Introduction
India is on the verge of a digital era that is both exciting and dangerous. With more than 800 million people using the internet, the nation is seeing a significant shift in the way social interactions, education, business, and governance are organised. The government has demonstrated its commitment to a technology-driven future through flagship projects like Digital India, Aadhaar-enabled Public Delivery Systems, Unified Payments Interface (UPI), and the expanding application of artificial intelligence in judicial and law enforcement frameworks.
However, several ethical, legal, and policy issues have arisen as a result of this widespread digitisation. Critical issues have surfaced as digital technologies increasingly mediate daily life, including the threat of widespread surveillance, opaque algorithmic governance, private companies profiting from data, and escalating weaknesses in national cybersecurity infrastructure. The complicated and dynamic nature of these threats is difficult for the law to handle in its current form, particularly when it comes to the way they affect constitutionally protected rights like due process, freedom of speech, and privacy.
India needs to develop a new generation of legal and regulatory responses, referred to here as Cyber Law 2.0, to adjust to its hyperconnected world. It represents a structural and normative change in the way the digital ecosystem is to be governed, not just a statutory upgrade. It must be consistent with constitutional principles, especially those stated by the Supreme Court in seminal rulings such as Shreya Singhal and Justice K.S. Puttaswamy (Privacy). The foundation for a body of law that acknowledges the digital expressions of fundamental rights has been established by these rulings.
Three interconnected and constitutionally based pillars must support this new cyber-legal framework:
- Power: the necessity of defining and restricting the ability of state and corporate actors to exert coercion in cyberspace while maintaining accountability, transparency, and due process;
- Privacy: Article 21 of the Constitution requires that both public and private data regimes uphold individual liberty, information control, and dignity;
- Protection: To protect digital citizens from harm, it is essential to set up strong grievance redressal procedures, enforceable data rights, and efficient cybersecurity measures.
These pillars are practical requirements in a rapidly changing digital society rather than theoretical abstractions. They interact with administrative regulations and statutory developments, including the Digital Personal Data Protection Act of 2023 and the Information Technology Act of 2000.
In light of this, the purpose of this article is to present a methodical and critical examination of India’s changing cyber law environment. It starts by looking at the legal structures that control corporate and governmental authority in the digital sphere. The constitutionalization of privacy, particularly after Puttaswamy, and the effects of new technologies on informational autonomy are then covered in detail. Finally, it looks at the safeguards required to make sure that civil liberties and legal certainty are not sacrificed in India’s digital transformation.
By doing this, the article hopes to advance the conversation about a rights-based, responsible, and progressive cyber legal framework—what could be appropriately referred to as Cyber Law 2.0.
Power in the Digital Realm
Surveillance and State Power
The recognition of the right to privacy as a fundamental right is among the most important recent developments in Indian constitutional law. The Supreme Court categorically ruled in Justice K.S. Puttaswamy v. Union of India that the right to privacy is inextricably linked to the right to life and personal freedom under Article 21 of the Constitution.
In this case, the nine-judge bench established a three-pronged test for any state action that violates a person’s right to privacy: legality, necessity, and proportionality. Since then, this test has evolved into the norm for determining whether government monitoring programs are constitutional.
The permissive nature of Section 69 of the Information Technology Act, 2000—which permits the federal and state governments to intercept, monitor, or decrypt any information in the interest of public order, sovereignty, or goodwill with other nations—has been criticized in light of this decision. The proportionality test established in Puttaswamy is not met by the provision, since it does not currently require independent authorization or prior judicial oversight.
The Delhi High Court raised concerns in Internet Freedom Foundation v. Union of India about the broad and ambiguous scope of digital surveillance powers granted under Section 69, emphasizing the lack of independent accountability procedures and procedural protections. The case is a crucial reminder that any framework that permits electronic surveillance needs to be carefully examined from the perspective of constitutional validity—particularly when it comes to fundamental rights.
Intermediary Power and Free Speech
In the digital age, online intermediaries like social media platforms, messaging apps, and content-hosting websites have become increasingly important. Although these platforms are essential for facilitating access to information and the exercise of free speech, they are also becoming more and more regulated by the government.
The Supreme Court rendered a historic decision in Shreya Singhal v. Union of India, invalidating Section 66A of the IT Act that made sending “offensive” messages via communication services illegal. The Court determined that the clause was imprecise, excessively expansive, and incompatible with Article 19(1)(a)’s guarantee of free speech.
Crucially, the Court also maintained Section 79’s constitutionality, which protects intermediaries from liability for user-generated content as long as they don’t intentionally exercise active control or initiate the transmission.
The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, however, brought about a change in the regulatory landscape. Intermediaries are subject to increased due diligence requirements under these regulations, which include:
- Mandatory grievance redressal procedures
- Traceability of encrypted messages
- Content removal within stringent timeframes
Critics contend that these regulations stifle free speech and violate the safe harbor principle established in Shreya Singhal. The Delhi High Court is currently considering whether the 2021 Rules are constitutional in the case of LiveLaw Media Pvt. Ltd. v. Union of India. According to the petitioners, the Rules violate the fundamental rights of free speech, privacy, and due process, and are beyond the scope of the parent legislation.
The state’s authority to regulate the internet must be reevaluated in light of this changing legal environment. Any future changes to cyber governance must be supported by a constitutional framework that strikes a balance between the rights of individuals and the interests of the government.
Privacy: Constitutional Foundations
The Privacy Paradigm
With the historic decision in Justice K.S. Puttaswamy v. Union of India, the jurisprudential trajectory of the right to privacy in India experienced a radical change. The Supreme Court acknowledged privacy as a fundamental right guaranteed by Article 21 of the Constitution, overturning previous rulings in cases like M.P. Sharma v. Satish Chandra and Kharak Singh v. State of U.P.
According to this 2017 nine-judge bench decision, privacy is a multifaceted right that includes decision-making autonomy, bodily integrity, and informational self-determination. In addition to reaffirming privacy in theory, the ruling established a strict three-part test to assess its limitations:
- Proportionality – rational relationship with the goal,
- Necessity – in a democratic society,
- Legality – existence of the law.
Since then, this framework has evolved into the standard for evaluating the legality of legislative and executive actions that affect the privacy of information. In K.S. Puttaswamy (Aadhaar-5J.) v. Union of India, the Court maintained the constitutionality of the Aadhaar Act while severely limiting its operational reach, further developing the doctrine.
It declared that Aadhaar could only be utilized for legally sanctioned welfare programs and invalidated the requirement that private organizations like banks and telecom providers use it. The Court also mandated purpose limitation and data minimization as key principles of data processing and placed stringent restrictions on data storage.
Collectively, these rulings made it clear that the core of the right to privacy is individual control over personal information. They demand that the State—in addition to acting legitimately—should exercise restraint when interfering with digital identity and data.
Data Protection and Consent
Legislative enactments have found it difficult to keep up with technological advancements, even as the judicial recognition of privacy rights has changed. India didn’t have a separate law protecting personal data until recently. An important step toward codifying rights pertaining to informational privacy and data processing has been taken with the passage of the Digital Personal Data Protection (DPDP) Act, 2023.
Core principles like purpose limitation, informed consent, and data minimization are established by the DPDP Act. In order to monitor compliance, it also presents the idea of a Data Protection Board.
However, the extensive exemptions provided to the State under Sections 16 and 17 have drawn grave criticism. These provisions weaken the safeguards intended by Puttaswamy by enabling the government to circumvent consent requirements and by placing few limitations on its data processing operations.
Such broad exemptions, according to legal experts and privacy advocates, go against the necessity and proportionality standards established by the Supreme Court. The State could process personal data without judicial oversight on nebulous grounds like public order or national security if there were no effective checks and balances in place.
In addition to weakening constitutional protections, this gap damages India’s reputation in the international digital economy, where data security regulations are becoming more uniform. Therefore, the DPDP Act needs to be reformed to limit executive discretion and harmonized with constitutional jurisprudence in order to fulfill its intended purpose.
Emerging Digital Challenges
Artificial Intelligence and Bias
The rapid adoption of artificial intelligence (AI) technologies in Indian public administration raises serious ethical and legal concerns. Predictive policing, AI-based surveillance, and facial recognition software are increasingly being integrated into governance frameworks without enough regulatory scrutiny. These developments raise questions about justice, transparency, and fundamental rights even though they are intended to improve security and efficiency.
In Anivar Aravind v. Union of India, the Kerala High Court looked into the validity of facial recognition software used in public spaces. The Court recognized the tension between technological advancements and the right to privacy guaranteed by Article 21 of the Constitution.[1] The case brought to light the possibility of mass profiling and the absence of legal protections governing biometric surveillance.
The necessity of an AI-specific regulatory framework has been emphasized time and time again by legal scholars and research organizations like NALSAR’s Centre for Research in Information Security and Privacy. Such a framework would include requirements for algorithmic audits, decision-making systems’ explainability, and accountability for discriminatory results.
Automated decision-making systems could violate due process rights, reinforce preexisting biases, and undermine accountability in public administration in the absence of such checks.[2] To guarantee that the application of AI is consistent with constitutional principles—especially those pertaining to equality, nondiscrimination, and dignity—a rights-based governance model for AI must be created.
Internet of Things (IoT) Vulnerabilities
The proliferation of Internet of Things (IoT) devices, from home automation tools to smart surveillance systems, has made India’s cybersecurity environment more vulnerable. These gadgets frequently gather private information without proper consent procedures, have firmware updates that are out of date, and function with very little encryption.
Reports of security vulnerabilities in government-installed smart meters and biometric authentication systems connected to Aadhaar are especially worrisome because they leave large volumes of citizen data vulnerable to possible breaches. Many of these devices do not follow uniform security standards, exposing users to hacking, data theft, and unauthorized surveillance even though they handle sensitive and important data.
A sector-specific approach to IoT regulation in India has been advocated by legal scholars. This entails requiring device certification, holding manufacturers accountable for flawed security architecture, and establishing minimal cybersecurity standards.[3] In order to guarantee that devices are constructed with data protection principles ingrained in their architecture, privacy-by-design should also be formalized as a fundamental regulatory requirement.
The lack of a specific legal framework for IoT security continues to be a noticeable gap as India transitions to a smart infrastructure future. To protect users and stop systemic digital vulnerabilities, legislative action is required.
Institutional and Academic Contributions
The collaboration between NALSAR University of Law and the Telangana Cyber Security Bureau (TGCSB) is one noteworthy step in this direction. The two organizations signed a Memorandum of Understanding (MoU) in 2025 with the goal of incorporating forensic and legal knowledge into cybercrime investigations. This MoU serves several functions, including strengthening institutional capability, advancing digital forensic techniques, and assisting in the development of evidence-based policy.
This partnership is a reflection of the increasing awareness that good cyber governance necessitates not only technical expertise but also a thorough comprehension of procedural justice, evidentiary procedures, and constitutional protections.
This collaboration exposes law students to the technological foundations of cybercrime detection and prosecution while providing investigative staff with access to professional legal training. Additionally, NALSAR University has taken several independent actions to advance interdisciplinary training and cyber law education. One of the most extensive legal programs in the nation, its Advanced Postgraduate Diploma in Cyber Law, focuses on digital forensics, intermediary liability, data privacy, and regulatory compliance. By training judges, attorneys, and law enforcement officials, the program has helped build a cyber-literate legal ecosystem.
Additionally, NALSAR’s CTRL-Z Cyber Forensics Lab offers practical instruction in digital evidence retrieval, preservation, and analysis. Simulations, mock trials, and compliance audits are all part of the lab’s work to equip participants with useful tools for handling cyber investigations.
The development of a new generation of cyber-aware jurists, legislators, and law enforcement officials depends heavily on these scholarly contributions. Such initiatives show how important legal education is in creating a cyber legal regime that respects rights and is technologically sound by fusing academic research with institutional needs.
Recommendations
A series of focused reforms is necessary to bring India’s cyber law framework into compliance with democratic norms and international best practices, given the changing digital landscape and constitutional jurisprudence on privacy, surveillance, and cyber regulation. The author’s analysis of existing institutional, legal, and technological gaps leads to the following recommendations:
The Author’s Suggestions
- Modify the IT Act’s Section 69: All state surveillance authorizations granted under Section 69 must be subject to judicial oversight. To meet the legality and proportionality standards established in Puttaswamy, a system similar to the US FISA court should be established, complete with required ex-ante and ex-post reviews.
- Strengthen the DPDP Act, 2023: Government agencies’ exemptions under Sections 16 and 17 of the Act should be carefully crafted and subject to impartial review. Constitutional privacy standards would be better reflected by stricter sanctions for violations and a more precise standard of consent.
- Update the IT Rules, 2021: The safe harbor principles defended in Shreya Singhal are incompatible with the content moderation and traceability requirements imposed by the current rules. To handle user complaints about takedown orders and content filtering, an impartial appeals body must be established.
- Require Security-by-Design: Compulsory encryption, frequent third-party security audits, and timely breach reporting should be required for all digital platforms and Internet of Things (IoT) devices. The “privacy-by-design” principle that Puttaswamy emphasized would be operationalized in this way.
- Encourage AI Accountability: To ensure the ethical application of AI, specific laws should be passed. Especially for use cases in the public sector, this needs to include algorithmic impact assessments, data protection-by-design, and independent bias audits.
Legal and Institutional Recommendations
- Constitutional Compliance in Surveillance: To codify the protections found in Puttaswamy, such as proportionality, judicial approval, and redressal procedures, Parliament should enact a specific law governing surveillance. Additionally, this would increase public confidence in digital governance.
- Operationalize the Data Protection Board: In accordance with the DPDP Act, the central government is required to guarantee the independence, adequate funding, and transparency of the Data Protection Board. Judicial review should be applied to its decisions to increase accountability.
- Create a Unified Cyber Regulatory Framework: To harmonize cybersecurity, privacy, and digital governance policies, a centralized, cross-sectoral cyber regulator ought to be established. By doing this, overlap would be removed and uniform standards would be guaranteed.
- Institutional Capacity Building: Law enforcement and judicial officers should be trained in digital evidence, cybercrime, and data governance through ongoing partnerships with academic institutions such as NALSAR.
- International Harmonization: To increase investor confidence and international cooperation, India should harmonize its cyber laws with international frameworks like the General Data Protection Regulation (GDPR) of the EU, particularly when it comes to cross-border data transfers.
In the era of algorithmic governance and data capitalism, these suggestions are essential for both future-proofing India’s digital infrastructure and upholding its constitutional values.
Conclusion
India’s transition to the digital era has been characterized by revolutionary advancements in legal theory, technology, and governance. As the nation rapidly digitizes every aspect of public and private life—from biometric identification and artificial intelligence to encrypted messaging and Internet of Things devices—it is crucial to ensure that constitutional rights are not compromised in the name of technological convenience.
Cyber Law 2.0 is not merely an update to the Information Technology Act or the passage of the DPDP Act, 2023; it represents a fundamental rethinking of how India wields digital power. The rights to free speech and privacy, as established in Shreya Singhal v. Union of India and Justice K.S. Puttaswamy v. Union of India, serve as the constitutional pillars of this new framework.
However, judicial rulings alone are not enough to safeguard these rights. Institutional reform and legislative action are equally essential. This article identifies several key areas for reform:
- Unrestricted state surveillance must be brought within the boundaries of necessity, legality, and proportionality.
- Although a positive step, the Digital Personal Data Protection Act requires strict oversight and the removal of unnecessary government exemptions.
- Intermediary guidelines must be updated to protect free expression and promote procedural justice.
- Technological safeguards such as encryption, breach notification, and security-by-design should be made mandatory, not optional.
Additionally, to address new challenges in AI and IoT, India must implement targeted regulatory frameworks that ensure accountability, transparency, and rights-respecting digital innovation. Academic institutions like NALSAR can play a vital role in bridging the gap between policy and practice through expert collaboration, research, and training.
Cyber Law 2.0 is not only a legal necessity but a constitutional mandate. It calls for coordinated efforts among legislators, judges, regulators, educators, and technologists. Only by adopting a comprehensive, rights-centric approach can India leverage the power of technology while preserving the democratic values enshrined in its Constitution.
As India shapes its digital legal system, the principles of individual liberty, institutional restraint, and enforceable remedies must remain at its core.
End Notes:
- Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1.
- Section 69, Information Technology Act, 2000.
- Internet Freedom Foundation v. Union of India, 2021 SCC OnLine Del 1683.
- Shreya Singhal v. Union of India, AIR 2015 SC 1523.
- Section 79, Information Technology Act, 2000.
- Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.
- LiveLaw Media Pvt. Ltd. v. Union of India, WP(C) No. 1354/2021 (Del HC).
- M.P. Sharma v. Satish Chandra, AIR 1954 SC 300.
- Kharak Singh v. State of U.P., AIR 1963 SC 1295.
- K.S. Puttaswamy (Aadhaar-5J.) v. Union of India, (2019) 1 SCC 1.
- Digital Personal Data Protection Act, 2023.
- Anivar Aravind v. Union of India, 2021 SCC OnLine Ker 568.
- Arjun Rao, “Algorithmic Accountability in Public Decision-Making: An Indian Perspective”, (2024) 11(2) NALSAR Tech Law Review 122.
- Rohit Menon, “Legal Framework for IoT Security in India”, (2023) 65(1) JILI 97.
- Memorandum of Understanding between TGCSB and NALSAR University of Law, signed March 2025 (available on Telangana Cyber Security Bureau official website).
- NALSAR University of Law, “Advanced PG Diploma in Cyber Law” and CTRL-Z Cyber Forensics Lab Initiatives, www.nalsar.ac.in (last accessed July 2025)
References:
1. Anivar Aravind v. Union of India, 2021 SCC OnLine Ker 568.
2. Arjun Rao, “An Indian Perspective on Algorithmic Accountability in Public Decision-Making,” 11(2) NALSAR Tech Law Review 122 (2024).
3. Rohit Menon, “Legal Framework for IoT Security in India,” 2023, 65(1) JILI 97.