Data protection, privacy and law: Is India ready yet?

The debate surrounding big data, privacy and security in India has reached different levels. One may ask: how does the legal and regulatory framework in India surrounding, amongst other things, big data, surveillance, internet of things (IoT – Tech 5.0), cybersecurity and privacy balance the prerequisites of protecting the privacy of its citizens on the one hand and, at the same time, foster novel inventions and effective developments on the other? The answer to this question is convoluted.

In the 21st century, data appears to be the new coinage. Hackers utilize data to generate wealth illegally, conglomerates utilize it to generate wealth legally, and the Government utilizes it for the purposes of keeping threats at bay and/or surveillance. There is no doubt that data is an extremely valuable commodity in the present century. Though the law in India seems to be trying to address various nuances concerning data protection and privacy, it is stepping up. Certain questions regarding the proposed personal data protection legislation in India emerge surrounding privacy-related damage and probable misuse, if any.


Before delving into the niceties of the Personal Data Protection Bill, 2019 (“Bill”), which is presently being discussed at length in a joint parliamentary committee, it is relevant to note that the Supreme Court of India (“SC”), vide its judgment dated August 24, 2017, held that the right to privacy is a fundamental right that essentially emanates from the right to life and personal liberty under Article 21 of the Constitution of India. Interestingly, vide the aforesaid judgment, the SC also noted that “…privacy of personal data and facts is an essential aspect of the right to privacy[…]”. Apart from declaring that privacy is a fundamental right, the SC also acknowledged ‘Informational Privacy’ to be a subset of the right to privacy.

Be that as it may, the aforementioned privacy judgment of the SC may entail wider implications insofar as the law governing data protection and privacy is concerned in India. The proposed Bill and the extant laws will now entail going through the strictures and/or frameworks concerning life and personal liberty of the citizens, as enumerated under Article 21 of the Constitution of India.

Consequent to the aforesaid privacy judgment rendered by the SC, an expert committee led by Justice B.N. Srikrishna was set up to scrutinize the feasibility of a new law concerning data protection and privacy in India, including its contours and/or limits. Per the ‘Statement of Object and Reasons’ of the Bill, the Bill is based on the endorsements of the expert committee’s report and the comments received from numerous stakeholders involved in the process.

At the outset, one may note that privacy as-a-concept is not absolute or unfettered and there is no ‘one size fits all approach’ if one were to define it. However, trying to define privacy is a herculean task for the simple reason that the term (aka privacy) may signify different things to different people. Regrettably, it remains a challenge to ensure that the legal framework and the intent thereof concerning the Bill satisfies the needs and requirements of every entity – be it the Government, Corporates or NGOs (including citizens). All in all, it appears to be a challenge to effectively harmonize the clash between the privacy of one entity vis à vis the security of the other entity.

At this juncture, it is imperative to understand the extant legislations (other than the Bill) and/or policies surrounding data protection and privacy in India. Apart from the regional legislations concerning data protection and privacy, the personal data of citizens in India is also protected via concomitant safeguards developed by the Courts, especially the SC under the common law doctrine(s), rules of equity and the principle of breach of confidence.

The extant legislations are primarily regional in nature and include, but are not limited to, the applicable provisions of the Information Technology Act, 2000 and the applicable rules framed thereunder, the Aadhaar (Targeted Delivery of Financial and Other Subsidies Act) 2016, etc. Moreover, numerous entities in highly regulated sectors such as banking and financial services and telecommunications are (also) amenable to information technology and confidentiality obligations arising under regional / local laws for the purposes of storing / utilizing the clientele’s personal and confidential data / information for stipulated purposes only.

Yet, at this stage, two questions beg innumerable consideration(s). At the get-go, what measures ought to be taken to duly protect the personal and confidential data of the citizens till the time the Bill is enforced as a law – are regional legislations apposite to address the same? Next, is there a requirement to legislate and enforce a distinct, all-encompassing law concerning surveillance, or to legislate distinct regional / local laws with respect to the same?

To my mind, it appears that we are currently functioning in a legal vacuum insofar as surveillance is concerned in India. As regards surveillance law, India does not address the issue of surveillance appositely as there is no (principal) surveillance law – matters concerning national interest and security have been laid out simply by the executive in exercise of its executive functions that do not provide for a legal framework and/or basis. Hence, a legislation not only governing data protection and privacy in India but also necessitating the Union / Govt. to obey the prescribed data protection (including surveillance) rules warrants urgent necessity.

From the above, it necessarily appears that an all-inclusive legislation governing and regulating the storage, processing and distribution of personal and sensitive data is a pressing priority. At present, there is no single, all-inclusive legislation that governs and regulates the storage and distribution of personal and sensitive data / information in India.


The Bill has tried to address various issues surrounding the collection, processing and utilization of personal and sensitive data / information by numerous entities in India. Rather interestingly, the Bill seeks to suggest a pre-emptive approach / system that hinges on excessive governmental involvement and supposedly fortifies the Government. As a result, it may lead to a probable upsurge in compliance-related costs for corporates or other entities spanning numerous sectors, thereby leading to a disturbing watering-down of data privacy apropos the Government.

Further, the Bill intends to safeguard the privacy of the Indian citizens by establishing a pre-emptive system that controls how entities collect, process and utilize personal or sensitive data / information, rather than protecting the citizen’s privacy due to the resulting damage being caused by the perpetual infringement of the aforementioned privacy.

Besides, the proposed Bill is problematic and questionable when it comes to the fortification of the citizen’s privacy as the Bill considerably reinforces the Government’s part in the digital space and consequently leads to increasing surveillance and watering-down of the property rights in India without ensuring apposite counterbalance. In this regard, it is likely that India as a digital economy may observe disastrous outcomes concerning novelty in the digital space, though, brushing aside the intended object and purpose of protecting data privacy in India.

As a matter of fact, recently, the Jio-Facebook deal wherein Facebook acquired a 9.99% stake in Reliance Jio platforms appears to be worrisome in the context of data privacy. Both the Conglomerates now have entry to copious amounts of personal data / information of numerous citizens of India. What that means is, pending the enactment of the Bill into a legislation, the collection, process and utilization of personal and sensitive data / information by the aforesaid Conglomerates would be subject to their privacy policies in India.

Nevertheless, what worries me is that the users have not been provided with adequate information as to why or what plans the entity has to do with the personal data / information being sought and/or collected, and I don’t think most users understand the meaning of the terms – ‘Data Policy’ or ‘Privacy Policy’ – concerning the privacy and data policy of the entity.

If one were to study Facebook’s privacy and data policy, it sets forth distinct data distribution arrangements not only with its users but also with third-party partners, albeit restricted to stipulated purpose(s) only. Popular Facebook products like Instagram and Messenger are (behind the scenes) disseminating significant amounts of data among its popular products. Meanwhile, WhatsApp – a popular cross-platform messaging and VoIP service application acquired by Facebook in the year 2014 – already shares extant systems, processes, technology and apposite infrastructure with a view to providing its users a stable and reliable experience across its business eco-system.

This exemplifies my worried state concerning the Jio-Facebook deal, amongst others, for the reason that India does not have a data protection regime. In the absence of a legal and regulatory framework concerning data protection and privacy in India, nobody can stop the two Conglomerates (including others) – beyond their morals, values and ethics – to persuade them to stop the collection, process and utilization of personal and sensitive data / information of its users. Of course, it goes without saying that, one can drag them to the Court(s) of law should things falter but, sans any legal or regulatory framework in place, things (or your data) might get out of hand. Hence, it is desirable to duly implement, as soon as practicable and keeping in mind the interest of all stakeholders, the Bill (at the earliest) in order to protect our privacy. This is precisely why we need the legislation for safeguarding our privacy we so badly deserve.

[Disclaimer: Ali Waris Rao is an in-house legal counsel at Hindalco Industries Ltd., Aditya Birla Group. The views expressed are personal and have no bearing on the firm he represents.]