Is Your Data Really Safe? Understanding Data Privacy Laws in India
In today’s digital world, data has become an indispensable part of everyone’s daily routine. From work emails and chats with friends to the pictures stored in our galleries, all of this forms part of our personal data.
But have you ever wondered how private your personal data really is? What laws protect it, and what regulations govern its use? How can you keep a check on the access and usage of your data by various websites and companies online?
To delve deeper into the world of data privacy and understand how to protect your data and exercise your rights, keep reading until the end.
INTRODUCTION
Privacy is a concept that has existed in India since ancient times. If we look at history, during the Indus Valley Civilization, houses were designed without windows on the ground floor specifically to ensure privacy. Similarly, doors did not open directly onto the streets. The practice of using curtains to maintain privacy was further developed during the medieval era.
From then to now, privacy has remained a value that society has rarely compromised on.
As we move towards a digital age, India has also seen the vision of a technologically driven society through the initiative of Digital India.
Any country that dreams of complete digitalisation and a digital economy must have strict, transparent, and effective rules and regulations to protect the personal and sensitive data of its citizens. This is where data protection laws come in.

What Is Data Protection?
Data protection refers to the protection of personal information while ensuring that individuals have control over how their data is collected, stored, processed, and shared. It grants individuals the right to keep their information private and secure, and to limit the unauthorised access, use, or misuse of their data by others.
The term personal information includes details such as a person’s mobile number, health records, financial information like bank account or card numbers, and any other data that can be used to identify an individual.
Data protection is an essential individual right as it is closely linked to the Right to Privacy under Article 21 of the Constitution of India, which is a part of the Fundamental Rights. The right to privacy includes the protection of personal data, and effective data privacy cannot exist without proper data protection systems.
Evolution of Data Privacy and Data Protection Laws in India
Justice B.N. Srikrishna Committee (2017–2018)
The foundation of India’s modern data protection laws can be traced back to the formation of the Justice B.N. Srikrishna Committee in 2017. The committee was formed after the court recognised the right to privacy as a fundamental right, which created an urgent need for a comprehensive data protection framework in India. In 2018, the committee released its landmark report titled “A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians”. It proposed a rights-based data protection framework, which means that individuals must have meaningful control over their personal data. It also recognised the need to balance individual privacy with legitimate interests of the state, like national security.
Key principles recommended were: informed consent, purpose limitation, data minimisation, accountability of data fiduciaries, and the need for data localisation in certain sensitive sectors. These recommendations worked as a backbone for India’s future data protection laws.
The Information Technology Act, 2000
The Information Technology Act, 2000, was the first legislation in India to address the issues arising from the digital environment. Its primary objective was to give legal recognition to e-transactions and to address cybercrimes. A few provisions were introduced, like Section 43A and the SPDI Rules, 2011, which imposed restrictions on corporate bodies to protect sensitive personal data. The IT Act proved to be insufficient because of rapid advancements in the digital world, which became concerning for data privacy.
Personal Data Protection (PDP) Bill, 2019
The Personal Data Protection Bill, 2019, was the first legislative attempt to address data privacy concerns in India. It was introduced in Parliament on the recommendation of the Srikrishna Committee. The bill proposed the establishment of an independent Data Protection Authority (DPA) to oversee compliance and enforcement. The PDP Bill introduced several important individual rights like the right to data portability, the right to be forgotten, and a structured grievance redressal mechanism. It also imposed strict obligations on data sensitivity and requirements for certain classes of personal data.
Still, it faced criticism for being overly complex, compliance-heavy, and for granting broad exemption powers to the government.
Withdrawal of the PDP Bill and Enactment of the DPDPA, 2023
In 2022, the government withdrew the PDP Bill, as there was a need for a simpler, more adaptable framework that could respond effectively to the evolving digital world. This marked a shift from an elaborate regulatory model to a more focused and simpler approach.
The Digital Personal Data Protection Act, 2023, was then enacted. It focuses specifically on the processing of digital personal data and seeks to balance the individual’s right to protect their data. Compared to the PDP Bill, it narrowed the scope, gave clarity, and introduced consent-based processing.
Draft Digital Personal Data Protection Rules, 2025
The Draft Digital Personal Data Protection Rules, 2025, aim to operationalise the provisions of the DPDP Act, 2023. These draft rules are intended to safeguard citizens’ rights while ensuring effective implementation of the Act.
Key features of these draft rules are:
- Registration and role of a Consent Manager
Consent Managers must be officially registered and should be responsible for helping users give, manage, and withdraw their consent in a clear and transparent way.
- Intimation of personal data breach
If a data breach occurs, the organisation must inform both the authorities and the affected individuals without delay.
- Verifiable consent for children and persons with disabilities
Personal data of children and persons with disabilities can be processed only after obtaining verifiable consent from parents or legal guardians.
- Exemptions in processing children’s data
Limited exemptions are allowed when data processing is necessary for the welfare, safety, or lawful purposes involving children.

Loopholes in India’s Existing Data Protection Laws
Although India now has its own data protection laws, having laws on paper does not mean that data is fully safe. There are still certain gaps that affect how these laws work for people in real life:
- An earlier version of these laws proposed a separate, independent authority to keep a check on data protection. However, under the current law, the protection board is appointed by the government. This raises doubts about how effective and neutral enforcement will be, especially if a government body itself is involved.
- Most users are still unaware of their data rights. Many people click ‘I agree’ without reading the privacy policy or terms and conditions and do not know where to complain if their data is misused.
- Although the law stresses consent, users often have no option but to give their consent before using an app or service, and this weakens their control over personal data.
- The law allows certain data to be sent to some foreign countries, which makes it hard for users to trace the usage and protection of their personal data, and many people are unsure about the remedies for the misuse of their data abroad.
What Needs to Change? The Way Forward
- Making Consent Meaningful
Consent should be free and clear. Privacy notices must be written in simple, layman’s language, and it should be the choice of the user whether they want to share their data or not. This gives real control to a person over their personal data.
- Increasing Public Awareness and Digital Literacy
Laws are effective only when people know they exist and use or follow them properly. The government should include basic rights like the right to privacy and data protection in the school curriculum so that the youth grows into aware citizens of the country.
- Making the Regulator Truly Independent
The power of overseeing data protection should lie with a separate and independent board, free from any kind of pressure or bias. This would help people trust authorities with their personal data.
- Ensuring Accountability of Companies
Companies collecting personal data must be transparent about how the data is used and with whom it is shared. Strict penalties should be imposed in case of any breach of security of a person’s personal data.
- Laws Should Be Adapted as per Future Technologies
As technology evolves, data protection laws must also evolve. Regular review of the current scenario and timely amendments will help keep personal data safe and reduce online crimes and breaches of privacy.
Think Before You Click: Everyday Data Safety Tips
- Turn Off Automatic Media Download on WhatsApp
Go to WhatsApp Settings → Storage and Data → Media Auto-Download and set all options to Never.
This prevents harmful videos, fake PDFs, APK files, or malware from automatically saving to your phone.
- Never Share OTPs, CVV Numbers, or UPI Approvals
Banks, UPI apps, courier services, and government officials never ask for OTPs, CVV numbers, or approval of unknown UPI requests.
If anyone asks for these details, it is a scam, no matter how genuine they sound.
- Lock Your SIM Card with a SIM PIN
SIM swap fraud is one of the most common ways criminals hijack bank and WhatsApp accounts.
Adding a SIM PIN ensures that even if your SIM is stolen, it cannot be misused.
- Avoid Apps from Links or Telegram Channels
Never install apps from random links, WhatsApp forwards, or Telegram channels.
Fake loan apps, trading apps, and “mod” apps are commonly used in India to steal personal and financial data.
- QR Codes Are Only for Paying, Not Receiving Money
If someone asks you to scan a QR code to receive a refund, salary, or prize, it is a scam.
Scanning a QR code always sends money; it never credits your account.
Conclusion
In a world where new developments occur every day and almost every part of our lives exists online, our phones have become the basic treasury of our lives. All these developments lead us to the conclusion that as the world evolves, we must keep pace with it and reform our laws accordingly.
India has introduced several reforms in its legal framework and has laid down a clear structure for the protection of the personal data of its citizens. However, a lot still remains to be done. We need to keep up with the pace of technological developments, educate citizens about their rights, and work towards ensuring the safety of people, whether in the digital space or in the offline world.
In the end, we all need to realise that protecting data is no longer just a legal obligation; it is a shared responsibility between the State, companies, and citizens.