Why Bar Council of Delhi’s publication of voter details online has sparked a legal tussle

In the run-up to the Bar Council of Delhi (BCD) elections, the Council uploaded its updated voter list on its website. Along with names and enrolment numbers, the list carried mobile numbers, residential addresses and photographs of advocates. Soon after, bar members began receiving campaign outreach — SMSes, emails, WhatsApp messages, phone calls and even campaign posters via speed post. Some lawyers said they were added to WhatsApp groups without prior consent. A petition before the Delhi High Court challenges the publication of the data itself. A Bench of Chief Justice Devendra Kumar Upadhyaya and Justice Tejas Karia observed on February 18: “This is not the way. You can’t encroach on people’s privacy. Individual lawyers are being harassed without their willingness… You have to protect their right to privacy. You are making every detail public. You have to do something.” This volume and frequency of outreach raises a broader question: How much personal information can a statutory professional body place in the public domain in the name of elections? What does the petition say? The plea describes the voter list publication as an “unauthorized publication, circulation and misuse of sensitive personal data of Advocates”. It states that as a direct consequence of the disclosure, advocates have been subjected to unsolicited calls, messages and canvassing. Invoking Article 21 and the Supreme Court’s ruling in Justice K.S. Puttaswamy (Retd.) v. Union of India, the petition argues, “The impugned disclosure constitutes a manifest violation of the fundamental right to privacy protected and guaranteed under Article 21… and fails the test of legality, necessity, and proportionality.” It contends that while conducting elections may be a legitimate aim, “publication of such data is neither essential nor proportionate for the conduct of free and fair elections.” The plea further states that the disclosure “has the potential to facilitate stalking, harassment, intimidation, identity theft, cyber fraud, data mining, and other forms of data-driven harm.” On the statutory framework, the petition relies on the Bar Council of India Rules, which provides that the electoral roll shall contain “serial number; number on the State roll; name of advocates as on the roll; and address of the advocate.” It argues that publication of personal mobile numbers and photographs is not contemplated under the Rules. Referring to Section 13 of the Bar Council of Delhi Rules, the plea submits that electoral rolls must be prepared strictly in accordance with the BCI Rules, and that release of additional personal details is “wholly impermissible”. The petition also invokes principles under the Digital Personal Data Protection Act, 2023, arguing that data collected for enrolment and regulatory purposes cannot be disseminated beyond that purpose without consent. It states that the BCD was under a legal obligation to ensure that data was processed and disclosed only for the purpose for which it was obtained. What the law actually says Bar Councils are statutory bodies created under the Advocates Act. That means their powers are legal functions. And when they act, they are subject to constitutional discipline. The Constitution follows them into the digital space. The petition relies on Justice K.S. Puttaswamy (Retd.) v. Union of India, where the Supreme Court recognised privacy within Article 21. The judgment recognised that control over personal information is integral to dignity and liberty. It said that in the digital era, threats to privacy are not confined to the State; private actors can pose equal risks. Justice Nariman underscored that individuals retain an interest in deciding how and when personal information about them is shared, and that unauthorised dissemination may infringe that right. The Court also cautioned that fragments of data may appear benign in isolation, but when stitched together, they can reveal an intimate profile. A name, a phone number, an address, a photograph, each looks routine. Combined and uploaded without safeguards, they form a searchable file. That risk frames the present dispute Under the Digital Personal Data Protection Act, consent is the organising principle of personal data processing. Processing is generally lawful only when backed by informed, voluntary agreement. First, purpose limitation is when personal data must be collected and used for a clearly identified objective. If the objective is conducting bar elections, the legal question becomes whether unrestricted public publication of contact details and photographs is essential to that task. Second, data minimisation pertains only to the processing of information that is strictly necessary for the stated purpose. There is also a practical dimension. Once a consolidated database is uploaded without access controls, it can be copied infinitely. Deleting it later does not rewind circulation. Digital publication is not like putting a notice on a board; it is more like printing thousands of copies and leaving them in the wind. For context, courts have already recognised the regulatory responsibility of constitutional bodies in the digital arena. In Dhrone Diwan v. Election Commission of India, the Delhi High Court emphasised the Election Commission’s duty under Article 324 to proactively prevent misuse of digital campaign material that could distort electoral fairness. The court did not micromanage the Commission, but it reminded it of its constitutional burden. Oversight does not end because communication has moved to phones and servers.