
DATA PROTECTION IN INDIA – FROM M.P. SHARMA CASE TO THE DPDP ACT, 2023

Introduction

Human civilisation has always relied on the creation and preservation of information. For example, ancient texts such as the Vedas, Upanishads, and Puranas are nothing but the organised compilation of human thought. Even a mythological concept illustrates data accumulation.

The lifetime record of deeds recorded by Chitragupta to determine one’s afterlife, whether the person shall go to hell or heaven,[1] is fundamentally a metaphor for data collection, storage, and analysis. The principle remains the same; only the medium has changed. Instead of palm leaves, stone tablets, or oral traditions, data is now created and stored through digital systems.

Information Is a Subset

Data is a broader, unorganised mass of represented facts, instructions, and concepts intended for processing by a computer system. When data is processed, organised, and made useful, it is called information.[2] So, information is the processed subset of data. Privacy is not concerned with every piece of data floating in digital space; it is concerned with the part of the data that, once organised and interpreted, reveals someone’s personal identity or is sensitive to an individual. Information privacy is a real subject of debate in law and policy.

Concept Of Data Privacy

The term privacy is derived from the Latin term ‘Privatus’, which means withdrawn from public life.[3] With the advancement of technology and the internet, new terms have been added, i.e., data privacy or information privacy. According to the IITF principle of the US, information privacy is “an individual’s claim to control the terms under which personal information is collected…information identifiable to the individual (i.e., through which people can be identified) … is acquired (i.e., people can decide if data can be collected in the first place), disclosed (i.e., people can decide who can see and access their information), and used (i.e., how their data is utilised by others and for what purpose).”[4]

Data privacy is, therefore, an individual’s ability to decide what information about them is collected, how it will be used, and with whom it will be shared.

Data privacy and Data protection

Data privacy and data protection are often used interchangeably, but they are not the same. The right of individuals to manage access to and use of their personal data is the main emphasis of data privacy. Data protection, on the other hand, focuses on the security, safeguards, and protocols a business or entity must implement to protect data from breaches or unauthorised use.[5]

Purpose Of Data Collection

  1. Government bodies collect data for governance, welfare, security, and identification.
  2. Private corporations collect data for personalisation, monetisation, behavioural prediction, and commercial gains.

Evolution of data protection in India

Phase 1- before 2000

In M.P. Sharma v. Satish Chandra (1954), the Supreme Court of India examined the issue of privacy for the first time. The court held that “search and seizure does not infringe the constitutional rights provided under Article 19(1)(f) and Article 20(3), and further the court observed that the Constituent Assembly also did not explicitly recognise privacy as a fundamental right under Part III of the Constitution.”[6]

Kharak Singh v. State of UP (1962) is another case, in which the Supreme Court held that “Police domiciliary visits to habitual criminals at midnight are unconstitutional, infringing on the right to life, but not privacy.”[7]

In Gobind v. State of MP (1975), the court said that “the Right to privacy has its own set of restrictions, such as public order, morality, national security, etc.”[8] In this case, the court gave more significance to the state interest than to the individual interest.

In Maneka Gandhi v. UOI (1978), the court expanded the ambit of “personal liberty to include a variety of rights.”[9]

In PUCL v. UOI (1997), the court held that “the right to privacy is an integral part of the right to life & personal liberty and the right to freedom of speech under Article 19(1)(g) includes the freedom of telephone communication, which can only be interrupted according to the restrictions in Article 19 (2).”[10]

Phase 2- before the Puttaswamy case

The evolution of data protection in India can be traced back to 2000, when the first cyber law, i.e., the IT Act 2000, was enacted.[11] In its major amendment in 2008, Section 43(A)[12] was inserted, which holds a corporate body liable to pay compensation if it fails to protect sensitive personal data.[13] Then, in 2011, came the IT Rule 2011[14], which introduced and defined the liabilities of intermediaries.[15]

The government constituted the Justice A.P. Shah committee to examine data privacy concerns and suggest safeguards. The committee, which released its findings in 2012, recommended five salient features and nine national privacy principles for the proposed privacy legislation.[16]

In 2015, the Gujarat HC heard a case in which the petitioner sought the removal of his name from a judgement that continued to harm his reputation despite his acquittal. It was the first Indian case where the concept of the right to be forgotten was raised, although the court declined to recognise the right at that stage.[17]

Phase 3- after the Puttaswamy case

In 2017, the Supreme Court recognised the “right to privacy as a fundamental right.” J. Chandrachud stated that “we are in an informational age. With the growth and development of technology, more information is now easily available.”[18] After this judgement, the government was bound to respect the individual’s privacy. The Supreme Court advised the Central Government to establish a data protection policy that balances the needs of individuals with the legitimate concerns of the state.

In 2018, the Justice B.N. Srikrishna Committee was formed to study the issues of data protection and draft comprehensive legislation. The committee submitted its report, “A Free and Fair Digital Economy”, and drafted a personal data protection bill, which became the basis of the DPDP Act.[19]

In April 2018, the Reserve Bank of India released a notification regarding the saving of card details on online portals while shopping. After this notification, the RBI mandated that such entities must store these details only in India.[20] In January 2019, the RBI reinforced its earlier mandate by issuing another notification, which prohibited all entities from even saving those card details; they could only save the last four digits of the card, but not the full number or any other information related to the card.[21]

In 2021, the IT Rules 2021 were introduced.[22] These rules mandated messaging services like WhatsApp to enable the identification of the first originator of a message.[23] The rules were challenged before the Delhi High Court, and the matter remains pending for adjudication.[24]

In 2023, the bill for the Digital Personal Data Protection Act, 2023 was placed in Parliament; both houses passed the bill, and it received the President’s assent, becoming India’s first data protection law.[25]

On 14th November 2025, the government released the Digital Personal Data Protection Rules, 2025, for the proper implementation of the DPDP Act 2023.[26]

Challenges faced by people due to the data boom

  1. Personal Freedom And Private Revenue

Constitutional privacy protections are designed for the physical world, covering matters such as unlawful entry, surveillance, and bodily autonomy. But today, people exist in dual form, physically and digitally. Your physical presence may be private, but your every digital action is recorded and monetised by various entities, raising critical questions about who truly controls personal information. Corporations treat data as a “new oil or the new gold”[27] and consider it a more valuable asset than land or machinery.

  2. Organisational Integrity

We routinely share personal data, phone numbers, addresses, and preferences with apps, banks, and marketplaces without questioning how they store, use, or share it. Whether this happens ethically depends entirely on the integrity of the institution collecting it. Most people never read the “Terms and Conditions” when they agree to them because of the font size.

  3. Technology Does Not Discriminate, But It Makes Us Vulnerable

Unlike the Constitution, technology makes no discrimination based on caste, gender, religion, or economic status. It treats everyone uniformly, which may sound fair, but in practice, it exposes all individuals to identical risks.

Privacy is most compromised not when data is collected but when data about a user is analysed. For example, when a person searches for a product on a search engine like Google, similar advertisements subsequently appear across platforms such as Instagram or YouTube. This happens because the algorithmic system recognises patterns, predicts preferences, and influences decision-making through customised recommendations.

When big data is turned into information through behavioural harvesting (statistical learning, analysing the data, behavioural models, predicting target behaviour, influencing individuals) based on data profiling, it affects privacy: a choice is no longer freely yours if the other party gets to know it via technology. This is a modern privacy concern.

CONCLUSION

Data is a powerful resource, but it also creates risks for privacy. After analysing several judgements, we can understand that true data protection is not just about security systems, but about preserving human dignity, autonomy, and the freedom to make choices not influenced by others. The law has evolved from the IT Act to the DPDP Act 2023, which aims to regulate how personal data is collected and used. However, the real protection will depend on how honestly organisations follow these laws.

Author(s) Name: Chandan Sha (Indian Institute of Legal Studies)

References:

[1] Zee Media Bureau, ‘Chitragupta Puja 2022: Date, time, puja vidhi and significance’ (Zee News, 26 October 2022) <https://zeenews.india.com/culture/chitragupta-puja-2022-date-time-puja-vidhi-and-significance-2526842.html> accessed 23 November 2025

[2] Sanjay Jain, ‘What is Data vs. What is Information’ (Bloomfire, 10 February 2025) <https://bloomfire.com/blog/data-vs-information/> accessed 23 November 2025

[3] Maithreyi, ‘Challenges to Privacy and data protection in India’ (2022) 10 (1) IJCRT 1 <https://ijcrt.org/papers/IJCRT2201513.pdf> accessed 23 November 2025

[4] Quincy Maquet, ‘A Company’s Guide to an Effective Web Site Privacy Policy’ (2001) 2 Chicago-Kent Journal of Intellectual Property 1 <https://studentorgs.kentlaw.iit.edu/ckjip/wp-content/uploads/sites/4/2013/10/02JIntellProp12001.pdf> accessed 17 November 2025

[5] Lloyd Law College, ‘Data Protection vs Data Privacy in Indian Law: What’s the Difference?’ (Lloyd Law College Blog, 2020) <https://www.lloydlawcollege.edu.in/blog/data-protection-vs-privacy-indian-law.html> accessed 16 November 2025

[6] MP Sharma v Satish Chandra (1954) SCR 1077

[7] Kharak Singh v State of Uttar Pradesh AIR 1963 SC 1295

[8] Gobind v State of MP (1975) 2 SCC 148

[9] Maneka Gandhi v Union of India (1978) 1 SCC 248

[10] PUCL v Union of India (1997) 1 SCC 301

[11] Information Technology Act 2000

[12] Information Technology Act (Amendment) 2008, s 22 (inserting s 43A)

[13] Ardent Privacy, ‘Evolution of Data Protection Laws in India’ (Ardent Privacy Blog, 25 August 2023) <https://www.ardentprivacy.ai/blog/evolution-of-data-protection-laws-in-india/> accessed 23 November 2025

[14] Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data) Rules, 2011

[15] Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data) Rules 2011

[16] Press Information Bureau, Group of Experts on Privacy Submit Report (Press Release, Government of India, 18 October 2012) <https://www.pib.gov.in/newsite/PrintRelease.aspx?relid=88503> accessed 23 November 2025

[17] Dharamraj Bhanushankar Dave v State of Gujarat, 2015 SCC OnLine Guj 7643

[18] Justice K S Puttaswamy (Retd) v Union of India (2017) 10 SCC 1

[19] Committee of Experts under Justice B N Srikrishna, Report of the Committee on Draft Personal Data Protection Bill, 2018 (Ministry of Electronics and Information Technology, Government of India, July 2018) <https://www.prsindia.org/files/bills_acts/bills_parliament/2019/Committee%20Report%20on%20Draft%20Personal%20Data%20Protection%20Bill,%202018_0.pdf> accessed 24 November 2025

[20] Reserve Bank of India, Storage of Payment System Data (FAQs, 26 June 2019) <https://www.rbi.org.in/commonman/english/scripts/FAQs.aspx?Id=2995> accessed 24 November 2025

[21] Reserve Bank of India, Device-based Tokenisation – Card Transactions (FAQs) <https://www.rbi.org.in/commonman/english/scripts/FAQs.aspx?Id=2917> accessed 24 November 2025

[22] Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021.

[23] Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021

[24] WhatsApp LLC v Union of India W.P. (C) 682/2021 (Delhi HC, pending) accessed 24 November 2025

[25] Digital Personal Data Protection Act 2023

[26] Press Information Bureau, DPDP Rules, 2025 Notified - A Citizen-Centric Framework for Privacy Protection and Responsible Data Use (Press Release, Government of India, 17 Nov 2025) <https://www.pib.gov.in/PressReleasePage.aspx?PRID=2190655> accessed 22 November 2025

[27] M Janssen, M Wimmer and H Deljoo (eds), EGOV 2014: Electronic Government – LNCS 8653 (Springer 2014) 253-264