Authored By: Shantanu Pandey
Deen Dayal Upadhyaya Gorakhpur University
Introduction:
In the digital age, personal data has become the “new oil,” driving economic activity, innovation, and governance. However, it has simultaneously raised profound concerns about the right to privacy, misuse of data, and the role of the State and corporations in surveillance. India, with its vast digital economy and growing internet penetration, has faced increasing challenges in balancing the free flow of information with the protection of individual privacy.
The legal discourse on data protection in India gained constitutional importance with the landmark judgment in Justice K.S. Puttaswamy (Retd.) v. Union of India, wherein the Supreme Court recognized the right to privacy as a fundamental right under Article 21 of the Constitution of India. [1]
This recognition created the need for a comprehensive data protection framework. The legislative response to this judicial pronouncement culminated in the enactment of the Digital Personal Data Protection Act, 2023 (DPDP Act), India's first comprehensive data protection legislation.
This article examines the evolution of data protection jurisprudence in India, analyses the key provisions of the DPDP Act, compares it with global standards like the General Data Protection Regulation (GDPR) of the European Union, and highlights challenges and the way forward.
Evolution of Data Protection Jurisprudence in India
Early Legal Framework
Prior to the DPDP Act, India relied primarily on sectoral regulations and the Information Technology Act, 2000 (IT Act), particularly Section 43A and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. [2]
These provisions placed limited obligations on body corporates handling “sensitive personal data”, but the regime was largely inadequate due to vague definitions, weak enforcement, and absence of individual rights.
Judicial Recognition of Privacy
The turning point came with Puttaswamy (2017), in which a nine-judge bench held that privacy is intrinsic to life and personal liberty. [3]
The judgement emphasized informational privacy as a crucial dimension of individual autonomy, compelling the State to create robust data protection safeguards.
Subsequently, in Puttaswamy (Aadhaar Case, 2018), the Court scrutinized the Aadhaar system of biometric data collection, upholding it only with strict limitations. [4]
These decisions established the constitutional foundation for data protection legislation.
Expert Committee and Draft Bills
Following these judicial pronouncements, the Justice B.N. Srikrishna Committee was constituted in 2017, which submitted its report “A Free and Fair Digital Economy” along with the draft Personal Data Protection Bill, 2018. [5]
This draft inspired subsequent iterations, including the Personal Data Protection Bill, 2019, which was scrutinized by a Joint Parliamentary Committee (JPC). After years of debate, the government introduced a simplified version, resulting in the Digital Personal Data Protection Act, 2023.
The Digital Personal Data Protection Act, 2023
The DPDP Act, 2023 marks a watershed in India's data governance framework. Its core objective is to balance individual rights with the legitimate needs of the State and businesses to process data.
Key Features
- Scope and Applicability:
  - Applies to the processing of digital personal data, whether collected online or digitized offline. [6]
  - Covers processing within India and certain extra-territorial processing outside India if related to offering goods or services in India.
- Rights of Data Principals (Individuals):
  - Right to access information about processing.
  - Right to correction and erasure of personal data.
  - Right to nominate a representative in case of incapacity or death.
- Obligations of Data Fiduciaries (Entities Processing Data):
  - Obtain consent before processing personal data.
  - Ensure purpose limitation and storage limitation.
  - Implement reasonable safeguards against breaches.
- Special Category - Significant Data Fiduciaries:
  - Entities meeting thresholds based on volume and sensitivity of data are designated as Significant Data Fiduciaries, requiring additional compliance such as appointing a Data Protection Officer (DPO) and independent audits. [7]
- Data Protection Board of India (DPB):
  - Established as an adjudicatory body to handle complaints, breaches, and disputes.
- Penalties:
  - Imposes financial penalties up to Rs. 250 Crore depending on the nature of the breach. [8]
Comparison with GDPR
While modelled partly on the GDPR, the DPDP Act differs significantly:
- It focuses only on personal data, unlike GDPR which covers both personal and non-personal data.
- It adopts a consent-centric approach, though with broad exemptions for government agencies.
- It lacks explicit provisions on data localization, though cross-border transfer is subject to government notification.
Challenges and Criticisms
Despite its significance, the DPDP Act has been criticized for several reasons:
- Broad Government Exemptions:
The Act empowers the government to exempt any State instrumentality from compliance, raising concerns of surveillance and dilution of privacy guarantees. [9]
- Absence of Strong Independent Regulator:
Unlike the GDPR's independent supervisory authorities, the Data Protection Board of India is perceived as insufficiently autonomous since members are appointed by the government.
- Lack of Provisions on Data Localization and Non-Personal Data:
Critics argue that the Act ignores the strategic importance of data localization and the regulation of non-personal or anonymized data, which are crucial for national security and economic policy.
- Enforcement Capacity:
The success of the law depends on robust institutional mechanisms and capacity-building, which remain underdeveloped in India's regulatory ecosystem.
Way Forward
To strengthen India's data protection regime, several measures may be considered:
- Ensure independence of the Data Protection Board to enhance trust and impartiality.
- Introduce stronger safeguards against government surveillance, in line with constitutional principles of proportionality.
- Enhance public awareness to empower individuals in exercising their data rights.
- Promote harmonization with global frameworks like GDPR to facilitate cross-border digital trade.
Conclusion
The recognition of privacy as a fundamental right marked the constitutional genesis of India's data protection regime. The enactment of the Digital Personal Data Protection Act, 2023 represents a major step forward in codifying this right and establishing obligations for entities processing personal data. However, its efficacy depends on how effectively it balances competing interests of individual autonomy, corporate innovation, and state security.
India's journey in data protection law is still unfolding. To realize its potential, the law must evolve towards greater transparency, accountability, and independence of regulatory oversight. In the long run, a strong and citizen-centric data protection regime will not only safeguard constitutional rights but also bolster India's digital economy and its role in the global data governance landscape.
References:
- Justice K.S. Puttaswamy (Retd.) v. UOI, (2017) 10 SCC 1 (India).
- Information Technology Act, No. 21 of 2000, India Code (2000), 43A.
- Puttaswamy Case.
- S. Puttaswamy v. UOI (Aadhaar), (2019) 1 SCC 1 (India).
- Justice B.N. Srikrishna Comm., A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians (2018).
- Digital Personal Data Protection Act, No. 22 of 2023, Gazette of India, Extra., Aug. 11, 2023.