Understanding Data Privacy Laws in India: Is Obtaining Confidential Data an Offence?

Shivendra Pratap Singh


High Court Lucknow


Reading Time:

In an age where data is referred to as the “new oil,” the protection of confidential data and information is crucial. As a growing economy with a significant technological presence, India has recognized the importance of data protection. For those unfamiliar with the Indian legal context, understanding whether obtaining confidential data is an offence is vital, especially in the digital era.

The Indian Information Technology Act, 2000

Section 43A: Compensation for Failure to Protect Data

Introduced as an amendment in 2008, Section 43A of the IT Act holds any corporate body responsible if they are negligent in implementing and maintaining reasonable security practices, leading to wrongful loss or wrongful gain to any person. Here, “reasonable security practices” often pertain to the protection of sensitive personal data or information.

Section 66: Computer-related Offences

This section specifically penalizes anyone who fraudulently or dishonestly does any act referred to in sections 43 (which details computer-related offences like unauthorized access or data theft). If found guilty, the individual could face imprisonment, a fine, or both.

Section 72A: Punishment for Disclosure of Information in Breach of Lawful Contract

This provision was specifically introduced to tackle the unauthorized disclosure of personal information. If someone discloses personal information obtained under a lawful contract without the informant’s consent or in breach of the lawful contract, they can face imprisonment for up to three years, or a fine which may extend to INR 500,000, or both.

Personal Data Protection Bill, 2019

Introduced in December 2019, the Personal Data Protection Bill aims to establish a comprehensive framework for the protection of personal data in India. Although it is not yet law, it provides significant insights into the direction India is heading regarding data protection.

The Rights of the Data Principal

The bill gives several rights to the data principal (the person whose data is being collected). These include the right to access and correction, the right to data portability, and the right to be forgotten. Any infringement of these rights could lead to penalties.

Restrictions on Data Transfer

The bill lays down certain restrictions on the transfer of personal data outside India. Critical personal data, as defined by the government, can only be processed in India. However, some exceptions might apply based on the government’s discretion.

Implications for Entities Handling Confidential Data

Need for Robust Security Measures

Given the stringent regulations and hefty penalties for unauthorized access or disclosure of confidential data, entities handling such information must invest in robust data protection mechanisms.

Continuous Compliance and Monitoring

Entities should not just implement but continuously monitor and update their data protection measures in line with global best practices and local regulations.

Training and Awareness

It’s crucial to keep all stakeholders, including employees and third-party vendors, informed about the importance of data protection and the legal implications of mishandling data.


In India, the unauthorized access, sharing, or use of confidential data is indeed considered an offence, governed mainly by provisions in the Information Technology Act, 2000, and other emerging legal frameworks like the Personal Data Protection Bill, 2019. Given the heavy penalties and the growing importance of data privacy globally, entities should be proactive in ensuring compliance, securing data, and promoting awareness.