HUMAN RIGHTS IN THE DIGITAL ERA: DATA PROTECTION AND PRIVACY CONCERNS

INTRODUCTION

The twenty-first century has been marked by the rapid penetration of digital technologies into nearly every aspect of human existence. Smartphones, biometric identification systems, digital payments, and social-media platforms have redefined how individuals communicate, work, and even exercise citizenship. While these tools have expanded opportunity, they have also fundamentally altered the relationship between the individual, the State, and private corporations. Increasingly, the contours of liberty and autonomy are being shaped not only in the courtroom or legislature but in the architecture of data flows and the algorithms that govern them.

In this new digital order, privacy emerges as the most contested right. Unlike traditional civil liberties such as speech or association, privacy in the digital era is inseparable from the ordinary, everyday use of technology. Each online transaction, biometric authentication, or GPS ping generates a trail of personal information. Individually trivial, collectively this data paints intimate portraits of citizens their habits, preferences, beliefs, and vulnerabilities. Without effective regulation, such information becomes a tool of power: governments may use it for mass surveillance, while private corporations may monetise it for profit.

India’s constitutional jurisprudence has had to evolve to meet this challenge. For decades, the right to privacy was uncertain, dismissed in M.P. Sharma v. Satish Chandra (1954) and Kharak Singh v. State of Uttar Pradesh (1962), then cautiously affirmed in Gobind v. State of Madhya Pradesh (1975), and finally given definitive recognition in Justice K.S. Puttaswamy v. Union of India (2017). In Puttaswamy, a nine-judge bench unanimously held that privacy is intrinsic to life and liberty under Article 21 of the Constitution. More importantly, the Court identified informational privacy control over the collection and dissemination of personal data—as central to dignity and autonomy in the digital age.

The constitutional recognition of privacy coincides with the rise of large-scale digitisation projects in India. The Aadhaar programme, which creates a biometric identity database for welfare and authentication purposes, symbolises both the opportunities and risks of digital governance. On the one hand, Aadhaar has streamlined service delivery; on the other, it has raised fears of surveillance and exclusion. Beyond Aadhaar, the growing dominance of global technology platforms in India’s digital economy, controlling search, communication, and commerce, has made questions of data protection global as well as domestic.

This article argues that safeguarding privacy in the digital era is not a matter of technological convenience but a human-rights imperative. The right to privacy is anchored in international law, particularly Article 12 of the Universal Declaration of Human Rights and Article 17 of the ICCPR, and must be realised through domestic law and practice. By analysing India’s constitutional framework, statutory developments such as the Digital Personal Data Protection Act, 2023, and international models like the EU’s GDPR, the paper seeks to explore the challenges of reconciling individual rights with the imperatives of governance and innovation.

Ultimately, the question is not whether India should embrace digitisation, it already has but whether this embrace can be structured in a manner that secures the constitutional promise of dignity, liberty, and accountability. Protecting privacy in the digital age is therefore not only a legal duty but a democratic necessity.

CONSTITUTIONAL AND LEGAL FRAMEWORK IN INDIA

1. Constitutional recognition of privacy

Although the Constitution does not textually enumerate “privacy,” the Supreme Court has read it into Article 21 and related freedoms. In Puttaswamy (2017), a unanimous nine-judge bench held that privacy is intrinsic to life and liberty, drawing on dignity, autonomy, and limited government as foundational principles.[1] The Court emphasised informational privacy and warned against the chilling effects of unregulated data collection, requiring any intrusion to satisfy tests of legality, necessity, and proportionality. Earlier, in PUCL v. Union of India (Telephone Tapping), the Court treated wiretapping as a grave invasion of privacy and set procedural safeguards an antecedent to today’s digital surveillance debates.[2] Together, these rulings constitutionalise privacy and create the baseline that any data-protection law or surveillance programme must respect.

2. Statutory developments

For nearly two decades, India relied on a patchwork under the Information Technology Act, 2000, notably Section 43A (compensation for failure to protect data) and Section 72A (criminal liability for disclosure of information in breach of lawful contract).[3] These provisions were narrow in scope (focused on “body corporates”), unevenly enforced, and lacked a rights-first architecture.

In 2023, Parliament enacted the Digital Personal Data Protection Act, 2023 (DPDP Act), India’s first horizontal privacy statute.[4] The Act defines roles (data principal/data fiduciary), centres consent (with specified legitimate uses), grants rights of access, correction, and erasure, and creates a Data Protection Board of India for adjudication and penalties. Critics, however, highlight broad government exemptions, the executive control over the Board, and limited transparency obligations, raising questions about independence and effectiveness when the State itself is the largest data fiduciary.[5] Whether the DPDP’s rulemaking and enforcement design will satisfy Puttaswamy’s proportionality and due-process standards is likely to be tested as subordinate legislation and practice evolve.[6]

INTERNATIONAL AND COMPARATIVE LAW

1. International human-rights framework

The right to privacy in the digital era is grounded in core international instruments. Article 12 of the Universal Declaration of Human Rights (UDHR) prohibits arbitrary interference with privacy, family, home, or correspondence.[7] Similarly, Article 17 of the International Covenant on Civil and Political Rights (ICCPR) binds state parties, including India, to protect individuals against unlawful or arbitrary intrusions into their private lives.[8] The UN Human Rights Committee, in General Comment No. 16, stressed that states must adopt legislative and other measures to give full effect to this right in practice.[9] In recent years, the UN General Assembly has passed resolutions affirming that offline rights, including privacy, apply equally online, signalling a global consensus that human-rights protections must adapt to digital realities.[10]

2. Comparative perspectives

• European Union (GDPR): The General Data Protection Regulation (GDPR), in force since 2018, is widely regarded as the most comprehensive privacy law. It codifies principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, storage limitation, and accountability.[11] Importantly, it provides enforceable rights such as the right to be forgotten and mandates independent supervisory authorities.
• United States: The U.S. lacks a horizontal privacy statute. Instead, it follows a sectoral approach, with laws like HIPAA (health data), COPPA (children), and the California Consumer Privacy Act (CCPA). While flexible, this patchwork creates uneven protection.[12]
• China: China has enacted the Personal Information Protection Law (PIPL), but this is coupled with expansive state surveillance powers. The result is a system where private-sector data processing is regulated, yet state agencies retain sweeping authority.[13]
• Global South: Countries such as Brazil (LGPD) and South Africa (POPIA) have adopted GDPR-inspired frameworks, aiming to strike a balance between privacy and development needs.[14]

For India, these comparative lessons underscore three points: the importance of independent oversight, clear limitations on state power, and robust user rights. The DPDP Act borrows some concepts from GDPR but lacks equivalent safeguards in relation to state surveillance and institutional independence.[15]

KEY CHALLENGES IN INDIA

• Surveillance and state power

The Pegasus spyware revelations raised concerns about the extent of government surveillance, with journalists, activists, and political figures allegedly targeted. The absence of a dedicated surveillance law. India still relies on colonial-era statutes like the Telegraph Act, 1885 and Section 69 of the IT Act, creates risks of disproportionate intrusions without adequate judicial oversight.[16]

• Weak enforcement mechanisms

The DPDP Act establishes a Data Protection Board, but its design leaves questions about independence, as appointments and removals are controlled by the central government. Without institutional autonomy, the Board may struggle to hold powerful state agencies accountable.

• Big Tech dominance and data monopolies

Global technology companies extract and monetise vast quantities of Indian user data. Algorithmic profiling, targeted advertising, and opaque content moderation practices affect not only privacy but also freedom of expression and equality.[17] Absent strong competition and interoperability norms, individuals have little bargaining power.

• Digital divide and awareness gap

While urban elites may be able to invoke privacy rights, large sections of India’s rural and marginalised population lack digital literacy to understand or exercise their rights under the DPDP Act.[18] This creates a two-tiered privacy regime, where the vulnerable remain most exposed.

• Balancing innovation with regulation

India aspires to build a global digital economy. Excessively rigid regulation could hinder innovation, but weak safeguards risk undermining human rights. Crafting proportionate, transparent, and enforceable rules remains a delicate policy challenge.[19]

JUDICAL DISCOURSE

Indian courts have consistently shaped the privacy landscape, moving from denial to robust recognition. The early reluctance is seen in M.P. Sharma v. Satish Chandra (1954), where an eight-judge bench rejected a standalone right to privacy in search and seizure matters.[20] Similarly, in Kharak Singh v. State of Uttar Pradesh (1962), the majority dismissed privacy claims, though Justice Subba Rao’s dissent foreshadowed later developments.[21]

This trajectory shifted with Gobind v. State of Madhya Pradesh (1975), where the Court cautiously accepted that privacy could be read into Article 21, though subject to compelling state interest.[22] Over time, PUCL (Telephone Tapping) and R. Rajagopal v. State of Tamil Nadu expanded this recognition, until Puttaswamy (2017) finally settled the debate by declaring privacy a fundamental right.[23]

Post-Puttaswamy, judicial discourse has focused on implementation and proportionality. In Puttaswamy II (Aadhaar case), the Court upheld Aadhaar’s constitutional validity but struck down provisions permitting private use of biometric data, emphasising that data collection must be backed by law and proportionate.[24] More recently, in Anuradha Bhasin v. Union of India (2020), the Court linked internet access restrictions to constitutional freedoms, implicitly recognising the digital sphere as central to rights enjoyment.[25]

Scholarly debate mirrors these tensions. Legal academics stress that privacy in the digital age cannot be understood solely as a negative right against the state, but must include positive obligations to regulate private actors, ensure transparency, and build institutional safeguards.[26] Others caution against over-constitutionalising, arguing that privacy frameworks must balance individual liberty with India’s developmental imperatives.[27]

WAY FORWARD

While the DPDP Act is a milestone, it must be viewed as a starting point rather than a comprehensive solution. Several reforms are necessary to align India’s data-protection regime with constitutional and international standards:

1. Strengthen institutional independence
   • The Data Protection Board of India must be insulated from executive control, akin to the independence of Election Commission or judiciary.[28] Appointment processes should involve Parliament or a judicial collegium.
2. Limit government exemptions
   • Current provisions allow wide-ranging exemptions for reasons of national security or “public order.” These must be narrowly tailored, subject to judicial review, and time-bound, in line with Puttaswamy’s proportionality test.[29]
3. Enhance user rights
   • Introduce rights akin to GDPR: data portability, right to object to automated decision-making, right to be forgotten. These strengthen informational self-determination and individual autonomy.
4. Transparency and accountability
   • Mandate regular transparency reports from both state agencies and private companies on data requests, breaches, and processing practices. Independent audits should be routine.[30]
5. Build digital literacy
   • Awareness campaigns in rural and semi-urban areas are critical. Citizens must understand their consent rights, grievance mechanisms, and remedies under the DPDP Act.[31]
6. Judicial oversight of surveillance
   • India requires a dedicated surveillance law that mandates prior judicial approval for interception, periodic review, and parliamentary oversight similar to safeguards in the UK and USA.[32]
7. International cooperation
   • As data flows transcend borders, India must engage in bilateral and multilateral frameworks to enable cross-border data transfers while safeguarding privacy. Leadership among Global South countries would enhance India’s normative influence.[33]

Together, these reforms would not only enhance compliance with constitutional mandates but also position India as a responsible digital power committed to rights-based governance.

CONCLUSION

The digital era presents both promise and peril. On one hand, it enables unprecedented innovation, connectivity, and economic growth; on the other, it threatens to reduce individuals to mere data points, vulnerable to surveillance, profiling, and exploitation. India’s constitutional jurisprudence, culminating in Puttaswamy, places privacy at the heart of democratic governance. Yet constitutional recognition must be matched with statutory effectiveness, institutional independence, and active judicial oversight.

The Digital Personal Data Protection Act, 2023, is a critical step forward, but its effectiveness will depend on how exemptions are applied, how independent the Data Protection Board proves to be, and how far courts are willing to scrutinise executive actions. Internationally, India must learn from GDPR-like models that embed rights such as data portability and the right to be forgotten, while tailoring them to local socio-economic contexts.

Ultimately, the test of India’s digital future is whether it can protect the dignity and autonomy of every citizen while fostering technological progress. Privacy is not a privilege for the few but a collective guarantee for all. Safeguarding it is not only a legal duty but also a democratic imperative, because in protecting digital rights, India safeguards the very essence of its constitutional promise.

REFERENCES

[1] Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1, Supreme Court of India, Judgments Repository, available at https://main.sci.gov.in/judgments (last used Sept. 17, 2025)

[2] People’s Union for Civil Liberties (PUCL) v. Union of India, (1997) 1 SCC 301 (telephone tapping), full text available at Indian Kanoon, https://indiankanoon.org/doc/309352/ (last used Sept. 17, 2025)

[3] Information Technology Act, 2000, §§ 43A, 72A. Statutory text and amendments available at India Code, https://www.indiacode.nic.in/ (last used Sept. 17, 2025)

[4] Digital Personal Data Protection Act, 2023, text and resources at MeitY: https://www.meity.gov.in/digital-personal-data-protection-act-2023 (last used Sept. 18, 2025)

[5] MeitY legislative resources, https://www.meity.gov.in/ (last used Sept. 18, 2025)

[6] Puttaswamy, supra note 1 (proportionality and constitutional tests) as applied to future DPDP rules and Board design; see also Supreme Court Judgments Repository, https://main.sci.gov.in/judgments (last used Sept. 18, 2025)

[7] Universal Declaration of Human Rights, art. 12, United Nations, available at https://www.un.org/en/about-us/universal-declaration-of-human-rights (last used Sept. 19, 2025)

[8] International Covenant on Civil and Political Rights, art. 17, OHCHR, available at https://www.ohchr.org/en/instruments-mechanisms/instruments/international-covenant-civil-and-political-rights (last used Sept. 19, 2025)

[9] UN Human Rights Committee, General Comment No. 16 (Article 17), OHCHR, available at https://www.ohchr.org/en/treaty-bodies/ccpr (last used Sept. 19, 2025)

[10] UN General Assembly Resolution on the Right to Privacy in the Digital Age, A/RES/73/179, available at https://digitallibrary.un.org/ (last used Sept. 19, 2025)

[11] Regulation (EU) 2016/679 (General Data Protection Regulation), available at https://gdpr.eu/ (last used Sept. 19, 2025

[12] California Consumer Privacy Act, State of California Department of Justice, available at https://oag.ca.gov/privacy/ccpa (last used Sept. 19, 2025)

[13] Personal Information Protection Law of the People’s Republic of China, 2021, available at https://www.chinalawtranslate.com/en/personal-information-protection-law-of-the-prc/ (last used Sept. 20, 2025)

[14] Lei Geral de Proteção de Dados Pessoais (Brazil), available at https://www.gov.br/ (last used Sept. 20, 2025)

[15] PRS India, Bill Summary: Digital Personal Data Protection Bill, 2023, PRS Legislative Research, available at https://prsindia.org/ (last used Sept. 20, 2025)

[16] Telegraph Act, 1885; Information Technology Act, 2000, § 69. Statutory texts available at India Code, https://www.indiacode.nic.in/ (last used Sept. 20, 2025)

[17] Critical commentary on Big Tech data dominance, Internet Freedom Foundation, available at https://internetfreedom.in/ (last used Sept. 20, 2025)

[18] Digital literacy and privacy awareness gap in India, NITI Aayog Reports, available at https://www.niti.gov.in/ (last used Sept. 20, 2025)

[19] Policy debates on innovation vs. regulation balance, MeitY, available at https://www.meity.gov.in/ (last used Sept. 20, 2025)

[20] M.P. Sharma v. Satish Chandra, AIR 1954 SC 300, available at Supreme Court Judgments Repository, https://main.sci.gov.in/judgments (last used Sept. 20, 2025)

[21] Kharak Singh v. State of Uttar Pradesh, AIR 1963 SC 1295, available at Indian Kanoon, https://indiankanoon.org/doc/619152/ (last used Sept. 20, 2025)

[22] Gobind v. State of Madhya Pradesh, (1975) 2 SCC 148, available at Supreme Court Judgments Repository, https://main.sci.gov.in/judgments (last used Sept. 20, 2025)

[23] Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1, Supreme Court of India, Judgments Repository, available at https://main.sci.gov.in/judgments (last used Sept. 20, 2025)

[24] Justice K.S. Puttaswamy (Aadhaar) v. Union of India, (2019) 1 SCC 1, available at Supreme Court Judgments Repository, https://main.sci.gov.in/judgments (last used Sept. 20, 2025)

[25] Anuradha Bhasin v. Union of India, (2020) 3 SCC 637, available at Supreme Court Judgments Repository, https://main.sci.gov.in/judgments (last used Sept. 20, 2025)

[26] Gautam Bhatia, Privacy in India after Puttaswamy: Expanding the Constitutional Horizon, Indian Constitutional Law and Philosophy Blog, available at https://indconlawphil.wordpress.com/ (last used Sept. 20, 2025)

[27] Usha Ramanathan, Aadhaar: Governing with Data, Seminar Magazine, available at https://www.india-seminar.com/ (last used Sept. 20, 2025)

[28] Institutional independence for data regulators, PRS Legislative Research, available at https://prsindia.org/ (last used Sept. 20, 2025)

[29] Puttaswamy, supra note 1, proportionality test; see also Supreme Court Judgments Repository, https://main.sci.gov.in/judgments (last used Sept. 20, 2025)

[30] Transparency practices in global privacy regimes, Electronic Frontier Foundation (EFF), available at https://www.eff.org/ (last used Sept. 20, 2025)

[31] Digital literacy initiatives in India, NITI Aayog, available at https://www.niti.gov.in/ (last used Sept. 20, 2025)

[32] UK Investigatory Powers Act, 2016; USA Foreign Intelligence Surveillance Act (FISA), statutory texts available at respective government portals (last used Sept. 20, 2025)

[33] International cooperation on data flows, OECD Digital Economy Papers, available at https://www.oecd.org/ (last used Sept. 20, 2025)