Bhaskar Mishra

Vivekananda Institute of Professional Studies


Every state or government has considerable power to look into the personal affairs of an individual, but what you eat or drink, how much money you have in the bank, or what religion you profess should not be a concern of the government. If we need to question the Government we have the Right to Information Act[1], but to question an individual we need the Right to Privacy. This right is available against the state, journalists and even your neighbours. The Supreme Court of India is the protector of the rights of the individual, and so when we see judgments coming out on Section 377[2], Triple Talaq[3] and the famous Aadhaar card[4], we question a lot of things, which we will discuss further in this article. Let's see what the status of privacy is in the Indian legal system and the story behind bringing it under the Fundamental Rights.

Keywords: personal data, rights, privacy.

The History and Evolution of Data protection.

The history of data protection in India starts with the Aadhaar case[5]. While the Aadhaar case was pending, the government made a proposal to the Supreme Court with reference to the right to privacy, taking the position that there is no fundamental right to privacy in India and that it is not guaranteed under the Constitution. The Supreme Court had a Constitution Bench rule on this issue, during which the government was constituting a committee under a retired Supreme Court judge, with several governmental agencies, to come up with what is a Personal Data Protection Bill.

The Relationship between Service provider and User

Data protection matters particularly in the digital era, where personal information is collected by both governmental and non-governmental entities. Where there is information asymmetry there is also power asymmetry. This is the relationship between a service provider and the user, or the state and the citizen, in which the service provider collects information from the user or the state collects information from a citizen[6]. So far there has been no legislative or statutory protection of the users’ interests in that relationship. In the case of a service provider and a user of the service, the relationship was largely governed by ordinary contract law; there is no added statutory or legislative protection that safeguards the interests of the user and recognises the power asymmetry between such a service provider and a user. The power asymmetry arises largely because the user is unable to forecast the harms that the service provider can inflict by violating their privacy. For instance, personal data is collected without any limitation of purpose and without telling the user what it is needed for. This is something we see in everyday life: you go to a supermarket and, for no reason, your email address and phone number are collected. This was not always the case: you went to a kirana store, bought whatever you wanted and returned home, and you did not have to give the rest of your details to that store. Personal information is now collected and harvested for the sake of data, and every service provider has become data hungry[7]. With this personal data comes superior power, and it is used to map and combine different databases, make sense of people’s behaviour and profile people. Such indiscriminate data collection, storage and processing[8] needs fixing. To fix this asymmetry of power, several countries now have legislative protection in the form of data protection laws.

The Promise of Government

This is arguably the history of modern data protection in India[9]. Although the Information Technology Act, 2000, and particularly the reasonable security practices rule that came in 2008, are part of this history, the contemporary history of data protection in India starts with the Aadhaar case and the Government’s information to the court that it was constituting a committee headed by retired Supreme Court judge Srikrishna[10]. The committee came out with a white paper and a draft bill in 2018. There were multiple rounds of consultation, although the constitution of the committee itself was questioned on the ground that it did not have broad-based representation from civil society groups and people who work in the human rights field. The committee came out with the bill in 2018, The Data Protection Bill, 2018, and even that went through a couple of rounds of consultation[11]. The draft did not find its way to Parliament. The 2019 bill, which borrows a lot from the 2018 bill but still has significant differences from it, was introduced in Parliament in the winter session and is now before the joint ad hoc committee.

Fundamental Principles

Any data protection legislation must be based on fundamental principles that have been recognised and evolved by privacy and data protection rights activists, experts and thinkers working in this area. Some of these have crystallized as the seven principles that one can read in the principles of the Indian Privacy Code, 2018, from the Save Our Privacy campaign[12]. The draft of the Indian Privacy Code, 2018 has now been introduced in Parliament as a private member’s bill by Ravi Kumar of the DMK party.



Q. What is the origin of these principles?

It is a collection drawn from debates, discussions, multiple roundtables and inputs conducted by the Centre for Internet and Society, Bangalore; the report of the Justice A.P. Shah committee of experts; and a huge number of submissions to the Justice Srikrishna committee of experts by lawyers throughout the globe. It also draws on references from the Privacy Protection Bill, 2013.


“Individual rights are at the center of privacy and data protection and must be empowered by promoting the right to privacy including the right to dignity and autonomy. The protection should encourage innovation and sustenance”


“A data protection law must be based on privacy principles. It should include the advancements of technology and global practices. The guidance of the Supreme Court’s right to privacy decision and inspiration from the European Union’s GDPR should be kept in mind”


“A strong privacy commission must be created to enforce the privacy principles. The need for a strong legal regime to ensure the best outcome, an Independent privacy commission. A commission that holds the violator accountable and provides justice to the user.”



“The government should respect user privacy and only use the power for cases of emergency and high security risks. The Commission must always have jurisdiction and authority over the government.”


“A complete privacy code comes with surveillance reform. The need to limit the actions of the government or the data controller which will judge the actions or the data controller. The victim of the illegal surveillance must be informed about his/her privacy breach.”


“The right to information needs to be strengthened and protected. The protection of privacy already exists in the RTI act and is clearly the subject of public interests and so it should stay that way.”


“International Protections and Harmonisation to protect the open internet must be incorporated. The reach of Indian Privacy code, 2018 should not only be limited to national borders but should be global because the threats are not limited to our homes anymore.”

Remarkable Cases in the Journey of Right to Privacy.

  • M.P. Sharma vs. Satish Chandra (1954)[13]
  • This case related to the investigation of the Dalmia Group. The allegations were that the Dalmia Group was involved in money laundering and malpractices and that, to hide these practices, it was forging documents and submitting fraudulent balance sheets.
  • The government started an investigation and issued warrants for search and seizure at 30+ locations of the Dalmia Group.
  • The Dalmia Group challenged the investigation, stating that along with the company documents the government was also looking into personal documents, and that this action was a violation of their fundamental right to privacy.

The Supreme Court held that “for the security of the society the state was provided overriding powers of search & seizure”. The bench also held that “there is no such concept of right to privacy in the Indian Constitution”.

  • Kharak Singh vs. State of U.P. (1962)[14]
  • This case relates to the concept of surveillance. Kharak Singh was arrested in a case of dacoity[15]; later, for want of substantial evidence, he was released.
  • The police later used the U.P. Police Regulation[16] and imposed surveillance on him. Under the rules they could:
    1. Suspect anyone who came in contact or met with Kharak Singh.
    2. Make domiciliary visits and call him to the police station at any time for questioning.
    3. Track him or anyone in his family wherever they went or visited.
  • After being harassed in all these ways, Kharak Singh filed a writ petition challenging the surveillance and the police regulations. He stated that all these acts by the authorities restricted his fundamental right to move and his right to life and personal liberty.

The Supreme Court held that only domiciliary visits were unconstitutional, while every other regulation was deemed valid. It also held that the right to movement under Article 19 (i)(D)[17] is infringed by physical restriction only.

However, Justice Subba Rao’s dissenting opinion was also considered important. He said, “anybody can enjoy freedom of movement anywhere for personal purposes. If the movement is being tracked then how is it free?”.

Both these cases made it clear that the Right to Privacy is not a fundamental right and is not guaranteed by the Indian Constitution. Along the same line, a different case emerged:

  • People’s Union for Civil Liberties (PUCL) vs. Union of India. (1997)[18]
  • Famously known as the wiretapping case. The former Prime Minister Chandra Shekhar alleged that the government was tapping his phone and those of 27 other politicians.
  • A CBI investigation revealed widespread tapping of phones by the government.
  • PUCL filed a PIL in the Supreme Court and asked for clarity on wiretapping and phone tapping, and also asked about the remedies available to people who are victims of such acts.
  • Hence, section 5(2) of the Indian Telegraph Act[19], which gave the government the power to tap the wires and phones of people for public safety, emergency and security, was challenged.

The Supreme Court made some clarifications and guidelines in this case against phone tapping.

  • The first clarification was that the Right to Privacy is embedded in the Right to Life and Personal Liberty[20].
  • The second clarification was that telephonic conversations are personal and intimate and hence fall under the Right to Privacy. The guidelines were accordingly codified in Rule 419 (A) of the Indian Telegraph Rules[21].
  • The Rule established that section 5 of the Indian Telegraph Act[22], which gave the government permission to tap phones, will now be used only in unavoidable circumstances, authorised by either the Union Home Secretary or the State Home Secretary.

Coming to the most important and landmark judgment, the Aadhaar case:

  • Justice K.S. Puttaswamy vs. Union of India (2017)[23].
  • The National Identity Project, the Aadhaar project, was challenged. It was stated that this project infringes the Right to Privacy[24].
  • The advocate general of India, in support of the project, said that “there is no Fundamental Right to privacy available to the Indians”[25]. The argument was supported by the judgments in the M.P. Sharma and Kharak Singh cases, as it was held in both that the right to privacy is not guaranteed by the Indian Constitution.
  • Hence, to discuss this further, a 9-judge bench was established in August 2017. In a unanimous judgment the bench held that “yes! Indians do have a Right to privacy. Indians enjoy the fundamental right to privacy, the support of this you will find under article 21.”[26]
  • It was also held that there is no need to make a separate declaration to practise the right to privacy, as Articles 14, 19 and 21[27] hold this right sufficiently.


It is strongly advocated here that a data protection regime in India must include comprehensive surveillance reform. The surveillance power in India, which lies with various intelligence agencies and various governments to tap telephones and intercept mobile signals, falls under section 69 of the Information Technology Act[28] and section 5(2) of the Telegraph Act[29]; and generally, even without invocation of any legislative power, we see indiscriminate surveillance by the Government of India, agencies associated with the Government of India and even the state governments.

The RTI Act, 2005 has greatly empowered a number of people. We also see the section 8(1)(j) exemption under the RTI Act[30], which exempts the disclosure of personal information that carries a privacy interest; it is widely considered to be a provision misused by the government to shield a lot of data that otherwise has a lot of public interest attached to it. When we want privacy for individuals or citizens we also want more transparency from the government, but what happens is that RTI is cited to defeat right to privacy interests and the Right to Privacy is cited to defeat individuals’ right to information. Therefore the Right to Privacy or data protection must enforce the existing RTI regime. The protections under the Right to Information Act should not be expanded at the altar of the Right to Privacy or the Data Protection regime unjustly.

[1]Right to Information Act, 2005. (Act No. 22 of 2005)

[2]The Indian Penal Code, 1860. (Act No. 45 of 1860)

[3]Shayara Bano v. Union of India, 2017 9 SCC 1.

[4]Justice K.S. Puttaswamy v. Union of India, 2017 10 SCC 1

[5]Justice K.S. Puttaswamy v. Union of India, 2017 10 SCC 1

[6]D. Yagil, The Service Providers. (Palgrave Macmillan UK, Switzerland, 2008)

[7]Jeri Freedman. Privacy, Data Harvesting, and You. (Rosen Publishing Group, US, 2019)

[8]Robert A. Cropf and Timothy C. Bagwell. Ethical Issues and Citizen Rights in the Era of Digital Government Surveillance. (IGI Global, US, 2016)

[9]Naavi. Personal Data Protection Act of India (PDPA 2020): Be Aware, Be Ready and Be Compliant. (Notion Press Media Pvt. Limited, India, 2020)

[10]Rahul Matthan. Privacy 3.0: Unlocking Our Data-Driven Future. (HarperCollins Publishers India, 2018)


[12]7 principles of the Indian Privacy Code, India, available at: (last visited on June 3, 2021).

[13](1954) 1 SCR 1077

[14](1964) 1 SCR 332, AIR 1963 SC 1295

[15]The Indian Penal Code, 1860 (Act No. 45 of 1860) S. 391

[16]THE POLICE ACT, 1861. (Act No. 5 of 1861)

[17]The Constitution of India, 1950, Art. 19 (i) (D).

[18](1997) 1 SCC 301

[19]Indian Telegraph Act, 1885 (Act No. 13 of 1885) S. 5(2)

[20]The Constitution of India, 1950, Art. 21.

[21]The Indian Telegraph Act, 1885 (Act. No. 13 of 1885) R. 419 (A)

[22]The Indian Telegraph Act, 1885 (Act. No. 13 of 1885) S. 5

[23]2017 10 SCC 1

[24]N.S. Ramnath and Charles Assisi. The Aadhaar Effect: Why the World’s Largest Identity Project Matters. (OUP India, 2018)

[25]2017 10 SCC 1

[26]2017 10 SCC 1

[27]The Constitution of India, 1950, Art. 14, 19 and 21

[28]Information Technology Act, 2000 (Act. No. 21 of 2000) S. 69

[29]The Indian Telegraph Act, 1885 (Act. No. 13 of 1885) S. 5 (2)

[30]Right to Information Act, 2005. (Act No. 22 of 2005) S. 8 (1) (j)
