Context: International Data Privacy Day (28 January) commemorates the 2006 signing of Convention 108, the world’s first binding international treaty on data protection. The 2026 theme—“Take Control of Your Data”—underscores individual agency and informed consent in an increasingly data-driven economy.
What is Data Privacy?
Data privacy refers to an individual’s right to control how personal information is collected, processed, stored, and shared. In the digital age, it is a cornerstone of democratic governance, market trust, and national security.
In K.S. Puttaswamy v. Union of India (2017), the Supreme Court recognised the Right to Privacy as a fundamental right under Article 21, placing constitutional limits on state and private data use.
India’s Digital Scale and the Privacy Imperative
India is the third-largest digital economy, with nearly one billion internet users and about 70% penetration. Population-scale Digital Public Infrastructure (DPI)—Aadhaar, UPI, DigiLocker—has transformed service delivery but also amplified privacy risks. Ultra-low data costs (≈ $0.10/GB) have accelerated adoption, generating vast datasets that can be misused for profiling, AI-driven manipulation, and deepfakes.
State digitisation further heightens exposure. Platforms such as eSanjeevani (over 44 crore telemedicine consultations) and MyGov (over 6 crore users) handle sensitive personal data, making robust safeguards indispensable.
Recognising these risks, the Union Budget 2025–26 earmarked ₹782 crore for cybersecurity, signalling the growing salience of data protection in public policy.
Beyond citizen trust, privacy has economic value. Strong data governance improves investment confidence, enables cross-border digital trade, and positions Indian firms as credible global partners.
India’s Data Protection Architecture
India’s framework has evolved from sectoral rules to a comprehensive statute:
- Information Technology Act, 2000: The parent law for cyber offences and electronic governance; Section 69A empowers content blocking for national security.
- CERT-In: National nodal agency for cyber incident response and breach advisories.
- IT Rules, 2021: Due diligence and grievance redressal obligations for intermediaries to ensure platform accountability.
- Digital Personal Data Protection (DPDP) Act, 2023: India’s first comprehensive personal data law, built on the SARAL principle—Simple, Accessible, Rational, Actionable. It emphasises lawful purpose, consent, data minimisation, and accountability.
- DPDP Rules, 2025: Operationalise enforcement, timelines, and compliance processes.
- Data Protection Board of India (DPBI): A digital-first regulator for complaint filing and adjudication; appeals lie with TDSAT.
The Road Ahead
As India’s digital footprint expands, data protection must move from compliance to culture. Empowering users with meaningful consent, strengthening institutional capacity, and aligning innovation with privacy-by-design will be critical.
International Data Privacy Day is a reminder that safeguarding personal data is not merely a legal obligation—it is central to sustaining India’s digital transformation with trust and constitutional fidelity.