The goals of national security, technological progress, and individual liberties meet and occasionally clash in the intricate and ever-changing legal landscape that is the interplay between cybersecurity laws and basic rights. Data breaches, identity theft, cyber terrorism, and digital surveillance are serious problems in today’s digital age due to people’s heavy dependence on information and communication technologies, which has changed the way people communicate, do business, and engage with governments. Therefore, cybersecurity rules are crucial for safeguarding sensitive information, preserving confidence in digital infrastructure, and ensuring the safety of the nation. Problems arise, however, when considering the breadth and execution of such laws in relation to basic rights, such as the right to privacy, the right to free speech, and the right to be free from arbitrary state action.
Protecting individuals’ privacy is one of the primary goals of cybersecurity legislation. In the momentous decision of Justice K.S. Puttaswamy (Retd.) v. Union of India[1] (2017), the right to privacy was acknowledged as a basic right under Article 21 of the Indian Constitution by the Supreme Court. The court stressed that the right to privacy includes the right to one’s personal information. The acquisition, preservation, and manipulation of private information has grown substantially alongside the development of digital technology. Many cybersecurity measures, such as data retention policies, monitoring of online interactions, and surveillance mechanisms, rely on intrusive approaches that put people’s privacy at risk. Under national cybersecurity laws such as the Information Technology Act, 2000 and regulations enacted thereunder, government agencies have the authority to intercept, monitor, or decode any data delivered via any computer resource. In cases where it is determined that this is essential to safeguard public order, state security, Indian sovereignty and integrity, or national defence, it will be carried out. There is a risk of disproportionate or arbitrary intrusion into persons’ private life due to the lack of procedural safeguards, absence of judicial review, and unclear statutory language, even though these objectives are lawful.
Article 19(1)(a) of the Constitution guarantees the right to free speech, which is intersected with cybersecurity rules. Civic engagement, online activism, and public discourse all find a home in the digital sphere. Cybersecurity frameworks should avoid oversimplifying concepts like “cyber terrorism,” “objectionable content,” and “fake news” because of the potential for their exploitation. For instance, in the case of Shreya Singhal v. Union of India[2] (2015), the Supreme Court ruled that Section 66A of the Information Technology Act was invalid because it infringed upon the right to free speech. Critics said the provision was too vague and would lead to the arrest of people for harmless or critical social media posts, even if it had criminalised sending “offensive” communications through communication services. Reports of its ongoing abuse by law enforcement agencies have appeared even after it was invalidated, showing that there is still a disconnect between constitutional provisions and their execution in the cyber sphere.
The concept of proportionality, a constitutional criterion for determining the validity of governmental action that restricts basic rights, is another area where cybersecurity legislation provide difficulties. Legality, need, and proportionality are the three criteria that must be met before any limitation on rights like privacy or expression may be considered appropriate in the context of cybersecurity. Unfortunately, there aren’t always strong legislative or judicial oversight mechanisms in place to make sure cybersecurity frameworks, like India’s changing regulations, adhere to the proportionality test. Under the guise of national security or digital governance, the government is increasingly using surveillance technologies like face recognition, biometric data collecting, and AI-based tracking. This highlights the critical need for open and responsible frameworks. Laws pertaining to cybersecurity also affect the right to remedies guaranteed by Article 32 and Article 226 of the Constitution. People need to be able to get their rights back when they’re violated by things like state overreach, data leaks, or unauthorised surveillance. But people have a hard time getting the help they need because of how government surveillance systems are designed, how anonymous digital actors are, and how complicated cyber operations are. People in India have little options when it comes to dealing with data breaches or misuse of personal information because the country does not have a thorough data protection law. The Digital Personal Data Protection Act, 2023, is a major step in the right direction, but some worry that it could weaken people’s right to privacy due to its provisions concerning government exemptions, regulatory independence, and recourse methods.
Similar discussions concerning basic rights and cybersecurity are ongoing in several parts of the world. The EU’s General Data Protection Regulation (GDPR) establishes stringent requirements for data processing, gives people access to their data, and makes data controllers accountable in an effort to find a middle ground between data security and individual rights. In numerous cases, including Digital Rights Ireland and Schrems, the European Court of Justice has emphasised the importance of basic rights even when it comes to matters of public order or national security. In these cases, the court found that mass surveillance measures violated the EU Charter of Fundamental Rights. Indian lawmakers might use these decisions as a benchmark to craft cybersecurity legislation that upholds fundamental rights.
Within the framework of cybercrime legislation, forensic technology usage in criminal investigations is another area of concern. Digital evidence collecting highlights the inherent conflict between investigating cybercrime and protecting accused persons’ rights, such as the right against self-incrimination under Article 20(3). Individuals’ constitutional rights may be violated if they are coerced into disclosing passwords, decrypting devices, or providing biometric access. When it comes to cybersecurity enforcement, the courts have not yet made a definitive ruling on whether or not this kind of coercion breaches basic rights.
The right to non-discrimination and equality guaranteed by Article 14 is also impacted by cybersecurity laws. Such legislation must not disproportionately impact certain groups or be applied arbitrarily. Internet shutdowns are one example of a cybersecurity strategy that disproportionately affects vulnerable populations by cutting them off from resources like education and information. Some have argued that the Indian government’s regular shutdowns of internet access in areas like Jammu and Kashmir are unjustified and excessive. Given the importance of the internet for basic freedoms, the Supreme Court established proportionality and reasonableness standards for internet suspension in the case of Anuradha Bhasin v. Union of India[3] (2020). Nevertheless, there is still a lack of consistency in how these principles are being put into practice, which highlights the larger issue of harmonising cybersecurity measures with constitutional standards. The ever-changing cybersecurity landscape necessitates a flexible legislative framework; yet, this flexibility must not compromise fundamental principles. The framework for cybersecurity governance should incorporate impartial watchdogs, open processes, regular evaluations, and judicial review to forestall any possible misuse of authority. It is crucial for democratic nations to make sure that cybersecurity is not used as an excuse for repressing dissent or conducting widespread monitoring. State policy should promote, rather than limit, technological solutions that enable people to safeguard their basic rights in the digital sphere, such as encryption, anonymisation, and privacy-enhancing tools
Cybersecurity is an ecosystem in which the public and private sectors both participate significantly. Tech firms, ISPs, and social media sites amass and store reams of consumer information. There should be transparent regulations in place to protect user rights whenever they willingly or involuntarily cooperate with governmental agencies. It is important that data sharing procedures, terms of service, and regulations for content moderation are in line with the larger principles of the constitution. Ensuring cybersecurity should not be used as a pretext for unregulated surveillance or privatised censorship.
An important tension that calls for a delicate balancing act is revealed by an examination of cybersecurity regulations in relation to basic rights. Protecting national interests, economic stability, and digital infrastructure is crucial, but cybersecurity must not come at the expense of fundamental principles like human dignity, democracy, and the rule of law. Secure against abuse, accountable to all parties involved, and encouraging personal autonomy—these are the cornerstones of a constitutionally based legal and policy framework for cybersecurity. To create a safe and liberated digital future, a rights-based strategy for cybersecurity is essential. The extent to which basic rights are safeguarded in cyberspace will decide the viability and credibility of democratic rule in the twenty-first century, as technology permeates every facet of human existence[4].
[1] Ibid
[2] 2015 AIR SCW 1989
[3] (2020) 1 MAD LJ 574
[4] Giles, Keir. PROSPECTS FOR THE RULE OF LAW IN CYBERSPACE. Strategic Studies Institute, US Army War College, 2017. JSTOR, http://www.jstor.org/stable/resrep11600. Accessed 5 Apr. 2025.