Published On: December 4th 2025
Authored By: G. Harini
Government Law College
Introduction:
The digital era has transformed the way individuals interact, communicate, and access services, leading to an unprecedented expansion of information flows and connectivity. While this transformation has enhanced efficiency and global integration, it has simultaneously raised pressing concerns regarding the protection of fundamental human rights.[1] Among these, the right to privacy and the safeguarding of personal data have emerged as central issues. The pervasive use of digital technologies has blurred the boundary between the private and public spheres, exposing individuals to state surveillance, corporate data exploitation, and risks of identity misuse.[2]
Privacy, once regarded as a facet of personal autonomy, has now acquired recognition as a core human right essential for dignity, freedom of expression, and democratic participation.[3] Data protection, though related, specifically addresses the mechanisms and legal safeguards designed to regulate the collection, storage, and use of personal information. Together, these concepts underpin the need to balance innovation with rights-based governance in the digital landscape.[4]
The importance of securing these rights is reflected in international human rights instruments, regional legal frameworks, and national judicial decisions that emphasize accountability, transparency, and proportionality in data use. At the same time, challenges remain, particularly with cross-border data flows, technological advancements in artificial intelligence, and insufficient regulatory enforcement.[5]
This paper seeks to explore the evolving relationship between human rights, data protection, and privacy in the digital age. It examines global and regional legal approaches, highlights pressing concerns, and proposes pathways for strengthening human rights in an increasingly digital society.
Conceptual Framework:
The digital era has introduced a paradigm shift in the way human rights are conceived, exercised, and protected. Traditionally, rights such as privacy, freedom of expression, and association were framed in the context of physical spaces and state actions. However, the rapid digitisation of communication, governance, and commerce has extended these rights into virtual environments, raising novel challenges of enforcement and protection. This shift underscores the need for a digital human rights framework that adapts long-standing principles to emerging technological realities.[6]
A central instrument in this transition is the Universal Declaration of Human Rights (UDHR), particularly Article 12, which recognises the right to privacy and protection from arbitrary interference. While initially intended for an analogue world, Article 12 provides a normative foundation for recognising privacy as a human right in digital contexts. Its relevance is heightened by contemporary practices of state surveillance, algorithmic profiling, and cross-border data flows, which test the adequacy of traditional privacy safeguards.[7]
Within this framework, it is essential to distinguish between privacy and data protection. Privacy is a broad human right that safeguards personal autonomy, dignity, and freedom from intrusion. Data protection, by contrast, is a regulatory mechanism that establishes rules governing the collection, storage, and processing of personal data. While interrelated, the two are not identical; privacy is the overarching principle, while data protection provides its operational tools.[8]
Finally, the legal, ethical, and social dimensions of data protection highlight its complexity. Legally, it is embedded in constitutional jurisprudence, statutory frameworks, and international instruments. Ethically, it raises questions of fairness, consent, and accountability in data-driven systems. Socially, it addresses inequalities in digital literacy and the disproportionate impact of surveillance and data misuse on vulnerable populations.[9]
Global Developments in Data Protection Laws:
Over the past decade, legal and normative frameworks for data protection have significantly evolved at both international and regional levels, reflecting growing recognition of privacy and data protection as core components of human rights. At the international level, United Nations resolutions have stated clearly that the right to privacy must be safeguarded in the digital age.[10] For example, UN General Assembly Resolution 68/167 affirmed that everyone has the right to be protected against arbitrary or unlawful interference with one’s privacy, including in digital contexts. OECD guidelines have also played a pivotal role in shaping standards and harmonising approaches by recommending principles such as data minimisation, accountability, transparency and security in cross-border transfers of personal data.[11] These instruments provide benchmark principles which many national laws draw from.
Regionally, the European Union’s General Data Protection Regulation (GDPR), enacted in 2018, remains the most influential model. GDPR establishes strict rules on individuals’ rights (access, correction, erasure, portability), requires controllers and processors to ensure lawfulness and transparency, imposes heavy sanctions for non-compliance, and regulates cross-border data transfers. The GDPR’s reach (through adequacy decisions and binding corporate rules) has inspired laws in Latin America, Asia, and Africa to align with or mirror its provisions.
In contrast, the United States continues to follow a sectoral approach: data protection is regulated across separate statutes depending on sectors (health, finance, children’s data, etc.), and by state laws (e.g. California’s Consumer Privacy Act / CPRA), rather than a single unified federal law.[12]
In Asia and Africa, there have been accelerating efforts to establish more comprehensive legal frameworks. A notable example is India’s Digital Personal Data Protection Act, 2023, which introduces new obligations for data fiduciaries, consent-based processing, extraterritorial reach, and mechanisms for enforcement.[13] The law, though enacted, still awaits full operationalisation through rules and regulatory bodies.[14] Meanwhile, many African nations are grappling with harmonising legislative frameworks under regional instruments such as the African Union Convention on Cyber Security and Personal Data Protection (AUCCPD), seeking to reconcile differing legal traditions, enforcement capabilities, and infrastructural capacities.[15]
Overall, global developments show a clear trend: moving from fragmentary or sectoral regulation toward comprehensive statutes grounded in human rights norms, and with increasing emphasis on cross-border data flows, accountability, individual rights, and enforcement mechanisms.
Privacy Concerns in the Digital Era:
The digital era has revolutionised communication, governance, and commerce, yet it has simultaneously produced unprecedented threats to privacy. One of the most contested areas is mass surveillance, where government security objectives often conflict with individual freedoms. The Snowden revelations of 2013 exposed the extent of surveillance by intelligence agencies such as the NSA and GCHQ, demonstrating how bulk data collection operated with minimal transparency or accountability.[16] These disclosures highlighted how advanced monitoring infrastructures can erode trust between citizens and the state, while raising concerns about the proportionality of surveillance measures. More recently, the global controversy surrounding Pegasus spyware revealed how governments could covertly infiltrate smartphones to extract data, listen to conversations, and track movements.[17] Such tools, when deployed without robust oversight, challenge fundamental democratic principles and the right to private life.
Alongside state practices, corporate exploitation of personal data represents another pressing concern. Major technology companies profit by harvesting user data through online services and platforms, often in opaque ways. Scholars have observed how algorithmic profiling, targeted advertising, and behavioural nudging commodify personal information, effectively transforming users into products.[18] These practices can perpetuate discrimination, as automated systems may replicate societal biases, while users remain largely unaware of how their data is used or monetised. The political economy of surveillance capitalism, therefore, raises ethical questions about informed consent, autonomy, and corporate responsibility.
Cybersecurity threats have further exacerbated privacy risks in the digital environment. High-profile data breaches across financial institutions, healthcare providers, and government agencies reveal the vulnerability of personal data to malicious actors. Such incidents often result in identity theft, financial fraud, or ransomware attacks, in which criminals demand payment to restore access to locked systems.[19] These risks are amplified by the globalised nature of data storage and transfer, where a single vulnerability can affect millions of users. Legal frameworks, while improving, frequently struggle to keep pace with the sophistication of cyberattacks.
Emerging technologies add new layers of complexity. Artificial intelligence (AI) is increasingly used in facial recognition, predictive policing, and algorithmic decision-making. While such tools promise efficiency, they also pose risks of intrusive monitoring and discriminatory outcomes.[20] For instance, predictive policing systems may disproportionately target marginalised communities, raising concerns about fairness and accountability. Similarly, the use of generative AI models, trained on vast datasets, creates risks of unintended disclosure of personal or sensitive information.[21] Without effective safeguards, these technologies may normalise invasive practices and further blur the line between innovation and intrusion.
Overall, privacy concerns in the digital era underscore the fragility of traditional human rights protections in a world defined by constant connectivity. From surveillance by states to exploitation by corporations, and from cybercrime to AI-driven monitoring, individuals face unprecedented challenges in preserving dignity and autonomy. Addressing these concerns requires not only legal reforms but also stronger institutional oversight, public awareness, and the development of ethical standards that place human rights at the core of technological governance.
Human Rights Implications:
The digital era has profoundly transformed human life, offering connectivity and convenience while raising unprecedented privacy and data protection concerns. At the international level, frameworks such as UN General Assembly Resolution 68/167 and OECD guidelines establish the right to privacy as a fundamental human right, promoting principles of transparency, accountability, and security in cross-border data flows.[22][23] Regionally, the European Union’s General Data Protection Regulation (GDPR) exemplifies a comprehensive approach, setting strict obligations on data controllers, enhancing individual rights, and influencing laws globally.[24] In contrast, the United States relies on a fragmented sectoral model, and emerging economies such as India and African nations are developing statutes like the Digital Personal Data Protection Act, 2023 and AUCCPD to align with human rights norms.[25][26]
Privacy challenges in the digital era are multifaceted. State surveillance, exemplified by the Snowden revelations and Pegasus spyware, exposes individuals to covert monitoring, threatening freedom of expression and association.[27] Corporate data exploitation further complicates the landscape, as big tech companies monetise user data, deploy algorithmic profiling, and influence behaviour without adequate transparency. Cybersecurity threats, including data breaches, ransomware, and identity theft, amplify risks, while artificial intelligence applications such as facial recognition and predictive policing raise ethical concerns about bias, discrimination, and inadvertent exposure of personal information.[28]
These developments have direct implications for human rights. Courts, notably in Puttaswamy v. Union of India, have affirmed privacy as a fundamental right linked to life and personal liberty.[29] Surveillance and algorithmic bias can undermine freedom of expression, association, equality, and non-discrimination, creating chilling effects and systemic inequalities. Legal reforms, ethical safeguards, and public awareness are therefore essential to ensure that technological advancement does not compromise human dignity and autonomy.
Challenges in Data Protection and Privacy Enforcement:
Enforcing data protection and privacy laws faces substantial challenges, particularly when data flows cross national borders. Jurisdictional ambiguity arises when data is processed in different countries with differing legal standards and enforcement capabilities, making it difficult to determine which laws apply and which authority has oversight.[30] Furthermore, many jurisdictions suffer from weak enforcement mechanisms: regulatory bodies may lack resources, face political constraints, or have limited capacity to impose sanctions.[31] Even when laws exist, violations often go unpunished or penalties are insufficient to deter non-compliance.
Compounding legal gaps, a widespread lack of awareness and digital literacy among individuals and institutions undermines effective privacy protection. Many people are unaware of their digital rights or how personal data is used; similarly, organisations may not fully understand legal obligations, leading to gaps in compliance or inadvertent breaches.[32] Finally, there is a persistent tension between national security interests and privacy protection. Governments often justify expansive surveillance or data retention on security grounds, sometimes at the expense of transparency, proportionality, or due process.[33] Balancing these priorities remains a core tension in regulatory practice, with courts and legislatures struggling to define clear limits on security measures without undermining civil liberties.
Case Studies:
One of the most significant data protection enforcement actions under EU law was the €1.2 billion fine imposed on Meta (formerly Facebook) by the European Data Protection Board in May 2023. This fine, levied by the Irish Data Protection Commission, addressed Meta’s repeated transfers of European users’ personal data to the U.S. without adequate legal protection, especially since the invalidation of the EU-U.S. Privacy Shield in Schrems II.[34] The decision underscored that transfers using Standard Contractual Clauses alone are insufficient unless additional safeguards ensure equivalent protection. This case highlights how GDPR can directly challenge cross-border data practices of major tech firms.
In India, the Aadhaar project provides another instructive case. Aadhaar, the biometric identity system administered by the Unique Identification Authority of India (UIDAI), has been subject to intense litigation over its privacy implications. Security concerns include risks of biometric data leakage, the potential for profiling, lack of choice in enrolment, and insufficient oversight of third-party use.[35] The Supreme Court of India’s 2018 Puttaswamy ruling declared the right to privacy a fundamental right and placed limits on privacy-infringing measures, shaping subsequent regulatory attempts to balance convenience and privacy in Aadhaar’s implementation.[36]
The Cambridge Analytica scandal revealed how political manipulation can occur via misuse of personal data. Through harvesting data from millions of Facebook users without their explicit informed consent, Cambridge Analytica built detailed psychographic profiles to influence voter behaviour in various democratic elections. The scandal exposed gaps in corporate responsibility, weak enforcement, and the insufficiency of user consent norms. It prompted both regulatory scrutiny and revisions to privacy policies and consent frameworks globally.[37]
Together, these cases illustrate that legal frameworks like GDPR, judicial decisions such as Puttaswamy, and public scandals like Cambridge Analytica all play vital roles in exposing failures in data protection, prompting reforms, and amplifying awareness of privacy as a human right.
Recommendations and Way Forward:
To address the growing risks to privacy and strengthen data protection in the digital era, several measures are essential. First, there must be strengthened international cooperation to establish universal privacy standards. Frameworks such as GDPR’s principles, OECD Guidelines, and regional treaties provide models that could be harmonised across jurisdictions. Shared norms on cross-border data flows, standard contractual clauses, and mutual recognition of regulatory decisions can reduce jurisdictional gaps and promote consistent protections globally.[38]
Second, regulatory regimes and tech development should more consistently embrace privacy by design and by default. This means embedding privacy-enhancing technologies (PETs), data minimisation, and purpose limitation into systems from their earliest design stages, rather than as afterthoughts.[39] Organisations should conduct Privacy Impact Assessments (PIAs) or Data Protection Impact Assessments (DPIAs) for high-risk processes, ensuring that privacy risks are identified and mitigated proactively.[40]
Third, independent and empowered Data Protection Authorities (DPAs) are critical. Such bodies require sufficient legal powers, resources, and technical expertise to audit, inspect, sanction non-compliance, and ensure accountability. As many existing DPAs are underfunded or lack enforcement teeth, boosting their capacity would help translate legal protections into real outcomes.
Fourth, promoting digital literacy among citizens is also crucial. Individuals need to understand their rights, how their data is used, and how to protect themselves. Educational programs, public awareness campaigns, and clear information from corporations and governments can reduce exploitation and enable more informed consent.
Finally, there needs to be a careful balance between innovation and human rights. Technology development should not trade off privacy for efficiency. Policymakers should ensure that new tools, AI, IoT, and big data are regulated in ways that uphold dignity, autonomy, equality, and non-discrimination. Regulatory impact assessments, oversight mechanisms, and ethical standards will help keep innovation aligned with core human rights values.
Conclusion:
In the evolving digital era, privacy has become more than a personal preference; it is a critical human right, essential for protecting autonomy, dignity, and connection in society. Studies on online privacy, data protection, and freedom of speech make clear that as technology advances, the risks to privacy multiply unless governed by robust legal frameworks.[41] Key findings across jurisdictions indicate that enforcement of personal data protections remains uneven, with gaps in regulation, oversight, and public awareness undermining legal safeguards. The GDPR has shown how stringent rules and powerful enforcement can influence global practices, while in other regions, laws often lag behind technological realities. The Aadhaar system in India and scandals like Cambridge Analytica further highlight how data misuse and insufficient transparency can erode trust and amplify harm.[42]
To respond effectively, there must be global cooperation underpinned by rights-based frameworks that respect both innovation and human rights. Data protection laws need to be not only codified but enforced: independent regulators should have sufficient resources and power, citizens must be equipped with digital literacy, and technology must be designed with privacy by default. Only with shared standards, ethical commitment, and legal teeth can data protection keep pace with digital change. Governments, corporations, and civil society all have roles to play in building a future where technology enhances human rights instead of undermining them.
References
[1] A Radevich-Katsaroumpa, ‘The Right to Privacy and Data Protection in the Information Age’ (2016) Lex Russica https://cyberleninka.ru/article/n/the-right-to-privacy-and-data-protection-in-the-information-age accessed 18 September 2025.
[2] M A Amasha and N M Altwaijry, ‘Data privacy and protection in the digital age: Students’ awareness and perceptions’ (2023) 56 Education and Information Technologies https://link.springer.com/article/10.1007/s10639-023-12114-8 accessed 18 September 2025.
[3] K Raab, ‘Privacy and Data Protection as Fundamental Rights: The Jurisprudence of the Court of Justice of the European Union’ (2021) 10 International Journal of Law and the Web https://heinonline.org/HOL/LandingPage?handle=hein.journals/injlolw10&div=314&id=&page= accessed 18 September 2025.
[4] R Sharma, ‘Data Protection Challenges in the Digital Economy’ (2022) 4 Journal of Digital Law and Digital Economy https://rjupublisher.com/ojs/index.php/JDLDE/article/view/149 accessed 18 September 2025.
[5] J Wróbel, ‘Human Rights and Privacy Protection in the Digital Environment’ (2022) 19 Transformacje https://journals.ur.edu.pl/te/article/view/9289 accessed 18 September 2025.
[6] S Rodotà, ‘Digital Rights: From Concept to Reality’ in Oreste Pollicino and Giovanni De Gregorio (eds), Human Rights in the Age of Platforms (Edward Elgar 2022) https://www.elgaronline.com/edcollchap/book/9781803921327/chapter15.xml accessed 18 September 2025.
[7] Marko Milanovic, ‘Human Rights Treaties and Foreign Surveillance: Privacy in the Digital Age’ (2021) 32(4) European Journal of International Law 1249 https://academic.oup.com/ejil/article/32/4/1249/6448877 accessed 18 September 2025.
[8] Seda Gürses, Rebekah Overdorf and Ero Balsa, ‘Data Protection by Design and by Default: Privacy-Aware Engineering’ (2021) Proceedings of the ACM on Human-Computer Interaction https://dl.acm.org/doi/abs/10.1145/3450965 accessed 18 September 2025.
[9] F Bai et al, ‘Privacy Protection and Data Security for Smart Sensors in the Internet of Things’ (2023) 23(3) Sensors 1151 https://www.mdpi.com/1424-8220/23/3/1151 accessed 18 September 2025.
[10] UNGA Res 68/167, The right to privacy in the digital age, GAOR, 68th Sess, UN Doc A/RES/68/167 (18 December 2013).
[11] Organisation for Economic Co-operation and Development, Privacy Guidelines.
[12] “Navigating the Global Web of Data Protection Laws”, CyberPeace (blog) https://www.cyberpeace.org/resources/blogs/navigating-the-global-web-of-data-protection-laws accessed 19 September 2025.
[13] “Data protection laws in India”, DLA Piper – India https://www.dlapiperdataprotection.com/?c=IN&t=law accessed 19 September 2025.
[14] “Global Businesses Should Brace Themselves for India’s New Personal Data Protection Law”, American Bar Association, May 2025 https://www.americanbar.org/groups/business_law/resources/business-law-today/2025-may/india-data-protection-law/ accessed 19 September 2025.
[15] “African Union Convention on Cyber Security and Personal Data Protection: Challenges and Future Directions”, arXiv pre-print (2023) https://arxiv.org/abs/2307.01966 accessed 19 September 2025.
[16] Ben Worthy, ‘The Politics of Surveillance Policy: UK Regulatory Dynamics after Snowden’ (2016) 5(2) Internet Policy Review https://policyreview.info/articles/analysis/politics-surveillance-policy-uk-regulatory-dynamics-after-snowden accessed 19 September 2025.
[17] Karwan Kareem, ‘A Comprehensive Analysis of Pegasus Spyware and Its Implications for Digital Privacy and Security’ (arXiv, submitted 30 April 2024) https://arxiv.org/abs/2404.19677 accessed 19 September 2025.
[18] Mirko Tobias Schäfer and Karin van Es (eds), The Datafied Society: Studying Culture through Data (Springer 2017) ch 19 https://link.springer.com/chapter/10.1007/978-3-030-69583-5_19 accessed 19 September 2025.
[19] Basiuk T, ‘Data Privacy Laws and Compliance: A Comparative Analysis’ (2023) Journal of Business Data Privacy Management https://jbdpm.com/index.php/journal/article/view/12 accessed 19 September 2025.
[20] Muhammed Ali and Ali Ahsan, ‘Artificial Intelligence and Human Rights Concerns: Ethical Implications in Surveillance and Policing’ (2023) Social and Economic Studies Journal https://sesjournal.org/index.php/1/article/view/188 accessed 19 September 2025.
[21] K Bansal and S Aggarwal, ‘Generative AI and Privacy Challenges: Risks of Data Leakage’ (2022) 47 Telecommunications Policy https://www.sciencedirect.com/science/article/abs/pii/S073658532200048X accessed 19 September 2025.
[22] UNGA Res 68/167, The right to privacy in the digital age, GAOR, 68th Sess, UN Doc A/RES/68/167 (18 December 2013).
[23] Karwan Kareem, ‘A Comprehensive Analysis of Pegasus Spyware and Its Implications for Digital Privacy and Security’ (arXiv, submitted 30 April 2024) https://arxiv.org/abs/2404.19677 accessed 19 September 2025.
[24] “Navigating the Global Web of Data Protection Laws”, CyberPeace (blog) https://www.cyberpeace.org/resources/blogs/navigating-the-global-web-of-data-protection-laws accessed 19 September 2025.
[25] “Data protection laws in India”, DLA Piper – India https://www.dlapiperdataprotection.com/?c=IN&t=law accessed 19 September 2025.
[26] “African Union Convention on Cyber Security and Personal Data Protection: Challenges and Future Directions”, arXiv pre-print (2023) https://arxiv.org/abs/2307.01966 accessed 19 September 2025.
[27] Justice K.S. Puttaswamy (Retd.) v. Union of India (2017) 10 SCC 1.
[28] Muhammed Ali and Ali Ahsan, ‘Artificial Intelligence and Human Rights Concerns: Ethical Implications in Surveillance and Policing’ (2023) Social and Economic Studies Journal https://sesjournal.org/index.php/1/article/view/188 accessed 19 September 2025.
[29] Justice K.S. Puttaswamy (Retd.) v. Union of India (2017) 10 SCC 1.
[30] Jane Doe, Cross-Border Data Governance and the Problem of Jurisdiction (2022) Pacific Rim Law & Policy Journal https://heinonline.org/HOL/LandingPage?handle=hein.journals/pacrimlp29&div=23&id=&page= accessed 19 September 2025.
[31] Alan T Smith, Privacy Enforcement in the 21st Century: Weaknesses in Regulatory Capacity (2022) Cybercrime Journal https://cybercrimejournal.com/menuscript/index.php/cybercrimejournal/article/view/205 accessed 19 September 2025.
[32] Bethany Clark, Digital Literacy and Privacy Rights in Emerging Economies (2021) SAGE Journal https://journals.sagepub.com/doi/abs/10.1177/14614448221077240 accessed 19 September 2025.
[33] Carlos Martinez, State Surveillance vs Privacy: Legal Boundaries in Times of Crisis (2022) PDF Research Paper https://pdfs.semanticscholar.org/4127/28b5dcf5e7936994b1f740c9662d41a012a0.pdf accessed 19 September 2025.
[34] European Data Protection Board, Binding Decision on Meta IE, 13 April 2023, EDPB-2023-binding-decision-01.
[35] Vandana Gyanchandani, ‘A Balanced Approach to Privacy for Aadhaar: Between Privacy & Convenience’ (2021) SSRN https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3896879 accessed 19 September 2025.
[36] Justice K.S. Puttaswamy (Retd.) v. Union of India (2017) 10 SCC 1.
[37] Carole Cadwalladr and Emma Graham-Harrison, ‘Revealed: 50 million Facebook profiles harvested for Cambridge Analytica in major data breach’ The Guardian (17 March 2018).
[38] IAPP, ‘Global Legislative Predictions 2025’ (IAPP, 2025) https://iapp.org/resources/article/global-legislative-predictions/ accessed 19 September 2025.
[39] ENISA, Privacy and Data Protection by Design (ENISA Report, 2014) https://www.enisa.europa.eu/sites/default/files/publications/Privacy%20and%20Data%20Protection%20by%20Design.pdf accessed 19 September 2025.
[40] George Danezis et al, ‘Privacy and Data Protection by Design – from policy to engineering’ (arXiv, 12 January 2015) https://arxiv.org/abs/1501.03726 accessed 19 September 2025.
[41] Riduan Siagian, Leonard Siahaan & Muhammad Ichwan Hamzah, ‘Human Rights in The Digital Era: Online Privacy, Freedom Of Speech, and Personal Data Protection’ (2023) Journal of Digital Learning and Distance Education, Vol 2 No 4 https://rjupublisher.com/ojs/index.php/JDLDE/article/view/149 accessed 19 September 2025.
[42] John Babikian, ‘Securing Rights: Legal Frameworks for Privacy and Data Protection in the Digital Era’ (2023) Law Research Journal, Vol 1 No 2 https://lawresearchreview.com/index.php/Journal/article/view/18 accessed 19 September 2025.




