- To find out the history and emergence of data privacy laws.
- To compare and analyze the data privacy laws in India and other
- To research the need and effectiveness of such data privacy laws.
The research methodology used for this project includes descriptive, analytical,
and qualitative research. The researchers have referred to various sources and
have taken the help of both primary as well as secondary sources such as Supreme
Court cases, government reports, journals, newspaper articles, and internet
websites. No empirical data through fieldwork has been used for this project.
Some of the researchers' views, conclusions, and suggestions may be brought out.
They are not necessarily correct and of authoritative value.
The research work and submission of this project are primarily driven by the
following set of questions:
- How did the current data privacy laws come into being?
- Why do we need data privacy laws?
- Are data privacy laws effective?
Nowadays, virtually everyone's data is saved and exchanged via the internet.
This has made individuals' data easily accessible to a large number of other
people, organizations, and hackers, making them vulnerable to cyber-attacks.
Hence, it becomes very important for people to have control over their personal
data with regards to how it is collected, how much it is collected, and how it
is used by different corporations and third parties.
With the oversaturation of
freely available data on the internet and specific personal information
in the hands of corporations and governments, data privacy laws have become one
of the most important requirements of the 21st century. Data privacy regulations
help to protect the way an individual's data is used to some extent by
establishing checks on the collecting and processing of data by
Currently, a total of 137 countries have legislation on data protection and
privacy, which makes it a total of 71% of countries have current laws on data
protection and privacy, 9% of countries with draft legislation, 15% of countries
with no laws on data protection and the rest 5% of the countries whose data
regarding such laws is not available. These legislations include laws related to
electronic transactions, data privacy and protection, cybercrimes, and consumer
Privacy: Different Perspectives
Privacy as a concept means having control over one's personal information. Many
different thinkers have different notions as to what 'privacy' means and that
can have an impact on the laws formed regarding the same.
According to the scholar, Alan Furman Westin, privacy refers to the "…claim of
individuals, groups or institutions to determine for themselves when, how and to
what extent information about them is communicated to others."
According to Morison, privacy is an 'interest' rather than a 'right' and such
interest should be protected while also balancing other interests of oneself,
the society, and other entities.
As per Roger Clarke, "Privacy is the interest that individuals have in
sustaining 'personal space', free from interference by other people and
organizations." He talks about four types of privacy, namely the privacy of the
person, personal behavior, personal communication, and personal data. According
to him, privacy should be understood in a broader sense and the different kinds
of privacy should be dealt with by different kinds of laws.
Bhairav Acharays who is a lawyer and policy analyst talks about an analysis of
privacy in India and recognised four types of privacy claims, namely press
freedom, state surveillance, decisional autonomy, and privacy of personal
Through a thorough analysis of various definitions of privacy, it can be
established that privacy is about the personal information and data of an
individual or an organization and how the individual chooses to present or hide
it. Besides this, many scholars believe that there can be some exceptions to
data privacy in case there is some bigger cause to answer like public security.
History Of Data Privacy
In 2012, a report based on a discussion between a Group of Experts on Privacy
was published called the Justice AP Shah Committee Report which presented the
nine principles which should be included in the legislation made for data
privacy in India.
The nine principles are as follows:
This principle mainly talks about how in case there is a breach of
data, the affected party should be notified about the same along with the
privacy commissioner. That is whenever an organization needs to ask for consent
from an individual to gain access to their data, it should state in a very clear
and concise manner what information is being collected, why is it being
collected, and how it will be used by the organization, whether it will be
disclosed to a third party, what are the safeguards used by them, how would one
be able to change it along with the contact details of privacy
officers. This way there can be transparency in the way data is being collected.
- Consent and Choice:
This principle states that along with notifying the
users about the data collection process, data controllers should have to gain
the approval of the individual. There are some exceptions to this principle
including the case of authorized agencies and situations like medical
- Limitation of Collection:
According to this principle, data controllers
shall only collect personal information when it is required and for
the objectives specified in the data protection principle. The idea tries to
ensure that data is gathered legally and fairly and that it is used in
compliance with the law and practice.
- Limitation of Purpose:
This principle states that personal data should
only be collected, processed, disclosed, made available, and used for the
purposes specified in the notice and agreed to by the individual. Data should
not be kept for any longer than is necessary to achieve the specified goals, and
it should be discarded once those goals have been met.
- Access and Correction of Collected Data:
This principle was laid down
to ensure that the individual whose data has been collected has some control
over the data even when it is submitted to the data controller. That is the
individual should retain the power to make changes or delete a piece of
information later on.
This principle focuses on data security against any
external party. It aims to ensure that data controllers have technical,
administrative, and physical protections in place to protect personal
information from unauthorized use, alteration, access, or retention.
- Transparency and Openness:
This principle is laid down to ensure
personal data from the users. There should be transparency between the user and
the data controller.
The data controllers should be accountable to the users
whose data they collect. This is to ensure that they stick to the permissions
Before 2012, only four of the nine principles were being implemented in the laws
that were made about data privacy. These principles were security, limitation of
purpose, accountability, and limitation on collection.
Privacy In The 21st Century
Before focusing entirely on India, it becomes important to see the types and
effects of contemporary data privacy laws in other countries around the world.
Different countries around the world have their ways in which they look at
data privacy and forming laws regarding the same. In the US, 'liberty
protection' is a concept used to explain privacy protection. That is, the laws
made on data privacy are essentially made to protect the private spaces of
people from the government.
It does not have a whole set of comprehensive
legislation but has sector-based laws made to fulfill the purpose of data
privacy. Both the government and the private sectors have different laws
applicable to them. Moreover, American law allows for the collection of personal
data of a person as long as they are informed. This does have its own set of
loopholes since many times people are unaware and careless about what they are
signing up for.
In the European Union, on the other hand, the 'right to privacy is a fundamental
right. The European Union law related to data protection is comprehensive in the
sense that it includes laws against both the private entities and the government
with regards that do not allow them to process personal data. It does have a few
exceptions like defense, national security, and public security. Though, it is
also criticized for having stringent laws that impose many obligations on
various organizations and corporations.
The multiplicity of actions taking place in India's privacy and data protection
circuit might be missed if one blinks. Despite a severe gap in comprehensive
data protection legislation, the legislature and government were quite active in
their efforts. India has seen several important developments, including the
liberalization of the country's long-standing
geolocation policy, the implementation of industry-standard privacy protections,
and the implementation of strong security measures in the digital payments
sector. There have even been legal rulings on topics like governmental
monitoring, the right to be forgotten, and the necessity for anonymity.
The proposed GDPR-inspired data protection law, which has been in the works for
two years, was also revived. To further know what privacy means in 21st century
India, the analysis of its brief evolution period becomes important. Following
are the main events that directly or indirectly introduced data privacy in law
and established it as legislation:
K. S. Puttaswamy vs Union of India: The Right to Privacy Verdict (2017)
Justice K. S. Puttaswamy has been one of the pioneers who demanded the
protection of an individual's privacy in the country. In terms of India, the
right to privacy was held to be fundamental by the Supreme Court of India in
K.S.Puttaswamy vs Union of India. After the judgment under the directions of the
Supreme Court of India, a committee headed by Justice BN Srikrishna, a retired
Supreme Court judge, was formed. The committee submitted a report titled "A Free
and Fair Digital Economy:Protecting Privacy, Empowering Indians" in 2018 in
addition to forwarding a draft of the Data Protection Bill to the Ministry of
Electronics and Information Technology.
K. S. Puttaswamy vs Union of India: Puttaswamy-II Judgement (2018)
Later in the year 2018, in the Puttaswamy-II judgment, the Aadhaar Act was
challenged on the ground that it was violative of the right to privacy. In the
judgment, most provisions of the act were upheld but some provisions were struck
down as they suffered from the excessive collection of data.
Personal Data Protection Bill (2019)
In 2019, the Personal Data Protection Bill was introduced. It had many
differences from the draft bill that was suggested by the Srikrishna Committee
in 2017. These changes were mostly with regards to giving greater power to the
government. The government and other authorized agencies were exempted from
liability by citing reasons like national security, public order, and foreign
relations. Out of the three grounds of exception, only 'national security was
suggested in the draft bill put forth by the committee.
Information Technology Rules, 2021
One of the most recent developments in privacy laws in India was the
introduction of the new IT Rules in 2021. This law consists of a provision that
requires social media platforms, as and when required by the government, to
locate the first originator of messages that spread hate speech, fake news, and
indulge in illegal activities like distribution of child porn, etc.
provision could very much lead to a breach of privacy because to find the first
originator of a message, the social media platforms would have to trace the
users' conversations which can only be done when the corporations keep
surveillance on the private chats of their users.
So, through an analysis of recent developments in India, what can be seen is a
focus on the protection of private data of individuals and how it is used by
private entities. On the other hand, the government has comparatively more
freedom with regards to how it can collect and use an individual's data by
citing reasons like national security and maintaining public order to justify
Joint Committee On The Personal Data Protection Bill, 2019 (2021)
The Joint Parliamentary Committee released its report for a new data protection
law on December 16, 2021, along with a modification of the "Data
Protection Bill, 2021" in Parliament.
Stakeholders have expressed misgivings, requesting new discussions because
several of the clauses made public differed from the prior version disclosed two
years ago. There have been numerous notable modifications in the proposed draft
proposal that are similar to the "GDPR," such as the broadening of the law's
reach to embrace both personal and non-personal data.
Stringent regulations for
reporting data breaches within 72 hours, a certification framework for all IoT
and digital devices, and hardware manufacturer control are among the other
measures. According to the new proposed bill, the central government might
arrange for phased implementation or notification for the passage of
Issuance Of Data Privacy Standards
"The Bureau of Indian Standards" made public the previously announced new data
protection standards in mid-2021. The new requirements require enterprises to
design, maintain, and deploy a data privacy management system, as well as
continue to build on it, giving them a privacy assurance framework. The new
framework is divided into prescriptive and suggestive parts, with the
prescriptive portion including mandatory requirements and the suggestive part
containing best practices for assisting in the implementation of the
prescriptive part's requirements.
Implementation of the prescriptive component has not been specifically described
if they are necessary to maintain appropriate security practices and procedures
in the regulations. As a result, it is the responsibility of the organizations
to ensure that the prescriptive element is implemented in a way that meets the
need. Data processors must adopt security protections that utilize
de-identification, encryption, and other methods to preserve personal data
integrity and prevent misuse, unauthorized access, alteration, disclosure, or
destruction of personal data with the introduction of the new data protection
Traceability Feature Necessary For Large Messaging Apps
The "Information Technology (Intermediary Guidelines and Digital Media Ethics
Code) Rules, 2021," which were announced to the Ministry of Electronics and
Information Technology, superseded the "Information Technology (Intermediaries
Guidelines) Rules, 2011." Internet intermediaries must adhere to new
intermediary requirements for some due diligence, including the requirement to
keep information collected from users for 180 days after they have withdrawn
The laws also designated some intermediaries as "major
social media intermediaries" if the number of registered users exceeded
50,00,000, which was disclosed subsequently. Upon court or government order, the
major social media intermediaries must provide the identity of the first
originator of communication, but not the substance of the message or any other
information to the first originator.
Judicial Investigation Into The Pegasus Spyware Controversy
When it was revealed that Pegasus malware produced by an Israeli security
business, the NSO group, was being used to spy on Indian residents, it sparked
outrage. The Supreme Court of India issued a crucial decision. The petitioners
demanded an impartial probe of the alleged use of Pegasus by various foreign
countries, as well as the Indian government. The Supreme Court ruled that the
impact of Pegasus' deployment on the right to privacy and freedom of speech
needed to be considered. The Supreme Court formed a three-member expert group to
provide recommendations for new surveillance legislation or amendments to
Right To Be Forgotten Denied
A petitioner asked the Madras High Court to remove his name from court orders as
part of his right to be forgotten, but the case was denied by a single judge
bench. Even though the Madras High Court alluded to the K.S Puttaswamy v Union
case regarding an individual's right to privacy, it also pointed to a
Supreme Court order stating that one cannot exercise the right to be forgotten
if the information is required for the performance of a public-interest
activity. Due to the lack of any structure or criteria for redacting a person's
name, the court opted to wait for the government to pass a new data protection
law before using such powers.
Tussle Between WhatsApp And Indian Government
The new social media guidelines enacted by the Indian government in May of last
year oblige WhatsApp to track the origin of communication if needed by
appropriate authorities. Instead of complying with the instructions, WhatsApp
has filed a lawsuit against the government, alleging that the new restrictions
violate Indian users' right to privacy and urging the Supreme Court to deem the
intermediary requirements illegal. WhatsApp's parent firm, Facebook, has
disputed the dilution of its platform's de-encryption on several occasions.
Because of the privacy it provides, the American firm has highlighted how its
app is used for private chats by individuals from all walks of life such as
healthcare experts, government officials, law enforcement agencies, and
journalists, among others. WhatsApp claims that requiring intermediaries to
identify the source of information in India on its app jeopardizes the privacy
and security for which millions of users rely on it, jeopardizing end-to-end
encryption technology. Because it is unknown which messages may be subject to
tracing orders, the corporation will need to develop a mechanism to track down
the sender of every communication transmitted in India.
The intermediary guidelines have imposed restrictions on WhatsApp's basic
philosophy and technology, which is end-to-end encryption. End-to-end
encryption, as defined by WhatsApp, refers to the encryption of communications
sent between the sender's device and the recipient's device. The material sent
cannot be accessed by any other party, even WhatsApp's parent firm, Facebook.
End-to-end encryption and traceability do not mix because they are incompatible,
putting encryption technology at risk.
The Indian government's requests violate
the "data minimization principles," as WhatsApp is required to keep more data
for communications sent within India. Because there is no date offered, the
corporation is forced to keep this additional data for years after the content
has been exchanged.
The IT Act was never meant to provide the government the authority to compel
social media intermediates (SSMIs) to maintain track of a text's origin.
Repercussions Of The Intermediary Guidelines:
Traceability And Human Rights Concerns
According to WhatsApp, imposing traceability will not only fail to meet the
government's demands but will also result in human rights breaches. One of the
fears is that many people's names will be marked just because they shared
information, even if they were not the originator, merely to be safe or to
double-check its legitimacy. If certain content proves to be harmful to the
government, a large number of innocent persons may become embroiled in
investigations or even imprisoned.
As a result, it might result in a breach of
the widely accepted values of free expression and human rights. The use of
digital fingerprinting has also been criticized by internet specialists as
dangerous since it is easy to imitate while gaining traceability, putting the
integrity of the system in jeopardy.
Experts believe that fingerprinting techniques may be readily misused and that
they will eventually jeopardize the public's digital privacy by jeopardizing
encryption. Apps would have to forsake encryption completely to keep track of
message digital signatures.
In the future, the government may request any message, thus WhatsApp would have
to track every message, not just some. By requiring social media service
providers to track users, the government is inadvertently enforcing widespread
monitoring. To meet the government's regulations, social media firms will now
have to preserve vast databases of every message shared privately with
friends, family, coworkers, and enterprises, among other things. In
comparison to what users know about these firms, these companies will now gather
more information about them.
Violation Of Principles Of Law And Investigation
Traceability would have a direct impact on how law enforcement and
investigations operate. The way the inquiry is now going, the government is
requesting information from technology firms concerning a certain individual's
account information. Following the adoption of the guidelines, the government
would give technology firms a piece of material and a demand for its source,
which would be ineffectual and prone to misuse.
Enforcement Or Alternatives:
WhatsApp has already stated its position on traceability, but the company still
maintains a team committed to reviewing and responding to legitimate law
enforcement demands. During the inquiry, the business has also replied to the
authorities' legitimate demands with whatever limited information was available,
by applicable law and policy. In addition, the organization has a dedicated
staff that works closely with law enforcement authorities 24 hours a day, 7 days
a week in emergency scenarios such as impending danger, risk of death, or major
Concerns With Data Privacy
The major concern in regards to having codified legislation for data privacy is
state of the right to privacy in India which has created an urgent need to come
up with a comprehensive and regulatory framework for data protection.
The law is on the government's side, making it simpler for the government to
pass new data privacy regulations, but there is still an unresolved issue: the
undervalued importance of data privacy and protection. Any typical smartphone
user in our nation, not even a layperson, is completely oblivious of the need
for online privacy.
These are the folks for whom the government must take great
measures to protect their data. A substantial section of our population is
exposed to giant businesses and online organizations that exploit users'
private and personal data due to a lack of understanding about safe surfing,
data privacy, and protection.
Subject experts and IT professionals believe that the "Indian Data Protection
Bill, 2019," which aims to protect the much-needed data of Indian users on the
internet so that users can exercise their privacy rights on the online platform,
is not sufficiently equipped to provide the necessary privacy and rights for
enforcement. The measure requires a stronger structural and organizational
framework, otherwise, the personal and sensitive data or information of millions
of Indian users would be compromised.
The classification of the user's data, which the bill divides into three
components, is the first major challenge in creating and executing such a
The three types of user data are as follows:
- Personal Data
- Sensitive Personal Data, and
- Critical Personal data
One of the most glaring flaws of the Data Protection Rules is that personal data
is limited to information that may be used to identify a single user. The
personal and private information of other people recorded in the background of a
user's device, which can lead to a significant breach of privacy whether caused
willingly or inadvertently when using the internet or just browsing social
media, is not specifically covered by these Rules.
The restricted reach of these sensitive personal data is another additional
impediment to the timely implementation of data privacy legislation. The
misunderstanding about which data should be classified under which of the three
heads is the fundamental reason for the delay in implementing the guidelines.
This ambiguity might have disastrous effects when it comes to data collecting,
storage, and processing, which are all handled by distinct firms that must
now obtain consent at each stage of the process.
Scope Of Data Privacy And Suggestions
The government may take a variety of different actions to make the web space
stronger and more secure for citizens to make data protection easier for them.
Instead of mandating companies to hold ever-increasing amounts of data, the
government should examine how sensitive our data is, and hence limit large-scale
data collecting by corporations. Data collected by data suppliers, as well as
social media intermediaries, should be kept to a minimum.
Even if the data
is acquired and held with the user's knowledge, the user's right to be forgotten
must be respected, which is why users must have the ability to have their data
removed from databases and servers. The data processors should be held liable
for the security of our information. Users should have the right to know about
data breaches and the right to seek compensation as a remedy if their
privacy has been violated. As a result, suitable data collecting norms should
The government should also take steps to eliminate outdated data protection
regulations, restricting the amount of information acquired from consumers.
Increased constraints on data collection with consent may also be implemented,
ensuring that users' data remains private and safe. Increased penalties should
be applied to data and privacy violations. Data storage, in whatever form it
takes, should be ethical and legal.
The state should make it mandatory for data collectors/processors to keep a
close eye on data usage by requiring them to have user-service provider openness
in the data processing. In this manner, a balance may be struck between the data
protection principle and the purpose, as well as the collection and processing
of user data.
The government simply cannot implement dictatorial and harsh data privacy
regulations because, as technology advances, the purpose of data storage and
usage will change. The law that the government draughts in the future to protect
citizens' data privacy should be flexible and adaptable to changing technology.
The government must have a clear framework in mind for the many sectors where
data is processed and utilized, which may be abused by exploiting legal gaps
hence enforcing the required penalties is necessary. The data privacy laws
should be complementary, and there should be other areas where the legislation
may be reinforced, such as consumer protection, to give individuals all-around
With the abundance of freely available data on the internet and specific
personal information in the hands of corporations and governments, data privacy
laws have emerged as one of the most important requirements of the twenty-first
century. Data privacy regulations are made to protect the way an individual's
data is used by establishing checks on the collection and processing of data by
various organizations. Many different thinkers, like Westin, Morison, Clarke,
and Acharya, have different ideas about what 'privacy' means, and this can have
an impact on the laws that are made and enacted around the world.
For the purview of this project, it became important to know about privacy in
the context of India. In 2012, a report based on a discussion among a Group of
Experts on Privacy was published by a committee headed by Justice AP Shah. This
was one of the first official committees made to deliberate on data protection
and data privacy laws in India. The committee report outlined the nine
principles that should be kept in mind while forming India's data privacy
The nine guiding principles were:Notice, Consent and Choice,
Limitation of Collection, Limitation of Purpose, Access and Correction of
Collected Data, Information Disclosure, Security, Transparency and Openness, and
Accountability. But even then, before 2012 only four of the nine principles were
enshrined in law.
One of the biggest developments seen in India with regards to data privacy was
the landmark Justice KS Puttaswamy vs Union of India judgment of 2017. In the
judgment, the Supreme Court of India ruled that the right to privacy is a
fundamental right and that it is an essential component of Part III of the
Indian Constitution. Moreover, according to the ruling, any type of surveillance
in India should be evaluated using three criteria:legality, necessity, and
proportionality. This is one of the basic principles that is used to govern data
privacy laws and keep a check on the various legislations and enactments brought
out by the government.
Besides India, data privacy laws around the world are based on different
principles and ideals. For instance, data privacy laws in the United States of
America are made to protect the personal and private lives of individuals from
government intervention. Besides focusing on the protection of data from the
government, there are also sector-based laws made for various business sectors
to keep data privacy in check. On the other hand, laws in the European Union
regarding Data Privacy are pretty comprehensive in the sense that the same data
privacy law is applicable against both the government and the private entities.
The new IT rules, which came into place in 2021, require social media
intermediaries to track the source of communication, requiring firms to abandon
their cherished notion of user privacy. This would be a grave infringement of
human rights, and it has been widely denounced by individuals
from all walks of life, as the regulations appear to be vital and beneficial on
the surface, but the state might utilize users' data for other
purposes. With such rules, the government has more freedom with public data.
The previously mentioned revised data protection standards were made public by
the "Bureau of Indian Standards" in mid-2021. The new criteria call on
businesses to create, maintain, and implement a data privacy management system,
as well as continue to improve it, providing a privacy assurance framework. If
they are required to maintain suitable security policies and processes under the
rules, the prescriptive component's implementation has not been precisely
stated. As a result, the organization must guarantee that the prescriptive
feature is implemented in a way that fits the need.
The "Information Technology (Intermediary Guidelines and Digital Media Ethics
Code) Rules, 2021," which were announced to the Ministry of Electronics and
Information Technology, replaced the "Information Technology (Intermediaries
Guidelines, 2011" rules. Internet intermediaries must comply with new due
diligence standards, which include keeping information obtained from users for
180 days after they have canceled their registration. The main social media
intermediaries are required to provide the identity of the original originator
of communication in response to a court or government request, but not the
content of the message or any other information.
Outrage erupted when it was found that Pegasus software developed by an Israeli
security firm, the NSO group, was being used to spy on Indian citizens. The
Indian Supreme Court handed down a significant judgment. The Supreme Court
convened a three-member expert panel to provide suggestions for new surveillance
legislation or changes to existing legislation.
As part of his right to be forgotten, a petitioner petitioned the Madras High
Court to delete his name from court orders, however, the case was dismissed by a
single judge bench. Due to the lack of a framework or criterion for redacting a
person's name, the court decided to hold off on utilizing such powers until the
government passed a new data protection law.
The Indian government's new social media guidelines, issued in May of last year,
require WhatsApp to track the origin of a conversation if requested by relevant
authorities. Instead of following the
instructions, Whatsapp has brought a case against the government, claiming that
the new restrictions infringe on Indian users' right to privacy and urging the
Supreme Court to declare the intermediary requirements unconstitutional. The
American company has emphasized how its software is used for private talks by
people from all backgrounds of life because of the privacy it gives.
WhatsApp contends that mandating intermediaries in India to pinpoint the
source of communication on its service compromises the privacy and security on
which millions of users rely, as well as end-to-end encryption technology.
WhatsApp's underlying concept and technology, end-to-end encryption, has been
restricted by intermediate limitations.
Because end-to-end encryption and
traceability are incompatible, encryption technology is jeopardized. The Indian
government's demands violate the "data minimization principles," as WhatsApp is
compelled to preserve more data for messages carried within India for an
indeterminate amount of time.
Traceability, according to WhatsApp, will not only fail to fulfill the
government's expectations but will also result in human rights violations. One
of the concerns is that many people's names will be blacklisted just because
they shared information with others, even if they were not the source, just to
be safe or double-check its veracity.
If specific information is found to be
damaging to the government, a huge number of completely innocent and completely
innocent people might be subjected to probes or even imprisoned. The government
may seek any message in the future, so WhatsApp would have to trace all
messages, not just some. The government is accidentally pushing extensive
monitoring by compelling social media service providers to track users.
The situation of the right to privacy in India is deteriorating, necessitating
the creation of an urgent statutory framework for data protection. The "Indian
Data Protection Bill, 2019," seeks to protect the much-needed data of Indian web
users so that users can exert their privacy rights on the digital platform,
which is not sufficiently equipped to provide the requisite privacy and rights
for accountability, according to experts and IT professionals. Another hurdle to
the early adoption of data privacy regulations is the limited reach of these
sensitive personal data.
Rather than requiring businesses to store ever-increasing volumes of data, the
government should assess how critical our data is and so prohibit large-scale
data collection by businesses. The amount
of data gathered by data providers and social media, intermediaries should be
maintained to a bare minimum.
Even if the data was collected and stored with the
user's consent, the user's right to be forgotten must be maintained, which is
why users must be able to request that their data be erased from databases and
servers. The government should also take efforts to update obsolete data
protection laws and legislation, limiting the quantity of data collected from
Because the goal of data storage and usage will shift as technology evolves, the
government must not impose totalitarian and draconian data privacy legislation.
The law that the government drafts in the future to preserve citizens' data
privacy should be responsive to new technology and flexible.
- (2021).meity.gov.in/writereaddata/files/Intermediary_Guidelines_and_Digital_Media_Ethics_Code_Rules-2021.pdf accessed 25 March 2022
- Data Protection and Privacy Legislation Worldwide (UNCTAD)
- Ettech Explained: Government Rules On Whatsapp & The
Controversy Around It (The Economic
accessed 25 March 2022
- Report Of The Joint Committee On The Personal Data Protection Bill, 2019
Data Protection Bill, 2019/17_Joint_Committee_on_the_Personal_Data_Protect
ion_Bill_2019_1.pdf> accessed 24 March 2022
- The Personal Data Protection Bill, 2019
accessed 27 March 2022
- Acharya B, The Four Parts of Privacy
in India (2015) 50(22) EPW.jstor.org/stable/24482489> accessed 29 March 2022
- Aggarwal E, 'Scope And Fate Of Data Privacy Laws In
India' (Lexlife India, 2021)
accessed 27 March 2022
- Clarke R, 'What's Privacy?' (Roger Clarke, 2006)
accessed 29 March 2022
- Dhapola S, 'Explained: Whatsapp'S Arguments To Fight
Traceability Clause In IT Rules 2021'
accessed 26 March 2022
- Gokhale G, Kamath A, and Kittane P, 'Privacy & Data Protection
Capsule: India's Turn On The World Stage' (The
National Law Review, 2022)
stage> accessed 24 March 2022
- Government of India Planning Commission, Report of the Group of Experts
accessed 30 March 2022
- Justice K S Puttaswamy (Retd) and Anr vs Union Of India And Ors
 The Supreme Court of India, 10 SCC (The Supreme Court of India)
- Karthick Theodre v The Registrar General  Madras High Court
(Madras High Court)
- Kessler DJ, Ross S and Hickok E, 'A Comparative Analysis Of Indian
Privacy Law And The Asia-Pacific Economic Cooperation Cross-Border Privacy
Rules' (2014) 26(1) National Law School of India
Review .jstor.org/stable/44283781> accessed 29 March 2022
- Kulhari S, Building-Blocks of a Data Protection Revolution (2018)
- Manohar Lal Sharma v Union Of India  The Supreme Court of
India (The Supreme Court of India)
- Ministry of Electronics and Information Technology, Data Protection In
accessed 30 March 2022
- Morison WL, Report on the law of privacy (1973)
- Qureshik M and Rizvi A, 'The Evolution of Right to Privacy in
India: A Look at the Past, Present & Future' The Quint (30 September 2021)
- Westin AF, 'Privacy And Freedom' (1968) 25(1) Wash. & Lee L. Rev.accessed 28 March 2022
- White Paper Of The Committee Of Experts On A Data Protection Framework
accessed 29 March 2022
- Aryan Dash, currently pursuing B.A.LL.,B from
National Law University Odisha and
- Bhumika Navin, currently pursuing B.A.LL.,B from
National Law University Odisha.