Authored By: Ms.Prachi Pal
University of Lucknow
Abstract
This article traces the constitutional evolution of the right to privacy in India, from its hesitant beginnings to its emphatic recognition as a fundamental right by the nine-judge bench in Justice K.S. Puttaswamy (Retd.) v. Union of India (2017). It then examines post-Puttaswamy jurisprudence, statutory developments such as the Digital Personal Data Protection Act, 2023 (DPDP Act), and the continuing tension between security, governance, and individual autonomy in the digital state. The article argues that privacy in India has shifted from being an implicit liberty interest to a core structural principle, but its translation into effective protection requires legislative refinement, judicial vigilance, and administrative transparency.
Introduction
The Indian Constitution does not explicitly mention a right to privacy. Yet, over seven decades, privacy has moved from being a contested penumbra to a structural guarantee of liberty and dignity. The doctrinal turning point was Justice K.S. Puttaswamy (Retd.) v. Union of India, where a unanimous nine-judge bench held that privacy is intrinsic to life and personal liberty under Article 21 and forms an integral part of the freedoms guaranteed by Part III.¹ The bench rejected the false binary between individual rights and collective good, insisting instead on proportional balancing.
Puttaswamy’s promise has since been tested in controversies over Aadhaar, internet shutdowns, biometric and telecom surveillance, platform governance, and the design of India’s first comprehensive personal data protection statute.² The stakes have only grown with smartphones, mass data processing, and AI-driven analytics. Against this background, this article offers a doctrinal and policy-informed account of how Indian privacy law reached its current shape and the challenges that lie ahead.
The Evolution of Privacy in Indian Constitutional Law
The right to privacy in India has evolved significantly. Initially denied in M.P. Sharma v. Satish Chandra³ and Kharak Singh v. State of Uttar Pradesh,⁴ it gained cautious recognition in Gobind v. State of Madhya Pradesh⁵ and R. Rajagopal v. State of Tamil Nadu.⁶ The transformative moment came in Justice K.S. Puttaswamy (2017), where a nine-judge bench unanimously declared privacy a fundamental right rooted in dignity, autonomy, and liberty under Articles 14, 19, and 21.⁷ This judgment laid the foundation for proportionality-based limitations. Subsequent rulings like Navtej Singh Johar v. Union of India,⁸ Joseph Shine v. Union of India,⁹ and the Aadhaar verdict¹⁰ further expanded privacy’s ambit to sexuality, marriage, surveillance, and informational autonomy.
The Puttaswamy Framework: From Penumbra to Principle
The Justice K.S. Puttaswamy (2017) decision decisively overruled the scepticism of M.P. Sharma and Kharak Singh. It anchored privacy in dignity, autonomy, and constitutional morality, and introduced a four-part proportionality test for limitations:
(a) Legality – restriction must have a basis in law.
(b) Legitimate aim – pursuit of a proper state objective.
(c) Proportionality – necessity and least-restrictive means.
(d) Procedural safeguards – to prevent abuse.¹¹
The judgment integrated privacy within the liberty-equality framework of Articles 14, 19, and 21, and anticipated the need for a statutory data protection regime.
Applying Privacy After 2017: Aadhaar, Internet Restrictions, and Transparency
Aadhaar – The Court upheld Aadhaar for targeted subsidies but struck down Section 57 (private sector mandate) and read down linkage requirements for bank accounts and mobile numbers. It retained PAN–Aadhaar linkage.¹²
Internet shutdowns – In Anuradha Bhasin v. Union of India, indefinite shutdowns were held impermissible; restrictions must be lawful, necessary, and proportionate, with periodic review.¹³ The Kerala High Court in Faheema Shirin R.K. v. State of Kerala recognised internet access as integral to education.¹⁴
Transparency v. privacy – In Central Public Information Officer v. Subhash Chandra Agarwal, the Court brought the Chief Justice’s office under RTI while balancing transparency with privacy and judicial independence.¹⁵
Statutory Landscape: From the IT Act to the DPDP Act, 2023
India’s statutory framework for privacy and data protection has evolved gradually. The Information Technology Act, 2000, supplemented by the 2008 amendments and IT Rules, 2011, was the first attempt to regulate electronic data, mandating “reasonable security practices” for sensitive personal information.¹⁶ However, the Act largely focused on cybercrimes, offering limited safeguards against State surveillance (People’s Union for Civil Liberties v. Union of India)¹⁷ and compelled disclosures (District Registrar v. Canara Bank).¹⁸
The landmark Puttaswamy (2017) judgment recognized privacy as a fundamental right, necessitating comprehensive legislation. This culminated in the Digital Personal Data Protection Act, 2023, which establishes principles of consent, purpose limitation, and data fiduciary accountability while granting individuals rights to correction and erasure.¹⁹ Though progressive, concerns remain regarding wide governmental exemptions and enforcement mechanisms.²⁰ Together, this trajectory reflects India’s gradual shift from piecemeal protections under the IT Act to a rights-based statutory regime under the DPDP Act, aligned with constitutional privacy jurisprudence.
Contemporary and Emerging Challenges
- Surveillance and proportionality – Legacy interception laws lack prior judicial oversight. Applying Puttaswamy demands narrow tailoring, necessity, and independent authorisation. The Pegasus spyware controversy highlighted gaps.²
- Biometric identity & function creep – Aadhaar’s vast ecosystem risks profiling and database linkage beyond its original purpose.²²
- Platform governance – Intermediary Rules (2021, amended 2022–23) require traceability and prompt takedowns, raising privacy–speech conflicts.²³
- AI and privacy – Automated decision-making demands fairness, transparency, and contestability in addition to DPDP Act protections.²⁴
- Children’s and vulnerable persons’ privacy – The DPDP Act’s parental consent rules need careful implementation to avoid exclusion.²⁵
- Horizontality – Private actors’ data practices require regulation through consumer law, competition law, and tort remedies.²⁶
A Normative Roadmap
The recognition of privacy as a fundamental right in Puttaswamy (2017) demands not only judicial vigilance but also a coherent legislative and policy framework.²⁷ A principled roadmap begins with the rigorous application of proportionality in all privacy disputes, ensuring that State actions—whether in surveillance, data collection, or restrictions on communication—are tested for legality, necessity, and least-restrictive means.
Second, India’s surveillance architecture requires urgent reform. Reliance on colonial-era statutes like the Telegraph Act and broad powers under the IT Act should give way to a modern framework with independent judicial authorization, strict necessity standards, and periodic public transparency reports, similar to global best practices.²⁸
Third, the Digital Personal Data Protection Act, 2023 must be enforced robustly. Narrowing wide governmental exemptions, empowering an independent Data Protection Board, and introducing data protection impact assessments would ensure accountability.²⁹
Fourth, embedding privacy-by-design in emerging public digital infrastructures—such as Aadhaar-linked services and health data platforms—will safeguard rights at the architectural level, rather than as an afterthought.³⁰
Finally, the roadmap must recognize the social dimensions of privacy: protecting journalists, whistle-blowers, and ordinary internet users against arbitrary shutdowns, online harassment, and profiling.³¹ Only by combining constitutional doctrine with statutory reform can India secure privacy as both an individual and democratic guarantee.
Conclusion
The constitutional journey of the right to privacy in India reflects an evolution from judicial reluctance to emphatic recognition of privacy as a structural guarantee of liberty and dignity. Justice K.S. Puttaswamy (2017) firmly established privacy as a fundamental right under Articles 14, 19, and 21, while subsequent jurisprudence expanded its ambit to include sexuality, surveillance, internet freedom, and informational autonomy.³² The enactment of the Digital Personal Data Protection Act, 2023 marks a significant step toward aligning statutory frameworks with constitutional values, though challenges remain in ensuring robust enforcement and curbing excessive state exemptions.³³
In the contemporary digital state, privacy cannot be secured by constitutional doctrine alone. It requires vigilant courts, independent regulatory institutions, transparent governance, and privacy-conscious technological design. The task ahead is to strike a balance between security, innovation, and fundamental rights, ensuring that privacy functions not merely as an individual entitlement but also as a democratic guarantee. Only through such a multi-pronged approach can India translate the promise of Puttaswamy into enduring protection for its citizens in the age of data-driven governance.³⁴
Citations:
1.Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 S.C.C. 1 (India).
2.Id.
3.M.P. Sharma v. Satish Chandra, 1954 S.C.R. 1077 (India).
4.Kharak Singh v. State of Uttar Pradesh, A.I.R. 1963 S.C. 1295 (India).
5.Gobind v. State of M.P., (1975) 2 S.C.C. 148 (India).
6.R. Rajagopal v. State of T.N., (1994) 6 S.C.C. 632 (India).
7.Puttaswamy, (2017) 10 S.C.C. 1 (India).
8.Navtej Singh Johar v. Union of India, (2018) 10 S.C.C. 1 (India).
9.Joseph Shine v. Union of India, (2019) 3 S.C.C. 39 (India).
10.K.S. Puttaswamy v. Union of India (Aadhaar Case), (2019) 1 S.C.C. 1 (India).
11.Puttaswamy, (2017) 10 S.C.C. 1 (India).
12.Id. ¶¶ 447–53.
13.Anuradha Bhasin v. Union of India, (2020) 3 S.C.C. 637 (India).
14.Faheema Shirin R.K. v. State of Kerala, 2019 S.C.C. OnLine Ker. 1733 (India).
15.Cent. Pub. Info. Officer v. Subhash Chandra Agarwal, (2020) 5 S.C.C. 481 (India).
16.Information Technology Act, No. 21 of 2000, INDIA CODE.
17.People’s Union for Civil Liberties (PUCL) v. Union of India, (1997) 1 S.C.C. 301 (India).
18.Dist. Registrar & Collector v. Canara Bank, (2005) 1 S.C.C. 496 (India).
19.Digital Personal Data Protection Act, No. 22 of 2023, INDIA CODE.
20.Id.
21.Vidhi Centre for Legal Policy, Pegasus and Surveillance Reform in India, Policy Brief (2021).
22.Reetika Khera, Aadhaar and the Inadequacy of Privacy Safeguards in India, 12 Indian J. Const. L. 45 (2019).
23.Information Technology (Intermediary Guidelines & Digital Media Ethics Code) Rules, 2021, G.S.R. 139(E).
24.NITI Aayog, Responsible AI for All: 2021 Strategy Document (2021).
25.Digital Personal Data Protection Act, No. 22 of 2023, § 10, INDIA CODE.
26.Anupam Chander, Privacy and Platform Regulation in India, 41 COMP. L. REV. 213 (2022).
27.Puttaswamy, (2017) 10 S.C.C. 1 (India).
28.Justice B.N. Srikrishna Committee Report on Data Protection (2018).
29.Digital Personal Data Protection Act, No. 22 of 2023, INDIA CODE.
30.Id.
31.Id.
32.Puttaswamy, (2017) 10 S.C.C. 1; Navtej Johar, (2018) 10 S.C.C. 1 (India).
33.Digital Personal Data Protection Act, No. 22 of 2023, INDIA CODE.
34.Id.
