Skip to main content
SearchLoginLogin or Signup

Database Protection

This is a collection of codified Indian legislation that pertains to database protection.

Published onApr 01, 2020
Database Protection


Although the Copyright Act does not directly protect databases, judicial pronouncements have recognized copyright protection for databases in the cases discussed below. This protection is granted to databases by including it within the definition of ‘literary works’ under sec 2(o) of the act, after the amendment of 1999.

The Copyright Act provides for both civil and criminal remedies for infringement. Section 55 provides for civil remedies and declares that the owner would be entitled to it by way of injunction. damages, accounts or otherwise as maybe directed by law. Similarly, Section 63-70 provides a range of criminal penalties for infringing copyrights which are typically punishable with terms of imprisonment that may extend upto three years along with a fine. Section 52 of the act enables the person against whom such complaint is made to show that one or more of the circumstances outlined in that provision exists and that therefore there is no infringement.

The proposed new Section 65A criminalises the circumvention of an effective technological protection measures applied for the purpose of protecting any of the rights conferred by this act.

The Indian Penal Code, 18602

The IPC gives an inclusive definition of the term 'movable property'. The definition is wide enough and can be expanded to include data or information, therefore attributing protection to databases as well. There is no such indication given within the purview of IPC which would exclude databases from coming under the same. Therefore, offences such as misappropriation of property, theft or criminal breach of trust that apply for protection of property, can be invoked for the protection of databases and can be awarded with either punishment or fine, depending upon the facts and circumstances

The Information Technology Act, 20003

Any misappropriation of the computer network, system, resources, database is termed as cyber contraventions and the person indulging in the same is heavily penalized under the Act. Section 43A provides protection against body corporates, while Section 72A provides for punishment for disclosure of information in breach of lawful contract. However, it is implicit that these provisions are not dealing with database protection directly.There are provisions which are even though not directly related to database protection, are important to be noted in this regard. They are listed below:

  • Newly inserted Section 67B of the IT Act 2008 attempts to safeguard the privacy of children below 18 years by creating a new enhanced penalty for criminals who target children. This seeks to carve out a limited domain of privacy for children from the would be sexual predators. Along with that, the Draft Intermediary Due Diligence Guidelines, 2011 also require the intermediaries to notify the users not to store, update, transmit, and store any information that is ‘pedophilic’ or is ‘harming minors in any way’. The intermediary is required to inform the police about such information and preserve the records for 90 days.

  • Section 66E has been inserted in the IT Act which penalises the capturing,publishing, and transmission of images of the ‘private area’ of any person without their consent ‘under circumstances violating the privacy’ of that person. The offence is punishable with imprisonment of upto three years or with a fine of upto Rupees two lakh or both.

  • Section 66C makes it an offence to ‘fraudulently or dishonestly’ make use of the electronic signature, password, or other unique identification feature of any person.

  • Section 66D makes it an offence to ‘cheat by impersonation’ by means of any ‘communication device’ or ‘computer resource’. Both these offences under Section 66C and 66D are punishable with imprisonment of upto three years or with a fine of upto one lakh.

  • Section 69 is the new section dealing with the power to issue directions for interception or monitoring or decryption of any information through any computer resource. In October 2009, the central government notified the rules under section 69 which lay down the procedures and safeguards for interception, monitoring and decryption of information which further thickened the regime. Under the rules, the secretary in the Ministry of Home Affairs has been designated as the ‘competent authority’ with respect to the central government, to issue directions pertaining to interception, monitoring, decryption. Section 69 stipulates a penalty of imprisonment upto a term of seven years and fine for any subscriber or intermediary or any person who fails to assist the agency.

  • The government has also newly inserted section 69B to monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource. Rules have been issued as well under this section which are although similar to section 69, hold important differences. Under both section 69 and 69B within seven days of its issue, a copy of direction issued must be forwarded to the review committee constituted to oversee wiretapping under the Indian Telegraph Act.

  • Section 67C mandates intermediaries to maintain and preserve certain information under their control for durations which are to be specified by law. Any intermediary who fails to retain such electronic records may be punished with imprisonment upto three years and a fine.

  • The Ministry of Information and Technology, published draft rules under section 43A which has already been discussed, to define ‘sensitive personal information’ and to prescribe reasonable security practices that body corporates must observe in relation to the information they hold. Rule 3 of these rules designate the type of information that is classified as sensitive personal information. Rule 4 of the draft enjoins a body corporate or its representative who collects, receives, possess, stores, deals or handles data to provide policy for handling of or dealing in user information including sensitive personal information. Rule 6(2) requires any information to be disclosed to any third party by an order under the law for the time being in force. Rule 7 of the draft rules stipulates that a body corporate shall be deemed to have complied with reasonable security practices.

  • Section 72 of the IT Act imposes penalty on ‘any person’ who, having secured access to any electronic record, correspondence, information, document or other material using powers conferred by the act or rules, discloses such information without the consent of the person concerned, is punishable with imprisonment for a term which may extend to two years or with fine which may extend to one lakh rupees, or with both.

  • Section 46 of the IT Act empowers the Central Government to appoint adjudication officers to adjudicate whether any person has committed any of the contraventions describes under Chapter IX of the act and to determine the quantum of compensation payable.

  • Section 61 bars ordinary civil suits from jurisdiction over matters which the adjudicating officers have been empowered to decide under this act.

  • Section 47 provides that in adjuding the quantum of compensation, the adjudicating officer shall have due regard to various factors.

  • Section 57 provides that the appeal filed before the cyber appellate tribunal shall be dealt with by it to dispose of the appeal finally within six months from the date of receipt of appeal. Section 62 gives the right of appeal to a high court to any person aggrieved by any decision or order of the cyber appellate tribunal on any question of fact or law arising out of such order.

  • Section 78 of the IT Act empowers the police officers of the rank of inspectors and above to investigate into offences under the IT Act.

The Indian Contract Act, 18724

Databases can be protected through contractual clauses, in order to specify the rights pertaining to license, transfer, use, etc. If any party commits a breach, the other party becomes entitled to receive the compensation for any loss or damage that is caused due to the same. In some of the cases, the court may also direct ‘specific performance’. License does not pass the ownership of the database to the user. Companies may adopt sui generis protection of their database by providing for copyright protection or by using PETs (Privacy enhancing technologies).

The Consumer Protection Act, 19865

According to the act a consumer is a broad label for any person who buys any goods or services for consideration with the intent of using them for a non commercial purpose. Consumer privacy is concerned with the manner in which information is disclosed by a consumer to a vendor is collected and used. Specific issues would include - behavioral advertising, spyware, identity management, security breach. The OECD guidelines drafted in 1980 provide a useful set of fair information practices within which privacy of consumers must be evaluated. There are various professional bodies having their privacy guidelines which their members must abide by.

  • Advocates - Rules of professional conduct have been framed under the Advocates Act and establishes a code of conduct to be followed by lawyers in order to protect the confidence, information, and data of a client. The Evidence Act, 1872 further buttresses the confidentiality of clients by making information passed between lawyer and client.

  • Medical Practitioners - The Medical Council of India notified the Indian Medical Council (Professional conduct, etiquette and ethics) Regulations which contain ethical injunctions backed by disciplinary action in cases of breach. Every physician is required to maintain medical records pertaining to indoor patients for a period of 3 years from the date of commencement of the treatment.

No comments here
Why not start the discussion?