Algorithmic Opacity: Analyzing the Collision of Big Data Analytics and the Right to Privacy under the DPDPA, 2023

Author: Dipanwita Tripathy, University of Calcutta


ABSTRACT 

In the modern digital era, the use of big data analytics has increased across sectors such as healthcare, banking systems, social media and governance. While data has become a high-yield resource for the national economy, it has also raised serious concerns regarding the privacy of individuals. In Justice K.S. Puttaswamy v. Union of India (2017), privacy was recognized as a fundamental right under Article 21 of the Indian Constitution, strengthening the legal protection of individuals. The Digital Personal Data Protection Act, 2023 (DPDP Act) was enacted as the first national law to deal exclusively with digital personal data. However, even after implementation of this Act, several loopholes remain, including the absence of special protection of sensitive data and concerns regarding cross-border data transfer. Despite legal provisions, challenges related to weak enforcement and data misuse persist. This paper examines how big data practices affect individual privacy and highlights the growing need for stricter safeguards like purpose limitation and data minimization.

Keywords: Big Data Analytics, Privacy Rights, DPDPA 2023, Personal Data, Purpose Limitation


INTRODUCTION 

From the recognition of the right to privacy in the K.S. Puttaswamy case to the current petition filed by Senior Journalist Geeta Seshu and SFLC, it appears that the judiciary has shown the reality of the consequences of technological growth and its complications. The recent landmark case, Geeta Seshu & Anr. v. Union of India & Ors. (March 2026), directly addresses the legal failures of the new data protection framework. The petition argues that several provisions of the Digital Personal Data Protection Act, 2023 (DPDPA) and the Digital Personal Data Protection Rules, 2025 dilute constitutional privacy protections and weaken democratic accountability. This case reflects a widening gap between fast-moving data technologies and the slower pace of evolution of legal remedies. In June 2023 we faced the CoWIN Data Breach, where personal details of millions of Indians who registered for the COVID-19 vaccine were leaked by a Telegram bot. After such a breach of the right to privacy, the DPDP Act, 2023 was enforced, which proved that pure State control over Big Data is as vulnerable as in private hands. In February 2026 researchers discovered an unsecured database containing 1 billion entries of sensitive KYC data, including national IDs, belonging mostly to Indian and US citizens, highlighting the risk of having “Data Fiduciaries” as middlemen. These incidents have gradually weakened public trust in digital systems and created concerns regarding the protection of the fundamental right to privacy in everyday digital interactions. In my view, the increasing reliance on automated data systems has created legal challenges that traditional privacy frameworks were not designed to address.


RESEARCH QUESTIONS
  1. Is the use of “inferred data” by technological entities, kept undisclosed as trade secrets, an unconstitutional encroachment on an individual’s right to information under Articles 19(1) and 21?

  2. To what extent does the “Compensation Vacuum” in the DPDP Act, 2023 work against the test of proportionality established in the judgment of the case of Puttaswamy?

  3. Is the principle of Purpose Limitation a legal fiction in the age of Big Data and do we need stricter regulation of data collection?

  4. Does the removal of the ‘Public Interest’ override by the DPDPA create a shield for administrative corruption in the guise of personal privacy?

The primary objective of this study is to inquire about the legal implications of big data algorithms and profiling while searching for adequate means of data protection regulations. The study intends to:

  • Analyze the statutory adequacy of the DPDPA, 2023 in addressing the data predicted by Big Data analytics.

  • Examine the system for compensating victims of a breached Fundamental Right under the DPDPA, 2023 and what changes should be made to it.

  • Propose recommendations on transparency of data usage and clear purpose and restriction of Artificial Intelligence use in automated decision-making using Big Data.

The paper is structured by first establishing the outpaced advancement of Big Data analytics, followed by analyzing judicial decisions and statutory framework, finally concluding with policy recommendations for a better procedural regulation and accountable privacy protection.


LITERATURE REVIEW  
  1. The Conflict Regarding Inferred Data and Article 21:

Current scholarship has debated whether the Right to Privacy covers data that is never actually shared. Recent critics like Amber Sinha have pointed out a growing inference gap, where the debate is whether inferred data, such as AI assumptions about our habits or health patterns, needs protection. Fintech companies use such data in the name of Trade Secrets and proprietary assets. But legal scholars argue that, if a simple algorithm can decide our insurance permit or creditworthiness based on our private profiles, it absolutely violates our Right to Informational Self-Determination. In the ongoing case Venkatesh Nayak v. Union of India, an issue has been raised questioning the violation of the right to know and the right to information under Articles 19(1) and 21 by the DPDP Act. It appears that there is an urgent need to address inferred data as a distinct legal category. The analysis indicates the void in the DPDP Act, 2023 in the matter of AI-generated profiling, and that the Act focuses mainly on data collection.

  2. Compensation Vacuum v. Proportionality Test:

In my view, one significant limitation of the existing legal framework is the absence of an effective and clearly defined mechanism for compensating victims of data breaches. Before the DPDPA, 2023, Section 43A of the IT Act, 2000 allowed victims of data hacks to sue for civil damages. The DPDP Act, 2023 has effectively extinguished this right.

In the ongoing case of Geeta Seshu & Anr. v. Union of India & Ors. (March 2026), the petitioners have challenged this Compensation Vacuum, arguing that massive penalties of up to ₹250 Crore are directed to the Government’s fund while the victim gets no financial recovery. This new system fails the Test of Proportionality, as the victim receives no financial compensation for the breach of the right to privacy. Section 33(1) of the DPDP Act imposes penalties only for ‘significant’ data breaches, while there is only vague statutory guidance for determining what constitutes a ‘significant’ breach.

  3. Failure in Implementation of Purpose Limitation in the Big Data Era:

The principle of purpose limitation requires that personal data be processed only for specific purposes that have been clearly communicated to and accepted by the data subject. Reports from the Internet and Mobile Association of India (IAMAI) and various global tech journals suggest that this idea is becoming just a legal fiction when set against profit-making companies. Even cross-border data transfer is allowed by default under the DPDP Act.

Scholarly analysis of the DPDP Rules shows a trend of expansive interpretation of data, with companies being highly dependent on such data mining. The definition of Legitimate Uses in Section 7 of the DPDP Act is being broadly interpreted, allowing companies to do so. This research argues for a shift of focus from consent to harm prevention.

  4. Statutory Collision: RTI v. Privacy:

The controversy started with the amendment that the DPDP Act made to the RTI Act, 2005 via Section 44(3). In my opinion, this provision acts as a protective shield for corruption. By removing the Public Interest Override, the law allows any public official to hide information by simply calling it “personal data”. Before Section 8(1)(j) of the RTI Act was officially changed, a balancing test existed under which, if the public interest was larger, the information was shared. The highlight is the statutory collision between two Constitutional Rights: the RTI (Right to Information), which is a part of the Right to Freedom of Speech (Article 19), and the DPDPA as a guard for the Right to Privacy (Article 21). This paper addresses this confusion and gap by analyzing whether the current law is being used to actually protect citizens or to protect the State from accountability for its actions.


METHODOLOGY
  1. Nature of the study

The research done is primarily doctrinal and analytical in nature. The study does not rely on empirical data like field surveys or interviews, but instead focuses on the critical analysis of the gaps in the current legal framework. It involves a systematic examination of statutes, including the Constitution of India and the Digital Personal Data Protection Act, 2023, to scrutinize their efficiency against the evolving technological challenges of Big Data. 

  2. Scope and Limitation

The scope of this paper is limited to the Indian legal landscape, specifically emphasizing the post-2023 developments. Another limitation of this study is that the analysis relies primarily on statutory interpretation and publicly available case materials, which may evolve with future judicial developments. While global frameworks like the GDPR in the EU are referred to for comparative clarity, the core analysis mainly focuses on:

  • Statutory impact of the DPDP Act, 2023 on the RTI Act, 2005

  • Judicial challenges currently being faced in 2026 regarding victim compensation.

The study does not cover the technical coding aspects of AI but focuses strictly on its legal implications.

  3. Sources of Data

This research is based on both primary and secondary sources, ensuring the paper covers the latest updates and developments made in 2026:

  1. Primary Sources: Includes DPDP Act, 2023, the DPDP Rules, 2025, and the landmark Supreme Court judgments such as Justice K.S. Puttaswamy v. Union of India and the ongoing 2026 cases of Geeta Seshu and Venkatesh Nayak against the State.

  2. Secondary Sources: To build arguments for remedy and policy changes, the study draws from scholarly journals, reports from regulatory bodies (e.g. IAMAI), and legal editorials from various platforms.


  4. Research Approach

To answer the four research questions, this study adopts the following approaches:

  • Comparative Approach: The contrast between India’s Consent-based model and the global Rights-based models.

  • Evaluative Approach: Assessment of suitability of current penalty system, whether it satisfies the legal requirement of Justice and Equity for the victim.

  • Normative Approach: Proposing what changes should be made to the legal provisions and consequences for AI-generated inferred data.


ANALYSIS: THE ARCHITECTURE OF DIGITAL SURVEILLANCE 
  1. The Inference Paradox and the Constitutional Silence 

The key concern about the DPDP Act is not what it states, but what it leaves unaddressed. While the Act meticulously defines Personal Data under Section 2(t), it does not define the concept of Inferred Data. In our current Big Data ecosystem, corporations are not only collecting but also creating algorithm-based information. By analyzing our location or spending, an algorithm creates a profile of our health or political leanings based on data we technically never gave or consented to the use of.

I contend that such practices can weaken constitutional safeguards, allowing sensitive insights to be generated without explicit consent. If the Puttaswamy (2017) judgment truly intended to provide citizens informational self-determination, then how is our sensitive data being used by tech giants hiding behind the excuse of Trade Secret? This raises a serious concern because individuals often remain unaware of how their personal information is interpreted beyond its original use. In Geeta Seshu & Anr. v. Union of India (March 2026), the Supreme Court Bench led by Chief Justice Surya Kant questioned whether information concerning a person in a public office can truly be classified as “private” once it is processed through algorithmic lenses. This judicial skepticism highlights a fundamental flaw in Section 4 of the DPDPA: the law regulates data collection but ignores the creation of new sensitive insights through big data analytics. When a Significant Data Fiduciary (SDF) uses behavioral data to infer a user’s political orientation or health risk, it avoids the requirement of obtaining user consent. Under Section 7 (Legitimate Uses), these fiduciaries often claim it is necessary for efficiency, yet a Right to Explanation is lacking.

Unlike the GDPR’s Article 22, which at least attempts to offer a Right to Explanation for automated decisions, the Indian framework leaves its citizens in a huge pit of helplessness. We have a Right to correction and erasure of personal data under Section 12(3) of the DPDPA, 2023, but there is no clarification on how we can correct a profile we are not allowed to see. Unlike the GDPR, the DPDPA does not explicitly mandate that data fiduciaries notify third parties if they correct or erase data previously shared with them. This limitation allows personal data to persist across various platforms.

  2. Restorative Justice vs. State Revenue: The Compensation Vacuum

The most heated debate of 2026 and the ongoing petition of Venkatesh Nayak v. Union of India questions the sudden death of civil compensation. From a legal perspective, the absence of compensation mechanisms weakens the practical enforcement of privacy rights. Prior to the DPDP Act and at present, the only legal framework addressing digital data privacy issues is the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. For years, Section 43A of the IT Act was a shield for the Indian consumer. Now that shield is being broken down for the State's profit. The legislative intent behind Section 43A was reinforced in the case of State Bank of India v. Suhas Enterprises and Others, which highlighted that if any entity fails to protect the personal data of any individual, they can be held liable for paying compensation to the affected individuals. 

Under Section 33 of the DPDPA, a company can be fined up to ₹250 crore, yet the person who suffered the damage gets nothing. Section 34 provides that all sums collected in the form of penalties imposed by the Board are credited to the Consolidated Fund of India. While these collected penalties are intended to serve as a deterrent against future breaches and to promote organizational compliance, these funds do not adequately address the harms suffered by the individuals whose data was subject to breach. This issue not only points to a policy deficiency but also encourages the continuation of inadequate data protection practices. Consider the Star Health Breach (2024-25): the State collected a massive penalty while 31 million people had their medical histories sold on Telegram, so the law is effectively taxing privacy breaches rather than preventing them. Is this proportionate under the standards set by the Supreme Court? I argue it is not. This creates a moral hazard where the State profits from the failure of corporations, leaving the citizens doubly victimized. Such a framework turns the Data Protection Board into a revenue collector rather than the watchdog of our digital data privacy. In the IDMerit KYC Leak Litigation (February 2026), when KYC data of millions was exposed via an unsecured database, a series of writ petitions were filed arguing that without a Statutory Right to Compensation, there is no incentive for companies to invest in high-level security because they fear only the State’s fine and not a victim’s lawsuit.

  3. The Weaponization of Privacy Against Transparency

We must address the Statutory collision where the DPDP Act has been used to handicap the RTI Act, 2005. By amending Section 8(1)(j) via Section 44(3), the legislature has removed the Public Interest Override. In the Geeta Seshu hearings, Senior Advocate Indira Jaising argued that this amendment absolutely creates a ‘one way mirror’, where the State has the power to check upon citizens under the guise of State Security under Section 17, but citizens are denied the right to question a State that uses personal data as a shield. Furthermore, Public Information Officers (PIOs) are now structurally incentivized to deny such requests. Given the severe penalties for unauthorized data disclosure under the DPDPA, Public Information Officers choose to protect an official’s privacy over the public's right to know.

In the past, a PIO had to perform a balancing act, deciding whether the public’s right to know about corruption outweighed the official’s privacy. Now there is a bias opposing justice. This moves India away from the Global Minimum Transparency Standard, where public interest is usually the supreme deciding factor. Personal information is being cited as a justification to avoid administrative transparency. The shift is a direct threat to our Right to Know under Article 19 of the Indian Constitution. We are seeking a legal ecosystem where the law empowers citizens instead of being used to shield public officials from accountability. Notably, the balance of transparency and privacy must be carefully preserved to maintain democratic accountability.

This research argues that by removing the balancing test, the DPDPA has inverted the democratic logic of RTI Act: privacy is no longer being used to protect the weak from the strong, but rather to protect the powerful from the public. The Constitution Bench must refer to the judgment, Central Public Information Officer (2019), which held that personal information should remain private unless disclosure is necessary for the public interest. 

According to the GDPR, transfer of personal data outside the EU is subject to strict regulations. It allows data transfer to countries deemed to have adequate data protection measures. In contrast, the DPDP Act allows the Central Government to restrict data transfer to certain notified territories outside India. The Act’s approach is less prescriptive than the GDPR, focusing more on governmental discretion to determine safe data transfer jurisdictions.

  4. Erosion of Purpose Limitation in the Big Data Ecosystem

The principle of Purpose Limitation, the legal mandate that data should be processed only for the specific reason it was collected, is set out in Section 4 of the DPDPA, 2023. For example, when an individual provides personal details to access a banking application, that information may later be analyzed to predict spending behavior not related to the original purpose. But there is a significant statutory dilution in Section 7, which sets out the provision for Legitimate Uses. The author contends that the language of Section 7 allows for an expansive interpretation of “voluntary sharing”. The very value of Big Data lies in its unpredictability: finding secondary correlations that were not apparent at the time of collection. Scholarly debates in the Digital Constitution (April 2025) highlight that Big Data is inherently anti-purpose limitation.

Unlike Section 5(1)(b) of the GDPR, which strictly prohibits “incompatible further processing”, the Indian framework provides broad deemed consent categories. In the 2026 legal landscape, we see companies using a “Notice of Purpose” which is so broad that it renders the principle of purpose limitation a legal fiction. This research argues that such vague notices fail the “informed consent” standard established in the Puttaswamy judgment.

To remain relevant in 2026, the law must recognize that in this Big Data environment, purpose is dynamic. It is submitted that the DPDP Rules 2025 must be interpreted to require a “compatibility test” where any further processing of the data must be functionally related to the original purpose, or else fresh consent must be sought. Without this, the DPDPA is a mere regulator of data at the point of entry, leaving the use of data unchecked.


DISCUSSION 

The analysis of the DPDPA, 2023 and its subsequent 2025 Rules shows a clear tension between technological acceleration and constitutional safeguards. While the Act successfully modernizes India’s data protection framework, it fails to provide a satisfactory enforcement mechanism that prioritizes the Data Principal. The gravest mistake identified in this study is that the State acts as Beneficiary. By redirecting penalties to the Consolidated Fund of India rather than to the victims, the law wrongs its citizens instead of providing a remedy. It appears to me that in the current 2026 legal scenario, privacy is treated as a negotiation rather than an enforceable right.


Policy Implications and Reform:

The ongoing litigation in Geeta Seshu and Venkatesh Nayak shows a critical policy failure: the Statutory Collision with transparency. Since privacy is being used as a blanket to deny RTI requests, it has long ceased to be a tool for personal liberty and has become a tool for administrative opacity. The research suggests that Section 44(3) requires a legislative re-amendment to restore the Public Interest Override mechanism.


Recommendations for Restoring the Balance

To address the “compensation vacuum” and the issue of inferred data and breach of digital privacy, I recommend some essential reforms:

  1. Statutory Right to Damages: The legislature must introduce a Civil Compensation Provision similar to the EU’s GDPR Article 82. This would allow victims of breaches, such as those in the Star Health or KYC Leak cases, to seek direct financial restitution proportionate to the harm suffered, for example if sensitive medical records are exposed during a hospital data breach.

  2. Mandating Algorithmic Transparency: For Significant Data Fiduciaries (SDFs), the Data Protection Board of India (DPBI) should mandate a Right to Explanation. Data Principals must have the right to know the logic behind automated inferences that affect their credit, health, or employment status. 

  3. Independent Board Functioning: To ensure the DPBI remains an actual watchdog and not a puppet acting on behalf of the executive, it must have funding independent from executive discretion, and its members should be appointed through a multi-party judicial committee rather than the process being solely in the hands of the executive. The reactive nature of the DPBI, which may limit the misuse of data, can effectively enforce purpose limitation.

Strengths and Weaknesses:

The primary strength of the DPDPA, 2023 is its simplicity and its attempt to create a “Digital Office” for faster dispute resolution under Section 28. However, such simplicity has come at the cost of legal depth. The Act has failed to regulate de-identified data that can be re-identified through Big Data Analytics. This, in my opinion, remains a significant technical gap.

The DPDP Act is a necessary step, but in the current 2026 landscape the Act has been a procedural success and a substantive failure. Without effective remedies for victims and transparency in algorithmic profiling, the protection of privacy rights becomes significantly weak.


CONCLUSION 

An overall review of the DPDPA, 2023 alongside recent technological developments suggests that legal safeguards are struggling to keep pace with big data practices. This research has systematically examined the three pillars of protection (Privacy, Transparency, and Remedy) and found each to be structurally compromised. From the "Inference Gap", where algorithmic profiling negates consent, to the Statutory Collision, where the RTI Act is being dismantled, the findings suggest that the current framework prioritizes state-centric regulation over citizen-centric empowerment.

As argued throughout the analysis, a fundamental right without a civil remedy is merely a symbolic gesture. By removing the victim’s right to damages and replacing it with state-collected penalties, the DPDPA has inadvertently created a system where the government financially benefits from the data breaches it is supposed to prevent. This shift from restoring justice to revenue-centric deterrence remains the most regressive feature of India’s modern data regime. In my considered opinion, without meaningful remedies for affected individuals, the significance of data protection is symbolic.

Ultimately, the focus of data protection should extend beyond managing breaches and working toward preserving human dignity and their rights. My research concludes that the Data Protection Board (DPBI) must evolve beyond its current bureaucratic role and be empowered to act independently from executive interference to enforce algorithmic transparency.

The final insight of this study is that privacy should not be allowed to become a shield for secrecy and the balance between the Right to Know and the Right to Privacy must be restored. When the law provides a clear, enforceable path to compensation and forces big data fiduciaries to explain their algorithmic process, the citizens will truly regain informational self-determination. The 2026 data privacy issues and criticism are not against the law; they are for necessary correction which ensures India’s digital transformation does not come at the cost of its democratic spirit upheld in the Constitution. 


REFERENCE

STATUTES AND LEGISLATIONS

  • CONSTITUTION OF INDIA, 1950.

  • Digital Personal Data Protection Act, 2023, No. 40, Acts of Parliament, 2023 (India).

  • Digital Personal Data Protection Rules, 2025, G.S.R. 42(E) (India).

  • Information Technology Act, 2000, No. 21, Acts of Parliament, 2000 (India).

  • Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, G.S.R. 313(E) (India).

  • Right to Information Act, 2005, No. 22, Acts of Parliament, 2005 (India).

  • Council Regulation 2016/679 (General Data Protection Regulation), 2016 O.J. (L 119) 1 (EU).


JUDICIAL PRECEDENTS

  • Central Public Information Officer, Supreme Court of India v. Subhash Chandra Agarwal, (2020) 5 SCC 481.

  • Geeta Seshu & Anr. v. Union of India, W.P.(C) No. 275/2026 (Supreme Court of India, Mar. 12, 2026) (Pending).

  • In re: IDMerit KYC Data Leak, W.P. (C) No. 104/2026 (Delhi High Court, Feb. 20, 2026).

  • Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1.

  • S.P. Gupta v. Union of India, AIR 1982 SC 149.

  • Star Health & Allied Insurance Co. v. Telegram FZ LLC, (2024) 456 (HC) (Mad.).

  • State Bank of India v. Suhas Enterprises and Others, (2023) SCC OnLine Bom 1245.

  • State of Gujarat v. Utility Users’ Welfare Association and Others, (2018) 6 SCC 21.

  • Venkatesh Nayak v. Union of India, W.P.(C) No. 177/2026 (Supreme Court of India) (Pending).


BOOKS & JOURNALS

  • Basu, Arindrajit, The DPDPA and the Future of Data Mining in India, 12 Indian J. L. & Tech. 42 (2025).

  • Bhatia, Gautam, The Transformative Constitution: A Radical Biography in Nine Acts (2019).

  • Sinha, Amber, The Networked Public: How Social Media Shapes Democracy (2019).

  • Wachter, Sandra & Mittelstadt, Brent, A Right to Reasonable Inferences: Re-thinking Data Protection Law in the Age of Big Data and AI, 2019 Colum. Bus. L. Rev. 494 (2019).


REPORTS & WEB RESOURCES

  • IAS Gyan, CoWIN Data Leak: Impact on Indian Cybersecurity, https://www.iasgyan.in/daily-current-affairs/cowin-data-leak-3 (last visited Apr. 4, 2026).

  • Internet and Mobile Association of India [IAMAI], Submission on the Draft Digital Personal Data Protection Rules (2025).

  • Software Freedom Law Centre (SFLC.in), State Enrichment vs. Individual Remedy: A Critique of Section 33, SFLC Legal White Paper (Jan. 2026).

  • Symposium on the Digital Constitution, 16 Indian J. L. & Tech. 12 (Apr. 2025).
