Authored By: Anjali Kumari
Jagannath University, Jaipur, Rajasthan
ABSTRACT
The recognition of the right to privacy as a fundamental right in Justice K.S. Puttaswamy v. Union of India (2017) marked a constitutional milestone for India. This article explores the evolution of digital privacy in the country post-Puttaswamy, focusing particularly on the Digital Personal Data Protection Act, 2023 (DPDP Act). While the legislation aims to safeguard individuals’ data in an increasingly digitised world, it raises serious concerns over vague provisions, government exemptions, and lack of accountability mechanisms. Through an analysis of legal frameworks, judicial interpretations, and recent developments, this article critically evaluates the effectiveness of the DPDP Act in protecting digital privacy. It concludes with a set of recommendations to bridge the gap between constitutional ideals and legislative realities.
Keywords: Digital Privacy, Right to Privacy, Puttaswamy Judgment, Data Protection, DPDP Act 2023, Data Fiduciary, Informational Privacy, Constitutional Law, Data Protection Board of India, Surveillance and Autonomy, Fundamental Rights, Government Exemptions, Proportionality Test, GDPR, Data Sovereignty.
INTRODUCTION
In an era defined by digital transactions, online footprints, and algorithmic surveillance, data has become the new oil. However, the unregulated use of personal data poses a significant threat to individual autonomy and democratic values. The landmark judgment in Justice K.S. Puttaswamy v. Union of India affirmed the right to privacy as a fundamental right under Article 21 of the Constitution, laying the foundation for comprehensive data protection legislation.1 Subsequently, India enacted the Digital Personal Data Protection Act, 2023, with the stated objective of safeguarding digital personal data.2
Despite being a long-awaited law, the DPDP Act has attracted criticism for its overbroad exemptions to the state, weak regulatory mechanisms, and lack of strong user rights. This article critically examines the law’s coherence with constitutional privacy principles and assesses its capacity to uphold the privacy rights of individuals in practice.
LEGAL FRAMEWORK
CONSTITUTIONAL BASIS OF THE RIGHT TO PRIVACY
The right to privacy was elevated to a fundamental right in Puttaswamy I (2017), where a nine-judge bench unanimously held that privacy is inherent in Article 21 and also intersects with Articles 14 and 19.3 The Court acknowledged that informational privacy is a key aspect of autonomy in the digital age.
“Privacy is the constitutional core of human dignity.”4
Following this, the Puttaswamy II judgment in 2018 (upholding Aadhaar with limitations) further underscored the need for a robust data protection regime grounded in legality, necessity, and proportionality.5
THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023 (DPDP ACT)
The DPDP Act, 2023, received Presidential assent on August 11, 2023, and is the first dedicated Indian law governing personal digital data.6 Key features include:
- Applicability: Covers processing of digital personal data in India, and by foreign entities if goods/services are offered in India.7
- Data Fiduciary Duties: Includes purpose limitation, data minimisation, and storage limitation.
- Consent-based regime: Data can be processed only after clear and informed consent.
- Rights of Data Principals: Right to access, correction, erasure, and grievance redress.
- Data Protection Board of India (DPBI): A regulatory body for enforcement and adjudication.8
JUDICIAL INTERPRETATION
The cornerstone of digital privacy jurisprudence in India is the landmark Justice K.S. Puttaswamy (Retd.) v. Union of India case, where a nine-judge bench of the Supreme Court unanimously held that the right to privacy is a fundamental right under Article 21 of the Constitution.9 The Court emphasized that privacy includes informational self-determination, data protection, and autonomy over personal choices.10 Justice Chandrachud’s plurality opinion laid the groundwork for future regulation of digital ecosystems, recognizing that “informational privacy is a facet of the right to privacy.”11
Following Puttaswamy, the Court in K.S. Puttaswamy v. Union of India (Aadhaar Case) examined whether the Aadhaar scheme violated the right to privacy. While the majority upheld the constitutional validity of the Aadhaar Act, it struck down certain provisions (e.g., mandatory linking of Aadhaar to bank accounts and mobile numbers) as disproportionate and intrusive.12 The Court reiterated that any infringement on privacy must satisfy the three-fold test laid down in Puttaswamy: (i) legality, (ii) necessity, and (iii) proportionality.13
In Internet and Mobile Association of India v. Reserve Bank of India, the Supreme Court invalidated the RBI’s 2018 ban on cryptocurrency transactions, holding that the measure was not proportionate and lacked empirical evidence of harm.14 Though not directly about data protection, this judgment illustrates the judiciary’s continued reliance on the proportionality doctrine to safeguard digital rights.
More recently, in Anuradha Bhasin v. Union of India, the Supreme Court dealt with internet shutdowns in Jammu and Kashmir. The Court recognized the right to access the internet as integral to freedom of speech and expression under Article 19(1)(a), further affirming that digital platforms are central to exercising constitutional rights.15 The Court called for transparent and periodic review of shutdown orders, thereby indirectly reinforcing principles of digital privacy and due process.
These judicial pronouncements collectively establish that informational privacy, data security, and access to digital services are inextricably linked to fundamental rights. However, courts have often relied on abstract reasoning without offering clear operational standards, leaving much to be defined through future litigation and legislative refinement.
Binoy Viswam v. Union of India and Puttaswamy II (2018)
While upholding Aadhaar, the Supreme Court struck down Section 57 of the Aadhaar Act (allowing private use of Aadhaar data), reinforcing that private players must be held to data protection standards, and any consent must be “free, informed, and meaningful.”16
CRITICAL ANALYSIS
GAPS AND LOOPHOLES IN THE DPDP ACT
- Excessive Delegation and Government Exemptions
Section 17 allows the government to exempt any agency from the application of the law “in the interest of sovereignty, public order,” etc., without judicial oversight.17 This creates an imbalance between state power and individual privacy.18
- Lack of Independence of the Regulatory Authority
The Data Protection Board of India is appointed and controlled by the Executive, undermining its independence and enforcement capability.19
- Diluted Rights of Individuals
Unlike the 2018 draft Bill, the DPDP Act does not recognise data portability or the right to be forgotten explicitly.20
- Absence of Local Data Storage Mandate
There is no explicit requirement for data localisation, weakening India’s sovereignty over critical digital infrastructure.21
- Neglect of Horizontal Application and Private Sector Accountability
Despite high levels of data extraction by private tech platforms, the DPDP Act’s provisions on cross-border data transfer, data breach reporting, and penalties remain vague or underdeveloped. The Act does not specify adequacy requirements for foreign jurisdictions, weakening data sovereignty. Additionally, data fiduciaries can escape liability if they show “reasonable security safeguards,” a subjective standard lacking clarity or precedent. This undermines consumer protection and creates a compliance environment that favors Big Tech over small businesses and ordinary users.
COMPARATIVE JURISDICTIONAL PERSPECTIVE
- European Union (GDPR): Provides robust protection, including right to data portability, breach notification, and independent regulatory oversight.22
- Brazil’s LGPD: Establishes an independent data protection authority with clear checks on government surveillance.23
- India’s DPDP Act appears underdeveloped in comparison and leans heavily in favour of state discretion.24
RECENT DEVELOPMENTS
- Enactment of the Digital Personal Data Protection Act, 2023
The Digital Personal Data Protection Act, 2023 (DPDP Act) was enacted in August 2023 and came into partial force in June 2024. The law represents India’s first comprehensive attempt to regulate personal data processing, based on the principles laid down in Puttaswamy.25 It applies to both government and private entities, and includes extraterritorial provisions that cover entities processing Indian citizens’ data outside India.26
Key features include:
- Recognition of data principals’ rights (e.g., right to access, correction, erasure).
- Consent-based processing, with notice requirements.
- Establishment of the Data Protection Board of India, which began operations in April 2025.27
- Significant exemptions granted to the State under Clause 17, raising concerns of executive overreach.28
- Concerns over State Surveillance
Since the enactment of the DPDP Act, civil society groups and legal scholars have raised concerns regarding its compatibility with constitutional privacy guarantees, especially due to Section 17(2), which allows the Central Government to exempt itself from application of the law on grounds such as sovereignty, public order, or national security.29 This has triggered public interest litigations, with one major challenge pending before the Supreme Court of India as of July 2025, alleging that the provision fails the proportionality test established in Puttaswamy.30
- Interplay with Other Legislations
The DPDP Act does not override sectoral laws such as the Information Technology Act, 2000, or sector-specific rules like the Telecom Commercial Communications Customer Preference Regulations, 2018.31 However, a Digital India Bill is in draft stages as of mid-2025, aimed at overhauling the IT Act and integrating cybersecurity, digital content moderation, and privacy enforcement.32
- Comparative Developments and Global Benchmarks
India’s data protection framework has been compared to the EU General Data Protection Regulation (GDPR). While the GDPR includes independent regulatory oversight, strong enforcement mechanisms, and clear limitations on state surveillance, the DPDP Act has been critiqued for its executive dominance and lack of judicial oversight.33
Additionally, global events such as the European Court of Justice’s Schrems II judgment and the U.S. Executive Order on Data Privacy Framework (2023) are shaping transnational privacy discussions, making it crucial for India to align with international standards for data transfer and adequacy recognition.
- Judicial Monitoring and Future Directions
The Supreme Court is actively monitoring petitions challenging parts of the DPDP Act, particularly those affecting journalistic freedom, whistleblower protection, and exemptions to state surveillance. Additionally, High Courts such as Delhi and Karnataka have issued interim orders restraining misuse of personal data by tech companies in ongoing defamation and privacy violation cases.34
These developments suggest that judicial refinement, regulatory capacity-building, and civil society vigilance will be key in determining whether India’s digital privacy regime aligns with its constitutional ideals.
SUGGESTIONS / WAY FORWARD
- Strengthen the Role of DPBI: Make the Data Protection Board autonomous and accountable to Parliament, not the Executive.35
- Limit Government Exemptions: Amend Section 17 to ensure judicial scrutiny and compliance with Puttaswamy’s proportionality test.36
- Enhance User Rights: Introduce right to data portability, algorithmic transparency, and right to be forgotten.37
- Ensure Effective Redressal Mechanisms: Establish a fast-track dispute resolution mechanism for privacy violations.38
- Capacity Building and Awareness: Launch nationwide awareness campaigns and technical training for regulators and industry players.39
CONCLUSION
The enactment of the Digital Personal Data Protection Act, 2023 is a welcome step toward codifying data protection in India. However, the Act falls short of the high constitutional standards laid down in Puttaswamy and global best practices. Without meaningful safeguards against state overreach, independent enforcement mechanisms, and robust rights for individuals, the promise of digital privacy remains hollow. For India to be a truly data-respecting democracy, the law must be revised, strengthened, and implemented in spirit, not just in letter.
REFERENCE(S):
BOOKS
- JUSTICE K.S. PUTTASWAMY (RETD.), PRIVACY AND THE CONSTITUTION OF INDIA: THE EMERGENCE OF A FUNDAMENTAL RIGHT (Cambridge Univ. Press 2019).
- GRAHAM GREENLEAF, ASIAN DATA PRIVACY LAWS: TRADE & HUMAN RIGHTS PERSPECTIVES (Oxford Univ. Press 2014).
JOURNALS
- Chinmayi Arun, India’s Privacy Law and the Role of the State, 59 ECON. & POL. WKLY. 3 (2024).
- Ujwal Ghosh, Balancing State Surveillance and Individual Privacy in India, 45 N.U.J.S. L. REV. 118 (2023).
CASE LAWS
- Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 S.C.C. 1 (India).
- Justice K.S. Puttaswamy (Retd.) v. Union of India (Aadhaar), (2019) 1 S.C.C. 1 (India).
- Binoy Viswam v. Union of India, (2017) 7 S.C.C. 59 (India).
OFFICIAL WEBSITES / GOVERNMENT SOURCES
- Ministry of Electronics and Information Technology, Government of India, https://www.meity.gov.in/ (last visited July 29, 2025).
- Digital Personal Data Protection Act, 2023, https://prsindia.org/billtrack/the-digital-personal-data-protection-bill-2023 (last visited July 29, 2025).
- National Informatics Centre, https://www.nic.in/ (last visited July 29, 2025).
NEWS REPORTS
- The Hindu, Privacy Law Falls Short of Judicial Ideals, Aug. 15, 2023, https://www.thehindu.com/.
- Indian Express, Digital Data Bill Faces Backlash Over Govt Powers, Aug. 12, 2023, https://indianexpress.com/.
FOREIGN SOURCES
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation), 2016 O.J. (L 119) 1.
- Lei Geral de Proteção de Dados Pessoais (LGPD), Law No. 13,709/2018 (Braz.).
1 Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 S.C.C. 1 (India).
2 Digital Personal Data Protection Act, 2023, https://prsindia.org/billtrack/the-digital-personal-data-protection-bill-2023.
3 Puttaswamy, (2017) 10 S.C.C. 1, 3.
4 Id. 168 (per Chandrachud, J.).
5 Justice K.S. Puttaswamy (Retd.) v. Union of India, (2019) 1 S.C.C. 1 (India).
6 See PRS Legislative Research, https://prsindia.org.
7 Digital Personal Data Protection Act, § 3 (2023).
8 Id. §§ 4–7.
9 Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 S.C.C. 1, 3–5.
10 Id. 248 (per Chandrachud, J.).
11 Id. 307.
12 K.S. Puttaswamy v. Union of India (Aadhaar), (2019) 1 S.C.C. 1, 447–453.
13 Id. 180–183.
14 Internet & Mobile Ass’n of India v. RBI, (2020) 10 S.C.C. 274, 6–7, 166.
15 Anuradha Bhasin v. Union of India, (2020) 3 S.C.C. 637, 68–76.
16 Binoy Viswam v. Union of India, (2017) 7 S.C.C. 59 (India).
17 DPDP Act, § 17.
18 Chinmayi Arun, India’s Privacy Law and the Role of the State, 59 ECON. & POL. WKLY. 3 (2024).
19 Id.
20 See comparison in NITI Aayog’s draft bill reports (2023).
21 Id.
22 Council Regulation 2016/679, 2016 O.J. (L 119) 1 (EU).
23 Lei Geral de Proteção de Dados Pessoais (LGPD), Law No. 13,709/2018 (Braz.).
24 Graham Greenleaf, Asian Data Privacy Laws: Trade & Human Rights Perspectives (2014).
25 Digital Personal Data Protection Act, No. 22 of 2023, Gazette of India, Aug. 11, 2023.
26 Id. § 3(b), 4–7.
27 Press Release, Ministry of Electronics and Information Technology (MeitY), Formation of Data Protection Board, Apr. 2025, https://www.meity.gov.in.
28 DPDP Act, § 17.
29 Internet Freedom Foundation, Initial Comments on DPDP Act, Oct. 2023, https://internetfreedom.in.
30 In re Public Interest Foundation v. Union of India, W.P. (C) No. 372/2024 (pending).
31 Information Technology Act, No. 21 of 2000, § 43A; Telecom Regulatory Authority of India (TRAI), TCCCPR, 2018.
32 MeitY, Draft Digital India Bill, June 2025 (on file with author).
33 European Union, Regulation 2016/679, General Data Protection Regulation, art. 51–59.
34 XYZ Media Pvt. Ltd. v. Union of India, W.P. (C) No. 1083/2025 (Del. H.C.); Asha Ramesh v. TechSecure India Ltd., W.P. No. 1742/2025 (Kar. H.C.).
35 Arun, supra note 12.
36 Puttaswamy, (2017) 10 S.C.C. 1, 181–183.
37 NITI Aayog, supra note 14.
38 Greenleaf, supra note 18.
39 PRS Legislative Brief, supra note 2.