
Data Protection in Privacy Rights: Evolution, Current Legislation, and Future Demands


Author: Atul Thakur, Campus Law Centre, Delhi University


Abstract

In an era dominated by digital transformation, data has emerged as a critical asset. From personal identity to national security, data privacy is a cornerstone of individual autonomy and democratic governance. This article critically examines data protection in India, revisiting the evolution of privacy rights, examining the legislative framework (including the IT Act, 2000, the Personal Data Protection Bill, 2019, and the Digital Personal Data Protection Bill, 2022) and comparing it with global standards such as the European Union's GDPR, 2016. It assesses judicial interventions, analyzes the rights of data principals, and evaluates the balance between state interests and individual freedoms, ultimately advocating for a nuanced and enforceable legal framework.


Introduction

The Age of Data and the Indian Context

The maxim "data is the new oil," attributed to Clive Humby, encapsulates the definition of personal data in the 21st century. With the exponential growth of digital transactions and government digitization programs, personal data has become more vulnerable than ever before. This makes the protection of digital privacy a constitutional assertion and regulatory necessity in India. Privacy, although not expressly stated in the Indian Constitution, has been interpreted as a fundamental right under Article 21 in the landmark decision of Justice K.S. Puttaswamy v. Union of India.


Conceptualizing Privacy and Data Protection

The right to privacy is multifaceted, encompassing informational, physical, and decisional (which includes consent) privacy. It includes protection from surveillance, data theft, and unauthorized dissemination of personal details. Informational privacy, which links to data protection, concerns the ability of an individual to control data about themselves. This control is undermined when corporations and state entities process, store, and transfer data without adequate safeguards. The Information Technology Act, 2000, introduced provisions related to cyber crimes but fell short of addressing comprehensive data privacy concerns, as it only provides safeguards for specialized personal data.


Judicial Interpretation of Privacy Rights in India

Indian courts have significantly expanded the meaning of privacy. In Kharak Singh v. State of U.P. and Govind v. State of M.P., the Supreme Court held that privacy must go with dignity and autonomy. The People’s Union for Civil Liberties v. Union of India case addressed telephone tapping and declared it a breach of the right to privacy unless conducted under fair procedure. Similarly, in Mr. X v. Hospital Z, the Court upheld the right of confidentiality in healthcare, balancing the individual’s right to privacy with public interest. However, there remains tension in balancing transparency, especially in contexts like electoral disclosures, with individual privacy. In K.S. Puttaswamy v. Union of India, the Court held that there is a legislative requirement to strengthen the protection of the “big data” that is mined on a large scale by corporations like Meta and by the state in the CIDR (in terms of Aadhaar), for proper personal data protection.


Legislative Developments in Data Protection

The PDP Bill, 2019, was India’s first comprehensive attempt to legislate data privacy. Inspired by the GDPR, 2016 of the European Union, it classified data into personal, sensitive personal, and critical personal data. It introduced concepts such as data fiduciaries and data principals and proposed rights like consent, data correction, and the right to be forgotten. However, it faced criticism for excessive exemptions granted to the state, vague provisions regarding anonymized data usage, and lack of robust notification mechanisms in case of data breaches. The 2022 revision, the Digital Personal Data Protection Bill, simplified several elements while introducing newer rights like post-mortem privacy and removing mandatory data localization; it is yet to be enacted and remains at the draft stage.


Rights and Responsibilities under the New Bill

The DPDP Bill outlines rights for data principals including: right to information and access; right to correction and erasure; right to grievance redressal; and right to nominate in case of incapacitation. It mandates that data fiduciaries undertake reasonable safeguards and imposes penalties up to ₹500 crores for breaches.


Global Comparison: GDPR vs Indian Regime

Unlike the Indian DPDP Bill, the GDPR emphasizes user consent, transparency, and accountability. It mandates: explicit and revocable consent; right to data portability; and mandatory breach notifications to data subjects. In contrast, the Indian regime grants the government wide-ranging exemptions, lacks enforcement independence, and offers limited redressal for individuals in breach situations.


Challenges and Critique of the 2022 Bill

Despite improvements, the 2022 Bill has several shortcomings: no distinction for sensitive personal data; deemed consent that could lead to misuse; lack of a timeline for data deletion after withdrawal of consent; and exemptions for government bodies that violate the Puttaswamy judgment’s proportionality standard. Other issues include dilution of RTI provisions, unregulated offline data, and a Data Protection Board that is not independent.


The Path Forward: Recommendations

1. Legislative Clarity: Define key terms like 'sensitive data', 'trusted geographies', 'adequate protection', 'data localization', 'data protection board' and 'personal data'.

2. Institutional Independence: Make the Data Protection Board autonomous from executive control, which can give rise to the risk of government control and the exercise of undue power.

3. Citizen-Centric Approach: Prioritize the rights of data principals and individuals.

4. Transparency in Government Use: Exemptions provided must meet necessity and proportionality tests; giving the government a free pathway can lead to an institutionally maintained risk of data breaches and leakage of the sensitive data of the country's citizens.

5. Education and Enforcement: Promote digital literacy and effective grievance redressal systems.


Conclusion

India’s journey from ambiguous legal provisions in the IT Act to more structured bills like the PDP, 2019 and DPDP, 2022 reflects a growing recognition of privacy as a pillar of democracy. However, the current legislation needs refinement to uphold fundamental rights robustly. A holistic, transparent, and enforceable data protection law, aligned with global best practices yet tailored for local realities, is essential for safeguarding citizens' rights in a digital India.


References

Cases

  1. K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1 (India).

  2. Kharak Singh v. State of U.P., AIR 1963 SC 1295 (India).

  3. Govind v. State of M.P., AIR 1975 SC 1378 (India).

  4. People’s Union for Civil Liberties v. Union of India, AIR 1997 SC 568 (India).

  5. Mr. X v. Hospital Z, AIR 1999 SC 495 (India).

  6. Suchita Srivastava v. Chandigarh Admn., (2009) 9 SCC 1 (India).

  7. R. Rajagopal v. State of Tamil Nadu, AIR 1995 SC 264 (India).


Statutes & Bills

  1. Information Technology Act, No. 21 of 2000, India Code (2000).

  2. Personal Data Protection Bill, Bill No. 373 of 2019, Parliament of India.

  3. Digital Personal Data Protection Bill, 2022, Ministry of Electronics & Information Technology, Government of India.

  4. General Data Protection Regulation, Regulation (EU) 2016/679 of the European Parliament and of the Council (Apr. 27, 2016).


Articles & Commentary

  1. Shubhodip Chakraborty, Personal Data Protection Bill, 2019 – A Critical Analysis: Old Wine in a New Bottle, (2020) PL February 66.

  2. Aditya Bashambua & Lavanya Chetwani, Critical Analysis: Digital Personal Data Protection Bill, 2022, (2023) 32 JCLJ 519.

  3. Shiv Shankar Singh, Privacy and Data Protection in India: A Critical Assessment, 53(4) J. Indian L. Inst. 663 (2011).




