Data, privacy and data protection: Tools for India’s growth

India’s data protection regime is no longer aspirational and the country has moved to defining how privacy is to be protected in practice, through permissible data collection and protection.
Shally Bhasin, Varun Pathak

India’s privacy and data protection regime is no longer a distant ambition or an empty policy conversation. With the enactment of the Digital Personal Data Protection (DPDP) Act, 2023 and now the operationalisation of the DPDP Rules, 2025, businesses in India are required to speak the language of privacy. At the heart of this shift is a simple requirement to ‘know your data’. Every entity must map the personal data it holds and trace data flows across internal departments, vendors, cloud systems, and automated tools. Importantly, businesses must link each instance of data processing to a lawful ground or legitimate use. Emphasis has been placed on minimisation, purpose limitation, and accountability.

The DPDP Act has had a long journey, and it began with rejection. In the MP Sharma case in 1954, an eight-judge Bench held that the Constitution did not guarantee privacy. In Kharak Singh in 1962, a six-judge Bench reiterated that position.

But the Court’s approach steadily shifted in Gobind in 1975, wherein it treated privacy as an element of personal liberty under Article 21. Thereafter, in R Rajagopal in 1994, the Court explicitly recognised privacy as a fundamental right, while balancing it against press freedom, and in PUCL in 1997, the Court held that telephone tapping without safeguards violated privacy and laid down surveillance guidelines.

These strands culminated in the nine-judge decision in the Justice KS Puttaswamy case in 2017, where privacy was affirmed as a fundamental right embedded in Articles 14, 19, and 21 of the Constitution, and where the Court left it to the government to pass a law on data protection.

The DPDP Act defines key roles for:

- Data Principal: the individual;

- Data Fiduciary: the entity deciding why/how data is processed;

- Data Processor: the entity processing on the fiduciary’s behalf; and

- Consent Manager: the platform enabling consent management.

The DPDP Rules, 2025, were notified in mid-November 2025, giving operational shape to the DPDP Act and introducing a phased rollout. Institutional provisions, such as the Data Protection Board’s establishment, became effective immediately in November 2025. The obligations for Consent Managers become operational around November 2026, and full substantive compliance (consent, rights, fiduciary duties, penalties, etc.) becomes enforceable around May 2027.

Data, information and its collection are as old as humanity and are contained in all its glory in religion, mythology, philosophy and its law. In fact, Kautilya’s Arthashastra has detailed chapters on the collection of information, governance, espionage, economy, diplomacy, military strategy, and is one of the most important ancient texts on statecraft. In the 1950s, magnetic tapes and hard drives allowed data to be stored electronically and by the 1970s, structured storage became possible. The rise of the internet, search engines, and social media resulted in the explosion of user-generated data.

Data, as we know it, has its origins in the Cold War, in a little-known entity, Simulmatics Corporation, founded by Ithiel de Sola Pool in 1959. One of the successes of the company was its work on the 1960 US presidential election, wherein it provided data-driven insights for the candidate and the subsequent US President, John F. Kennedy. Simulmatics was successful in developing a predictive model that used surveyed data and computational analysis to assess voter behaviour and was able to develop an early version of micro-targeting. The company worked with major corporations and devised advertising strategies, focusing on consumer behaviour and preferences and assisted the military to apply its predictive modelling to counterinsurgency strategies. Despite the early success, Simulmatics Corporation suffered an unceremonious demise.

While privacy has long been criticised as vague or elusive, its most influential modern formulation remains Warren and Brandeis’ idea of privacy as ‘the right to be let alone.’ Data protection or informational privacy, by contrast, is a more recent regulatory concept. Privacy is broader, as it shelters multiple values such as dignity, autonomy, decisional freedom, and limited state intrusion. Data protection, on the other hand, is narrower and operational, and it governs how personal data may be collected, used, stored, shared, and deleted. Functionally, privacy tends to work as a tool of opacity, shielding persons from illegitimate power, while data protection works as a tool of transparency and controls through regulations. Data protection regulates legitimate power through notice, consent, accountability, and redress. Put simply, privacy is often prohibitory while data protection is primarily regulatory.

India’s regime has chosen to include clear, purpose-specific notices and granular, easily withdrawable consent, with processing to stop on withdrawal unless another legal basis allows the processing of the said data. Breach reporting is obligatory, without any delay, to both the Board and affected individuals, in simple and plain language, followed by subsequent detailed reports. Data minimisation and storage limitation have been operationalised to ensure that what is collected is only used for the purposes for which it is needed and is erased once the purpose ends. Stricter governance for Significant Data Fiduciaries, including audits and impact assessments, has been introduced and imposed. At least on paper, India’s privacy regime has its heart in the right place, though operationally, the verdict is still some time away. Optimism is in the air, but there is a lot more to be done.

India’s data protection regime is no longer aspirational, and businesses must now map the personal data they hold; trace every purpose and data flow across systems; match each processing activity to consent or a legitimate use ground; and stop and/or delete anything unjustified. India has thus moved to defining how privacy is to be protected in practice, through permissible data collection and protection. In the age of data surveillance, information is power, and power must be bounded by rights and law, and India is now on this journey. Aspirationally, 1.5 billion people are hopeful of a Viksit Bharat by 2047.

Let us operationalise that journey through privacy and security, with the citizen at the centre, and a data protection regime as its engine.

About the authors: Shally Bhasin and Varun Pathak are Partners at Shardul Amarchand Mangaldas & Co.

Disclaimer: The opinions expressed in this article are those of the author(s). The opinions presented do not necessarily reflect the views of Bar & Bench.
