DIGITAL PRIVACY AND DATA PROTECTION IN THE INTERNET AGE

Azra Fatma, Tanzila Rahman, Shaikh Shad Ahmad

Editor - Sakshi Soni

Abstract

In the contemporary era, digital privacy and data protection has emerged as a critical area of concern by virtue of propelling use of technologies in request digitization. According to the United Nations, privacy remains a fundamental human right in the digital era.[1] However, the accelerating amount of data consumption has reduced privacy to a distributed, prosaic, and a technologically mediated concept. Thus, privacy rights have emerged as a cornerstone of individual freedom and autonomy in the digital age. This paper delves into the sophistication and challenges of privacy and data protection in the digital era along with mapping out the various legal provisions in India in the context of datafication. Further, it throws light onto the key judicial pronouncements and the current legislative developments regarding digital privacy and the protection of data along with a comparative insight with the international frameworks. This aims to provide an enhanced understanding of the entwinement of technological, regulatory and the ethical dynamics. Therefore, it fulfills the need for broader conceptual understanding of the preservation of privacy and data in the increasing era of datafication while focusing on the analogous attempts taken in India.

INTRODUCTION

When was the last time you actually read those privacy policies you keep clicking “Accept” on?

In an age of rapid technological advancement, where everything is entirely connected, digital privacy and data protection have evolved into a more crucial and vulnerable challenge for humans. It has transformed into a fundamental human right, rather than existing as a mere legal requirement. Digital privacy simply implies discretion over our personal information regarding its accessibility and use. Various information concerning personal life of an individual is constantly being collected without the complete understanding or knowledge of the individual. The digital era has completely altered the approach of exchange of information, communication and in even the way we perceive things and process ideas. Though technological innovations have strengthened accessibility and practicality, they have also raised substantial obstacles to personal privacy. With the intensifying use of social media, security monitoring and metrics driven governance, digital privacy has appeared as a foundation for personal liberty. The compelling reason behind this is the potential of our digital footprints of getting exploited by various entities like government, institutions, companies and even cybercriminals. Safeguarding privacy in the era of information technology is not only a statutory requirement but even an ethical obligation. It has become very vital to understand our privacy rights and approaches to protect them as we are delving deep to technological world.

CONCEPTUAL ANALYSIS

Digital privacy is a sophisticated integration of numerous aspects which includes data privacy and individual’s privacy in the age of innovation. It involves safeguarding of the personal information, which an individual shares with other individuals, corporations and public entities over virtual platforms. It centers on the management of sensitive and confidential data which includes personal communication, financial details, and numerous others being circulated on the virtual interfaces. The main objective of digital privacy and protection is that individuals can browse digital world, safely and reliably and even regulate private data. It affords protection to diverse categories of online scams, malware attacks, identity theft and several others.

Data protection can be termed as the regulatory and technical standards which involves safeguarding particular data from variants of cybercrime along with illegal access. It is a critical aspect of information management. It is not just a technical term, but focuses on facilitating one’s own space and autonomy in the era of digitization. It requires specialized process requirements, which institutions implement while handling data. Protection of data is important to ensure confidentiality, integrity and authorized use of it. Thus, security of personal data has evolved as a critical concern due to increasing volume of data collection.

CHALLENGES TO DATA PRIVACY

The ever-expanding landscape of data posits several challenges to the data privacy, at both the individual and the organizational levels. Few of such challenges are enumerated herein:

1.     Balance between Security and Privacy: The need to safeguard sensitive information makes robust security measures a crucial aspect. However, it is unfortunate that such measures usually come at the expense of privacy of the users. Thus, owing to this difficulty, striking a right balance between individual control and security has become a complex task.[2]

2.     Unauthorized Access: Another major concern regarding data privacy is the breach of data as hackers or other unauthorized entities have the potential to access personal data which are hoarded in large databases. By virtue of this breach, sensitive information of an individual such as medical records, financial details, or personal identities is subjected to public exposure.[3]

3.     Digital Surveillance: The proliferation of connected devices has raised significant concerns about digital surveillance. Data from various platforms like IoT devices, social media, and GPS tracking can be used to monitor movements, preferences, and activities of individuals, leading to privacy violations.[4]

4.     Data Ownership and Control: Data ownership is one of the most contentious issues in digital era. Most often there is ambiguity around the ownership of data collected, stored, and analyzed. Most users may not even realize or fully understand that their data is being utilized or that it is being exploited.

5.     Cross Border Data Flows: Data or information can now be easily transferred, shared or stored across geographical boundaries. Different countries have different frameworks to regulate data which makes it difficult for various organizations to comply with such regulations especially when user data is located in distinct jurisdictions.

6.     Data Retention and Deletion: Another critical concern is the retention and deletion of personal data. Various companies and organizations retain personal data for a longer period than necessary, thereby enhancing the risk of misuse and breach of data. Further, it may be difficult or even impossible for the individuals to delete or erase their data from such systems, making it a complex task.

Therefore, the urge to store and analyze personal data on such a massive scale necessitates comprehensive privacy protections, including stronger and broader regulatory frameworks, enhanced measures for security and better practices for data management. Moreover, failure to address such risks concerning privacy can lead to erosion of trust in the digital systems, resulting in substantial implications for businesses, governments, and consumers alike. 

INDIAN FRAMEWORKS GOVERNING DIGITAL PRIVACY AND DATA PROTECTION

In the era of digitization, where digital privacy has become extremely crucial, users must have certain reliable enhanced and effective data protection frameworks.

ARTICLE 21 of the Constitution of India guarantees that “No person shall be deprived of his life or personal liberty except according to procedure established by law.”[5] The scope of article 21 incorporates digital privacy as well. This is also confirmed by the findings of the United Nations which declares privacy as a fundamental human right. Nevertheless, right to privacy must be adequately resilient to the current digital landscape. The regulatory development of article 21 can be mainly traced as existing after the independence of India. Complementing the statutory framework, Indian judicial authority has affirmed the regulatory development in various judicial pronouncements from time to time.

The initial debate on privacy sparked in Kharak Singh v. state of Utter Pradesh[6] in which right to privacy was inferred as a part of right to personal liberty but it was not acknowledged as a fundamental right. Subsequently, the ambit of right to privacy was amplified in R. Rajagopal v. State of Tamil Nadu[7] in which it was recognized as a facet of Article 21.

The ruling in Justice K.S. Puttaswamy and Ors. v. Union of India and Ors[8] became a watershed event in the amplification of the scope of privacy in which right to privacy was recognized as a fundamental right under Article 21 of the Constitution of India. In Anuradha Bhasin v. Union of India[9], the Apex Court laid emphasis on the restrictions imposed by government on internet and directed that it must be limited, legitimate and reasonable. In the case of Faheema Shirin v. State of Kerala[10], the High court of Kerala held that the right to access the internet is intrinsic to educational, privacy and dignity rights under Article 21. Thus, these judgements reflect the judicial frameworks governing digital privacy and data protection.

INFORMATION TECHNOLOGY ACT, 2000[11]

The act, commonly referred as IT Act, is a legislation which deals with cybercrime, electronic and commerce governance.

Section 43A of the IT Act stipulates compensation for institutions and corporation, which fall short in protecting confidential data and making them liable for infringement of data protection obligation. However, the above-mentioned section of the Act is explicitly put into effect for corporate institutions.

Further, Section 72A of the IT Act deals with the liability for wrongful disclosure of confidential and personal information. This section makes it clear that if any individual including intermediaries, discloses any confidential information without proper consent, along with an intention to inflict wrongful profit or loss, he may attract liability and be punished with imprisonment of maximum 3 years, financial sanction up to 5 lakhs or even both.

Information Technology Rules of 2011[12]

In pursuance of the IT Act, 2000, the government of India notified IT Rules in 2011. These rules established the legal framework for safeguarding the confidential data pertaining to individuals. These regulatory frameworks are pertinent to all the corporates and individuals dealing with sensitive and confidential data within the country.

The Information Technology Rules of 2021[13]

The government notified the modified rules in 2021 as a continuation of the 2011 rules. The rules provide legislative framework for intermediaries including social media and digital media. These rules were brought into force by Ministry of Electronics and Information Technology (MEITY).

RIGHT TO INFORMATION ACT, 2005[14]

Section 8(1)(j) of the Right to Information Act absolves confidential data from disclosure if it has no association to any public service, or if it would cause an unjustified intrusion of privacy except where the disclosure of such data is legitimized by the larger public interest. This provision upholds privacy while preserving transparency under the RTI Act.

CONSUMER PROTECTION ACT, 2019[15]

The consumer protection rules notified in 2020, in pursuit of the Consumer Protection Act 2019, incorporates regulations to safeguard consumer data in e- commerce operations. It also provides for a digital redressal mechanism in case of data breach or infringement of other consumer rights. Further, the Act also guarantees certain rights such as right to be informed about data use and the right to give or withdraw consent, which are intrinsic to digital privacy and data protection.

AADHAAR ACT, 2016[16]

It is another important legislation in India, governing the essential right of data protection. The Act intends to assure effective delivery of subsidies and other benefits to the citizens of the country. Random 12digit unique numbers are assigned to all individuals of the country to ensure proper and effective delivery of benefits and services.

Section 29 of Aadhaar Act explicitly restricts the disclosure and exchange of biometric information. The Act in particular states that biometric information can only be used for Aadhaar authentication. Identity information should only be disclosed as specified by the regulations mentioned in the Act.

Section 30 of the Aadhaar Act, categorized biometric information as confidential and sensitive data. It is confidential because of its anticipated outcomes of security and even privacy.

Section 33 of the Act states about the need of disclosure of information in extraordinary situations. It allows sharing of confidential data, if directed by court and upon concern of national security directed by an officer not below the rank of joint secretary.

THE DIGITAL PERSONAL DATA PROTECTION ACT OF 2023[17]

The Digital Personal Data Protection Act, commonly known as the DPDP Act, 2023 indicates a significant shift in India’s regulatory mechanism with regard to data privacy. It aims to safeguards digital privacy of users by enforcing legal duty on corporations and individuals handling sensitive and personal data. The necessity to organize the data protection laws emerged in 2000s, due to manifold increase in the use of internet and rapid technological advancement.

In the landmark judgement of Justice K.S. Puttaswamy and Ors. v. Union of India and Ors, the Apex Court recognized the right to privacy as a fundamental right under the Constitution of India. In the aftermath of the judgment, a committee of experts was appointed by the government of India for Data Protection under the chairmanship of Hon’ble Justice B. N. Srikrishna. The committee submitted its report in July 2018 along with a draft of the Data Protection Bill. The Report reflected a wide range of recommendations which aimed at strengthening the Indian laws on privacy. The highlighting proposals of the report included restrictions on collection and processing of data, explicit consent requirements for sensitive personal data, right to be forgotten, creation of a Data Protection Authority, data localisation, etc. Subsequently, the draft of the Bill was revised and released by the Ministry of Electronics and Information Technology on November 18, 2022, titled as the Digital Personal Data Protection Bill, 2022.The Bill was afterwards passed by both the houses of the Parliament and finally received presidential assent on August 11, 202, thereby maturing in the Digital Personal Data Protection Act, 2023.

The scope of DPDP extends to the management of data across India, and in foreign countries as well, if it involves providing services and goods to the users of India. The Act extends to both private corporations as well as public institutions, as it seeks to impose stringent data protection standards on organizations to safeguard personal privacy. Personal data, as defined by the Act, encompasses all such information which have the potential to identify a natural person either directly or directly. This definition connotes a broader aspect to personal data, thereby including a wide range of data such as name, date of birth, contact and financial details, address, browsing history, etc. Thus, DPDP Act offers a comprehensive protection to personal data by inclusion of such an extensive array of information.

The Act consists of seven fundamental principles which are designed to ensure robust data protection:

• Equity and validity

• Purpose limitation

• Restricting data usage

• Authenticity

• Storage limitation

• Precautionary measures

• Accountability

These underlying principles presuppose certain restrictions such as lawful processing of personal data, collection of data for specific and legitimate purposes, minimization to what is necessary, data accuracy and update, storing personal data only for limited period, data deletion and security against unauthorized access and damage. These restrictions also imply various rights granted to individuals, referred to as the “Data Principals” under the DPDP Act. Some of these rights are access to personal data, erasure or deletion of data, right to rectify inaccuracies such as wrong or obsolete data, data portability, restricted data processing, right to object to data processing, right to grievance redressal and the right to nominate. The herein mentioned provisions empower individuals to retain control over their personal data. The Act also ensures that confidential data can only be disclosed with proper consent, which should be free from coercion, must be unconditional and qualifies certain other criteria as stated in the Act. The Act even stipulates financial penalties for contravention with regulatory standards.

In accordance with the committee’s report, an authority was established to oversee the enforcement of the Act, known as the Data Protection Authority of India (DPA). It is a statutory authority established under DPDP act of 2023 to supervise conformity and resolve breaches of data. It is an independent body bestowed with the responsibility to ensure compliance with the Act. It also has the power to scrutinize complaints, inflict fines, and make it mandatory for organizations to adhere to the recommended data protection standards. By fulfilling these roles, the DPA plays an important role in upholding the privacy rights of individuals.

Thus, one can say that the Digital Personal Data Protection Act 2023 reflects a comprehensive effort to safeguard privacy of individuals in the digital era. Through a broad interpretation of personal data, guarantee of specific individual rights, and establishment of key principles for data protection, the Act attempts to establish a secure and crystalline environment for processing of personal data. It also states obligations of data fiduciaries to obtain proper consent, ensuring clarity in data processing. Enforced by the Data Protection Authority of India, the DPDP Act ascertains that institutions comply with the given standards, thereby strengthening the aggregate privacy and safety of personal data in India.[18]

However, the provisions of the Act were comparatively generic in nature, in spite of the roadmap provided by the Act to combat the challenges accruing to data privacy. There was a need of effective enforcement through a comprehensive framework, which was sensed by the stakeholders of the Government.[19]Accordingly, the Ministry of Electronics and Information Technology, Government of India (MEITY) notified the Digital Personal Data Protection Rules, 2025 to bridge the gap between the declaration and enforcement of the Act.

The Digital Personal Data Protection Rules, 2025

The Digital Personal Data Protection Rules, 2025 [20]give full effect to the DPDP Act, 2023, thereby establishing a clear and practical system for protection of personal data in a proliferating digital environment. These Rules emphasize on the rights of individuals and on responsible and legitimate use of data by organisations. It aims to restrain the unauthorized commercial use of data, minimize negative digital impacts and foster a safe space for innovation. They are also expected to aid India in maintaining a strong and entrusted digital economy. Therefore, in order to carry this vision forward, the Rules outline several core provisions which are herein enumerated:[21]

·       Phased and Practical Implementation

The Rules provide for a phased compliance spread over a period of eighteen months. This is aimed to provide sufficient time to organisations for adjusting their systems and adopting responsible data practices. It makes it mandatory for every Data Fiduciary to issue a separate notice of consent, which should be clear and easy to understand. Further, the notice must also describe the specialized purpose for which personal data is collected and used. The rules also specify that the Consent Managers, who assist people in managing their permissions, must strictly be India-based companies.

·       Clear Protocols for Personal Data Breach Notification

The Rules provide for a clear and timely process to report personal data breaches. It states that in case of a breach, the Data Fiduciary must notify all individuals affected by the breach without any delay. Moreover, the message or notification must be in simple language and must clearly explain the breach, the anticipated impact and the measures adopted to address the issue. It must also include the details of the authority that could be contacted in case of requirement of any guidance.

·       Transparency and Accountability Measures

The Rules state that every Data Fiduciary must display clear contact information to address the queries related to personal data. The contact provided may be the contact of any designated authority or a Data Protection Officer. The significant Data Fiduciaries are subject to more compelling duties. They are instructed to conduct independent audits and organize impact assessments. They must also adopt stricter precautions while handling new or sensitive technologies. In some situations, they must even follow the directions of government with respect to the restricted categories of data, including local storage wherever needed.

·       Strengthening Rights of Data Principals

The Rules of 2025 act as an enforcement mechanism for the rights already provided under the Act. The individuals are guaranteed the right to seek access to their personal data or ask for corrections and updates. In certain situations, they may even request the removal or erasure of data. They may even employ an agent to exercise these rights on their behalf. It also states that in such situations, the Data Fiduciaries are compelled to respond and comply with such requests within ninety days.

·       Digital-First Data Protection Board

The creation of a fully digital Data Protection Board of India is also necessitated by the Rules, consisting of four members. It allows citizens to file complaints online and also track their cases through a dedicated portal and mobile application. This provision of a complete digital system allows quicker decisions while simplifying grievance redressal. It also provides for an authority to hear appeals against the decisions of the Board in the form of an Appellate Tribunal, known as the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).

INTERNATIONAL FRAMEWORKS

1.     THE GENERAL DATA PROTECTION REGULATIONS (GDPR)

The GDPR safeguards the data of the individuals, which is being handled by government owned entities and private institutions within EU. It was enforced in 2018 by the European Union. It stipulates legitimate handling of data, with proper consent of users and prescribes heavy financial penalties for breach of data. Moreover, Article 22 of GDPR mentions that institutions should ensure that any technology driven findings made about the users that is automated individual decision-making including profiling, must be based on fair, lawful and transparent procedures.

GDPR intensifies the pre-existing rights and provides enhanced authority to users on their confidential data. The Regulation provides convenient reach to the users own data, confers more information including how data is being handled and dealt with. The Act mandates that information provided should be clear and precise with proper comprehension. It also includes the provisions which enable the users to delete their data, when they are no longer in need to retain and process it. This provision is termed as the ‘right to be forgotten’. In the cases of serious data leaks, the corporations and institutions need to inform the concerned authority and the individuals impacted. The Regulation also ensures the appointment of data protection officer by businesses and corporations to handle the large-scale data processing and protect the sensitive data such as health records. Moreover, even the non-EU corporations are forced to comply with the rules of GDPR while dealing with service provision to the users of the European Union. In addition, it also mentions end to end encryptions and Pseudonymisation, which are designed to ensure privacy safeguards.[22]

2.     PIPEDA (PERSONAL INFORMATION PROTECTION AND ELECTRONICS DOCUMENT ACT)[23]

The Personal Information Protection and Electronic Documents Act (PIPEDA) is the privacy law of Canada which governs how institutions and corporations handle and disclose confidential data in commercial operations. The law is operative to both the private sector institutions and the public sector organizations, carrying out commercial activities. The main purpose of PIPEDA is to ensure that the users’ privacy rights are secured simultaneously, enabling business to be in operation in digitally driven economy.  The Act safeguards privacy rights which restraint cybercrimes such as identity theft and reputational harm. Non-compliance with the PIPEDA provisions results in financial penalties up to $100,000. Furthermore, the Act ensures that Canadian institutions can compete worldwide while safeguarding digital privacy.[24] The framework of PIPEDA is based on some of the basic standards as enumerated below:

1. Accountability: Institutions must specify individuals, who are accountable for PIPEDA compliance.

2. Identifying purposes: Organizations need to specify the objective for collecting data.

3. Consent: Appropriate consent must be taken from the individuals for disclosure of their personal data.

4. Limiting collection: Business corporations can only collect and use the required data which is necessary.

5. Accuracy: The data must be accurate.

6. Transparency: The data management practices should be fair and transparent.

7. Individual access: It enables individuals to correct inaccuracies in data.

8. Challenging compliance: It provides the individuals to impugning for non-compliance.

3.     CALIFORNIA CONSUMER PRIVACY ACT (CCPA)

California Consumer Privacy Act of 2018 guarantees the ‘right to know’ to individuals by virtue of which they have more authority over their confidential data that business corporations gather through various means and also over how it is being utilized and disclosed. The Act also includes the provision which mentions the ‘right to delete’, which implies that the users can request the business organizations to delete their confidential data, subject to some exceptions. The CCPA has introduced user-enable global privacy control which provide users with the right to opt out. This right enables the individuals to request the business corporations to discontinue disclosing personal data via user enabled global privacy control. Further, the Act also includes the right to correct which enables the users to correct their incorrect data. The Act also guarantees the right to limit use and disclosure of personal information which allows individuals to direct institutions to use their personal information such as transaction details, health records etc. only for required purpose.[25]

COMPARITIVE ANALYSIS OF INDIAN AND INTERNATIONAL FRAMEWORKS GOVERNING DIGITAL PRIVACY AND DATA PROTECTION[26]

A comparative analysis of the Indian and the other international frameworks suggest that the European Union possesses more stringent and comprehensive statutory provisions for data protection pursuant to GDPR, but in contrast with the data protection laws in India, the DPDPA has a stronger foundational framework. Nevertheless, the GDPR of European Union has robust extra territorial provisions while in India, the DPDPA incorporates less extensive extra territorial provisions. The Article 22 of GDPR unequivocally mentions automated decision framing provision, whereas in contrast, India does not have any such provision in any of the legislation.

Moreover, for adjudication and any encroachment of the provisions of GDPR, the European Union has autonomous regulators and substantial penalties are awarded to non-compliers, while in India the same is addressed by a government appointed board and hence lacks coercive power. Nevertheless, the DPDPA mandates the establishment of Data Protection Board of India, which handles the grievances, complaints and even imposes strict penalties for breachers. On the other hand, GDPR bestows power to data protection authorities for handling grievances while PIPEDA confers power to Privacy Commissioner of Canada for investigations.

Also, the framework of the European Union better coordinates with the constitutional rights assuring accountability and openness. In the Indian Constitution, legal interpretation of Article 21 has acknowledged right to privacy but unfortunately, Indian legislations such as DPDPA remains unmatched with European standards of digital privacy.

CONCLUSION:

Data privacy is one of the core issues faced by every country in the digital era. In India, the Digital Privacy and Data Protection Act acts as a cornerstone of contemporary legal framework to address the challenges posed by digital age. As technology is increasingly used by large number of people in every aspect of personal, social, and economic life, the concern for the protection of personal data has intensified over the past decades. The DPDP Act reflects a conscious legislative effort to respond to the concern of digital privacy such as mass data collection, surveillance, cybercrime, and unchecked power of digital platforms. By establishing clear rules on data collection, storage, processing, and sharing, the Act promotes transparency, fairness in the digital ecosystem.

The Act strengthens trust between the users and digital service providers, mandating robust security measures for data protection and providing remedies in cases of data breaches or misuse. These provisions not only protect users from harms but also enhances public trust in digital system which is essential for the sustained growth of digital economy. However, the success of the DPDP Act depends on its practical implementation, judicial interpretation and continuous evolution from time to time. As the technology evolves, the protection measures should also be updated from time to time. In addition, there are other legislations in India such as the IT Act of 2000 and the Aadhaar Act, governing the privacy rights in India. Not only this, the judicial interpretations in India have resulted in the recognition of the right to privacy as a fundamental right under Article 21 of the Constitution in the landmark case of Justice K.S. Puttaswamy and Ors. v. Union of India and Ors.

Further, the paper also analyses certain key international frameworks governing privacy and data protection such as the GDPR, PIPEDA and the CCPA, along with a comparative insight of these frameworks with the Indian framework. All these frameworks focus on the enhanced right of the individuals to manage and control their personal data, guaranteeing certain essential rights such as the right to access, right to delete, right to update, etc. It implies that an individual must remain the ultimate master of his or her personal and sensitive data, handling it as per his own discretion.

REFERENCES

1.     Anvesh Gunuganti, “Privacy and Data Protection in Digital Age”, Vol V, Journal of Scientific and Engineering Research, 358-365, 2018

2.     Adyasha Behera & Bhanu Pratap Singh, “Safeguarding Privacy in the Digital Era: Balancing Rights, Security, and Innovations”, VOL.V (issue II), Chanakya Law Review, 57-71, 2024

3.     Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1. Supreme Court of India.

4.     Romansky, R. (2017), Opportunities of the digital space and challenges for privacy and individual’s security, Proc. Of the 31st International Conference on Information Technologies (InfoTech-2017), 20-21 Sep., Bulgaria, pp. 169-178.

5.     The Digital Personal Data Protection Act, 2023, Ministry of Law and Justice, Government of India. Retrieved from: https://prsindia.org

6.     What Is PIPEDA? Canadian Privacy Law Explained Ondato Blog

7.     California Consumer Privacy Act (CCPA) | State of California - Department of Justice - Office of the Attorney General

8.     Report of the Committee of Experts on a Data Protection Framework for India (Chair: Justice B.N. Srikrishna), 2018. Ministry of Electronics and Information Technology. Retrieved from: https://www.meity.gov.in/

[1] United Nations Digital Library System, “The Right to Privacy in the Digital Age”, UN General Assembly (75^th sess. 2020-2021)

[2] Jane Doe, Misuse of Personal Data: The Risks of Unauthorized Sharing, Selling, and Use, 65 Privacy & Data Protection J. 45, 50 (2020)

[3] John A. Smith, Unauthorized Access and Data Breaches: Exposing Personal Information, 63 Cybersecurity L. Rev. 120, 125 (2018)

[4] Michael T. Johnson, The Rise of Surveillance: Privacy Implications of IoT, Social Media and GPS Tracking, 55 Tech. & Privacy L. Rev, 98, 102 (2019)

[5] Article 21, The Constitution of India

[6] Kharak Singh v State of Utter Pradesh, AIR 1964 SC 724

[7] R. Rajagopal v. State of Tamil Nadu, (1994) 6 SCC 632

[8] Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1

[9] Anuradha Bhasin v. Union of India, (2020) 3 SCC 637

[10]  Fahima Shirin v. State of Kerala, (2019) 16 SCC 1

[11] The Information Technology Act, 2000 (Act 21 of 2000), s. 43(A) and 72(A)

[12]  IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

[13]  The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021

[14]  Right to Information Act, No. 22 of 2005

[15] The Consumer Protection Act, 2019 (No. 35 of 2019) 16

[16] The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits, and Services) Act, 2016 (NO. 18 OF 2016) ss.29,30,33

[17] The Digital Personal Data Protection Act, 2023 (No. 22 of 2023)

[18] Ibid

[19] https://www.livelaw.in/articles/data-privacy-law-in-india-and-digital-personal-data-protection-rules-analysis-310865

[20] Digital Personal Data Protection Rules, 2025, Gazette of India, Extraordinary, Part II, Section 3, Sub-section (i) (2025)

[21] DPDP Rules, 2025 Notified, Press Information Bureau, Government of India

[22] 60 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 Apr. 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, [2016] O.J. L 119/1 (General Data Protection Regulation).

[23] What Is PIPEDA? Canadian Privacy Law Explained Ondato Blog

[24]  PIPEDA self-assessment tool: Personal Information Protection and Electronic Documents Act. 

[25] California Consumer Privacy Act (CCPA) | State of California - Department of Justice - Office of the Attorney General

[26]  Rahul Matthan, Get on with data protection now that the law’s enacted, MINT (15 Aug. 2023), https://www.livemint.com/opinion/online-views/get-on-with-data-protection-now-that-the-law-s-enacted 11692108114742.html (last visited July 17 2025); Digital Personal Data Protection Act, No. 22 of 2023, § 17(2)