Legal Information / Articles


The rapid growth of information technology and Internet has a transformative effect on society as it has completely changed the communication patterns. With the advancement of technology, privacy and personal data laws are constantly under threat in cyberspace because the scope of privacy has been untouched and to provide complete protection to information it is necessary cover it. In 2017 Supreme Court of India issued a major decision defining the right to privacy as a fundamental right under the framework of our Constitution. Article 21 safeguards the right to privacy and promotes individual dignity. In India there is no separate and comprehensive privacy law. Data protection consists of a technical framework of security measures meant to ensure that data is handled in a way that protects them from malicious uses. The Information Technology Act, which went into effect in 2000, is the only Act to date that, while not entirely comprehensive, addresses the major issues relating to data protection. 
There is conflict between right to privacy and data protection. These competing interests in information should be the main goal of data protection. Furthermore, the privacy rights of people and organizations should be maintained so that their data is not misused.
In 2017 Supreme Court of India delivered a landmark judgment defining the right to privacy as a fundamental right under the framework of our Constitution. Article 21 safeguards the right to privacy and promotes individual dignity. In India, there is no separate and comprehensive privacy law. 

In India, a protection law is currently in its fourth iteration. The Personal Data Protection Bill, 2018, is the first version of the bill. The Personal Data Protection Bill, 2019 was introduced by the government after amendments were made to the draft. The bill is intended to lay out the procedures and guidelines for data collecting for businesses as well as the rights and obligations of citizens. This updated bill on personal data protection proposes a significant rise in penalties up to 500 crore and also relaxed regulations on cross-border data transfers. This amended draft is known as Digital Personal Data Protection Bill, 2022. The main issues include decreased integrity of the proposed Data Protection Board and broad exemptions granted to the Centre and its agencies with minimal to no protections. The fact that the new Bill comprises only 30 provisions as opposed to the more than 90 in the previous one is also noteworthy, primarily because many practical details have been assigned to later regulation. The Data Protection Board is currently a central government-established board, whereas the Data Protection Entity was previously intended to be a statutory authority (under the 2019 Bill). 
The bill is based on seven principles - 
Organizations must use personal data in a way that is legal, fair to the individuals involved, and transparent to individuals.
Personal data must be used for the purpose for which it is collected.
Processing of personal data must be sufficient, pertinent, and restricted to what is required in light of the objectives for which it is being done.
Personal information must be accurate, maintained up to date, all reasonable measures must be made to ensure that inaccurate personal information is immediately deleted or corrected.
Data collected can not be stored perpetually by default, and storage should be limited to a fixed duration.
There should be reasonable safeguards to ensure there is no unauthorised collection or processing of personal data.
A person should be held accountable for whatever purpose and methods are used to process personal data. 

Two crucial rights for data principals are absent from the Data Protection Bill 2022. The first is the right of data portability.   The right to data portability provided data subjects access to all of their personal information that they had given the data fiduciary as well as any information that was created about them as a result of processing it for the performance of the data fiduciary's services. This increased consumer welfare by empowering data principals to select from a variety of platforms and promoting competition among data fiduciaries.

Private data protection is not specifically governed by any laws or provisions in India. The Supreme Court has, however, recognized that the idea of privacy will change and advance throughout time. Further, Digital Personal Data Protection Bill, 2022 which have been recently framed are a step in the right direction but its implementation is still not clear and thus they remain obscure. However they provide adequate safeguards with respect to sensitive personal data or information which has paved the way for a stronger data privacy regime. Although a person can remain somewhat anonymous online, every time they access the internet, they always leave behind traces of their digital footprints. If users are to respect and value privacy as much as possible, they must also recognise the need for self-control and responsibility in their online behaviour. However, hackers who are skilled at misusing data that is kept or sent in cyberspace are constantly attacking the online world. Every website must also contain a privacy statement that makes it clear what information is being gathered, how it might be used by the organization, and how it will not be abused in any way, whether for profit or otherwise. To address valid concerns, a comprehensive legal framework addressing privacy both generally as well as online is necessary. 

Written by:
Ms. Kashish Shah 
M/s Aura & Co. 
Date: 28.12.2022