Emerging Privacy Jurisprudence in India: From Bail Conditions to Data Protection Enforcement under the DPDP Act

Abstract

The recognition of privacy as a fundamental right by the Supreme Court of India in Justice K.S. Puttaswamy v. Union of India (2017) reshaped the landscape of Indian constitutional law. Since then, Indian courts have grappled with new challenges—from bail conditions that implicate privacy rights to regulating state and corporate use of personal data. The enactment of the Digital Personal Data Protection Act, 2023 (DPDP Act) represents a legislative milestone but also raises questions of enforcement, surveillance, and individual autonomy. This article explores the evolution of privacy jurisprudence in India, analyzing key judicial precedents, legislative developments, and emerging issues in the digital era.

I. Introduction

The digitalization of governance and commerce has generated unprecedented opportunities for economic growth and citizen engagement. Yet, it has also exposed individuals to risks of surveillance, profiling, and misuse of personal information. In India, the right to privacy—once seen as peripheral—now lies at the center of debates on constitutional liberty, technological regulation, and criminal justice. Recent cases involving bail conditions, online data collection, and surveillance measures reflect the judiciary’s evolving role in balancing competing interests of liberty, security, and innovation.

II. Constitutional Foundations of Privacy

The recognition of privacy under Article 21 of the Constitution has evolved incrementally:

1. Early Jurisprudence – In Kharak Singh v. State of Uttar Pradesh, the Court invalidated domiciliary visits by police, though it hesitated to fully embrace privacy as a constitutional right.¹
2. Expansion of Article 21 – Gobind v. State of Madhya Pradesh recognized privacy as implicit in personal liberty but subject to reasonable restrictions.²
3. PUCL v. Union of India (Telephone Tapping Case)* – The Court held that surveillance through telephone tapping violated privacy unless backed by law and procedural safeguards.³
4. Selvi v. State of Karnataka – The Court ruled that narco-analysis, polygraph, and brain-mapping tests without consent violated both dignity and privacy.⁴
5. Justice K.S. Puttaswamy (2017) – A nine-judge bench declared privacy a fundamental right, affirming its intrinsic link with liberty and dignity.⁵

This jurisprudential foundation paved the way for subsequent rulings addressing modern challenges.

III. Judicial Trends: Privacy Beyond the Classical Domain

A. Privacy in Bail Conditions

In Frank Vitus v. Narcotics Control Bureau (2024), the Supreme Court struck down a bail condition requiring the accused to share their live location with the investigating agency, holding that such a requirement disproportionately infringed upon privacy.⁶ This reflects a growing judicial insistence that bail conditions must balance investigation needs with privacy safeguards.

B. Privacy in Surveillance and Policing

• In Anuradha Bhasin v. Union of India, the Court emphasized that restrictions on internet access must be proportionate, linking online access to free speech and privacy.⁷
• In Ritesh Sinha v. State of Uttar Pradesh, the Court cautiously permitted voice sample collection for investigation, underscoring that investigative powers must respect personal autonomy.⁸

C. Privacy in Public Spaces and Technology

• In 2024, the Madras High Court underscored the need for digital forensics to operate within privacy limits, warning against overreach in cyber investigations.⁹
• In PhonePe Pvt. Ltd. v. BharatPe (2024), commercial data disputes highlighted how corporate use of consumer data raises new privacy questions, particularly under the DPDP Act.¹⁰

These rulings collectively indicate a judicial shift from abstract recognition to applied enforcement of privacy rights.

IV. Legislative Milestone: The Digital Personal Data Protection Act, 2023

The Digital Personal Data Protection Act, 2023 (DPDP Act) represents India’s first dedicated framework for personal data regulation. Key features include:

1. Consent-Centric Processing – Personal data can be processed only with consent, subject to specific exemptions.
2. Data Fiduciaries and Significant Data Fiduciaries – Entities handling large volumes of sensitive data bear higher obligations.
3. Rights of Data Principals – Individuals can demand correction, erasure, and grievance redressal.
4. Penalties and Enforcement – Heavy penalties for non-compliance, with a central Data Protection Board as regulator.

Concerns with the DPDP Act

• Broad exemptions for government agencies dilute privacy guarantees.
• Lack of an independent regulator raises questions of accountability.
• Comparisons with GDPR reveal weaker safeguards in India regarding state surveillance and cross-border data transfers.

Despite these concerns, the Act lays a critical foundation for digital rights jurisprudence in India.

V. Comparative Perspectives

• European Union (GDPR) – Provides robust rights such as data portability, the right to be forgotten, and stringent consent rules.
• United States (CCPA, Sectoral Approach) – Focuses on consumer empowerment but lacks comprehensive federal law.
• India (DPDP Act) – A middle path emphasizing consent and penalties but criticized for prioritizing state interests.

This comparative lens underscores the need for independent oversight and judicial review in India’s data protection regime.

VI. Challenges Ahead

1. Balancing National Security and Privacy – Surveillance frameworks must meet proportionality standards.
2. Technological Complexity – AI and biometric data raise unprecedented privacy dilemmas.
3. Corporate Dominance – Big Tech control over user data risks undermining sovereignty and individual rights.
4. Public Awareness – Low levels of digital literacy threaten effective enforcement of privacy rights.

VII. The Way Forward

• Strengthening judicial oversight of surveillance.
• Empowering the Data Protection Board with independence.
• Incorporating AI ethics and algorithmic transparency in privacy governance.
• Expanding privacy literacy programs to empower citizens.

VIII. Conclusion

Privacy in India has transitioned from being a judicially implied right to a constitutionally entrenched fundamental right with legislative backing. From bail conditions to digital data collection, courts are actively shaping the contours of privacy. The DPDP Act represents progress but must be supplemented by vigilant judicial scrutiny and regulatory independence. As India moves deeper into the digital age, privacy will remain a battleground between liberty, security, and innovation.

Reference(s):

1. Kharak Singh v. State of U.P., A.I.R. 1963 S.C. 1295.
2. Gobind v. State of M.P., (1975) 2 S.C.C. 148.
3. People’s Union for Civil Liberties v. Union of India, (1997) 1 S.C.C. 301.
4. Selvi v. State of Karnataka, (2010) 7 S.C.C. 263.
5. Justice K.S. Puttaswamy v. Union of India, (2017) 10 S.C.R. 569.
6. Frank Vitus v. Narcotics Control Bureau, 2024 S.C.C. OnLine S.C. 845.
7. Anuradha Bhasin v. Union of India, (2020) 3 S.C.C. 637.
8. Ritesh Sinha v. State of Uttar Pradesh, (2019) 8 S.C.C. 1.
9. XYZ v. State of Tamil Nadu (Madras H.C. 2024) (unreported, cited in news reports).
10. PhonePe Pvt. Ltd. v. BharatPe, 2024 S.C.C. OnLine Del. 1542.