Published on: 9th September 2025
Authored by: Shamika Pramanik
Indian Institute of Management, Rohtak
Abstract
This article examines the evolution of privacy as a fundamental right, tracing its development from early philosophical conceptions to its current status in constitutional and international law. Through analysis of landmark jurisprudence across jurisdictions, the paper explores how privacy rights have been articulated, expanded, and contested over time. The article argues that while privacy has gained recognition as a fundamental right across diverse legal systems, its protection faces unprecedented challenges in the digital age that require innovative legal responses. Particular focus is given to the Information Technology Act 2000, the Indian Penal Code, and the Digital Personal Data Protection Act, 2023. The analysis reveals how legislative frameworks often create asymmetrical protections that favor state power over individual rights, highlighting the urgent need for balanced regulatory approaches that safeguard privacy while accommodating legitimate governmental interests in an increasingly data-driven society.
Introduction
Privacy laws govern the regulation, collection, storage, and use of personally identifiable information (PII) by individuals, organizations, and governments. The objective of privacy laws is to grant individuals the right to control their personal information, including awareness of what data is being collected, how it is used, and who has access to it. These laws also provide rights to access, correct, or delete such data when necessary. Privacy legislation serves to regulate data practices and protect against cybercrimes such as identity theft, fraud, unauthorized surveillance, and data breaches. Furthermore, it establishes a framework that promotes trust in digital platforms, ensuring smooth functionality for online services, commerce, and communication while encouraging innovation and compliance.
The right to privacy is fundamental as it protects human dignity, personal security, and individual autonomy. Breaches of individual privacy often lead to reputational damage, embarrassment, emotional distress, and financial harm.
Historical Evolution
The philosophical origins of the right to privacy can be traced to Ancient Greece, where society was divided into two spheres: the polis, referring to the public sphere of the city-state, and the oikos, which encompassed private household affairs. This distinction laid the groundwork for understanding the boundaries between public and private life.
The US Constitution, which came into effect in 1789, did not explicitly grant the right to privacy but contained provisions that implied similar protections. This historical context illuminates the gradual recognition of privacy as an essential human right.
This analysis leads to the central thesis: the right to privacy has evolved from a limited common law concept into a widely recognized fundamental right, but its effective protection faces unprecedented challenges in the digital era that demand adaptive legal frameworks and a renewed commitment to privacy protection.
Current Legislative Framework in India
Information Technology Act, 2000
Section 72 of the Information Technology Act 2000 represents one of India’s earliest legislative efforts to address data privacy concerns. The provision states that any person who secures access to any electronic record, book, register, correspondence, information, document, or other material without the consent of the person concerned and discloses such information shall be punished with imprisonment for a term which may extend to two years, or with a fine which may extend to one lakh rupees, or both. This Act marked the beginning of legal recognition for the protection of personal information in India’s digital landscape.
Aadhaar Act, 2016
The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, contains several crucial privacy provisions:
Section 29 addresses restrictions on sharing and use of identity information. It mandates that core biometric information (such as fingerprints or iris scans) collected under this Act shall not be shared with anyone for any reason and shall only be used for generating Aadhaar numbers and authentication purposes. The section further requires that identity information must only be used for purposes clearly specified to individuals at the time of authentication and cannot be disclosed without prior consent.
Section 30 relates to sensitive electronic data, classifying biometric information collected and stored electronically under this Act as “electronic record” and “sensitive personal data or information” that must not be misused.
Gaps in Current Legal Framework
Despite these legislative provisions, multiple significant gaps continue to exist in India’s privacy protection framework:
- Lack of comprehensive data protection authority
- Excessive government exemptions
- Inadequate informed consent mechanisms
- Weak enforcement mechanisms
- Poor cybersecurity infrastructure
- Absence of meaningful user empowerment
Case Study: Facebook Inc v. Union of India
The case of Facebook Inc v. Union of India (2019) highlights significant gaps in India’s data protection and digital regulation framework, particularly concerning intermediaries such as social media platforms and messaging applications. The Supreme Court, while addressing petitions demanding mechanisms to trace originators of harmful online content, revealed several critical issues:
- Lack of clear legal standards: There was no comprehensive legal regime balancing the need for traceability of harmful content with users’ right to privacy
- Technical-legal conflicts: The Court noted the tension between end-to-end encryption and demands to identify message originators, demonstrating the absence of structured legal solutions
- Jurisdictional challenges: Many intermediaries are foreign-based and lack local grievance officers, raising serious questions about jurisdiction and enforcement of Indian laws
The Digital Personal Data Protection Act, 2023
Until 2023, India lacked a standalone comprehensive framework to govern data protection. The Digital Personal Data Protection Act (DPDP), which received presidential assent on August 11, 2023, represents a significant milestone in Indian privacy legislation.
Key Provisions and Principles
The DPDP Act establishes several fundamental principles:
- Lawful, fair, and transparent processing of personal data by organizations
- Purpose limitation: Personal data usage must be limited to the purpose for which it was collected
- Data minimization: Only personal data necessary for achieving specific purposes should be collected
- Accuracy: Reasonable efforts must be made to ensure personal data remains accurate and up-to-date
- Storage limitation: Data should be retained only for the duration necessary for the stated purpose
- Security safeguards: Reasonable measures must be implemented to prevent unauthorized collection or processing
Implementation Status
At the time of writing, the DPDP Act has been enacted but is not yet fully operational. The Act stipulates that different provisions will come into effect on dates appointed by the Central Government through official notifications, allowing for a phased implementation approach.
Critical Analysis of the DPDP Act
Despite its comprehensive appearance, the DPDP Act contains several problematic provisions that create concerning asymmetries in privacy protection:
Asymmetrical Treatment of State and Private Entities
The Act creates a troubling imbalance between obligations imposed on private entities versus government agencies. While establishing a privacy framework for private actors, the legislation simultaneously carves out significant exceptions favoring government powers.
Section 7(b) contains a particularly problematic provision allowing governmental bodies to bypass consent requirements when citizens have previously consented to any state benefit. This administrative convenience facilitates potential cross-database integration by government agencies, effectively undermining purpose limitation principles that would otherwise require data deletion once the original purpose is fulfilled.
Dual-Layer Exemption Structure
The Act’s exemption framework merits critical scrutiny:
Section 17(1)(c) provides reasonable exemptions from notice and consent requirements for legitimate law enforcement purposes, including “prevention, detection, investigation or prosecution” of legal violations.
However, Section 17(2)(a) extends this significantly by creating an additional pathway for complete exemption from the entire regulatory framework. This provision permits the government to designate agencies that operate entirely outside privacy constraints when broadly defined national interests like “sovereignty,” “security,” or “public order” are invoked.
The redundancy between these provisions suggests the legislative intent was to create zones of complete regulatory immunity rather than balanced exemptions.
Children’s Data Protection Concerns
While Sections 9(1-3) establish important safeguards including parental consent requirements and profiling prohibitions, Section 9(4) creates an open-ended exemption mechanism. This provision allows governmental authorities to exempt “any data fiduciary or class of data fiduciaries” from children’s protection requirements subject to unspecified conditions. The absence of clear criteria governing these exemptions creates significant potential for inconsistent application.
Surveillance Concerns
Section 44(3) establishes governmental data access mechanisms with insufficient safeguards. While purportedly structured within legal parameters, the provision’s broad language raises legitimate concerns about potential surveillance expansion and executive overreach that could fundamentally compromise informational privacy.
Recommendations
To address these legislative gaps and strengthen India’s privacy protection framework, several key reforms are recommended:
Institutional Reforms
- Establish an Independent Data Protection Authority with genuine autonomy and enforcement powers
- Implement judicial oversight for government exemptions under the DPDP Act
- Create specialized privacy courts for expedited resolution of data protection disputes
Legislative Improvements
- Limit government exceptions through clear, narrowly defined safeguards
- Strengthen consent frameworks that apply consistently to both public and private entities
- Implement data localization requirements for critical personal data to enhance protection
- Harmonize existing legal frameworks, including updating Section 403 of the Indian Penal Code to explicitly address data misappropriation
Awareness and Capacity Building
- Launch comprehensive public awareness campaigns through various media channels
- Develop digital literacy programs to empower citizens in protecting their privacy rights
- Establish training programs for law enforcement and judiciary on privacy rights
Conclusion
The evolution of privacy rights in India represents a remarkable constitutional journey, from early judicial skepticism to the watershed K.S. Puttaswamy (Privacy) v. Union of India judgment establishing privacy as fundamental to human dignity. However, the implementation of this right through legislation reveals a concerning imbalance between state power and individual protections. The Digital Personal Data Protection Act of 2023, while a significant first step, contains critical asymmetries that threaten to undermine the constitutional vision articulated by the Supreme Court.
The privacy framework in India requires recalibration through several key reforms: establishing truly independent oversight mechanisms with enforcement authority; implementing stronger consent frameworks that apply consistently to both public and private entities; adopting data localization requirements for sensitive personal information; limiting governmental exemptions through clear judicial oversight; and harmonizing existing legal frameworks to address contemporary privacy challenges comprehensively.
India stands at a critical juncture in its privacy jurisprudence. Only by addressing these structural imbalances can India fulfill the promise of privacy as a genuine fundamental right in the digital age—one that empowers citizens while enabling responsible innovation and legitimate governance.