Introduction

"Data protection and privacy have emerged as a concern in India due to wide-scale digitalization and internet usage in day-to-day life. People will willingly share their personal data with government organizations, corporations, social networks, banks, and internet service providers. The mass collection and processing of personal data has raised concerns about data misuse, unauthorized surveillance, hacking, profiling, and breaches. Personal data has monetary value in a digital society, giving rise to data exploitation, resulting in a need for personal data protection for safe internet interactions."

Privacy is also closely related to human dignity, autonomy, and the free development of personality, which makes it very significant under the Constitution. In contrast to international law, privacy was developed as an aspect of Indian law through judicial pronouncement over the years before being accorded a fundamental right under Article 21 of the Indian Constitution. By contrast, there do exist legitimate concerns for the Indian State with regard to matters such as its security, state security, or economic development, which may make it obliged to access data. The passing of an exhaustive data protection law is an attempt to carefully weigh, on the scale of justice, privacy concerns/interests vis-a-vis larger societal concerns by developing data protection law as an aid to its digital economy.

Definition / Relevant Legal Framework

“The right to privacy is also guaranteed by the Indian Constitution as a right guaranteed by Article 21, which provides that no person can be deprived of their life and personal liberty except according to a procedure established by law.” Justice K.S. Puttaswamy & Ors. v. Union of India, 2017, is a historic verdict by the Supreme Court, in which the Court stated that “Life, liberty, and dignity are inextricably linked with privacy; without privacy, these concepts are hollow in the digital age in which we live today, where intrusive technologies are becoming inevitably interconnected.”

In its decision on Puttaswamy, the Supreme Court greatly enlarged the concept of privacy by declaring informational privacy to be an integrally related aspect of privacy. Informational privacy pertains to the protection of personal data submitted to the state or private individuals during routine daily transactions. The Supreme Court's decision states that because modern technology allows for the easy collection, storage, or abuse of privacy, there must also be formal protection under the law. In its decision, it also formulated that for an impairment of privacy to be constitutional, there must also be fulfillment of three elements: legality, referring to the existence of law; necessity, referring to a state's purpose; and proportionality, referring to an equal weighting of purpose and limit.

In the given scenario, data protection is considered a legal regime that regulates the processing, storage, use, and disclosure of personal data by both the State and private parties. This legal regime is regulated through the Digital Personal Data Protection Act, 2023. The The act defines "personal data" as any data about an identifiable individual. This Act casts obligations on data fiduciaries to process data in a lawful, fair, and safe manner but also includes several rights for the data principals, such as consent, access, rectification, and grievance redressal. However, the Act also provides for the use of data for lawful purposes, such as governance and public interest.

Illustration / Example

Let's consider a scenario where a person uses a mobile app to order products online and submits his personal info, like his name, mobile number, address, and bank details, to complete his purchase. He provides this personal info to a company with which he creates an online account to buy products and pay for his orders. But when a company gathers this information and uses it for promotional activities or passes it on to third-party members without properly informing a person or getting consent from him, his privacy is violated.

Under data protection laws, personal data shall be collected for a lawful and specified purpose. Free, informed, and clear consent from the user should be obtained. The data should be stored securely and protected against unauthorized access or misuse. Leakage of the data, misuse, and unlawful processing entitle the victim to complain through the grievance redressal mechanism under the respective law. The above example accurately depicts how data protection rules work around the daily digital lives of individuals to protect them from the unauthorized or incorrect use of their information.

Case Law

The most significant decision regarding the right to privacy in Indian law is Justice K.S. The case of Justice K.S. Puttaswamy (Retd.) vs. Union of India occurred in 2017. Puttaswamy (Retd.) vs. Union of India took place in 2017. In this case, the Supreme Court was made up of nine judges, and they all agreed that privacy is a basic right protected by Article 21 and other parts of Part III of the Indian Constitution. Additionally, the Court recognized three important areas of privacy: "bodily privacy, which protects a person's physical well-being; informational privacy, which safeguards personal information; and decisional liberty, which allows individuals to make personal choices without unfair interference from the government." Moreover, the Court clarified that any limitation placed on the right to privacy is necessary to meet the principles of legality, necessity, and proportionality. This case constituted the first step in determining the data protection statute in India from a constitutional perspective.

Another landmark case is People's Union for Civil Liberties (PUCL) v. Union of India, where the Supreme Court, in 1997, acknowledged the right to privacy in terms of telephone tapping. The Court held that telephonic conversation is a part of one's private life and cannot be permitted to be intercepted arbitrarily. The Court ruled that Article 21 requires a fair, just, and reasonable procedure for interception of communications. The judgment clarified that procedural safeguards are necessary to ensure that powers of surveillance by the state are not abused. The said case brought into focus the protection of personal communication and laid early grounds for the protection of privacy in India.

Practical Application

The effect of data protection laws is quite direct, and they have a substantial impact on the workings of government bodies, businesses, and other organizations that handle personal data. Organisations, such as banks, telecommunications service providers, hospitals, educational institutions, e-commerce businesses, and social media platforms, accumulate a vast amount of personal data. Organizations are compelled to comply with fundamental principles of data protection law, some of which include obtaining personal data solely for a particular, lawful, and predefined purpose. The data obtained by these bodies has to be restricted to what is absolutely necessary and cannot be excessive.

One of the essential elements in the context of personal data protection is the need to obtain the free consent of natural individuals whose personal data is being collected. Organizations need to provide specific information to the users regarding the intention behind collecting personal data, the kind of personal data that is being processed, and the way that the data shall be treated or transmitted. At the same time, the implementation of appropriate technical and organizational security measures by concerned bodies is essential to safeguarding personal data against any unauthorized physical or technical access.

The act also provides significant rights to data principals for safeguarding their personal data. The rights include the right to access and obtain confirmation about one’s personal data, the right to rectify any incorrect or incomplete personal data, and the right to erasure of personal data, or the right to be forgotten, in certain lawful situations. The grievance redressal mechanism provides an opportunity for individuals to lodge grievances about the misuse of their data. The act also exempts significant state activities like law and order, security, and research. The act maintains a balance between an individual's right to privacy and administrative purposes.

Conclusion / Summary

The protection of personal data and the idea of privacy in India have evolved from being implicit within the structure of their constitution to becoming fully identified as a legal right that can be protected. The identification of privacy as a basic right protected by Article 21 of the Indian Constitution has given individuals adequate protection from the misuse of personal information. The development of the Indian Constitution in this area has enabled the Indian government to enact adequate laws that protect personal data. The emergence of digital platforms in all walks of life has made personal data protection compulsory.

Therefore, the Digital Personal Data Protection Act, 2023, marks an important landmark in this regard in dealing with the collection and processing of data in the digital age. Although The enacted law has established a plan for rights, liabilities, and punishments. Much depends upon its effective implementation in terms of capacity building. With the dynamic pace of technological advancements continually presenting new challenges regarding privacy, the proposed law must evolve accordingly. A balanced dynamic legal structure in relation to data protection is also required to make data protection itself capable of dealing with the future imperatives of dignity, autonomy, and liberty.

References

1. Justice K.S. Puttaswamy (Retd.) & Ors. v. Union of India, (2017), 10 SCC 1 (India).

2. People's Union for Civil Liberties (PUCL) v. Union of India, AIR 1997 SC 568 (1997), 1 SCC 301 (India).

3. The Constitution of India, art. 21.

4. The Digital Personal Data Protection Act, 2023, No. 22 of 2023, Acts of Parliament, India.

5. The Ministry of Electronics and Information Technology, Government of India, published "Digital Personal Data Protection Act, 2023 – An Overview" in 2023.

6. B.N. Srikrishna, A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians, Report of the Committee of Experts on Data Protection Framework for India (2018).

7. The Supreme Court of India issued a nine-judge bench decision on the right to privacy, as documented in Supreme Court Cases (SCC) Online (2017).

Disclaimer: This article is published for educational and informational purposes only and does not constitute legal advice, legal opinion, or professional counsel. It does not create a lawyer–client relationship. All views and opinions expressed are solely those of the author and represent their independent analysis. ClearLaw.online does not endorse, verify, or assume responsibility for the author’s views or conclusions. While editorial standards are maintained, ClearLaw.online, the author, and the publisher disclaim all liability for any errors, omissions, or consequences arising from reliance on this content. Readers are advised to consult a qualified legal professional before acting on any information herein. Use of this article is at the reader’s own risk.