DATA PRIVACY AND PROTECTION LAW IN INDIA.

Author: KUMARI PRITY OF ASIAN LAW COLLEGE, NOIDA

In digital era, where every click, swipe, and login generate data, the issue of protecting personal information has gained central importance. India, with its booming digital economy and rising internet penetration, has recognized the pressing need to regulate data usage. In India the surge in digital services- from e-commerce and fintech to social media and AI-has led to the generation and collection of vast volumes of personal data. While this has driven innovation and convenience, it has also raised serious concern over data privacy, misuse, consent, and accountability. The Indian government, acknowledging these concerns and drawing inspiration from global practices, enacted the Digital Personal Data Protection Act, 2023.  In this article, we explore the legislative intent, core provisions, supporting case laws, and practical challenges associated with DPDP Act 2023.

USE OF LEGAL JARGON~

• Consent Manager- A mediator authorized to obtain, manage, and review user consent in a transparent and accessible manner.
• Legitimate Use- Conditions under which personal data can be processed without prior consent of the data principle.
• Grievance Redressal- Mechanisms that allow individuals to raise and resolve complaints regarding data misuse or rights violations.
• Significant Data Fiduciary (SDF)- A category of data fiduciaries who process large volumes of personal data and are therefore subject to higher compliance requirements.
•  Data Protection Board of India (DPBI)- A statutory authority created to enforce the DPDP Act, 2023 investigate breaches, and impose penalties.

THE PROOF~

India’s data protection journey began with recognition of constitutional right. In the justice K.S. Puttaswamy vs. Union of India (2017) case, a nine- judge bench of the Supreme Court unanimously declared that the right to privacy is fundamental right under Article 21 of the constitution. This historic ruling paved the way for statutory framework on data protection.

Later, the government set up the justice B.N. Srikrishna Committee, which gave its suggestions in 2018. Data Protection Bill was introduced in 2019 and went through several changes before the final digital personal data protection Act passed in 2023.

ABSTRACT~

The DPDP Act,2023 is India’s first comprehensive legislation dedicated solely to protecting personal data. It is guided by seven core principles: lawful purpose, data minimization, consent, accuracy, storage limitation, reasonable safeguards and accountability.

Salient Features~

• Applicability: The Act applies to the processing of digital personal data within India, and also to processing by Indian entities or foreign companies that offer goods or services in India.
• Consent Mechanism: Consent must be free, specific, informed and unambiguous, with a clear affirmative action. The Act empowers users to withdraw consent anytime.
• Legitimate Uses: Data can be processed without consent for purposes such as compliance with law,  court orders, or for state functions (e.g., issuing licenses, subsidies).
• User Rights

1. Right to correction and erasure of incorrect or obsolete data.

2. Right to grievance redressal.

• Obligations of Data Fiduciaries: They must ensure reasonable security measures, notify breaches, and delete personal data once the intended purpose is fulfilled.
• Data Protection Board of India (DPBI): Established to monitor compliance, conduct investigations, and impose penalties ranging from ₹10,000 to ₹250 crore, depending on the severity of the breach.
• Exemptions: Government agencies may be exempted from some provisions in the interest of national security, public order, or sovereignty, subject to safeguards.
• Cross- Border Data Transfers: Unlike previous versions, the Act allows data transfer outside India unless specifically restricted by the government through notification.
• Children’s Data: Processing of children’s data (under 18) requires verifiable parental consent and prohibits harmful tracking or behavioral targeting.

CASE LAWS~

1. Justice K.S. Puttaswamy (Retd.) vs. Union of India(2017) 

Citation: (2017) 10 SCC 1

FACTS-

Retired judge K.S. Puttaswamy challenged the constitutional validity of the Aadhaar scheme, which required individuals to share biometric and demographic data with the government.

ISSUE-

Does the Indian constitution protect the right to privacy as a basic fundamental right?

HELD-

The Supreme Court held that privacy is a fundamental right, implicity guaranteed under Article 21 (Right to life and personal liberty), and others parts of the constitution.

SIGNIFICANCE-

• This landmark case became the foundation for enacting a comprehensive data protection regime.
• The judgement recognized that individuals have the right to control, the collection, storage, and dissemination of their personal information.
• The court warned that without storage data protection laws, citizens would be vulnerable to state and corporate surveillance.

2. INTERNET AND MOBILE ASSOCIATION OF INDIA (IAMAI) vs. RESERVE BANK OF INDIA (2020)-

Citation: (2020) SCC online SC 275

FACTS-

The RBI issued a circular in 2018, effectively banning banks from dealing with cryptocurrency exchanges, citing concerns of consumer protection and data integrity.

ISSUE:

Was the RBI’s ban on cryptocurrencies unfair and did it harm the basic rights of crypto businesses?

HELD-

The Supreme Court cancelled the RBI circular. It said the ban was unfair and didn’t have enough legal support. The Court made it clear that any rule that limits trade or business must be reasonable and balanced.

SIGNIFICANCE-

• Though not directly a privacy case, it reaffirmed the principle of proportionality-a concept vital in data protection.
• The judgment emphasized that the state must justify restrictions on individuals or corporate rights, especially when dealing with sensitive digital data.

3. WHATSAPP LLC vs. UNION OF INDIA (2021-PENDING)

FACTS-

WhatsApp updated its privacy policy in 2021, which allowed sharing user data with parent company Facebook. This led to widespread backlash and a petition filed before the Delhi High Court and Supreme Court.

ISSUE-

Does WhatsApp’s new policy violate the right to privacy of Indian users? Is there an absence of data protection law regulating such practices?

HELD-

The case is still pending, but the court has issued notices to WhatsApp’s unequal treatment of Indian users compared to European users protected under GDPR.

SIGNIFICANCE-

• This case reflects the regulatory vacuum before the DPDP Act.
• It highlights how multinational tech companies could exploit weaker data regimes.
• The case has spurred demand for stronger consent and purpose limitation clauses in Indian privacy law.

4.ANURADHA BHASIN vs. UNION OF INDIA (2020)

Citation: (2020) 3 SCC 637

FACTS-

It the wake of the revocation of Article 370 in Jammu& Kashmir, internet services were suspended for several months. Journalist Anuradha Bhasin filed a writ petition against this suspension.

ISSUE-

Was stopping internet services for an unlimited time allowed under the consitituion?

HELD-

The Supreme Court ruled the access to the internet is a part of the right to freedom of speech and doing business. So, stopping internet services must be fair, necessary, and for a good reason. 

SIGNIFICANCE-

• Through not a direct privacy case, it reinforced the idea that digital rights form part of fundamental rights.
• The judgement indirectly emphasized the importance of digital access in exercising privacy and related rights.

CONCLUSION OF CASE LAW SECTION-

Together, these cases paint a clear trajectory:

• From early recognition of communication privacy (PUCL)…
• To acknowledgment of privacy in financial and digital contexts (WhatsApp case)

These rulings not only prompted the legislative urgency behind the DPDP Act, 2023, but they also serve as interpretative tools when courts review data breaches, consent issues, or surveillance under the new law.

CONCLUSION-

India’s digital landscape is undergoing a seismic shift. With over 800 million internet users, massive digitization of services, and increasing reliance on AI and big data, the risk to personal data has never been higher. The DPDP Act, 2023, is India’s first step toward a rights-based digital future, balancing individual liberty with technological innovation.

THE ACT SUCCEEDS IN :

• Establishing clear user rights.
• Enforcing obligations on companies.
•  Creating a statutory oversight body (DPBI).
•  Providing avenues for grievance redressal and penal actions.

Yet, critics point to several exemptions:

• BOARD GOVERNMENT EXEMPTIONS- critics argue that allowing blanket exemptions to the state could lead to misuse and surveillance.
• LACK OF PARLIAMENTARY OVERSIGHT- rules under Act are framed by the executive, raising concerns about checks and balances.
• PUBLIC AWARENESS GAP- many users remain unaware of their digital rights, making enforcement largely top-down.

In conclusion, while the DPDP Act lays a robust foundation, much depends on implementation, judicial interpretation, and public engagement. In the coming years, as India aims to become a global digital leader, protecting citizens data rights must remain a central pillar of its legal and policy framework.

FAQ~

Q1. WHAT IS THE DPDP ACT,2023?

~ It is a law that governs the processing of personal data in digital form, ensuring user consent, privacy rights, and accountability from companies handling such data.

Q2. IS PRIVACY A FUNDAMENTAL RIGHT IN INDIA?

~ Yes, the Supreme Court said in 2017 in case of justice K.S. Puttaswamy vs. Union od India that privacy is a fundamental right under Article 21.

        Q3. WHO OVERSEES COMPLIANCE WITH THE DPDP ACT?

~ The Data Protection Board of India (DPBI) is in charge of making sure the law is followed and punishing anyone who breaks it.

Q4. CAN DATA BE PROCESSED WITHOUT CONSENT?

~ Yes, under specific “legitimate uses” like compliance with the law, public interest, or emergencies, data can be processed without prior consent.

Q5. ARE THERE ANY RESTRICTIONS ON CROSS-BORDER DATA TRANSFER?

~ The Act allows such transfers unless restricted by thr central government. This provides flexibility for multinational operations.

Q6. DOES THE LAW APPLY TO OFFLINE DATA?

~ No, the DPDP Act specifically applies to digital personal data, including data digitized from physical records.

Q7. HOW DOES THIS LAW AFFECT BUSINESSES?

~ Businesses that collect personal data must follow rules like collecting only necessary data, keeping it safe, and solving customers complaints. If they don’t follow these rules, they can be fined heavily.