Protection of Personal Data and Privacy: The Indian Perspective

This article is written by our intern Ankita Wani, who is pursuing LLM from A.K.K. New Law Academy, SPPU University.



"Privacy is not an option, and it shouldn't be the price we accept for just getting on the Internet." - Gary Kovacs, former CEO of Mozilla. The digital age has brought immense convenience and connection, but it has also raised critical concerns over personal data protection and privacy. The COVID-19 pandemic further amplified this issue, as individuals and businesses shifted online, relying heavily on digital platforms for work, communication, and daily activities. This dependence highlighted the urgent need for robust legal frameworks to safeguard personal data and prevent its misuse.

In India, the legal landscape concerning data privacy has evolved significantly in recent years. This article explores the key developments, including landmark judgments, legislative enactments, and ongoing challenges, to understand how India is navigating the complex landscape of data protection and privacy in the digital era.





Data protection encompasses the systems and protocols implemented to safeguard any important information from unauthorized access, theft, or loss. A comprehensive data protection strategy involves proactive monitoring of data movements to identify and mitigate potential risks effectively. For instance, encryption protocols can be employed to secure sensitive data during transmission and storage.

On the other hand, data privacy, also referred to as information privacy, emphasizes an individual's right to control their personal data, including its collection, storage, and utilization by organizations. Privacy is considered a fundamental human right, vital for upholding individual autonomy and fostering a free society. An example of data privacy in action is the requirement for explicit user consent before collecting and processing personal information for targeted advertising purposes.

Failure to uphold data protection and privacy principles can have severe repercussions, such as identity theft, invasive marketing practices, and infringements on individual freedoms. Therefore, it is imperative for organizations and policymakers to prioritize data protection measures and enact robust privacy regulations to mitigate these risks.



The European Union's General Data Protection Regulation (GDPR) stands as a global benchmark for data protection standards. Enacted in 2016 and enforced in 2018, the GDPR mandates stringent measures for handling personal data, including prompt reporting of data breaches and significant penalties for non-compliance. Its impact extends beyond the EU borders, influencing data protection laws and practices worldwide.

In addition to the GDPR, other regions and countries have also enacted data protection regulations tailored to their specific contexts. For example, the California Consumer Privacy Act (CCPA) in the United States grants consumers greater control over their personal information held by businesses operating in the state. Similarly, the Personal Data Protection Act (PDPA) in Singapore imposes obligations on organizations to secure and manage personal data responsibly.

These global initiatives reflect a growing recognition of the importance of data protection and privacy in the digital age. As businesses operate in increasingly interconnected and data-driven environments, adherence to international data protection standards becomes imperative to foster trust and accountability among users and stakeholders.





The right to privacy, although not explicitly mentioned in the Indian Constitution, has been recognized as an intrinsic part of Article 21, which guarantees protection of life and personal liberty. This landmark interpretation came about in a series of judgements, beginning from M.P. Sharma vs. Satish Chandra (1954), Kharak Singh vs. State of U.P (1964), Govind vs. State of Madhya Pradesh (1975), PUCL vs. Union of India (1997), and culminating in K.S. Puttaswamy v. Union of India (2017), among others. These judicial pronouncements have affirmed the constitutional basis for the right to privacy and its critical importance in upholding individual freedoms in India.


The Information Technology (IT) Act, 2000, serves as a foundational legislative framework for addressing data protection and privacy concerns in India. Section 43 A of the IT Act specifically addresses compensation for failures to protect data by corporate entities handling sensitive personal data. This provision imposes legal obligations on organizations to implement robust data protection measures and compensates individuals for privacy breaches.


The watershed moment in India's data privacy jurisprudence occurred with the landmark judgment of the Supreme Court in K.S. Puttaswamy v. Union of India in 2017. This judgment elevated privacy to the status of a fundamental right, laying the foundation for comprehensive data protection legislation in India.
In this case, the petitioner challenged the legality of Aadhaar, a unique identification program that assigns a 12-digit random number to Indian residents. Concerns were raised about the program's potential for mass surveillance and the lack of robust data protection safeguards.
While acknowledging the petitioners' arguments, the court issued directions to the government to implement safeguards to ensure its proportionate use. This included measures to strengthen data protection and limit the scope of Aadhaar's usage to prevent misuse and unauthorized access to personal data.
The judgment not only affirmed the constitutional basis for the right to privacy but also emphasized its critical importance in safeguarding individual autonomy and dignity in an increasingly digitized society. By recognizing privacy as a fundamental right, the Supreme Court acknowledged the need for robust legal frameworks to protect personal data from unauthorized access, misuse, and exploitation.


4. Enactment of DPDP Act, 2023

Following the landmark Puttaswamy judgement, the Indian government established the Srikrishna Committee in 2017 to recommend a framework for data protection. The Committee's recommendations formed the basis for the Draft Personal Data Protection Bill, introduced in 2018. After public consultations and revisions, the Parliament of India finally passed the Digital Personal Data Protection Act (DPDP Act) in 2023. This Act is a crucial step towards establishing a comprehensive legal framework for data protection in India.

Rights and Duties of Individuals Prescribed Under The Act

Under its sections 12-14, the DPDP Act grants individuals several key rights regarding their personal data, including:

1. Right to access information (Section 11).

2. Right to correction and erasure of personal data (Section 12).

3. Right to grievance redressal (Section 13).

4. Right to nominate another individual who can exercise rights on one's behalf in the event of death or incapacity (Section 14).

Additionally, under its section 15, the Act also places obligations on organizations handling personal data, such as:

1. No impersonation while providing personal data.

2. No suppression of material information when submitting personal data for unique identifiers, documents, addresses, or identity proof.

3. No registration of false or frivolous complaints.

4. Providing authentic and verifiable information when exercising the right to correction or erasure.

5. Complying with all provisions of existing laws when exercising Data Principal rights.

Obligations of Data Fiduciary, Section 8

The Data Fiduciary, according to Section 8 of the Act, must:

1. Handle personal data only with consent or for legitimate purposes.

2. Ensure accuracy and completeness of data.

3. Implement suitable measures to protect personal data.

4. Respond to data principal's communications promptly.

5. Notify authorities and affected persons in case of data breach.

Transfer of Personal Data outside India:

Section 16 permits extraterritorial processing and transmission of personal data, except to such countries as the Central Government restricts through notification.

Criticisms of the DPDP Act, 2023

1. Limited Oversight of Data Collection by Large Tech Companies: Critics argue that the Act doesn't explicitly address how large technology companies collect and handle personal data of Indian citizens.

2. Exemptions for Government and Aadhaar Linking: The Act ignores this limitation, even though the government has in recent days mandated the linking of Aadhaar cards.

3. Broad Exemptions for Biometric Technologies: The Act allows exemptions for the use of facial recognition and other biometric technologies. Critics argue that these powerful technologies can pose significant privacy risks, and the broad exemptions weaken the Act's ability to safeguard individuals from potential misuse.

4. Lack of Clarity on Sensitive Personal Data Definition: The DPDP Act lacks a clear definition of "sensitive personal data." This vagueness creates challenges for both individuals and organizations in understanding what data falls under stronger protection measures.


Several suggestions can be considered to strengthen the DPDP Act:

1. Implement data privacy laws rigorously with strict penalties for violations.

2. Define sensitive personal data clearly.

3. Review, adopt, and follow globally enacted data privacy regulations in a timely manner.

4. Specific regulations and oversight mechanisms should be established for how large tech companies collect, use, and transfer personal data of Indian citizens.

5. Exceptions for using biometric technologies like facial recognition should be carefully reviewed and narrowed down to minimize potential privacy risks.




The recent enactment of the Bharatiya Nyaya Sanhita (BNS), Bharatiya Nagarik Suraksha Sanhita (BNSS), and Bharatiya Sakshya Adhiniyam (BSA) has introduced significant changes to India's criminal justice system. While these new laws aim to enhance public safety and address emerging criminal threats, they also raise potential concerns regarding privacy protection.

One major area of concern is the advanced use of biometric facilities for keeping data of criminals, along with provisions for the search and seizure of electronic devices. These measures, while intended to strengthen law enforcement capabilities, may pose risks to individual privacy rights. Additionally, there is a growing concern about overreliance on electronic evidence, which may compromise privacy and due process rights if not adequately regulated.

As India transitions to a digital age, it becomes imperative to strike a balance between ensuring public safety and protecting individual privacy rights. While the new criminal laws offer opportunities for more effective crime prevention and investigation, it is essential to implement safeguards to prevent privacy violations and abuse of power by law enforcement agencies.



The landscape of data protection and privacy in India has undergone significant transformations in recent years, driven by landmark judicial decisions and legislative enactments. The recognition of privacy as a fundamental right by the Supreme Court in the Puttaswamy case laid the groundwork for the development of comprehensive data protection legislation, culminating in the enactment of the Digital Personal Data Protection Act in 2023.

This legislative framework grants individuals important rights over their personal data while imposing obligations on organizations to handle data responsibly. However, challenges such as the implementation of these laws, the adequacy of safeguards for sensitive data, and the evolving nature of technology underscore the need for continued vigilance and adaptation in the realm of data privacy.

Looking ahead, it is imperative for India to adopt a holistic approach to data protection, one that combines legal frameworks with technological advancements and societal awareness. By doing so, India can strive towards creating a digital ecosystem that not only fosters innovation and economic growth but also respects and safeguards the privacy rights of its citizens.
