Data Protection and Privacy Laws in India

This article examines the evolution of India's privacy framework, tracing the shift from a rules-based system to a rights-based regime where data is viewed as an extension of the self. It begins by highlighting the limitations of the Information Technology Act, 2000, and the SPDI Rules, 2011, which primarily focused on cybercrime and corporate negligence rather than comprehensive data rights. It identifies the 2017 K.S. Puttaswamy judgment as a turning point that established privacy as a fundamental right under Article 21, paving the way for the Digital Personal Data Protection Act, 2023. This new legislation is described as a compact framework that balances user rights with business innovation by establishing clear "Data Fiduciary" obligations and a strict consent architecture. Finally, the author discusses the specific rights granted to citizens, such as the right to correction and grievance redressal, while acknowledging the continuing tension between personal privacy and state surveillance powers.