Privacy, as an essential facet of personal autonomy and human dignity, has long been a subject of robust debate in legal and constitutional discourse worldwide. While globally recognized as a crucial element of individual liberty, the right to privacy has historically been conspicuously absent from the express language of the Indian Constitution. In contrast, jurisdictions like the United States have seen privacy evolve as a derivative right through progressive judicial interpretations, most notably in cases such as Griswold v. Connecticut (1965 SCC OnLine US SC 124), where the U.S. Supreme Court inferred privacy as a fundamental right within the “penumbra” of explicitly stated constitutional guarantees.
India, however, lacked a similar trajectory of judicial recognition for privacy in the early years of its constitutional history. This omission left the Indian judiciary grappling with whether and to what extent privacy could be afforded protection under existing constitutional provisions. For decades, Indian courts oscillated between recognizing privacy as an implicit right and rejecting its independent existence, resulting in a fragmented and inconsistent jurisprudence. The lack of explicit recognition created a vacuum that left personal data and informational privacy vulnerable in a rapidly digitalizing world.
The turning point arrived in 2017 with the landmark case of K.S. Puttaswamy (Privacy-9J.) v. Union of India ((2017) 10 SCC 1), where the Supreme Court of India unequivocally declared privacy as a fundamental right protected under Article 21 of the Constitution. Article 21, which guarantees the right to life and personal liberty, was interpreted expansively to include the right to privacy as intrinsic to human dignity and personal autonomy. This judgment not only marked a significant advancement in constitutional law but also laid the foundation for the regulation of privacy in the digital age.
The recognition of privacy as a fundamental right in Puttaswamy reflects a profound acknowledgment of its necessity in safeguarding individual freedoms against unwarranted state and private intrusions. This decision was particularly critical in the context of an increasingly interconnected and data-driven world, where the collection, storage, and processing of personal data pose unprecedented challenges to personal autonomy. Moreover, it underscored the need for a comprehensive legislative framework to address data privacy concerns, leading to the eventual enactment of the Digital Personal Data Protection Act, 2023.
Evolution of Privacy Rights in India
The journey to recognizing privacy as a fundamental right spanned nearly seven decades since the adoption of the Constitution. In the Puttaswamy judgment, the Supreme Court underscored privacy as integral to the right to life and personal liberty under Article 21. The decision leaned heavily on the precedent set by Rustom Cavasjee Cooper v. Union of India ((1970) 1 SCC 248), where an eleven-judge bench ruled that fundamental rights are not mutually exclusive. The Court emphasized that the reasonableness test under Article 21 must conform to the principles of Article 14, ensuring fairness and equality.
Overview of the Digital Personal Data Protection Act, 2023
The DPDPA was conceived as an evolution of the Personal Data Protection Bill, 2019, to address growing concerns around data privacy and establish robust mechanisms for protecting personal data. Enacted on August 11, 2023, the DPDPA includes nine chapters and an annexed schedule detailing penalties for non-compliance. The Act seeks to balance individual rights with the need for lawful data processing by defining critical roles and responsibilities:
- Data Fiduciary: An entity determining the purpose and means of processing personal data.
- Data Processor: An entity processing data on behalf of a fiduciary.
- Data Principal: The individual to whom the personal data pertains, including children, persons with disabilities, and their lawful guardians.
The DPDPA explicitly defines “personal data” as information enabling the identification of an individual, either directly or indirectly.
Consent and Rights of Data Principals
Consent forms the cornerstone of data processing under the DPDPA. Section 4(1) stipulates that personal data can only be processed for lawful purposes, either with the explicit consent of the data principal or for specified legitimate uses. “Lawful purpose” is defined as any purpose not expressly forbidden by law, while implied consent is permitted under Section 7(a) for specific legitimate uses. For example, data voluntarily provided for a particular purpose may be processed unless the data principal explicitly withholds consent.
Section 5 mandates data fiduciaries to inform data principals of key details, such as the type of data being processed, the purpose of processing, and avenues for exercising their rights. These rights, detailed in Section 11, include access to information about shared data, data processing activities, and the identities of entities with whom the data has been shared. However, exceptions exist for law enforcement and national security purposes.
Critique of Consent-Based Framework
While the DPDPA emphasizes consent, its reliance on this framework presents challenges. The Act’s narrow definition of lawful processing undercuts broader safeguards for data principals. For instance, inaccuracies in pension or welfare data can severely impact individuals’ financial stability, yet the absence of corrective mechanisms for non-consensual data creates significant gaps in protection.
Recommendations for a More Inclusive Framework
To align with constitutional principles and ensure robust data protection, the DPDPA must expand its scope beyond consent-based processing. Allowing data principals to exercise rights over all data, irrespective of consent, would foster greater accountability and transparency. Furthermore, implementing comprehensive corrective mechanisms for inaccuracies in critical data, such as pensions or welfare records, would safeguard individuals from adverse outcomes.
Conclusion
The Digital Personal Data Protection Act, 2023, marks a significant milestone in India’s data protection landscape. Its provisions underscore the importance of privacy and aim to empower individuals in the digital age. However, the Act’s consent-centric approach and limited rights framework necessitate a re-evaluation to ensure alignment with constitutional mandates and evolving global standards. By broadening the scope of data principal rights and addressing existing gaps, India can establish a more inclusive and effective data protection regime.
References
- Griswold v. Connecticut, 1965 SCC OnLine US SC 124.
- K.S. Puttaswamy (Privacy-9J.) v. Union of India, (2017) 10 SCC 1.
- Constitution of India, Art. 21.
- Rustom Cavasjee Cooper v. Union of India, (1970) 1 SCC 248.
- Constitution of India, Art. 14.
- Joint Parliamentary Committee Reports, Seventeenth Lok Sabha, Report of the Joint Committee on the Personal Data Protection Bill, 2019 (December 2021).
- Digital Personal Data Protection Act, 2023.
- Personal Data Protection Bill, 2019.
- D.S. Nakara v. Union of India, (1983) 1 SCC 305.
SHARE :
