Digital Age and Data Protection Laws in India

by Anshuman Pandey

The Supreme Court in KS Puttaswamy v. Union of India[I] held privacy to be a fundamental right under Article 21 of the Constitution, and later, in Internet and Mobile Association of India v. RBI[II], upheld the cryptocurrency business; the debate on data protection is now on the floor. As India pushes for a Digital Age including health, identity, etc., it is now necessary to reshape the relationship between the users and those entrusted with our personal data by forming a comprehensive data protection law for the country.

Various approaches are taken to forming data protection laws. For example, the USA follows the laissez-faire approach. The amendments to the US Constitution, i.e. the First, Fourth, Fifth and Fourteenth Amendments, reflect the right to privacy. Their approach is based upon the understanding of constitutional liberty as freedom from state control.

The European Union enacted the General Data Protection Regulation (GDPR) in May 2018, replacing the existing Data Protection Directive of 1995. It is a comprehensive framework dealing with all kinds of processing of personal data, providing the rights and obligations of the parties in detail.

China has adopted a consent-based framework for strict control on cross-border sharing of personal data, based primarily on averting national security risks. Its cybersecurity law came into force in 2017[III], containing principles to handle personal data.

There is no universal legislation to govern data privacy at a global level; it is dependent upon each jurisdiction’s own understanding and the relationship between the citizens and the state.

India’s scenario is different: being a diversified country, its understanding of the citizen-state relation is not clear. Therefore, in India the conceptualization of the state in the Constitution is based upon two planks:

  1. The state is the facilitator of human progress commanded by the Constitution, i.e. the Directive Principles of State Policy (DPSP) inscribed in Part IV of our Constitution to serve the common good.
  2. The state is prone to excess, so it is checked by effectuating both a vertical (federal structure) and horizontal (three organs of the government) separation of power, as well as by investing every individual with fundamental rights that can be enforced against the state.

These two planks are the base of the evolution of data privacy laws in India. As per the Directive Principles of State Policy, the state should strive and, in particular, direct its policy towards securing that the ownership and control of the material resources of the community are so distributed as best to subserve the common good[IV]. In addition to the DPSP, the right to privacy was recognized in the Justice Puttaswamy case as an integral component of the fundamental right under Article 21 of the Constitution.

The debate on privacy laws in India is not new and can be traced back to the cases of M.P. Sharma v. Satish Chandra, District Magistrate[V] and Kharak Singh[VI], which held that the right to privacy is not protected by the Constitution of India. The Constituent Assembly also made a proposal to guarantee every citizen the right to secrecy of correspondence in clause 9(d) and the protection to be secure against unreasonable searches and seizures in their persons, houses, papers and assets. Since the law relating to search and seizure was already provided under the Cr.P.C., this provision was not incorporated in our Constitution.

The right to privacy, which is now guaranteed under Part III of the Constitution, is not an absolute one and is subject to the satisfaction of certain tests. As agreed by most of the judges of the bench, the European standard of proportionality has to be applied to test privacy infringements in the future. The test will be based upon the principle of the just, fair and reasonable standard evolved under Article 21 of the Constitution.

After the judgment, although the right to privacy was added to Part III of the Constitution, the ruling has not defined what privacy is, and it is left to the adjudicators to interpret the term.

The current position of India in terms of the Data Privacy Laws

India has moved closer to building a proper data protection legal structure, as an extensive data privacy bill has been drafted and was submitted to the government in 2018. Implementing such data protection laws in India is the need of the hour, as they would be a base for the government’s ‘Digital India’ campaign. The proposed bill shall apply to both the government and private entities. Another challenge, that of imposing sanctions on entities that are not present within the territory of India but use personal data in connection with any business carried on in India, will be solved, as the proposed bill extends to such data controllers as well. The Data Protection Bill, 2019 makes four major distinctions between kinds of data, and the restrictions vary as per their level. The first is non-personal data; the second is personal data, from which an individual can be identified easily; the third is Sensitive Personal Data (SPD), which includes information that is likely to cause greater harm, or harm of a graver nature (caste, religious and political belief, sexual orientation, financial data, health data, biometric data, etc.); the fourth is Critical Personal Data (CPD), which has not been defined and merely finds mention in the bill, leaving it open to the government to define as per future need[VII].

Privacy Threats from Outside India

Various entities try to keep data outside the country of business in order to escape its jurisdiction and sanctions. The Data Protection Bill, 2019 identifies circumstances under which data has to be mandatorily stored in India.

The privacy threats can be classified into three categories:

  1. That which involves invasion by a state into a person’s physical body;
  2. Information privacy which captures unauthorized uses of personal information;
  3. Privacy of choice, or “individual autonomy over fundamental personal choices”.

There are instances where tech giants have used deceptive means to gain access to the personal data of individuals. Even if India wanted to take stringent legal action against such companies, it would be an empty threat, given that the existing legal recourse in India under the Information Technology Act, 2000 is inadequate. So, there is an urgent need to call for data sovereignty, and India's actions show that it is striving for the same.

Therefore, “localization” of data under the Data Protection Bill, 2019 is going to play a key role in data protection, and this goes beyond the GDPR, whose restrictions are limited to countries with an inadequate level of data protection rather than a blanket requirement to store data within the country[VIII].

The approach that India should adhere to:

India has to adopt a hybrid and nuanced approach in order to form a comprehensive framework and balance the advantages of a data-driven ecosystem with reasonable restrictions.

Since India is pressing for the Digital India campaign and has the potential to lead the world into a digital economy, it should make use of the existing strengths in information technology, demographic dividend and ensure overall empowerment based on data-driven access to services and benefits.

Approachability, comprehensibility, legibility and readability are some of the factors legislators have to take into consideration while drafting the privacy policy. However, it would be a hectic task to ensure jurisdiction because of the borderless nature of the internet, which needs some sort of extraterritorial jurisdiction.

Recent developments in privacy laws in India, whether the inclusion of privacy under Part III of the Constitution or the draft of the Data Protection Bill, 2019, have led to significant progress towards a comprehensive data privacy regime, one that is increasingly urgent in India. The law introduces a series of rights and obligations modeled on global standards. Personal data being the lifeblood of both the modern economy and politics, national storage of data is the need of the hour to reflect the ambition of both Indian business and the government to stake their claim. Although accountability for the misuse of data by entities has been discussed in the Data Protection Bill, 2019, there is not enough clarification regarding the misuse of data by the government itself and its accountability.

The author is in his 4th year of the B.A. LL.B. (Hons.) course at National Law University and Judicial Academy, Assam.

[I] Writ Petition (Civil) No. 494 of 2012.

[II] Writ Petition (Civil) No. 528 of 2018.

[III] Cyber Security Law of China.

[IV] Article 39(b) of the Indian Constitution.

[V] 1954 AIR 300, 1954 SCR 1077.

[VI] 1963 AIR 1295, 1964 SCR (1) 332.

[VIII] Amba Kak, The Emergence of the Personal Data Protection Bill, 2018: A Critique, Economic & Political Weekly Vol LII No 35.
