DATA PROTECTION IN INDIA – FROM M.P. SHARMA CASE TO THE DPDP ACT, 2023

 DATA PROTECTION IN INDIA – FROM M.P. SHARMA CASE TO THE DPDP ACT, 2023

INTRODUCTION
Human civilization has always relied on the creation and preservation of information. Ancient texts such as the Vedas, Upanishads, and Puranas are organised compilations of human thought. Even the mythological idea of Chitragupta recording deeds reflects data collection, storage, and analysis. The principle remains the same; only the medium has changed—from palm leaves and oral traditions to digital systems.

INFORMATION IS A SUBSET
Data is a broad, unorganized mass of facts, instructions, and concepts meant for computer processing. When processed and organized, it becomes information. Privacy concerns arise not from all data, but from information that identifies an individual or reveals sensitive details. This forms the core of information-privacy debates in law and policy.

CONCEPT OF DATA PRIVACY
The term privacy comes from the Latin privatus, meaning withdrawn from public life. With technological advancement, “data privacy” has emerged to denote an individual’s control over the collection, use, and disclosure of personal information. It essentially reflects a person’s ability to decide what is collected about them, how it will be used, and who it will be shared with.

DATA PRIVACY AND DATA PROTECTION
These terms are often used interchangeably but differ. Data privacy concerns an individual’s right to control personal information, while data protection refers to the safeguards and protocols organisations must employ to prevent breaches or unauthorised use.

PURPOSE OF DATA COLLECTION

1. Government bodies collect data for governance, welfare, security, and identification.

2. Private corporations collect data for personalisation, monetisation, behavioural prediction, and commercial gain.

---

EVOLUTION OF DATA PROTECTION IN INDIA

PHASE 1: BEFORE 2000

In M.P. Sharma v. Satish Chandra (1954), the Supreme Court held that search and seizure does not violate constitutional rights under Articles 19(1)(f) and 20(3), and noted that the Constitution did not expressly recognise privacy as a fundamental right.
In Kharak Singh v. State of UP (1962), the Court struck down midnight domiciliary visits as violating the right to life, though not privacy.
In Gobind v. State of MP (1975), the Court accepted privacy as a right subject to public order, morality, and security.
Maneka Gandhi v. Union of India (1978) broadened the scope of personal liberty.
In PUCL v. Union of India (1997), the Court held that privacy is part of Article 21 and protected telephone conversations under Article 19(1)(g), subject to Article 19(2).

PHASE 2: BEFORE PUTTASWAMY

The IT Act, 2000 became India’s first cyber law. Section 43A, inserted in 2008, made corporate bodies liable for failing to protect sensitive personal data. The 2011 IT Rules defined intermediary liabilities.
The A.P. Shah Committee (2012) recommended national privacy principles for future legislation.
In 2015, the Gujarat High Court saw India’s first discussion of the “right to be forgotten,” though it declined to recognise it.

PHASE 3: AFTER PUTTASWAMY

In 2017, the Supreme Court declared privacy a fundamental right, emphasising the realities of the informational age and directing the government to create a data protection framework.
In 2018, the B.N. Srikrishna Committee released its report and draft bill, forming the basis for later legislation.
The RBI (2018–19) restricted storage of card details on online platforms.
The IT Rules 2021 required platforms to enable identification of message originators; the matter is pending before the Delhi High Court.
In 2023, Parliament passed the DPDP Act, India’s first comprehensive data protection law.
In November 2025, the government notified the DPDP Rules for implementation.

---

CHALLENGES DUE TO THE DATA BOOM

1. Personal Freedom and Revenue
   Traditional privacy protections were designed for the physical world, but digital activity is constantly tracked and monetised, raising questions about control over personal information.

2. Organisational Integrity
   Individuals routinely share personal details with institutions without knowing how they are stored or used. Ethical handling depends entirely on the organisation’s integrity, and most users ignore “Terms and Conditions.”

3. Technological Vulnerability
   Technology treats all data uniformly, exposing everyone to similar risks. Privacy is most compromised when data is analysed for patterns and behavioural predictions, enabling targeted influence and profiling—creating modern, technology-driven privacy concerns.

---

CONCLUSION
Data is a powerful resource, but also a risk to privacy. Judicial developments show that protection must preserve dignity, autonomy, and uninfluenced choice. The law has progressed from the IT Act to the DPDP Act, 2023, but genuine protection will depend on how responsibly organisations comply.

[1] Zee Media Bureau, ‘Chitragupta Puja 2022: Date, time, puja vidhi and significance’ (Zee News, 26 October 2022 < https://zeenews.india.com/culture/chitragupta-puja-2022-date-time-puja-vidhi-and-significance-2526842.html> accessed  23 November 2025

[1] Sanjay Jain, ‘What is Data vs. What is Information’ (Bloomfire, 10 February 2025) <https://bloomfire.com/blog/data-vs-information/> accessed 23 November 2025

[1] Maithreyi, ‘Challenges to Privacy and data protection in India’ (2022) 10 (1) IJCRT 1 <https://ijcrt.org/papers/IJCRT2201513.pdf > accessed 23 November 2025

[1] Quincy Maquet, ‘ A Company’s Guide to an Effective Web Site Privacy Policy’ (2001) 2 Chicago-Kent Journal of Intellectual Property 1 <https://studentorgs.kentlaw.iit.edu/ckjip/wp-content/uploads/sites/4/2013/10/02JIntellProp12001.pdf > accessed 17 November 2025

[1] Lloyd Law College, ‘Data Protection vs Data Privacy in Indian Law: What's the Difference?’ (Lloyd Law College Blog, 2020) <https://www.lloydlawcollege.edu.in/blog/data-protection-vs-privacy-indian-law.html > accessed 16 November 2025

[1] MP Sharma v Satish Chandra (1954) SCR 1077

[1] Kharak Singh v State of Uttar Pradesh AIR 1963 SC 1295

[1] Gobind v State of MP (1975) 2 SCC 148

[1] Maneka Gandhi v Union of India (1978) 1 SCC 248

[1] PUCL v Union of India (1997) 1 SCC 301

[1] Information Technology Act 2000

[1] Information Technology Act (Amendment) 2008, s 22 (inserting s 43A)

[1] Ardent Privacy, ‘Evolution of Data Protection Laws in India’ (Ardent Privacy Blog, 25 August 2023)  <https://www.ardentprivacy.ai/blog/evolution-of-data-protection-laws-in-india/> accessed 23 November 2025

[1] Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data) Rules, 2011

[1] Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011

[1] Press Information Bureau, Group of Experts on Privacy Submit Report (Press Release, Government of India, 18 October 2012) < https://www.pib.gov.in/newsite/PrintRelease.aspx?relid=88503> accessed November 2025

[1] Dharamraj Bhanushankar Dave v State of Gujarat, 2015 SCC OnLine Guj 7643

[1] Justice K S Puttaswamy (Retd) v Union of India (2017) 10 SCC 1

[1] Committee of Experts under Justice B N Srikrishna, Report of the Committee on Draft Personal Data Protection Bill, 2018 (Ministry of Electronics and Information Technology, Government of India, July 2018) <https://www.prsindia.org/files/bills_acts/bills_parliament/2019/Committee%20Report%20on%20Draft%20Personal%20Data%20Protection%20Bill,%202018_0.pdf > accessed 24 November 2025

[1] Reserve Bank of India, Storage of Payment System Data (FAQs, 26 June 2019) <https://www.rbi.org.in/commonman/english/scripts/FAQs.aspx?Id=2995> accessed 24 November 2025

[1] Reserve Bank of India, Device-based Tokenisation - Card Transactions (FAQs) <https://www.rbi.org.in/commonman/english/scripts/FAQs.aspx?Id=2917 > accessed 24 November 2025

[1] Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021.

[1] Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021

[1]WhatsApp LLC v Union of India W.P. (C) 682/2021 (Delhi HC, pending) accessed 24 November 2025

[1] Digital Personal Data Protection Act 2023

[1] Press Information Bureau, DPDP Rules, 2025 Notified -A Citizen-Centric Framework for Privacy Protection and Responsible Data Use  (Press Release, Government of India, 17 Nov 2025)  <https://www.pib.gov.in/PressReleasePage.aspx?PRID=2190655 > accessed 22 November 2025

[1]  M Janssen, M Wimmer and H Deljoo (eds), EGOV 2014: Electronic Government - LNCS 8653 (Springer 2014) 253- 264