Author: Simran,  Himachal Pradesh University

This research paper involves the evolution of digital privacy in India after the landmark judgment of K.S. Puttaswamy v. Union of India (2017), in which right to privacy was declared as a fundamental right. With the increase in digitalization and government measures like biometric, digital locker- this research paper analyzes whether the Information Technology Act, 2000 and the Digital Personal Data Protection Act,2023 protects citizen’s digital rights. This research is supported by judicial pronouncements, policy analysis and secondary sources. It highlights the gaps in consent model, enforcement and the lack of dedicated data protection authority. Findings suggest that India has taken steps to safeguard privacy , evolving technology. The paper concludes with recommendations on strengthening privacy laws and fostering transparency.

Keywords

Privacy, Data Protection, Consent, Artificial Intelligence, India

With the sudden rise of digital platforms, artificial intelligence, mobile applications, and face recognition in India, the protection of personal data has become more complex. The landmark judgment of Puttaswamy v. Union of India incorporated the right to privacy in the right to life and liberty under Article 21 of the Indian constitution. However the collection of biometric data under Aadhar, use of facial recognition, mass surveillance programs by the government has raised major concerns. 

This research aims to explore the sufficiency of India’s existing legal and regulatory mechanisms in safeguarding the digital privacy rights of its citizens. It examines the Digital Personal Data Protection Act, 2023, and evaluates its provisions in relation to international benchmarks such as the General Data Protection Regulation (GDPR).

The aims of this study are: (i) to identify the difficulties in implementing consent driven data practices, (ii) to examine how the right to privacy is constitutionally interpreted in the digital age and (iii) to assess how evolving technologies might affect personal privacy.

This study is significant as it can guide legal reforms, enrich public policy debates and propose actionable pathways to strengthen digital privacy protections in India.

Since the Puttaswamy judgment, most academic discussions have focused on its impact on constitutional rights. However, there is still a lack of research on AI-based surveillance and how digital consent is enforced. Scholar Ujwal Kumar has pointed out that while Aadhaar passed the court’s review to some extent, its use still raises concerns due to weak systems for addressing complaints.

The Digital Personal Data Protection Act, 2023 tries to address some of these issues, but critics argue that it gives too many exemptions to the government and does not set up an independent regulatory body. In comparison, the GDPR sets stricter rules for consent and gives more power to independent Data Protection Authorities.

Reports by organisations like the Internet Freedom Foundation show that facial recognition technology is being used without any clear legal support or transparency. This often violates the principles of necessity and proportionality mentioned in the Puttaswamy judgment. 

This paper points out a gap in how Indian laws deal with issues like algorithmic bias, decisions made by AI systems and profiling-especially when there are no strong accountability measures for these technologies.

This study adopts a qualitative, doctrinal research method, relying on secondary sources such as statutes, constitutional texts, court judgments, policy documents, academic literature and reports from civil society organisations. Judicial analysis draws from decisions of the Supreme Court and various High Courts. Legislative interpretation centers on the Information Technology Act, 2000 and the Digital Personal Data Protection Act, 2023.

A comparative approach is used to evaluate India’s data protection laws against global frameworks, particularly the EU’s GDPR and the Unites State’s sector-specified model. No fieldwork or empirical research was conducted.

The Supreme Court’s ruling in Justice K.S. Puttaswamy v. Union of India laid the groundwork for recognizing digital privacy as a fundamental right in India. The judgment highlighted key principles such as informational self-determination, bodily integrity and protection against unwarranted state interference.

Following this, the Aadhaar verdict allowed the use of Aadhaar for welfare schemes but struck down its mandatory use for services like mobile connections and bank accounts.

The Digital Personal Data Protection Act, lays down clear rules for how personal data should be handled. Individuals must give their permission before their data is used. However, the Act gives the government broad exemptions, which weakens its overall impact.

Unlike the GDPR, India lacks a powerful and independent data protection body. The enforcement of data rules is still quite weak and many people -especially in rural and semi-urban areas –are not fully aware of their digital rights or what giving consent really means.

India’s approach to privacy took a big step forward with the Puttaswamy judgment, which recognised digital rights as part of the Constitution. But in practice, these rights often fall short because of loopholes in law and a lack of strong action by the government. 

The consent framework in the Digital Personal Data Protection Act struggles to keep up with the complexities of today’s digital platforms. In many cases, consent is either taken for granted or influenced by unclear wording and default settings that leaves users with little real choice.   

When compared to the GDPR, India’s approach shows clear gaps. There is no independent authority with the power to enforce rules or impose meaningful penalties. Systems to audit algorithms, check fairness in AI-decisions or respond swiftly to data breaches are either missing or poorly developed.   

Cases of unchecked state surveillance, such as the use of Pegasus spyware, reveal the lack of legal protection and proper judicial oversight. Even though the Supreme Court has raised concerns and demanded accountability in the Pegasus matter, there’s been minimal follow-through so far.

These gaps come with serious consequences. When people don’t have clear rights or effective ways to seek justice, their personal data can be misused-whether by the government or by private companies. This not only puts individuals at risk but also erodes public trust in digital systems and governance.

India has made progress by acknowledging privacy as a fundamental right. Yet when it comes to enforcing digital privacy, the efforts are often uneven and lacking. 

To truly protect people from data misuse and unchecked surveillance, there’s an urgent need for stricter laws, active involvement from the judiciary and more awareness among the people. 

Key recommendations include: setting up an independent Data Protection Authority with the power to investigate and enforce rules; requiring transparency in the use of algorithms by public institutions; improving consent mechanisms and launching nationwide digital literacy initiatives.

Future research should explore the social and legal impacts of AI-based surveillance, conduct empirical evaluations of data protection practices and develop privacy-by-design solutions for use in public governance.

Cases

1. Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1.

2. Aadhar (UIDAI) v. Justice K.S. Puttaswamy, (2019) 1 SCC 1.

   
   

Statutes

3. Digital Personal Data Protection Act, 2023, Act No. 22 of 2023 (India).India Code+2MeitY+2Wikipedia+2

4. Information Technology Act, 2000, Act No. 21 of 2000 (India).India Code

5. Regulation (EU) 2016/679, General Data Protection Regulation, 2016 O.J. (L 119) 1 (EU).WIRED+5GDPR+5Publications Office of the EU+5

Articles

6. Ujwal Kumar, Privacy and Data Protection in India: Legal Gaps and Future Prospects, 12 NUJS L. Rev. 45 (2023).

7. Internet Freedom Foundation, The State of Surveillance in India, 2022 Report, https://internetfreedom.in/state-of-surveillance-2022/.