Data protection: Why a comprehensive law is needed

India doesn’t have a comprehensive and specific legislation on data protection, but certain guidelines on data protection can be inferred from the Information Technology Act, 2000, and rules issued thereunder, namely the Information Technology (Reasonable Security Practice and Procedures and Sensitive Personal Data or Information) Rules, 2011. The IT Act under Section 43A provides that where a body corporate possesses/deals with sensitive personal data or information in a computer resource that it owns, controls or operates and is negligent in maintaining reasonable security procedures, such body corporate will be liable to pay damages by way of compensation to such person(s) so affected. Section 75 mandates that provisions of this Act shall apply to an offence/contravention committed outside India by any person if the conduct constituting an offence involves a computer/computer network located in India. Notably, Section 72A of the Act provides for a fine and/or imprisonment when there is disclosure of personal information in breach of a contract or without consent of the person the information is obtained from.