
Privacy In Digital Age: The Intersection Of Technology And Law

This paper discusses the origin and development of the right to privacy. It covers the international perspectives on personal data and data protection, the laws dealing with personal data and data protection, their acknowledgement and evolution in some international conventions, and the development of the most widely accepted international law, the GDPR, and its impact upon the legislation of other nations.

The paper also addresses the principles of GDPR which form an integral part of a data protection regime. It discusses the constitutional debate pertaining to privacy as a fundamental right and the constitutional mandates in India, along with the recognition of privacy by the Indian judiciary and the development of legislation relating to data protection in the form of the Digital Personal Data Protection Act, 2023: its evolution, formation and key provisions in brief, along with other legislation governing data.

The author has tried to explain some important terms related to the legislation, which aids a clear and in-depth understanding of it. The paper also discusses the intersection between data protection and technology, along with several case laws.

Introduction
In the global information economy, personal data has become the fuel that is driving much of the current online activity. On a day-to-day basis, vast amounts of information are transmitted, stored and collected across the globe, enabled by massive improvements in computing and communication power[1].

In the data economy, information is the new gold. Data richness, security and privacy have become part of the universal agenda. Although international as well as local codes have been invented to secure, protect and ensure the integrity of data, fear persists, significantly in the virtual world[2]. As technology grows, protection and privacy become a matter of concern.

Data protection stands as an integral aspect of international law in the forms of international treaties as it establishes common standards for enabling the free flow of data across borders. It is recognised as an important field of law, policy development and regulation. It combines elements of human rights and consumer protection. Data protection is considered as a fundamental right under international treaties[3] and individual jurisdictions.

Digitization fueled by technological advancements is increasingly reshaping and changing the order and ways traditional models of doing things were conducted. The world is indeed in a digital age where human activities such as business transactions begin and conclude online. This is why "Uber, the world's largest taxi company, owns no cars, Facebook, a well-known media company, produces no content, the world's most valuable retailer Alibaba has no inventory, and the world's largest accommodation provider Airbnb has no real estate"[4]. These companies are technology giants whose subscribers are regularly mandated to provide their data to enable access, with the internet and smartphones playing significant roles in enhancing the value, accessibility, and abundance of data. Nearly every human activity now leaves a digital footprint[5].

It is essential to encourage innovation. Decent practice in data protection is vital to ensure public trust in, engagement with and support for innovative uses of data in both the public and private sectors.

The rise of information technology has created a world where personal and organizational data can be easily accessed by unauthorized parties if not adequately safeguarded. With the increasing reliance on constant information exchange and data flow, the importance of data protection is becoming central to both political and institutional frameworks. Consequently, many nations have taken proactive measures to enact data protection laws aimed at crime prevention and fostering diplomatic relations.

Evolution Of Data Protection Laws Across Countries:

  • The right to privacy is an integral part of the enjoyment and exercise of human rights in both offline and online modes. It lays the foundations of a democratic society and of a broad range of human rights, including in the digital sphere. Interference with privacy can have a disproportionate impact upon individuals or groups, leading to inequality and discrimination.
     
  • Article 12 of the Universal Declaration of Human Rights (UDHR)[6], 1948 recognised privacy as a concept for the first time in the global scenario. Article 17 of the International Covenant on Civil and Political Rights, 1966[7] highlighted the concept of privacy, guaranteeing individuals the protection of their personal sphere. Though this provision lacked binding power, it is recognised as a general principle under international law and has thereby been incorporated in international treaties, human rights institutions and national constitutions. Article 12 of the Universal Declaration of Human Rights and Article 17 of the International Covenant on Civil and Political Rights state that 'no one shall be subjected to arbitrary or unlawful interference with his privacy that include family, correspondence or residence, unlawful attacks on reputation and dignity of an individual. Every person has the right to protection of law against such interference or attacks.'[8]
     
  • The first legally binding document on data protection resulted from the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data 1981, the instrument specifically governing personal data.
     
  • The 1980 Organisation for Economic Cooperation and Development (OECD) guidelines on Protection and Privacy of Trans Border Flows of Personal Data endorsed eight principles which were applicable in both the public and the private sector, encouraging countries to develop their own privacy protection frameworks[9]. The eight principles are:
    • Collection limitation
    • Data quality
    • Purpose specification
    • Use limitation
    • Security safeguards principle
    • Openness
    • Individual participation
    • Accountability
The most recent OECD advancement is its Recommendation on Digital Security Risk Management for Economic and Social Prosperity, adopted in September 2015, which highlights that digital risk should no longer be treated as a technical issue but as an economic risk. Digital risk should therefore be an integral part of an organisation's overall risk management and decision making.

Privacy and data protection laws are rapidly adapting to the dynamic world. The evolution of these laws has been remarkable, especially over the last two decades. In the mid 1990s, the internet itself was a fairly new innovation to many people. Concepts including social media, virtual reality, smart devices, artificial intelligence have made vast leaps in the recent years, driven by innovative ways of collecting, using and utilising data.

Policymakers felt the need to design privacy and data protection laws that are flexible enough to accommodate unforeseen advancements in technology. In this context, the European Union (EU) introduced the General Data Protection Regulation (GDPR) in 1995. It was enforced in 2018. To clarify the concept of personal data and outline the legal requirements for its processing, the GDPR has 4 categories, namely Personal data, Special categories of personal data, Pseudonymous data and Anonymous data.

It further:
  • Has wide subject matter
  • Has broad territorial scope, applicable to businesses
  • Carries serious penalties
  • Requires substantial openness and transparency
  • Grants individuals powerful rights that can be enforced against business[10]

The GDPR aims to standardise the protection of basic rights of the individuals and their freedom in processing activities, to ensure free movement of personal data between EU member states and to provide more control over the acquisition and use of the personal data of the customer.

The implementation of this legislation has given people the right to access the information that businesses hold about them, and has introduced new requirements for corporations to ensure proper handling of that data, along with a new system of varied fines.

In order to provide products or services to "anyone in EU territory," enterprises must respect their right to privacy under the General Data Protection Regulation (GDPR) and ensure that any personal data that has been acquired or processed is protected. Businesses with headquarters in the EU as well as foreign businesses that have activities there are subject to the GDPR. The rule promotes eight consumer privacy rights and mandates the application of seven data protection standards[11].

The GDPR brought in new regulations upon the right to personal data of the individual, thereby furthering the standard of data privacy.

Beyond the GDPR, the EU continues to issue new laws that impact privacy and data protection.
Some of them include:
  • Directive on Security of Network and Information systems (NIS Directive), which imposes minimum cyber security standards on operators of essential services and digital service providers.
     
  • Jurisdictions including Japan have revised their local data protection laws so as to implement standards that are more closely aligned with GDPR. This is done in order to avoid any additional changes that would be required to enable the continued free flow of data. A number of substantial amendments were introduced in the Japanese Act on Protection of Personal Information in 2021. This was done in consonance with the mutual arrangement between the Personal Information Protection Commission of Japan, the European Commission and other relevant data protection authorities.
     
  • Similarly, in 2020, the National Assembly of the Republic of Korea approved substantial amendments to the Korean Personal Information Protection Act of 2011. This was done in consonance with the GDPR of the EU, wherein EU opined that "the recent reforms have increased the synergies between the data protection frameworks of the Republic of Korea and EU." Both sides acknowledged the opening up of new possibilities for closer cooperation on privacy and data flows[12].

Privacy Laws And India:

  • The Constitutional Assembly Debate: The Constitutional Assembly made the first attempt to protect the privacy of an individual against unreasonable state interference. An amendment was moved by Mr Kazi Syed Karimuddin under Article 20 of the draft Constitution to add a provision protecting an individual from unreasonable search and seizure, in consonance with the American and Irish Constitutions. It was strongly opposed by Sir B.N. Rau and Allady Krishnaswamy Ayyar, as they disagreed with the inclusion of the Right to Privacy as a fundamental right[13].

    The right to privacy was not directly envisaged by the Constitution framers and thus initially did not find a mention under Part III of the Indian Constitution. It was through the deliberations of the judiciary that the Right to privacy[14] was recognised as a fundamental right in certain cases and ultimately recognised and declared as a fundamental right in the K. S. Puttaswamy case, also known as the Aadhar judgement. The Right to privacy is protected as an intrinsic part of the right to life and personal liberty, as a part of the freedoms guaranteed under Part III[15].
     
  • Evolution of Right to Privacy by judicial intervention:
    Privacy as a right for the first time came under the judicial lens in M.P. Sharma v Satish Chandra[16]. The Court in this case held that "the provision declaring that the state has an overriding power in law for affecting search and seizure is for the purpose of security". Further the Eight-Judge Bench of Supreme Court presided by the Chief Justice Mehr Chand Mahajan held, "When the Constitution makers have thought fit not to subject such regulation to constitutional limitation by recognition of a fundamental right to privacy, analogous to the American Fourth Amendment, we have no justification to import it, into a totally different fundamental right, by some process of strained constitution."[17]

    In Kharak Singh v State of Uttar Pradesh[18], the court started opening the doors to identifying the requirement to protect privacy, but this identification was limited only to police actions which are not covered under the due process established by law.
     
  • The impact of international law upon the domestic legal order of various countries of the world is manifold. India follows the 'dualist school of law' for implementation of international law at the domestic level. Thus, in India, for international treaties to become a part of the Indian legal system, they must be incorporated by legislation made by the Indian Parliament. This also forms a Directive Principle of State Policy under Part IV, thereby guiding the State to implement international law in India effectively[19].
     
  • Indian judiciary is free to interpret the obligations of India under international law into the domestic law.

    India adopted the Digital Personal Data Protection Act in 2023. The implementation of the GDPR in the European Union influenced the introduction and adoption of data protection laws in India.

    The Supreme Court of India in Justice K.S Puttaswamy and Anr v. Union of India[20] recognised and declared the Right to privacy as a fundamental right under the Right to life, which encompasses the Right to informational privacy as its integral part. The Court cited precedent to declare that "the State has a positive responsibility of upholding and safeguarding the dignity" and connected the value of privacy to the value of a person's dignity[21]. Thus, the Puttaswamy judgement serves as the foundation for both the ban on privacy-violating State action and the obligation of the State to regulate private contracts and data exchange, both of which are vital for protecting the privacy of an individual.
     
  • Following this development, the Shri Krishna Committee was established in 2018 and it tabled the Draft Personal Data Protection Bill, 2019, which was later withdrawn. The Indian Parliament subsequently introduced several data protection bills but withdrew them. In 2023, the Personal Data Protection Bill was passed by both houses of Parliament, becoming the first law in India with regard to data privacy.

    It is applicable upon digitised personal data and imposes obligations on data fiduciaries for ensuring integrity, confidentiality, security along with providing the right to access, correct and erase the personal data of the individuals, providing safeguards for processing the data of children[22].

    The data collected must be processed for lawful purposes only, either by taking consent from the concerned individual or for legitimate use. The consent shall be free, unambiguous, informed, unconditional and for a specific purpose[23]. The Act includes concepts like Data Fiduciary, Data Principal, Consent Management, Personal Data Breach, Data Audit, Personal Data Impact Assessment and others. It has both territorial and extra-territorial jurisdiction and is individual as well as State centric. The law also provides for establishing a Data Protection Board that would govern the cases and expressly excludes the jurisdiction of the civil courts. For filing an appeal, one shall approach TRAI Telecom Dispute Department.

    The enactment lacks supporting rules and regulations, so as to effectuate the efficient implementation of the enactment. It strikes a partial balance between individual rights and government powers.
     
  • Other legislation regulating the law on privacy is the Information Technology Act, 2000. It has specific express provisions that protect individuals against breach of privacy by corporate entities. It was amended in 2008 to insert Section 43A, which penalises companies that compromise sensitive personal data by making them pay compensation.
    Exercising powers under this section, the government framed eight rules for protection of the privacy of an individual. They relate to the permissions that a company must seek before accessing the private data of individuals and fix liabilities for violation of the same[24].

Conflicts Between Privacy And Technology:

  • Technology has always intervened with the Right to privacy. Communication between two individuals via telephone, mobile and other communication software and devices has created debatable issues related to the Right to privacy of a person's correspondence. There have been cases of intercepting the mail and telephonic communication of political opponents as well as of job seekers. Section 26(1) of the Indian Telegraph Act, 1885 empowers the central and state governments to intercept telegraphic and postal communications on the occurrence of public emergency in the interest of public safety[25].
     
  • "Telephone tapping is an invasion of right to privacy and freedom of speech and expression and also government cannot impose prior restraint on publication of defamatory materials against its officials and if it does so, it would be violative of articles 21 and 19(1)(a) of the Constitution". In People's Union for Civil Liberties v. Union of India[26] Kuldip Singh J held that, "right to hold a telephonic conversation in the privacy of one's home or office without interference can certainly be claimed as right to privacy". In this case the Supreme Court laid down certain procedural guidelines for conducting legal interceptions, and also provided for a high-level review committee to investigate the relevance of such interceptions[27]. The parameters for procedural validity describe that it must be fair, just and reasonable and not arbitrary, fanciful or oppressive. An authority cannot be given an untrammelled power to infringe the right to privacy of any person[28].
     
  • In the Neera Radia tape case, the use of phone tapping as a method of investigation in a tax case seems to be an act of absurd overreaction. For so many journalists, politicians and industrialists to have their phones tapped without a rigorous process of oversight represents a gross violation of basic democratic principles. Therefore, the Supreme Court of India is of the firm opinion that tapping of a conversation between two people via telephone is a violation of the right to privacy of both individuals[29].
     
  • Privacy and Artificial Intelligence:
    Another important growing technology is Artificial Intelligence (AI). The Report of the United Nations High Commissioner for Human Rights, 2021 mentions that, "the operation of AI systems can facilitate and deepen privacy intrusions and other interference with rights in a variety of ways". Also in the Derechos Digitales and Privacy International report it is reported that:
    "AI tools are widely used to seek insights into patterns of human behaviour. AI tools can make far-reaching inferences about individuals, including about their mental and physical condition, and can enable the identification of groups, such as people with particular political or personal leanings. Many inferences and predictions deeply affect the enjoyment of the right to privacy, including people's autonomy and their right to establish details of their identity. They also raise many questions concerning other rights, such as the rights to freedom of thought and of opinion, the right to freedom of expression, and the right to a fair trial and related rights"[30]

    The intensity of AI's interference with the right to privacy is high, but the Indian courts and law are yet to identify it. Although courts and law-making bodies have already started analysing the technological impact on privacy, an exclusive reference to protection of the right to privacy from AI is yet to be sighted[31].

Conclusion
Thus, the study has summarised the importance of personal data, data protection and privacy of individuals as it forms an integral part of the Fundamental right to Life and liberty, thereby living life with dignity. The study draws out the evolution of data protection laws, the concept of privacy and its position in the international law.

While there exists a remarkable harmonisation and coherence around core data protection principles, effective implementation of the already existing rules and legislation is lacking, which affects the intended impact of the framed legislation. Supporting rules are also lacking that would dilute the over-inclination towards the centre while protecting the interests of the individual and his data.

Thus, the subjects of international law should ensure the implementation of already existing data protection legislations in such a way that it serves the requirement of the State but does not compromise the privacy of individual or groups.

The current age is a revolutionary period of transformation from offline communication to completely digitised, online communication, wherein data is the most important possession and can act as a double-edged sword.

Thus, nations should ensure that the data sword is utilised only for the benefit and welfare of the world and is not used to serve the ill wishes of any person. They should carefully analyse and implement the present laws, introduce changes only where those laws do not serve the purpose intended, and take steps towards compatibility and harmonisation.

End Notes:
  1. Data Protection Regulations and International Data flows: Implications For Trade and Development, United Nations Conference on Trade and Development, New York and Geneva 2016
  2. Patricia Passau Data Privacy Law: An International Perspective, Faculty of Law, University of Passau, Germany (2015)
  3. https://www.un.org/en/about-us/universal-declaration-of-human-rights#:~:text=Article12,againstsuchinterferenceorattacks., last seen on 16-08-2024
  4. https://techcrunch.com/2015/03/03/in-theage-of-disintermediation-the-battle-is-all-for-the-customer-interface/, last seen on 16-08-2024
  5. https://journals.ezenwaohaetorc.org/index.php/IBJ/article/view/2643, last seen on 16-08-2024
  6. https://www.un.org/en/about-us/universal-declaration-of-human-rights#:~:text=Article12,againstsuchinterferenceorattacks., last seen on 16-08-2024
  7. https://www.coe.int/en/web/compass/the-international-covenant-on-civil-and-political-rights., last seen on 16-08-2024
  8. OCHCR and Privacy in Digital Age, available at https://www.ohchr.org/en/privacy-in-the-digital-age/international-standards, last visited on 16-08-2024
  9. Bhawna Tyagi, Dr. Akbar Khan, Data Privacy and its National and International Perspectives- A Focus on International Trade and the Internet of Health Things, International Journal of Creative Research Thoughts (IJCRT) Volume 10 (2022)
  10. Rapid Evolution of data protection laws, available at https://www.google.com/amp/s/iclg.com/practice-areas/data-protection-laws-and-regulations/01-the-rapid-evolution-of-data-protection-laws/amp, last visited on 17-08-2024
  11. https://usercentrics.com/knowledge-hub/the-eu-general-data-protection-regulation/, last seen on 17-08-2024
  12. Rapid Evolution of data protection laws, available at https://www.google.com/amp/s/iclg.com/practice-areas/data-protection-laws-and-regulations/01-the-rapid-evolution-of-data-protection-laws/amp, last visited on 17-08-2024
  13. https://loksabhadocs.nic.in/Refinput/New_Reference_Notes/English/RighttoPrivacyasafundamentalRight.pdf, last seen on 17-08-2024
  14. P.M. Bakshi, The Constitution of India Seventeenth edition published by Universal Lexis Nexis in 2020
  15. M.P. Jain, Indian Constitutional Law Third Edition, published by Wadhwa in 1978
  16. M.P. Sharma v Satish Chandra, SCR 1077 (1954)
  17. Payal Thaorey, Legal Introspections towards the Development of Right to Privacy as a Fundamental Right in India, (2021) published at Indonesia Law Review, Volume 11
  18. Kharak Singh v. State of U.P., SC 1295 (1963)
  19. Implementation of International Law in India: Role of Judiciary, available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1864489, last visited on 17-08-2024
  20. Justice K. S. Puttaswamy and Anr. V. Union of India and ors, (2017)10 SCC 1 AIR, 2017 SC 4161
  21. Ibid
  22. Evolution of Data Protection Law in India, available at https://irglobal.com/article/evolution-of-data-protectioninindia/, last visited on 17-08-2024
  23. Understanding India's New Data Protection Law, available at https://carnegieindia.org/2023/10/03/understanding-india-s-new-data-protection-law-pub-90624, last visited on 17-08-2024
  24. http://indiatoday.intoday.in/story/right-to-privacy-fundamental-right-parliament/1/1032794.html, last visited on 17-08-2024
  25. Shiv Shankar Singh, "Privacy And Data Protection In India: A Critical Assessment," Journal of the Indian Law Institute Vol.53 (2011)
  26. People's Union for Civil Liberties v. Union of India, AIR SC 568 (1997)
  27. Payal Thaorey, Legal Introspections towards the Development of Right to Privacy as a Fundamental Right in India, (2021) published at Indonesia Law Review, Volume 11
  28. Directorate of Revenue v. Mohd. Nisar Holia, (Cri) 415 1 SCC (2008)
  29. Payal Thaorey, Legal Introspections towards the Development of Right to Privacy as a Fundamental Right in India, (2021) published at Indonesia Law Review, Volume 11
  30. https://documents.un.org/doc/undoc/gen/g18/239/58/pdf/g1823958.pdf?OpenElement, last seen on 17-08-2024
  31. Payal Thaorey, Legal Introspections towards the Development of Right to Privacy as a Fundamental Right in India, (2021) published at Indonesia Law Review, Volume 11
