Image source -

This article is written by Deepanwita Sengupta. 


This article mainly focuses on the emergence of data surveillance by the government and private bodies in new age India and how it is simultaneously breaching our privacy and violating the fundamental rights guaranteed by our constitution and affecting the lives of innocent citizens who are unaware of the data hoarding. This paper mainly analyses the various controversies related to data privacy in recent times like the introduction of AADHAR bill and how it can lead towards a totalitarian state which can manipulate citizens for their own advantage with unauthorised and uninformed selling of data to private bodies in the name of development and growth, without taking the citizens consent in mind.

The biggest irony of the situation is the justification of the government of illegally selling data of citizens without their consent or knowledge claiming it to be totally legal and a crucial step for the development of our country which will benefit our economy. Benefits have only been considered from the government’s viewpoint and only from the perspective of private entities and not from the position of the innocent citizens whose data is being shared without their consent or permission. The data-driven policy has changed law enforcement all around the world with the emergence of big data and surveillance. In the 21st Century with data being one of the most powerful sources of domination, this blatant disregard towards data hoarding has led to a major violation of our fundamental rights and with the introduction of The Personal Data Protection Bill 2019, there is a growing sense of worry about our data privacy and its protection as this bill gives clear exemptions to government agencies from scrutiny and uncontrolled authorisation further diluting our right to privacy.

Download Now

Data protection at a glance 

The 21st century has witnessed massive growth and development than any other century in the history of mankind owing it mainly to the expansion and spread of technology all around the world leading to some of the biggest innovations in the field of information and technology that has led to us to a new era, an era of ‘Information, Data, Technology and Social media’ which has further been inscribed in our day to day lives and changed the way humans lived and behaved. Our legislation to still be relevant in this new world and a new era of technology has to keep up with its fast pace and networks, laws need to be amended and changed and new laws need to be created to adapt to these new conditions and new challenges it brings with it. Information and technology are pervasive in every facet of our being and day to day lives. New technology creates new situations which existing law can’t control. Technology has highly influenced and changed the way we look at our world and has made us heavily dependent on it and has made it almost impossible to escape from it.

In the era of data-gathering and use by on-line businesses, the new technology has made it possible to not only store personal information provided by the consumers but also to track consumers’ decisions as they surf online sites, hence there has been a growing demand of securitising data under data protection. The passage of time has revealed that the unique characteristic of common law enabled the judges to allow requisite protection without the interposition of the legislature i.e. privacy or also known as ‘Right to be left alone’. Tort law has evolved into privacy concerns clearly showing how changes in law enforcement have a direct relation to the new data-driven policies, these have led to a profound impact on constitutional law too as we can see in the ‘AADHAR’ controversy. In May 2017, The Economist called data the most powerful resource even more valuable and of interest than oil, which was a major realisation as to how law enforcement has changed around the world and how highly it revolves around data hoarding and data mining and surveillance of this data, now the power is being determined by how much data the government holds and controls.

Important provisions of the data protection bill 2019

Free movement of data nowadays is a threat to the right to privacy of natural persons hence stress must be given to strictly adhere to confidentiality of information. To maintain an adequate level of fundamental rights and freedom the Indian government introduced the Data Protection Bill to strengthen the protection of personal data. The Personal Data Protection Bill, 2019 was brought by the Minister of Electronics and Information Technology, Mr Ravi Shankar Prasad on 11th December 2019. The Bill’s main aim is to provide for the protection of personal data of each and every individual, and also wants to further establish a Data Protection Authority to look into the matters.

According to the minister, the committee has brought out a draft Personal Data Protection Bill (PDPB) and wide-ranging discussions and consultations have been conducted on the recommendations and advice of the committee with a strong view to finalise the draft legislation. The Bill regulates the processing of personal data of individuals by the government and private entities incorporated anywhere in India and abroad. Processing is allowed if the individual gives consent, or in a medical emergency, or by the State for providing benefits. Which is a big step towards ensuring data privacy and protection of individual’s rights and giving paramount importance to free consent? The Bill formulates rules for the processing of personal data by the government, companies incorporated in India foreign companies dealing with personal data of individuals in India. Personal data deals with data which pertains to characteristics and attributes which are unique to an individual and categorize them as sensitive personal data with a scope that includes financial data, biometric data, caste, religious or political beliefs etc.

The Personal Data Protection Bill, 2019 majorly deals with privacy and security of data and information of Indian citizens. The government said it is also working on amendments to the temporary guidelines under the IT Act regarding the matter, and will also look into the rules regulating the internet and social media companies such as WhatsApp and Facebook etc., the main aim being to curb rumours and fake news which has grown rapidly over the last few years with the necessary requirement to provide for a voluntary user verification mechanism for users in India. The Bill brings in the Data Protection Authority which will take steps to protect the interests of individuals, and prevent the misuse of personal data, and will ensure compliance of the Bill. It shall consist of a chairperson and six members, with at least 10 years of experience in the field of data protection and IT.  Orders of DPA can be appealed to an Appellate Tribunal and further Appeals from the Tribunal will be challenged in the Supreme Court.

The bill specifically defines personal data as any data of a natural person which allows direct or indirect identifiability. Moreover, sensitive personal data has been defined as financial data, biometric data, and includes religious and political beliefs, caste, transgender status, and official government identity documents like PAN etc. The bill also restricts and imposes conditions on cross-border transfer of personal data and Sensitive personal data shall be transferred outside India only if explicitly consented by the individual. The minister also stated in his statement that the country’s data sovereignty is non-negotiable. And the interests of the public should not be sacrificed and must be vital behind formulating these policies. 

The biggest flaw of the bill can be witnessed through the exemptions granted as the central government has exempted its agencies from the provisions of the bill by citing the interest of the security of the state, public order, sovereignty and integrity of India and under friendly relations with foreign states. The grounds to process personal data also covers under its scope the order of State for providing benefits to the individual, legal proceedings and to respond to a medical emergency which makes our sensitive data quite perceptible and out in the open for manipulation. Moreover, the personal data processing is also exempted from provisions of the Bill for purposes such as prevention, investigation, or prosecution of any offence, or personal, domestic, or journalistic purposes which again makes the individual’s data quite vulnerable to misuse as it is still available to certain sectors without the individual’s consent at their own disposal.

Justice B.N. Srikrishna, who headed the committee whose reports were used to form the core structure of the Bill has used words such as “Big Brother” in response to the safeguard removal for Government agencies. It was previously noted by the committee that privacy faces major danger which can be harmful for its protection from the state and the non-state actors. It, therefore, emphasised more on the importance and need for exemptions to be more impermeable and strong and available for use only in times of acute necessity and available only in special limited circumstances. The committee also highly recommended a law to look over the various intelligence-gathering activities that the government is responsible for and to hence keep a check on the means by which non-consensual processing and use of data takes place in the day to day activities which can be a hindrance to the privacy of individuals.

The main question that is brought in the forefront from this reveal and also the biggest concern, is the selling of this data even legal? Moreover, is the data even public? Or is it a clear intrusion in our privacy and clearly violating our fundamental right to life and liberty under Article 21 of the Constitution of India, 1950. And the main question of concern is whether the commercialisation of this data for the public good or an invitation for more inconvenience through data breach and violation of our fundamental rights guaranteed by our constitution. The emergence of big data and surveillance and data-driven policy has totally changed our government’s approach of working of our country by totally digitalising our day to day transactions and also our personal details in their government databases to manipulate our minds and furthering the agenda of easily implementing their new legislation and policy decisions with minimum resistance.
          Click Above

Indian privacy laws

Indian privacy laws engage into almost similar concepts of global terminology of data handling while simultaneously not using the exact terms. In terms of usage, it is quite clear that Privacy Rules protect the data-subject i.e. an entity the data of which is being protected from collection; usage; and disclosure of its information without its knowledge or consent. The real reason behind the need for triggering the Privacy Rules is collection, possession, handling/dealing or transfer of ‘personal’ or ‘private’ information as given under rule 2(1)(i) of the Privacy Rules. It is very clear that the data subject in Indian privacy laws is mainly an individual. We can make out from the act is that predominantly, the data between the corporate bodies are not protected except in the situation where it relates to individuals (for e.g. banking data of overseas personnel). It is very important to note that there is no material legal distinction in terms of obligations between a data controller and a data processor which along with others brings its own set of problems. The range of information that is protected is not all personal information but only “sensitive” personal data or information (“SPDI”) according to the bill. In reality, the pool of information that is considered ‘sensitive’ is fairly low and there are no specified obligations relating to the sensitivity of data.

There has been an introduction of data protection laws which are clearly focusing on the protection and privacy of data. This had been introduced in the Information Technology Act, 2000 in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules. These privacy laws have not been introduced with the intention of keeping it restricted only to the technology sector but these rules can also be applied equally and with the same force and compliance to all sectors and operations without any specified restriction as such because data protection principles are a very universal and crucial topic. This brings our attention to the concept of Right to privacy and its impact in India which is interwoven and interconnected to the concept of data protection and breach of personal data.

On July 4, 2019, the central government of India released its economic survey for 2018-19 which has one of its chapters titled “Data ‘Of the People, By the People, For the People'”. The government laid out the reasons why its data, and ours, must be sold. Section 4.12 according to the survey mentions the fact that “in the last two decades, the world has witnessed the emergence of companies, such as Facebook, Amazon, Instagram, etc., who earn revenue exclusively from people’s data.” Hence again justifying the actions of data surveillance because of the growing needs of the world and the race to keep up with new innovations for the betterment of our economy.

Right to privacy and aadhar

The Parliament of India on July 9th 2019 passed the Aadhaar (Amendment) Act 2019, the main aim of the bill is to modify the existing laws concerned with the use of biometric data for authentication of identity of an individual for the various purposes of grant of facilities, services, benefits and subsidies to individuals all around the country. The Act offers to allow voluntary use of Aadhaar cards which can be found helpful in getting mobile connections and bank accounts easily. The compulsory use of Aadhaar card based on the KYC for mobile connections and bank accounts was earlier prohibited by the apex court in its judgment delivered on September 26, 2018, which had upheld the constitutional validity of the Aadhaar Act, with introduction of certain restrictions and changes to bring it within the four corners of the Constitution of India 1950.

The Aadhaar Amendment Act 2019 aims to amend Indian Telegraph Act to allow the voluntary use of Aadhaar for identity verification by the banks before opening of a bank account. Without a robust data protection law, private entities cannot be permitted to store sensitive biometric data of citizens which simultaneously allows free flow of data for the benefit of the government without the consent or knowledge of the public which can be misused by private entities threatening the individual’s right to privacy. It is introduced so that it can facilitate the voluntary use of Aadhaar number for identity verification to use the 12-digit unique number for verification of identity of an individual. The Act also suggests an amendment to the Prevention of Money Laundering Act to allow the voluntary use of Aadhaar for identity verification by the banks before the opening of a bank account. This leads to the major landmark decision which changed the privacy jurisprudence for good.

Justice K.S Puttaswamy & anr v. Union of India

This was a landmark case in the Indian judicial history where the apex court once and for all made a firm stand on the issue of Right to Privacy as a fundamental right and declared the same, the bench did so by over-ruling both MP Sharma and Kharak Singh cases where it was held that there was no fundamental right to privacy. This decision has brought the much-needed relief and clarity in our country’s privacy law and jurisprudence. It held that privacy is a fundamental right, and the judgment also judged that informational privacy is a subset of our fundamental right to privacy. Discussions were held where it was led to the conclusion that liberty and privacy are pre-existing natural rights granted to an individual and that if our liberty is of fundamental value under our Constitution, then privacy is inherent too to be included in that value. Privacy is not a should not exist in the shadow of other rights, rather it should be the essence of our dignity, freedom and liberty.

Aadhaar is considered to be a serious invasion into the right to privacy of persons and it simultaneously also has the tendency to lead to a surveillance state where each individual can be kept under surveillance and under constant scrutiny of the state by creating his/her life profile and also track his/her movement based on his/her use of Aadhaar. The petitioners in the constitution bench case also contested that it could lead to a totalitarian state if Aadhaar project is allowed to continue. Data-driven policies have led to the government to give large emphasis on the Aadhar project which is against our democratic principles and rule of law, which is the backbone with the help of which the Indian Constitution stands.

It stands against the constitutional values and morality and has the power which would enable an intrusive state to become a surveillance state on the basis of information and data that is collected from all the individual citizens of the country by creation of a mesh of data. The Act strikes at the privacy of each individual thereby offending the right to privacy which was elevated and given the status of fundamental right in the Indian constitution under the Articles 14, 19 and 21 of the Constitution of India by a nine Judge Bench judgment of the apex court in K.S.Puttaswamy & Anr. v. Union of India & Ors. The cons of this kind of situation are the enormity of data that is being breached and sold. Hence the amount of people whose lives are being manipulated and also whose fundamental rights are being breached is a huge amount and hence this situation can’t be taken lightly as a thorough discussion of these policies is needed and this situation must be immediately dealt with as big data and surveillance has changed the way our governments all around the world are functioning.


Data Protection Bill 2019 is the most relevant example to the theme as to how data-driven policy has changed law enforcement, as nowadays the legislators have to keep in mind the current scenario we live in i.e. technological era and need to make the legislations which can live up to the newly emerging needs and problems arising out of our current situation which includes cyber-crime, social media bullying, privacy breach, data hoarding etc.

The data out there makes us more vulnerable as if fallen into wrong hands it can become a large threat to our freedom leading to more anti-social and criminal behaviour which can be used as a weapon either by the individuals for personal gains or also by other nations to promote their own agendas in future. Big data and surveillance offer highly sophisticated opportunities for law-breaking in non-traditional ways as society relies on computerised systems for everything from air traffic control to medical procedures to national security even a small glitch in these operations can put our lives in danger.

Data protection laws are covered under the notion of property as in cyber world data is nothing but the core of our property-specific legislative measures and are all part our right to proprietorship. The PDP bill is not adequate to address the privacy-related harms of our data economy in India and hence it has become quite important with the growing needs of our society and a technologically emerging world where a data breach is a real problem this area of law is coming of age in India and will hopefully be resolved with proper solutions and strategy in the near future.


  • S.V Joga Rao, Computer Contracts and Information Technology Law (2nd Ed. 2005)
  • David Parkins, “The world’s most valuable resource is no longer oil, but data”, Regulating the internet giants (May. 5, 2020, 6:40 PM),
  • David Parkins, “The world’s most valuable resource is no longer oil, but data”, Regulating the internet giants (May. 5, 2020, 6:40 PM),
  • India, “Personal Data Protection bill, 2019,” Pub. L. No. 373 of 2019, (May. 6, 2020, 9:00 AM),
  • Ministry: Law and Justice, The Personal Data Protection Bill, 2019, (May. 5, 2020, 8:05 PM),
  • M.Palaniswamy, R.Nandle, “Understanding India’s Draft Data Protection Bill”, (May 6, 2020, 11:00 AM),

LawSikho has created a telegram group for exchanging legal knowledge, referrals and various opportunities. You can click on this link and join:

Follow us on Instagram and subscribe to our YouTube channel for more amazing legal content.


Please enter your comment!
Please enter your name here