Digital evidence and data governance: rethinking evidentiary standards in India
Tuesday 14 April 2026
Sanjay Basu
AQUILAW, Kolkata
sanjay.basu@aquilaw.com
Soumen Mohanty
AQUILAW, Kolkata
soumen.mohanty@aquilaw.com
Piyush Kumar Ray
AQUILAW, Bhubaneswar
piyush.ray@aquilaw.com
Upasana Mohanty
AQUILAW, Bhubaneswar
upasana.mohanty@aquilaw.com
Introduction: Digital evidence in contemporary litigation
In this digital era, courts are inundated with voluminous electronic records ranging from emails and chat logs to photos, device metadata, and surveillance video. It is therefore likely that trials in the near future will seldom proceed without some form of digital evidence, given that such information often provides crucial proof. However, apparent technical reliability raises deeper concerns. Questions arise as to the manner in which records were obtained. Were they collected with proper consent and authority or through coercion and privacy violation? Therefore, there exists a tension between technological authenticity and procedural or ethical legitimacy. On one hand, modern forensics can verify a file’s integrity with unprecedented precision; on the other hand, the social context of data collection, such as privacy norms, contractual consent, and statutory limitations, often remains insufficiently examined.
Legal framework related to digital evidence
In India, the Bharatiya Sakshya Adhiniyam, 2023 (BSA) provides the current statutory framework for electronic evidence. In particular, Section 63 of the BSA governs the admissibility of information produced by computers and other digital devices. Broadly, Section 63(1) declares that any information in an electronic record produced by a computer shall be deemed to be also a document and shall be admissible as evidence of the contents of the original, notwithstanding any rule of law about evidence. This means a computer output, for instance a printed report or an email stored digitally, is treated on par with physical documents, provided that the statutory conditions prescribed under the provision are satisfied.
In moving from the erstwhile Indian Evidence Act, 1872 (IEA) to the new BSA, India has taken a legislative step forward in how courts interpret and admit electronic records. For well over a century, the IEA guided litigants and courts on the proof of documents and the process of adducing relevant evidence during court proceedings. The IEA originally governed the admissibility of documents, and Sections 65A and 65B on electronic records were introduced into it via the Information Technology Act, 2000.
The foregoing rules create a kind of authentication paradox. Technology has given judicial forums strong tools to evaluate digital evidence. Using hash values, cryptographic signatures, device logs and metadata, judges and forensic experts can often verify that a record is unaltered and was issued from the claimed source. Yet none of this technical verification necessarily extends to examining the way in which the data was obtained, along with the legality and ethicality of its collection.
Establishing authenticity does not immunise wrongful conduct. Privacy and security concerns loom especially large; courts explicitly recognise that digital evidence often raises issues of data privacy and cyber-security beyond mere authenticity. For example, metadata or logs might be tampered with or withheld if they reveal illegal surveillance, and networked systems could be compromised. Effectively, courts face evidence that is technically reliable but potentially tainted at its origin.
A root cause of this dilemma is the unequal bargaining power between data subjects and platform/service providers. Most users are confronted with take-it-or-leave-it contractual arrangements. This came into focus in the recent probe by the Competition Commission of India (CCI) into WhatsApp Meta¹, in which consumers are essentially given an ultimatum: accept the data-sharing rules or lose access to an essential service. In such settings, it is dubious whether any consent can be regarded as having been meaningfully and freely given.
Legality of evidence collection and constitutional safeguards
Given these concerns, many legal systems have long grappled with the question of how courts should treat evidence obtained through unlawful or unethical means. The central issue is whether the reliability of evidence alone should determine admissibility, or whether the manner in which the evidence was obtained should also be subject to judicial scrutiny.
One principle that emerges from broader equitable jurisprudence is the idea that a party who has engaged in unethical or illegal conduct related to the subject of the litigation may be disallowed from benefiting from that misconduct. In other words, one who comes to court ‘with unclean hands’ may not be granted equitable relief. Applied to evidence, this suggests that a party should not profit from deceitful data-gathering practices.
Following the landmark case of Justice K.S. Puttaswamy v Union of India², wherein the right to privacy was recognised as a part of the fundamental right to life guaranteed under Article 21 of the Indian Constitution, India’s constitutional framework is increasingly aligned with jurisdictions that recognise strong constitutional protections against unjustified state intrusion.
The constitutional recognition of privacy has also informed the development of a statutory data protection framework in India. The Digital Personal Data Protection Act, 2023 (DPDP Act) establishes a regime governing the processing of personal data and emphasises lawful processing, informed consent, purpose limitation, and accountability of data fiduciaries, thereby reinforcing the importance of lawful data collection in the context of digital evidence.
Consequently, the legality of the method through which digital information is obtained assumes constitutional significance. If courts were to admit evidence without examining whether it was procured in violation of privacy rights, the constitutional guarantee itself risks becoming ineffective in practice. A legal system that disregards such violations in the pursuit of evidentiary advantage risks undermining the very rights it seeks to protect. A right without an effective remedy ultimately becomes illusory.
International data governance and evidentiary legitimacy
The Data Evidence Dilemma is not unique to India. Across the globe, regulators and courts are converging on the idea that lawful data governance is essential for any evidence system. For example, the European Union’s General Data Protection Regulation (GDPR) codifies principles that constrain data collection and use.
Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including protection against unauthorized or unlawful access to or use of personal data and the equipment used for the processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures. Further, the Organisation for Economic Co-operation and Development (OECD), through its principles of purpose specification and use limitation, has created a framework for the judicious use of data.⁴ Organisations must specify the purposes for which personal data is collected no later than at the time of collection. Subsequent use must be limited to fulfilling those purposes or others that are compatible with the original purposes and are specified when the purpose changes. This principle prevents what is commonly called ‘function creep’, where data collected for one purpose gradually gets used for entirely different purposes.
If a digital record was gathered in breach of a privacy law or a data protection norm, its evidentiary status might be compromised, much as a signature in violation of contract law is void. Thus, international developments reinforce the notion that digital records derive legitimacy only if the entire data lifecycle meets legal standards like consent, purpose limitation and data minimisation. In this context, courts may need to adopt a layered approach to digital evidence that evaluates not only its technical authenticity but also the legality and fairness of the manner in which the data was collected.
Conclusion
Without doubt, digital evidence has transformed legal practice and litigation, offering a more precise evidentiary landscape. Yet this transformation cuts both ways; it brings issues of privacy, consent and power into the courtroom. Courts now have a responsibility to reconcile the mechanical trustworthiness of bits and bytes with the legal and ethical preconditions of their production. As illustrated, solving this dilemma requires pushing beyond purely technical verification. Looking forward, the courts may increasingly need to scrutinise the data governance context of digital records, much as they examine the chain of custody in traditional evidence. Only through the integration of data protection principles with evidentiary rules can the system ensure that the truth reflected by digital evidence is achieved without sacrificing justice or fundamental rights.
Notes
1. WhatsApp LLC v Competition Commission of India, 2025 SCC OnLine NCLAT 2071
2. Justice K.S. Puttaswamy v Union of India, (2017) 10 SCC 1
3. GDPR (2018), Art. 5 GDPR – Principles Relating to Processing of Personal Data, General Data Protection Regulation (GDPR), https://gdpr-info.eu/art-5-gdpr/
4. OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (Includes the 'Declaration on Transborder Data Flows' and the 'Ministerial Declaration on the Protection of Privacy on Global Networks.') (n.d.)