Written by Ishan Yadav & Pranshur Sharma, students at IIM Rohtak
Abstract
In a country as big and diverse as India, where millions don’t know where, how, and why they are digitally consenting, the guarantee of privacy is hollow. As digital governance expands unchecked in welfare, identification, and public space, the question remains: are India’s data laws actually protecting the individual, or enacting data governance in the interest of the state and corporations?
This essay engages with the shifting terrain of India’s data governance regime, particularly the legal regimes governing privacy, consent, and digital exclusion. In light of jurisprudence post-Justice K.S. Puttaswamy v. Union of India and the enactment of the Digital Personal Data Protection Act, 2023, the study reflects on whether these laws have translated the constitutional right of privacy from theory to practice.
With legal argument and empirical insight, the paper brings to the fore how infrastructural gaps, shadowy data practices, and digital illiteracies most unequally affect marginalized communities. The paper argues the need for a model of consent that is not merely legally valid but also meaningfully informed and accessible. The paper concludes on the note of what can make India’s data infrastructure a more ethical, participatory, and human-friendly one.
1. Introduction
In the world’s most democratic polity, where technological empowerment has been enshrined as a national article of faith for development, the question of proper consent all too frequently fails to be asked, let alone answered. Data management in India, a developing country in transition, sits at the juncture of converging technology and an avowedly inegalitarian social order. While legislative creativity, such as the Digital Personal Data Protection Act, 2023 (DPDP Act), is an ambitious attempt to regulate personal data, the facts on the ground of digital illiteracy, infrastructural underdevelopment, and socio-economic imbalances cast urgent doubts on the effectiveness and inclusiveness of this measure.
Consent as a legal concept, so prevalent in global data privacy laws, is not simply an act of agreement; it must be informed, voluntary, and withdrawable. In a country where millions lack elementary digital literacy and where data tends to be harvested by coercion, ignorance, or infrastructural duress, the idea of “free and informed consent” may seem perilously symbolic. In addition, unequal access to privacy rights and data protection mechanisms creates daunting challenges to the constitutional promise of equality and dignity.
This essay critically analyzes India’s existing data protection regime through the twin lenses of legal criticism and statistical evidence. It seeks to inquire whether Indian laws provide sufficient protection for individual privacy and consent, particularly for the digitally excluded. The paper, based on an interdisciplinary approach, weighs both the text of the law and its de facto impact, providing a somber analysis of the situation of digital justice in present-day India.
2. Legal Framework for Data Protection in India
In the wake of increasing anxieties about online privacy, India tabled the Personal Data Protection Bill, 2019 (PDPB) to frame an effective data regime. Passed subsequent to the epoch-making Puttaswamy decision holding the right to privacy a constitutional right, the Bill intends to control the processing of data with the will and liability of the individual at its focal point.
2.1 Salient Features of the PDPB
The PDPB classifies individuals handling personal data as Data Fiduciaries and mandates that they process data on the basis of free, specific, and well-informed consent. Under Section 11, consent must be obtained by clear affirmative action, a shift towards user-level control over data. The Bill gives Data Principals the right to access, correct, and remove their data and to withdraw consent at any time (Section 19). Section 29 requires automatic notification of breaches to the Data Protection Authority (DPA) and to the affected persons, promoting transparency. One key requirement, under Section 33, is that specific forms of data be localized on national security grounds. Though this increases sovereign power, critics worry about the operational burdens and the surveillance possibilities.
2.2 Operational Concerns
Though the PDPB reiterates consent, its efficacy as a protection is doubtful in a nation whose digital literacy index is low. People agree willingly without knowing what the terms themselves are, which makes “consent” more procedural than meaningful. Further, the Bill exempts sweeping expanses of government departments on national security grounds, raising the spectre of state excess with minimal oversight. The Data Protection Authority, even if it is independent in theory, still remains subject to central government control, undermining its autonomy.
2.3 Comparison with Global Norms
Though patterned after the EU’s General Data Protection Regulation (GDPR), India’s proposed law lacks corresponding enforcement authority. Whereas GDPR punishes violators with severe fines, India’s model is built more on regulation by discretion than on penalty. The PDPB also provides for data processing for “reasonable purposes” sans consent, a clause subject to general interpretation, threatening user control.
2.4 Conclusion
India’s PDPB is a landmark in digital rights law, but it will come to fruition only if it is implemented with integrity. Without institutional autonomy, successful awareness campaigns, and improved accountability mechanisms, the promise of informed consent rings hollow as a legal fiction, particularly for the digitally excluded.
3. Statistical Review: India’s Digital Exclusion and Illiteracy to Consent
Despite progress on the legal side, data management in India remains characterized by intense digital divides as well as consent illiteracy. Legal mechanisms, however well-intentioned, succeed only to the extent that citizens are well-informed and can exercise their rights. Technology access in India, in particular, is uneven, while knowledge of data privacy remains lamentably poor.
3.1 Digital Divide in Numbers
India had around 759 million internet users in 2022, of whom more than 500 million remained unconnected, according to the Internet and Mobile Association of India (IAMAI). Internet penetration still leans heavily towards urban areas: urban India enjoys a 69% rate of internet penetration, while rural India enjoys 37%.
Even among users who have access, digital literacy is minimal. Only 38% of people aged 15 and above were able to use a computer in a 2021 National Sample Survey, and less than 30% were able to carry out simple internet functions like emailing or surfing the web.
3.2 The Illusion of Informed Consent
This online exclusion has widespread implications for the doctrine of informed consent. In reality, consent is typically achieved through pre-checked boxes, gobbledygook legalese, or deceptive interfaces. According to a 2022 Centre for Internet and Society (CIS) report, more than 70% of Indian users did not read or comprehend privacy policies prior to giving consent.
This affects the most at-risk populations worst: rural communities, the elderly, and women least likely to have the resources or literacy to assess risk. In these cases, “consent” is a veneer, eroding the assumption on which data rights rest.
3.3 Platform Conduct and Asymmetric Power
Algorithmic profiling and dark patterns are applied most frequently on websites to coerce individuals into consenting to data scraping. Dark patterns work by taking advantage of cognitive bias, leveraging confusion and urgency, and hiding opt-outs or making them hard to find.
This is compounded by language barriers. Privacy notices are predominantly in English, which shuts out the huge non-English-speaking population. Estimates from 2021 Census numbers project that at most 10% of Indians speak English as a prevalent language, putting an acute deficiency in sharp relief.
4. Judicial Developments and Legal Concerns in India’s Data Protection Jurisprudence
India’s regime for data governance is not established by laws and bills alone but is heavily conditioned by constitutional interpretation and judicial activism. The Indian judiciary has taken the lead in recognizing privacy as a constitutional right and goading the state towards more responsible data protection. Nevertheless, this juridical advance has not been without contradiction and limit, specifically when confronted by state interests, national security, and institutional practicalities.
4.1 The Puttaswamy Judgment and Constitutional Privacy
The watershed moment of Indian privacy law came in 2017, when the Supreme Court of India in Justice K.S. Puttaswamy (Retd.) v. Union of India held by a unanimous decision that the right to privacy is guaranteed as an integral part of the right to life and personal liberty under Article 21 of the Constitution. The Court emphasized at length that privacy includes autonomy in private choices, bodily integrity, and information privacy.
In its decision, the Court specifically underscored that consent is a cornerstone of informational privacy, especially in our times. It also warned that consent cannot be made a formality. It must be informed, meaningful, and revocable. This nuanced vision is directly opposed to the de facto regimes of app-based data aggregation or state-led ID-linking proposals that often bypass meaningful consent procedures.
4.2 Aadhaar Case and Conditional Autonomy
Yet the judgments that followed Puttaswamy, in Binoy Viswam v. Union of India and Justice K.S. Puttaswamy (Aadhaar-5J) v. Union of India, remain unclear. In the Aadhaar judgment, the Supreme Court upheld Aadhaar’s legality but placed some restraints on it. Even while the majority was of the view that Aadhaar cannot be made mandatory for services like bank accounts or mobile phones, it permitted its linkage to welfare schemes and thereby compromised the universality of informed consent.
This created a paradox: in creating privacy as fundamental, the Court allowed its limitation in the interest of welfare provision, in effect assigning a greater value to administrative convenience than to personal freedom in certain cases. The practical implications of this are dire—especially in rural and peripheral communities where Aadhaar-based authentication has led to exclusion from welfare due to failure of authentication.
4.3 Executive Discretion and Oversight Gaps
A second matter is the insufficiency of judicial or parliamentary oversight of executive data practices. As witnessed in the Pegasus spyware scandal, there is a shortage of accountability processes for state surveillance and data collection. Even with obvious implications for privacy, courts have typically left matters of national security up to the government, illustrating the weakness of judicial protections when set against the interests of the state.
In addition, the position of the Data Protection Board under the 2023 Digital Personal Data Protection (DPDP) Act is still unclear and indeed compromised, as it is structurally reliant on executive appointment and control. This institutional dependency injects a crisis of confidence in whether Indian citizens will receive an unbiased determination of privacy breaches.
4.4 A Dissonance Between Rights and Realities
Whereas India’s legal theory increasingly backs individual data rights, the ground reality is a different story. Courts have delivered landmark verdicts, but the absence of robust mechanisms for awareness, redressal, and enforcement prevents these rights from being enforced by common citizens. The conflict between normative rights and realities points to a systemic shortfall in India’s data governance ecosystem.
Until there is substantive reform in how consent is obtained, privacy is enforced, and harms to data are remedied, particularly for the digitally excluded, the legal progress will remain trapped in courtrooms and legislation, rather than finding its way into the Indian people’s daily lives.
5. Conclusion and Recommendations
In a country where digital access is prioritized over digital awareness, the notion of informed consent is still very idealistic. India’s intentions, particularly through the DPDP Act, are commendable, but intentions without participatory implementation can end up reinforcing current disparities. Consent for the digitally illiterate becomes a matter of a checkbox, not a choice.
The law needs to go beyond constructions and capture lived lives. An unused right is an absent right. Protecting privacy takes more than legal language—it takes capacity building, awareness generation, and real agency creation.
In order to close the law-life divide, India needs to:
- Make users digitally literate across multiple languages,
- Implement an independent data protection authority, and
- Prioritize accessibility, equity, and user-centered enforcement.
Then, and only then, can the promise of data rights be realized—not in concept, but in every corner of the country.
