Scope and Fate of Data Privacy Laws in India


This article gives an insight into the scope of data privacy laws in India. It begins with a brief introduction to the current fate of cyber laws and data privacy in Indian jurisprudence, then explains the steps taken by the Indian legislature to incorporate data privacy laws in India, with a thorough analysis of the Personal Data Protection Bill, 2019. In furtherance of its objectives, the first phase traces the aims and objectives of this Bill and draws attention to the remarkable features of the European law on the subject. It continues with an insight into the prominence of data privacy and the utmost need to incorporate data privacy laws in India, followed by the judicial standpoint towards data privacy laws and the various landmark judgments related to it. The article also covers the data privacy laws that currently protect the rights of users on various online platforms. It then discusses the recent WhatsApp data privacy policy and its conflict with the Indian government and the users. Further, the offences in the light of data privacy are highlighted. With the rapid growth of technology and an instant shift towards the online medium, it is the need of the hour for a country like India to incorporate strict data laws to protect and ensure an effective interface. Finally, the article concludes by stressing the need for this much-awaited law, despite the various hurdles that may come in the way of its implementation and compliance, with a distinct perspective towards it.



The year 2020 was one in which the world transformed into one digital, global platform more than ever before, owing to the pandemic that altered and affected the nitty-gritty of life as we know it. One of the silver linings of the year was the spotlight on the importance of data privacy and data flow. Keeping this in mind, the Indian Government took significant steps towards data policy and regulation in 2020, introducing various laws and regulations covering personal data, health data, financial data, and data related to e-commerce and online trade. The judiciary has significantly observed individual rights regarding data privacy, and the ever-deliberated Personal Data Protection Bill, 2019, i.e. the “PDP Bill”[1], was a significant step under Government deliberation during the year.


The Constitution of India does not explicitly grant a fundamental right to privacy; however, the courts have interpreted this right along with other existing fundamental rights, like the freedom of speech and expression under Article 19(1)(a) and the right to life and personal liberty under Article 21 of the Constitution of India, subject to reasonable restrictions imposed by the state as provided in Article 19(2) of the Constitution. The right to privacy is recognised as a fundamental right under Article 21 of the Constitution of India, which lays down the right to life and personal liberty.

This was held by a nine-judge bench of the Supreme Court of India in the landmark judgement of Justice K.S. Puttaswamy v. Union of India[2] on 24th August 2017, wherein the bench declared the ‘Right to Privacy’ as an integral part of Part III of the Constitution of India, subject to certain reasonable restrictions.

The Attorney General in the Aadhaar case had then argued that although several Supreme Court judgments had recognized the Right to Privacy, still had refused to accept that the right to privacy could be a fundamental right as held in the Kharak Singh judgment[3] passed by a six-judge bench in 1960 and M P Sharma[4] judgement held by an eight-judge Constitutional bench in 1954.

The biggest setback one may face is the possibility that an individual’s information may be illegally and improperly disclosed on an online public platform, which can have numerous hazardous consequences including identity fraud, reputational damage, discrimination or even financial loss. Such broad interpretations of the privacy laws by the apex court and its standpoint in the judiciary of India led to a stream of initiatives by the government towards implementing Personal Data Protection laws.


After the Supreme Court’s landmark judgment on the right to privacy in the Justice KS Puttaswamy case, which suggested that the government should legislate a data privacy law to ensure that the fundamental right to privacy is adequately protected so as to protect inter se relationships between private legal entities, the Ministry of Electronics and Information Technology (MEITY) set up a 10-member committee under the leadership of retired Supreme Court judge B.N. Srikrishna, mandated to develop a Framework for Data Protection Law for the protection of online personal data.

The committee submitted its report titled “A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians”[5] along with the draft of a bill on personal data protection. The revised draft of the Personal Data Protection Bill, 2019 (Bill), was introduced by Mr. Ravi Shankar Prasad, Minister for Electronics and Information Technology, in the Lok Sabha on December 11, 2019, and is being thoroughly examined by a 30-member team of the Joint Parliamentary Committee (JPC).


India in the present scenario does not have any express legislation governing data protection or privacy; unfortunately, such laws are next to negligible in India. However, there are some legislations in India dealing with data protection, namely the Information Technology Act, 2000 and the (Indian) Contract Act, 1872. With constantly increasing cyber crimes, the government of India is coming up with its own data protection laws, based on the European Union’s General Data Protection Regulation (GDPR).

The Data Privacy Bill is primarily for the protection of an individual’s personal data. It specifies the flow and usage of personal data on the internet and creates a relationship of trust between users and entities processing personal data by protecting the rights of individuals whose personal data are processed, while creating a framework of organisational and technical measures in data processing and laying down norms for social media intermediaries, cross-border transfer, and the accountability of entities processing such personal data of the users. The basic principles of the newly introduced Bill are widely similar to those in the General Data Protection Regulation.[6]

On 2nd September 2020, the Ministry of Electronics and Information Technology (MEITY), invoking its power under Section 69A[7] of the Information Technology Act, 2000 read with the relevant provisions of the Information Technology (Procedure and Safeguards for Blocking of Access of Information by Public) Rules 2009, in view of the emerging concern over cyber security, blocked 118 mobile apps. As per the notification issued by MEITY, these apps were engaged in activities which were considered to be a threat to the sovereignty and integrity, defence, public order and security of India.

This decision by MEITY is a targeted move to ensure the safety, security and sovereignty of Indian cyberspace, and it has yet again opened up the discussion on the paramount importance of having strong and legitimate Data Privacy Protection Laws in the country.


The most confusing question that arises in the minds of general citizens is why the personal data of a person requires protection when it is not even in the public domain without the owner’s consent. This question can be dealt with in two parts, namely:

I. Firstly, what does the word ‘consent’ imply, and,

II. Secondly, what is the rationale behind protecting personal data when it is not even accessible to the public, and when can consent be said to be truly given by the user, focusing on the ‘Exploitation of personal data by Social Media platforms in the garb of Consent.’

A. Bobde in the Puttaswamy case, “Consent is essential for distribution of inherently possessed personal data.”

After this was recognised by courts and law bodies all around the world, social media platforms have finally realised that they require the consent of online users for pulling off a gimmick of this sort, as audiences cannot be fooled easily in this digital age. In pursuance of this, such giant companies create a mirage or a tassel in the minds of users of such a kind that the user can neither escape nor get hold of the situation. Such exploitative terms and conditions are so impudently camouflaged within the general terms that any common person agrees to all these conditions without even caring to read them once, because refusing to agree bears them no fruit: generally, one cannot even proceed or access the online platform without agreeing to such conditions.

Such contracts are famously called ‘Standard Form Contracts’, also referred to as contracts of adhesion, leonine contracts, or boilerplate contracts, wherein the terms of the contract are set by one of the parties and the other party has practically zero ability or knowledge to negotiate favourable terms and conditions, thereby landing in a ‘take it or leave it’ position. Users allow these social media platforms to collect their personal data to fulfil their organisational agendas, and the platforms use this automatically ‘saved’ information on their servers for other purposes outside the scope of the ‘gimmick’ contract which the user had entered into with them.

Thus, it can be rightly said social media platforms are exploiting personal data in the garb of consent of the users.


WhatsApp was launched in 2010 and was subsequently taken over by Facebook in the year 2014. WhatsApp updated its privacy policy for users, unilaterally making three-fold changes: data processing, data sharing with Facebook, and integration of Facebook’s other products with WhatsApp. According to the updated policy:

  1. Users have to mandatorily permit the app to share user data with Facebook.
  2. WhatsApp will collect the hardware information of the device, such as application version, device operations, battery level and mobile network.
  3. The app will collect location-related information of the user despite the user opting not to use the application’s location feature.
  4. The new payments feature of the app would help the app retain all information related to payments, transactions, and bank accounts.
  5. If the user opts for third-party services, these third-party services may receive the personal information that the user has shared with others.
  6. Lastly, even if the user deletes their WhatsApp account, the app reserves the right to retain their previously stored data.

Previously, WhatsApp did not have ownership of user data, but as per the new policy, the app now becomes the owner of the user’s data if they accept the new policy. The Indian Data Protection Bill, 2019 prohibits the collection and processing of personal data by ‘data fiduciaries’ without the user’s consent or prior notification. Moreover, it lays down data principles for the users, i.e., the right to confirmation and access, the right to data portability, and the right to be forgotten. Lastly, the bill also provides for compensatory damages to the user in case of a breach of data protection. However, WhatsApp claims to protect its users’ messages with end-to-end encryption, ensuring that only the user can access the data and that not even WhatsApp can access it.

Various writ petitions were being filed in the Supreme Court of India to challenge the unjust updated terms of the app and restrain WhatsApp from implementing the controversial updated terms of services as it is deemed to be against the right to privacy, thereby violating the fundamental rights of the citizens and also threatening the state’s security. Owing to this massive negative publicity, the implementation of the new policy or the updated terms has been finally put on hold in India.

In Karmanya Singh Sareen and Anr. v. Union of India and Ors.[8], the latest privacy policy set out by the popular messaging app ‘WhatsApp’ was challenged. The High Court of Delhi rejected this petition on September 23, 2016, and ordered the deletion of personal data collected up to September 25, 2016, while directing the Telecom Regulatory Authority of India to consider bringing similar smartphone apps under the umbrella of its regulatory ambit.

Aggrieved by this judgment, a Special Leave Petition was filed in the Supreme Court of India seeking an alternative and putting out various issues:

Firstly, whether the WhatsApp Privacy Policy violated the right to privacy of the users,

Secondly, whether the omission of the option given to the user of the app of not sharing their data with the parent company Facebook is contrary to law and,

Thirdly, whether this manner of obtaining the consent of the user by WhatsApp is deceitful.

In its order on September 6, 2017, the Supreme Court explicitly ordered the parent company Facebook and WhatsApp to file affidavits explaining the exact nature of the data that is being shared by them. The Court further emphasized the need for laws on data privacy and security and highlighted the efforts earlier made by the Srikrishna Committee.

The Committee headed by Justice BN Srikrishna advocated for data localization, restricting users’ data from moving out of the country for commercial exploitation, and clearly explained that India needs data localization laws that will enable the data of Indian users to be stored in India itself, rather than at data centers owned by huge multinational companies like Facebook or Google headquartered in the United States.


The Data Protection laws or cases in the country are presently governed and regulated by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, which mandates the corporate entities to provide a privacy policy for personal user-data. Furthermore, the (WhatsApp) policy violates the Guidelines issued by the Ministry of Electronics and Information Technology according to which, disclosing sensitive information to a third party is prohibited. Lastly, despite ratification from NPCI (National Payments Corporation) regarding the payment feature of the app in India, the policy violates Notification issued by the Reserve Bank of India related to storage of Payment Data.

The IT Act, 2000 in India mandates the country’s largest social media platforms to develop a solution to enable the government to track all the user messages.[9] This means that these social media platforms need to essentially affix a digital fingerprint to each message which the government can trace back to the ‘first originator of the information’ so as to enable the government to track the original creator of any message which is found to be violent or suspicious or as opposed to public policy.

The rationale behind this rule is basically to track cyber offenders; the reason behind introducing such rules has been clarified by the government as ‘curbing of fake news’, i.e. misinformation. Many activists and political viewers fear that it is a step taken by the government for the main purpose of political crackdowns; however, this is a never-ending debate with absolutely no concrete conclusion. Yet, one thing which has been pointed out prominently is that the enforcement of such strict IT rules and cyber laws would lead to fulfillment of the Right to Privacy of the users.

As per the K.S. Puttaswamy case[10], the new WhatsApp policy is not only disproportional but is also strictly against the values of the Indian Constitution. Further, while it is true that the government agencies could easily trace someone who is putting out sensitive misinformation or trying to disturb public peace, at the same time, they shall also have the power to follow how politically sensitive content transfers between individual users or to even track activists and political opponents.

The situations relating to the enforcement of such privacy-evasive guidelines prevailing in India are not a novel development for the global community.[11] Many countries have pressured WhatsApp to enable the government to have access to user data in the name of the state’s welfare, but there are various contradicting opinions on it.


The major challenge for a Codified Legislation for Data Privacy in India is the lack of progress regarding “Right to Privacy”, which has created the need for an urgent action to develop a comprehensive and regulatory framework for data protection.

This arena of law has been on the back burner of the government for legislation for quite some time now, but because data privacy laws are mostly underemphasized in India, a layman or a common internet or mobile user is himself not aware of the significance of the privacy and security of his own data. This lack of awareness and seriousness has left users vulnerable to big corporations and online platforms, who exploit these weaknesses and thus misuse the data of internet users.

Experts on this subject and IT geeks have recognised that the Indian Data Protection Bill, 2019, which aims to help internet users clearly exercise their privacy rights on online platforms, needs a proper structural and organisational framework to be implemented successfully, or else the highly personal and confidential data or information of millions of users in the country will be at stake.

The main challenge in first designing and then implementing such a progressive law lies in the classification of data, as the bill itself classifies the user’s data into three categories, namely:

  1. Personal Data
  2. Sensitive Personal Data, and
  3. Critical Personal data.

One of the key limitations of such Data Protection rules is that the personal information is only confined to the information capable of identifying only a particular individual. Confidential information of personal nature of a user pertaining to other persons that are knowingly or unknowingly captured in the background while using such online platforms or websites as in the case of the internet, is not explicitly covered by these Rules.

The limited ambit of sensitive personal data or information is an additional limitation or drawback to the timely implementation of data privacy laws. The lack of clarity as to which data should qualify under which of the three heads is ultimately causing the delay in the implementation of the bill. This problem can get aggravated when the data collection, storage and finally the processing are done by different companies, in which case each agency shall be required to take consent at every step of the operation.

Such in-depth study further slows down the process and causes delay in successful implementation of a progressive law like the Data Privacy Law.


There are various suggestive perspectives for the government of the nation, such as:

The government should consider the data sensitivity issue and restrict the issue or collection of such data by the corporate giants; the restriction to access the user data by the data providers themselves; the right to have the data erased from the database and servers even if the data has been collected with consent of the owner (right to be forgotten); impose obligation to the data processors to keep the data mandatorily secure; right to information in case of breach and accountability in case of breach; right to claim compensation as a remedy of such data privacy breach and reasonable standards for the collection of data.

The government is required to eliminate the obsolete data protection measures and impose quantitative limitation upon the collection of data so as to embracement of users with respect to the essentiality and non-essentiality of data provision. This limit could be expanded with some minimum requirements, but with consent. The government is required to establish stricter laws against the misuse or breach of data. It is evident from the WhatsApp case that the current approach is insufficient for protection of the data of the users. Therefore, regulatory measures are required to be put in place in such a manner that there is lawful usage of the data.

To keep a check on the data usage, the data collectors/ processors could be obligated by the state to ensure there is a user-service provider transparency with respect to the processing of the data so that a balance is achievable between the principle of data protection and the objective of the collection as well as processing of the user data.

With the passage of time, new purposes for the collection of data shall continue to evolve; even if the government incorporates a strict data protection framework, it needs to make sure that the legislation is fluid enough to keep pace in future with new innovations and evolving technologies. The government should keep in mind the diverse areas where data is processed and can be misused, to ensure effective execution and leave no loophole in the legislation. There is also a need to develop a more coherent law outside the sphere of data privacy, including other areas such as consumer protection, to achieve holistic protection of data providers.


The concept of “Data” is no longer new to us. It can do wonders if used wisely but can lead to destruction if misused. All over the world, there are various legislations, acts and laws governing the issue of Data Protection, and it is now high time that India finally takes a step forward to incorporate such legislation, which is the ardent need of the hour. However, from M.P Sharma and Ors. v. Satish Chandra[12] to the Puttaswamy Judgement, years after the recognition of the Right to Privacy as a fundamental right, we as a country are still struggling to incorporate a properly codified and effective legislation in that respect.

The differential treatment given to India as compared to nations in Europe by the messaging company WhatsApp strictly highlights the need for a codified data protection law in India, much like the European General Data Protection Regulation, further raising issues relating to data localization and storage.

With the present COVID-19 situation existing, people of the nation and even worldwide are compelled to maintain social distancing, necessitating them to stay home and work from home which is most famously being recognised as the ‘New Normal’. Such a situation which has triggered a huge dependence on digital platforms requires India to thoughtfully fast track the clearance of the new Personal Data Protection Bill.

When, how and under what conditions the said Bill gets enacted, and the way in which it is to be implemented and enforced is yet to be discovered, but the same shall definitely determine the fate of personal and confidential data of millions of Indian Internet users.


[2] Writ Petition (Civil) No 494 of 2012; (2017) 10 SCC 1; AIR 2017 SC 4161

[3] Kharak Singh v. State of Uttar Pradesh [1963 AIR 1295, 1964 SCR (1) 332]

[4] M. P. Sharma And Others v. Satish Chandra, [1954 AIR 300, 1954 SCR 1077]


[6] (Regulation (EU) 2016/679) (“GDPR”) .

[7] Section 69A, The Information Technology Act, 2000 – ‘69A. Power to issue directions for blocking for public access of any information through any computer resource.’

[8] (2017 SCC Online SC 434)

[9] The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021

[10] KS Puttaswamy v. Union of India, (2017) 10 SCC 1

[11] Shirish Parashar and Raj Shekhar, WhatsApp and the End-to-End Encryption Saga: Analyzing the Tussle Between Government Guidelines and Right to Privacy, JURIST – Student Commentary, June 25, 2021,

[12] 1954 AIR 300, 1954 SCR 1077

Author: ESHA AGGARWAL, Guru Gobind Singh Indraprastha University, New Delhi

Editor: Kanishka Vaish, Senior Editor, LexLife India.
