Human Rights in the Digital Era: Data Protection and Privacy Concerns

Published On: December 5th 2025

Authored By: Ankita Mishra
Banaras Hindu University

Abstract

Government officials record and monitor every click, search, transaction, and location we visit. Does this raise the question of whether human rights are at risk?

In today’s world, our personal data has become the new currency that fuels the drive of economies and steers governance. This unprecedented capacity of tracking and analyzing personal data has made it extremely difficult to protect human rights in the digital age.

Nowadays, traditional safeguards are increasingly challenged by the speed of data processing, the growth of artificial intelligence, and cross-border data circulation. Thus, the law is challenged to strike a balance between protecting individuals’ fundamental rights and, at the same time, facilitating innovation and advancements. Developments ranging from billion-euro GDPR fines to India’s Digital Personal Data Protection Act, 2023, show how laws are evolving to keep a check on how states and corporations deal with personal data.

Privacy and Data Protection as Human Rights

International instruments:

Privacy as a human right has long been embedded in international human rights law.

Some examples are as follows:

Universal Declaration of Human Rights (UDHR, 1948)

Article 12 declares: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”[1]

It was adopted after World War 2 to prevent and control state power under repressive regimes. UDHR has become customary international law and acts as a moral base.

International Covenant on Civil and Political Rights (1966), Article 17:

Article 17 protects privacy and directs the state to refrain from unlawful interference, meaning interference that lacks a legal basis or that, even if it is allowed by the law, is excessive and disproportionate.[2]

The UN Human Rights Committee (HRC) in General Comment No. 16 (1988) clarified that:

  • Legislation must be adopted to give effect to privacy rights.
  • Any interference should be reasonable and proportionate.

European Convention on Human Rights (1950), Article 8:

Everyone has the right to privacy in family life, home, and communications. These rights can be limited only by law in case of necessity.

Example: In Peck v. United Kingdom (2003), CCTV footage of an individual was telecast without authorization, violating Article 8.

A crucial development came in 2018 when the UN Human Rights Council mentioned that the same rights protected offline need to be protected online. This marks the evolution of international law from traditional protections to the digital era.

In 2013, according to Edward Snowden, the UN General Assembly adopted Resolution 68/167 (“The Right to Privacy in the Digital Age”), making human rights obligations equally applicable online.[3]

Constitutional Law in India

India has been through a principal shift with respect to the right to privacy:

In Kharak Singh v. State of Uttar Pradesh (1962), the Supreme Court refused to elevate it as a fundamental right and treated it as an idea of personal liberty.[4]

However, this case was nullified in a landmark nine-judge bench ruling in Justice K.S. Puttaswamy v. Union of India (2017), where it was unanimously decided that privacy will be a fundamental right under Articles 14 (equality), 19 (freedoms), and 21 (right to life and personal liberty) of the Constitution.[5]

Three tests have been laid down for any restriction on privacy:

  • Legality – presence of a valid law that allows restrictions
  • Legitimate Aim – the law must serve a genuine purpose
  • Proportionality – the restrictions must limit rights only as much as required

E.g., in the 2018 Aadhaar case, the court limited the use of Aadhaar to welfare purposes and struck down its use for bank accounts and mobile numbers, as that use failed the privacy tests.

Comparative perspectives:

Similarly, the US Supreme Court held in Carpenter v. United States (2018) that a warrant was needed to access cell-site location data, just as the German Federal Constitutional Court has protected “informational self-determination”.

Principles of Data Protection:

The EU’s General Data Protection Regulation (GDPR, 2018) has been a global achievement, influencing legislation in India, Brazil, and South Africa.

Core principles:

The core principles are lawfulness, fairness, and transparency; purpose limitation; data minimization; storage limitation; accuracy; integrity and confidentiality; and accountability.

Recent Data and Trends:

A. Data Breaches:

  • United States: In 2024, 3,158 data compromise incidents occurred, affecting over 1.35 billion individuals due to infringements. From September 2022 to 2023, more than 4,600 incidents in the US implicated about 5 billion records.
  • Public Concern: In the United States, approximately 84 percent of people have reported concerns about the safety and privacy of their data being circulated online. Similarly, in India, it has been reported through surveys that 60 percent of online users have a fear of unauthorised data collection, and only 11 percent of them read privacy policies.

B. GDPR Enforcement & Fines:

According to reports, from 2018 to March 2025 approximately 2,245 fines were issued under the GDPR, totalling €5.65 billion, with an average fine of €2.36 million.[6]

In 2024 alone, GDPR fines were about €1.2 billion, which is considered a decrease from 2023, a year marked by high-profile penalties such as that against Meta Platforms (€1.2 billion).

Other penalties were issued as well, against companies like Amazon, TikTok, etc.

C. India’s Legal Penalties under the DPDP Act, 2023

The Digital Personal Data Protection Act, 2023 (DPDP Act), provides the modern legal framework for personal data protection in India and levies monetary sanctions.

The Act distinguishes between different categories of breaches:

| Category of Breach | Maximum Penalty |
|---|---|
| Violation of security safeguards (Section 8(5)) | Up to INR 25 crore (₹250,000,000) |
| Failure to notify Board | Up to INR 20 crore (₹200,000,000) |
| Infringement that concerns children (Section 9) | Up to INR 20 crore (₹200,000,000) |
| Restrictions on significant data fiduciaries (Section 10) | Up to INR 15 crore (₹150,000,000) |
| Duty of the data principal (data subject) (Section 15) | Up to INR 10,000 |

[7]

Interpretation:

The key role of this Act is to align with international proceedings, making infringement financially and legally significant. There is a need for a sturdy framework.

Legal Cases

  1. Meta €1.2 billion Fine: In May 2023, the Irish Data Protection Commission fined Meta (Facebook) for lacking an adequate legal framework for transferring EU data to the US, which makes it the largest GDPR penalty to date.
  2. Uber Data Transfer Fine: Similarly, in 2024 the Dutch Data Protection Authority heavily fined Uber, about €290 million, for unethical sharing of driver data outside the EU.
  3. India on Right to Privacy Judgements: The Puttaswamy (2017) judgement established privacy as a fundamental right of each citizen.

Challenges Faced

Cross-border and data transfer

The global economy depends on the seamless transfer of data. The Schrems II judgment highlighted that the U.S. was inefficient in protecting the privacy rights of the citizens of the EU. This raises serious concerns, and as a result, it faces too many dilemmas under the DPDP Act.

Technological Disruption and Emerging Risks

Artificial Intelligence, machine learning, biometrics, and face recognition all raise concerns of discrimination, opacity, and lack of accountability. Courts and regulators are still trying to respond to the risks, and at the same time keep up with the advancements.

Low Public Awareness and Consent Fatigue

According to the report, people are concerned about their data being misused. This is called “consent fatigue”, which weakens the autonomy at the foundation of many privacy laws.

Conclusion

The digital era has led to the blurring of lines between the public and private spheres. In this context, privacy is not a luxury but can be considered a precondition for liberty, autonomy, and human dignity. At the same time, the challenges faced by the people as well as the judiciary are formidable. Laws like GDPR and the DPDP Act provide a powerful framework.

The main risk lies in setting up corporate practices and advice on data governance. In the words of Justice D.Y. Chandrachud in Puttaswamy, privacy helps the individual “to retain the autonomy of the body and mind”. Safeguarding data in the digital era, therefore, is not just about regulation — it is about preserving the very essence of human freedom.

References

[1] Universal Declaration of Human Rights (adopted 10 December 1948 UNGA Res 217 A(III)) art 12.

[2] International Covenant on Civil and Political Rights (adopted 16 December 1966, entered into force 23 March 1976) 999 UNTS 171 art 17.

[3] Peck v United Kingdom App no 44647/98 (ECtHR, 28 January 2003).

[4] Kharak Singh v State of Uttar Pradesh (1962) 1 SCR 332 (India).

[5] Justice K.S. Puttaswamy (Retd) v Union of India (2017) 10 SCC 1 (India).

[6] CMS Law, ‘GDPR Fines & Enforcement Tracker’ (CMS Law, March 2025) https://cms.law/en/int/expertise/data-protection accessed 20 September 2025.

[7] Digital Personal Data Protection Act 2023, ss 8(5), 8(6), 9, 10, 15 (India).
