Data Privacy in India: Is Your Personal Information Secure?

Data Protection

In today’s world, everything is digital: every click, every share and every search leaves a trace of your personal data. Personal data is information, in the form of data, that relates to an identifiable person. Given the increase in cyber threats, data breaches and privacy concerns, events in India such as the Aadhaar leaks (2018), K.S. Puttaswamy (Retd.) v. Union of India and several other cases raise concern about whether our data is truly secure. India has taken several measures to safeguard the data of its citizens, and one such milestone is the Digital Personal Data Protection (DPDP) Act, 2023, which aims to safeguard users’ information. But whether this legislation is enough to protect individuals’ information remains uncertain. This blog delves deeper into Indian privacy law and tries to analyse whether our data is secure.

Data privacy is the process of safeguarding private data and making sure it is used appropriately. It covers the procedures for gathering, exchanging, and storing data. In recent years, data privacy has become more widely recognised in India. The “Digital Personal Data Protection Act (DPDP Act)” is the main law governing data privacy in India. It guarantees individuals control over their personal information, including the right to access, correct, and delete it. It also gives businesses the right to lawfully store, collect, and process data while adhering to principles like consent and limitations. Additionally, the act incorporates the right to privacy found in Article 21 of the Indian Constitution.

The goal of the law is to strike a balance between the demands of economic expansion and technological innovation on the one hand and individual rights on the other. However, before the enactment of this law, several landmark judicial rulings played a significant role in establishing the foundation for data protection in India.

Landmark Judicial Precedents on Data Privacy in India

These landmark cases have played a crucial role in shaping data privacy rights in India. The 2017 K.S. Puttaswamy (Retd.) v. Union of India case set the stage for future data protection laws by recognising privacy as a fundamental right. Building on this, the Supreme Court, in the Aadhaar Case (2018), upheld the scheme’s legality but placed restrictions on its mandatory use for private services, addressing concerns about the misuse of biometric data. In Internet Freedom Foundation v. UOI, the petition filed against the Indian government raised concerns about the absence of sufficient safeguards to control surveillance activities and contested the legitimacy of the extensive surveillance powers granted to intelligence agencies, claiming that these powers disproportionately violate citizens’ fundamental rights to privacy and free expression. In 2019, Google India Pvt. Ltd. v. Visakha Industries stressed the need for a balance between platform responsibility and user privacy while focussing on intermediary liability. Facebook’s data-sharing practices have been questioned more recently in the WhatsApp Privacy Policy Case (2021), which has strengthened the need for user consent and openness when managing personal data. In the digital age of India, these cases collectively demonstrate the growing significance of robust data protection regulations to protect personal information.

Key provisions of the Digital Personal Data Protection Act:

  1. Applicability (Section 3)

This section pertains to the handling of digital personal information in India and also applies to foreign organisations that process information in connection with providing goods or services to Indian citizens.

It excludes domestic or personal use and publicly accessible personal information.

  2. Data Fiduciary Obligations (Sections 4-10)

Data Fiduciaries may process personal data only for legitimate uses or for consent-based legal purposes. They are required to notify individuals of the reasons behind data processing, and users have the right to revoke their consent at any moment. To avoid breaches, fiduciaries must implement appropriate security measures.

  3. Rights of Data Principals (Sections 11-14)

Users have the right to know what personal information is being processed, and they have the right to ask for their data to be corrected or erased. There shall also be grievance redressal, and in the event of incapacity or death, users have the ability to designate nominees for data rights.

  4. Exemptions (Section 17)

There are some exemptions for court cases, national security, public order and law enforcement, and for startups, research, and archiving (as notified by the government).

  5. Personal Data Transfer (Section 16)

Data transfer to specific nations may be restricted by the government.

  6. Enforcement & Penalties (Section 33 & Schedule)

There are serious sanctions for infractions, such as ₹250 crore for security breaches, ₹200 crore for neglecting to report violations and ₹200 crore for failure to comply with obligations regarding the processing of child data.

Challenges and Limitations of the DPDP Act

The Digital Personal Data Protection Act is an important data privacy law in India that establishes consent-based data collection, rules for data storage, transfer, and processing, data fiduciary obligations, and severe penalties for data breaches. However, the act has flaws and issues. Because its enforcement is crucial, the government should set up a powerful, authoritative body to ensure that the act is applied wherever an individual’s information is concerned. As the central government is the broad executive of this act, allowing it to decide how the act is applied results in more ambiguous regulations and potential misuse of people’s personal data. The act’s exemption for government agencies processing people’s data that pertains to public order and national security raises concerns about mass surveillance and misuse of personal data by state authorities.

Although this act deals with the storage, transfer, and processing of personal data, it does not adequately protect individual privacy, because with its many exceptions, breaches and leaks of personal data can occur outside the scope of the law. The general public’s ignorance of digital rights and data privacy laws is also a significant problem in India. Unaware of the consequences, many people unwittingly agree to share their private information, leaving them open to fraud, exploitation, and abuse. It is still very difficult to enforce a data protection law in the absence of widespread digital literacy and awareness.

How Secure is Your Personal Data?

Despite broadened regulations, personal data in India remains highly vulnerable for a number of reasons:

  1. Vulnerabilities in Cybersecurity Infrastructure – Many small and medium-sized enterprises (SMEs) lack proper security measures and remain soft targets for cyberattacks. Data breaches occur because no encryption, firewalls, or formal security audits protect against attacks, putting users’ sensitive data at grave risk.
  2. Lifting the Burden of Penalties for Private Entities – Although the Digital Personal Data Protection Act (DPDPA) has imposed fines for data breaches, many private companies overlook the protection of data. Because of an absence of monitoring and enforcement, some companies persist with poor internet security practices without facing serious penalties.
  3. Rise in Cyber Fraud Cases – With the booming number of digital transactions, phishing, identity theft, and financial fraud are on the rise. Many people fall prey to fraud and cybercriminals simply because of low levels of awareness and bad digital hygiene, including having weak passwords or sharing personal data without asking questions.

How to Protect Your Data?

There are many steps one can take to guard against cyber threats. Here are some ways to protect personal data:

  1. Enable Two-Factor Authentication (2FA): This is an additional layer of security on an account, a further step of verifying the individual, which helps guard against phishing and improper entry to mobile banking, email, or social media accounts.
  2. Change Passwords Frequently: Having the same password for different accounts can be disastrous if one of the accounts is hacked. Use strong passwords and change them over time to lessen the risk of hacking.
  3. Share Selectively: Be mindful that sharing information, including phone numbers, addresses, and other details, increases the likelihood that it will be used against you in phishing scams and identity theft.
  4. Make Use of Encrypted Messaging Apps: Signal, WhatsApp (which enables end-to-end encryption), and Telegram (for secret chats) are a few of the most popular apps. Using these apps contributes to the privacy of conversations. Don’t use unencrypted channels to share messages with other people.
  5. Be Aware of Cyber Breaches: Cyberattacks that leak personal data happen frequently. Stay aware of the cybersecurity breaches affecting the online services you regularly use, and change your passwords right away if you feel you are a victim.

In a digitalised world where one click, one share and one search can leave a trail of an individual’s personal data, protecting a person’s data has become more crucial than ever. Cases like K.S. Puttaswamy (Retd.), the Aadhaar Case, the Internet Freedom Foundation case and other landmark cases have shaped the establishment of a significant piece of legislation, the Digital Personal Data Protection (DPDP) Act, 2023, which aims to safeguard the personal data of individuals. There are loopholes in the act, such as lack of enforcement, broad government exemptions, and other challenges to the full application of the DPDP Act. However, a legal framework alone is not enough to control the rise of data breaches, fraud, and other data concerns; it requires a collaborative framework. People should also be made aware of their digital rights and must know that their data is important and cannot just be shared or collected without a legal reason. By adopting strong cybersecurity habits, staying informed, and demanding accountability, we can move toward a future where data privacy is not just a regulation but a fundamental right.

Author: Deeya Anil Dani, in case of any queries please contact/write back to us via email to chhavi@khuranaandkhurana.com or at Khurana & Khurana, Advocates and IP Attorney.

References

  1. “Digital Personal Data Protection”, 2023. Ministry of Electronics and Information Technology <https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf>
  2. K.S. Puttaswamy v. Union of India (2017) 10 SCC 1
  3. Internet Freedom Foundation v. Union of India (ongoing)
  4. Google India Pvt. Ltd. v. Visakha Industries (2019) INSC 352
  5. WhatsApp Privacy Policy Case (2021), SM 01
  6. Raktima Roy & Gabriela Zanfir-Fortuna (2023) THE DIGITAL PERSONAL DATA PROTECTION ACT OF INDIA, EXPLAINED, 2023. <https://fpf.org/blog/the-digital-personal-data-protection-act-of-india-explained/>
  7. Minister of Corporate Affairs The Government of India (2025) Collecting and Using Your Personal Data, 2025. <https://www.mca.gov.in/content/mca/global/en/home/mca-mobile-app-policies/collecting-and-using-your-personal-data.html>