Data Privacy In India


9/1/202315 min read

What is Privacy?

Privacy is a fundamental right, essential to sovereignty and the protection of human dignity, helping as the base upon which many other human rights are built.

Privacy permits us to build boundaries and set barriers to safeguard ourselves from undue intrusion into our lives, allowing us to decide who we are and how we want to connect with the world around us. Privacy allows us to set limits on who can gain access to our bodies, locations, and objects, and also to our conversations and data.

As an outcome, Privacy is an important method in which we strive to safeguard ourselves and society from capricious and unjustifiable use of power by limiting whatever can be publicly disclosed and conveyed to us while shielding us from those who may try to exercise control.

Privacy is fundamental to who we are as humans; it allows us to be ourselves without condemnation, think freely without prejudice, and is vital to providing our authority regarding who acknowledges what about us.

Is Privacy a right?

Privacy is an approved, basic human right. The right to Privacy is enshrined in all major international and national human rights treaties, including the United Nations Declaration of Human Rights (UDHR) 1948, Art 12: "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks."

International Covenant on Civil and Political Rights (ICCPR) 1966, Article 17: "1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honor or reputation. 2. Everyone has the right to the protection of the law against such interference or attacks."

What is Data Privacy?

Privacy is not a new notion; it was originally identified in the Semayne case in 1604 when it was determined that "everyone's house is to him as his castle and Fortress. This issue has several legal ramifications, but the territorial privacy aspect, i.e., the Privacy of one's house or property, is well established. In general, it implies that you cannot enter someone's home abruptly and burst through the door without a court order or notice. This would be a violation of one's territorial sovereignty. The term "privacy" continued to evolve and gained heightened attention on December 15, 1890, when Justice Louis Brandeis and Boston Attorney Mr. Samuel Warren penned their now ageless article, "The Right to Privacy," in which they defined Protection of the Private realm as the foundation of modern individual freedom and argued that the law should recognize such a right and impose liability for any intrusions on it."It is our purpose to consider whether the existing law manages a principle which can properly be invoked to protect the privacy of the individual; and, if it does, what the nature and extent of such protection is," declared the writers Brandeis and Warren.

The Universal Declaration of Human Rights (UDHR) in 1948

UDHR's Article 12 7statutorily established Privacy for the first time internationally in 1948. With the inclusion of such protection in the UDHR, many nations became more aware of the complexities of Privacy and began incorporating similar protections into their domestic laws.

Right to Privacy in India

The concept of privacy dates back to the daybreak of humankind. However, the idea of Privacy is difficult to grasp. Privacy has many definitions according to different scholars, and it also has different features that evolve as society changes. When we go back in time to the deliberations in the Constituent Assembly, we discover some issues regarding Privacy and secrecy. According to the Constituent Assembly debates, the right to Privacy was purposefully left out of the Constitution. It is still being determined what the legislature's objective was behind this.

In the post-independence age of India, the country's constitution does not directly recognize the right to Privacy, but it has grown via court decisions. It was recognized for the first time in the case of Kharak Singh v. St. of Uttar Pradesh. There are also many legislations that contain laws related to Privacy, such as the Indian Evidence Act, Information Technology Act, Indian Penal Code, Criminal Law, Indian Telegraph Act, and Indian Easement Act.

Humans need Privacy because it is fundamental to them. Over time, Privacy has taken on many different forms, including the Privacy of one's body, one's space, one's information, and one's choices. Moreover, there is a greater need to defend this freedom in today's digital age. The article discusses the fundamental right to Privacy in the modern digital age. We will also discuss the laws that safeguard Privacy and if we have enough legislation to address concerns of invasion of Privacy, which has been recognized as a Fundamental Right under the provisions of Art. 21 of the Constitution, as well as the sanctity of the right to Privacy in India.


Humans have sensed the need for privacy protection since ancient times, although the idea was not properly defined. When we begin discussing the notion and foundation of right, we must first trace its historical evolution in order to arrive at a universally recognized interpretation. The notion of seclusion can also be found in ancient Hindu texts.

According to Hitopadesha, certain matters like worship, sex, family matters, etc., should be protected from disclosure. Ancient Indian law-givers declared, "Sarve sve sve grihe raja" (Every man is a king in his own house). In the Mahabharata, Draupadi was the common wife of the five Pandavas, and they accorded utmost priority to Privacy by framing a rule to avoid embarrassment – if, by chance, any of them happened to see Draupadi in the company of any brother, he would have to undergo banishment for 12 years in the forest as a 'Bramhachari.

A person's right to Privacy is a vague and mutable idea that comes from the values and principles developed by the Courts over many years in the shape of case laws. The Supreme Court has maintained in a series of decisions that Article 21 of the Constitution is the core of basic rights and is multifaceted.

The earliest recordings of the 'right to privacy' in Indian jurisprudence were in the late 1800s when a local British court upheld the Privacy of a 'Pardanashin' woman to access her balcony without fearing the neighborhood gaze. The jurisprudence has evolved ever since, and the right to Privacy was read into 'Article 21' of our Constitution by the Supreme Court as an integral part of 'personal liberty.'

Judicial precedents regarding the Right to Privacy

1. M.P. Sharma v. Satish Chandra AIR (1954). Supreme Court of India

The Supreme Court of India initially decided that Privacy was not a basic right in 1954. The Court rejected the concept of a right to Privacy in M.P. Sharma v. Satish Chandra11 on the grounds that the creators of the Constitution did not intend to establish a basic right to Privacy.

2. Kharak Singh v. State of Uttar Pradesh AIR 1963 SC

In the case of Kharak Singh v. St. of Uttar Pradesh,12, most judges involved in the ruling denied the right to Privacy again, stating that "our Constitution does not in terms confer any like constitutional guarantee." However, in the Kharak Singh case, the minority opinion of Subba Rao J. was in Favor of Privacy. The silver lining was Justice Subba Rao's dissent, stating, "The right to personal liberty includes not only the right to be free from restrictions on his movements but also the right to be free from encroachments on his private life."

3. Gobind v. State of Madhya Pradesh AIR 1975 SC

In Gobind v. State of Madhya Pradesh, the court conducted a more thorough examination of the right to Privacy. In addition, the Court recognized a limited Fundamental Right to privacy "as an emanation" of Arts. 19(a), (d), and 21. However, the right was not absolute; reasonable limitations might be imposed through a legal procedure.

4. R. Rajagopal and Ors. v. St. of Tamil Nadu, AIR 1995 SC 264

The law governing Privacy was toughened significantly. The Supreme Court stated in the case of the famed gangster "Auto Shanker" that the right to Privacy had just gained constitutional validity. After considering the above judgments, the Supreme Court stated, "We have, therefore, no hesitation in holding that the right to Privacy is a part of the right to life and personal liberty enshrined under Art. 21 of the Indian Constitution. Once the facts in a given case constitute a right to Privacy, Art 21 is attracted. The said right cannot be curtailed 'except according to procedure established by law. "

The "right to privacy" arose in India through legal precedents. By this point, Privacy had become an intrinsic function in our basic rights law, assisting us in living a decent existence. And it has never faced such a significant challenge as it is presently confronting.

Right to Privacy under the Indian Constitution

The Constitution of India doesn't expressly mention the basic right to Privacy, although it is considered protected by Part III of the Constitution through court rulings. The following sections are claimed to have provisions relating to the 'right to privacy.'

Article 19: Freedom of Speech and Expression Art 19(1) (a) provides that "all citizens shall have the right to freedom of speech and expression."17 "However, this is justified by Article 19(2), which says that it will not influence the implementation of any current law or stop the State from creating any law, insofar as such law imposes reasonable constraints on the practice of the right in the interests of India's sovereignty and integrity, state security, friendly ties with foreign countries, public order, decency or morality.

  • Article 21: Right to Life and Personal Liberty

Article 21 of India's constitution gives citizens and non-citizens the right to Privacy. Article 21 of the Constitution 21 states: "No individual shall be denied of his lives or personal freedom except as provided by the procedure established by law."

Why is Data Protection legislation required in India?
  • Every day, millions of Indians use numerous programs, leaving traces of data that may be used to develop profiles, target commercials, and anticipate activities and trends.

  • In India, the confluence of multiple regulations for different areas produces uncertainty, which is one of the key reasons for large-scale data breaches. In India, there is no one codified legislation that addresses all areas of data privacy and maintains track of the fines that should be applied.

  • Numerous examples of non-existent or failing grievance redressal systems must be revived and assessed immediately. When dealing with situations involving data breaches and cybersecurity, the enforcement mechanism typically confronts various implementation challenges.

  • Because India is a nation-state, citizen data is considered a national asset. This national asset may need to be preserved and stored within national boundaries depending on India's security and geopolitical interests. This includes not just corporations but also non-governmental organizations and governmental agencies.

Rights related to data privacy

The Information Technology Act of 2000 is the only extant regulation in the country that protects individuals' Privacy in data and information transactions. The Indian legislature revised the Act in 2008, adding additional clauses to the previous Act of 2000 to make it more effective in the realm of protection. The provisions in the Information Technology Act and the Amendment Act 2008 that safeguard data privacy include the following:

  • Section 30- Section 30 of the Information Technology Act of 2000 requires the certifying body to follow security procedures to ensure the confidentiality and Privacy of electronic signatures.

  • Section 43- Section 43 of the Information Technology Act, 2000 provides sufficient provision for the person concerned to receive compensation for unlawful access to his private and personal data.23 In this section, intrusion into one's computer systems or computer framework is considered compensation. The ITAA 2008 altered many provisions and explanations in this section, including clause (a), clause (i), clause (j), and explanation (v).

  • Section 43A (ITAA, 2008) - The IT Amendment Act of 2008 introduced a whole new provision to the act. This section states, 'Compensation for inability to safeguard data- where an entity that possesses, distributes, or handles any delicate private data or information in a computer resource that it possesses, monitors, or works is negligent in applying and retaining appropriate safety practices and procedures and thus creates any unfair individual loss or unfair benefit, that entity is responsible for paying the losses by way of compensation to the person who is affected.'

  • Section 66- Section 66 of the Information Technology Act, 2000 also protects sensitive private information residing in a computer resource as it makes, among others, a punishable decrease in the value of information residing within a computer resource with imprisonment for up to three years.

  • The new Amendment Act gives power to the Indian government under Section 69(A) to prevent intercept, monitor, and decrypt computer systems, and resources in computer devices and block electronic data stored therein. However, this came under major controversy, and later in the year 2015, it was declared by the Supreme Court that Section 69(A), under which the government can issue directions to block internet sites, is constitutionally valid as there prevails adequate procedural safeguards.

  • Section 72 - Section 72 of the Information Technology Act, 2000 says about violation of confidentiality and Privacy, i.e., a government officer can be fined if he transfers in his formal ability any digital information or data which he has obtained about a person.

  • Section 72A- this section was also added to the statute through the ITAA 2008. The section says; Punishment for disclosure of information in contravention of a lawful contract- Save as otherwise provided for in this Act or any other law in force for the time being, any person, including a mediator, who, while offering services under a legal contract, has obtained access to any material containing information about another person to cause or know that he is ought to cause the unlawful damage or unlawful profit reveals, without the approval of the individual involved or in violation of a legitimate agreement, such work shall be punished with probation for up to three years or a penalty of up to five lakh rupees or both.

In addition, in compliance with the Supreme Court's judgment in the case of Justice K.S. Puttaswamy, the Government of India has formed a five-member committee led by former SC judge, Justice (Retd.) B.N. Srikrishna to draught a Data Protection Bill. If enacted, the measure will be India's first comprehensive legislation to protect online users' personal data against exploitation by state and non-state invaders. According to the office memorandum of the Srikrishna Committee, the government is cognizant of India's growing importance of data protection. It is critical to ensure the growth of the digital economy while safeguarding people's personal data safe and secure.

The Privacy Bill, 2011

The Bill safeguards citizens against theft of identity, including both criminal and commercial identity theft. Monitoring lines of communication without the authority of a Secretary-level officer is prohibited by the Bill. Furthermore, the material gathered must be deleted within two months following the termination of interception. It assures the formation of a Central Communication Interception Assessment Committee to evaluate and assess the interception orders that have been issued. Furthermore, it is obligated to ensure that any interception that violates Section 5 of the Telegraphs Act is destroyed immediately. It also precludes surveillance except in circumstances when the procedure requires it.

According to the bill, no one whose place of business or data equipment is located in India shall disclose any data pertaining to any individual without their consent. The Privacy Bill establishes the Data Protection Authority of India. The Indian Data Protection Authority will keep track of advancements in computer technology and data processing. This is done to assess the law and study its impact on data protection. In addition, the authority is responsible for receiving recommendations and representing the public on data privacy issues.

The authority can also examine data breaches and impose directives to protect security interests. The bill states that an interception not following the criteria may result in jail or a fine. It further states that anybody who gets any record of information regarding a person. Any official of the government or the agency under pretenses faces a punishment of up to Rs. 5 Lacs.

The Personal Data Protection Bill, 2019

On December 11, 2019, in the Lok Sabha by Mr. Ravi Shankar, Minister of Electronics and Information Technology, The main object of the Bill was to draft a data protection regime to recognize current issues and possible statutory protection. Furthermore, this is not the first time a data protection bill has been submitted in Parliament; in 2017 and 2018, data protection bills were introduced. One of the most essential aspects of the Bill is that it imposes a responsibility on the data intermediary to implement safety measures to ensure the security of the gathered data. He or she must notify the individual of any data breach within a certain time frame. DPPA is constituted with the intention of appealing, in addition to data protection officials, which are established under the Act to resolve grievances. This governing body has the right to take discretionary action against the data collectors or the processor. The Bill also authorized the DPPA to punish, monitor, and order damages for any kind of harm caused to individuals from any acts of the Government or private institution"

Individuals may register a complaint against a private company or the government for infringement of Privacy under the provisions of the Bill. Furthermore, another component of the Bill is that in order to handle any type of information, whether sensitive or personal, affirmative agreement must be obtained from those whose information the company or the Government is obtaining. The Bill criminalized all offenses within its scope and raised the monetary and jail penalty for all existing violations. Aside from that, several clauses, such as Sections 10, 14, and demonstrate the significance of the Bill. The issue is that the bill has yet to be implemented. However, we can affirm that if this Bill becomes an Act, it will be a big step forward in data protection and will be an effective and outstanding data protection law.

The Aadhaar verdict by the Supreme Court and the Right to Privacy –In the Puttaswamy case Justice D.Y. Chandrachud said that the following conditions must be met in order to determine the allowable boundaries of invasion of Privacy under Article 21 of the Constitution:

(a) the very existence of a law;

(b) a justifiable state interest; and

(c) the stated statute must meet the requirements for proportionality.

Personal Data and Privacy

However, India has failed to establish appropriate privacy laws. The Indian legislature nevertheless decided to amend the IT Act of 2000 to add Sections 43A and 72A, which provide for compensation for incorrect publication of personal information. Under Section 43A of the IT Act, the Indian federal government later adopted the IT (Reasonable Security Practises and Procedures and Sensitive Personal Data or Information) Rules, 2011. The Rules place new standards on commercial and corporate enterprises in India for the collection and dissemination of highly confidential private data or information. The IT Act and Rules include no provisions for using highly sensitive personal information or data for direct marketing. However, where the info is collected from a provider of info., the prior consent of the provider of info must be obtained, including the purpose for which the info is being collected.

Aadhaar and Right To Privacy

Aadhar is a severe intrusion of people's right to Privacy, and it has the potential to evolve into a state of surveillance in which each individual may be retained under surveillance by constructing a profile of his or her life and movement based on his or her usage of the Aadhaar. It is vital to emphasize that the UID project's key privacy issues are territorial and data privacy. The UID poses a significant risk to an individual's Privacy since it will bring together information that is currently dispersed in the public domain. This information might be abused by authorities. Furthermore, the project's usage of biometric data raises concerns about privacy. The Collection of and identification based on biometric info. could be understood as a breach of one's territorial Privacy and one's data privacy.

The present emphasis on the right to Privacy is founded on digital-era realities. ID theft, fraud, and misrepresentation are major challenges in India, which is fast becoming a digital economy. Several government activities and schemes have been conducted in recent years utilizing information technology platforms, utilizing computerized data obtained from residents. As more transactions are conducted via the Internet; such data is subject to theft and exploitation. As a result, any kind of data-obtaining system ought to consider concerns about Privacy and contain protocols to secure citizen data.

What if we are informed tomorrow that the right to Privacy is not a basic right? The right to Privacy will lose its place among the Golden Trinity of the Constitution's Articles 14, 19, and 21. These rights may only be taken away by a reasonable and equitable law, which is the primary safeguard provided by our Constitution. If Privacy is not a fundamental right, this intrinsic right can be taken away by our legal system.

In the Gian Kaur case, a five-judge Constitutional Bench decided that the "right to life" is fundamentally incompatible with the "right to die," just as "death" is incompatible with "life." Later, in the Aruna Shanbaug case, the Supreme Court of India recognized the practice of passive euthanasia, sometimes known as execution by mercy.

Similarly, the Supreme Court of India initially declared that the right to Privacy is not a basic right in the M.P. Sharma case. It is currently regarded as a Fundamental Right by numerous legal rulings. What if the Supreme Court rules once more that one's right to Privacy is not considered a basic right? As a result, unless the government enacts a law preserving the right to Privacy, this fundamental right is not secure.

However, every other law is insufficient; there is an urgent need for severe legislation on the right to Privacy. The legislation that can deal with today's complicated privacy challenges in the digital age.


The capacity of a person or group to disconnect or disclose data pertaining to oneself specifically is referred to as Privacy. The borders and content of what is viewed as personal vary among cultures and individuals, although there are certain commonalities. Occasionally, Privacy is associated with namelessness, an urge to remain undetected or unidentifiable in the open domain. When something is considered personal to a person, it usually means that it is seen as unusual or sensitive inside them. How much confidential data gets exposed along these lines is determined by whether this information is gathered in the open, which varies between locations and over time. Protection primarily extends beyond Privacy to include concepts such as appropriate data usage and indemnification. The privilege of not being subjected by the administration, organizations, or individuals to unsanctioned attacks on Privacy is a piece of the protection legislation of various countries and now and again constitutions. Practically all nations have laws on Privacy here and there; a case of this would be tax assessment law, which regularly requires the sharing of near-home wage or profit data. Individual privacy may conflict with the freedom to freely express laws in certain countries, and some legislation may demand the open sharing of data that is considered private in other countries and communities. Despite the fact that this is an important perspective on human connections, Privacy can be willingly abandoned, generally in return for evident benefits and with specific risks and tragedies all the time. Scholars who work as entrepreneurs, development scientists, and research doctors describe revealing Privacy as a "deliberate penance," such as preparing players for competitions or conflicts.

(Edited and Posted by Lawful Bytes Team)



Army Institute Of Law Mohali