The Supreme Court of India is currently listening to arguments in a significant case, unfolding in a bustling New Delhi courtroom. This case, taking place in the world’s largest democracy, has the potential to reshape the landscape of data privacy. At its heart, the matter concerns how companies handle user data, encompassing everything from sprawling social media networks to the apps that track your whereabouts and personal tastes.
India’s digital sphere has undergone a remarkable transformation, with connectivity now reaching over a billion people. A significant portion of this population relies on the internet for a wide array of activities, encompassing everything from accessing news to handling their financial affairs and beyond.
The ramifications reach far beyond the legal arena.
The core issue is the accessibility of your personal data to prying eyes.
Across the country, eyes are glued to the courtroom as judges deliberate over the merits of data privacy regulations.
What if the court opts to tighten the existing safeguards? Could this finally curb the persistent theft of Indian consumer data?
The ongoing legal battle surrounding the Digital Personal Data Protection Act (DPDPA) and its related rules highlights the increasing tension between safeguarding personal privacy and the relentless march of technological progress.
While the Digital Personal Data Protection Act, or DPDPA, officially became law in India in 2023, the full set of supporting regulations is still a work in progress.
A decision on this issue could set a standard for digital laws across the Global South, including India.
The Case’s Beginnings: From Petitions to the High Court
It all goes back to a few cases that were launched in the public’s best interest in the last several years. After a few big data breaches shook the public, privacy advocates like lawyers and civil society groups took their case to the Supreme Court. Do you remember the CoWIN portal leak in 2022? Millions of vaccination records were made public on the internet. Or the more recent attacks on big banking apps, when hackers posted consumers’ bank information on dark web forums? Many people were concerned with these occurrences and signed petitions asking for rules that would protect people’s data privacy.
Chief Justice D.Y. Chandrachud and the other judges on the court decided to look at the case right soon. Key petitioners say that the DPDPA is a step in the right way, but there are still problems, such the fact that “consent” isn’t properly defined and persons who break the law don’t face extremely heavy punishments. One petition asks if government entities should be able to access personal data without any checks or balances. This is similar to the concerns raised in the key 2017 Puttaswamy ruling, which declared that privacy is a fundamental right.
The judges have been trying to find a middle ground between protecting people and without hurting new businesses. Solicitor General Tushar Mehta stuck to the government’s position during the first sessions last month. He said that DPDPA is in line with international rules like the GDPR in Europe. But others say that enforcement is too delayed. For instance, India’s data protection agency, which is supposed to make sure that the law is followed, is still not completely functional two years after it was enacted.
This isn’t just a thought. Apps in India keep track of everything from your shopping habits to your political views. This is because 80% of internet traffic originates from mobile devices. A poll by the Internet and Mobile Association of India (IAMAI) in 2025 found that 62% of respondents were scared that their data might be exploited for other things. This was more than the 45% it was in 2023. People may change their thoughts after hearing what the court had to say.
India’s Problems with Data Privacy
It hasn’t been easy for India to get effective data privacy laws. There were rules everywhere before the DPDPA. They were based on the IT Act of 2000, RBI guidelines for money, and laws for several fields. The Supreme Court’s 2017 ruling in Justice K.S. Puttaswamy vs. Union of India modified that. It said that Article 21 gives people the right to privacy as part of their life and freedom.
Parliament enacted the DPDPA in August of 2023. The legislation stipulates that “data fiduciaries,” essentially companies managing data, are required to obtain explicit consent, allow customers to delete their data, and inform users of any breaches within a three-day window.
Fines? If they break the rules, CEOs might be penalized up to ₹250 crore, which is a lot of money.
That’s when things get hard.
People typically just hit “accept” without reading the fine print, which makes them tired of giving consent. The legislation says that consent must be “verifiable.” But what does that mean in real life?
Apps often hide the regulations in complicated legal language.
Kids under 18 are safer, but parents have to check, which is challenging because not many people know how to use technology in our culture.
Cross-border flows: Data can only go to other nations if there are limits in place. This hurts companies like Google and Meta.
There was more conversation regarding the rules from last year that were necessary to carry out the plan. Exemptions for state security raised red flags—could Aadhaar-linked data be tapped freely? After the news in 2021 that Pegasus malware was being used to spy on journalists and opposition individuals, campaigners are scared of a government that watches everyone.
India’s structure is similar to what is happening in other places. Since 2018, the EU’s GDPR has fined Meta €1.2 billion. The US has to follow standards set by each state, while China’s PIPL puts a lot of emphasis on national security. By 2028, India’s digital economy is expected to be worth $500 billion. If the country gets its data privacy policies right, it can grow without seeming like the Wild West.
What is at stake in the court case
Lawyers have been arguing about small things at hearings, which have been quite stressful. The petitioner’s lawyers point to concrete harms: NCRB data shows that identity thefts went up by 40% in 2025, and a lot of these were caused by bad data processing. They want the court to do rid of words that aren’t clear and put up a fair supervisory committee right once.
But groups in the industry, including NASSCOM, warn that too many rules are undesirable. One CEO told reporters outside the court, “Indian startups can’t afford to adopt GDPR.” They want a “data privacy law” that lets people try out new ideas, maybe with sandboxes for testing out new ideas.
It is really vital to get to the government. The administration says that privacy is less important than national security when it comes to risks like cyberterrorism. But what does it mean to be a threat? Petitioners want to know if employing vague language isn’t a way to misuse it. The bench seems to agree with the AG and is questioning about safety measures.
It has a big effect on the economy. India’s IT sector employs 5 million people and accounts for 8% of the country’s GDP. PwC says that stricter laws could cost firms ₹20,000 crore more a year to obey, but they could also help businesses gain trust and attract foreign investment. If Indian consumers feel comfortable, the number of UPI transactions, which reached 15 billion a month last year, might go through the roof.
For most people, it’s personal. Have you ever thought about how targeted advertising know what you ate for breakfast? Or why an app for health shares information with insurance companies? This case looks into those issues and may let persons “be forgotten.”
Voices from the Ground: Users, Experts, and the Business Speak Out
You can’t ignore what happens on the street. People who work in Mumbai’s tech clusters think there is too much red tape, but users like having more control. Priya Sharma, a freelancer in Bengaluru, says, “Someone has hacked my Aadhaar twice.” That’s all. A breach in 2024 put her data at risk.
“This is a make-or-break moment,” says Apar Gupta of the Internet Freedom Foundation. He has written opinion pieces in which he supports granular consent models, such as granular opt-ins for tracking ads. In the meantime, companies from other countries are changing. Last year, WhatsApp added more privacy features in India because the DPDPA forced them to.
Companies in India are likewise getting ready. Paytm and Reliance Jio have compliance teams that watch over data flows. A short look at the most recent numbers:
According to DSCI, there were more than 1,200 data breaches in 2025, which is 25% more than the year before.
A research by Nielsen indicated that only 35% of people read privacy guidelines.
An EY study found that 40% of businesses aren’t ready to obey the guidelines.
Small businesses are having the worst time. A individual who owns an online store in Nashik but doesn’t want to be named said, “We’re bootstrapped—fines may kill us.” But better rules might help smaller businesses that want to collect data.
People from all over the world are watching India. This could make Brazil or Indonesia want to make similar restrictions if it works. Not functioning? It could make people less trusting in Digital India.
Changing Digital India and More: Bigger Effects
If you look at the big picture, this case is about India’s objective of becoming a digital superpower by 2047. With 5G coming out and AI becoming more popular, data is the new oil. But if you don’t watch it, it might lead to wrong information, deepfakes, and unfairness. Half of India’s online users live in rural areas, and they are the ones who are most hurt by not having enough protections. They can’t get services without Aadhaar, yet leaks show that they do.
