Right to Privacy Post-Puttaswamy: Evolving Jurisprudence in India

Published On: August 31st 2025

Authored By: Vibha Rana
Galgotias University

Abstract

This paper explores the transformation of the right to privacy in India following the landmark Supreme Court ruling in Justice K.S. Puttaswamy (Retd.) v. Union of India. The judgment recognized privacy as a fundamental right under Article 21 of the Constitution, marking a significant departure from prior jurisprudence. The study reviews key legal developments since the verdict, including constitutional scrutiny of the Aadhaar scheme and concerns around state surveillance, particularly in light of the Pegasus spyware controversy. It also critically examines legislative efforts such as the Digital Personal Data Protection Act, 2023, and assesses ongoing challenges posed by facial recognition technologies, artificial intelligence, and digital platforms. Furthermore, it addresses the role of privacy in protecting bodily autonomy and personal decision-making in areas like reproductive rights and LGBTQ+ identities. Drawing from global legal practices, the paper identifies institutional shortcomings and underscores the need for stronger oversight, public awareness, and a rights-based approach to technological governance. It concludes that privacy in the digital age must be actively protected through robust laws, ethical frameworks, and constitutional accountability.

Keywords: Privacy Rights, Article 21, Puttaswamy Case, Data Protection Law, Surveillance Regulation, DPDPA 2023, Artificial Intelligence, Facial Recognition, Reproductive Autonomy, LGBTQ+ Rights, Comparative Law, Digital Governance

Introduction

Although the Indian Constitution does not explicitly mention the term “privacy,” the jurisprudence surrounding Article 21 — which guarantees the right to life and personal liberty — has progressively interpreted it to encompass the right to privacy. This interpretation was definitively affirmed in the landmark judgment of Justice K.S. Puttaswamy (Retd.) v. Union of India (2017), wherein a nine-judge bench of the Supreme Court unanimously held that the right to privacy is a fundamental right, intrinsic to human dignity and liberty.[1]

The Puttaswamy decision overruled earlier precedents that denied constitutional protection to privacy, thereby reshaping the constitutional landscape of India. It laid a robust normative and legal foundation for addressing issues related to state surveillance, digital data protection, bodily autonomy, and informational privacy. However, despite the judgment’s transformative potential, the effective realization and enforcement of the right to privacy continue to face significant challenges—ranging from legislative inadequacies and institutional inertia to the complexities introduced by emerging technologies and data ecosystems.

The Puttaswamy Judgment: A Doctrinal Shift

The Justice K.S. Puttaswamy (Retd.) v. Union of India judgment marked a decisive doctrinal shift in Indian constitutional law.[2] In a unanimous decision, the nine-judge Constitution Bench of the Supreme Court unequivocally held that the right to privacy is a fundamental right, protected under Article 21 of the Constitution as an essential facet of the right to life and personal liberty. The Court also recognized its intersections with other fundamental freedoms enshrined in Part III of the Constitution. Crucially, the Court overruled earlier decisions such as M.P. Sharma v. Satish Chandra[3] and Kharak Singh v. State of Uttar Pradesh,[4] which had previously denied the existence of a constitutionally guaranteed right to privacy.

Key Doctrinal Takeaways:

  • The right to privacy is not a privilege of the elite but a core element of dignity and liberty.
  • It encompasses decisional autonomy, bodily integrity, and informational self-determination.
  • Any State action that restricts the right to privacy must pass the three-fold test of:
    • Legality: There must be a valid law that authorizes the restriction.
    • Necessity: The restriction must pursue a legitimate state aim.
    • Proportionality: The measure must be proportionate to the objective sought to be achieved.

This judgment not only constitutionalized the right to privacy but also embedded within it a robust normative framework to evaluate state action, particularly in the context of surveillance, data collection, and personal freedoms.

Post-Puttaswamy Developments

The Puttaswamy judgment provided a constitutional foundation for privacy, but its application has been tested in subsequent cases.

  1. Aadhaar and Privacy Limits
    In K.S. Puttaswamy (Aadhaar-5J.) v. Union of India (2018), the Supreme Court upheld the Aadhaar scheme for welfare purposes but struck down provisions allowing private access and indefinite data retention. While the majority found the scheme met the tests of legality, necessity, and proportionality, critics argue it compromised individual privacy in favour of state efficiency.[5]
  2. Pegasus Surveillance Case
    In Manohar Lal Sharma v. Union of India, concerning alleged Pegasus spyware use, the Court ordered an independent inquiry, stressing that “national security” cannot override constitutional rights without scrutiny. It reaffirmed the need for judicial oversight in surveillance, aligning with Puttaswamy principles of accountability and proportionality.[6]

Data Protection and Informational Privacy

The Puttaswamy ruling underscored the urgent need for a comprehensive legal framework to protect individuals’ informational privacy, especially in the digital age. Recognizing the growing risks associated with data collection and processing, the Court called for legislation that balances individual rights with legitimate state interests. In response, the legislative process has unfolded gradually, marked by several drafts and growing public debate.

The Personal Data Protection Bills: A Legislative Timeline

Following the Puttaswamy verdict, the Indian government constituted the B.N. Srikrishna Committee, which released a draft Personal Data Protection Bill in 2018.[7] This version emphasized user consent, data minimization, and independent oversight. However, it did not progress beyond the drafting stage.

In 2019, a revised bill was introduced in Parliament. While it retained some protective features, it significantly expanded government powers to exempt state agencies from compliance, drawing concern from civil society and privacy advocates.[8] This version was eventually withdrawn in 2022.

A new law, the Digital Personal Data Protection Act (DPDPA), 2023, was enacted to replace these earlier iterations. It represents India’s first comprehensive statute on digital data protection.[9]

Key Provisions of the DPDPA, 2023

  • Purpose-Specific Processing: Data fiduciaries must process personal data lawfully and only for clearly defined purposes.
  • User Rights: Individuals, referred to as data principals, are entitled to request access to their personal data and seek correction, updating, or deletion.
  • Government Powers: The Central Government may exempt certain public bodies from compliance requirements, citing reasons such as national security or public order.

Critical Concerns:

Despite being a milestone, the DPDPA has triggered several concerns:

  • Wide Government Discretion: The Act permits the executive to grant broad exemptions to its own agencies, raising fears of unchecked surveillance.[10]
  • Weak Oversight Mechanism: The Data Protection Board, created under the Act to enforce compliance, lacks sufficient autonomy from the government, potentially undermining its effectiveness.[11]
  • Vague Terminology: Phrases such as “public interest” and “national security” remain undefined, leaving room for arbitrary interpretation and misuse.[12]

While the DPDPA fulfils the legislative mandate set by Puttaswamy, critics argue that its current design falls short of providing robust safeguards for privacy, particularly in light of expanding digital state functions and surveillance technologies.

Privacy and Digital Technologies

The rise of digital infrastructure and emerging technologies has significantly intensified the challenges to personal privacy. From facial recognition systems to algorithmic profiling and opaque artificial intelligence (AI) systems, individual autonomy is increasingly subject to digital surveillance and data-driven governance. These developments demand urgent regulatory scrutiny within the constitutional framework established in Puttaswamy.

1. Facial Recognition and Artificial Intelligence

The government’s increasing reliance on Facial Recognition Technology (FRT), particularly in policing and public surveillance, has sparked constitutional concerns. In India, such systems have been deployed without any enabling legislation or statutory safeguards. The lack of a legal framework, transparency, or independent oversight violates the core principles of legality, necessity, and proportionality laid down in Puttaswamy.[13]

Moreover, AI-powered surveillance systems—particularly those relying on biometric identifiers—carry the risk of profiling, misidentification, and disproportionate targeting, especially of marginalized communities. Without clear limitations and judicial oversight, such technologies can infringe upon the fundamental right to privacy and erode democratic accountability.

2. Social Media and Platform Regulation

Private digital platforms such as WhatsApp, Facebook (now Meta), and others have come under legal and public scrutiny for their handling of personal data. In particular, changes to WhatsApp’s privacy policy have raised concerns about data sharing with parent company Meta and third parties.

The WhatsApp Privacy Policy case, currently pending before the Delhi High Court, will likely serve as a precedent for determining the scope of privacy protections in the context of private entities.[14] The case tests the application of Puttaswamy principles to horizontal privacy—that is, between private parties—and addresses whether users can meaningfully exercise control over their personal information in a digital ecosystem dominated by powerful intermediaries.

The evolving jurisprudence in this domain underscores the tension between technological advancement and constitutional protections, necessitating robust, transparent, and enforceable data governance models.

Bodily and Decisional Privacy

The Puttaswamy judgment established that the right to privacy extends beyond informational control and includes the protection of bodily integrity and decisional autonomy. This broader conception of privacy safeguards an individual’s freedom to make intimate personal choices without unwarranted interference from the state or society.

This doctrine has directly influenced critical legal developments in the areas of reproductive rights, sexual orientation, and gender identity, thereby reinforcing the link between privacy and dignity.

Judicial Recognition of Bodily Autonomy

  • In Navtej Singh Johar v. Union of India, the Supreme Court decriminalized consensual same-sex relations by reading down Section 377 of the Indian Penal Code. The Court held that sexual orientation is an essential attribute of privacy and personal dignity, and that criminalizing private consensual acts violated fundamental rights under Articles 14, 15, and 21.[15]
  • In Suchita Srivastava v. Chandigarh Administration, the Court recognized reproductive choice as a fundamental aspect of personal liberty and bodily autonomy. The judgment affirmed that a woman’s decision to carry or terminate a pregnancy falls squarely within the ambit of the right to privacy under Article 21.[16]

Legislative Developments

The Medical Termination of Pregnancy (Amendment) Act, 2021 expanded access to abortion by extending the permissible gestation period in certain cases and enhancing confidentiality protections. While the amendment is a progressive step toward recognizing reproductive autonomy, concerns remain regarding the privacy of medical records, especially in light of digitized health systems and data-sharing practices.

Robust safeguards are necessary to ensure that sensitive health information related to pregnancy, sexual health, or gender identity is not misused or disclosed without consent. The principles laid down in Puttaswamy must guide both legislative drafting and institutional implementation to protect bodily and decisional privacy in practice.

Comparative Jurisprudence

The recognition of privacy as a fundamental right in Puttaswamy aligns Indian constitutional jurisprudence with evolving global standards. While India’s approach reflects a growing commitment to privacy in the digital era, comparative analysis reveals both convergence and divergence in legal frameworks and institutional safeguards across jurisdictions.

International Approaches to Privacy

  • United States: The Fourth Amendment to the U.S. Constitution protects individuals from unreasonable searches and seizures by the state. While the U.S. does not recognize privacy as a single unified right, judicial interpretations—especially in cases like Katz v. United States—have expanded its scope to encompass expectations of privacy in communications and personal spaces.[17]
  • European Union: The General Data Protection Regulation (GDPR) represents one of the most comprehensive data protection frameworks globally. It upholds principles such as consent, data minimization, purpose limitation, and user rights, including the right to erasure and data portability. The GDPR is enforced by independent data protection authorities across EU member states, ensuring strong institutional oversight.[18]
  • South Africa: Section 14 of the Constitution of South Africa explicitly enshrines the right to privacy, including protection from the unlawful collection and misuse of personal information. South Africa also has dedicated data protection legislation—the Protection of Personal Information Act (POPIA)—enforced by an independent Information Regulator.[19]

The Indian Context: Gaps and Institutional Challenges

Despite the landmark Puttaswamy ruling, India’s privacy regime remains in a transitional phase. Unlike the EU or South Africa:

  • India lacks a constitutionally entrenched independent oversight authority dedicated to privacy and data protection.
  • The recently established Data Protection Board under the DPDPA, 2023, does not enjoy full autonomy from the executive.
  • There is no clear culture of data ethics or accountability, either within government agencies or among private entities handling sensitive information.

While Indian jurisprudence on privacy is evolving in line with international standards, the institutional infrastructure necessary to enforce and operationalize these rights remains underdeveloped. Bridging this gap requires robust regulatory frameworks, independent oversight, and sustained public discourse on privacy ethics and digital rights.

Challenges in Implementation

Despite the progressive expansion of privacy jurisprudence post-Puttaswamy, the enforcement of privacy rights remains limited due to several structural and systemic issues:

  • Inadequate legislative framework: Surveillance continues to be regulated by outdated statutes such as the Indian Telegraph Act, 1885 and the Information Technology Act, 2000, which lack comprehensive privacy safeguards and oversight mechanisms.[20]
  • Opacity in surveillance practices: State surveillance programs function with minimal transparency or independent scrutiny, undermining the constitutional mandate of accountability and proportionality.[21]
  • Limited public awareness: Widespread digital illiteracy impairs individuals’ ability to understand, assert, or enforce their privacy rights, particularly in rural and marginalized communities.[22]
  • Judicial delays: Enforcement through public interest litigation or individual remedies is hindered by judicial backlog and procedural delays, making effective redressal costly and inaccessible for many.[23]

The Way Forward

To effectively implement the constitutional principles laid down in Puttaswamy, India must undertake the following institutional and legal reforms:

  1. Enact a comprehensive surveillance law that mandates prior judicial authorization and provides for independent oversight to ensure accountability and proportionality in state surveillance.[24]
  2. Strengthen the Digital Personal Data Protection Act (DPDPA) by guaranteeing the structural and functional independence of the Data Protection Board of India to ensure impartial enforcement.[25]
  3. Enhance transparency in state-led data initiatives such as Aarogya Setu and DigiLocker by mandating public disclosure of data collection, retention, and sharing practices.[26]
  4. Promote digital literacy and expand access to legal aid mechanisms to empower individuals, particularly in vulnerable communities, to assert their privacy rights and seek redress.[27]
  5. Develop and enforce ethical standards for the use of artificial intelligence and algorithmic decision-making in public governance to prevent bias, discrimination, and opacity.[28]

Conclusion

The Puttaswamy judgment firmly established privacy as a foundational constitutional right, integral to dignity, liberty, and autonomy. Yet, translating this principle into practice remains a complex task, hindered by legislative delays, unchecked state surveillance, and the disruptive pace of technological advancement. To prevent the right to privacy from becoming merely symbolic, it is essential to ensure continuous judicial oversight, strong legislative frameworks, and informed public participation. The future of privacy jurisprudence in India must be shaped by a rights-based approach—one that safeguards individual freedoms while embracing innovation in a constitutionally compliant manner.

References

[1] Justice K.S. Puttaswamy (Retd.) v Union of India (2017) 10 SCC 1.

[2] Justice K.S. Puttaswamy (Retd.) v Union of India (2017) 10 SCC 1.

[3] M.P. Sharma v Satish Chandra AIR 1954 SC 300.

[4] Kharak Singh v State of Uttar Pradesh AIR 1963 SC 1295.

[5] K.S. Puttaswamy (Aadhaar-5J.) v Union of India (2018) 1 SCC 809.

[6] Manohar Lal Sharma v Union of India (2021) SCC OnLine SC 985.

[7] Committee of Experts under the Chairmanship of Justice B.N. Srikrishna, A Free and Fair Digital

[8] Economy: Protecting Privacy, Empowering Indians (MeitY, 2018).

[9] Digital Personal Data Protection Act 2023, Act No. 22 of 2023 (India).

[10] Apar Gupta, ‘India’s Data Protection Bill Gives the Government Sweeping Powers’ (The Wire, 12 December 2019) https://thewire.in/law/data-protection-bill-analysis accessed 22 July 2025.

[11] Prasanna S, ‘The Data Protection Board: An Oversight Body Without Independence’ (Internet Freedom Foundation, 18 August 2023) https://internetfreedom.in/dpb-autonomy-critique accessed 22 July 2025.

[12] Udbhav Tiwari, ‘Digital Personal Data Protection Act: Unpacking the Loopholes’ (The Hindu, 18 August 2023) https://www.thehindu.com/opinion/dpdp-loopholes accessed 22 July 2025.

[13] Internet Freedom Foundation, ‘Project Panoptic: India’s Use of Facial Recognition Technology’ (2023) https://panoptic.in accessed 22 July 2025.

[14] Karmanya Singh Sareen v Union of India W.P. (C) No. 7663 of 2016 (Delhi High Court).

[15] Navtej Singh Johar v Union of India (2018) 10 SCC 1.

[16] Suchita Srivastava v Chandigarh Administration (2009) 9 SCC 1.

[17] Katz v United States 389 US 347 (1967).

[18] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation) [2016] OJ L119/1.

[19] Constitution of the Republic of South Africa, 1996, s 14; Protection of Personal Information Act 4 of 2013 (South Africa).

[20] Indian Telegraph Act 1885; Information Technology Act 2000.

[21] Puttaswamy v Union of India (2017) 10 SCC 1, para 180–182.

[22] Chinmayi Arun, ‘Privacy in the Age of Big Data: India’s Informational Privacy Imperative’ (2019) 14(2) Law and Policy Review 34.

[23] Gautam Bhatia, The Transformative Constitution (HarperCollins 2019) 243–245.

[24] Justice B N Srikrishna Committee Report, ‘A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians’ (2018).

[25] Digital Personal Data Protection Act 2023, s 19–25.

[26] Internet Freedom Foundation, ‘Aarogya Setu: A Missed Opportunity for Privacy by Design’ (2020) https://internetfreedom.in/aarogya-setu-analysis/ accessed 20 July 2025.

[27] Prashant Iyengar, ‘Digital Literacy and Data Justice in India’ (2022) 17(1) Indian Journal of Law and Technology 72.

[28] Vidushi Marda, ‘Artificial Intelligence Policy in India: A Framework for Ethical Regulation’ (2021) 13(3) Journal of Technology Regulation 54.
