
Declaration of Human Rights:
"No one shall be subjected to arbitrary interference with his privacy, family,
home or correspondence, nor to attacks upon his honor and reputation. Everyone
has the right to the protection of the law against such interference or attacks."
While the Centre had argued that right to privacy is not a fundamental right,
the petitioners had contended that when a citizen gives his biometrics and
personal details to the government and when in turn it is used by commercial
organisations, it is a breach of privacy.
The trigger is the government's Aadhaar scheme, which collects personal details
and biometrics to identify beneficiaries for government welfare schemes. A bunch
of petitions was filed in the Supreme Court in 2015 terming Aadhaar a breach of
privacy. The petitioners argued that Aadhaar enrolment was the means to a
totalitarian state and an open invitation for personal data leakage.
The apprehension expressed by the Supreme Court about the collection and use of
data is the risk of personal information falling into the hands of private
players and service providers. The apprehension is best expressed in the words
of Justice Chandrachud on the nine-judge Bench:
"I don't want the state to pass on my personal information to some 2,000
service providers who will send me WhatsApp messages offering cosmetics and air
conditioners... That is our area of concern."
Personal details turn into vital commercial information for private service
providers. Both the government and service providers collect personal data. This
adds to the danger of data leakage.
Privacy is a protection from possible abuses of personal information or
searches by the state, while data protection is the tool the law uses to make
sure that an individual is protected from abuse of his personal information by
another individual.
Article 21 protects the right to privacy and promotes the dignity of the
individual.
Telephone tapping is an invasion of the right to privacy and of freedom of
speech and expression. Also, the Government cannot impose prior restraint on
publication of defamatory materials against its officials; if it does so, it
would be violative of Article 21 and Article 19(1)(a) of the Constitution.
Privacy and data protection require that information about individuals should
not be automatically made available to other individuals and organizations. Each
person must be able to exercise a substantial degree of control over that data
and its use. Data protection is a legal safeguard to prevent misuse of
information about an individual person on a medium including computers. It is
the adoption of administrative, technical, or physical deterrents to safeguard
personal data.
Privacy is closely connected to data protection. An individual's data, like his
name, address, telephone numbers, profession, family, choices, etc., are often
available at various places like schools, colleges, banks, directories, surveys
and on various websites. Passing of such information to interested parties can
lead to intrusion in privacy, like incessant marketing calls. The main
principles on privacy and data protection enumerated under the Information
Technology Act, 2000 are defining data, civil and criminal liability in case of
breach of data protection, and violation of confidentiality and privacy.
Data protection is one of the most important parts of the right to privacy, as
a data protection law will protect your personal information, which is
collected, processed and stored by automated means or intended to be part of a
filing system.
Unlike the European Union, India does not have any separate law which is
designed exclusively for data protection. However, the courts on several
occasions have interpreted data protection within the ambit of the Right to
Privacy as implicit in Articles 19 and 21 of the Constitution of India.
The strongest legal protection provided to personal information in India is
through section 43A of the Information Technology Act and the Information
Technology (Reasonable security practices and procedures and sensitive personal
data or information) Rules, 2011 developed under the section.
The provision requires a body corporate who 'receives, possesses, stores, deals,
or handles any sensitive personal data' to implement and maintain 'reasonable
security practices', failing which they are held liable to compensate those
affected. The Rules under section 43A contain the following major requirements:
Body corporate must provide a privacy policy to all providers of information
(Rule 4);
They must obtain consent in letter, fax, or email from the provider of
information before collecting, using or disclosing any sensitive personal
information (Rule 5(1));
Sensitive personal information may only be collected for lawful and necessary
purposes (Rule 5(2)(a));
While collecting the information, they must ensure that the individual is
informed of:
- the fact that the information is being collected;
- the purpose for which the information is being collected;
- the intended recipients of the information;
- the name and the address of the agency collecting information, and the agency
that will retain the information (Rule 5(3));
Information should only be used for stated and agreed to purposes (Rule 5(5));
Individuals should be provided with the option to opt in or out of services
prior to the collection of sensitive personal information and should have the
ability to withdraw consent at any point in time (Rule 5(7));
Individuals should be allowed to review, update, and correct any sensitive
personal information that they have provided wherever necessary (Rule 5(6));
Body corporate are allowed to retain sensitive personal information only as
long as is lawfully necessary (Rule 5(4));
Before a body corporate is allowed to disclose or publish sensitive personal
information to a third party, consent must be obtained from the individual to
whom the information belongs.
The only circumstances under which a body corporate may disclose information are:
- If it is required to do so by a contract with the provider of the
information or through the law; or
- If it is to be disclosed to a governmental agency mandated under law
(Rule 6(1)); and
Body corporate must implement security practices and standards which require:
- A comprehensively documented information security programme;
- Information security policies that contain managerial, technical,
operational and physical security control measures that are commensurate
with the information assets being protected (Rule 8).
The IT Act does not provide any definition of personal data. Data protection
consists of a technical framework of security measures designed to
guarantee that data are handled in such a manner as to ensure that they are safe
from unforeseen, unintended, unwanted or malevolent use.
Civil liability and data protection
The Information Technology Act, 2000 provides for civil liability in case of
computer database theft, computer trespass, unauthorised digital copying,
downloading and extraction of data, privacy violation, etc.
Criminal liability and data protection
The Information Technology Act, 2000 provides for criminal liability in case of
computer database theft, privacy violation, etc.
Violation of confidentiality and privacy
The terms violation of confidentiality and privacy are described under the IT
Act.
Section 66-E very eloquently explains violation of privacy as whoever,
intentionally or knowingly captures, publishes or transmits the image of a
private area of any person without his or her consent, under circumstances
violating the privacy of that person.
Section 72 provides for penalty for breach of confidentiality and privacy as
meaning any person who, securing access to any electronic record, book,
register, correspondence, information, document or other material without the
consent of the person concerned, discloses such electronic record, book,
register, correspondence, information, document or other material to any other
person.
Conclusion
Privacy is a basic human right, and computer systems contain large amounts of
data that may be sensitive.
Chapters IX and XI of the Information Technology Act define liabilities for
violation of data confidentiality and privacy related to unauthorised access to
computer, computer system, computer network or resources, unauthorised
alteration, deletion, addition, modification, destruction, duplication or
transmission of data, computer database, etc. The data protected may include
financial details, health information, business proposals, intellectual property
and sensitive data.
However, today we can access any information related to anyone from anywhere at
any time, and this poses a new threat to private and confidential information.
Globalisation has given acceptance to technology in the whole world. As per
growing requirements, different countries have introduced different legal
frameworks from time to time, like the Data Protection Act (DPA), 1998 in the UK
and the Electronic Communications Privacy Act (ECPA) of 1986 in the USA. In the
USA some special privacy laws exist for protecting student education records,
children's online privacy, individuals' medical records and private financial
information. In both countries self-regulatory efforts are helping to define
improved privacy surroundings.
The right to privacy is recognised in the Indian Constitution, but its growth
and development is entirely left at the mercy of the judiciary. In today's
connected world it is very difficult, without using extremely repressive
methods, to prevent information from escaping into the public domain if someone
is determined to put it out. Data protection and privacy have been dealt with in
the Information Technology Act, 2000, but not in an exhaustive manner.
The IT Act needs to set specific standards relating to the methods and purpose
of assimilation of the right to privacy and personal data. We may conclude by
saying that the IT Act is facing the problem of protection of data, and a
separate legislation is much needed for data protection, striking an effective
balance between personal liberties and privacy.