RP Final
A Project Submitted to the School of Law, VISTAS in partial fulfilment for the award of
Master of Law (LL.M) Degree in Branch I: Constitutional and Administrative Law
Submitted by
AKSHITA. B. N
(UP24G1430003)
NOVEMBER 2024
Dr. S. AMBIKA KUMARI B. SC., LL.M., Ph.D.
PROFESSOR AND DEAN,
SCHOOL OF LAW, VISTAS
This is to certify that the Research Project entitled, “A CRITICAL ANALYSIS OF THE
CONSTITUTIONAL SAFEGUARDS FOR THE RIGHT TO PRIVACY IN THE
DIGITAL ERA” is a bona fide work done by AKSHITA. B. N, UP24G1430003 in partial fulfilment for
the award of the Degree of Master of Law (LL.M) in Branch I: Constitutional Law and
Administrative Law in the academic year 2024 – 2025, to the School of Law, Vels Institute of
Science, Technology and Advanced Studies (VISTAS), Chennai and that it is a record of genuine
work carried out under the guidance of Dr. CH. VENKATESWARLU, Associate Professor,
School of Law, Chennai and has not formed the basis of previous work done, submitted or
published for any degree / diploma.
CERTIFICATE OF THE PROJECT SUPERVISOR
This is to certify that the Research Project entitled, “A CRITICAL ANALYSIS OF THE
CONSTITUTIONAL SAFEGUARDS FOR THE RIGHT TO PRIVACY IN THE
DIGITAL ERA” is a bona fide work done by AKSHITA. B. N, UP24G1430003 in partial fulfilment for
the award of the Degree of Master of Law (LL.M) in Branch I: Constitutional Law and
Administrative Law in the academic year 2024 – 2025, to the School of Law, Vels Institute of
Science, Technology and Advanced Studies (VISTAS), Chennai, and that it is a record of
genuine work carried out under my guidance and has not formed the basis of previous work
done, submitted or published for any degree / diploma.
DECLARATION BY THE STUDENT
I do hereby declare that the Research Project entitled, “A CRITICAL ANALYSIS OF THE
CONSTITUTIONAL SAFEGUARDS FOR THE RIGHT TO PRIVACY IN THE
DIGITAL ERA” is a bona fide work done by me under the guidance of Dr. CH. VENKATESWARLU,
Associate Professor, School of Law, Chennai in partial fulfilment for the award of the Degree of
Master of Law (LL.M) in Branch I: Constitutional Law and Administrative Law in the
academic year 2024 – 2025, to the School of Law, Vels Institute of Science, Technology and
Advanced Studies (VISTAS), Chennai and that it is a record of genuine work carried out by me
and has not formed the basis of previous work done, submitted or published for any degree /
diploma.
(AKSHITA. B. N)
Place: Pallavaram
Date: 21-11-2024
ACKNOWLEDGMENT
I express my sincere gratitude and indebtedness to Dr. S. Ambika Kumari, Dean, School of
Law, VISTAS, Chennai for her valuable aid and guidance on preparing this Research Project.
This Research Project has been undertaken under the guidance of Dr. C. H. Venkateswarlu,
Associate Professor, School of Law, VISTAS, Chennai. Without his guidance, expert advice and
perpetual encouragement, this work would not have appeared in the present form. I am deeply
indebted to him for the special interest he has taken in my work.
I take this opportunity to express my sincere gratitude to all the LL.M faculty members of
VISTAS, School of Law, Chennai for extending their cooperation and aid in the completion of
this Research Project.
Above all I thank God Almighty for all the blessings showered on me which helped me to
successfully complete this Research Project.
ABBREVIATIONS
AI Artificial Intelligence
EU European Union
NCCC National Cyber Coordination Centre
Retd. Retired
SC Supreme Court
TABLE OF CASES
5 Manohar Lal Sharma v. Union of India & Ors. W.P.(C) No. 314 of 2021
14 Hibbel v. Sixth District Court of Nevada 524 U.S 177 (2004)
TABLE OF CONTENTS
ACKNOWLEDGMENT
ABBREVIATIONS
CHAPTER I: INTRODUCTION
1.1 IMPORTANCE OF PRIVACY IN THE DIGITAL ERA
1.3 HYPOTHESIS
1.4 METHODOLOGY
2.3 TECHNOLOGY DEVELOPMENT
BIBLIOGRAPHY
CHAPTER 1
INTRODUCTION
By the end of the 19th century, Warren and Brandeis had begun to articulate privacy as a
right, responding to the grave violation of private space brought about by new technologies
such as photography and the press. They felt the new technologies were violating personal
liberty. In India, on the contrary, privacy was always viewed as a cultural norm rather than a
legal right. Soon after independence, with the creation of the legal and constitutional
infrastructure, the protection of privacy gradually started to appear, most visibly in the
attention given to government surveillance. Kharak Singh v. State of Uttar Pradesh[3] marked
an important milestone in bringing privacy into India’s legal system, as the case, decided by
the SC in 1964, found privacy to be a basic right. In 2017, in Justice K.S. Puttaswamy v.
Union of India[4], it was declared that privacy is a fundamental right under the Indian
Constitution. This recent decision put into perspective the complex checks and balances that
exist between privacy and state surveillance regarding data collection, which arise primarily
in connection with Aadhaar, India’s biometric scheme for universal identification.
[1] Warren, S. D., & Brandeis, L. D. (1890). The Right to Privacy. Harvard Law Review, 4(5), 193–220 (ISSN: 0017-811X)
[2] Keigo Komamura, Privacy’s Past: The Ancient Concept and Its Implications for the Current Law of Privacy, 96 WASH. U. L. REV. 1337 (2019)
[3] Supreme Court of India, (1964). Kharak Singh v. State of Uttar Pradesh, AIR 1963 SC 1295
[4] Supreme Court of India, (2017). Justice K.S. Puttaswamy (Retd.) and Anr. v. Union of India, (2017) 10 SCC 1
Privacy issues are at the forefront of reshaping societies globally as life has moved into a
digital era. The internet, social media and technologies such as AI have made it easier than
ever to collect and analyse personal data about people, often without their explicit consent.
In 2013, Edward Snowden brought to light the mass government surveillance of the United
States and revealed how data was collected on a large scale, which led to intense debates on
privacy in the digital age[5]. Further, the European Union introduced the General Data
Protection Regulation, which enacts strict provisions regarding privacy rights, data access,
consent, etc. Through the GDPR, the first-ever standard on data privacy protection was set in
Europe.
These days, across the globe, discussions have brought issues regarding the privacy of an
individual into the limelight. Privacy ensures the personal autonomy of individuals to express
themselves freely online, without fear of constant monitoring. It also protects democratic
engagement, so that people are able to meet, greet and comment on, as well as criticise, one
another without fear of retaliation. Economically, it safeguards the environment in which
safe digital transactions can be conducted, as it protects individuals and organisations from
identity theft and cyber threats. Privacy plays a vital role in managing the tension between
the state, especially in the context of growing information and cybersecurity challenges, and
the basic rights of the individual in India, where rapid technological development is taking
place. With technology effecting change in every aspect of life, a fine line should be drawn
between regulations and technological safeguards to secure the personal freedom of
individuals in the rapidly changing world.
[5] Greenwald, G. (2014). No Place to Hide: Edward Snowden, the NSA, and the U.S. Surveillance State. New York: Metropolitan Books
1.3 HYPOTHESIS
“India’s present digital privacy laws are not adequate to safeguard people’s right to privacy
from the threats posed by private sector data collecting and governmental surveillance.”
The DPDP Act, 2023 protects privacy only when the data is collected digitally. When the
data is collected offline, the Act lacks provisions to protect such data, and the Information
Technology Act, 2000 also lacks provisions on such data collected by the private sector, i.e.
by businesses.
1.4 METHODOLOGY
The current study is based on Doctrinal Research. The research began with the identification
of research problems based on the Review of Literature. Data is collected through secondary
sources. Articles, journals, reports and newsletters are considered as the secondary sources.
[6] Considering ’Privacy and Gender in Early Modern German-Speaking Countries’ (2022), in Early Modern Privacy: Sources and Approaches (pp. 63-78)
Woodrow Hartzog[7] argues that privacy is a multifaceted concept that changes depending on
the circumstances and the individual and that it cannot be reduced to a single definition. He
highlights how important it is to view privacy as a contextual idea that changes as society and
technology do. The author challenges current privacy frameworks and suggests a thorough
regulatory strategy that takes power relations into account and encourages significant
restrictions on data activities, personal autonomy and openness. The paper adds to current
debates in privacy legislation and policy by questioning accepted ideas of privacy and calling
for a reassessment of presumptions as well as the creation of more effective methods for
protecting privacy in the digital age.
Margot E. Kaminski et al.[8] emphasise how urgently privacy rights must be protected. They
underscore the significance of protecting people’s privacy and the legitimate expectations and
rising concerns for data privacy. In light of our increasingly digital society, their work
advocates for strong steps to solve these issues. The authors add to the continuing
conversation on privacy by promoting robust privacy safeguards and increasing awareness.
They urge businesses and politicians to give priority to efficient methods that adjust to the
changing privacy landscape, emphasising the need to strike a balance between privacy
protection and technology improvements.
The usage of modern surveillance methods and India’s inadequate privacy legislation are
issues brought up by Sangeeta Mahapatra[9] in this study. She emphasises the necessity of
privacy being a basic right and raises concerns about the use of “digital surveillance systems”
in the absence of thorough data privacy laws. The author also draws attention to the fact that
certain businesses engaged in surveillance activities, especially during the COVID-19
epidemic when contact tracing devices were widely in use. The study emphasises the
necessity for India to enact appropriate policies and put strong frameworks in place to
safeguard individuals’ right to privacy and deal with the moral and legal ramifications of
surveillance technology.
[7] "What is Privacy? That’s the Wrong Question", 88 The University of Chicago Law Review 1677 (2021)
[8] "The Right To Contest AI", 121 Columbia Law Review Association, Inc. 1957 (2021)
[9] "Digital Surveillance and the Threat to Civil Liberties in India", Institute of Global and Area Studies (GIGA) (2021)
Young, Kaliya, et al.[10] note that, in contrast to the United States, which has strong privacy
rules, India’s Aadhaar system, like the US Social Security Number system, lacks explicit
legislation for managing individual data. While the U.S. tightly controls SSNs and enforces
rigorous privacy safeguards, India’s privacy rights are based on Court rulings. An overview
of Aadhaar and SSN is given in the study, which also looks at current and past dangers. It
covers legal and regulatory frameworks, operational transparency, the creation of extensive
databases in India, the function and placement of each number inside their separate systems
and the disparate applications of the numbers in financial services and employee enrollment.
[10] "Key Differences Between the U.S. Social Security System and India’s Aadhaar System." The Promise of Public Interest Technology: In India and the United States, New America, 2019, 137-154. (2019)
CHAPTER - 2
[11] Supreme Court Observer, An Analysis of the History of Right to Privacy Under Article 21 of the Constitution.
2.2 IMPACT OF THE CONSTITUTION
The Constitution has a very important influence. The 1950 adoption of the Indian
Constitution had a significant impact on the legal and social structure of the country. The
"right to life and personal liberty" was formally recognized as a basic right under Article 21
of the Indian Constitution upon its adoption in the year 1950[12]. Despite all this, the Indian
Constitution included no mention of privacy. The foundation for privacy protection was
created by this essential clause. The Universal Declaration of Human Rights, which greatly
influenced the Constitution, acknowledges the right to privacy. Thus, the Indian Constitution
set the stage for later judicial, legislative, and social activities that shaped the country’s
evolving privacy rights and monitoring methods. In the decades that followed the
Constitution’s promulgation, Indian Courts interpreted and extended the right to privacy. The
right to privacy was invoked in well-known instances, such as the Kharak Singh case
(1962)[13], to contest police surveillance of an accused person. Following his release from
custody due to a lack of evidence, Kharak Singh was placed under surveillance by the Uttar
Pradesh police under chapter XX of the Uttar Pradesh Police Regulations. Singh’s dacoity had
led to his imprisonment. A six-judge panel ruled that overnight domiciliary visits were
unlawful but maintained the remaining criteria. Importantly, the panel concluded that the
right to privacy is not expressly protected by the constitution. In the Gobind case from
1975[14], Govind contested the Madhya Pradesh Police’s surveillance rules, especially those
concerning home visits, much as in Kharak Singh v. State of Uttar Pradesh. He said that he
was the target of police monitoring and unjustly charged. The Supreme Court of India rejected
his suit but recommended changes to the rules, stating that they were "Verging perilously
near unconstitutionality." These rulings recognized the importance of privacy, particularly
with reference to governmental monitoring. The foundation for a more thorough
comprehension of privacy as a basic right was laid by these early instances.
[12] Supreme Court Observer, An Analysis of the History of Right to Privacy Under Article 21 of the Constitution.
[13] Kharak Singh v. State of Uttar Pradesh, (1964) 1 S.C.R. 332.
[14] Govind v. State of Madhya Pradesh, (1975) 2 S.C.C. 148.
data-driven advances have collectively reshaped the texture of society. The benefits of this
digital transformation are many, ranging from improved communication and convenience to
innovative solutions that have improved efficiency in various sectors. However, this change
has not been without its challenges. The increasing digitisation of personal data, from
financial transactions to healthcare records, and the growing interconnectivity of systems
have amplified the risks associated with data breaches and privacy infringements. In this
digital milieu, personal data, once confined to physical records, is now stored, transmitted
and analysed electronically. The vulnerabilities inherent in this ecosystem have required the
development of strong data security and protection frameworks to safeguard individuals’
rights and interests.
Technological advancements have a significant impact on privacy rights as India has seen
significant technological growth over the past few decades, which has impacted various
sectors and transformed the daily lives of individuals. The introduction of technologies such
as internet connectivity, smart phones and more recent advanced technologies such as
artificial intelligence (AI) have changed the way people communicate. Thus, with the
development of technology, new privacy issues have emerged, especially with the increased
use of the Internet and digital communication. The digital age has created opportunities for
more government and private organisations to collect data and conduct surveillance. The case
of Justice K.S. Puttaswamy (Retd.) v. Union of India (2017)[15] was concerned with
protecting the privacy of individuals. The landmark Puttaswamy decision
marked a turning point in the development of individual freedoms in India. This landmark
case made an important impact in the development of privacy rights in India. The Supreme
Court recognised the right to privacy as a fundamental right under Article 21 of the
Constitution, holding that protection of privacy is necessary to preserve the life and liberty of
everyone. The decision highlighted the importance of privacy in the digital age and a balance
between privacy rights and national security. By establishing privacy as a fundamental right
of individuals, it gave individuals more autonomy over their personal data and prompted a
reassessment of government surveillance practices, emphasising the need for stronger
oversight of governance and accountability in the use of surveillance technologies. This
landmark judgment by the 9-judge bench of the Hon’ble Supreme Court of India has
established strong jurisprudence on privacy rights in India. This prompted the formation of
the Justice B.N Srikrishna Committee[16] to draft data protection legislation for India.
[15] Justice K.S. Puttaswamy (Retd.) v. Union of India, A.I.R. 2017 S.C. 4161.
When it comes to safeguarding people’s privacy, the Digital Personal Data Protection Act
(2023) is supreme. In response to the growing concerns about data protection and privacy in
the digital age, the PDPB, 2019 was developed with the goal of preserving people’s privacy
with regard to their personal data. Justice B.N. Srikrishna, who drafted the original Bill,
objected to its potential to turn India into an "Orwellian state," which caused it to be
withdrawn[17]. The Digital Protection Bill 2023 was then introduced in order to regulate the
processing of digital personal data in a manner that acknowledges both the need to process
such data for legitimate purposes and for matters related or incidental thereto, as well as the
rights of individuals to protect their personal data.
India put the DPDPA into effect in 2023. The purpose of this act is to establish a legal
framework that will safeguard personal information and regulate its handling, storage, and
accessibility[18]. The Government Surveillance Programs helped raise people’s awareness of
their right to privacy. The Indian government has put in place a number of surveillance
initiatives over the years with the goal of upholding law enforcement and national security.
Among these efforts is the controversial DRDO NETRA[19], a mass surveillance project that
spans India and was developed by the Centre for Artificial Intelligence and Robotics (CAIR)
laboratory of the Defence Research and Development Organization. The program can
instantly identify words like "bomb," "blast," "attack," or "kill" from tweets, status updates,
emails, and instant chats[20]. It can also identify suspect speech communication on a number
of platforms, such as Google Talk and Skype. The National Cyber Coordination Centre
(NCCC), an operational cyber security and e-surveillance organization in India, developed a
cybersurveillance program based on the controversial Prism program in the United States.
The objective is to filter communication metadata, which is information that describes other
information but not the actual data, such as an image or text message, and to coordinate the
intelligence-gathering activities of other Ministry of Home Affairs organisations[21]. The
12-digit digital documentation system known as the Aadhaar Biometric System kept track of
biometric information, like fingerprints and iris scans, which were essential for accessing
any government activity. It is one of the largest databases, with the personal data of about
1.1 billion people, sparking debates about the trade-offs between security and privacy.
[16] Personal Data Protection Bill can turn India into ’Orwellian State’: Justice BN Srikrishna, The Economic Times, 31 January 2020.
[17] Vatsal Gaur & Krishnan Sreekumar, A Dawn of a New Era for Data Protection in India: An In-Depth Analysis of the Digital Personal Data Protection Act, 2023, India, Aug. 15, 2023.
[18] Digital Personal Data Protection Act, No. 22 of 2023, Acts of Parliament, 2023 (India).
A comprehensive law that covers many facets of privacy and data protection in India is the
DPDA 2023. A strong data protection regulation was more important than ever in a time
when digital technology was developing at an exploding rate and data collection was
skyrocketing. An important step towards India’s future in addressing the need to protect
people’s personal information while promoting a safe digital environment for innovation is
the DPDP Act. The Act provides a thorough framework that addresses a variety of issues
related to the gathering, processing, storing and sharing of personal data, with the main goal
of striking a balance between the protection of people’s right to privacy and that of national
security. One significant aspect of the Digital Data Protection Act 2023 is the creation of the
"Data Protection Authority" (DPA), a regulatory body charged with upholding data
protection laws. Additionally, the DPDPA 2023 aligns India’s data protection laws with
international standards, facilitating cross-border data transfers and enhancing India’s standing
as a global leader in data privacy. The Act guarantees that Indian firms can function
smoothly on the global scene while simultaneously protecting the privacy of Indian
individuals by following international best practices. The main aspects of the Act, such as
those pertaining to data categories and government access to data, are the subject of this
thorough examination[22].
[19] "Government to launch ’Netra’ for internet surveillance," The Economic Times, Dec. 16, 2013.
[20] The Diplomat, “India Sets Up Domestic PRISM-Like Cyber Surveillance?” (June 10 2013), US-984XN.
[21] “The Whistleblower behind the NSA Surveillance Revelations.” The Guardian (June 9, 2013).
Data processing is also protected by the Digital Personal Data Protection Act 2023.
Declaring the purpose of data collection and processing is the duty of data controllers. As a
result, data is guaranteed to be used only for that purpose, and any changes require the data
subject’s approval. One of the principal standards of the Act is the requirement that data
subjects provide their express and informed consent prior to the processing of their data.
Consent needs to be freely given, express, and revocable by the data subjects. Clarifying the
purpose of data collection and processing is a significant obligation for data controllers. This
transparency ensures that data is used exclusively for the stated purposes, protecting the
rights and expectations of data subjects. If the initial purpose of data collection is to be
altered, it is crucial to get new informed consent from data subjects. A key element of the
data protection framework governing this domain is the requirement that data subjects give
their express and informed consent before data processing can begin. This consent cannot be
inferred or presumed from inaction or silence; rather, it must be expressly granted. In order
to prevent coercion or undue influence on data subjects, it must also be voluntarily given.
Moreover, consent must be revocable, meaning that data subjects may revoke it at any time,
in order for them to have control over their personal information. In order to foster trust in
the digital world, this framework upholds the principles of independence and
self-determination.
The conditions under which the government may acquire personally identifiable information
are outlined in the DPDP Act. Here, maintaining the peace and safeguarding the nation come
first. One of the data access tools covered by the Act is the authority to ask data controllers
and processors for information. With the primary goals of preserving national security and
supporting law enforcement efforts, the Act gives the government access to personal data
under specific guidelines. This provision guarantees that, even while people’s privacy is
safeguarded, there are systems in place to deal with serious risks and maintain public safety.
In order to achieve this, the Act contains particular provisions that specify the conditions
under which government organisations may ask for access to data. These actions give the
government the power to force data controllers and processors to produce the information
that is required[23]. Usually, such access is controlled to guard against misuse and guarantee
that it is carried out in a way that complies with legal requirements and supervision. By
balancing the conflicting objectives for security and privacy, the Act seeks to create a
framework that upholds trust in the data protection regime overall while permitting efficient
government action in matters of national importance.
[22] Digital Personal Data Protection Act, sec, No. 2 (n) of 2023.
The government may acquire data when doing so is necessary to protect India’s integrity,
sovereignty and national security. Such access must, however, adhere to due process and be
commensurate with the threat. The DPA plays a critical role in monitoring how the
government obtains data. The DPA is responsible for monitoring such access, enforcing Act
compliance and safeguarding the rights of data subjects. The government has the authority to
acquire data when doing so is necessary to protect India’s integrity, sovereignty and national
security.
This access must, however, follow established due process and be commensurate with the
alleged threat. To preserve a balance between individual privacy rights and national security,
it is imperative that these requirements be fulfilled. Overseeing government access to data is a
critical function of the Data Protection Authority (DPA). The DPA is in charge of keeping an
eye on such access to make sure the Act is being followed, preventing abuse, and defending
the rights of data subjects. This monitoring involves confirming that data demands from the
government are appropriate, reasonable and compliant with the relevant legal processes. By
carrying out these responsibilities, the DPA protects personal information and makes sure that
any government action is open, reasonable and restricted to what is required to solve valid
security issues. The public’s confidence in the government’s operations and the larger data
protection framework depends on this system of checks and balances.
The DPDP Act gives data subjects many rights, including access to personal data kept by
controllers. Right to Rectification: Data owners are entitled to request that inaccurate data be
updated. Right to Erasure: In some circumstances, data subjects have the right to request that
their data be deleted. Data subjects are entitled to data transfer, which grants permission to
them to access their data in an organised, readable format. Right to Objection and
Restriction: In certain situations, individuals who provide personal information may be able
to protest or limit how that information is processed. Right to Withdraw Consent: People
who give their permission for their data to be processed can revoke their consent at any
moment. To enable people to take charge of their personal information.
[23] Digital Personal Data Protection Act, sec, No. 16 (1) of 2023.
One of the fundamental rights is the ability to see and access one’s own personal information
that is stored by data controllers. This transparency aids in informing data subjects and
enabling them to monitor how their data is being used. Another significant right that data
subjects have is the right to correction. It enables them to request that data controllers update
any inaccurate or out-of-date information they may possess. Additionally, if specific
conditions are met, such as when the data is no longer required for the original purpose or the
data subject withdraws consent, they have the right to have their data deleted. In addition, the
right to data portability enables people to obtain their personal data in a machine-readable
format that is commonly used, making it simpler for them to switch providers if they so
desire. Data subjects have the right to limit or contest the processing of their personal data
where they doubt the accuracy of the data or object to processing for legitimate purposes or
direct marketing. Lastly, data subjects have more control over their personal information
because they can revoke their consent for data processing at any time. When considered
collectively, these rights ensure that people may manage their data and protect their privacy
in the digital age.
Critical personal data, as defined by the DPDP Act, must be exclusively processed in India.
This is a significant provision aimed at safeguarding data related to national security. The
consent of the DPA is one of the conditions that must be met in order for personal data to be
transferred internationally. To protect data during international transfers, sufficient
protections must be in place. The Act stipulates that critical personal data, as defined within
its provisions, must be processed exclusively within India. This requirement is a crucial
measure aimed at safeguarding data that pertains to national security and other sensitive
areas. By mandating that critical personal data remain within national borders, the Act seeks
to prevent potential vulnerabilities and threats that could arise from international data
exposure.
The Act also outlines the requirements for international transfers of personal data. Consent
from the Data Protection Authority (DPA) is a necessary but insufficient condition for certain
transfers. The role of the Data Protection Authority (DPA) is to ensure that data travels across
borders in accordance with stringent guidelines intended to protect individuals’ private
information. The Act requires that sufficient measures be used to better secure data during
cross-border transfers. To guarantee the protection of personal data, a receiving country
should have comparable data protection legislation to its sending country, as well as legally
binding business standards and other contractual agreements. The main objective is to
guarantee the highest level of security for the data transmission, regardless of its final
destination. In addition to safeguarding people’s private information, this strategy increases
confidence in the systems controlling cross-border data transfers, guaranteeing that security
and privacy in the global digital environment are maintained.
The data controller is required to notify the DPA and the impacted data subjects of any data
breach. Notifying impacted parties of data breaches in a timely and public manner is crucial
for maintaining accountability and safeguarding the rights of data subjects. The controller is
legally obligated to notify the Data Protection Authority (DPA) and the individuals whose
data was compromised in the event of a data breach. This regulation ensures that people are
notified as quickly as possible about any threats to their personal information in order to
prevent identity theft, fraud, and other forms of abuse. Notifying the DPA may result in
regulatory monitoring, a comprehensive investigation into the infraction, and the installation
of appropriate precautions to prevent repetition. Prompt and transparent disclosure of data
breaches is essential to organizational accountability because it demonstrates a commitment
to data protection standards and fosters trust with data subjects. The Act emphasises the
importance of being open and responsive when handling personal data and requires public
communication of breaches in order to safeguard people’s rights and interests in the digital
age.
Violations of the Act can have serious repercussions, such as fines and jail time. The Data
Protection Authority is empowered to carry out audits, inquiries, and examinations to ensure
adherence to regulations. Anyone who violates the Act faces severe consequences, such as
steep fines and, in the worst situations, jail time. These penalties emphasize the necessity of
adhering to data protection laws as a deterrent against negligent or malevolent data handling.
The Data Protection Authority (DPA) has broad authority to ensure compliance with the Act.
This includes having the power to investigate, audit, and examine data controllers and
processors. By engaging in these actions, the DPA can examine an organisation’s procedures
to make sure they adhere to the established data protection guidelines. The DPA can
proactively detect any compliance problems before they lead to breaches or other incidents
thanks to the capacity to conduct audits. The DPA can look into specific complaints or
suspicions of noncompliance through inquiries and exams, which guarantees that any errors
are dealt with quickly and efficiently. The DPA is essential to preserving the integrity of data
protection regimes, safeguarding the rights of data subjects, and encouraging an accountable
and responsible culture among enterprises that handle personal data since it enforces the
Act’s requirements strictly. The threat of penalties and jail time serves to emphasise how serious
these responsibilities are, guaranteeing that data protection stays a primary concern for all
parties.
The Act created the DPA, which is responsible for monitoring data processing activity,
registering data fiduciaries, and enforcing data protection regulations. The DPA is essential
for managing and supervising data processing in India. The Act creates the Data Privacy
Authority (DPA), a regulatory body tasked with overseeing the implementation and
enforcement of data privacy laws. Strong data governance in India requires the DPA to do a
variety of tasks. One of its primary responsibilities is to register data fiduciaries, or
individuals who make decisions about the purposes and techniques of data processing. Better
regulatory supervision is made possible by this registration process, which keeps an
exhaustive record of businesses managing large amounts of personal data. Apart from
registering, the DPA is also responsible for keeping an eye on data processing operations in
different industries. To do this, the procedures for gathering, storing, and using data must be
examined for adherence to the Act’s standards. The DPA’s oversight helps identify and stop
such violations while safeguarding people’s rights and privacy. Additionally, the DPA has the
authority to carry out audits, look into complaints and impose sanctions for noncompliance in
order to implement data privacy laws. In order to uphold accountability and guarantee that
data fiduciaries follow the set criteria, this enforcement capability is essential.
The DPA is essential to the oversight and management of data processing operations in India.
Its responsibilities go beyond simple regulation; it also includes building public and
organisational knowledge and comprehension of data protection concepts. By carrying out
these duties, the DPA contributes to the creation of a safe and reliable data environment,
boosting trust in the digital economy and safeguarding people’s private data.
The EU’s GDPR and other international developments have affected India’s position on
privacy and data protection. When drafting its own data protection laws, India took the
GDPR’s data protection requirements into consideration. “Everyone has the right to respect
his private and family life, his home, and his correspondence,” the Convention for the
Protection of Human Rights and Fundamental Freedom states in Article 8(1). Clause (2) enumerates
acceptable restrictions that are "necessary in a democratic society" and is backed up by
justifications pertaining to national security, crime prevention, etc.24
In conclusion, India’s history of privacy rights and surveillance has been a convoluted one,
influenced by changing social norms, legal interpretations, technological developments, and
constitutional requirements. At first, it appears that there was no clear legal protection for
privacy, and judges frequently sided with the state’s interests. But important decisions
gradually recognized privacy as an implicit constitutional right, leading to the historic K.S.
Puttaswamy case that made privacy a fundamental right. This decision overturned previous
decisions that had rejected privacy as a fundamental right and set a clear precedent for future
judicial interpretation and policymaking with the express purpose of preserving people’s
privacy. The adoption of data security regulations and the recognition of privacy as a
fundamental right are important advancements in India’s ongoing evolution of privacy rights
and surveillance techniques. In India, balancing privacy and surveillance is still difficult
despite this significant achievement.
Aiming to regulate the processing of private data by public and business organisations,
legislative initiatives like the implementation of the Personal Data Protection Act in 2023 will
help protect people’s right to privacy in an increasingly digital world. However, it has not
been as effective as hoped because of ongoing surveillance practices and the swift pace of
technological advancement. The introduction of the Aadhaar system by the government, along
with various other digital surveillance systems, underscores the need for the state to
ensure the privacy of all individuals. The trajectory of privacy rights in India highlights a
persistent struggle to balance individual freedoms with national security.
24 A.G. Noorani, Right to Privacy, Economic and Political Weekly, Vol. 40, No. 9 (Feb. 26 - Mar. 4, 2005), p. 802.
CHAPTER - 3
THE RIGHT TO PRIVACY: A CONSTITUTIONAL PERSPECTIVE IN INDIA
Given that the Indian Constitution’s Article 19(1)(a) guarantees the right to free speech and
expression, this provision has a substantial bearing on privacy. The right to privacy and the
freedom of speech are intertwined. Confidentiality allows people to openly share their
thoughts without worrying about being watched or having their privacy infringed26. In the
1981 case of S.P. Gupta v. Union of India, an Indian Court ruled that the fundamental right to
freedom of expression is the source of the right to know. Article 19(1)(a) has had a significant
impact on privacy since Indian Courts have recognized that privacy is an essential component of
freedom of expression27. It allows people to express themselves without fearing surveillance
by the government or other parties.
25 S.P. Gupta v. Union of India, AIR 1982 SC 149.
26 S.P. Gupta v. Union of India, AIR 1982 SC 149.
Article 14 of the Indian Constitution protects the right to equality. Article 14 defends the right
to equality and ensures that all Indian citizens are treated equally under the law. This article
prohibits discrimination on the basis of a person’s caste, gender, or place of birth in order to
ensure equal protection under the law. Every citizen is entitled to privacy, which ensures that
their personal data is shielded from unwanted access. This idea is becoming more and more
pertinent in the digital era, as worries about people’s privacy have increased due to the
possibility of data exploitation and spying. Despite not being expressly mentioned in the
constitution, the Indian Court’s interpretation of Article 14 implicitly protects the right to
privacy. Article 14 of the Indian constitution has had a major impact on privacy in India by
ensuring that the state’s actions are fair, equitable and nondiscriminatory28. Together, the
rights to equality under Article 14 and privacy under Article 21 guarantee that everyone has
equal access to privacy protections free from discrimination. According to these standards,
any government action or law that infringes on a person’s right to privacy must be
appropriate and justified. Thus, it is evident that any privacy violation needs to be justified,
necessary, and executed with the least restrictive means. The Indian constitution’s Articles 14
and 21 work together to guarantee that vulnerable and marginalised groups receive the same degree
of privacy protection as everyone else, eliminating any kind of bias or unfair treatment. This
all-encompassing strategy aids in addressing concerns about data security and surveillance,
promoting a legislative framework that protects and preserves people’s right to privacy.
Under Article 32, people have the right to petition the SC to have their fundamental rights
respected. By offering a legal channel for redress in cases where privacy rights are violated,
this article serves as an essential instrument for the protection of privacy. It gives people a
means of pursuing legal action in cases where their privacy rights are infringed. In the event
of an urgent constitutional issue, this method guarantees citizens instant access to the nation’s
top Court, avoiding the inferior Courts. The significance of privacy within the constitutional
framework is reinforced by Article 32, which gives people the ability to contest legislation,
government actions, or surveillance methods that infringe upon their right to privacy.
Allowing citizens direct access to the nation’s highest Court will enable us to promptly
address any privacy invasion cases and stop potential abuses of power by the government or
private sector. Article 32 further safeguards the fundamental rights by instituting processes
for remedies such as quo warranto, certiorari, prohibition, habeas corpus and mandamus29.
They ensure that authorities provide explanations for their judgments, correct administrative
errors, or stop unlawful activities in order to prevent violations of people’s right to privacy. In
order to preserve a balance between the rights of individuals to privacy and state security
measures, Article 32 is essential. According to Article 32, any government interference with
an individual’s private rights must be reviewed by a Court in order to prevent the state from
acting arbitrarily. Article 32 promotes transparency and accountability from the government
in addition to protecting the right to privacy. Article 32’s importance goes beyond personal
complaints; by establishing precedents that will impact future laws, it has played a crucial
role in forming the body of knowledge on privacy.
27 Dr. Mamta Rao, Constitutional Law, 1st ed., 2013, p. 170.
28 Dr. Mamta Rao, Constitutional Law, 1st ed., 2013, p. 103.
Article 12 of the Indian Constitution gives a definition of the state. Article 12’s
characterization of the "State" in respect to fundamental rights makes it evidently important
in this context, even though it does not directly address privacy. This interpretation holds that
protecting fundamental rights is a duty shared by governments and, in some cases, private
organizations that perform public functions. The wider definition of the "State" under Article
12 suggests that not just the government but also some private organizations must respect and
uphold people’s right to privacy in their interactions with them, which has a big impact on
privacy. This interpretation is crucial in the current environment, where private organizations
such as social media sites, phone firms, and other service providers frequently manage
enormous amounts of personal data. Article 12 of the Indian constitution guarantees that
privacy rights are protected against infringement by non-state actors by broadening the scope
of governmental action to include certain private actors30. Consequently, it is in line with the
growing recognition of privacy as an essential right that goes beyond the conventional
divisions between the public and private domains. Furthermore, regardless of whether the
violation comes from governmental or non-governmental sources, Article 12 upholds the idea
that people’s privacy should be respected. Therefore, a key component in guaranteeing complete
protection for India’s private rights is Article 12 of the Indian Constitution.
29 Dr. Mamta Rao, Constitutional Law, 1st ed., 2013, p. 301.
30 Dr. Mamta Rao, Constitutional Law, 1st ed., 2013, p. 83.
31 Dr. Mamta Rao, Constitutional Law, 1st ed., 2013, p. 222.
the freedom from unwarranted government interference. To put it simply, privacy is a state
characterised by anonymity, secrecy, and seclusion. It could be lost as a consequence of one’s
own or another’s actions. Another significant interest that people have is privacy. When the
interest is defeated, there is a breach, invasion, or intrusion of privacy in addition to a loss32.
According to Stone, privacy is the restricted ability to prevent or deter the unauthorised
collection or sharing of private information. The Indian constitution offers a complex
framework that reflects a well-emphasised view of people’s personal autonomy, dignity, and
liberty, but lacks an explicit provision or mention of privacy. The intricate connection
between privacy and constitutional protections is made clear by a careful analysis of the
relevant constitutional clauses. The Indian Constitution’s Article 21, Right to Life and
Personal Liberty, provides strong protection for people’s right to privacy. "The right to life,
which cannot be violated by the government or any individual else," is a fundamental human
right. Since the state is the custodian of humans, it must protect these rights, and Article 21
contains a list of all essential human rights. Regarding private rights, Article 21 of the Indian
Constitution is quite important. It states that "No person shall be deprived of his life or
personal liberty except according to a procedure established by law." It grants the
fundamental right to life and personal freedom while using negatively worded language. In
particular, this clause affirms that everyone "understands the fundamental value of each
person’s individual freedom, acknowledging the close connection between the right to life
and the right to privacy." The SC has ruled time and time again that the right to life includes
the right to personal autonomy and human dignity. The recognition of privacy as a
fundamental right emphasises the need to protect individuals from capricious government
or entity invasions. It ensures that personal data is handled in a way that respects people’s
autonomy and dignity, in accordance with international human rights standards. This
"interpretation" highlights the relationship between data privacy and self-determination.
The Indian Constitution’s Article 19(1)(a) on freedom of speech and expression has a big
influence on people’s right to privacy. Article 19(1)(a) protects the right to freedom of speech
and expression, even though it does not specifically address privacy. Freedom of expression
and privacy are inextricably linked. The ability to generate and express one’s views and
opinions without fear of surveillance or excessive intrusion into one’s personal life is made
possible by privacy. Freedom of speech and privacy must be reciprocally reinforced if
democratic values are to flourish. For a democratic country like India to create an atmosphere
where ideas can flourish and people can hold one another accountable, information must be
freely and openly shared. In Dinesh Trivedi v. Union of India (1997)33, the Court maintained,
notwithstanding some restrictions, people’s right to know about government matters. Thanks
to privacy protections, people can openly express their thoughts without fear of being seen or
having them arbitrarily changed. The fundamental foundation of the right to free speech is
privacy, which safeguards the environment in which thoughts and opinions are generated.
Online anonymity and data protection are crucial for preserving free expression in the digital
age, where the symbolic link between privacy and free speech endures. Therefore, the right to
free speech and expression guaranteed by Article 19 (1) (a) is essential to the development of
a strong legal framework that protects people’s personal information.
32 Stone, “Textbook on Civil Liberties and Human Rights”, p. 338.
The right to privacy is significantly impacted by Article 14: Right to Equality. Article 14
guarantees that everyone is treated equally under the law, regardless of their background. As
fundamental rights, everyone’s right to privacy is equally guaranteed. Article 14’s core
principle of equality ensures that everyone is treated equally and that the law is applied
equally34. Any government activity that lacks rationality and is not supported by sound policy
judgments is fundamentally arbitrary and in violation of Article 14’s demand for
reasonableness, which is opposed by arbitrary conduct. The idea that privacy is a right that
must be granted consistently and without prejudice is supported by this constitutional
principle. Every citizen has the right to privacy, guaranteeing equal protection under law.
Under Article 32, people can petition the Supreme Court to uphold their fundamental rights35.
It is a potent instrument that enables people to take legal action when their right to privacy
has been infringed. Article 32 offers a constitutional channel for people to seek redress when
they feel that state or non-state actors have violated their privacy. The Indian Constitution’s
Article 32 gives its citizens the authority to go straight to the highest Court without first going
through the subordinate Courts, guaranteeing prompt and efficient administration of justice. It
upholds the judiciary’s role as a guardian of fundamental rights, which stops unlawful
infringements through critical examination. The Indian Constitution’s Article 32 gives the
Supreme Court the authority to defend people’s right to privacy by issuing writs like quo
warranto, prohibition, habeas corpus, mandamus and certiorari. Article 32 of the Indian
constitution significantly highlights the importance of fundamental rights within the
constitutional framework, serving as a pillar in the country’s efforts to protect individual liberty.
33 Dinesh Trivedi v. Union of India, (1997) 4 SCC 306.
34 D.D. Basu, Commentary on the Constitution of India, vol. 2, 9th ed. (Arts. 13-14) (LexisNexis 2014).
35 D.D. Basu, Commentary on the Constitution of India, vol. 6, 9th ed. (Arts. 25-35) (LexisNexis 2014).
The "State" mentioned in Article 12 is crucial for a full comprehension and application of
fundamental rights, even though it has nothing to do with privacy explicitly. All
organizations that serve the public, whether they are government agencies or non-profits with
similar goals, are required to uphold fundamental rights. It thus subtly emphasises how
crucial it is to uphold individuals’ right to privacy when interacting with other organizations.
Any authority or body carrying out public tasks is held accountable for protecting people’s
fundamental rights, according to Article 12 of the Indian Constitution. Under Article 12 of
the Indian Constitution, individuals have the right to contest the violation of their privacy
rights by various private and public entities. Article 12 of the Indian Constitution successfully
restores the far-reaching sweep of constitutional protection, protecting individual liberty. This
is especially important in the digital age, as the privatization and outsourcing of public
functions has increased significantly, ensuring that private entities carrying out the role of
public authorities are also held within the constitutional standards.
Even though the Directive Principles of State Policy cannot be enforced in Court, the state
bases its policymaking on them. In the current day, they have the ability to influence
policies concerning digital inclusion, digital literacy, and closing the digital gap. In the digital
age, fundamental responsibilities like fostering peace and a sense of fraternity are still
important in the fight against online hate speech, cyberbullying, and rumours and false
information.
The most prominent privacy rights lawsuits are discussed below.
Union of India v. Justice K.S. Puttaswamy (Retd.) (2017): This case was a pivotal moment in the
development of privacy rights in India. This
significant Court case serves as a reminder of the value of the right to privacy. The Supreme
Court of India acknowledged the right to privacy as a fundamental freedom in accordance
with Article 21 of the Constitution. The ruling highlighted the value of privacy under the
constitution by stating that it is necessary to protect life and liberty. This important ruling
also confirmed that the
freedom of "speech and expression" and other liberties safeguarded by article III of the Indian
constitution are inextricably linked to privacy. It underlined that both state and nonstate
entities cannot unjustly meddle with people’s privacy. The ruling established three
requirements that must be met before any restrictions on privacy rights may be implemented:
legality, necessity, and proportionality. Personal liberties were significantly impacted by the
Puttaswamy ruling. The Puttaswamy case influenced subsequent laws and policies in India
pertaining to data protection and government surveillance by reaffirming privacy as a basic
right. Because of this, the Courts will now subject the government to a higher standard of
transparency and accountability when it comes to gathering personal information and
carrying out surveillance. Additionally, since this landmark decision, people’s awareness of
their right to privacy has grown, and they are far more aware of the government’s role when
it comes to gathering and using personal data. Furthermore, it ensured that lawmakers
strengthened the legal framework and updated the existing legislation to protect personal data
in India.
Kharak Singh v. State of Uttar Pradesh (1962): One of the first cases in India to address
surveillance and personal privacy issues was the Kharak Singh case, which acknowledged
that surveillance practices must adhere to fundamental rights and stressed the need for
protections against arbitrary surveillance. The Kharak Singh case had a significant impact on
India’s surveillance landscape, solidifying the notion that privacy is a fundamental right and
laying the foundation for subsequent developments in this area of law. It also opened avenues
for state surveillance measures, subjecting privacy rights to legislative regulations. The ruling
in Kharak Singh highlights the need for any state action that infringes on an individual’s
privacy to be supported by a clear legal framework, protecting people from unjustified
government actions. Even though the phrase "privacy" was not specifically stated in the
constitution at the time, this case played a crucial role in developing the idea that it is a
fundamental right. The area of individual privacy rights has undergone tremendous
transformation as a result of the Supreme Court’s determination that privacy is fundamental
to human liberty. In addition to providing opportunities for state monitoring, the Kharak
Singh case placed stringent restrictions on these techniques, guaranteeing that they are subject
to judicial oversight. This made sure that people’s right to privacy was upheld, even if the
state was still able to undertake surveillance as long as it stayed within the law.
Gobind v. State of Madhya Pradesh (1975): The significance of privacy rights was reaffirmed
by the Gobind case. It emphasized how important it is to strike a balance between an
individual’s right to privacy and the government’s desire to keep an eye on them. In this
instance, the Court acknowledged that the freedom guaranteed by Article 21 of the Indian
Constitution includes the fundamental right to privacy. The ruling also made clear that
legitimate governmental objectives have the power to restrict privacy rights, which are not
unqualified. This landmark decision highlights the importance of finding a balance between
an individual’s right to privacy and the state’s interest in upholding law and order, and it
stresses that privacy restrictions must be carefully considered to ensure they don’t unjustly
infringe upon an individual’s liberties. The Gobind case had a significant impact on both
individual privacy rights and governmental surveillance since it contributed to the
development of a legal framework that recognizes privacy as a right subject to reasonable
constraints, particularly with regard to surveillance. This ruling created the three-pronged test
of legality, need, and proportionality to assess whether a restriction on a person’s right to
privacy is reasonable. The ruling also established a legal precedent that guarantees a balance
between the rights of individuals and the interests of the state. It also made legislative reform
necessary to control police surveillance and guarantee adherence to constitutional protections.
Aadhaar Act Case (2018): Due to privacy concerns, the Aadhaar Act, which created a
distinctive identity system for Indian citizens, was challenged in Court. In 2018, the Supreme
Court upheld the Aadhaar Act’s constitutionality despite enacting some restrictions and
privacy-related safeguards. This case had a significant impact on surveillance and people’s
right to privacy because it brought to light the conflict between government programs that
collect personal data and individuals’ right to privacy. The ruling made it clearer what
parameters these programs must adhere to in order to safeguard people’s privacy. The Court
underlined that Aadhaar must follow the rules of necessity and proportionality even though it
serves a valid governmental objective, such as guaranteeing that social benefits reach the
intended beneficiaries. This case imposed a prohibition on the use of Aadhaar by private entities
as a method of authentication of individuals, thus ensuring that the personal data of individuals
is not misused. The necessity of putting strong safeguards in place to secure people’s
personal information whenever the state gathers it is a key lesson to be learned from the
Supreme Court’s decision. This decision is significant because it reinforces the idea that,
according to Article 21 of the Indian Constitution, privacy is a fundamental right. The Court
emphasised in its decision the importance of being open and getting people’s informed
consent before using their personal information. The Aadhaar Act Case of 2018 establishes a
significant precedent when weighed
against the state’s interest in upholding national security and public order as well as
individuals’ fundamental right to privacy.
Union of India & Ors. v. Manohar Lal Sharma (2021): This case focuses on the contentious Pegasus
spyware incident, making it a significant ruling in the Indian context of privacy rights and
surveillance. In this case, the Hon’ble Supreme Court affirmed the right to privacy and called
for stringent rules and oversight. Consequently, a more balanced approach to state monitoring
is ensured, one that addresses valid security concerns while respecting people’s freedom. This
case greatly increased public awareness of the problem of monitoring and individual privacy,
enabling citizens and civil society organisations to take a more active stance in favour of
protecting their right to privacy and holding the government responsible for any
violations. The Court made sure that surveillance operations must be judicially supervised to avoid
violating people’s right to privacy and that they are only employed for justifiable reasons like
public safety and national security. The Hon’ble Supreme Court’s appointment of an
independent committee to investigate claims set a precedent for the use of impartial experts in
evaluating governmental actions. This was an important step since it ensured an objective
investigation of the claims by fostering public trust.
WP (Civil) 7123/2018 Nikhil Bhatia v. Union of India (2019): In this case, government
orders and policies pertaining to a person’s individual right to access content on over-the-top
(OTT) platforms were challenged. In its ruling, the Court emphasised that privacy is an
essential component of "freedom of speech and expression," allowing individuals to express
themselves without fear of surveillance. The ruling has significant ramifications for privacy
regulations since it confirmed the connection between privacy and fundamental rights,
especially the right to free speech. In this ruling, the Court emphasised that any state action
that violates privacy must adhere to the principles of legality, necessity, and proportionality in
order to avoid arbitrary government actions and ensure that they are subject to judicial
review. A strict safeguard and supervision mechanism are necessary to prevent exploitation
and abuse of states’ monitoring capabilities, as the case also upheld the necessity for
transparency and accountability in state monitoring activities. The history of the right to
privacy debate in India was significantly shaped by this case. It proved that privacy is not
just a derived right but a necessary part of the right to life and personal liberty, as stated under
Article 21 of the Indian Constitution. Consequently, it influenced the laws pertaining to privacy
rights and data protection.
As a result of these important and landmark Court rulings, data protection and privacy
rights have advanced considerably in India. They have contributed to the establishment of
legislative protections for privacy, the recognition of privacy as a basic right and regulation of
government monitoring practices in order to bring a balance between the rights to privacy and
legitimate interest of state. These incidents have also increased public awareness of people’s
right to privacy and given people the means to defend themselves against state and non-state
actors who infringe on their privacy without cause. Additionally, the aforementioned rulings
affirmed the necessity of a more complete framework for state surveillance operations as well
as a more improved legal framework targeted at improving the protection of individual rights.
All things considered, these cases continue to influence India’s changing privacy and data
protection environment by striking a balance between state interests and individual liberties
and opening the door for further development and adaptation in response to emerging issues
and technological advancements.
CHAPTER - 4
COMPARISON OF INTERNATIONAL DATA PROTECTION LAWS AND INDIAN
DATA PROTECTION LAWS
in combating cybercrime, notwithstanding India’s non-signatory status. In addition to being
in line with international standards like the Budapest Convention, which has been powerful for
India’s understanding
of tackling transnational cybercrime, the Convention subtly emphasises the need for data
protection regarding cyber investigations. Given the rapid advancements in technology, it is
imperative that India take significant action to combat cybercrimes.
OECD Initiatives: The OECD has published Guidelines Governing the Protection of Privacy
and Transborder Flows of Personal Data36. These regulations, which are intended to be
applied to the manual and electronic processing of personal data in both the public and
private sectors, are based on eight data privacy principles. Regardless of how data is
arranged, the rules do away with potentially constrictive notions of personal data. The treaty
permits the fair and lawful acquisition of personal data. It must, however, be gathered with
the data subject’s knowledge and consent and not for any other reason. The reasons behind
the data collection must also be disclosed at the time of the data collection. Its significance
stems from the collection limitation principle, which is a part of Indian law and guarantees
the handling of personal data in a fair, transparent, and lawful manner. The Indian data
protection laws effectively incorporate the OECD recommendations, guaranteeing worldwide
best practices in data privacy while upholding individual rights, data security and user
consent. India’s digital data protection laws were developed on a solid basis thanks to the
OECD’s guidelines.
The General Data Protection Regulation (GDPR) of the European Union: The DPDP Act
2023 and the GDPR both include a permission requirement because they both emphasise the
need for express and informed consent for data processing in order to ensure that individuals
have control over their personal data37. Data Subject Rights are required by both the DPDP
Act and the GDPR. By giving data subjects rights like access, rectification, erasure and the
capacity to object, both frameworks increase their control over their data. Both the GDPR
and the DPDP Act of 2023 have complex requirements for data localization. While the GDPR
does not specifically call for data localization38, the Indian DPDP Act mandates that sensitive
personal data be kept solely in India, which aligns with the GDPR’s focus on data
sovereignty. Both Acts include provisions for notifying parties of data breaches. The Indian
Act and the GDPR mandate that data controllers notify the appropriate regulatory
agency and the affected individuals of any data breaches right away in order to improve
accountability and transparency.
36 Data privacy law an international perspective by LEE A. BYGRAVE.
37 What is GDPR, the EU’s new data protection law, GDPR.eu, https://gdpr.eu/what-is-gdpr/
38 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection
of natural persons with regard to the processing of personal data and on the free movement of such data, and
repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance).
California Consumer Privacy Act (CCPA): A major U.S. legislative endeavour in this area is
the California Consumer Privacy Act (CCPA). Its stated goal is to strengthen consumer
protections and privacy rights for California citizens, and it is one of the most extensive data
privacy laws in the USA. Protecting individuals’ right to privacy is a key goal of the CCPA
and the DPDP Act. Similar to the Indian Act, the CCPA gives California residents the ability
to view, amend, delete, or recover personal data. Consent and the right to opt out are
incorporated in both Acts. In addition to emphasising consent, both legislations offer
people the option to refuse to have their data sold.
The Personal Information Protection and Electronic Documents Act (PIPEDA)39 governs how
the private sector handles consumer personal data when conducting business in Canada. The
Act aims to protect personal data while acknowledging the legitimate needs of businesses.
Under PIPEDA and the Indian Act, organizations must obtain the necessary authorization
before gathering, utilising, or sharing personal data. People can obtain their personal
information under PIPEDA, just like they can under the Indian Act. They also allow anyone
to contest the correctness of their data and request corrections. The DPDP Act and PIPEDA
both compel organizations to be transparent and to provide people with clear information.
Since both frameworks require that enterprises designate responsible people for privacy
practices and hold them accountable for adhering to data protection rules, accountability is a
crucial component of both Acts. Although data localization is a fundamental component of
both Acts, the Indian Act has stricter restrictions than PIPEDA, which lacks any particular
data localization measures.
Australia’s 1988 Privacy Act: Data breach notification is covered by both the Australian Act
and the 2023 DPDP Act. Because both the Indian Act and the Australian Privacy
Act require businesses to notify individuals and the regulatory authority of data breaches,
openness is guaranteed, ensuring that people are aware of the possible dangers to their
personal information. The notification procedure is essential for preserving confidence and
enabling people to take the appropriate safety measures against any unfavorable data breach.
Protecting the rights of data subjects is essential to protecting people’s personal information.
39 Personal Information Protection and Electronic Documents Act (PIPEDA), (Canada).
The right to access one’s personal information is one of the rights granted by the Australian
Privacy Act40, which is comparable to the Indian Act. These rights primarily give people
more control over their data and give them peace of mind that their personal information is in
good hands. Both Acts also give people a way to file complaints and get help if their privacy
rights are being infringed. Therefore, by guaranteeing that their personal data is managed
securely and transparently, both Australia and India hope to increase people’s faith in the
digital environment.
The 2018 Data Protection Act in the United Kingdom: It is an important piece of international
data protection law. Regarding permission requirements, data subject rights, and data breach
notifications, the Indian Act and the UK Data Protection Act—which is in line with the
GDPR—have a number of parallels. In order to ensure that data processing operations are
carried out clearly and with the persons’ informed consent, both of these legislative
frameworks stress the importance of getting individuals’ explicit approval before processing
their personal data41. The DPA significantly expands individuals’ rights over their personal
data, granting them the
ability to access, amend, remove, and restrict the processing of their personal data. In addition
to giving consumers more control over their information, this is consistent with the GDPR’s
core tenets of data minimization and accuracy. People can also easily transfer their data to
other service providers thanks to the DPA’s promise of data portability. In the digital
economy, this promotes competition and innovation. DPA offers data breach notification:
The law requires businesses to report certain types of data breaches to the ICO
and, in some cases, the aggrieved parties within 72 hours. This timely warning procedure is
essential for reducing the possible effects of data breaches and making sure people can take
the necessary precautions against identity theft and other nefarious activity.
Act 2020 of the Brazilian General Data Protection Law (LGPD): The LGPD is a huge step
forward for Brazil’s data security initiatives, and both individuals and businesses should take
heed. The LGPD is applicable to any data processing activity conducted by individuals or
legal entities, regardless of whether the data is processed or the location of the data subject.
Regarding their personal data, people have rights that include the capacity to see, amend,
anonymize, block, remove and transfer their data. The protection of these rights is guaranteed
by the LGPD Act. The LGPD Act’s obligations for data processors are another important
aspect of the law. It mandates that organisations that handle personal data must protect the
data, secure the data, get consent before processing it, and be open and honest about its use.
40 Privacy Act 1988, (Australia).
41 Data Protection Act 2018 (UK).
The 2005 APEC Privacy Framework: The Asia-Pacific Economic Cooperation created the
APEC Privacy Framework to find a
balance between the necessity to safeguard people’s privacy and the requirement for
unrestricted data access. In order to guarantee compliance, the framework emphasizes the
necessity of an efficient enforcement system and accountability mechanisms, such as the
creation of regulatory bodies and complaint resolution protocols. The framework gives
people the option to opt out of specific data uses and guarantees that they won’t suffer any
harm from data privacy breaches. Additionally, people have the right to view and amend their
personal information.
There are some similarities between the DPDPA 2023 and these international data protection
laws, but there are also some distinctions, such as the Act’s specific guidelines for the
localization of sensitive personal information. These comparisons show that India’s data
protection framework is in line with international initiatives to enhance data privacy and
protection, even though it is customised to the country’s particular requirements. A big
benefit of comparing the DPDP Act is the requirement for harmonisation with international
standards. The GDPR establishes strict guidelines for data privacy. In an effort to improve
India’s standing internationally and facilitate more smooth international data transfers, the
DPDP Act was inspired by the GDPR. It is crucial for Indian businesses looking to expand
globally and attract foreign investment. The discrepancy highlights how crucial strong legal
and regulatory frameworks are to safeguarding personal information. Even though India
made progress with the DPDP Act 2023, new privacy and security concerns continually call
for constant improvements and updates. By studying the enforcement and accountability
strategies of the GDPR and LGPD, India could create more effective regulatory processes. A
global trend toward increasing individual control over one’s personal data is reflected in the
DPDP Act of India, which aims to give customers rights such as data access, correction, and
deletion as stressed by international data protection regulations. The comparison also
highlights India’s potential and challenges, highlighting the difficulty of ensuring compliance
and filling gaps in a number of sectors while also giving India the chance to take the lead
globally in data protection. The DPDP Act demonstrates that India complies with
international data protection requirements while simultaneously meeting the expectations of
the digital era in India.
4.2 SURVEILLANCE AND GOVERNMENT ACCESS TO PERSONAL DATA
In the context of data protection and privacy, India’s DPDPA 2023 addresses the critical
issue of government access to personal data and surveillance. In response to a complex and
dynamic environment of personal data access and monitoring that is influenced by social,
technological, and legal factors, the government has implemented advanced surveillance
techniques. These technologies have the potential to increase public safety and security, but if
improperly governed, they could seriously jeopardize people’s freedoms and privacy.
Surveillance and government access to personal data in India present a multifaceted
challenge that requires a careful and balanced approach. It requires finding a way to
safeguard people’s privacy while also guaranteeing the safety of the country. With the rapid
advancement of technology in India, there is a growing need for a stronger legal framework.
The DPDP Act 2023 aims to achieve just that by being transparent, establishing an oversight
mechanism, and encouraging a culture of privacy respect. Without these safeguards, civil
liberties could be eroded for the sake of security and governance. Here’s an analysis of how
the Act manages this complex relationship.
The DPDP Act of 2023 contains provisions that act as barriers against unauthorized
government access. The DPDP Act of 2023 stipulates that the government must have
reasonable and appropriate access to personal data. This suggests that government agencies
need a legitimate reason, such as national security concerns, before they can access personal
data. This is consistent with the concepts of necessity and proportionality found in a number
of international data protection regulations. The DPA is required by the Digital Personal Data
Protection Act of 2023 to oversee and adhere to due process when the government demands
access to data. This regulation protects individual rights and ensures that government
access is not arbitrary.
The DPDP Act 2023, which acknowledges the importance of maintaining national security
and provides the government access to data when necessary to protect India’s integrity and
sovereignty, also ensures the protection of national security. But this access needs to follow
the rules of proportionality, legality, and legitimacy. In light of this, the Act reflects
international standards by allowing the government access in national security situations
while striking a balance between individual rights and the need to confront any risks.
The Digital Personal Data Protection Act of 2023 addresses one crucial element, localization
for vital personal data. Stricter rules would apply to "important personal data" under the new
Digital Personal Data Protection Act of 2023. The Act restricts the processing and storage of
significant personal data to India. Ensuring the security of critical national security
information during its transfer overseas is the primary goal of this provision. The Digital
Personal Data Protection Act of 2023 aims to reduce vulnerabilities to international
cyberattacks and unauthorised access by foreign organizations by limiting the processing and
storage of sensitive personal data inside national borders. This strategy strengthens India’s
control over its most sensitive data by keeping it inside Indian legal jurisdiction.
The Digital Personal Data Protection Act of 2023 includes data localization, a crucial tactic
that several countries have used to enhance control over data that could impact national
security. This mandate strengthens the country’s digital infrastructure and data management
independence in a proactive and protective manner. Furthermore, data localization guarantees
speedier regulatory responses and enforcement actions since data situated within the country
can be monitored more successfully. It is in line with comparable clauses in international data
protection laws and represents a global trend toward data sovereignty and the preservation of
national interests in the digital age. A strong legal system also requires someone to be in
charge of making sure the Act is obeyed.
The Data Protection Authority Oversight was created by the Digital Data Protection Act of
2023. The DPA is crucial for controlling government access to personal data. The DPA
ensures that such access adheres to the Act’s requirements and respects the rights of data
subjects. The DPA is an independent regulatory body that monitors and enforces data privacy
laws, investigates complaints, and imposes penalties for noncompliance. The DPA is also
tasked with increasing public awareness of data protection rights and fostering a data privacy
culture across the country. Through regular inspections and audits, the DPA upholds high
standards of data security and accountability among data processors and controllers. To
promote public trust and ensure that governmental and private organizations maintain the
highest standards of data privacy, a comprehensive oversight framework is required. The
DPDP Act 2023 establishes a framework for more accountability and openness from
government agencies in addition to bringing India into compliance with international data
protection standards. Oversight by an impartial body to prevent the misuse of governmental
power is a basic component of data protection laws around the world. Additionally,
transparency and accountability are highly valued in the Digital Personal Data Protection Act
of 2023. The Act emphasizes transparency in government data access by requiring data
controllers to inform the DPA of any such access. It is also essential to notify the affected
data subjects. This ensures that people are notified when the government requests their
personal information and increases accountability. The
core ideas of accountability and openness serve as the foundation for international data
protection laws like the CCPA and the GDPR.
A number of clauses of India’s DPDPA 2023 deal with the problem of government
surveillance and access to personal information. It emphasizes the need for proportionality,
legality, and oversight to ensure that private rights are upheld and government access is not
arbitrary. The Act’s approach respects worldwide data protection standards while addressing
the particular challenges of data protection in the digital age, such as safeguarding national
security interests. The Act also improves the entire framework by including measures for user
permission, data minimization and data breach notification. The Act attempts to enhance
transparency in data handling procedures by creating an independent monitoring body and
requiring frequent audits; nonetheless, the accountability and transparency systems require
strict oversight to guarantee that surveillance operations are legal and considerate of people’s
right to privacy. The legal framework must be updated frequently to meet the new issues
brought about by the rapid evolution of technology. Even though the DPDP Act represents a
major turning point for India, it needs to be updated to reflect both domestic and international
best practices in order to be applicable and efficient.
Over time, government surveillance activities in India have become more well-known,
sparking debates over civil liberties, individual privacy and the necessity of open and
accountable surveillance methods. The need for a more robust legislative framework that
guarantees that people’s privacy is not arbitrarily violated has been brought to light by a
number of programs, including CMS, NATGRID, Aadhaar and others. Given India’s urgent
need to safeguard its inhabitants from technology dangers, finding a balance between national
security and individual privacy rights is a challenging task. Given the history of cases with
inadequate oversight and safeguards, India needs to examine the measures. The advancement
of time and technology has made it imperative to update legislation that ensures accountability
and transparency in government oversight. Romesh Thappar v. State of Madras (1950) is a
case study42. The Court clarified in Romesh Thappar v. State of Madras that the state’s
security is only at risk from extremely severe and intensified forms of public unrest.
42 Romesh Thappar v. State of Madras, 1950 SCR 594
Central Monitoring System (CMS): The Indian government introduced the CMS, which is
intended for legal telecommunications monitoring and interception43. For the sake of national
security, it is mainly meant for law enforcement and security organizations to monitor
communications. By obtaining information directly from service providers, CMS allows
government organizations to intercept and track emails, phone conversations, and internet
traffic. It makes it possible to monitor communications in real time.
Network Traffic Analysis (NETRA): The software network was developed by the Centre for
Artificial Intelligence Bureau in India. It is essential to network administration and
cybersecurity, mainly for keeping an eye on network activity and availability to spot
irregularities that could indicate security breaches44. Scope: NETRA records network activity
in present time as well as in the past. In order to comprehend the data traffic pattern, it
examines the data flow from devices such as routers and network TAPs. The Centre for
Artificial Intelligence and Robotics (CAIR), a division of India’s Defence Research and
Development Organization (DRDO), developed the software network monitoring system
NETRA. By keeping an eye on network availability and activity to spot irregularities that can
point to security breaches, NETRA plays a critical role in cybersecurity and network
management. NETRA offers both historical and real-time network activity recording. In order
to identify trends in data traffic, it examines the data flow from network devices like routers
and network TAPs (Test Access Points). This makes it possible for NETRA to spot any odd
or suspicious conduct that would indicate a security risk. Through constant network
monitoring, NETRA can identify irregularities and quickly notify the appropriate authorities.
This lessens the effect of cyberattacks and enables enterprises to proactively address security
concerns. The system can recognize intricate patterns and connections that can point to more
sophisticated attacks thanks to its superior analytics capabilities. Because of its broad range
of network monitoring and analysis capabilities, NETRA is a crucial tool for guaranteeing the
security and dependability of India’s critical information infrastructure. The system’s
widespread use in both public and commercial sector institutions highlights how crucial it is
to protecting the country’s digital resources.
43 India Today, Forget NSA, India’s Centre for Development of Telematics is one of the top 3 worst online spies
(March 12, 2014).
44 The Times of India, Govt to launch internet spy system ‘Netra’ soon (January 7, 2014).
In order to improve counter-terrorism and counter-crime efforts, the National Intelligence
Grid (NATGRID) is an ambitious intelligence-sharing project that aims to give security
agencies rapid access to a vast amount of data on individuals and organizations 45. NATGRID
aims to create a comprehensive intelligence grid by combining and sharing data from various
government databases, such as financial, immigration, and law enforcement records.
Although it has been in development for years, concerns regarding data privacy and oversight
still exist.
Aadhaar Database: Benefit distribution and identity identification are the main objectives of
the Aadhaar program, which is supervised by the Unique Identification Authority of India
(UIDAI). It gives Indian citizens a unique 12-digit identification number 46. Although
surveillance is not the main function of Aadhaar, there have been worries about the abuse of
the database to track people’s whereabouts. Aadhaar’s contribution to lowering fraud and
guaranteeing effective service delivery has been highlighted by the Indian government.
The National Cyber Coordination Centre (NCCC) is an Indian organisation that specialises in
electronic monitoring and cyber defence. It was founded by the Ministry of Electronics and
Information Technology (Meity). The primary layer for data flow monitoring in India is the
NCCC. As a result, it serves as the central location for all communications between public
and private organisations. It maintains virtual contact with ISPs to monitor gateways and
entry/exit points in order to monitor both domestic and international traffic 47. It collaborates
internationally with international cybersecurity authorities and groups to exchange
intelligence gathered by tracking the nation’s data flow. Additionally, it improves
collaboration between various government departments and cyber security agencies.
State-Level Surveillance Programs: A number of Indian states have put in place their own
monitoring initiatives. For example, the Kerala Police have put in place a "Hi-tech
Surveillance System" that uses state-of-the-art equipment including cameras and facial
recognition software to further protect the people.
45 Dalip Singh, Close watch. NATGRID to turn lens on digital print of people, firms (April 27, 2023).
46 Vrinda Bhandari & Renuka Sane, A Critique of the Aadhaar Legal Framework, 31 NLSIR Rev. 72-97 (2019).
47 India gets ready to roll out cyber snooping agency, The Hindu, June 10, 2013.
Internet Surveillance and Data Retention: In India, telecom companies and ISPs are required
by law to retain customer data for a specified period of time. This information is available to
government agencies for use in security and investigative purposes.
Laws and Regulations Governing Surveillance: The Information Technology (Procedure and
Safeguards for Interception, Monitoring, and Decryption of Information) Rules, 2009, allow
for both legal internet monitoring and interception.
Problems and Issues: India’s government monitoring initiatives have given rise to serious
issues. Particularly when the scope of surveillance is unclear or not sufficiently regulated,
there are worries that programs may violate people’s civil liberties and private rights48. Critics
have pointed to the lack of robust supervision procedures and a well-defined legal framework
for surveillance programs. Given the possibility of data breaches and misuse, the security of
data gathered by surveillance systems is a worry. According to the Court’s ruling in Ajay
Goswami v. Union of India (2007)49, every risk that could support a restriction has to be minimal,
speculative, or unlikely. The public’s concern and calls have been sparked by these
initiatives’ opaque operations.
48 Critical Assessment of Information Technology Act 2000 by Gaurav Saluja.
49 Ajay Goswami v. Union of India, (2007) 1 SCC 143
50 Vrinda Bhandari & Renuka Sane, A Critique of the Aadhaar Legal Framework, 31 NLSIR Rev. 72-97 (2019).
Effect on Individuals’ Rights: There are serious worries about how the Aadhaar system’s
deployment may affect people’s right to privacy. One of the most significant issues is the
gathering and storing of biometric and personal data by the Aadhaar system. This enormous
database’s centralised structure and the sensitive material it holds have raised concerns about
possible data breaches and misuse, which may result in infringements on people’s
fundamental right to privacy. In addition, there have been concerns that the vast amounts of
data gathered by Aadhaar might be used for spying. Unauthorised access to this extensive
database would make it possible to trace people’s activity across multiple websites, which
could violate their
right to privacy. These problems emphasize the necessity of stringent controls and robust data
security protocols to prevent such abuse. These worries are heightened by the government’s
plan to connect Aadhaar to a wide range of services, such as mobile numbers and bank
accounts. This integration calls into question the government’s capacity to keep tabs on
people’s activities in a variety of areas, which could lead to privacy rights abuses.
Discussions concerning the limits of effective service delivery and the protection of
individual privacy have been stoked by the possibility of excessive surveillance and
monitoring. A historic decision in "Justice K.S. Puttaswamy (Retd.) v. Union of India" saw
India’s top Court uphold the right to personal privacy. The Court incorporated specific
privacy safeguards and limitations in its decision upholding the constitutionality of the
Aadhaar Act. This ruling emphasises the ongoing debate and the necessity of striking a
balance between the benefits of Aadhaar and the protection of individual privacy rights.
There is now much public discussion and close examination of how the Aadhaar system
affects people’s rights. To guarantee that the goals of the Aadhaar program are met without
jeopardising the fundamental rights and liberties of citizens, it is imperative that these issues
be addressed through strong legislative frameworks, open governance procedures, and strict
data protection measures.
Case Study 2: Surveillance Programs of the National Security Agency (NSA) of the United
States: To obtain information for national security, the US National Security Agency (NSA)
uses a variety of surveillance techniques. The 2013 revelations by Edward Snowden were one
of the most important in exposing the nature of these programs51. The effect of the National
Security Agency’s (NSA) surveillance programs on people’s rights: Significant privacy issues
have been raised by intelligence services’ worldwide mass collection of phone records,
internet communications, and metadata. These surveillance programs have enabled
widespread monitoring of both citizens and non-citizens, potentially violating their
fundamental right to privacy. These worries have been made worse by the lack of
transparency and supervision in the mass data collecting, which frequently occurs without
people’s knowledge or agreement. A debate about how to balance the demands of national
security with the protection of individual privacy rights has resulted from the monitoring
programs’ legal challenges. Famous
Court cases like "United States v. Carpenter52," and "Clapper v. Amnesty International
USA53", have investigated these services’ legality and constitutionality in an effort to define
precise limits and protections. Calls for legislative amendments to improve openness and
oversight measures were triggered by the disclosures made by Edward Snowden and other
whistleblowers about these widespread surveillance operations. The USA Freedom Act was
launched in 2015 with the goal of resolving some of these issues by restricting the haphazard
collection of vast amounts of data in an effort to strike a balance between security necessities
and privacy rights. These developments underscore the ongoing tension between the need to
protect national security and the right to privacy in an increasingly digital and interconnected
society. Finding the ideal mix with strong legal frameworks, efficient monitoring procedures,
and a dedication to maintaining civil liberties remains a critical challenge for governments
and societies worldwide.
51 Factbox: History of mass surveillance in the United States, Reuters (June 7, 2013).
Case Study 3: Social Credit System in China: In China, the Social Credit System is a vast
data collection and monitoring program whose declared objective is to assess the
dependability and behavior of individuals and businesses. Its scoring methodology takes into
account a number of factors, including financial background, social media activity, and public
behavior. As the Social Credit System is being implemented in China, many individuals are
concerned about how it can impact people’s rights and privacy. The vast accumulation of
personal data, which includes financial transactions, online activity, and other facets of
people’s everyday life, is at the heart of this system. Numerous government entities have
access to this data, which raises concerns about potential abuse and privacy issues. The
danger the Social Credit System 54 presents to people’s right to privacy is one of the main
issues with it. The system includes tracking people’s daily activities, such as their financial
transactions and online interactions. Concerns regarding possible privacy violations are raised
by this degree of surveillance since it permits the collection and examination of private data
without sufficient protections or openness.
The right to freely express oneself is one of the fundamental liberties that may be impacted
by the Social Credit System. To prevent detrimental effects on their social credit scores, some
people may self-censor their online expression and behaviours. Concerns over the
degradation of civil freedoms are raised by this restriction on free expression and the
possibility of compulsion. The absence of oversight and transparency in the Social Credit System’s
operations exacerbates these worries. The system’s opaqueness and the lack of obvious
channels for people to contest or appeal their results have sparked concerns about
accountability and citizens’ capacity to successfully exercise their rights. The extensive
impacts of the Social Credit System underscore the necessity of striking a balance between
advancing societal goals and protecting individual liberties and rights55. To guarantee that
technology breakthroughs do not compromise essential human rights and freedoms, it is
imperative to address these issues through strong legal frameworks, open governance
procedures and efficient oversight.
52 United States vs Carpenter, 138 S. Ct. 2006 (2018).
53 Clapper vs Amnesty International USA, 568 U.S. 398 (2013).
54 Shazeeda Ahmed, The Messy Truth About Social Credit, Logic Mag., May 1, 2019.
Individual liberty and privacy are very important: The right to privacy is frequently violated
when the government has access to personal information. The right to privacy is fundamental
to human growth and autonomy, according to the European Court of Human Rights’ ruling in
"Rotaru v. Romania56". When governments engage in extensive monitoring, people may feel
constrained in their personal and online activities, which may make them unwilling to
exercise their fundamental rights.
The state shouldn’t restrict freedom of expression: There is a chance that people’s freedom of
speech will be restricted by government surveillance. In the "Lloyd v. Google57" case, the UN
Human Rights Committee acknowledged that the preservation of human rights and the
growth of democracies depend on the right to free expression, which is a fundamental
component of civil liberties. People may refrain from voicing their opinions or engaging in
activism if they are worried that their communications are being monitored.
Defence against the arbitrary use of authority: The arbitrary use of authority can result from
government access to personal data, especially when there is inadequate monitoring and
transparency. In the case of "Liberty and Others v. United Kingdom58," the European Court of
Human Rights emphasised this vulnerability and the significance of protecting private life
from arbitrary interference.
55 Lucy Hornby, China Changes Track on ‘Social Credit Scheme’ Plan, Fin. Times, July 5, 2017.
56 Rotaru vs Romania, App. No. 28341/95, ECHR 2000-V.
57 Lloyd vs Google LLC, [2021] UKSC 50.
58 Liberty and Others vs United Kingdom, App. No. 58423/00, ECHR 2008.
Accountability and safeguards are crucial to protect civil liberties: Civil liberties must
be sufficiently safeguarded by accountability and protection mechanisms in the event that the
government obtains access to personal information. The United Nations Special Rapporteur
on the right to privacy has emphasized in his report "The Right to Privacy in the Digital Age"
the need for strong legal frameworks and unbiased oversight to guarantee that government
monitoring does not violate people’s civil liberties and rights to privacy.
CHAPTER - 5
CONCLUSION AND SUGGESTIONS
5.1 CONCLUSION
India must carefully balance utilizing the advantages of the digital era with maintaining
democratic principles as it navigates the challenges of digital expression. The internet era has
given individuals greater power and expanded opportunities for free speech, but it has also
brought significant challenges to democracy. To combat the dissemination of false
information, privacy concerns and threats to the right to free expression, the government,
civil society and digital platforms must collaborate.
In the digital age, government access to personal data has grown to be a serious concern, with
important implications for privacy, civil liberties and individual rights. With an emphasis on
the possible consequences of the DPDPA 2023, this project has investigated constitutional
issues with the Indian government’s monitoring and access to personal data.
According to the well-known "Justice K.S. Puttaswamy (Retd.) versus Union of India" case,
protecting one’s right to privacy is equal to protecting one’s life and liberty. Despite this
recognition, India has struggled to balance the conflicting demands of protecting individual
privacy and preserving national security.
The DPDPA 2023 represents a significant advancement in addressing these issues. However,
there are several issues and points of controversy with this law. The Act’s data localization
regulations offer an innovative method of securing sensitive information, especially for
essential personal data. However, there are still concerns over the possible effects on
international data flows and data security.
Analysis of the Act’s approach to granting the government access to personal data has
highlighted the importance of strong oversight, accountability and transparency. The
international context was also covered in the project, which compared and contrasted data
protection regulations from various nations and emphasised the necessity of international
collaboration on this matter.
The following points set out the gaps in the DPDP Act 2023:
● The method of collecting data, seeking consent and providing notice is left open to
future guidelines or rules.
● The manner of notifying the data principal and board when there is a personal data
breach has been left to the rules.
● The time period and the limitations for replying to a grievance mentioned in the
DPDP Act 2023 will be provided in accordance with the requirements of various
sectors of data fiduciaries and purposes.
● The method to obtain verifiable parental consent before processing personal data of a
child or an individual with a disability who has a lawful guardian will be notified in
the rules.
● Laws related to an individual’s right to access information about personal data are also
reserved for future rules and regulations.
● The method to appoint a chairperson, other members, officers and staff of the Data
Protection Board of India and their salary, allowances, other terms and conditions of
service, as well as the procedure of conducting business of the Board will be notified
only in the rules.
The effects of government access to personal data on civil rights, privacy and freedom of
expression have been clarified through case studies and legal assessments. It is clear that
governments must take a rights-based approach to data access, making sure that
accountability procedures, consent procedures and protections are in place to protect people’s
rights.
Lastly, safeguarding civil rights in the digital age has both benefits and drawbacks. To avoid
privacy invasion and individual rights violations, government access to personal data must be
strictly regulated. The DPDPA 2023 and similar laws around the world are crucial to
achieving this balance. Maintaining civil liberties in the digital era is a dynamic process that
requires ongoing focus, adaptability and a commitment to upholding individual liberties and
democratic principles in the face of quickly advancing technology.
5.2 SUGGESTIONS
● In India, a comprehensive data protection law that outlines people’s rights over their
personal data should be passed and rigorously implemented. Strict safeguards,
consent procedures and data breach notification standards should all be established by
this law.
● In order to prevent misuse, data localization requirements such as those pertaining to
sensitive personal information should be implemented with a strong emphasis on
security and control. The government should make sure that information kept in India
is shielded from unwanted access.
● Governments should be forthright about the ways they obtain data and the reasons for
the collection and use of personal information. Accountability for any misuse of data
should be clearly defined, and individuals should have the right to seek redress.
● Only information that is absolutely necessary to achieve a certain goal should be
collected by the government. To stop unauthorized use of data for reasons unrelated
to its original objective, the idea of purpose limitation must be strictly adhered to.
● Promoting and safeguarding encrypted communication is necessary to guarantee the
security and privacy of people’s online interactions. It is not appropriate for
governments to interfere with encryption technology.
● It is crucial to cooperate with other countries on matters of surveillance and data
protection. India should collaborate with foreign partners to create shared guidelines
and standards for data access by the government.
● Through educational campaigns, the public should be made aware of their rights,
privacy dangers, and the best practices for protecting personal information.
Knowledgeable citizens are better equipped to defend their civil rights.
● Whistleblowers who reveal misuse of government data or overreach in monitoring
must have strong protection. There should be legal structures in place to assist anyone
who comes forward with information about such practices.
● Regular evaluation and updating of data protection laws and government access
policies is necessary to stay abreast of the rapidly evolving technological world and
privacy issues. It is essential that the legal system be flexible.
● To guarantee a fair and knowledgeable approach, civil society, academic institutions,
and business professionals should actively participate in the creation and evaluation of
data protection and surveillance rules.
● In situations where civil liberties are in jeopardy, legal challenges to government
access policies should be supported. The primary responsibility for interpreting and
upholding privacy and data protection laws should rest with the courts.
● To solve transnational data concerns and guarantee that people’s data is safeguarded
in cross-border circumstances, India should cooperate with other countries.
BIBLIOGRAPHY
BOOKS
● Mamta Rao, Constitutional Law, Edition V, AHL Publication, 2023
● M.P. Jain, Indian Constitutional Law, Edition VII, Allahabad Publication House, 2023
● V.N. Shukla, Constitution of India, Edition IV, 2022
● S.K. Sharma, Privacy Law: A Comparative Study (Atlantic Publishers & Dist, 1994)
● Solove, Daniel J. "Understanding Privacy." Harvard University Press, 2008.
● Constitutional law Dr Mamta Rao first edition, 2013
● Greenwald, Glenn. "No Place to Hide: Edward Snowden, the NSA, and the
U.S. Surveillance State." Metropolitan Books, 2014.
● Kuner, Christopher. "Transborder Data Flows and Data Privacy Law." Oxford
University Press, 2013.
● Data privacy law an international perspective by LEE A. BYGRAVE
● D.D. Basu, Commentary on the Constitution of India, vol. 2, 9th ed. (LexisNexis
2014).
● D.D. Basu, Commentary on the Constitution of India, vol. 6, 9th ed. (LexisNexis
2014).
REFERENCES
● Swire, Peter P. "The System of Foreign Intelligence Surveillance Law." Harvard Law
Review, Vol. 72, No. 4, 2009.
● Ohm, Paul. "The Fourth Amendment in a World without Privacy." Mississippi Law
Journal, Vol. 81, No. 5, 2012.
● Walden, Ian, and John Angel. "Privacy and Data Protection in the Cloud: The Cloud
Privacy Paradox and the Illusion of Control." International Data Privacy Law, Vol. 2,
No. 2, 2012.
● United Nations General Assembly. "The Right to Privacy in the Digital Age." Report
of the United Nations High Commissioner for Human Rights, A/HRC/27/37, 2014.
● European Court of Human Rights. "Rotaru v. Romania," Application no. 28341/95,
Judgment, 2000.
● U.S. Supreme Court. "Hiibel v. Sixth Judicial District Court of Nevada," 2004.
● European Court of Human Rights. "Liberty and Others v. United Kingdom,"
Application nos. 58243/00, 59520/00, 59696/00, Judgment, 2008.
● Electronic Frontier Foundation (EFF). "Surveillance Self-Defense." https://ssd.eff.org/
● Privacy International. "Understanding Privacy."
https://privacyinternational.org/learn/understanding-privacy
● The Guardian. "Edward Snowden: The Whistleblower behind the NSA Surveillance
Revelations."
https://www.theguardian.com/world/2013/jun/09/edward-snowden-nsa-whistleblower-surveillance
● Factbox: History of mass surveillance in the United States, Reuters (June 7, 2013),
Reuters.
● Supreme Court Observer, An Analysis of the History of Right to Privacy Under
Article 21 of the Constitution, Constitutionality of Aadhaar Act, 31 S.C. Observer
72-97 (2019).
● “Personal Data Protection Bill can turn India into ‘Orwellian State’”, Justice BN
Srikrishna, The Economic Times, 31 January 2020.
● “The Digital Personal Data Protection Bill, 2023” PRS Legislative Research.
Retrieved 2024-01-08
● “Government to launch internet spy system ‘Netra’ soon”, The Times of India, 7 January
2014.
● “Beghar Foundation v Justice K.S. Puttaswamy (Retd.)”, WP 494/2012.
● The Times of India, Govt to launch internet spy system ’Netra’ soon (January 7,
2014), The Times of India.
● India Today, Forget NSA, India’s Centre for Development of Telematics is one of the
top 3 worst online spies (March 12, 2014), India Today.
● What is GDPR, the EU’s new data protection law, GDPR.eu,
https://gdpr.eu/what-is-gdpr/ (last visited June 21, 2024).
● Press Information Bureau (PIB). “Salient Features of the Digital Personal Data
Protection Bill, 2023.” Posted On: August 9, 2023.
● Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April
2016 on the protection of natural persons with regard to the processing of personal
data and on the free movement of such data, and repealing Directive 95/46/EC.
● “India Sets Up Domestic PRISM-Like Cyber Surveillance?” The Diplomat. 10 June
2013. Retrieved 24 November 2014.
● A.G. Noorani, “Right to Privacy”, Economic and Political Weekly, Vol. 40, No. 9 (Feb.
26 - Mar. 4, 2005), p. 802.
● “Data Privacy Legislation in Focus: A Deep Dive into India’s DPDP Act & EU’s
GDPR” by Anas Baig.
● Priv.gc.ca PIPEDA legislation and related regulations.
● Oaic.gov.au The Privacy Act.
● Legislation.gov.uk Data Protection Act 2018.
● App.law LGPD Brazilian General data protection Law.
● Thalesgroup.com Beyond GDPR: DATA PROTECTION AROUND THE WORLD.
● "Forget NSA, India’s Centre for Development of Telematics is one of top 3 worst
online spies". India Today. 12 March 2014. Retrieved 26 August 2014.
● "Govt to launch internet spy system ’Netra’ soon". The Times of India. 7 January 2014.
● Singh, Dalip (27 April 2023). "Close watch. NATGRID to turn lens on digital print of
people, firms". Business Line.
● "India gets ready to roll out a cyber snooping agency". The Hindu. 10 June 2013.
● Government Adopts UPA’s Aadhaar Bill, Bus. Standard (Mar. 7, 2016),
https://www.business-standard.com
● “Personal Data Protection Bill can turn India into ‘Orwellian State’”, Justice BN
Srikrishna, The Economic Times, 31 January 2020.
● Government adopts UPA’s Aadhaar Bill, Business Standard (Mar. 7, 2016), Business
Standard.
● A CRITIQUE OF THE AADHAAR LEGAL FRAMEWORK, Vrinda Bhandari,
Renuka Sane, National Law School of India Review, Vol. 31, No. 1 (2019), pp. 72-97.
● “Factbox: History of mass surveillance in the United States”. Reuters 7 June 2013.
Retrieved 14 August 2013.
● Ahmed, Shazeeda (1 May 2019). “The Messy Truth About Social Credit”. Logic
magazine.
● Hornby, Lucy. “China changes track on ‘social credit scheme’ plan”. Financial Times.
5 July 2017.
● "Revealed: leak uncovers global abuse of cyber-surveillance weapon". The Guardian.
18 July 2021.
● "Despite the hype, iPhone security no match for NSO spyware". Washington Post. 19
July 2021.
● Vrinda Bhandari & Renuka Sane, A Critique of the Aadhaar Legal Framework, 31
NLSIR Rev. 72-97 (2019).
● Dalip Singh, Close watch. NATGRID to turn lens on digital print of people, firms
(April 27, 2023), Business Line.
● India gets ready to roll out cyber snooping agency, The Hindu, June 10, 2013, The
Hindu.