Consent, Privacy, and Digital Exclusion: A Legal and Statistical Review of India’s Data Governance Regime

Written by Ishan Yadav & Pranshur Sharma, students at IIM Rohtak

Abstract

In a country as big and diverse as India, where millions don’t know where, how, and why they are digitally consenting, the guarantee of privacy is hollow. As digital governance expands unchecked in welfare, identification, and public space, the question remains: Are India’s data laws actually protecting the individual, or enacting data governance in the interest of the state and corporations? This essay engages with the shifting terrain of India’s data governance regime, particularly the legal regimes of privacy, consent, and digital exclusion. In light of jurisprudence post-Justice K.S. Puttaswamy v. Union of India and the enactment of the Digital Personal Data Protection Act, 2023, the study reflects on whether laws have translated the constitutional right of privacy from theory to practice. With legal argument and empirical insight, the paper brings to the fore how infrastructural gaps, shadowy data practices, and digital illiteracy most unequally affect marginalized communities. The paper argues the need for a model of consent that is not merely legally valid but also meaningfully informed and accessible. The paper concludes by considering what can make India’s data infrastructure more ethical, participatory, and human-friendly.

1. Introduction

In the world’s most democratic polity, where technological empowerment has been enshrined as a national article of faith for development, the question of proper consent all too frequently fails to be asked, let alone answered. The data management of India, a developing country in transition, sits at the juncture of converging tech and an avowedly inegalitarian social order.
Whereas legislative creativity, such as the Digital Personal Data Protection Act, 2023 (DPDP Act), is an ambitious attempt to regulate personal data, facts on the ground of digital illiteracy, infrastructural underdevelopment, and socio-economic imbalances cast urgent doubts on the effectiveness and inclusiveness of this measure. The legal phenomenon of consent, so prevalent in global data privacy laws, is not simply an act of agreement; it must be informed, voluntary, and withdrawable. In a country where millions lack elementary digital literacy and where data tends to be harvested by coercion, ignorance, or infrastructural duress, the idea of “free and informed consent” may seem perilously symbolic. In addition, unequal access to privacy rights and data protection mechanisms creates daunting challenges to the constitutional promise of equality and dignity.

This essay critically analyzes India’s existing data protection regime through a twinned optic of legal criticism and statistical evidence. The essay seeks to inquire whether Indian laws provide sufficient protection for individual privacy and consent, particularly for the digitally excluded. The paper, based on an interdisciplinary approach, weighs both the text of the law and its de facto impact, providing a somber analysis of the situation of digital justice in present-day India.

2. Legal Framework for Data Protection in India

In the wake of increasing anxieties about online privacy, India tabled the Personal Data Protection Bill, 2019 (PDPB) to frame an effective data regime. Passed subsequent to the epoch-making Puttaswamy decision holding the right to privacy a constitutional right, the Bill intends to control the processing of data with the will and liability of the individual at its focal point.

2.1 Salient Features of the PDPB

The PDPB classifies individuals handling personal data as Data Fiduciaries and mandates that they process data on the basis of free, specific, and well-informed consent.
Under Section 11, consent must be obtained by clear affirmative action, a shift towards user-level control over data. The Bill allows Data Principals the right to access, correct, and remove their data and withdraw consent at any time (Section 19). Section 29 requires automatic notification of breaches to the Data Protection Authority (DPA) and to the affected persons, promoting transparency. One key requirement under Section 33 requires specific forms of data to be localized on national security grounds. Though this increases sovereign power, the operational burdens, as well as the surveillance possibilities, worry critics.

2.2 Operational Concerns

Though the PDPB reiterates consent, its efficacy as a protection is doubtful in a nation whose digital literacy index is low. People agree willingly without knowing what the terms themselves are, so that “consent” is more procedural than substantive. Further, the Bill exempts sweeping expanses of government departments on national security grounds, raising spectres of state excess with minimal oversight. The Data Protection Authority, even if it is independent in theory, still remains subject to central government control, undermining its autonomy.

2.3 Comparison with Global Norms

Though patterned after the EU’s General Data Protection Regulation (GDPR), India’s proposed law lacks corresponding enforcement authority. Whereas the GDPR hits violators with severe fines, India’s model is built more on regulation by discretion than on penalty. And the PDPB provides for data processing for “reasonable purposes” sans consent, a clause subject to general interpretation, threatening user control.

2.4 Conclusion

India’s PDPB is a landmark in digital rights law, but it will come to fruition only if it is implemented with integrity.
Without institutional autonomy, successful awareness campaigns, and improved accountability mechanisms, the potential of informed consent rings hollow as a legal fiction, particularly for the digitally excluded.

3. Statistical Review: India’s Digital Exclusion and Illiteracy to Consent

Notwithstanding progress on the legal side, data management in India remains characterized by intense digital divides as well as consent illiteracy. Legal mechanisms, altruistic as they are, succeed only to the extent that citizens are well-informed and can exercise their rights. Technology access in India, especially, is uneven, while knowledge of data privacy remains lamentably poor.

3.1 Digital Divide in Numbers

India had around 759 million internet users in 2022, while more than 500 million people remained unconnected, according to the Internet and Mobile Association of India (IAMAI). Internet penetration still leans heavily towards urban areas: urban India enjoys a 69% rate of internet penetration, while rural India enjoys 37%. Even among users who have access, literacy in digital matters is minimal. Only 38% of people aged 15 and above were able to use a computer in a 2021 National Sample Survey, and less than

THE RIGHT WAY TO BE FORGOTTEN: WHAT INDIA CAN BORROW FROM THE E.U.

Written by Khyati Sinha & Suyash Srivastava, students at Maharashtra National Law University, Chhatrapati Sambhajinagar.

INTRODUCTION

We leave behind a data trail while using the internet, either actively or passively, across various websites and platforms. These digital footprints build up over time and incorporate everything from online activities and interactions to personal information collected by the platforms, often without their users’ explicit consent. One such instance occurred in 2023, when Meta was fined $1.3 billion for violating E.U. data privacy rules. Such collection results in the violation of individual privacy, which is protected under Article 21 of the Constitution of India. Because data is collected on a large scale, it becomes imperative to safeguard individual privacy by prohibiting unauthorized storage and processing of personal data.

To address these privacy concerns, the concept of the Right to be Forgotten (RTBF) has emerged, which enables individuals to seek erasure of their personal information in certain situations. The first legal recognition of this right was in the EU in Google Spain SL v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González (2014), granting people the right to ask organizations to erase their data when it is no longer required. This sparked a worldwide movement recognizing the importance of privacy and RTBF.

In the absence of dedicated legislation that explicitly recognizes RTBF, the framework on data protection in India has been profoundly shaped by the seminal case of Justice K.S. Puttaswamy v. Union of India, which established the right to privacy as a fundamental right, leading to significant developments thereafter. This blog aims to provide a comparative analysis of the data protection framework in India and the EU concerning RTBF. It also offers suggestions on what India can learn from the EU to implement its data protection framework effectively.
RIGHT TO BE FORGOTTEN IN THE EUROPEAN UNION

In line with the demands and requirements of society, laws relating to RTBF have rapidly evolved over the past few years. A significant milestone in this evolution was the Google Spain case, in which the European Court of Justice held that “Every individual has the right, under certain conditions, to ask search engines to remove links with personal information about them.” The judgment paved the way for this right to be granted recognition in 2016 under Article 17(1) of the GDPR, which allows Data Subjects to seek prompt erasure of their data from the data controller. This right is applicable under specific conditions, including when:

1. The data is no longer necessary for the purpose for which it was collected;
2. The data subject withdraws consent previously given for processing;
3. The data is being processed unlawfully; or
4. There is a legal obligation to erase the data.

However, the right is subject to certain exceptions mentioned in Article 17(3) of the GDPR, notably where processing is necessary for the exercise of the right of freedom of expression and information, for public interest, for research or statistical purposes, or to comply with legal obligations. Through this ruling, the court aimed to balance an individual’s right to privacy with the public’s right to access information. The jurisprudence developed in the Google Spain case laid the groundwork for Google v. CNIL, wherein it was held that under EU law, RTBF is only applicable in its 28 member states, and there is no obligation on Google and other search engines to apply it globally.

Article 51 of the GDPR establishes Data Protection Authorities, one of the main elements of the European mechanism of data protection. They are independent public bodies responsible for enforcing the application of the regulation within each EU member state.
This includes their ability to ensure compliance, provide guidance to data controllers and processors, handle complaints, and issue fines.

RIGHT TO BE FORGOTTEN IN INDIA

The legal landscape around the concept first surfaced in 2017 after the right to privacy was recognized as a fundamental right under Article 21 of the Constitution of India in the Puttaswamy case. While several cases have been filed seeking enforcement of RTBF, the courts have been hesitant and inconsistent in their application.

In Dharamraj Bhanushankar Dave v. State of Gujarat (2015), a writ petition was filed under Article 226 praying for permanent restraint of the public exhibition of a non-reportable judgment that was displayed on several websites, in which the petitioner was charged with culpable homicide amounting to murder and various other criminal offenses. He contended that the display of the judgment had affected his personal as well as professional life, even after he was acquitted by the Sessions Court and, subsequently, the High Court. The court dismissed the petition, stating that the publication of the judgment did not violate Article 21.

However, in Sri Vasunathan v. Registrar General, the Karnataka High Court gave a conflicting ruling, wherein it upheld the petitioner’s claim to remove the name of his daughter from the cause title, stating it was ‘in line with the trend in the western countries’ to protect the modesty and reputation of women involved in sensitive cases. Further, in Zulfiqar Ahman Khan v. Ms. Quintillion Business Media Pvt Ltd., the Delhi High Court directed the removal of defamatory articles concerning #MeToo allegations against the petitioner and recognized the ‘right to be forgotten’ as an integral part of the right to privacy. In 2021, the Delhi High Court in Jorawar Singh Mundy v. Union of India also acknowledged the need to balance an individual’s right to privacy with the public’s right to information, and granted interim relief to the petitioner by directing websites to remove access to the judgments, as this infringed the petitioner’s privacy and dignity.

LEGISLATIVE FRAMEWORK IN INDIA

In the 2019 draft of the Personal Data Protection Bill, the inclusion of RTBF was recommended by the B.N. Srikrishna Committee in cases where data is misleading, outdated, or humiliating. In a welcome move, the Digital Personal Data Protection Act, 2023, adopted a revised framework tailored to modern privacy challenges and global best practices. A key strength of the DPDP