A REVIEW ON DATA PROTECTION LAWS AND LIBRARY USER PRIVACY

RESEARCH PAPER

HARIHARARAO MOJJADA

3/29/2026

Harihararao Mojjada, Assistant Librarian, MVGR College of Engineering (A), Vizianagaram, Andhra Pradesh

______________________________________________________________________________

Abstract:

The rapid digitisation of library services in India has intensified concerns regarding the privacy and security of user data generated through digital library interactions. This paper examines the adequacy of India's existing data protection legislative framework, comprising the Information Technology Act 2000, its 2008 Amendment, and the Digital Personal Data Protection Act 2023, in safeguarding the privacy rights of digital library users, with particular reference to academic and institutional library environments. Adopting a qualitative, descriptive-analytical research design, the study systematically reviews eight peer-reviewed studies and benchmarks Indian legislative provisions against international standards, including the GDPR, IFLA Privacy Guidelines, and OECD Principles. The findings reveal significant regulatory gaps in library-specific data governance, compounded by inadequate cyber security infrastructure, low user awareness, and the absence of AI-specific privacy provisions. The paper proposes a rights-based, sector-specific legal framework encompassing data minimisation, informed consent, purpose limitation, and institutional accountability to safeguard academic freedom and user privacy in India's expanding digital knowledge ecosystem.

Keywords: Digital libraries, data protection laws, user privacy, Digital Personal Data Protection Act 2023, Right to privacy

I. Introduction

The spread of digital library platforms across India's higher education sector has changed how academic communities access and use information. Institutions from central universities to AICTE-approved engineering colleges now depend on digitised resource environments. Examples include the National Digital Library of India, eShodhSindhu, and proprietary institutional repositories. These platforms silently generate large volumes of user data with each login, search query, and document download. Data privacy is now a critical governance issue, moving from a minor administrative concern to a central problem. This new reality demands rigorous scholarly and legislative focus.

Unlike commercial digital platforms, libraries occupy a distinctive institutional position. Their foundational mandate to enable free, uninhibited, and confidential access to information is constitutionally proximate to the rights of free expression and personal liberty guaranteed under Articles 19 and 21 of the Indian Constitution. The Supreme Court's landmark ruling in Justice K.S. Puttaswamy v. Union of India (2017) established informational privacy as a fundamental right, explicitly encompassing reading habits and intellectual choices, creating a direct normative bridge between constitutional protection and library data governance. Yet despite this judicial mandate, India's existing legislative architecture (the IT Act 2000, the ITAA 2008, and even the recently enacted Digital Personal Data Protection Act 2023) contains no sector-specific provisions governing the collection, retention, or disclosure of digital library user data, leaving a critical regulatory vacuum.

  1. Basic Concepts

Several foundational concepts frame this inquiry. Data privacy refers to individuals' rights and the procedural norms governing how personal information (data that can identify a person, such as names, addresses, or ID numbers) is collected, processed, stored, and shared, ensuring individuals' control over their data. Data protection refers to the legal and technical mechanisms, such as encryption (scrambling data to prevent unauthorised reading), access controls (restrictions on who can view or change information), and anonymisation (removing identifying details from data), that are deployed to operationalise those rights against unauthorised access or misuse. User privacy in digital libraries specifically encompasses the confidentiality of reading records, search histories, borrowing patterns, and behavioural analytics (data about user actions and preferences), recognising these as epistemically sensitive (that is, relating to a person's knowledge or beliefs) and warranting heightened protection. Informed consent requires that users knowingly authorise data collection prior to processing, while purpose limitation mandates that data collected for one declared function cannot be repurposed without explicit renewed consent. Together, these principles constitute the normative grammar of contemporary data protection law and provide the analytical vocabulary through which this study evaluates India's regulatory adequacy for digital library environments.

  2. Need and Scope of the Study:

The rapid digitisation of library services in India has intensified the need to safeguard user data, encompassing reading habits, search patterns, device information, and personal identifiers. Despite the enactment of the Digital Personal Data Protection Act 2023 and constitutional protection under Article 21, no dedicated legislative framework exists specifically for digital library privacy in India. This study is scoped to examine privacy risks, legislative gaps, and institutional challenges confronting academic digital library users. It encompasses an analysis of Indian and international legal standards, AI-driven technological vulnerabilities, and user behaviour patterns, and extends to recommending actionable policy reforms, compliance mechanisms, and user empowerment strategies for India's growing knowledge infrastructure.

  3. Importance of the Study

Data privacy in digital libraries is indispensable for preserving academic freedom and protecting sensitive user information. As digital platforms increasingly track reading histories, search behaviours, and interaction data, the risk of surveillance, algorithmic profiling, and unauthorised disclosure poses a serious threat to user trust and intellectual liberty. Robust legal frameworks, ethical data management, transparent consent mechanisms, and user education programmes are essential to ensure that India's expanding digital knowledge infrastructure remains a safe, open, and inclusive space for learning, research, and academic independence without compromising individual privacy rights. The International Centre for Information Systems & Audit (2024) discusses the growing importance of data protection and privacy in the digital era, especially in India's rapidly expanding digital ecosystem. It highlights the risks of cybercrime, data breaches, and misuse of personal information, emphasising the need for strong legal frameworks and privacy protection mechanisms. The article also explains the balance between data utility and privacy through legal and technological measures, such as the Digital Personal Data Protection Act, 2023.

  4. Objectives of the Study:

Based on the foregoing review of literature, the following three objectives are framed to guide this study:

  • To examine the existing legal frameworks governing data privacy and user rights in Indian digital libraries, with specific reference to the Information Technology Act 2000, the IT Amendment Act 2008, and the Digital Personal Data Protection Act 2023.

  • To identify and analyse the key challenges and risks faced by digital library users in India, including unauthorised data access, surveillance of reading habits, user profiling, and data breaches enabled by emerging technologies such as artificial intelligence and machine learning.

  • To evaluate international privacy standards, including the GDPR, IFLA Privacy Guidelines, and OECD Principles, and to propose evidence-based strategies to strengthen data protection governance in Indian digital library environments.

II. Review of Literature

The following reviews synthesise key scholarly works on data privacy, user rights, legal frameworks, and digital library contexts in India and abroad. Each review presents the core contribution, methodology, and findings of the selected study.

Pelteret and Ophoff (2016) present a transdisciplinary narrative review of information privacy, linking consumer and organisational perspectives across law, psychology, economics, and management. The study identifies key consumer concerns, including secondary use of information, profiling, price discrimination, identity theft, and data breaches. Using a rich picture framework, the authors demonstrate that privacy decisions are constrained by incomplete information, bounded rationality, and psychological distortions. They argue that trust between consumers and organisations is central to privacy governance and call for cross-disciplinary research to address evolving challenges in the digital information environment.

Ghosh and Shankar (2016) analyse data protection in India through a rights-based lens, examining its relationship with privacy, the RTI Act, IT law, IPC, national security, intellectual property, and corporate affairs. Grounded in Articles 19 and 21 of the Constitution, the study traces judicial milestones, including R. Rajagopal v. State of Tamil Nadu and K.S. Puttaswamy. The authors argue that data protection must be treated as a fundamental right rather than a regulatory obligation. They call for a unified legal platform integrating data collection, processing, storage, security, and access to safeguard individual liberty in a technologically advancing society.

Bhatia et al. (2020) conducted a comprehensive review of data privacy laws in India, examining the IT Amendment Act 2008, the Personal Data Protection Bill 2019, IPC sections, and SEBI regulations. The study categorises data breaches into natural, accidental, intentional, and cyber-attack causes, and outlines DLP tools as countermeasures. Case studies of Target Corporation and Unacademy illustrate how breaches occur and their legal, financial, and reputational consequences. The authors stress that Indian data privacy laws need significant modernisation to meet evolving corporate and consumer protection needs.

Rawat and Aggarwal (2020) examine the right to privacy and data protection issues within the Indian constitutional framework, tracing the judicial evolution of privacy as an implicit fundamental right under Articles 19 and 21, culminating in the landmark Justice K.S. Puttaswamy v. Union of India ruling. The study analyses key provisions of the IT Act 2000 and ITAA 2008, specifically Sections 43, 43A, 66, 72, and 72A. The authors recommend a constitutional amendment explicitly codifying privacy, a comprehensive national data policy, and enhanced public awareness programmes to strengthen individual control over personal information in the digital era.

Sreehari and Vijayakumar (2022) present a relevant study on user privacy in digital libraries, examining HTTPS encryption, RFID vulnerabilities, and tracking agents. Referencing Corrado (2020), Breeding (2019), and ALA (2016), the paper outlines practical privacy protection strategies. While the theoretical synthesis is commendable, the absence of primary empirical data limits its originality. Future research incorporating survey-based findings would significantly enhance its scholarly impact.

Fareed (2024) examines data privacy and security through the interlocking dimensions of ethics, standards, laws, and regulations in India and abroad. The study analyses frameworks including GDPR, CCPA, HIPAA, PCI DSS, ISO/IEC 27001, and India's IT Act, as well as the draft Personal Data Protection Bill 2019. Ethical pillars such as transparency, informed consent, data minimisation, and purpose limitation are identified as foundational to responsible data governance. The paper highlights how interdependencies between legal mandates and organisational compliance can foster a balanced, morally integrated digital environment across diverse jurisdictions and industry sectors.

Kapadiya and Kapadiya (2024) explore user privacy challenges in Indian digital libraries, applying data protection theory, the privacy paradox, and the privacy calculus model. The study identifies risks including data breaches, unauthorised access, AI-driven user profiling, and surveillance without consent. Despite the DPDPA 2023, implementation gaps persist due to outdated infrastructure, low user awareness, and the absence of AI-specific regulations. The authors recommend encryption, anonymisation, multifactor authentication, transparent data policies, user education workshops, and privacy-by-design principles to ensure ethical data management and sustain user trust in digital academic library environments.

Kadam and Dagale (2025) investigate data privacy and user rights in Indian digital libraries, assessing the adequacy of the Digital Personal Data Protection Act 2023 for academic library contexts. The paper identifies critical risks, including surveillance of reading habits, data sharing without consent, inadequate cyber security funding, and cross-border data transfers via cloud services. Benchmarking India against GDPR, IFLA privacy guidelines, and U.S. library laws, the authors expose significant legislative gaps. They recommend library-specific privacy guidelines, improved consent mechanisms, data minimisation practices, mandatory encryption, and appointment of institutional data protection officers.

III. Methodology

This study adopts a qualitative, descriptive-analytical research design grounded in doctrinal and interpretive epistemology. Secondary data forms the exclusive evidence base, drawn from three tiers: primary legal instruments, including the IT Act 2000, ITAA 2008, DPDPA 2023, GDPR, and CCPA; landmark judicial pronouncements, particularly Justice K.S. Puttaswamy v. Union of India (2017); and peer-reviewed scholarly literature spanning 2005–2025. Some thematically selected studies were systematically reviewed using content analysis and thematic coding. Comparative legal analysis benchmarks Indian frameworks against international standards, while normative analysis evaluates their jurisprudential and ethical sufficiency. Literature was selected on the criteria of thematic relevance, scholarly rigour, and temporal currency. The methodology is trans-disciplinary, integrating jurisprudence, information science, library management, and digital ethics to produce policy-relevant, conceptually rigorous analysis for specialist academic audiences.

IV. Data Protection Laws and Library User Privacy

The intersection of data protection legislation and library user privacy represents one of the most consequential yet under-theorised domains within contemporary information science and legal scholarship. As digital libraries evolve from passive repositories into dynamic, data-intensive platforms, the nature of the privacy relationship between institution and user has fundamentally shifted. Where the traditional library was governed by a professional ethic of confidentiality rooted in intellectual freedom, the digital library now operates as a data processor in the fullest regulatory sense, collecting, storing, analysing, and transmitting personally identifiable information (PII) at a scale and granularity that existing legal frameworks were not designed to address.

The Regulatory Landscape and Its Foundational Tensions

Contemporary data protection regimes, principally the European Union's General Data Protection Regulation (GDPR, 2018), India's Digital Personal Data Protection Act (DPDPA, 2023), and the California Consumer Privacy Act (CCPA, 2018), share a common normative architecture: lawful basis for processing, purpose limitation, data minimisation, informed consent, and rights of access, correction, and erasure. These principles, when applied to digital library environments, generate productive but unresolved tensions. Libraries exist to maximise information access and personalise discovery; data minimisation, by contrast, constrains precisely the data-intensive processes (algorithmic recommendation, reading analytics, and behavioural profiling) that enable such personalisation. The regulatory logic and the service logic are, at their core, structurally opposed, and this friction has not been adequately resolved in either legislative design or institutional policy.

In the Indian context, this tension is particularly acute. The DPDPA 2023 establishes a foundational framework for consent-based data processing and introduces the concept of a Data Fiduciary, yet it contains no library-specific provisions and makes no distinction between a commercial e-commerce operator and a university digital library serving a constitutionally guaranteed right to education. The Information Technology Act 2000 and its 2008 amendment, while addressing sensitive personal data and reasonable security practices, similarly operate at a level of generality that renders their application to academic library contexts interpretive rather than prescriptive. The constitutional right to privacy, affirmed in Justice K.S. Puttaswamy v. Union of India (2017), provides an indispensable normative foundation, extending protection expressly to intellectual choices and reading habits; yet this judicial mandate has not been translated into sector-specific statutory obligations for library data governance.

The Nature of Library-Specific Privacy Risks

What distinguishes library user data from other categories of personal information is its epistemic intimacy. Search queries, reading histories, downloaded materials, and dwell-time analytics constitute a detailed map of a user's intellectual interests, ideological orientations, political affiliations, and professional concerns. Unlike transactional data generated by commercial platforms, library data is generated in a context of presumed intellectual safety. The chilling effect produced by surveillance of reading behaviour, a phenomenon well documented in post-Patriot Act library studies in the United States, demonstrates that perceived monitoring suppresses information seeking, thereby undermining the library's foundational purpose. This effect is not merely theoretical; it is measurable in altered search patterns, reduced engagement with sensitive subject areas, and increased self-censorship among users aware of tracking practices.

Towards a Legally Coherent Framework

Resolving these challenges demands more than compliance with general data protection statutes. It requires the development of library-specific regulatory instruments grounded in four interlocking principles. First, reading records must be classified as sensitive personal data, which attracts the highest tier of processing restrictions and limits their disclosure to explicit judicial compulsion. Second, data minimisation must be operationalised through privacy-by-design architectures that anonymise interaction logs at the point of collection rather than retrospectively. Third, consent mechanisms must be genuinely informed and granular, distinguishing between data collected for core service delivery and data processed for analytics or third-party sharing. Fourth, institutional accountability must be formalised through the appointment of mandatory Data Protection Officers and the conduct of regular privacy impact assessments benchmarked against IFLA's internationally recognised privacy guidelines.

The International Federation of Library Associations and Institutions has long maintained that the confidentiality of library records is not a courtesy but a professional and ethical obligation inseparable from intellectual freedom. Translating that principle into enforceable, sector-specific legal obligations calibrated to the realities of AI-driven digital library infrastructure is the defining legislative and scholarly task of this moment. The subject matter demands not incremental policy adjustment but a conceptual reframing that treats library user privacy as a juridical right, not an institutional preference.

V. Conclusion

The governance of digital library user privacy in India stands at a decisive crossroads. While the constitutional recognition of informational privacy in Puttaswamy and the enactment of the DPDPA 2023 signal meaningful legislative intent, they collectively fall short of providing the sector-specific, jurisprudentially coherent protection that digital library users, as bearers of intellectual freedom, fundamentally require. Reading histories, search behaviours, and research patterns constitute epistemically intimate data whose misuse carries consequences extending well beyond individual harm, threatening the academic freedom upon which knowledge societies are built.

Addressing this deficit demands legislative specificity, institutional accountability, privacy-by-design infrastructure, and a cultural reorientation within library governance that treats user confidentiality not as a compliance obligation but as a professional and ethical imperative. India's ambition to build a robust digital knowledge infrastructure will remain structurally compromised unless the rights of its library users are protected with the same rigour accorded to financial and medical data. The time for incremental adjustment has passed; purposive, sector-specific reform is now an urgent scholarly and policy necessity.


References:

  1. Bhatia, P., Jaitly, S., Sharangpani, S., Akhouri, A., & Munshi, A. (2020). Review of data privacy laws and case study. International Journal of Creative Research Thoughts (IJCRT), 8(10), 2923–2927. https://www.ijcrt.org

  2. Fareed, Q. (2024). Data privacy and security; Ethics, standards, laws and regulations. International Journal of Research Publication and Reviews, 5(8), 162–168. https://www.ijrpr.com

  3. Ghosh, J., & Shankar, U. (2016). Privacy and data protection laws in India: A right-based analysis. Bharati Law Review, October–December, 54–72.

  4. Kadam, S. J., & Dagale, A. N. (2025). Data privacy and user rights in digital libraries: Need for legal safeguards in India. Advanced International Journal for Research (AIJFR), 6(6), 1–6. https://www.aijfr.com

  5. Kapadiya, H., & Kapadiya, N. K. (2024). User privacy in digital libraries: Challenges, implications and strategies for safeguarding information. Indian Journal of Library Science Research & Information Technology, 1(2), 37–45. https://www.bmsgroup.in

  6. Mohd Roni, N. A. (2005). Privacy and data protection in digital libraries on policies, preparedness, and awareness: An investigation on two Malaysian public academic libraries [Unpublished master's thesis]. University of Malaya.

  7. Pelteret, M., & Ophoff, J. (2016). A review of information privacy and its importance to consumers and organisations. Informing Science: The International Journal of an Emerging Transdiscipline, 19, 277–301. http://www.informingscience.org/Publications/3573

  8. Rawat, P., & Aggarwal, S. (2020). Right to privacy and data protection issues in India. International Journal of Creative Research Thoughts (IJCRT), 8(8), 2680–2686. https://www.ijcrt.org

  9. ALA Intellectual Freedom Committee. (2016). Library Privacy Guidelines for Library Websites, OPACs, and Discovery Services. ALA.Org.

  10. Breeding, M. (2019). Protecting Privacy on Library Websites: Critical Technologies and Implementation Trends. ALA TechSource.

  11. Corrado, E. M. (2020). Libraries and protecting patron privacy. Technical Services Quarterly, 37(1), 44–54.

  12. Sreehari, P., & Vijayakumar, S. (2022). Protection of users' privacy while using library e-resources: Challenges and prospects. In V. Shivannavar (Ed.), ERUDITE Conference Proceedings 2021–22 (pp. 340–348). Seshadripuram Institute of Commerce and Management.

  13. International Centre for Information Systems & Audit. (2024). Data protection and data privacy. PursuIT eJournal (9th ed.). Supreme Audit Institution of India.