1

Privacy in the digital era: Constitutional concerns over

surveillance and government access to personal data in India

A DISSERTATION

Submitted by

ANANYO ROY

Reg. No. LM0123023

Under the guidance of

DR. Aparna SREEKUMAR

In partial fulfilment of the requirements for the awards of the Degree of

MASTER OF LAWS

LL.M. (CONSTITUTIONAL AND ADMINISTRATIVE LAW)

2

CERTIFICATE

This is to certify that Ananyo Roy , Register No. LM012303 has submitted the dissertation
titled " Privacy in the digital era: Constitutional concerns over surveillance and
government access to personal data in India " is a record of research work done by him
during the academic year 2023-2024 under my supervision in partial fulfillment for the award
of Master of Laws (LL.M.) in Constitutional and Administrative Law.

Place;- Kochi

Date:-
3

DECLARATION

I, Soorya Ananyo Roy , hereby declare that the dissertation titled " Privacy in the digital
era: Constitutional concerns over surveillance and government access to personal data
in India " is a record of original research work undertaken by me for the award of the
degree of Master of Law in LL.M. (Constitutional and Administrative Law) I have completed
this study under the supervision of Dr. Aparna Sreekumar, Faculty member, National
University of Advanced Legal Studies, Kochi.

I also declare that this dissertation has not been submitted for the award of any degree,
diploma, associate ship, fellowship or other titles, I hereby confirm the originality of the work
and that there is no plagiarism in any part of the dissertation.

Place;- Kochi

Date:-

ANANYO ROY

LM0123023

NUALS, Kochi
4

ACKNOWLEDGEMENT

This piece of work is the culmination of intense research guided immensely by very
resourceful persons. First and most importantly, from the bottom of my heart, I render my
sincere gratitude to my guide and supervisor, who walked me through the right path in
accomplishing my task on time, (Dr.) APARNA SREEKUMAR, for her immense support. I
am forever indebted to you for your patience and motivation.

I express my sincere and deepest gratitude to the Vice-Chancellor Former Justice S. SIRI
JAGAN for providing me with this opportunity and his kind support during this endeavor. I
also thank Prof. (Dr.) MINI S. for imparting her knowledge and inspiring me throughout the
completion of this work. I also express my due respect and gratitude to all the faculty of
NUALS for their constant encouragement.

I also thank the NUALS library and its staff, for the access provided to the online and offline
resources, which have helped me abundantly in completing this Dissertation.

I also thank my family, friends and God Almighty for his blessings, without which this
dissertation would have been impossible.

ANANYO ROY
5

ABBREVIATIONS

ABBREVIATIONS FULL FORMS

APEC - Asia-Pacific Economic Cooperation

CCPA - California Consumer Privacy Act

CoE - Council of Europe

DPA - Data Protection Act

DPDPA - Digital Personal Data Protection Act

EU - European Union

GDPR - General Data Protection Regulation

ICO - Information Commissioner's Office

IIPs - Information Privacy Principles

LGPD - Lei Geral de Proteção de Dados

(Brazilian General Data Protection Law)

OECD - Organisation for Economic Co-operation and Development

PIPEDA - Personal Information Protection and Electronic Documents Act

SC - Supreme Court

UIDAI - Unique Identification Authority of India

UPA - United Progressive Alliance

6

LIST OF CASES

1. Kharak Singh vs State of Uttar Pradesh (1962)

2. Gobind vs State of Madhya Pradesh (1975)
3. Justice K.S. Puttaswamy (Retd.) vs Union of India (2017)
4. Nikhil Deogun vs Union of India (2019)
5. Manohar Lal Sharma Vs Union of india & Ors. 2021

6. Ministry of Information and Broadcasting, Govt. of India v. Cricket Association of

Bengal,
 7

TABLE OF CONTENT

CONTENT PAGE NO
8
9

Abstract

In the digital era, government access to personal data has emerged as a complex and pressing
issue with significant implications for privacy, civil liberties, and individual rights. This
dissertation focuses on the constitutional concerns surrounding surveillance and government
access to personal data in India, particularly in the context of the Digital Personal Data
Protection Act 2023.

The Constitution of India recognizes the right to privacy as a fundamental right under Article
21, and the "Justice K.S. Puttaswamy (Retd.) vs Union of India" case in 2017 affirmed the
intrinsic nature of privacy in the protection of life and liberty. However, the Indian
government has introduced various surveillance programs and laws allowing the collection
and access of personal data, leading to a dynamic and evolving debate on the constitutionality
of these practices.

The Digital Personal Data Protection Act 2023 represents a significant milestone in India's
journey toward data protection and privacy. However, questions remain about data
localization, surveillance, and the potential impact on civil liberties, especially in the context
of the Act's provisions for critical personal data.

Through a comprehensive analysis of the constitutional framework, international data

protection laws, legal cases, and government access practices, this dissertation explores the
multifaceted challenges surrounding the protection of civil liberties in the digital age. Case
studies demonstrate the real-world impact of government access to personal data on privacy
and freedom.

The dissertation concludes with recommendations, emphasizing the need for comprehensive
data protection legislation, strong oversight mechanisms, transparency, and accountability to
safeguard civil liberties while addressing legitimate government security concerns. It
underscores the dynamic nature of privacy protection in the digital age and the necessity of
striking a delicate balance between national security and individual rights.
10

The protection of civil liberties in the digital era is a fundamental challenge, and this
dissertation contributes to the ongoing discourse by addressing India's unique context while
drawing lessons from international practices and experiences.

Introduction

The rapid advancement of technology has ushered in a digital era that has transformed the
way we live, communicate, and conduct our daily affairs. As we embrace the convenience
and efficiency brought about by the digital revolution, we also grapple with an unprecedented
conundrum – the pervasive collection, monitoring, and access to our personal data by
governments. In this era of digitization, the profound implications of government access to
personal data on privacy rights and civil liberties have become a subject of profound concern
and scrutiny worldwide. This dissertation delves into these concerns, with a specific focus on
the implications of government access to personal data and its constitutional ramifications
within the Indian context.

The Digital Personal Data Protection Act (DPDPA) of 2023, hereinafter referred to as the
“

DPDP Act, marks a pivotal moment in India's journey towards safeguarding digital privacy
and data protection. However, it's imperative to recognize that the genesis of this legislation
is rooted in the realization that India lacked a specific legal framework to deal with the
burgeoning cases of personal data breaches. The legal foundations of data privacy and
protection in India gained prominence with the landmark judgment in the "Justice K.S.
Puttaswamy (Retd.) vs Union of India" case, where the Supreme Court recognized the right
to privacy as a fundamental right under Article 21 of the Indian Constitution. This
acknowledgment confirmed that the protection of life and liberty guaranteed by the
Constitution depends on privacy. It set the stage for a more comprehensive legal framework
to protect personal data in the digital age.

The DPDP Act, largely influenced by the Digital Personal Data Protection Bill (PDPB) of
”

2022, seeks to establish a robust legal framework that provides data protection, upholds
privacy rights, and preserves civil liberties. This legislation is especially significant given the
government's initiatives to digitize India, exemplified by the introduction of Aadhaar (a
unique identity number), the Unified Payments Interface (UPI), and Digi Locker. These
initiatives, while aimed at enhancing efficiency and accessibility, have considerably
11

augmented the digitization of personal data in India. Consequently, it is imperative that the
Indian Parliament takes a proactive stance to ensure that these digital advancements are
balanced with the protection of each person's civil liberties and right to privacy.
“

The scope of the constitutionality of surveillance and government access to personal data in
India is a multifaceted and continuously evolving issue. The right to privacy is one of the
essential rights guaranteed to Indian citizens under Article 21 of the Constitution. This right
includes the ability to manage one's personal data and the liberty to be left alone.
Nevertheless, the concept of privacy and the extent of its protection have been subjects of
interpretation and debate within the Indian courts. In 2017, the Indian Supreme Court (SC)
affirmed that the right to privacy is a basic right under Article 21 and that it is essential to the
preservation of life and liberty guaranteed by the Constitution. Yet, despite this recognition,
the Indian government has implemented several surveillance programs and laws that permit
the collection as well as access of personal data, further complicating the landscape of
privacy and civilliberties.

One of the most prominent examples of such a legal framework is the Aadhaar Act, which
established a unique identification system for residents of India. The potential for privacy
violations and concerns about the use and storage of personal data have drawn attention to
and criticism of the Aadhaar Act. Notably, the Indian Supreme Court maintained the legality
of the Aadhaar Act in 2018 while enforcing some limitations and protections.

The scope of constitutionality concerning surveillance and government access to personal

data in India continues to evolve as new technologies emerge and as pertinent cases are
presented before the courts. In addition to issuing recommendations and protections to protect
individual privacy, the SC of India additionally highlighted the need for establishing a
balance between concerns about national security and the right to privacy. As we delve into
the heart of this research, we aim to navigate the complexities surrounding the constitutional
implications of surveillance in India and examine the impact of extensive surveillance and
government access to personal data on privacy rights and civil liberties within this dynamic
legal landscape.
12

Background and Context of the Study

The advent of the digital age has caused an unparalleled level of connectedness, information
sharing, and technological progress. While these developments have undoubtedly brought
about transformative changes in our lives, they have also raised profound questions about the
preservation of privacy and the protection of civil liberties, especially when governments
exercise their authority to access personal data. This dissertation delves into the evolving
landscape of privacy rights, surveillance, and government access to personal data, with a
specific focus on India.

The Digital Revolution and the Need for Data Protection:

The globe has experienced a digital revolution in recent decades that has drastically changed
the way individuals communicate and conduct business with one another, with businesses,
and with governments. The proliferation of digital devices, the ubiquity of the internet, and
the explosion of data-driven technologies have collectively reshaped the fabric of society.
The benefits of this digital transformation are numerous, ranging from enhanced
communication and convenience to innovative solutions that have improved efficiency in
various sectors. However, this transformation has not been without its challenges.

The increasing digitization of personal information, from financial transactions to healthcare

records, and the growing interconnectivity of systems have magnified the risks associated
with data breaches and privacy infringements. In this digital milieu, personal data, once
confined to physical records, is now stored, transmitted, and analyzed electronically. The
vulnerabilities inherent in this ecosystem have necessitated the development of robust data
protection and privacy frameworks to safeguard individuals' rights and interests.

The Constitutional Protection of Privacy in India:

The Constitution, which outlines the fundamental freedoms and rights that every Indian
citizen is entitled to, has historically been viewed as the ultimate source of legal power in the
country. One such fundamental right that extends across both the physical and digital
13

domains is the right to privacy. The SC's historic judgment in the 2017 case of "Justice K.S.
Puttaswamy (Retd.) vs Union of India" solidified the idea that privacy is a fundamental right
in India. This important judgment marked an important point in Indian constitutional history
by emphasizing the fundamental connection between privacy and the protection of life and
liberty.

The Need for Legal Frameworks and Data Protection Legislation:

India adopted the initiative to pass comprehensive data protection legislation after realizing
the significance it was to safeguard personal information in the digital era. An important
piece of legislation is the DPDPA of 2023. The goal of this legislation is to establish a
systematic legal framework that will govern the gathering, use, and preservation of personal
data. It was influenced by the Digital Personal Data Protection Bill of 2022.

As India's government initiatives aimed at digitizing the nation continued to flourish, with the
introduction of transformative technologies like Aadhaar, the Unified Payments Interface
(UPI), and Digi Locker, it became clear that a comprehensive legal framework was
necessary. These initiatives streamlined access to public services, financial transactions, and
essential documents, but they also underscored the pressing need for data protection.

Scope of this study:

The constitutionality of government surveillance as well as access to private information in

India is an intricate, multifaceted issue that warrants thorough examination. Particularly
within the limits of the Indian Constitution, it poses important problems regarding the way to
accomplish a balance between individual privacy rights and national security concerns. As
new technologies emerge and legal challenges arise, the SC of India has been instrumental in
providing guidelines and safeguards to protect the privacy of individuals.

This dissertation seeks to explore these complexities and confront the pressing questions
surrounding the constitutional implications of surveillance in India. In doing so, it analyses
the impact of extensive surveillance and government authority on private information on
privacy rights and civil liberties within the dynamic and evolving legal landscape of the
digital era.
14

As the research unfolds, it investigates the extent to which the present legal framework in
India is sufficient to protect citizens' privacy and personal data, examine the potential
consequences of government surveillance on fundamental rights like freedom of speech and
expression, and assess how the intersection of technology, surveillance, and government data
access affects democratic participation and dissent.

In the ensuing chapters, I have delve deeper into the legal, ethical, and practical dimensions
of these issues, with the ultimate goal of contributing to a deeper understanding of the
complex interplay between technology, privacy, and civil liberties in the digital age,
particularly within the Indian context.

Significance of the Research

The significance of this research is multifaceted, encompassing legal, societal, and ethical
dimensions, and it has implications for both India and the global community. This study
addresses critical issues in the digital era and government access to personal data, shedding
light on their constitutional implications within the Indian context. The importance of this
research is evident through the following aspects:

1. Legal and Constitutional Implications:

This research contributes significantly to the field of law and constitutional studies. It
explores the intricacies of constitutional rights, with a specific focus on privacy, as
recognized under Article 21 of the Indian Constitution. The significance of this research lies
in its in-depth examination of how constitutional principles apply to the challenges posed by
government surveillance and data access in the digital age. The dissertation seeks to clarify
the boundaries and protections of these rights, offering valuable insights for legal scholars,
practitioners, and policymakers.

2. Data Protection and Regulation:

The DPDPA of 2023 is a landmark legislation for India, signaling the nation's commitment to
protecting personal data in a digital society. This research is significant in providing a
comprehensive assessment of the DPDP Act, examining its strengths, limitations, and areas
for improvement. Such insights have far-reaching implications for data protection and
15

regulation, not only in India but also for countries looking to develop or refine their own data
protection frameworks.

3. Privacy and Civil Liberties:

A fundamental right is the right to privacy, and democracy depends on the protection of civil
liberties. This research is essential in assessing the impact of government surveillance and
data access on these fundamental rights. By exploring how digital advancements intersect
with the right to dissent, protest, and participate in democratic processes, this study highlights
the broader societal implications of privacy infringements. It provides valuable context for
activists, policymakers, and citizens advocating for the preservation of civil liberties.

4. Ethical Considerations:

Ethical considerations surrounding privacy, surveillance, and government data access are of
paramount importance. This research delves into the ethical dimensions of these issues,
enabling a deeper understanding of the ethical dilemmas faced by governments, businesses,
and individuals. The research's ethical perspective is a useful tool for anyone trying to
understand the complicated ethical framework around data protection and surveillance.

5. Global Relevance:

The research holds global significance as it explores issues that transcend national
boundaries. Data privacy, government surveillance, and civil liberties are concerns that
resonate worldwide. By examining India's approach and the challenges it faces in this
context, the study provides valuable comparative insights for other countries dealing with
similar challenges, contributing to the global conversation on data protection and digital
privacy.

6. Policy Recommendations:

As part of this research, policy recommendations and proposed amendments to existing laws
are provided. These recommendations offer a practical and constructive approach to
addressing the challenges and gaps in the current legal framework. They are intended to
guide policymakers and lawmakers in India and potentially inspire discussions on best
practices in data protection and privacy globally.
16

Research Objectives:

1. To understand the constitutional implications of government surveillance and access

“

to personal data in India, especially in light of the Digital Personal Data Protection
Act of 2023.

2. To analyze the impact of extensive surveillance and government access to personal

”

data on privacy rights and civil liberties in the Indian context.

3. To compare data privacy laws in India with those in other countries, with a focus on
international best practices and legal standards for data protection.

Research Questions:

1. Are the current legal frameworks in India sufficient to adequately safeguard citizens'
privacy and protect their personal data, especially in the digital age?
“

2. What are the potential consequences of government surveillance and government

access to personal data on privacy rights and freedom of speech and expression in
India?

3. Does the intersection of technology, surveillance, and government access to personal

”

data in India intersect with the right to dissent, protest, and participate in the
democratic process as guaranteed by the Indian Constitution?

4. Can the central government legitimately restrict access to certain publicly accessible
web data in the name of public interest, and what impact does this have on civil
liberties?
17

Hypotheses:

1. Hypothesis 1: The prevalence of surveillance practices and government access to

personal data in India has a negative impact on the privacy rights and civil liberties of
“

individuals, potentially infringing on their right to privacy under the Indian

Constitution.

2. Hypothesis 2: While the Digital Personal Data Protection Act of 2023 applies to all
kinds of personal data, it does not adequately address sub-categories of personal data
such as sensitive or critical personal data, which creates a potential loophole for data
violations.

3. Hypothesis 3: The central government's ability to obstruct public access to certain

information by way of a written order as provided by the DPDP Act on the grounds of
public interest can jeopardize civil liberties, particularly the right to access
information and freedom of speech and expression.

4. Hypothesis 4: Comparative analysis of data privacy laws in India with those in other
countries will reveal gaps and areas for improvement in India's data protection
framework, ultimately contributing to the enhancement of data privacy laws in the
country.

These research objectives, questions, and hypotheses form the foundation for your study,
”

guiding your investigation into the complex interplay between technology, privacy,
government access to data, and the legal and ethical considerations surrounding these issues
in the Indian context.

Methodology

The methodology section outlines the research approach and methods that I have employed to
investigate the constitutionality of surveillance and government access to personal data in
18

India, as well as their impact on privacy rights and civil liberties. The research predominantly
employs a doctrinal and analytical research method.

Research Method:

1. Doctrinal Research:

The primary research method is doctrinal research, which involves an extensive examination
of existing legal sources and documents. This includes an in-depth analysis of statutory
provisions, case law, and legal literature related to data protection, privacy, and government
surveillance in India. Key sources for doctrinal research will include statutes like the DPDPA
2023, relevant legal cases, judgments, government documents, and academic articles.

2. Analytical Research:

Scope: In addition to doctrinal research, analytical research has been conducted to critically
analyze and synthesize the findings from legal sources. This analytical approach involved
examining case law, legislation, and legal literature to identify trends, gaps, and areas of
concern related to privacy and surveillance. Analytical research has drawn upon legal
scholarship, expert opinions, and comparative studies of data protection laws and surveillance
practices in other countries.
19

Chapterisation

Historical Development of Privacy Rights and Surveillance in India

In India, the concept of privacy as a basic right has a long history. The right to life and
personal liberty have been established as fundamental rights by Article 21 of the
Indian Constitution, which came into force in 1950 and formed the foundation for the
protection of privacy. Nonetheless, over time, the idea of privacy and its scope have
changed significantly. The 2017 judgment in "Justice K.S. Puttaswamy (Retd.) vs
Union of India" by the SC was an important moment in the country's history on
privacy rights. The right to privacy was recognized by the SC in this case as a basic
right under Article 21 that is fundamentally related to the preservation of life and
liberty. This recognition marked a pivotal moment, firmly establishing privacy as a
constitutional right. (Puttaswamy vs Union of India, 2017)
International Data Protection Laws and Their Relevance
Although India has made tremendous progress in recognizing privacy as a
“

fundamental right, it is crucial to consider these advancements in the broader global

context of data protection. A notable example of a comprehensive data protection
system is the General Data Protection Regulation (GDPR) of the European Union.
The GDPR places emphasis on consent, transparency, and stringent laws around the
collection and utilization of personal data. Severe fines for noncompliance and data
”

breaches are also outlined. (Regulation (EU) 2016/679)

Constitutional Provisions Related to Privacy in India
Beyond Article 21, there are sections in the Indian Constitution that indirectly deal
with privacy. For example, the SC has acknowledged that privacy is an essential part
of the freedoms of speech and expression protected by Article 19(1)(a). With the
protection of their right to privacy, individuals can freely express themselves and
create opinions without fearing undergoing surveillance. (Nikhil Deogun vs Union of
India, 2019)
Key Legal Cases and Landmark Judgments
Apart from the Puttaswamy case, several other legal cases have shaped the privacy
landscape in India. In "Justice K.S. Puttaswamy (Retd.) vs Union of India," the SC
emphasized the requirement for privacy safeguards in government surveillance, even
20

while recognizing the legitimacy of surveillance in the interest of national security.

(Puttaswamy vs Union of India, 2017). The "Aadhaar Act" case presented another
significant juncture in the debate over privacy as well as data protection. The Aadhaar
Act established a unique identification system in India, and it faced scrutiny for its
potential privacy implications. In 2018, the SC upheld the validity of the Act but
“

imposed restrictions and safeguards to address concerns about data protection.

(Justice K.S. Puttaswamy (Retd.) vs Union of India, 2017)
Discussion
The historical and legal developments outlined in this literature review underscore the
”

evolving nature of privacy rights and the enhancing significance of data protection in
the digital age. These developments have set the stage for the formulation of the
DPDPA of 2023, which seeks to address the contemporary challenges associated with
data privacy in India.
21

CHAPTER II

Historical Development of Privacy Rights and Surveillance in India

Though believed by many to be a concept of modern times, privacy rights and surveillance in
India have a rich historical backdrop that has evolved over time, shaped by societal, legal,
and technological changes. The term privacy is derived from the Latin word “Privatus”
“

which means set apart from what is public, Personal, and belonging to oneself and not the
state. The definition of privacy differs with varying cultures. Though the word privacy
”

doesn’t find any definite and explicit place in the constitution of India, during the constituent
assembly debates the first effort to protect individual privacy from excessive state
interference took place when Mr Kazi Syed Karimuddin suggested an amendment to guard
against unreasonable searches and seizures, drawing inspiration from the American and Irish
Constitutions. Despite Dr. B. R Ambedkar's acknowledgment that a similar provision existed
in the Criminal procedure Code, he acknowledged the amendment, calling it a “useful
proposition” that should be beyond the reach of the legislature 1. Through Article 21 of the
Indian constitution, the Indian legislatures had set up the stage in furtherance of privacy
rights. The historical developments, highlight the key milestones and turning points in
India’s privacy rights and surveillance .

Pre-Independence Era had a significant impact on privacy right and

surveillance in India. In the period before India gained independence the concept of
privacy and surveillance differed greatly from that of todays standard. The need to protect an
individual's personal life and belongings is acknowledged in ancient books like the
Arthashastra, which is where the concept of privacy originated in India. The british
administration through various mechanisms had monitored the Indian population at large.
Though there was an absence of legal provisions for privacy rights , The struggle for India’s
independence had time to time shown shown the resistance of the Indian population against
the challenges posed by the British empire against individuals pivacy and civil liberties. Prior
to independence, cultural norms and traditional beliefs that prioritized individual autonomy
within the family structure had an impact on privacy. These impacts thus layed for the
eventual recognition of privacy rights in Independent India.

1
Supreme Court Observer, An Analysis of the History of Right to Privacy Under Article 21 of the Constitution,
22

The profound impact on privacy right and surveillance by the Indian

Constitution (1950) is of great significance. The introduction of the Indian
Constitution in 1950 was of great significance in the nation’s legal and societal fabric . The
“ right to life and personal liberty were formally recognized in India as fundamental rights in
Article 21 of the Indian Constitution upon its adoption in 1950 2. Although privacy wasn’t
explicitly mentioned under the constitution of India . This fundamental provision established
the framework for privacy protection. The right to privacy is recognized in the Universal
Declaration of Human Rights, which had a significant influence on the Constitution. The ”

Indian constitution thus laid a growndwork for the subsequent judicial, legislative and
societal movements that have moulded the evolution of pivacy rights and surveillance
practices in India.

With the legal and Constitutional Developments privacy rights in India had
significantly developed. The right to privacy was interpreted and expanded upon by
Indian courts in the decades that followed the adoption of the Constitution. The right to
privacy was cited in landmark cases like the Kharak Singh case (1962) 3 to contest police
surveillance of an accused person. Following his release from custody due to a lack of
evidence, Kharak Singh was placed under surveillance by the Uttar Pradesh police under
“

chapter XX of the Uttar Pradesh Police Regulations. Singh had been imprisoned for dacoity.
A six-judge panel upheld the remaining requirements while declaring that overnight
domiciliary visits were illegal. Crucially, the panel found that the constitution fails to
explicitly guarantee the right to privacy. In the 1975 Gobind case 4 Similar to the Kharak
Singh v. State of Uttar Pradesh case, Govind challenged the Madhya Pradesh Police's
surveillance regulations in this case, particularly those pertaining to domestic visits. He
”

argued that he was falsely accused and subjected to police surveillance. The Hon’ble
Supreme Court of India dismissed his petition but suggested reforming the regulations,
warning that they were “Verging perilously near unconstitutionality” these cases
acknowledged the significance of privacy, especially regarding surveillance by state
authorities. These early cases set the stage for a more comprehensive understanding of
privacy as a fundamental right.
2
Supreme Court Observer, An Analysis of the History of Right to Privacy Under Article 21 of the Constitution,
3
Kharak Singh v. State of Uttar Pradesh, (1964) 1 S.C.R. 332.
4
Govind v. State of Madhya Pradesh, (1975) 2 S.C.C. 148.
23

Technological Advancements has influenced privacy right as India has

experienced significant techological growth over the past few decades which have impacted
various sectors and transformed daily life of the individuals. The introduction of technologies
like that of the internet connectivity , smart phones, and more recent advanced technologies
like Artificial Intelligence (AI) have ushered the way people communicated thus with the
development of technology came new privacy problems, particularly with the growing use of
the internet and digital communication. The digital era has created the possibility of more
government and private organizations collecting data and conducting surveillance.

"Justice K.S. Puttaswamy (Retd.) vs Union of India" (2017) 5 has been keen
in ensuring individuals privacy as Justice K.S. Puttaswamy (Retd.) vs Union of
India" (2017)6 Widely known as the Puttaswamy judgement has played a pivotal role in the
evolution of the privacy rights in India . This important case marked a significant turning
“

point in the development of privacy rights in India. The Supreme Court recognized the right
to privacy as a fundamental right under Article 21 of the Constitution, ruling that protecting
one's privacy is necessary to preserve one's life and liberty. The ruling emphasized the
importance of privacy in the digital age and the groundwork for comprehensively balancing
between privacy rights and national security. By establishing privacy as an individuals
fundamental right it empowered the individuals with more autonomy over their personal
data.and prompted a reassessment of governments surveillance practices, thus emphasizing a
need for stronger over sight and accountability on the part of the government in use of
surveillance technologies. This landmark judgement of the 9 Judges Bench of the Hon’ble
Supreme court of India laid a robust jurisprudence on privacy rights in India . Thus prompted
to the formation of the Justice B.N Srikrishna Committee.7

to draft the data protection legislation for India.

The influence of the Digital Personal Data Protection Act (2023) in

ensuring individuals privacy rights is paramount. The PDPB, 2019 was created
with the intention of protecting people's privacy with regard to their personal data in response
“

5
Justice K.S. Puttaswamy (Retd.) v. Union of India, A.I.R. 2017 S.C. 4161.
6
Justice K.S. Puttaswamy (Retd.) v. Union of India, A.I.R. 2017 S.C. 4161.
7
Personal Data Protection Bill can turn India into ‘Orwellian State’ Justice BN Srikrishna The Economic”
Times 31 January 2020.
24

to the growing issues of data protection and privacy in the digital era. The original Bill's
drafter, justice B.N. Srikrishna, protested the Bill's potential to transform India into an
"Orwellian state," leading to its withdrawal 8. In order to regulate the processing of digital
personal data in a way that recognizes both the requirement to process such data for
legitimate purposes and for matters related or incidental thereto, as well as the rights of
individuals to protect their personal data, the Digital Data Protection Bill 2023 was
”

subsequently presented. In 2023, India implemented the DPDPA. This act aims to provide an
established legal framework that will protect personal data and control its processing, storing,
and access.9

The Government Surveillance Programs were a boon in bringing light to

individuals awareness towards privacy rights. Over the years, the Indian
government has implemented various surveillance programs aimed at maintaining national
security and law enforcement. These initiatives include the contentious DRDO NETRA 10, an
India-wide mass surveillance project created by the Defence Research and Development
“

Organization's Centre for Artificial Intelligence and Robotics (CAIR) laboratory. Words like ”

"bomb," "blast," "attack," or "kill" can be quickly identified by the algorithm from tweets,
status updates, emails, and instant chats. Additionally, it can identify questionable voice
traffic on Google Talk, Skype, and other platforms. India's National Cyber Coordination
Centre (NCCC), an operational cyber security and e-surveillance organization, established a
cyber-surveillance program based on the controversial US program Prism 11 With the intention
of screening communication Metadata (data that provides information regarding other data,
but not the content of the data itself, such as the text message or the image itself) and
coordinating the intelligence-gathering activities of other agencies under the jurisdiction of
the Ministry of Home Affairs.12 The 12-digit digital documentation system known as the
Aadhaar Biometric System recorded biometric data in the form of fingerprints and, in

8
Vatsal Gaur & Krishnan Sreekumar, A Dawn of a New Era for Data Protection in India: An In-Depth Analysis of
the Digital Personal Data Protection Act, 2023, India, Aug. 15, 2023.
9
Digital Personal Data Protection Act, No. 22 of 2023, Acts of Parliament, 2023 (India). .
10
"Government to launch ‘Netra’ for internet surveillance," The Economic Times, Dec. 16, 2013, available at
https://www.economictimes.indiatimes.com. Accessed on 24th Feb,2023
The Diplomat, “India Sets Up Domestic PRISM-Like Cyber Surveillance?” (June 10
11

2013),, also known as US-984XN.

12
“The Whistleblower behind the NSA Surveillance Revelations.” The Guardian (June 9,2013)
https://www.theguardian.com/world/2013/jun/09/edward-snowden-nsa-whistleblower-
surveillance
25

addition, an iris scan, which became vitally important to obtain any governmental service. It
is one of the largest databases with approximate data of over 1.1 billion people and has
sparked debates regarding the balance between security and privacy.

The impact of Privacy Advocacy and Civil Society in upholding individuals

privacy rights is of great significance as privacy rights have significantly developed
in india over the past few decades with the development of and rise in the digital
technologies. With the increase in use of the digital space the need to protect individuals
personal data became a grave concern thus the Civil Society Organizations (CSOs) in India
have played significant role at times to ensure development of the privacy advocacy
landscape in India. Stronger data protection regulations and increased public understanding of
privacy rights have been facilitated by civil society organizations and privacy activists. These
groups have actively participated in legal challenges and policy discussions surrounding data
privacy and surveillance. Indian CSOs have many a times even collaborated with
international privacy advocacy groups and Human Rights Organizations in facilitating that
the global best practices are incorporated and that india aligns itself with the global privacy
standard norms.

International influence on development of India’s privacy rights have been of great

importance. International developments, like the GDPR of the European Union, have
influenced India's approach to privacy and data protection. The GDPR has set standards for
“

data protection that India has considered when formulating its own data protection laws.
Article 8(1) of the Convention for the Protection of Human Rights and Fundamental Freedom ”

says “Everyone has the right to respect the private and family life, his home and his
correspondence”. Permissible restrictions that are "necessary in a democratic society" are
outlined in clause (2) and are justified in the context of national security, crime prevention,
etc.13

13
Right to Privacy A.G Noorani Economic and Political Weekly, Vol . 40 , No. 9 (Feb. 26- Mar . 4, 2005 ), p.
”

802
26

In summary, the historical development of privacy rights and surveillance in India is a

complex journey, shaped by constitutional provisions, legal interpretations, technological
advancements, and evolving societal values. Initially, privacy can be seen to have lacked
explicit legal protection, and many a time the courts were in favor of upholding the state
interest. However significant rulings progressively acknowledged privacy as an implied
constitutional right resulting in the landmark judgement of K.S Puttaswamy which
established privacy as a fundamental right. This decision not only overruled previous
decisions that had denied privacy as a fundamental right but also set a clear precedent for
future legal interpretation and policy-making aimed at ensuring the protection of individuals'
privacy. The acknowledgment of privacy as an essential entitlement and the implementation
of data security laws signifies significant developments in the continuous development of
privacy rights and monitoring strategies in India. Despite this milestone reconciling privacy
and surveillance remains a challenge in India. Aiming to regulate the processing of personal
data by public and commercial organizations, legislative initiatives like the implementation of
the Personal Data Protection Act in 2023 will help protect people's right to privacy in an
increasingly digital world. However, it has not been as effective as dreamt of because of the
ongoing surveillance practices and technological advancements at a swift rate. The
introduction of the Adhaar system by the government with various other digital surveillance
systems stresses the need for the state to ensure the privacy of all individuals. The trajectory
of privacy rights in India highlights a persistent struggle to balance individual freedoms with
national security.

CHAPTER III

International Data Protection Laws and Their Relevance

The landscape of data protection and privacy is not limited by national borders, and
international data protection laws play a significant role in shaping global norms and
standards. These International data protection laws ensure a free flow of transborder data and
to a large extent allow for the protection of individuals' private life by ensuring limited
intervention by the state authorities. The relevance of international data protection laws in
case of india has been pivotal in shaping india’s own Personal Data protection Act of 2023 .
27

As protecting personal data became a significant concern globally it has prompted India in
the development of it’s own data protection laws . These International regulations are aimed
to oversee the collection , storage , processing and transfer of personal data to protect privacy
and ensure data security . The major international data protection frameworks have
significantly influenced india in the following ways.

General Data Protection Regulation (GDPR):The relevance of GDPR in

accordance with India’s own Personal Data protection law is of great significance as GDPR is
one of the most extensive data privacy laws in the world that was put into action in 2018,
with the introduction of the GDPR by the European Union the EU ensured to secure the
personal data privacy of the EU residents . The GDPR is applicable to everyone who
manages the personal data of EU residents or citizens and provides products and services to
EU persons. Seven protects and accountability principles are provided by the GDPR and are
described in Article 5.1-2. The principles include the requirement that processing be fair,
lawful, and transparent to the data subject. The legitimate purposes for which the data was
gathered must have been clarified to the data subject at the time of collection. Only the
information that is absolutely required for the stated purpose must be processed from the
collected data. Personal information needs to be updated. Only as long as is required for the
stated purpose may personally identifiable data be stored on record. Processing needs to be
carried out in a way that ensures the necessary security, integrity, and confidentiality. It is the
data controller's responsibility to be able to provide evidence of GDPR compliance with each
”

of these guidelines. Additionally, GDPR places a strong emphasis on concepts like consent,
transparency, and data subjects' rights. Its significance for India stems from the fact that it
shaped the country's data privacy legislation. The GDPR has established strict guidelines for
the security of personal data, setting the bar for Indian law and promoting a stricter approach
to data protection.14

The GDPR has enxtensively impacted India as it helped India to understand how a stricter
framework can be developed for protection of personal data of its own residents. The GDPR's
extraterritorial reach immediately impacts Indian companies and organizations that manage
the personal data of EU citizens. Compliance with GDPR requirements, including data
localization and cross-border data transfers, has become crucial for Indian entities operating
in the global market. Additionally, the Indian government has taken note of the GDPR's

14
Data Privacy Legislation in Focus: A Deep Dive into India’s DPDP Act & EU’s GDPR By Anas Baig
“ ”
28

emphasis on data protection principles and has incorporated some of these principles into the
DPDPA of 2023.

Convention 108 of the Council of Europe:The relevance of Convention 108 of the

Council of Europe15 in the Indian context is quite significant as the Convention for the
“

Protection of Individuals with respect to Automatic Processing of Personal Data, or

Convention 108, was approved in 1981 was among the first global agreements that addressed
”

data protection specifically. It created normative responses to the challenges that computer
technology presented to privacy-related interests. The convention is intended to be more than
a contract between European governments, despite being a product of Europe. Harmonization
was aimed at enhancing data privacy and, consequently, the right to respect private life as
“

stated in Article 8 of the European Convention on Human Rights. It also seeks to ensure the
free flow of personal data across national borders and, as a result, protect the right embodied
in Article 10 of the European Convention on Human Rights to receive and impart ideas and
information without interference from public authorities, regardless of borders. India has
contributed significantly to the development of data protection principles and laid the ”

groundwork for later data protection regulations, like the GDPR, despite not being a party to
Convention 108. With the ongoing time the impact of Convention 108 of the Council of
Europe over India was explicitly realised as the principles and standards set out in
Convention 108 have influenced global discussions on data protection and have indirectly
“

influenced the development of Indian data protection legislation.

Asia-Pacific Economic Cooperation (APEC) Privacy Framework: The

relevance of APEC in India’s alignment towards a stronger data protection law
can be negated by none , As with its Established in 2004, the APEC Privacy
Framework offers a collection of guidelines and standards for the Asia-Pacific region's
”

personal information protection. This work's main product is a "Privacy Framework," which
is an agreement. The APEC governments' willingness to create a data privacy strategy based
on their interests rather than those of the European states was demonstrated by this

15
Data privacy law an international perspective by LEE A. BYGRAVE
29

framework. Rather than using instruments from the EU and CoE, the framework is based on
and influenced by the OECD recommendations. The "Information privacy Principles" (IIPs),
which are mostly based on OECD principles, are the framework's central component. A few
principal nomenclatures also appear to have been influenced by the Safe Harbour agreement.
The fundamental tenet of the choice principle is that people should have clear, noticeable
easily comprehensible, affordable, and accessible procedures to exercise their right to choose
when their personal information is collected, used, and disclosed (paragraph 20). One novel
aspect of the framework's promotion is that member countries permit non-governmental
organizations, such as those focused on consumer protection and privacy, to engage in the
creation of laws and regulations in these areas (Paragraph 37). Although not legally binding,
it serves as a reference for member economies, including India. The framework promotes a
risk-based approach to privacy protection, which aligns with India's approach to data
protection. APEC like all other International data privacy laws have had a key impact in
India’s effication towards the development of a strong data privacy framework. 16 The APEC
Privacy Framework contributes to the harmonization of data protection practices in the Asia-
Pacific region and influences discussions on regional data protection initiatives. India's
engagement with APEC and its principles encourages the adoption of practices in line with
regional norms.

Convention “ on Cybercrime (Budapest Convention): The Budapest

convention is the first international treaty that was aimed at combating crimes
related to the internet .The Budapest Convention, adopted in 2001, primarily focuses on
combating cybercrime. While its primary objective is law enforcement cooperation, it
includes provisions related to data protection and the exchange of electronic evidence. Its
relevance to India lies in its role in fostering international collaboration in addressing cross-
border cyber threats. The convention standardized the definition of cyber crimes across the
various member countries it ensured a unified approach to crimes like unauthorized access,
data and system interference , misuse of devices , computer – related fraud as well as child

16
Data privacy law an international perspective by LEE A. BYGRAVE
30

pornography . The convention also provides for essential procedural tools for investigating
cyber crimes as well as provides for punishing for the same. Though India is not a signatory
to the Budapest Convention but the principles enshrined in the Budapest Convention has
”

been a significant influence at international cooperation in tackling cybercrime. The

Convention indirectly underscores the need for data protection regarding cyber
investigations, which is pertinent to India's evolving cybersecurity and data protection
landscapeas well as aligning with International standards like that of the Budapest
Convention has been potent for India’s understanding of tackcling transnational cyber crime
especially with the advancement in technology it is essential for India to take key steps in
combatting cyber crimes.

OECD Initiatives Guidelines Governing the Protection of Privacy and Transborder

“

Flows of Personal Data are available from the OECD. Eight data privacy principles form the
basis of these rules, which are meant to be implemented in both public and commercial
sectors' manual and electronic processing of personal data. The guidelines dispense with
potentially restrictive concepts of personal data regardless of the way in which data is
organized. According to the convention, personal information may be obtained fairly and
legally. However, it must be collected with the knowledge and consent of the data subject and
not for any other purpose. The purposes for which the data is being collected must also be
stated at the time the data is being collected. Its relevance lies in the collection limitation
”

principle which provides for lawful, fair, and transparent processing of personal data which
has been incorporated in the Indian legislation. The OECD guidelines are well incorporated
in the Indian data protection legislation which ensures global best practices in data privacy
ensuring user consent, data security, and individual rights. The OECD principles provided a
strong foundation for the development of India’s digital data protection legislation.

In conclusion, international data protection laws are highly relevant to India due to the
interconnected nature of data flows and privacy concerns in the digital age. These laws
influence India's approach to data protection and privacy, both in terms of global compliance,
as well as the formulation of domestic legislation such as the DPDPA of 2023. With
globalization and digital connectivity on the rise, it is crucial for India to align itself with
31

global standards and practices in data protection. International regulations like that of the
European Union’s GDPR set a high standard that significantly influences legislation
throughout the globe including India. They set benchmarks, inspire best practices, and
encourage harmonization of data protection standards, contributing to a global framework for
safeguarding personal data. 17Additionally adhering to these international standards helps in
enhancing India’s global credibility, thus ensuring that India becomes a lucrative destination
for businesses and technology investment. International data protection laws are crucial for
India’s effort to establish a comprehensive data privacy regulation that ensures strong data
protection for individuals while facilitating international trade and cooperation.

21.Data privacy law an international perspective by LEE A. BYGRAVE

Chapter IV
17
S.K. Sharma, Privacy Law: A Comparative Study (Atlantic Publishers & Dist, 1994) at Pg 211.
32

Constitutional Provisions Related to Privacy in India

In India, protecting one's privacy is a fundamental human right that is necessary for one's
personal safety and security. Privacy ensures that an individual’s private life is private and is
not arbitrarily interfered with by others, even the government. Privacy includes various
aspects of a person’s life from his personal autonomy, and bodily integrity to his digital
footprint. Privacy is a key aspect of a person’s day-to-day life, especially in the current times.
With more and more advancement in technologies worldwide, man is keen to align
themselves with the advancement, thus increasing more interaction between man and
machines, where privacy acts as a fundamental necessity in ensuring an individual’s safety
thus preventing them from being vulnerable to arbitrarily intervention by the government or
other organizations. Privacy may be regarded as a basic right of every human being. The
“ right to privacy is not expressly protected by the Indian constitution; rather, it has developed
over time as a result of the high court's expansive interpretation. There are limitations to the
right to privacy. India's main privacy-related constitutional provisions are as follows:

With the incorporation of the digital era it is evident to all that Article 21 - Right to Life and
Personal Liberty plays a significant role in upholding individuals liberties . Article 21 of the
Indian Constitution declares that "No person shall be deprived of his life or personal liberty
except according to a procedure established by law." 18 The foundation of India's private rights
is this article. A component of the right to personal liberty is the right to privacy, which
encompasses the freedom to be left alone and the power to manage one's personal
information. Article 21 of the India constitution had a crucial Impact on privacy as the SC
of India has consistently interpreted Article 21 as including the right to privacy. A significant
ruling in the 2017 case of "Justice K.S. Puttaswamy (Retd.) vs Union of India" stated the vital
importance of the right to privacy in safeguarding life and liberty.
” “

23. Commentary on Constitution of India Durga Das Basu

18
Dr. Mamta Rao, Constitutional Law, 1st ed. (2013), pg. 222.
33

Article 19(1)(a) which provides for the Freedom of Speech and Expression is significantly
relevant to privacy as the freedom of speech and expression is protected by Article 19(1)(a)
of the Indian Constitution. The freedom of speech and the right to privacy are interconnected.
”

Because of confidentiality, individuals can freely express opinions without fearing being
under surveillance or having their private lives violated. (S.P. Gupta v. Union of India 1981)
CITATION AIR 1982 SC 149.the court held that the right to know is derived from the
fundamental right to freedom of speech and expression. Article 19(1)(a) has brought a

significant impact on privacy as the Indian courts have recognized that privacy is an
essential component of the freedom of speech and expression. It enables individuals to
express themselves without fearing surveillance by the government or other parties.

Right to Equality under Article 14 of the Indian constitution . The right to equality before the
law is protected by Article 14 which ensures that every citizen of india is treated equally by
law . This Article prohibits discrimination on grounds of caste, sex or place of birth thus
ensuring equall protection of all. Every citizen has an equal right to privacy, which
guarantees them protection from unauthorized access to their personal information. This
principle is increasingly relevant to the digital age , where the potential for data misuse and
surveillance has heightened concerns over individuals privacy. Though right to privacy is not
explicitly mentioned in Article 14 of the Indian constitution but is implicitly protected
through the its interpretation by the judiciary. Article 14 of the Indian constitution has made a
crucial Impact on privacy in india by ensuring that the states actions are just and fair and non
discriminatory. The right to privacy under Article 21 and the right to equality under Article
14 work in conjunction to ensure that privacy protections are extended equally to all citizens
without discrimination. This mandates tha any law or state action infringing upon an
individuals privacy must meet the standards of reasonableness and proportionality. Thus it
can be determined that any intrusion into privacy must be justified , necessary and the least
restrictive means to achieve the intended purpose. The synergy between aricle 14 and 21 of
the Indian constitution ensures that marginalized and vulnerable groups are afforded the same
level of privacy protection as others, preventing any form of unequal treatment or biasness.
This comprehensive approach helps to address issues related to surveillance , data protection
thus fostering a legal environment that respects and upholds individuals privacy rights.

24. Constitutional law Dr Mamta Rao pg 170 first edition , 2013

34

25. Constitutional law Dr Mamta Rao pg 103 first edition , 2013

26. Constitutional law Dr Mamta Rao pg 104 first edition , 2013

Article 32 - Right to Constitutional Remedies have a significant relevance to privacy .

this provision empowers Individuals with the right to petition the SC to have their
fundamental rights upheld under Article 32. This Article acts as a vital tool for the protection
of privacy by providing a judicial avenue for redressal when privacy rights are breached. It
provides people a way to pursue legal action when their rights to privacy are violated. This
mechanism ensures that citizens have immediate access to the highest court in the
country, thus by-passing the lower courts in case of urgent constitutional matters. The
Impact of Article 32 on privacy is crucial as it enables individuals to challenge laws,
government actions, or surveillance practices that violate their privacy rights, reinforcing the
importance of privacy within the constitutional framework. This direct access to the supreme
court ensures that any infringement on privacy can be promptly addressed , maintaining a
check on the potential abuse of power by both the state or any private entity. Article 32 also
serves as a guardian of the Fundamental rights by allowing individuals to seek remedies such
as habeas corpus, mandamus, prohibition, quo warranto and certiorari.19

. These ensure and compels authorities to provide a justification for their actions, correct
administrative malpractices or stop unlawful activities thus ensuring protection against
violation of individuals right to privacy. The role of Article 32 is pivotal in upholding the
balance between state security measures and individuals privacy rights. Article 32 acts as a
detterent against the arbitrary actions by the state thus ensuing that any governmental
enchrochment on individuals privacy rights must withstand judicial scrutiny. Article 32 not
only reinforces the protection of privacy rights but also promotes transparency and
accountability in governmental operation. The significance of article 32 extends beyond

19
Constitutional law Dr Mamta Rao pg 301 first edition , 2013
35

individuals grievances , it has been instrumental in shaping the jurisprudence around privacy
by setting up precedents that shall influence future legislations .

Article 12 of the Indian constitution provides for the definition of the State. It
has distinct relevance to privacy as , While not a provision directly related to privacy,
Article 12 defines the "State" as it applies to fundamental rights. This definition extends the
obligation to protect fundamental rights to both government agencies and, in certain cases,
private entities that perform functions of a public nature. The Impact of Article 12 on
privacy is quite significant as this broader interpretation of the "State" under Article 12
implies that not only the government but also certain private entities must respect and protect
privacy rights in their dealings with individuals. This interpretation is crucial in the modern
context where private entities often handle vast amount of personal data , such as
telecommunications companies , social media platforms and other service providers. By
extending the scope of state action to include certain private actors, Article 12 of the Indian
constitution ensures that privacy rights are safeguarded against encroachment by non state
entities as well.20 Thus aligning with the evolving understanding of pivacy as a fundamental
right that transcends traditional distinctions between public and private spheres. Additionally
Article 12 reinforces the principle that individuals privacy should be protected irrespective of
whether the infringement originates governmental or non governmental sources . Thus
Article 12 of the Indian Constitution serves as a cornerstone in ensuring comprehensive
protection for privacy rights in India.

In conclusion, the Indian Constitution provides a strong basis for the protection of
“

individuals' right to privacy. The principal constitutional provision that upholds the right to
privacy is Article 21. The courts have been crucial in interpreting and extending these rights,
which resulted in the "Justice K.S. Puttaswamy (Retd.) vs Union of India" case, which
”

recognized privacy as a fundamental right. The establishment of data protection laws and the
“

restriction of state monitoring were two major legal and policy efforts that were influenced by
20
Constitutional law Dr Mamta Rao pg 83 first edition , 2013
36

this decision, both of which had profound consequences. The provisions in the Indian
constitution related to privacy highlight the critical role of rights in safeguarding individuals'
”

dignity and autonomy. These constitutional provisions ensure that privacy is an essential and
unalienable right for every Indian, including the preservation of personal information and the
management of government surveillance activities.

An In-Depth Analysis of the Indian Constitution's Provisions Related to

Privacy

Privacy rights in India are firmly anchored in the Indian Constitution, with Article 21 serving
as the linchpin of this fundamental right. The decision in Bugdaycay v. Secretary of State
(1987) provided the foundation for the most careful examination of any decision pertaining to
human life, as it is the most fundamental of all human rights. Among human social ideals, the
sanctity of life is arguably the most fundamental. A society that grants individuals the
freedom to choose how they are to lead their lives will naturally respect their right to privacy.
This involves not only the ability of the individual to seclude from other individuals or avoid
publicity but also the freedom from unwarranted state interference. In the simplest terms,
privacy is just a state that is marked by isolation, secrecy, and anonymity. It might be lost as a
result of an action or another person's actions. Privacy is also an important interest to which
people accord. When the interest is defeated, it doesn’t amount to just a loss but a violation,
invasion, or infringement of privacy.21 Stone defines privacy as the limited right to stop or
constitute the unlawful acquisition or disclosure of confidential personal data. Indian
constitution while not containing an express provision or mention of privacy provides for an
intricate framework reflecting a well-emphasised understanding of individuals' personal
autonomy, dignity, and liberty. A thorough examination of the pertinent constitutional
provisions clarifies the complex relationship between constitutional safeguards and privacy.
21
Stone, “Textbook on Civil Liberties and Human Rights”, P.338
37

Right to Life and Personal Liberty under Article 21 of the Indian constitution
incorporates a significant safeguard in upholding individuals privacy rights.

Section 21. A fundamental human right is the right to life, which cannot be violated by the
“

government or any individual else. The state is required to uphold these rights as the
custodian of persons, and Article 21 is a storehouse of all human rights that are fundamental
to an individual. Article 21 of the Indian Constitution holds paramount significance for
privacy rights. It proclaims that "No person shall be deprived of his life or personal liberty
”

except according to a procedure established by law." While using derogatory language, it

grants everyone the fundamental right to life and personal freedom. This provision expressly
“

recognizes the close connection between the right to life and the right to privacy, upholding
the fundamental value of each person's individual freedom. The SC has repeatedly ruled that
the right to human dignity and personal autonomy is a part of the right to life. The ”

recognition of privacy as a fundamental right underscores the importance of protecting

individuals from arbitrary intrusions by the state or other entities. It ensures that the
individuals personal data is managed in a manner that respects the autonomy and dignity of
the individuals thus aligning with the global human rights standards . The relationship
between individual freedom and the management of one's personal data is highlighted by this
“ interpretation.

Article 19(1)(a) Freedom of Speech and Expression under the constitution of

India has a significant impact on individuals privacy rights.

While not explicitly focused on privacy, Article 19(1)(a) guarantees the right to freedom of
speech and expression. The connection between freedom of expression and privacy is
integral. Privacy creates the necessary space for individuals to form and express their
thoughts and opinions without fear of surveillance or undue intrusion into their personal lives.
This mutual reinforcement between privacy and freedom of expression is vital for the
”

flourishing of democratic values. In a democratic society like that of India , the ability of
individuals to communicate freely and without fear is essential for the healthy exchange of
38

ideas and for ensuring accountability. Dinesh Trivedi v. Union of India, (1997) CITATION
Dinesh Trivedi v. Union of India, (1997) 4 SCC 306. the court affirmed that citizens have the
right to be informed about government affairs, though this right is subject to certain
restrictions. Privacy protections ensure that individuals can freely share their thoughts
without the fright of surveillance or unwarranted intervention. Through safeguarding the
privacy realm where thoughts and opinions are developed privacy underpins the very
foundation of free expression . This symbolic relationship between privacy and freedom of
expression also extends to the digital era, where the online anonymity and data protection are
critical for the protection of free speech.The right to freedom of speech and expression under
Article 19 (1) (a) thus acts as a cornerstone for the development of a strong legal framework
for protection of individuals personal data.

Article 14 - Right to Equality has a significant impact on right to privacy.

Article 14 ensures that the law treats individuals equally, regardless of their background.
Privacy rights, as fundamental rights, are uniformly protected for all citizens. The concept of
equality prevalent in Article 14 ensures that the law is equal among the equals and is equally
administered and the likes are treated alike. 22 Arbitrariness being opposed to reasonableness
is an anti-thesis to law and is a violation of reasonableness enshrined in Article 14, Thus any
government action that is irrational and not based on sound policy decision is inherently an
arbitrary action and is violative of the mandate of article 14. This constitutional principle
reinforces the idea that privacy is a right that must be extended uniformly and without
discrimination. The right to privacy applies to every citizen, ensuring equal protection under
the law.

Article 32 - Right to Constitutional Remedies serves as a linchpin in

safeguarding individuals right to privacy.

22
D.D. Basu, Commentary on the Constitution of India, vol. 2, 9th ed. (Arts. 13-14) (LexisNexis 2014).
39

Under Article 32, individuals can petition the Supreme Court to have their fundamental rights
maintained.23 When someone's right to privacy has been violated, it is a powerful tool that
allows them to pursue legal action. In cases where individuals believe their privacy is
compromised by state or non-state actors, Article 32 provides a constitutional avenue to seek
redress. Article 32 of the indian constitution empowers the citizens of India to approach the
highest judicial body directly without the need to go to the lower courts , thus ensuring that
justice is delivered swiftly and effectively. It upholds the judiciary’s role as the guardian of
the fundamental rights thus acting as a mechanism of critical oversight against unlawful
encroachments. The supreme court under article 32 of the Indian constitution has the
authority to issue various writs like habeas corpus, mandamus, prohibition, quo warranto and
certiorari to safeguard individuals privacy rights. Article 32 of the Indian constitution
significantly upholds the importance of fundamental rights in the constitutional framework
and thus serves as a cornerstone in protecting individuals liberty in india.

Article 12 provides for the definition of the State which is of great

significance in the digital era.

Although not directly pertaining to privacy, the description of the "State" in Article 12 is
crucial for a comprehensive understanding and application of fundamental rights. The
commitment to upholding fundamental rights is expanded to encompass entities that carry out
public functions, regardless of whether they are government entities or non-government
groups engaged in activities similar to public functions. In this way, it indirectly underscores
the importance of protecting privacy rights in dealings with various entities. Article 12 of the
Indian constitution ensures that any authority or body that performs public duties are
accountable for the protection of individuals fundamental rights . Article 12 is of great
significance specially in the digital era as with the increase in privatization and outsourcing of
public functions which have significantly increased , ensuring that private entities that are
executing the role of public authorities are also held within the constitutional standards. Art
12 of the Indian constitution provides the individuals with the opportunity to challenge the
violation of their privacy rights by a wide range of actors whether private or public entity.

23
D.D. Basu, Commentary on the Constitution of India, vol. 6, 9th ed. (Arts. 25-35) (LexisNexis 2014)..
40

Article 12 of the Indian Constitution effectively reinstates the pervasive reach of

constitutional protection in safeguarding the individuals liberties.

CHAPTER V

Key Legal Cases and Landmark Judgments

Privacy and data protection in India have been significantly influenced by key legal cases and
landmark judgments. These cases have not only shaped the interpretation of privacy rights
but also set precedents for the regulation of surveillance and the protection of personal data.
“

The Most notable cases on privacy rights Justice K.S. Puttaswamy (Retd.) vs Union

of India (2017)24: Marked a significant event in India's history of privacy rights. The
importance of privacy right is represented by this important court case. According to Article
21 of the Constitution, the Supreme Court of India recognized the right to privacy as a basic
freedom. The judgment emphasized the constitutional importance of privacy by declaring that
it is essential to the safeguarding of life and liberty. This significant judgment also affirmed
that privacy is fundamentally connected to other liberties protected under article III of the
Indian constitution, including the freedom of speech and expression. It emphasized that
”

privacy protects individuals from unwarranted interference by both state and nonstate actors.
24
41

The judgment set a triple test of legality, necessity, and proportionality that must be satisfied
for putting any restriction on privacy rights. The Puttaswamy judgement had a
significant Impact on privacy rights. The Puttaswamy case affirmed privacy as a
fundamental right, influencing subsequent legal and policy developments related to
government surveillance and data protection in India. It established a precedent for the courts
to ensure a higher standard of accountability and transparency from the government regarding
the collection of personal data of individuals and surveillance. Further, this landmark
judgment has significantly raised public

awareness about the individual's privacy rights and government accountability in collecting,
and processing personal data of individuals. It also ensured that the legislature reformed the
present legislation and brought in a more comprehensive legal framework for data protection
in India.

Kharak Singh vs State of Uttar Pradesh (1962) Kharak Singh v. State of

Uttar Pradesh, AIR 1963 SC 1295, 1964 (1) SCR 332. The Kharak Singh case
was one of the earliest cases in India that discussed issues related to surveillance and
personal privacy. The judgment recognized that surveillance practices must conform to
fundamental rights and emphasized the need for safeguards against arbitrary surveillance.

The kharak singh case had a significant Impact on surveillance in India . In addition to laying
the foundation for further legal advancements in this field, this case established the concept
that privacy is a basic right. It also opened avenues for state surveillance measures, subjecting
privacy rights to legislative regulations. The supreme court’s decision in Kharaksingh
“

underscores that any state action infringing upon individuals privacy must be backed by a
clear legal framework , thus protecting individuals from unwarranted governmental intrusion.
This case was pivotal in establishing the concept that privacy is a basic right , even though
the explicit term “privacy’ was not directly mentioned in the constitution at that time. The
Supreme Courts recognition of privacy as intrinsic to personal liberty has changed the sphere
of Individuals privacy rights significantly. The kharak singh case had opened avenues for
state surveillance measures but had also imposed strict scrutiny on such practices, ensuring
that they are subjected to judicial oversight. This ensured that while the state retained its
42

ability to conduct surveillance , it had to do being within the bounds of the law , ensuring that
the individuals privacy rights were respected.

Gobind vs State of Madhya Pradesh (1975):Govind v. State of Madhya

Pradesh, AIR 1975 SC 1378. The Gobind case reinforced the importance of privacy
rights. It highlighted the necessity of establishing a balance between a person's right to
privacy and the state's interest in monitoring them. In this case, the court recognized that
the right to privacy is a fundamental component of the individual freedom ensured by
Article 21 of the Indian Constitution. The judgment also established that privacy rights
are not absolute and can be limited by legitimate state interests. This historic ruling
emphasizes that privacy restrictions must be carefully considered to make sure they don't
unjustifiably infringe upon an individual's liberties and acknowledges the significance of
striking a balance between the right to privacy of the individual and the state's interest in
”

maintaining law as well as order.

The Gobind case had a significant impact on state surveillance and individuals privacy rights
as , The Gobind case contributed to the development of a legal framework that recognizes
privacy as a right subject to reasonable restrictions, particularly in the context of surveillance.
This judgment introduced the triple test framework of legality, need, and proportionality for
examining the validity of the restrictions imposed on an individual's right to privacy. A
judicial precedent was also laid by the judgment ensuring a balance between individuals'
rights with the state's interests. Also prompted a need for legislative reform to regulate police
surveillances ensuring compliance with the constitutional safeguards.

Aadhaar Act Case (2018)25: The Aadhaar Act, which established a unique
identification system for Indian residents, faced legal challenges related to privacy concerns.

25
Beghar Foundation v. Justice K.S. Puttaswamy (Retd.), AIR 2021 SC 891.
43

The Supreme Court maintained the legality of the Aadhaar Act in 2018 while imposing a
number of limitations and privacy-related measures.

This case had a key impact on surveillance and individuals privacy rights as the case
highlighted the tension between government initiatives that involve the gathering of private
information and rights to privacy. The judgment clarified the boundaries within which such
initiatives must operate to protect individuals' privacy. The court emphasized that while
Aadhaar serves a legitimate state interest such as ensuring welfare benefits to reach to the
intended beneficiaries , it must also adhere to principles of necessity and proportionality. This
case had imposed a prohibition on usage by private entities as a method of authentication of
individuals. Thus ensuring that the personal data of individuals are not misused . The
Supreme courts decision has been significant in upholding that any personal data of
individuals that is collected by the state must be accompanied by stringent safeguard
measures to protect the individuals personal information. Moreover this judgement has been
fundamental in re enforcing the idea that privacy is a significant fundamental right under
Article 21 of the Indian Constitution . With this decision the court also highlighted the
importance of informed consent and transparency that is essential in collection and usage of
individuals personal data . Thus the Aadhaar Act Case of 2018 serves as a significant
precedent in balancing the state’s interest necessary for upholding national security and
public order with that of the fundamental right of individuals on their privacy.

Manohar Lal Sharma Vs Union of india & Ors. 2021 26 Is a landmark

judgement in context of privacy right and surveillance in India as this case revolves
around the controversial Pegasus spyware scandal . In this case the Hon’ble supreme
court reaffirmed privacy as a fundamental right and called for a stringent legal
framework and oversight mechanism, Thus ensuring a more balanced approach to
state surveillance - one that respects individuals freedom while addressing legitimate
security concerns.This case significantly raised public awareness about the issue of
individuals privacy and surveillance, Thus empowering citizens and civil society
organizations to advocate more actively for upholding their privacy right and
ensuring that the government is accountable for any breach. The ensured that

26
Manohar Lal Sharma v. Union of India & Ors., AIR 2021 SC 5396
44

surveillance activities must be subjected to judicial oversight to prevent infringement

of individuals right to privacy and that such measures are used only for legitimate
purposes such as national security and public safety. In this case the Hon’ble
supreme Court by appointing an independent committee to investigate allegations set
a precedent for involving impartial experts in scrutinizing state actions. This was a
significant step as it fostered public trust thus ensuring an unbiased examination of
allegations.

Nikhil Bhatia vs Union of India (2019): WP© 7123/2018.

This case involved challenges to government orders and practices related to an individuals
personal right to access contents available on OTT platforms . The court's decision
underscored the necessity of privacy in enabling people to express themselves without
concern about being monitored, emphasizing that privacy is a crucial element of freedom of
“

speech and expression.

This case had a significant Impact on privacy rights as the case reinforced the connection
between privacy and fundamental rights, especially the right to freedom of expression. In this
”

case the court stressed that any state action infringing upon privacy must adhered to the
principles of legality necessity and proportionality ensuring that governmental measures are
not arbitrary and are subjected to judicial oversight. The case also upheld the need for a
transparency and accountability in states monitoring activities , thus ensuring the need of a
stringent safeguard and oversight mechanism to prevent misuse and abuse of states
monitoring powers. This case significantly contributed to the evolving discourse of right to
privacy in India as it affirmed that privacy is not just a derivative right but a fundamental
aspect of right to life and personal liberty under Article 21 of the Indian Constitution thus
moulding the legal landscape in regards to data protection and privacy rights .
45

In conclusion: Data protection and privacy rights have developed significantly in India as a
result of these significant court decisions and historic judgments. To balance the rights to
privacy with the justifiable interests of the state, they have helped to establish legal
protections for privacy, acknowledge privacy as a fundamental right, and regulate
government monitoring approaches. Furthermore, these cases have stimulated public
awareness about individuals' privacy rights and empowered individuals to assert their rights
over arbitrary infringement of their privacy rights by the state and non-state actors. Also,
these judgments asserted a need for a more enhanced legislative framework aimed at
enhancing the protection of individual rights and a more comprehensive framework for
surveillance practices by the state. Overall, these cases continue to shape the evolving
landscape of privacy and data protection in India, balancing individual freedoms with state
interests, while also paving the way for continued evolution and adaptation in response to
new problems and developments in technology.
46

The Significance of the Supreme Court's Recognition of the Right to

Privacy as a Fundamental Right

In the case of "Justice K.S. Puttaswamy (Retd.) vs Union of India" (2017), the Supreme
“

Court of India made history by recognizing the right to privacy as a fundamental right. This
decision has significant implications for civil liberties, the protection of individual rights, and
”

the legal framework in India. The judicial acknowledgment highlights the dynamic nature of
the fundamental rights, adapting to contemporary challenges such as technological progress,
and state surveillance. It aligns India with international norms emphasizing the country’s
dedication to securing individuals' dignity and freedom in an increasingly connected world.
Furthermore, the Supreme Court’s decisions have substantial political implications,
empowering individuals to assert their privacy rights and challenge any arbitrary government
encroachment over individuals' right to privacy thus stimulating a balance between individual
rights and national security, which in turn leads to a reassessment of the existing laws and
practices. Thus, privacy as a fundamental right ensures that an individual's personal space and
autonomy are respected and protected in the Indian democracy. The following are the
primary aspects of its importance:

It provides for a Constitutional Safeguard as the recognition of privacy as a fundamental

“

right places it on par with other fundamental rights enshrined in the Indian Constitution. This
position established by the constitution offers strong protection against state or non-state
organizations violating an individual's right to privacy.

The recognition of right to privacy as a fundamental right is intrinsic to Life and

Liberty. The SC’s judgment declared that privacy is intrinsic to the protection of life and
liberty, reinforcing its centrality to human existence. This understanding highlights that
privacy is not merely a statutory right but nevertheless a crucial component of a person's
freedom and dignity.

37. Beghar Foundation v Justice K.S. Puttuswamy (Ret’d) WP

“ ” 494/2012 REPEATED NO 35
47

It ensures balancing of State Interests. Although the Court acknowledged the right to
privacy, it also pointed out that it is not absolute and can be subject to reasonable restrictions
where it advances the objectives of the state. This recognition allows for a balanced approach
”

where privacy is protected while allowing legitimate state interests, like national security or
law enforcement, to be pursued.

Provides implications for Data Protection as the judgment has direct implications for data
protection and personal data privacy. It laid the groundwork for the succeeding DPDPA,
which aims to restrict personal data processing and provide individuals more control over
their data, to be formulated in 2023.

It has a significant impact on Surveillance Practices. Since the recognition of privacy as

a fundamental right has brought greater scrutiny to government surveillance practices. It has
led to a re-evaluation of surveillance laws and practices, ensuring that they conform to
constitutional principles and privacy protections.

It has induced anInternational Influence, with India's recognition of privacy as a

fundamental right it aligns itself with global norms and standards. It resonates with
international documents like the Universal Declaration of Human Rights and the GDPR of
the European Union. India's stance on privacy is consistent with international principles,
facilitating global cooperation on privacy matters.

It has profoundly Empowered Individuals as the recognition of the right to privacy

empowered individuals to assert their privacy rights against any intrusion, be it by the
48

government or private entities. It encourages individuals to actively guard their privacy and
personal information.

The supreme courts recognition of right to privacy as a fundamental right has

significantly influenced the Protection of Freedom of Expression .Since Privacy and
freedom of expression are intertwined. The protection of privacy makes it possible for
individuals to freely express their ideas and opinions without concern about being monitored
or having their private violated.

The Puttaswamy case sets a powerful legal precedent for future cases involving privacy and
surveillance. This important judgment can be cited by courts to protect private rights and
achieve a balance between the interests of the state and individual liberty.

In conclusion, the growth of civil liberties and private rights in India is approaching an
important moment with the Supreme Court's recognition of the right to privacy as a
“

fundamental right. It underscores the constitutional significance of privacy, balances state

interests with individual rights, and empowers individuals to protect their personal data as
well as privacy in the digital age. By embedding privacy with fundamental rights, the SC has
strengthened the legal framework against any arbitrary and intrusive state action, enhancing
protection for individuals’ personal data and personal space. The development of
comprehensive data protection regulations, like the DPDPA of 2023, which seeks to regulate
personal data processing and preserve individuals' privacy, has been encouraged by the
Supreme Court's recognition of the right to privacy and the emphasis on data protection. The
impact of the Supreme Court’s recognition of the right to privacy goes beyond the legal
”

domain. Individuals using digital platforms have become more aware of the possible dangers
of unrestricted data collection and monitoring, which has increased demand for stricter
privacy laws and more meticulous management of individuals' personal information by
public and private sectors. It also positions India in alignment with global privacy norms and
sets a precedent for future legal cases involving privacy as well as data protection.
49

Chapter VI

Discussion on How the Constitution's Principles Apply to the Digital Era

The Indian Constitution, which was adopted in 1950, forms the bedrock of the country's legal
system. While the Constitution was framed in a pre-digital era, its principles are versatile and
adaptable, allowing them to be successfully applied to the opportunities and problems created
by the digital age. With the rapid advancement in technology the principles enshrined in the
constitution of India holds a pivotal place in ensuring that India adorns the potential to
harness digital technologies as well as remains capable of safeguarding the dignity, rights and
freedoms of the individuals . The constitution of India provides for a significantly strong
legal framework which is adaptive to all the necessary changes with the capability to
incorporate certain changes to uphold the individuals right . The Constitution's principles
continue to apply to the digital era through the provisions enshrined in the Articles of the
Indian constitution as

(Article 21) of the Indian constitution that provides for the Right to Privacy
has significant application to the Digital Era as the right to privacy is particularly important in
“

the digital era because Article 21 recognizes it as a fundamental right. The proliferation of
technology and digital communication has increased the potential for privacy infringements.
”

This right extends to protecting personal data from unwarranted surveillance, data breaches,
and unauthorized access . With the advancement in the digital era it is of paramount
importance to ensure that the individuals privacy rights are essentially important to be
protected by ensuring a balance between national security and the individuals rights. The
constitutional principle like that of Article 21 ensures that the legislations that are crafted fo
ensurning the safeguard of the individuals privacy rights are aligned with the principles of
legality, necessity and proportionality as provided in the Puttaswamy judgement. The right to
privacy under Article (Art) 21 also ensures that in this digital era as the significance of
internet connectivity is blooming at an un precedented rate the amount of personal data that is
being produce by the indiviuals are not subjected to any arbitrary encroachment by any
50

government or privat entity as upholding the individual right to privacy is of grave

importance.

The Freedom of Speech and Expression (Article 19(1)(a)) has a significant

application to the Digital Era . The freedom of speech and expression has expanded in the
digital age. Online platforms offer individuals strong tools to voice their thoughts, increasing
the impact and accessibility of this constitutional right. However, it also raises complex
questions regarding the regulation of online speech and the balance between free expression
and responsible use of technology. With the digital era advancing it can be witnessed by all
how the constitutional guarantee of freedom of expression has significantly extended into the
digital era . The constitutional principles like that of (Article 19(1)(a)) ensures that
legislations that are formulated for governing digital contents form a delicate equilibrium
between freedom of expression and the protection of individuals rights and social welfare .
With the enlargement in individuals scope to express themselves through the digital medium .
the individuals right are subject to certain constitutional considerations such as privacy
rights . Ministry of Information and Broadcasting, Govt. of India v. Cricket Association of
Bengal, the court determined that freedom of speech and expression encompasses the right to
acquire and disseminate information. This freedom is crucial for self-expression and serves as
the primary means for political discourse, which is fundamental to democracy. Consequently,
the right to communicate includes using available media—whether print, electronic, or audio-
visual, such as advertisements, articles, and speeches.

38. Constitutional law Dr Mamta Rao pg 222 first edition , 2013 Repeated

39. Constitutional law Dr Mamta Rao pg 215 first edition , 2013 Repeated

40. AIR 1995 SC 1236

Right to Equality (Article 14):

51

Application of Article 14 to the Digital Era is of profound importance as the right to

equality remains a fundamental constitutional principle, even in the digital age. It
necessitates that individuals are treated equally with respect to their digital rights, such as
access to the internet, protection from online discrimination, and equitable opportunities
in the digital realm. This principle ensures that no individual is unfairly disadvantaged
“

due to their lack of digital awareness. It also mandates that the digital platforms and
service operators function in a non discriminatory manner , providing equal access and
benefit to all users. Through Article 14 of the Indian constitution in the digital era the
constitution bridges the digital divide fostering an inclusive digital society where
technology enhances equal participation of individuals and equal representation. In
addressing unequal access to digital sources, data privacy violation Article 14 of the
Indian constitution ensures to uplift its commitment to equality in an fast forwarding
digital age.

Right to Constitutional Remedies (Article 32):

Application to the Digital Era: The right to constitutional remedies is especially relevant
in the digital age, where individuals may need to seek legal redress for privacy violations,
data breaches, or online harassment. In order to have their fundamental rights—including
their right to digital privacy—enforced, citizens may petition the SC under Article 32.

40 . Constitutional law Dr Mamta Rao pg 222 first edition , 2013 repeated

Definition of the State (Article 12):

52

Application to the Digital Era: Article 12's definition of the "State" extends the obligation
to protect fundamental rights to non-government entities when they perform functions of
a public nature. This principle has significance in the digital era, as private tech
companies and online platforms that engage in public functions are increasingly
scrutinized for their role in safeguarding digital rights.
“

Directive Principles of State Policy:

Application to the Digital Era: The state formulates policies based on the Directive
Principles of State Policy, even if the state cannot enforce them in court. They have the
power to affect laws pertaining to digital inclusion, digital literacy, and bridging the
digital divide in the modern day.
”

Fundamental Duties:

Application to the Digital Era: Fundamental duties, such as the duty to promote harmony
and the spirit of common brotherhood, have relevance in the digital era to counteract
online hate speech, cyberbullying, and the spread of disinformation.

41. Constitutional law Dr Mamta Rao pg 83 first edition , 2013

53

Examination of the Digital Personal Data Protection Act 2023

A major legal achievement, the DPDPA 2023 was enacted in India with the goal of resolving
the growing concerns about privacy and personal data protection in the digital age. The
“

Indian Act established a comprehensive framework for handling digital data in order to
achieve a balance between the need for strong data protection, technological advancement,
and national security. In an era where data is a vital asset for governments, businesses, and
”

individuals the protection of personal information is more important than ever before. On a
broader scale the DPDP Act 2023 positions India as a progressive nation that is committed to
upholding data privacy and security at a parallel stage. It enhances India’s global standing in
the digital arena, facilitating international data flows and collaboration with entities that
prioritize data protection. Thus, the DPDP ACT 2023 is a landmark law that meets the urgent
necessity for comprehensive data protection in the digital age of India. An overview of the
main points, goals, and implications of the Act is provided by this analysis.

The Purpose and Objectives of the DPDP Act 2023 is that the Digital Personal Data
“

Protection Act 2023 seeks to regulate the processing of personal data in India, placing a
strong emphasis on data protection and privacy rights. The primary objectives of the Act are
to Establish a legal framework for the protection of personal data. The DPDP act of 2023 has
significantly enhanced India’s legal framework in ensuring that the privacy rights of the
individuals are upheld. The DPDP Act of 2023 Provide individuals with greater control over
their personal data. The DPDP Act of 2023 Defines the responsibilities and obligations of
data controllers and processors. The DPDP Act of 2023 Facilitates the safe and secure ”

handling of personal data.

42. pib.gov.in Salient Features of Digital Personal data Protection bill

The DPDP Act 2023 provides for the Definitions and Scope as the Sensitive personal data,
personal data, data processor, data subject, and data controller are some of the terms
established by the Digital personal data Act of 2023 . Based on the distinction between
processing personal and sensitive personal data, several criteria are provided. No matter
54

where an individual is located, the Act applies to organizations that process personal data in
India or to those that target Indian citizens.

The DPDP Act establishes a Data Protection Authority . According to the DPDP Act of 2023
aData Protection Authority (DPA) is formed by the Act to supervise and implement data
protection laws. It is responsible for registering data fiduciaries, monitoring data processing
activities, and imposing penalties for violations.

The DPDP Act of 2023 provides for the provision of Consent and Purpose Limitation. Before
processing a data subject's personal information, the Act strongly emphasizes obtaining that
subject's express and informed consent. To ensure purpose limitation, data controllers are
required to specify the reason(s) for processing data, and data can only be used for the
“

specified purpose.

Data Localization under the DPDP Act of 2023 Important personal data must be processed
exclusively in India, according to the Act's regulations for its processing and preservation. A
copy of the personal data may also need to be maintained on record by data controllers and
”

processors inside the nation.

43. DPDP ACT section 37(2)

44. DPDP ACT section 16(1)

The Digital Data Protection Act of 2023 enshrines the concept of Cross-Border Data
Transfer:The DPA's clearance is one of the requirements for the cross-border transfer of
personal data. For data to be protected during international transfers, sufficient security
measures must be in place.
55

Data Subject Rights are also enshrined in the DPDP Act of 2023 A number of
rights are granted to data subjects by the Act, including the ability to examine their data, have
it corrected, have it deleted, and limit or object to data processing. Additionally, consent can
be withdrawn by data subjects.

DPDP Act of 2023 provides for Data Breach Notification the Data controllers have to
inform the DPA and impacted data subjects of any data breaches. Timely notification of data
breaches is a crucial aspect of the Act to ensure transparency and accountability.

The DPDP Act of 2023 provides for the Exemptions and Special Categories as the Act
permits certain exceptions from data processing for security, law enforcement, detection,
investigation, or prosecution of illegal activity. Additionally, it presents particular types of
personal data that are more heavily protected, such as biometric and health data.

The DPDP Act of 2024 lays the provision for Penalties and Enforcement as the serious
consequences, such as fines, jail time, or both, may follow noncompliance with the Act. To
make sure that compliance is maintained, the DPA is authorized to perform inspections,
audits, and investigations.

DPDP Act of 2023 has a significant impact on Businesses . Data controllers and processors
are subject to strict duties under the Act, which includes the establishment of data protection
officers, policies, and impact assessments. It demands that data management procedures be
reevaluated and that the Act's requirements be followed.

DPDP Act of 2023 has been aligned with the International legislations- The Act is intended
to bring India into compliance with international standards for data protection and is in line
with international data protection principles. This will facilitate international data transfers
and collaboration on data protection issues.

In conclusion, the DPDPA 2023 is a significant legislative initiative to solve privacy and data
protection issues in India's digital environment. It highlights the rights of data subjects, offers
56

a thorough framework for processing personal data, and creates a regulatory body to monitor
compliance with data protection laws. This legislation ensures to align India’s efforts in
protecting individuals' privacy rights with the global best practices thus positioning India as a
leader in data protection on the international stage. It fosters the trust of individuals in data
handling, privacy, and accountability of the government. In addition, the Act is expected to
have a major impact on businesses, data processors, and data controllers as they adjust to the
new data protection requirements in the digital era. With India's digital economy evolving, it
is thought that the DPDP Act 2023 will be instrumental in protecting individuals' personal
data and fostering a safe and dynamic digital environment in India.
57

Detailed Analysis of Key Provisions in the Digital Personal Data Protection

“

Act 2023

The DPDA 2023 is a comprehensive legislation that addresses various aspects of data
protection as well as privacy in India. In an era marked by the explosive growth of digital
technology and the tremendous surge in data generation, a robust data protection law was
more crucial than ever. The DPDP Act is a crucial step for India in the way forward in
addressing the need to safeguard individuals’ personal data while fostering a secure digital
environment for innovation. With the primary objective of establishing a balance between the
protection of individuals' right to privacy and that of national security, the Act offers a
comprehensive framework that covers a number of concerns connected to the collecting,
processing, storage, and exchange of personal data. A notable aspect of the Digital Data
Protection Act 2023 is the creation of the DPA a regulatory body responsible for enforcing
”

the data protection regulations. Additionally, the DPDPA 2023 aligns India’s data protection
standards with that of international norms, thus facilitating a cross-border data flow and
enhancing the country’s position as a global leader in the data privacy space. By adhering to
the global best practices, the Act not only protects the privacy of Indian citizens but also
ensures that Indian businesses can operate seamlessly on the international stage. This detailed
analysis focuses on the Act's key provisions, including those related to data categories and
government access to data.

Data Categories:

Personal Data: According to the Act, personal data is any information that can be used to
identify a natural person. Many different kinds of information can be found in this area, such
as phone numbers, email addresses, names, and distinctive online IDs. It is the basis of the
Act's data protection regulations.

45.Digital Personal Data Protection Act , 2023 section 2(n).

“ ”

The Act distinguishes sensitive private data, which includes information related to a person's
financial data, health, sexual orientation, biometric data, and more. This category is subject to
58

stricter regulations, requiring explicit consent for processing. Critical personal data is a
special category of data that is governed by even stricter laws. Critical personal data is
defined as data that, if breached, could harm national security or public order. It is required to
be stored and processed exclusively within India.

Data Processing:

Data controllers are responsible for stating the purpose of data collection and processing.
Data is therefore ensured to be used only for that purpose, and any changes to that purpose
need consent from the data subject. The necessity that data subjects provide their express and
informed consent before having their data processed is one of the Act's main tenets. Consent
must be expressly provided, freely granted, and reversible by data subjects. Data controllers
have a critical responsibility to clearly state the purpose of data collection and processing.
This transparency ensures that data is used solely for the specified purposes, safeguarding the
data subjects' expectations and rights. Should there be any intent to change the purpose for
which the data was originally collected, it is imperative to obtain new, informed consent from
the data subjects. A cornerstone of the governing data protection framework is the necessity
for data subjects to provide their express and informed consent before any data processing
occurs. This consent must be explicitly given, meaning that it cannot be assumed or implied
from silence or inactivity. It must also be freely granted, ensuring that data subjects are not
coerced or unduly influenced. Additionally, consent must be reversible, allowing data
subjects to withdraw their consent at any time, thereby maintaining control over their
personal data. This framework upholds the principles of autonomy and self-determination,
reinforcing trust in the digital ecosystem.

Government Access to Data:

The Act provides the government access to personal information under specific conditions.
The main goals of this are national security and law enforcement. The Act includes measures
pertaining to government access to data, including the authority to ask data controllers and
processors for their information. The Act grants the government the ability to access personal
information under clearly defined conditions, primarily aimed at safeguarding national
security and facilitating law enforcement activities. This provision ensures that while
59

individual privacy is protected, there are mechanisms in place to address critical threats and
uphold public safety. To this end, the Act includes specific measures that outline the
circumstances under which government agencies can request access to data. These measures
provide the government with the authority to compel data controllers and processors to
furnish necessary information. Such access is typically regulated to prevent abuse and ensure
that it is conducted in a manner consistent with legal standards and oversight. By balancing
the need for security with the protection of personal privacy, the Act seeks to create a
framework that allows for effective government intervention in matters of national
importance while maintaining trust in the overall data protection regime.

46. Digital Personal Data Protection Act, 2023 Section 16(1)

47. Digilaw. in DPDP Act 2023 Key Features

When preserving India's integrity, sovereignty, and national security requires access to data,
the government may obtain it. However, such access must be proportionate to the threat and
must follow due process.The DPA plays a key role in overseeing government access to data.
Monitoring such access, ensuring that the Act is followed, and protecting the rights of data
subjects are under the authority of the DPA. When the preservation of India's integrity,
“

sovereignty, and national security necessitates access to data, the government is empowered
to obtain it. However, this access must be proportionate to the perceived threat and must
adhere to established due process. Ensuring that these criteria are met is essential to
maintaining a balance between national security and individual privacy rights. The Data
Protection Authority (DPA) plays a crucial role in overseeing government access to data. The
DPA is responsible for monitoring such access to ensure compliance with the Act,
safeguarding against misuse, and protecting the rights of data subjects. This oversight
includes verifying that government requests for data are justified, proportional, and follow the
due legal procedures. By fulfilling these duties, the DPA acts as a guardian of personal data,
ensuring that any government intervention is transparent, justified, and limited to what is
necessary for addressing legitimate security concerns. This system of checks and balances is
fundamental to maintaining public trust in both the government's actions and the broader data
protection framework.
60

Data Subject Rights:

The Act provides data subjects a number of rights, such as Access to personal information
maintained by the controllers is a right of data subjects. Right to Rectification : Inaccurate
data can be corrected upon request from data subjects. Right to Erasure: Data subjects may
request that their data be removed under specific conditions. Right to Data Portability: Data
subjects have the option to obtain their data in an organized, machine-readable format. Right
to Restriction and Objection: The possibility to restrict or object to the processing of
personal data is available to data subjects under specific circumstances. Right to Withdraw
”

Consent: Reversing their consent to data processing is a right granted to data subjects. The
Act provides data subjects with a suite of rights designed to give them control over their
personal information. One of the fundamental rights is the right to access, which allows
individuals to obtain and review the personal information that data controllers maintain about
them. This transparency helps ensure that data subjects are aware of and can monitor how
their data is being used. Another critical right is the right to rectification, enabling data
subjects to request corrections to any inaccurate or outdated information held by data
controllers. Furthermore, the right to erasure allows individuals to request the deletion of
their data under specific conditions, such as when the data is no longer necessary for the
purposes for which it was collected, or if the data subject withdraws consent.

In addition, the right to data portability gives data subjects the ability to receive their personal
data in a structured, commonly used, and machine-readable format, facilitating the transfer of
their data to another service provider if desired. The right to restriction and objection permits
data subjects to limit or contest the processing of their personal data in certain situations, such
as when they dispute the accuracy of the data or object to processing based on legitimate
interests or direct marketing purposes. Lastly, the right to withdraw consent empowers data
subjects to revoke their consent for data processing at any time, reinforcing their control over
their personal information. Collectively, these rights ensure that data subjects can actively
manage their personal data and protect their privacy in the digital age.

48.Digilaw. in DPDP Act 2023 Key Features REPEAT 47

”
61

Data Localization and Cross-Border Data Transfer

Critical personal data, as defined by the Act, must be exclusively processed in India. This is a
significant provision aimed at safeguarding data related to national security.Certain
requirements apply to the cross-border transfer of personal data, one of which is the approval
of the DPA. To protect data during international transfers, sufficient protections must be in
place. The Act stipulates that critical personal data, as defined within its provisions, must be
processed exclusively within India. This requirement is a crucial measure aimed at
safeguarding data that pertains to national security and other sensitive areas. By mandating
that critical personal data remain within national borders, the Act seeks to prevent potential
vulnerabilities and threats that could arise from international data exposure. Additionally, the
Act outlines specific requirements for the cross-border transfer of personal data. One of the
key conditions for such transfers is obtaining approval from the Data Protection Authority
(DPA). The DPA's role is to ensure that any international data transfer complies with
stringent standards designed to protect personal data.

To further secure data during cross-border transfers, the Act mandates that adequate
protections must be in place. These protections can include ensuring that the recipient country
has comparable data protection laws, implementing binding corporate rules, or other
contractual agreements that guarantee the safeguarding of personal data. The aim is to
maintain a high level of data protection regardless of where the data is transferred. This
approach not only protects individuals' personal information but also builds trust in the
mechanisms governing international data flows, ensuring that privacy and security are not
compromised in the global digital landscape.

Data Breach Notification:

Data controllers must inform the affected data subjects and the DPA of any data breaches.
Alerting data breaches in a timely and open manner is crucial for maintaining accountability
and safeguarding the rights of data subjects. Data controllers are mandated to inform both the
affected data subjects and the Data Protection Authority (DPA) in the event of any data
breaches. This requirement ensures that individuals are promptly made aware of potential
risks to their personal information, allowing them to take necessary precautions to protect
themselves from identity theft, fraud, or other forms of misuse. Notifying the DPA enables
62

regulatory oversight, ensuring that the breach is properly investigated and appropriate
measures are taken to prevent future occurrences. Timely and transparent reporting of data
breaches is critical for maintaining accountability within organizations, as it demonstrates a
commitment to upholding data protection standards and fosters trust among data subjects. By
ensuring that breaches are communicated openly, the Act reinforces the importance of
transparency and responsiveness in the management of personal data, ultimately safeguarding
the rights and interests of individuals in the digital age.

Penalties and Enforcement:

Significant consequences, including fines and jail time, may follow noncompliance with the
Act. The Data Protection Authority possesses the jurisdiction to carry out audits, inquiries,
and examinations to ensure adherence to regulations. Noncompliance with the Act can lead to
significant consequences, including substantial fines and even imprisonment for serious
violations. These penalties underscore the importance of adhering to data protection
regulations and serve as a deterrent against negligent or malicious handling of personal data.
The Data Protection Authority (DPA) is empowered with broad jurisdiction to ensure
compliance with the Act. This includes the authority to conduct audits, inquiries, and
examinations of data controllers and processors. Through these activities, the DPA can
scrutinize the practices of organizations to ensure they are following the prescribed data
protection standards.

The ability to perform audits allows the DPA to proactively identify potential compliance
issues before they result in breaches or other incidents. Inquiries and examinations enable the
DPA to investigate specific complaints or suspicions of noncompliance, ensuring that any
lapses are addressed promptly and effectively. By enforcing the Act's provisions rigorously,
the DPA plays a critical role in maintaining the integrity of data protection frameworks,
protecting the rights of data subjects, and fostering a culture of accountability and
responsibility among organizations handling personal data. The prospect of fines and jail time
serves to reinforce the seriousness of these obligations, ensuring that data protection remains
a top priority for all entities involved.
63

Data Protection Authority:

The Act establishes the DPA, which is responsible for registering data fiduciaries, monitoring
data processing activities, and enforcing data protection regulations. In India, the DPA is
essential to the supervision and control of data processing.The Act establishes the Data
Protection Authority (DPA), a regulatory body tasked with overseeing the implementation
and enforcement of data protection laws. The DPA's responsibilities are multifaceted and
crucial to ensuring robust data governance in India. One of its primary duties is the
registration of data fiduciaries, entities that determine the purpose and means of processing
personal data. This registration process helps maintain a comprehensive record of
organizations handling significant volumes of personal data, facilitating better regulatory
oversight.

In addition to registration, the DPA is charged with monitoring data processing activities
across various sectors. This involves scrutinizing how data is collected, stored, and used to
ensure compliance with the Act's provisions. The DPA's oversight helps detect and prevent
potential violations, safeguarding the privacy and rights of data subjects. Furthermore, the
DPA is empowered to enforce data protection regulations through a range of actions,
including conducting audits, investigating complaints, and imposing penalties for
noncompliance. This enforcement capability is critical for maintaining accountability and
ensuring that data fiduciaries adhere to the established standards.

In India, the DPA is central to the supervision and control of data processing activities. Its
role extends beyond mere regulatory functions; it also involves promoting awareness and
understanding of data protection principles among both organizations and the general public.
By fulfilling these responsibilities, the DPA helps build a secure and trustworthy data
environment, fostering confidence in the digital ecosystem and protecting individuals'
personal information.

49. Digilaw. in DPDP Act 2023 Key Features

64

Comparison with International Data Protection Laws

“

The DPDP Act 2023 in India aligns with several international data protection laws and
regulations, as it aims to establish data protection standards that are in harmony with global
best practices. The need for India to align its digital data privacy law with that of the other
global data privacy legislations is of critical concern as with the rise in global concerns over
protection of data privacy rights, India needs a robust data protection framework especially to
balance India’s rapidly growing digital economy and vast population the global best
practices are a must as it is both necessary and beneficial . Data privacy is a central issue
internationally it is driven by the massive increase in data generation and the risk of data
breach and misuse, Countries throughout the globe have implemented comprehensive data
protection laws to safeguard individuals personal data, ensure user consent and regulate data
transfers. With the advancement in time and modern economies depending heavily on the
semless flow of data across borders it is essential for India to incorporate the global best
practices. A strong data protection law ensures that the Indian consumers would enjoy a
similar assurance that their personal data is secured like that in other countries. The
incorporation of global best practices also necessitates robust security measures that would in
turn reduce the incidents of data breaches and cyber threats. Alligning with the global best
practices also ensure that it would foster a more predictable and more stable regulatory
environment for the businesses operating in India both domestically and internationally.
Here is a comparison with some prominent international data protection laws:

European Union's General Data Protection Regulation (GDPR):The GDPR

as well as DPDP Act 2023 provides for a Consent Requirement as in order to
guarantee that people have control over their personal data, both the GDPR and the Indian
”

Act place a strong emphasis on the requirement for express and informed consent for data
processing.
65

GDPR and DPDP Act both incorporate the need for Data Subject Rights. Both the
frameworks improve the control that data subjects have over their data by granting them
rights including access, rectification, erasure, and the ability to object. The need for Data
Localization is intricate for both GDPR and DPDP Act of 2023 , Although data localization
is not explicitly required by the GDPR27, the Indian DPDP Act requires that sensitive
personal data be maintained only in India, which is consistent with the GDPR's emphasis on
data sovereignty.

Provision for Data Breach Notification is incorporated in both the Acts. To increase
accountability and transparency, data controllers are required by the Indian Act and the
GDPR to immediately alert the relevant regulatory body and the impacted individuals of any
data breaches.

California Consumer Privacy Act (CCPA): The California Consumer Privacy Act
(CCPA) is a significant legislative effort of the United states in this realm . It is one of the
most comprehensive data privacy law in the united States of America (USA) and aims to
enhance the privacy rights and consumer protection for residents of California. Both CCPA
and DPDP Act ensures to uphold Data Subject Rights. Residents of California are granted
rights under the CCPA to access, correct, delete, or retrieve their data, which are comparable
to those granted under the Indian Act. The Consent and right to Opt-Out are incorporated in
both the Acts as , In addition to emphasizing consent, both legislations offer people the
option to refuse to have their data sold.

50. Gdpr. eu what is GDPR, the EU’s new data protection law

Personal Information Protection and Electronic Documents Act (PIPEDA) – Canada

regulates how private sector organizations handle personal information during commercial
activities.28 The Act aims to protect personal data while acknowledging the legitimate needs
of businesses. PIPEDA, like the Indian Act, requires organizations to obtain meaningful
27
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection
of natural persons with regard to the processing of personal data and on the free movement of such data, and
repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance).
28
Personal Information Protection and Electronic Documents Act (PIPEDA), c. 12 (Canada).
66

consent for data collection, use, and disclosure. Both the Acts provide for Data Subject
Access Like the terms of the Indian Act, PIPEDA gives individuals access to their personal
information. They also enable individuals to request corrections to their data and challenge
their accuracy. Both PIPEDA and DPDP Act mandate for transparency and requires
organizations to inform individuals clearly. Accountability is a key feature of both the Acts as
both the frameworks hold organizations accountable for compliance with data protection
principles and also require for the designation of a responsible individual for privacy
practices.

Data Localization is an intrinsic part of both the Acts but the Indian Act's data localization
requirements are more stringent than PIPEDA, which doesn't have specific data localization
provisions.

Australia's Privacy Act 1988 . : The Australian Act and DPDP Act of 2023 Both Acts
provide for Data Breach Notification. As transparency is ensured by requiring enterprises to
notify individuals and the regulating body of data breaches under both the Australian Privacy
Act and the Indian Act. Thereby ensuring that individuals are informed about the potential
risks to their personal data . The notification process plays a crucial role in maintaining trust
and allows individuals to take necessary precautions to protect themselves from any adverse
data breach.Ensuring the Data Subject Rights is a necessity in safeguarding individuals
personal data The Australian Privacy Act29 grants individuals rights similar to those in the
Indian Act, involving the right to access their personal information. These rights
predominantly empowers the individuals to have a greater control over their data ensuring
that they can be assured of their personal data being in safe hands. Both the Acts also provide
mechanism for individuals to loge complains and seek redress in case of their privacy rights
are violated . thus through these robust frameworks both Australia and India aims to enhance
individuals trust in the digital ecosysytem by ensuring that their personal data is handeled
transparently and securely.

29
Privacy Act 1988, c. 12 (Australia)
67

United Kingdom Data Protection Act 2018 is a key international data

protection legislation. The UK Data Protection Act, which aligns with the GDPR, shares
several similarities with the Indian Act in terms of consent requirements, data subject rights,
and data breach notifications. Both these legislative frameworks emphasize the necessity of
obtaining explicit concent from individuals before they process individuals personal data,
thereby ensuring that data processing activities are conducted transparently and with the
individuals informed agreement.30 The data subject rights under the DPA are significantly
enhanced gving the Individuals' rights over their personal data are greatly increased under the
DPA, giving them more power to access, correct, erase, and limit when their personal data is
processed. This not only empowers the individuals to maintain greater control over their
information but also aligns with the principles of data minimization and accuracy which are
core tenets of the GDPR . Aditionally the DPA includes the right to data portability thus
enabling individuals the power to transfer their data between different service providers
seamlessly , thus promoting a competition and innovation within the digital marketplace.

DPA provides for data breach notification: According to the statute, companies must notify
the ICO of specific kinds of data breaches within 72 hours and, in certain situations, the
impacted individuals. This prompt notification process is cucial for mitigating the potential
impact of data breaches and ensuring that individuals can take appropriate measures to
protect themselves from identity theft and various other malicious activities.

Brazilian General Data Protection Law (LGPD) Act 2020:

30
Data Protection Act 2018, c. 12 (UK).
68

The LGPD represents a significant step forward in data protection for Brazil and has
implications for both businesses and individuals.

The LGPD is applicable to any data processing activity performed by individuals or legal
entities, regardless of whether the data is processed or where the data subject resides .
The LGPD Act secures the rights of data subjects as Individuals have rights regarding their
personal data, such as the capacity to access, update, anonymize, block, remove, and transfer
their information.
Another key feature of the LGPD Act is it specifies the Obligations of data processors as the
LGPD Act ensures that the entities handling personal data must ensure data security, obtain
consent for data processing, and maintain transparency about how the data is used.

Asia–Pacific Economic Cooperation APEC Privacy Framework 2005:

The Asia-Pacific Economic Cooperation created the APEC Privacy Framework, which
provides a set of rules for establishing a balance between the security of personal data and
unrestricted data . The framework stresses the need for an effective enforcement mechanism
and accountability measures to ensure compliance, including the establishment of regulatory
authorities, and complaint handling procedures.The framework ensures that there is no harm
to individuals from data privacy breaches, it provides individuals the ability to opt out of
certain data uses. Individuals are also granted the right to access and update their personal
data.

While the DPDPA 2023 shares common principles with these international data protection
laws, there are also distinctions, such as the Act's specific provisions related to critical
personal data localization. These comparisons illustrate that India's data protection
framework, while tailored to the country's unique needs and challenges, aligns with global
efforts to enhance data privacy and protection. A great benefit of comparing the DPDP Act is
the need for harmonization with global standards. The GDPR sets a high bar for data privacy.
India’s DPDP Act which draws inspiration from the GDPR aims to align with these global
standards, enhancing India’s credibility and facilitating a smoother international data transfer.
69

As it is crucial for Indian businesses looking to expand globally and attract global investment.
The contrast highlights the significance of strong legal and regulatory frameworks in
safeguarding personal information. While India made progress with the DPDP Act 2023, a
continuous update and improvement shall always be needed to address the new privacy and
security challenges. Taking insights from the enforcement and accountability measures of
GDPR and LGPD can help India create more effective regulatory practices. The
International data protection laws highlight the importance of empowering consumers with
rights such as data access, correction, and the right to delete which India’s DPDP Act also
aims to provide thus reflecting a global move towards greater individual control over the
individual's personal data. The comparison also reveals both opportunities and challenges for
India as it upholds the challenges in ensuring compliance across diverse sections and
addressing gaps however it also presents opportunities for India to become a leader in data
protection at the global stage. As a result, the DPDP Act addresses India's particular
requirements in the digital age and demonstrates India's adherence to international data
protection standards.

Surveillance and Government Access to Personal Data

The DPDPA 2023 in India addresses the critical issue of surveillance and government access
to personal data in the context of data protection as well as privacy. An evolving and intricate
landscape of surveillance and government access to personal data that is influenced by legal,
technological, and societal factors has influenced the government to introduce advanced
surveillance technologies. While these technologies can improve security and public safety,
they also pose substantial risks to individuals' privacy and freedoms if not regulated properly.
Surveillance and government access to personal data in India presents a multifaceted
challenge that requires a careful and balanced approach. Involving navigating through the
delicate balance between ensuring national security and protecting individuals' privacy. As
India continues to advance technologically, it becomes increasingly important for India to
establish a more robust legal framework that is transparent, provides for an oversight
mechanism, and develops a culture of respect for individuals' privacy to prevent the erosion
70

of civil liberties in the name of security and governance thus the DPDP Act 2023 was
introduced. Here's an analysis of how the Act manages this complex relationship.

The DPDP Act of 2023 enshrines provisions that act as Safeguards Against Unwarranted
Government Access. The DPDP Act of 2023 includes provisions that require government
access to personal data to be proportionate and justifiable. This means that government
agencies must have a legitimate reason, such as national security concerns, to access personal
data. This is consistent with many international data protection regulations' use of the
proportionality and necessity concepts. The Digital Personal Data Protection Act of 2023
mandates that government requests for access to data must follow due process and be subject
to oversight by the DPA. This oversight ensures that government access is not arbitrary and
respects the rights of individuals.

The DPDP Act 2023 also ensures the Protection of National Security as the Act
acknowledges the importance of protecting national security and allows the government
access to data when necessary for safeguarding the integrity as well as the sovereignty of
India. Nevertheless, this access needs to follow the rules of proportionality, legality, and
legitimacy. Thus by including provisions for government access in cases related to national
security, the Act strikes a balance between privacy rights and the need to address potential
threats, reflecting international norms.

Localization for Critical Personal Data is an important aspect that the Digital Personal Data
Protection Act of 2023 addresses. The Digital Personal Data Protection Act 2023 introduces
the concept of critical personal data, which is subject to stricter regulations. According to the
Act, only data processed and held in India may be considered critical personal information.
The purpose of this provision is to protect sensitive national security data from the dangers
associated with transferring it internationally. By restricting the processing and storage of
critical personal data within national borders, The Digital Personal Data Protection Act of
2023 ensures that risks such as unauthoized access by foreign entities and cyberattacks from
international sources can be mitigated. This approach ensures that data critical to national
security and public interest remains under the jurisdiction of Indian laws and thereby enhance
the country’s control over its most sensitive information.
71

The Digital Personal Data Protection Act of 2023 incorporates the concept of Data
localization which as a significant measure has been adopted by several countries to enhance
control over data that could impact national security. This requirement is not only a defensive
measure but also a proactive strategy to bolster the country’s digital infrastructure and self-
reliance in data management. Additionally data localization helps in ensuring a faster
regulatory responses and enforcement actions as data residing within the country can be more
easily monitored. It aligns with similar provisions in international data protection laws,
reflecting a global trend towards data sovereignity and the protection of national interest in
the digital age .

As it is essential for a strong legal framework to ensure that there is an authority to oversee
the compliance with the provisions of the Act. The Digital Data Protection Act of 2023
provides for the Data Protection Authority Oversight. The DPA plays a crucial role in
overseeing government access to personal data. The DPA ensures that such access is in
compliance with the Act's provisions and respects the rights of data subjects. The DPA acts
as an independent regulatory body that monitors and enforces data protection laws,
investigates complaints and imposses penalties foe non compliance. Furthermore the DPA is
tasked with promoting public awareness about data protection rights and fostering a culture
of data privacy within the country. The DPA by conducting regular inspections and audits
helps to maintain high standards of data security and accountabilityamong data processors
and contollers. The presence of a robust oversight mechanism is crucial in building public
trust and ensuring that the government and private entities alike adhere to the highest
standards of data protection. The framework provided by DPDP Act 2023 not only reinforces
the principles of transparency and accountability but also ensures that India remains aligned
with the global best practices in data protection.

In order to prevent the misuse of governmental authority, oversight by an impartial body is a

basic component of data protection regulations across the globe.

The Digital Personal Data Protection Act 2023 also upholds Transparency and
Accountability. The Act emphasizes transparency in government access to data by requiring
data controllers to report any such access to the DPA. Additionally, affected data subjects
must be notified. This enhances accountability and ensures that individuals are aware of
government requests for their data. Transparency and accountability are core principles in
international data protection laws, like the GDPR and the CCPA.
72

In summary, the DPDA 2023 in India incorporates several provisions to address the issue of
surveillance and government access to personal data. It emphasizes the need for
proportionality, legality, and oversight, ensuring that government access is not arbitrary and
respects privacy rights. The Act's approach is in line with global data protection principles
while addressing the specific challenges associated with data protection in the digital era,
including safeguarding national security interests. Further, the Act introduces measures for
data breach notification, data minimization, and user consent enhancing the overall
framework. By establishing an independent oversight body and mandating regular audits, the
Act aims to provide transparency in data handling practices but the transparency and
accountability mechanisms need rigorous oversight to ensure that surveillance activities are
lawful and respectful of individuals privacy rights. The rapid advancement in technology
necessitates a continuous update to the legal framework to address the new challenges.
Though the DPDP Act is a significant milestone for India it must evolve taking account of the
global best practices and domestic experiences to ensure that it remains relevant and
effective.
73

Overview of Government Surveillance Programs in India

Government surveillance programs in India have gained prominence over the years, raising
concerns about individual privacy, civil liberties, and the need for transparent and
accountable surveillance practices. These encompass various initiatives such as CMS,
NATGRID, Adhaar, etc has significantly highlighted a need for a stronger legal framework
ensuring that the individual's privacy is not invaded arbitrarily. With advancements in
technology and India’s need to uphold national security, it is intricate for India to balance
between the individual's privacy rights and that of national security. It is essential for India to
overview the measures as many a time these measures have proved to have lacked adequate
oversight and safeguards. It is important with the advancement in time and technology to
reform the legislation ensuring accountability and transparency in government surveillance.
Romesh Thappar v. State of Madras (1950) CITATION Romesh Thappar v. State of Madras,
1950 SCR 594. in this case the court clarified that not every instance of public disorder
constitutes a threat to the security of the State; only serious and aggravated forms of public
disorder fall under this category. An understanding of some of the major government
monitoring projects and programs in India can be obtained from this overview:

Central Monitoring System (CMS):

The CMS, launched by the Indian government, is designed for lawful interception and
monitoring of telecommunications31. It is primarily intended for security and law enforcement
agencies to monitor communications for national security purposes.

CMS enables government agencies to intercept and monitor phone calls, emails, and internet
usage, drawing data directly from service providers. It allows for real-time surveillance of
communications.

Network Traffic Analysis (NETRA):

India's Centre for Artificial Intelligence Bureau created the software network. It plays a vital
role in cybersecurity and network management, primarily aimed at monitoring network

31
India Today, Forget NSA, India’s Centre for Development of Telematics is one of the top 3
worst online spies (March 12, 2014), India Today.
74

availability and activities to detect anomalies that suggest security breaches 32. Scope: NETRA
provides real-time and historical network activity recording. It analyses the flow of data from
devices like routers and network TAPs to understand the data traffic pattern. The Centre for
Artificial Intelligence and Robotics (CAIR), a division of India's Defence Research and
Development Organisation (DRDO), has developed a software network monitoring system
called NETRA. NETRA plays a crucial role in cybersecurity and network management by
monitoring network availability and activities to detect anomalies that could indicate security
breaches.

NETRA provides real-time and historical recording of network activity. It analyzes the flow
of data from network devices such as routers and network TAPs (Test Access Points) to
understand the patterns of data traffic. This allows NETRA to identify any unusual or
suspicious activity that could signify a potential security threat.

By continuously monitoring the network, NETRA is able to detect anomalies and alert the
relevant authorities promptly. This helps organizations proactively address security issues
and mitigate the impact of cyber attacks. The system's advanced analytics capabilities enable
it to identify complex patterns and correlations that could indicate more sophisticated threats.

NETRA's comprehensive network monitoring and analysis functionalities make it a valuable

tool for maintaining the security and integrity of India's critical information infrastructure.
The system's deployment across various government and private sector organizations
underscores its importance in safeguarding the nation's digital assets.

National Intelligence Grid (NATGRID):

32
The Times of India, Govt to launch internet spy system ‘Netra’ soon (January 7, 2014), The
Times of India.
75

NATGRID is an ambitious intelligence-sharing project that aims to provide security agencies

with quick access to a vast amount of data on individuals and organizations 33. The primary
objective is to enhance counter-terrorism and counter-crime efforts. NATGRID seeks to
collate and share data from various government databases, including financial, immigration,
and law enforcement records, to create a comprehensive intelligence grid. While it has been
in development for years, concerns about data privacy and oversight persist.

Aadhaar Database:

The Aadhaar program, managed by the Unique Identification Authority of India (UIDAI), is
primarily designed for identity authentication and welfare distribution. It provides inhabitants
of India with a distinct 12-digit identifying number 34. While Aadhaar's primary purpose is not
surveillance, there have been concerns about the potential misuse of the database for tracking
individuals' activities. The Indian government has emphasized Aadhaar's role in reducing
fraud and ensuring efficient service delivery.

National Cyber Coordination Centre (NCCC)

NCCC is a current cyber security and e-surveillance institution in India. It was founded by
the Ministry of Information Technology and Electronics (Meity). The major layer for data
flow monitoring in India is the NCCC. For all communications between the public sector and
private service providers, it serves as the focal point. It maintains Virtual contact with the
Internet Service Providers (ISPs) to monitor traffic within the country including traffic at
points of entry and exit and the international gateway35. It engages in international
collaboration with global cybersecurity agencies and organizations to share intelligence

33
Dalip Singh, Close watch. NATGRID to turn lens on digital print of people, firms (April 27,
2023), Business Line.

34
Vrinda Bhandari & Renuka Sane, A Critique of the Aadhaar Legal Framework, 31 NLSIR Rev.
72-97 (2019).

35
India gets ready to roll out cyber snooping agency, The Hindu, June 10, 2013, The Hindu.
76

recovered from monitoring the data flow in the country. It also enhances the coordination
between cyber security agencies and other various other government agencies.

63. t

State-Level Surveillance Programs:

Several Indian states have implemented their own surveillance programs. For example, the
Kerala Police's "Hi-tech Surveillance System" aims to enhance public safety through the use
of advanced technology, including cameras and facial recognition systems.

Internet Surveillance and Data Retention:

In India, ISPs and telecom firms are legally obligated to hold onto consumer data for a
predetermined amount of time. Government organizations have access to this information for
security and investigation needs.

Surveillance Laws and Regulations:

The legal foundation for legitimate interception and internet surveillance is provided by the
Information Technology (Procedure and Safeguards for Interception, Monitoring, and
Decryption of Information) Rules, 2009.
77

Challenges and Concerns:

Government surveillance programs in India have raised significant concerns:

There are concerns that surveillance programs may infringe upon individual privacy rights
and civil liberties, particularly when the extent of surveillance is not clear or adequately
regulated36.The absence of strong oversight mechanisms and a clear legal framework for
surveillance programs has been a subject of criticism. The security of data collected through
surveillance programs is a concern, given the potential for data breaches and misuse. In the
case of Ajay Goswami vs Union of India (2007) CITATION Ajay Goswami v. Union of
India, (2007) 1 SCC 143.the court held that any anticipated danger justifying a restriction
must not be remote, speculative, or unlikely. A lack of transparency in the functioning of
these programs has led to public apprehension and calls for greater accountability.

36
Critical Assessment of Information Technology Act 2000 by Gaurav Saluja
78

Discussion on the Aadhaar Act and Its Implications for Privacy

The Aadhaar Act, introduced in India, represents a unique and ambitious digital identity
program that has both transformative potential and significant implications for privacy.
Aadhaar a 12-digit unique identity number is linked to individuals' biometric and
demographic information. The aim of the Act is to improve the efficiency and accuracy of
distributing subsidies, benefits, and services37. However, the risk of data misuse and breach of
privacy is increased by the centralized gathering and storing of enormous amounts of
personal data. Despite these concerns, it is often argued that the Aadhaar system helps to
reduce fraud, ensures accurate targeting of welfare schemes, and enhances administrative
transparency. The Supreme Court of India weighed on these issues with landmark rulings that
balance the need for Aadhaar with privacy safeguards. Thus, the Aadhaar Act highlights an
ongoing struggle between the utilization of technological advancements for the benefit of the
public at large and protecting individuals' privacy rights in the digital age. As India continues
to digitize its public services, the implications of the Aadhaar system shall remain a critical
focal point for all as it shall need to balance between public welfare and individuals' privacy
rights. This discussion delves into the Aadhaar Act, its objectives, and its impact on privacy:

The Aadhaar Act was introduced with the primary objective of assigning a unique 12-digit
identification number to every Indian citizen. This initiative was envisioned to facilitate three
key goals: financial inclusion, fraud reduction, and streamlined government services. 38One of

37
Government adopts UPA’s Aadhaar Bill, Business Standard (Mar. 7, 2016), Business Standard.
38
Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, 18 Ind. Code §
1 (2016).
79

the primary objectives of Aadhaar was to enhance the distribution of welfare programs and
subsidies by the government. By providing a secure and unique identification system, the
initiative aimed to ensure that these benefits reach the intended beneficiaries efficiently,
minimizing leakages and misappropriation.

Aadhaar was designed to promote financial inclusion by bringing individuals without

traditional identification documents into the formal financial system. This would enable
access to banking services and other financial instruments for a significant segment of the
population that previously lacked proper identification. Additionally, the prevention of
identity-related fraud was a crucial objective of the Aadhaar project. By establishing a robust
and secure identification system, the initiative aimed to minimize fraudulent activities that
often arise due to the lack of a reliable identity verification mechanism.

The implementation of Aadhaar has raised concerns regarding privacy implications. The
massive database containing personal information, including biometric data, has raised
questions about data security and the potential for misuse. Maintaining the confidentiality of
this sensitive information is of utmost importance to protect individual privacy rights.

Another critical concern is the possibility of unauthorized access, data breaches, and identity
theft, which could have severe consequences for individuals' privacy and security. There are
apprehensions that the Aadhaar database could be exploited for surveillance purposes,
infringing upon the privacy rights of citizens.

Moreover, the government's efforts to integrate Aadhaar with various services, such as
mobile numbers and bank accounts, have sparked debates about the potential for excessive
tracking and monitoring of individuals' activities across different sectors, potentially leading
to privacy violations.

While the objectives of Aadhaar are laudable, addressing these privacy concerns through
robust data protection measures, transparent governance, and stringent safeguards is crucial
to ensure the success of the initiative while upholding the fundamental right to privacy.

66. “Government adopts UPA’S Aadhaar Bill” Business standard 7 March 2016. retrieved 11 March 2016

67. Aadhaar (Targeted Delivery of Financial and other subsidies, benefits and services) Act, 2016
80

The landmark "Justice K.S. Puttaswamy (Retd.) vs Union of India" judgment by the Supreme
Court of India in 2017 marked a significant milestone in the realm of privacy rights. Through
this ruling, the apex court recognized the right to privacy as a fundamental freedom,
underscoring the critical importance of robust data protection and privacy measures in the
digital age.

Acknowledging the potential implications of the Aadhaar initiative, the legislation itself
incorporated provisions aimed at safeguarding data protection and privacy. To this end, the
Aadhaar Act mandated the establishment of the Unique Identification Authority of India
(UIDAI), a statutory body entrusted with the responsibility of ensuring the security and
confidentiality of the vast Aadhaar database. The UIDAI was tasked with implementing
stringent protocols and mechanisms to protect the sensitive personal information, including
biometric data, collected under the Aadhaar program.

The inclusion of these legal safeguards within the Aadhaar Act itself reflects the recognition
of the paramount importance of data protection and individual privacy in the context of a
nationwide identification system. By enshrining these provisions in law, the legislative
framework sought to strike a balance between the objectives of the Aadhaar program and the
fundamental right to privacy upheld by the Supreme Court.

The Aadhaar Act places significant emphasis on the principle of informed consent when it
comes to data sharing. This provision recognizes the fundamental right of individuals to
exercise control over their personal information. Under the Act, individuals must explicitly
provide their consent before their Aadhaar data can be utilized for any purpose, serving as a
critical safeguard against unauthorized access or misuse of sensitive data.

Despite the laudable objectives and legal safeguards incorporated within the Aadhaar Act, the
initiative has faced numerous legal challenges in India's courts. Critics have raised concerns
that the Act infringes upon privacy rights and lacks adequate measures to protect individual
data effectively. These apprehensions stem from the potential risks associated with the
centralized storage and handling of vast amounts of personal information, including biometric
data.In a landmark decision in 2018, the Supreme Court of India upheld the legality of the
Aadhaar Act while simultaneously introducing a series of limitations and additional
protections. These measures aimed to strike a delicate balance between the objectives of the
Aadhaar program and the critical need to uphold the fundamental right to privacy and ensure
81

data security. The court's ruling emphasized the value of privacy and the imperative of
implementing robust safeguards to prevent misuse or unauthorized access to personal data.

Even after the Supreme Court's ruling, public discussions and legal concerns surrounding the
Aadhaar Act continue to persist. As the government pursues efforts to integrate Aadhaar with
various other services, the challenge of striking an optimal balance between convenience,
security, and privacy has become increasingly complex. Ongoing debates revolve around the
potential implications of such integration, including the potential for excessive monitoring
and the erosion of individual privacy rights.

These debates reflect the inherent tension between the objectives of streamlining governance
and ensuring efficient service delivery through a centralized identification system, and the
fundamental rights of citizens to privacy and data protection. Addressing these concerns
through continuous refinement of legal frameworks, robust data security measures, and
transparent governance mechanisms remains a critical imperative for the successful
implementation of the Aadhaar initiative while upholding the cherished values of privacy and
individual liberty.

68. Aadhaar (Targeted Delivery of Financial and other subsidies, benefits, and services) Act, 2016

69. "The Curious Case of Aadhaar". Anupamtimes. 26 June 2017. Retrieved 6 July 2017.

In conclusion, the Aadhaar Act in India has far-reaching implications for privacy. While it
has the potential to enhance efficiency and financial inclusion, it also raises concerns about
data security, misuse, and surveillance. The Act's legal safeguards and the SC’s recognition
of the right to privacy have contributed to the ongoing debate about the balance between the
82

benefits of Aadhaar as well as the protection of personal privacy 39. Achieving this balance is
a complex challenge for India as it seeks to harness the potential of digital identity while
safeguarding privacy rights.

Case Study 1: Aadhaar Data Privacy Concerns

Background: The Indian government launched the Aadhaar program with the goal of
providing all Indian citizens with a distinctive 12-digit identifying number. The program has
decreased fraud and expedited access to government services, but it has also sparked
concerns about data privacy and government access to personal information40.

Impact on Individuals' Rights:

The implementation of the Aadhaar system has raised significant concerns regarding the
potential impact on individuals' privacy rights. One of the most pressing issues revolves
around the collection and storage of biometric and personal data by the Aadhaar system. The
centralized nature of this vast database and the sensitive information it contains have sparked
fears of potential data breaches and misuse, which could lead to violations of people's
fundamental right to privacy.

Furthermore, there have been apprehensions that the extensive data collected through
Aadhaar could be exploited for surveillance purposes. Unauthorized access to this

39
Constitutionality of Aadhaar Act, 31 S.C. Observer 72-97 (2019).

40
Vrinda Bhandari & Renuka Sane, A Critique of the Aadhaar Legal Framework, 31 NLSIR
Rev. 72-97 (2019).
83

comprehensive database could enable the tracking of individuals' activities across various
domains, potentially leading to infringements on their privacy rights. These concerns
underscore the need for robust data protection measures and stringent safeguards to prevent
such misuse.

Adding to these concerns is the government's ambition to link Aadhaar to numerous services,
including bank accounts and mobile numbers. This integration raises questions about the
government's ability to monitor individuals' activities across multiple sectors, potentially
resulting in violations of privacy rights. The potential for excessive tracking and monitoring
has fueled debates about the boundaries between efficient service delivery and the
preservation of individual privacy.

In a landmark judgment, the Supreme Court of India, in the case of "Justice K.S. Puttaswamy
(Retd.) vs Union of India," recognized the right to privacy as a fundamental right. While
upholding the validity of the Aadhaar Act, the court imposed certain limitations and
safeguards to protect individual privacy. This ruling exemplifies the ongoing debate and the
need to strike a delicate balance between the benefits of Aadhaar and the protection of
individual privacy rights.

The impact of the Aadhaar system on individuals' rights has become a subject of intense
scrutiny and public discourse. Addressing these concerns through robust legal frameworks,
transparent governance mechanisms, and stringent data protection measures is crucial to
ensure that the objectives of the Aadhaar program are achieved without compromising the
fundamental rights and liberties of citizens.

Case Study 2: U.S. National Security Agency (NSA) Surveillance Programs

84

Background: To obtain intelligence for national security needs, the National Security
Agency (NSA) of the United States conducts a number of surveillance activities 41. One of the
most notable revelations about these programs came from the disclosures made by Edward
Snowden in 2013.

Impact on Individuals' Rights

The global mass collection of phone records, internet communications, and metadata by
intelligence agencies has raised significant privacy concerns. These surveillance programs
have subjected both citizens and non-citizens alike to widespread monitoring, potentially
violating their fundamental right to privacy. The lack of transparency and oversight in the
bulk collection of data, often without the knowledge or consent of individuals, has further
exacerbated these concerns.

In response to these surveillance programs, legal challenges have arisen, igniting a debate
over the delicate balance between national security imperatives and the protection of
individual privacy rights. Landmark court cases, such as "Clapper v. Amnesty International
USA" and "United States v. Carpenter," have explored the legality and constitutionality of
these programs, seeking to establish clear boundaries and safeguards. The revelations
surrounding these mass surveillance programs, brought to light by whistleblowers like
Edward Snowden, sparked calls for legislative reforms to enhance transparency and oversight
mechanisms. The USA Freedom Act, passed in 2015, aimed to address some of these
concerns by placing restrictions on the indiscriminate collection of vast amounts of data,
attempting to strike a balance between security needs and privacy rights.

These developments underscore the ongoing tension between the imperative of national
security and the protection of individual privacy in an increasingly interconnected and
digitized world. Striking the right balance through robust legal frameworks, effective
oversight mechanisms, and a commitment to upholding civil liberties remains a critical
challenge for governments and societies worldwide.

Case Study 3: China's Social Credit System

41
Factbox: History of mass surveillance in the United States, Reuters (June 7, 2013), Reuters.
85

Background: China's Social Credit System is an extensive surveillance and data collection
program aimed at assessing individuals' and businesses' behaviour and trustworthiness. It
assigns scores based on various factors, including financial history, social media activity, and
public behaviour.

Impact on Individuals' Rights:

The implementation of the Social Credit System in China has raised significant concerns
regarding its potential impact on individuals' rights and privacy. At the core of this system
lies the extensive collection of personal data, encompassing online behavior, financial
transactions, and various other aspects of individuals' daily lives. This data is accessible to
multiple government agencies, raising questions about the potential for misuse and violations
of privacy.

One of the primary concerns surrounding the Social Credit System is the threat it poses to
individual privacy rights. The system involves the monitoring of individuals' everyday
activities, including their online interactions and financial transactions. This level of
surveillance raises apprehensions about the potential infringement of privacy, as it allows for
the gathering and analysis of sensitive personal information without adequate safeguards or
transparency.

Furthermore, the Social Credit System has the potential to impact individuals' fundamental
rights, such as freedom of speech and expression. Some individuals may engage in self-
censorship of their online activities and expression to avoid negative consequences on their
social credit scores. This chilling effect on free speech and the potential for coercion raise
concerns about the erosion of civil liberties. Adding to these concerns is the lack of
transparency and oversight in the operation of the Social Credit System. The opaque nature of
the system, coupled with the absence of clear mechanisms for individuals to challenge or
appeal their scores, has raised questions about accountability and the ability of citizens to
exercise their rights effectively.

The far-reaching implications of the Social Credit System underscore the delicate balance
that must be struck between the pursuit of societal goals and the protection of individual
rights and liberties. Addressing these concerns through robust legal frameworks, transparent
governance mechanisms, and effective oversight is crucial to ensure that technological
advancements do not come at the expense of fundamental human rights and freedoms.
86

73. Ahmed, Shazeeda (1 May 2019). “The Messy Truth About Social Credit”. Logic magazine.

74.Hornby, Lucy. “China changes track on ‘social credit scheme plan “ Financial Times. 5 July 2017.
Retrieved 14 July 2017

Impact on Civil Liberties of Government Access to Personal Data

Government access to personal data has a significant impact on civil liberties, raising
concerns about privacy, freedom, and the potential abuse of power. This impact is
exemplified in various cases worldwide. Governments globally are in efforts to ensure
national security, law enforcement, and public safety, thus increasingly seeking access to vast
amounts of personal data produced through individuals' daily interaction with technology.
This data includes communications, financial transactions, location details, and internet
browsing habits, offering a detailed and intimate picture of an individual day to day life.
Various critics have from time to time expressed deep concerns regarding the impact of such
surveillance on civil liberties and privacy rights. Historically balancing state security and
personal privacy has been a delicate challenge. However, the rise in technological
development has significantly increased the volume and detail of personal data, raising the
stakes significantly. Governments now possess unprecedented abilities to monitor and
analyze individuals’ behavior and interactions, necessitating a re-evaluation of the existing
legal and ethical framework that governs state surveillance. Several incidents like that of the
Edward Snowden disclosure revealed the extensive surveillance programs of various nations.
The infamous Pegasus spyware controversy in India has highlighted the need for
transparency and accountability in government practices. Artificial intelligence, machine
learning, and big data analytics are examples of the latest innovations that further complicate
the situation. These technologies enable the processing of vast amounts of data at
87

unprecedented speed thus facilitating more sophisticated and pervasive surveillance. The
targeted and disproportionate surveillance of certain groups can increase social inequalities
and discrimination, raising fundamental questions about justice and fairness. Here, we
explore this impact with reference to specific cases and scholarly sources:

75.Revealed: leak uncovers global abuse of cyber-surveillance weapon. The Guardian, 18 July
2021, link. Retrieved 28 July 2021.

76. "Despite the hype, iPhone security no match for NSO spyware". Washington Post. 19 July 2021. Retrieved
28 July 2021.

Privacy and Individual Autonomy:

The right to privacy is frequently violated by government access to personal data. In the case
of "Rotaru v. Romania," the European Court of Human Rights stated that privacy is a
fundamental right that is necessary for human growth and autonomy.1 When governments
engage in extensive surveillance, individuals may feel constrained in their personal and
online activities, leading to a chilling effect on their exercise of fundamental rights.

Freedom of Expression:

Freedom of expression may be restricted by government monitoring. In the "Lloyd v.

Google" case, the UN Human Rights Committee acknowledged that the right to free speech is
a fundamental component of civil liberties and is essential to the advancement of democracy
and the protection of human rights.2 When individuals are concerned that their
communications are being observed, they might not express their ideas or participate in
“ activism.
88

Right to Due Process:

The right to due process is frequently at risk in situations when the government needs access
to personal information for law enforcement. The significance of protections against unlawful
seizures and searches was highlighted by the U.S. Supreme Court in the case "Hiibel v. Sixth
”

Judicial District Court of Nevada."3 Extensive government surveillance may erode the
presumption of innocence and the right to a fair trial.

Protection Against Arbitrary Use of Power:

Government access to personal data, particularly in the absence of proper oversight and
“

transparency, can lead to the arbitrary use of power. The European Court of Human Rights
highlighted this risk in the case of "Liberty and Others v. United Kingdom," underscoring the
”

importance of safeguards against arbitrary interference with private life.

“

Safeguards and Accountability:

In the event that the government gains access to personal data, civil liberties must be
adequately protected by protection and accountability systems. In his report "The Right to
”

Privacy in the Digital Age," the UN Special Rapporteur on the right to privacy emphasized
the need for extensive legal frameworks and impartial oversight to guarantee that government
surveillance respects citizens' civil freedoms and rights to privacy.
89

Recommendations for Addressing Government Access to Personal Data

and Safeguarding Civil Liberties:

Comprehensive Data Protection Legislation:

India should enact and enforce comprehensive data protection legislation that clearly outlines
the rights of individuals regarding their personal data. This legislation should establish
stringent safeguards, consent mechanisms, and data breach notification requirements.

Data Localization Safeguards:

Data localization requirements, such as those for critical personal data, should be
implemented with a strong focus on security and oversight to prevent misuse. The
government should ensure that data stored within India is protected against unauthorized
access.

Robust Oversight Mechanisms:

Strong, independent oversight mechanisms should be established to monitor government

access to personal data. This oversight should include regular audits and transparent
reporting on the nature and extent of data access.

Transparency and Accountability:

Governments must be transparent about their data access practices and the purposes for
which personal data is collected and used. Accountability for any misuse of data should
be clearly defined, and individuals should have the right to seek redress.
90

Data Minimization and Purpose Limitation:

Governments should minimize their data collection by only collecting that which is
necessary to achieve a particular goal. The principle of purpose limitation should be
strictly enforced, ensuring that data is not used for purposes beyond what was initially
specified.

Strong Encryption Standards:

Encrypted communication should be promoted and protected to ensure the privacy and
security of individuals' digital interactions. Governments should refrain from
undermining encryption technologies.

International Cooperation:

Collaboration with other nations on data protection and surveillance issues is essential.
India should work with international partners to develop common principles and
standards for government access to data.

Public Education and Awareness:

The public should be made aware of their rights, privacy threats, and the best ways to
secure personal information through educational initiatives. Citizens who are
knowledgeable are better able to uphold their civil rights.
91

Whistleblower Protection:

Robust protection for whistleblowers who expose government data abuse or surveillance
overreach is vital. Legal frameworks should be in place to support individuals who
disclose such practices.

Periodic Review and Amendment:

Data protection laws and government access practices should be periodically reviewed
and amended to adapt to evolving technology and privacy challenges. Flexibility in the
legal framework is crucial.

Engagement with Stakeholders:

Civil society, academia, and industry experts should be actively engaged in the
formulation and review of data protection and surveillance policies to ensure a balanced
and informed approach.

Court Challenges and Legal Safeguards:

Encourage legal challenges to government access practices in cases where civil liberties
are at risk. Interpreting and upholding privacy and data protection rules should be a major
responsibility of the courts.
92

Strong International Relations:

India should work collaboratively with other nations to address transnational data issues
and ensure that individuals' data is protected in cross-border situations.

Conclusion

In the digital era, government access to personal data has emerged as a critical concern, with
profound implications for privacy, civil liberties, and individual rights. This dissertation
examined the constitutional issues raised by government access to personal data and
surveillance in India, with an emphasis on the potential effects of the DPDPA 2023.

The significant "Justice K.S. Puttaswamy (Retd.) vs Union of India" case states that the
fundamental right to privacy is essential to safeguarding life and liberty, as stipulated in the
Indian Constitution. Even with this acknowledgment, India has struggled to find a middle
ground between the necessity of maintaining national security and the rights of individuals to
privacy protection.
93

The DPDPA 2023 represents a significant step forward in addressing these concerns.
However, this legislation also brings to light several challenges and areas of debate. The Act's
provisions for data localization, especially for critical personal data, are a unique attempt to
safeguard sensitive information. Still, questions remain about the potential implications for
data security and international data flows.

The Act's approach to government access to personal data has been analyzed, and the need
for robust oversight, transparency, and accountability has been emphasized. The dissertation
has also discussed the international context, comparing data protection laws from around the
world and highlighting the need for cooperation on this global issue.

Through case studies and legal analyses, the impact of government access to personal data on
civil liberties, privacy, and freedom of expression has been elucidated. It is evident that
governments must adopt a rights-based approach to data access, ensuring that safeguards,
consent mechanisms, and accountability measures are in place to protect individuals' rights.

In conclusion, the digital age presents both opportunities and challenges for the protection of
civil liberties. Government access to personal data must be carefully regulated to avoid
encroachment on privacy and individual rights. The DPDPA 2023, and similar legislation
worldwide, serve as a critical framework for achieving this balance. As technology continues
to evolve, the protection of civil liberties in the digital era remains an ongoing and dynamic
process, demanding vigilance, adaptability, and a commitment to upholding the principles of
democracy and individual freedoms.

Bibliography

Statutes:

1. The Digital Personal Data Protection Act, 2023

Provides a comprehensive framework for data protection in India.Establishes a

Data Protection Authority (DPA) to oversee compliance. Emphasizes the
importance of obtaining consent before processing personal data. Includes
provisions for cross-border data transfer and data localization.
94

2. Article 21 of the Indian Constitution

Protects the right to life and personal liberty, which has been interpreted to
include the right to privacy. Key judgments include Justice K.S. Puttaswamy vs
Union of India case.Significant for understanding privacy as a fundamental
right .

3.Article 19(1)(a) of the Indian Constitution

Ensures freedom of speech and expression, impacting digital privacy and data
protection.Relevant for discussions on the balance between free expression and
privacy in the digital age .

4. Article 12 of the Indian Constitution

Defines "State" and extends the obligation to protect fundamental rights to both
government agencies and certain private entities.Important for privacy
considerations involving non-governmental organizations that handle personal
data .

Websites:

1. Press Information Bureau (PIB)-https://www.pib.gov.in/

2. Ministry of Electronics and Information Technology- (MeitY)

https://www.meity.gov.in/

3. Legal Service India-https://www.legalserviceindia.com/

Books:
95

1. Mamta Rao, Constitutional Law Edition V, AHL Publication,2023

2. M.P. Jain, Indian Constitutional Law, Edition VII, Allahabad Publication

House,2023

3. V.N. Shukla, Constitution of India, Edition IV, 2022

4. Justice K.S. Puttaswamy (Retd.) vs Union of India (2017) Judgment 2017 10

SCC 1

References

1. Solove, Daniel J. "Understanding Privacy." Harvard University Press, 2008.

2. Greenwald, Glenn. "No Place to Hide: Edward Snowden, the NSA, and the U.S.
Surveillance State." Metropolitan Books, 2014.

3. Kuner, Christopher. "Transborder Data Flows and Data Privacy Law." Oxford
University Press, 2013.

4. Swire, Peter P. "The System of Foreign Intelligence Surveillance Law." Harvard Law
Review, Vol. 72, No. 4, 2009.

5. Ohm, Paul. "The Fourth Amendment in a World without Privacy." Mississippi Law
Journal, Vol. 81, No. 5, 2012.

6. Walden, Ian, and John Angel. "Privacy and Data Protection in the Cloud: The Cloud
Privacy Paradox and the Illusion of Control." International Data Privacy Law, Vol. 2,
No. 2, 2012.

7. United Nations General Assembly. "The Right to Privacy in the Digital Age." Report
of the United Nations High Commissioner for Human Rights, A/HRC/27/37, 2014.

8. Government of India. "The Digital Personal Data Protection Act 2023."

96

9. European Court of Human Rights. "Rotaru v. Romania," Application no. 28341/95,

Judgment, 2000.

10. U.S. Supreme Court. "Justice K.S. Puttaswamy (Retd.) vs Union of India," 2017.

11. U.S. Supreme Court. "Hiibel v. Sixth Judicial District Court of Nevada," 2004.

12. European Court of Human Rights. "Liberty and Others v. United Kingdom,"
Application nos. 58243/00, 59520/00, 59696/00, Judgment, 2008.

13. Electronic Frontier Foundation (EFF). "Surveillance Self-Defense." https://ssd.eff.org/

14. Privacy International. "Understanding Privacy."

https://privacyinternational.org/learn/understanding-privacy

15. The Guardian. "Edward Snowden: The Whistleblower behind the NSA Surveillance
Revelations." https://www.theguardian.com/world/2013/jun/09/edward-snowden-nsa-
whistleblower-surveillance

16. Wikipedia.org ‘Privacy’

17. Right “to Privacy: Court in Review Supreme Court” Observer

18. Right to Privacy: Court in Review Supreme Court Observer

19. 1963 AIR 1295

20. 1975 AIR 1378

21. AIR 2017 SC 4161

22. Personal “Data Protection Bill can turn India into ‘Orwellian State’ Justice BN
Srikrishna The Economic” Times 31 January 2020.

23. “The Digital Personal Data Protection Bill, 2023” PRS Legislative Research.
Retrieved 2024-01-08

24. “Government to launch ‘Netra’ for internet surveillance” The Economic Times. 16
December 2013. Retrieved 16 December 2013

25. “Government to launch internet spy system ‘Netra’ soon” The “Times of India 7
January 2014. Retrieved 7 January” 2014
97

26. “India Sets Up Domestic PRISM -Like Cyber surveillance?” The “Diplomat 10 June
2013 Retrieved 24 November 2014

27. Right to Privacy A.G Noorani Economic and Political Weekly, Vol . 40”, No. 9 (Feb.
26- Mar . 4, 2005 ), p. 802

28. Data “Privacy Legislation in Focus: A Deep Dive into India’s DPDP Act & EU’s
GDPR By” Anas

29. Data privacy law an international perspective by LEE A. BYGRAVE

30. Data privacy law an international perspective by LEE A. BYGRAVE

31. Sharma, “S.K., PRIVACY LAW A COMPARATIVE STUDY, Atlantic Publishers

and” Distributors

32. Data privacy law an international perspective by LEE A. BYGRAVE

33. Constitutional law Dr Mamta Rao pg 222 first edition , 2013

34. Commentary on Constitution of India Durga Das Basu

35. Constitutional law Dr Mamta Rao pg 170 first edition , 2013

36. Constitutional law Dr Mamta Rao pg 103 first edition , 2013

37. Constitutional law Dr Mamta Rao pg 104 first edition , 2013

38. Constitutional law Dr Mamta Rao pg 301 first edition , 2013

39. Constitutional law Dr Mamta Rao pg 83 first edition , 2013

40. Stone, “Textbook on Civil Liberties and Human Rights”, P.338

41. Commentary on Constitution of India Durga Das Basu

42. Commentary on Constitution of India Durga Das Basu

43. Commentary on Constitution of India Durga Das Basu

44. (2017) 10 SCC 1

45. AIR 1963 SC 1295 Kharaksingh

46. AIR 1975 SC 1378 Govind

98

47. Beghar “Foundation v Justice K.S. Puttuswamy (Ret’d) WP” 494/2012

48. LAWS (P&H)-2006-5-243

49. Constitutional law Dr Mamta Rao pg 222 first edition , 2013 Repeated

50. Constitutional law Dr Mamta Rao pg 215 first edition , 2013 Repeated

51. Constitutional law Dr Mamta Rao pg 222 first edition , 2013 repeated

52. Constitutional law Dr Mamta Rao pg 83 first edition , 2013

53. pib.gov.in Salient Features of Digital Personal data Protection bill

54. Digital “Personal Data Protection Act”, 2023 section 2(n)

55. Digital Personal Data Protection Act, 2023 Section 16(1)

56. Digilaw. in DPDP Act 2023 Key Features

57. Gdpr. eu what is GDPR, the EU’s new data protection law?

58. Priv.gc.ca PIPEDA legislation and related regulations

59. Oaic.gov.au The Privacy Act

60. Legislation.gov.uk Data Protection Act 2018

61. app law LGPD Brazilian General data protection Law

62. Thales group. Com Beyond GDPR: DATA PROTECTION AROUND THE WORLD

63. "Forget NSA, India's Centre for Development of Telematics is one of top 3 worst
online spies". India Today. 12 March 2014. Retrieved 26 August 2014.

64. "Govt to launch internet spy system 'Netra' soon". The Times of India. 7 January
2014. Retrieved 7 January 2014.

65. Singh, Dalip (27 April 2023). "Close watch. NATGRID to turn lens on digital print of
people, firms". Business Line. Retrieved 2023-04-30.

66. Aadhaar (Targeted Delivery of Financial and other subsidies, benefits and services)
Act, 2016

67. "India gets ready to roll out cyber snooping agency". The Hindu. 10 June 2013.
Retrieved 24 November 2014.
99

68. Critical Assessment of Information Technology Act 2000 by Gaurav Saluja

69. “Government adopts UPA’S Aadhaar Bill” Business standard 7 March 2016.
retrieved 11 March 2016

70. Aadhaar (Targeted Delivery of Financial and other subsidies, benefits and services)
Act, 2016

71. Aadhaar (Targeted Delivery of Financial and other subsidies, benefits, and services)
Act, 2016

72. "The Curious Case of Aadhaar". Anupamtimes. 26 June 2017. Retrieved 6 July 2017.

73. Supreme Court Observer Constitutionality of Adhaar Act

74. A CRITIQUE OF THE AADHAAR LEGAL FRAMEWORK Vrinda Bhandari,

Renuka Sane ,National Law School of India Review, Vol. 31, No. 1 (2019), pp. 72-97

75. “Factbox: History of mass surveillance in the United States”. Reuters 7 June 2013.
Retrieved 14 August 2013

76. Ahmed, Shazeeda (1 May 2019). “The Messy Truth About Social Credit”. Logic
magazine.

77. Hornby, Lucy. “China changes track on ‘social credit scheme plan “ Financial Times.
5 July 2017. Retrieved 14 July 2017

78. "Revealed: leak uncovers global abuse of cyber-surveillance weapon". the Guardian.
18 July 2021. Retrieved 28 July 2021.

79. "Despite the hype, iPhone security no match for NSO spyware". Washington Post. 19
July 2021. Retrieved 28 July 2021
100