DATA PROTECTION IN INDIA – FROM M.P. SHARMA CASE TO THE DPDP ACT, 2023
INTRODUCTION
Human civilization has always relied on the creation and preservation of information. Ancient texts such as the Vedas, Upanishads, and Puranas are organised compilations of human thought. Even the mythological idea of Chitragupta recording deeds reflects data collection, storage, and analysis. The principle remains the same; only the medium has changed—from palm leaves and oral traditions to digital systems.
INFORMATION IS A SUBSET
Data is a broad, unorganized mass of facts, instructions, and concepts meant for computer processing. When processed and organized, it becomes information. Privacy concerns arise not from all data, but from information that identifies an individual or reveals sensitive details. This forms the core of information-privacy debates in law and policy.
CONCEPT OF DATA PRIVACY
The term privacy comes from the Latin privatus, meaning withdrawn from public life. With technological advancement, “data privacy” has emerged to denote an individual’s control over the collection, use, and disclosure of personal information. It essentially reflects a person’s ability to decide what is collected about them, how it will be used, and who it will be shared with.
DATA PRIVACY AND DATA PROTECTION
These terms are often used interchangeably but differ. Data privacy concerns an individual’s right to control personal information, while data protection refers to the safeguards and protocols organisations must employ to prevent breaches or unauthorised use.
PURPOSE OF DATA COLLECTION
-
Government bodies collect data for governance, welfare, security, and identification.
-
Private corporations collect data for personalisation, monetisation, behavioural prediction, and commercial gain.
EVOLUTION OF DATA PROTECTION IN INDIA
PHASE 1: BEFORE 2000
In M.P. Sharma v. Satish Chandra (1954), the Supreme Court held that search and seizure does not violate constitutional rights under Articles 19(1)(f) and 20(3), and noted that the Constitution did not expressly recognise privacy as a fundamental right.
In Kharak Singh v. State of UP (1962), the Court struck down midnight domiciliary visits as violating the right to life, though not privacy.
In Gobind v. State of MP (1975), the Court accepted privacy as a right subject to public order, morality, and security.
Maneka Gandhi v. Union of India (1978) broadened the scope of personal liberty.
In PUCL v. Union of India (1997), the Court held that privacy is part of Article 21 and protected telephone conversations under Article 19(1)(g), subject to Article 19(2).
PHASE 2: BEFORE PUTTASWAMY
The IT Act, 2000 became India’s first cyber law. Section 43A, inserted in 2008, made corporate bodies liable for failing to protect sensitive personal data. The 2011 IT Rules defined intermediary liabilities.
The A.P. Shah Committee (2012) recommended national privacy principles for future legislation.
In 2015, the Gujarat High Court saw India’s first discussion of the “right to be forgotten,” though it declined to recognise it.
PHASE 3: AFTER PUTTASWAMY
In 2017, the Supreme Court declared privacy a fundamental right, emphasising the realities of the informational age and directing the government to create a data protection framework.
In 2018, the B.N. Srikrishna Committee released its report and draft bill, forming the basis for later legislation.
The RBI (2018–19) restricted storage of card details on online platforms.
The IT Rules 2021 required platforms to enable identification of message originators; the matter is pending before the Delhi High Court.
In 2023, Parliament passed the DPDP Act, India’s first comprehensive data protection law.
In November 2025, the government notified the DPDP Rules for implementation.
CHALLENGES DUE TO THE DATA BOOM
-
Personal Freedom and Revenue
Traditional privacy protections were designed for the physical world, but digital activity is constantly tracked and monetised, raising questions about control over personal information.
-
Organisational Integrity
Individuals routinely share personal details with institutions without knowing how they are stored or used. Ethical handling depends entirely on the organisation’s integrity, and most users ignore “Terms and Conditions.”
-
Technological Vulnerability
Technology treats all data uniformly, exposing everyone to similar risks. Privacy is most compromised when data is analysed for patterns and behavioural predictions, enabling targeted influence and profiling—creating modern, technology-driven privacy concerns.
CONCLUSION
Data is a powerful resource, but also a risk to privacy. Judicial developments show that protection must preserve dignity, autonomy, and uninfluenced choice. The law has progressed from the IT Act to the DPDP Act, 2023, but genuine protection will depend on how responsibly organisations comply.
Zee Media
Bureau, ‘Chitragupta Puja 2022: Date, time, puja vidhi and significance’ (Zee
News, 26 October 2022 < https://zeenews.india.com/culture/chitragupta-puja-2022-date-time-puja-vidhi-and-significance-2526842.html> accessed 23 November 2025
Sanjay
Jain, ‘What is Data vs. What is Information’ (Bloomfire, 10 February 2025) <https://bloomfire.com/blog/data-vs-information/> accessed 23 November 2025
Maithreyi,
‘Challenges to Privacy and data protection in India’ (2022) 10 (1) IJCRT
1 <https://ijcrt.org/papers/IJCRT2201513.pdf > accessed 23 November 2025
Quincy Maquet, ‘ A Company’s Guide to an
Effective Web Site Privacy Policy’ (2001) 2 Chicago-Kent Journal of
Intellectual Property 1 <https://studentorgs.kentlaw.iit.edu/ckjip/wp-content/uploads/sites/4/2013/10/02JIntellProp12001.pdf > accessed 17 November 2025
MP Sharma v
Satish Chandra (1954) SCR 1077
M
Janssen, M Wimmer and H Deljoo (eds), EGOV 2014: Electronic Government - LNCS
8653 (Springer 2014) 253- 264