Author: Gayathri S Pillai , National University of Advanced Legal Studies


Data encompasses us and is generated for all activities that we do. One sort is data that we may wilfully share. Furthermore, the subsequent kind is the information produced truly every time we accomplish something – regardless of whether it be travel, request a feast, or use transportation. There is no uncertainty that this information is monstrously significant, and several organizations are willing to pay for access to this data. Several questions emerge under this circumstance: whom does this data belong? Who can get to it? What are the limits set on the misuse of this information? This position is additionally convoluted by a few governments requesting and looking for access to data from its residents. Then again, what are the limits to privacy? Advancement in technology, for example, Data Mining, Cloud computing, and so forth, brings unexpected difficulties, and one of the significant challenges is a danger to "privacy." Globalization has given acknowledgment to technology in the entire world. According to developing prerequisite, various nations has presented a diverse lawful structure for the protection of data and for upholding privacy rights.

This article includes how privacy rights and data protection laws are enacted in India and how it emerged as a controversial topic during the global pandemic of COVID -19.


The privacy issues have various dimensions like legal, political, and technical arenas. According to the Cambridge dictionary, privacy means "the right that someone has to keep their personal life or personal information secret or known only to a small group of people." [1] It can be understood as one's personal right to decide who, what, and when another person can access his information. With the coming up of globalization and new technologies, privacy rights began to be questioned as data became more accessible to the common man.

Personal data relates to any information of an individual, whether it be in a personal, private or professional sphere. With the abundance of online resources, it is very crucial to protect these data from unwanted attacks. Data protection refers to the rules and regulations adopted in protecting this information. It ensures that you remain in control of your data, and you have the right to determine who has the right to access this information.

On August 24, 2017, the supreme court ruled that privacy is a fundamental right because it is intrinsic to right to life. SC’s nine judge bench ruled that “right to privacy is an integral part of right to life and personal liberty guaranteed in article 21 of the constitution.”[2] still, we do not have comprehensive privacy rights or data protection laws in India. We still look upon the IT Act of 2008[3].It mainly focuses on e commerce and privacy rights has not been given enough consideration. This suggests that India has to take further steps when it comes to privacy rights and data protection as it is the need of the hour.

Covid19 and data privacy

The flare-up of COVID-19 and its improvement into a pandemic has driven governments over the world to take exceptional measures to secure their occupants. The Central Government and different State Governments in India, alongside general wellbeing specialists, various associations, and corporates, are gathering, following, and utilizing data about people to hinder the spread of COVID-19. This requires a huge extent of personal data being utilized which is directly dependent upon the data protection laws in India. Therefore, a balance has to be struck between a person’s right to privacy and public interest. Independently, because of the COVID-19 pandemic, corporates are likewise required to execute unusual measures to safeguard their representatives and expanded the workforce. In such a manner, the assortment of individual information by corporates should be embraced in consistence with the prerequisites of data protection laws in India.

By virtue of the absence of a vaccine for COVID-19, nations over the world have set a great deal of onus on the estimation of social distancing and regulation to battle the pandemic. The World Health Organization likewise thinks about testing, isolation, and contact-tracing as the foundation of the battle against the infection. In such a manner, nations are taking assistance of innovation driven estimates, for example, thermal screening, mass surveillance, location tracking, etc. and so forth to contain the spread of the infection. Various nations, including India, have declared the dispatch of cell phone applications with various functionalities planned for supporting the battle against COVID-19. While such applications could end up being compelling in containing the spread of the infection, they have begun a discussion on security worries comparable to the abuse of data gathered by the applications.

The Government of India propelled the Arogya Setu application on April 2, 2020, which, inter alia, tracks the area of a contaminated individual and informs the application users of their proximity to such people. The Data Protection Laws just give an essential structure on data protection and not explicitly examine measures to be taken by the public authorities in relation to the protection of data during public health emergencies. In accordance with KS Puttuswamy, the Supreme Court of India has seen that if the state safeguards the anonymity of an individual, it could honestly affirm a substantial state interest for the protection of public health to design suitable policy interventions based on the information accessible to it. The Arogya Setu application requires its clients to switch the GPS and Bluetooth following on consistently and has been reprimanded in light of the fact that it could disregard its clients' security and could go about as a surveillance tool in possession of the administration.

Similar applications are being utilized by the State Governments of Goa, Karnataka, Maharashtra, and Tamil Nadu. The utilization by the State Government of Kerala of the Sprinklr application has likewise been scrutinized on the ground that sensitive personal data is being accessed by an entity that isn't situated in India. In an ongoing appeal testing the agreement between the State Government of Kerala and Sprinklr, the High Court of Kerala has given an interim order in April 2020 asking the State Government, inter alia, to anonymize all information gathered concerning COVID-19 preceding imparting it to Sprinklr and to educate all residents from whom information is taken that such information can be imparted to Sprinklr or any outsider and get the consent of such citizens. Further, the High Court of Kerala has limited Sprinklr from submitting any demonstration that may bring about break of privacy of information gathered under the agreement with the State Government of Kerala and misusing such information legitimately or by implication for business purposes or promoting or speaking to any outsider that they have access to information relating to COVID-19 cases. The court likewise ordered Sprinklr to restore all information to the State Government of Kerala once the authoritative commitments are finished and erase any remaining or secondary information in its possession.

In light of the COVID-19 pandemic, corporates have been asking their workers and business partners to share their and their relatives' expert/individual travel chronicles, manifestations of sicknesses of themselves and their relatives, medical records, and so forth data identifying with medical records will qualify as SPDI under the Data Protection Laws and will require the consent of the individual unveiling such data. Moreover, before gathering such data, corporates should make and execute a privacy policy for handling of or dealing in PI and SPDI.

Taking into account the above-mentioned, corporates in India should consider receiving a data privacy policy in consistence with the minimum technical standards recommended under the Data Protection Laws. Corporates will likewise need to build up a methodology and configuration in which assent is acquired from people from whom individual information is gathered and set up a system for the arrangement, stockpiling, and dispersal of the individual information that is gathered. The COVID-19 pandemic has made employees to work from home, and, in like manner, matters of data security should be considered by corporates going ahead.


The current circumstance by virtue of the COVID-19 pandemic is unprecedented. The health specialists, corporates and different partners are finding a way to contain the spread of the virus and measures, for example, data tracking and mass surveillance could end up being compelling in checking the spread of COVID-19. In any case, remembering that such close to home information will be accessible in the long term, the Government of India should find a balance between assurance of public interest and keeping up the fundamental right to privacy. When the COVID-19 enforced lockdown in India eases, corporates in India will progressively need to wrestle with the handling of SPDI and other personal data to limit the danger of COVD-19. To this end, corporates should process personal data in consistence with the prerequisites of the Data Protection Laws while looking out for likely change in the Indian legal framework by virtue of the PDP Bill.[4]

[1] PRIVACY, (last accessed on October 7, 2020) [2] Dhanajay Mahapatra & Amit Anand Choudhary, Right to privacy is a fundamental right, it is intrinsic to right to life: Supreme Court, Times of India(August 24 2017), [3]Information Technology (Amendment) Act,2008 [4]Shivaji Bhattacharya and Anindhya Shrivastava, India: COVID-19: Implications On The Data Protection Framework In India, mondaq (6 May 2020),

10 views0 comments