Share these talks and lectures with your colleagues
Invite colleaguesPractice paper
Securing informational privacy in India’s IoT governance: Looking through the lens of FASTag
Journal of Data Protection & Privacy,
7
(2),
125-151
(2025)
Abstract
As Internet of Things (IoT) technologies become increasingly integral to digital governance initiatives in India, this paper addresses the critical challenge of ensuring that their implementation conforms to the constitutional right to informational privacy established in the Puttaswamy judgment. Using India’s FASTag electronic toll collection system as a case study, the paper develops a comprehensive framework for evaluating and safeguarding privacy rights in state-deployed IoT applications. Through detailed analysis of FASTag’s implementation, which involves extensive data collection, multiple stakeholder access and reported vulnerabilities including recent data breaches, the study demonstrates how IoT applications can inadvertently compromise informational privacy rights. The paper then applies the threefold test from Puttaswamy (presence of law, legitimate objective, proportionality) to evaluate FASTag’s constitutional validity. Despite various legal instruments including the Digital Personal Data Protection Act 2023, NETC Procedural Guidelines and other rules, the analysis reveals significant gaps in meeting the ‘quality of law’ standards. While FASTag demonstrates rational connection to legitimate state objectives through improved efficiency and transparency, evidenced by reduced wait times and fuel savings, it fails the necessity requirement due to inadequate privacy impact assessments. The proportionality stricto sensu evaluation further identifies concerns about unclear scope definition and insufficient data protection measures affecting thousands of users. Building on this analysis, the paper develops a practical framework for privacy-conscious IoT deployment in public services. Drawing on both the Indian legal position and privacy and data protection measures concerning electronic toll collection and IoT systems under European Union (EU) and Californian law, it proposes specific safeguards that can strengthen the implementation of FASTag, such as IoT systems and their alignment with the right to privacy. In the final section, it elaborates upon two specific safeguards and discusses at length the significance, challenges and details of their implementation. These safeguards are privacy impact assessments and data localisation. This framework’s significance lies in its comprehensive approach to balancing technological innovation with privacy protection, not only providing actionable measures for future IoT implementations, but also discussing the alignment of such measures with the fundamental right to privacy at the highest level. This contribution is particularly valuable as India continues to expand its digital infrastructure, ensuring that technological advancement does not come at the cost of constitutional rights.
Keywords: Internet of Things (IoT); informational privacy; data protection; safeguards; electronic toll collection; privacy rights; proportionality test; privacy impact assessments
The full article is available to subscribers to the journal.
Author's Biography
Anupriya is a lecturer at Jindal Global Law School, O.P. Jindal Global University, Sonipat, India. She specialises in technology law. She holds a Master of Laws (LLM) degree in law and technology from Tilburg University, The Netherlands, where she also received the cum laude award for academic distinction. She also earned a B.A.LL.B. degree from the University of Petroleum and Energy Studies, Uttarakhand, India. Anupriya has a diverse professional background, having gained experience in both India and Europe. She was a data privacy and digital law intern at EU Digital Partners, Romania, and has worked with leading organisations such as PricewaterhouseCoopers and Clifford Chance Business Services Pvt. Ltd. in India. Her research interests lie in the regulation of emerging technologies, particularly focusing on artificial intelligence, data protection and data privacy laws.
Krishna Deo Singh Chauhan Professor Krishna Deo Singh Chauhan is an Associate Professor at Jindal Global Law School, O.P. Jindal Global University, Sonipat, India. He completed his undergraduate degree in law at the National Law Institute University, Bhopal, and his postgraduate degree at the National University of Singapore specialising in intellectual property and technology law. He is currently writing his doctoral thesis on the regulation of artificial intelligence (AI). Krishna was a member of the Jean Monnet Chair established by the European Union at the O.P. Jindal Global University, where he taught courses on privacy and data protection in the context of new technologies. He also led a project for developing the Certificate Programme on Technology Management commissioned by the Department of Scientific and Industrial Research, Ministry of Science and Technology, Government of India. Krishna’s recent papers have covered cutting-edge topics at the interface of AI revolution and legal and ethical issues, including a mapping of the regulatory approaches to AI, an exploration of the concept of beneficence in AI ethics, and the evolving nature of dark patterns in the context of AI-designed interfaces.
