Data Protection and Digital Rights in India: Safeguarding Privacy in the Digital
Data Protection is the process of protecting individual's personal information
which is collected, processed and stored in the electronic form by the
Government and various private enterprises to protect individual's right to
privacy which is also one of the fundamental rights in India. In the context of
the digital domain, the right to privacy is the ability to preserve one's
information privately without granting access to third parties.
In India, the Parliament passed the Data Protection Bill, 2023 which recognises
both the individuals' right to protect their personal data and the need to
process such data for lawful purposes.
Need for Separate Data Protection Laws
India is rapidly growing in the field of technology and people are subject to
use of smartphones, digital devices to carry out daily tasks. As per the law
officer's report given during the recent international lawyers' conference held
on 23rd & 24th September 2023[i], there are around 760 million internet users
joining every 3 seconds.
These users submit their personal data in various
circumstances as in when they download any mobile application then they will
have to give access to their google account in order for such apps to function
and provide personal information like age, qualification, gender, location,
interests, and Aadhar number.
This data is quite often sold for hefty amounts.
People use UPI apps for easy online transaction which mandates them to provide
their bank details and no one is aware about the processing, storing of such
When we fill out any kind of membership form, we provide our personal
information like contact number, mail-id, address, etc. These data are processed
and stored for future reference. We cannot prevent such data collection but
instead ensure that it is protected through certain laws. Clarity and
consistency in data protection laws can foster trust in the digital ecosystem,
encouraging businesses to invest in India and drive economic growth through
innovation and technology adoption.
To ensure that India complies with the international norms including General
Data Protection Regulation (GDPR) in the European Union, data protection
legislation is crucial to facilitate global data transfers, trade, and
Why IT Amendment Act, 2008 is not sufficient for data protection?
The IT Act, 2000 as amended by the IT Amendment Act, 2008 includes provisions
for personal data protection. The Information Technology (Reasonable Security
Practices and Sensitive Personal Data or Information) Rules 2011 (Privacy Rules)
provides reasonable security practices, procedures, and standards to handle
sensitive personal data or information (SPDI).
The Act is not sufficient because:
- ITA-2008 is primarily focused on regulating electronic records and cybersecurity. It lacks data protection principles like lawful and fair processing, purpose limitation, data minimization, and data subject rights.
- The IT Act does not specify about the data protection board of India unlike the data protection act, 2023. The board's function is to conduct inquiry & impose penalty on the complaint received by the data principal regarding data breach. The board shall have same powers as that of a civil court to issue summons, receive evidence & inspect any data or document.
- The IT rules 2011 fails to provide redressal mechanism by not including the provisions for appeal & alternative dispute resolution unlike the 2023 Act.
Data Breach and Right to Privacy
The right to privacy is recognized as a fundamental right under Article 21 of
the Indian Constitution. Data breaches compromise individuals' personal
information, including sensitive data like financial details, medical records,
and communication logs. The right to privacy is violated when this information
is disclosed without consent. The landmark case Justice K.S. Puttaswamy (Retd.)
v. Union of India
,[ii] firmly established the right to privacy as a basic
The petitioner opposed the scheme proposed by the Indian Government for
a biometric-based identity card to access governmental benefits and services was
a violation of a citizen's right to privacy. The Supreme Court held that the
right to privacy as a fundamental right under Article 21 of the Indian
Constitution. The court also observed that privacy includes the protection of
personal data and informational autonomy.
We experience data breaches every day but are oblivious to them. This includes,
when we add any product to cart in any of the online shopping app and
immediately social media apps start showing the same products and recommends us
to purchase them. This could be one of the marketing strategies used by the
e-commerce companies. But it is our personal data which has been transferred
from such online shopping apps to social media platforms.
In other cases, we are asked to provide our contact number in the billing
section of any supermarkets to generate bill. Later, we receive random calls
from any of the insurance companies, real estate agents or fake bank calls and
we fail to question that how did they get our personal information.
The Right to Privacy is also a Human Right as it is the right of every citizen
as a human to have control over their personal information and is essential for
Evolution of Data Protection Bill in IndiaInformation Technology Act, 2008
The IT Act, 2000 as amended by the IT Amendment Act, 2008 inserting Section 43A
which mandates the companies to protect personal data and sensitive information
of people that they possessed, dealt or handled in a computer resource by
implementing reasonable security practices. Such companies are also liable for
penalty in case of non-compliance.
The Information Technology (Reasonable Security Practices and Procedures and
Sensitive Personal Data or Information) Rules 2011, provides guidelines for the
while collecting or transferring such data.
Draft Personal Data Protection Bill, 2018
Sri Krishna Committee had drafted the Personal Data Protection Bill, 2018 which
governs the data processing by the Government and private entities in India and
abroad. The bill also provides rights to the Data Principal (person to whom the
personal data belongs) in seeking access to their data. It also formed National
Level Data Protection Authority.
Personal Data Protection Bill, 2019
The bill was again introduced in 2019 after making amendments to it by
broadening the data principal's rights, prescribing compliance criteria for
personal data and introduced central data protection regulator.
Data Protection Bill, 2021
The bill regulates both personal & non- personal data. It provided key
obligations for data fiduciaries (State, corporate entities and individuals who
collects personal data). The data fiduciary is obliged to notify the data
principal at the time of personal data collection, even if such data is not
being collected directly. Data is collected after obtaining free consent from
the data principal.
Rights of the data principal:
- Right to Confirmation and Access
- Right to Correction and Erasure
- Right to Data Portability
- Right to be Forgotten
Cross Border Data Transfer: The bill permits cross-border transfer and
processing of personal data hence imposing penalties in case of contravention of
The Digital Personal Data Protection Bill 2022
The bill had recommended to set up a Data Protection Board of India to determine
non-compliance with the provisions of the draft Bill. The bill had imposed
penalty for non-compliance mandating data fiduciaries to publish privacy
policies on their websites so that users are informed about the collection,
handling, and processing of their data.
Digital Personal Data Protection Act 2023
India's first ever privacy act to govern digital personal data, was passed on
11TH August 2023.
It provides rights to the data principals including the right
- Receive details about their personal data.
- Amend or update the information if it is inaccurate or incomplete.
- Seek remedies for grievances.
- Nominate a 3rd party to act on their behalf.
Compliance Obligations for Data Fiduciaries
- Comply with the act.
- Notify data principals about the purpose and process of data collection & handling.
- Obtain free consent from data principals.
Penalties for Non-Compliance
- Failure to prevent a personal data breach: Up to ₹250 crore.
- Failure to notify the breach to the Board and data principals: Up to ₹200 crore.
- Non-fulfilment of obligations while processing children's data: Up to ₹200 crore.
- Non-fulfilment of obligations by a significant data fiduciary: Up to ₹150 crore.
- Miscellaneous non-compliance with provisions of the Act: Up to ₹50 crore.
India needs to align its data protection practices with international standards.
A separate law allows India to be in harmony with global data protection laws,
facilitating international data flows and boosting the country's position as a
data-driven economy. The Data Protection Act, 2023 is passed to prevent Data
breach so that India can aspire to create a data protection regime that protects
the rights of its citizens by fostering a conducive environment for economic
growth and technological advancement in the coming years.
Written By: Bindu Gowda,
- Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1, AIR 2017 SC 4161.
5th year law student, Presidency University,