I. Constitutional and Policy Background (Pre-2018)

Justice K.S. Puttaswamy v. Union of India

India’s journey toward a comprehensive data protection law began with a constitutional milestone. In 2017, a nine-judge Constitution Bench of the Supreme Court in Justice K.S. Puttaswamy v. Union of India unanimously declared that the right to privacy is a fundamental right under Articles 14, 19, and 21 of the Constitution.

The Court held that privacy is intrinsic to life and personal liberty, and extends to informational self-determination. In doing so, it emphasized that any restriction on privacy must satisfy the tests of legality, necessity, and proportionality, along with procedural safeguards.

This judgment came at a time when India was undergoing rapid digital transformation:

  • Expansion of Aadhaar-linked welfare schemes
  • Growth of digital governance platforms
  • Rapid penetration of smartphones and internet usage
  • Rise of e-commerce, fintech, and data-driven private enterprises

The absence of a dedicated data protection framework created legal uncertainty. While the Information Technology Act, 2000 and related rules addressed certain aspects of data security, they lacked a rights-based architecture. Post-Puttaswamy, it became constitutionally imperative for the State to enact a comprehensive data protection regime that balanced innovation with civil liberties.

II. Expert Committee and Draft Bill, 2018

  1. Constitution of the Srikrishna Committee (2017)

In response to the Supreme Court’s mandate, the Government of India constituted an Expert Committee in 2017 under the chairmanship of Justice B. N. Srikrishna.

The Committee included senior policymakers, technologists, academics, and legal experts such as Aruna Sundararajan, Dr. Ajay Bhushan Pandey, Dr. Gulshan Rai, Prof. Rishikesha Krishnan, Prof. Rajat Moona, Arghya Sengupta, and Rama Vedashree.

The Committee’s objective was to examine data protection issues and recommend a robust legislative framework suitable for India’s socio-economic realities.

  2. Draft Personal Data Protection Bill, 2018

In July 2018, the Committee submitted:

  • Its landmark report titled “A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians”
  • The Draft Personal Data Protection Bill, 2018

The report emphasized that data protection is not merely a regulatory issue, but a constitutional necessity rooted in dignity and autonomy.

Key Features of the 2018 Draft

  1. Data Principals’ Rights
    Individuals (termed “data principals”) were granted rights such as:
  • Right to confirmation and access
  • Right to correction and erasure
  • Right to data portability
  • Right to be forgotten

This marked a shift toward a rights-centric framework.

  2. Data Fiduciaries and Data Processors
    Borrowing conceptually from global frameworks like the EU GDPR, the Bill introduced:
  • Data Fiduciaries — entities determining purpose and means of processing
  • Data Processors — entities processing data on behalf of fiduciaries

The fiduciary relationship underscored a duty of care toward individuals.

  3. Data Protection Authority (DPA)
    The Bill proposed an independent regulator — the Data Protection Authority — with investigative, corrective, and adjudicatory powers.
  4. Sensitive Personal Data Classification
    The Bill categorized certain data (health, biometric, financial, etc.) as “sensitive personal data,” requiring higher compliance standards.
  5. Cross-Border Data Transfer Restrictions
    It introduced localization mandates for sensitive personal data, reflecting concerns over sovereignty and enforcement.
  6. Emphasis on Consent and Purpose Limitation
    Processing was required to be:
  • Lawful
  • Fair and reasonable
  • Based on informed consent
  • Limited to specified purposes

Conclusion

The 2018 Draft Bill laid the intellectual and structural foundation for India’s modern data protection regime. While the legislative journey witnessed multiple revisions and debates, the constitutional anchor remained constant: privacy as a fundamental right.

Ultimately, this evolutionary process culminated in the enactment of the Digital Personal Data Protection Act, 2023, reflecting India’s attempt to harmonize digital innovation, state interests, and individual rights in a rapidly transforming technological landscape.