Right to Privacy Post-Puttaswamy: Evolving Jurisprudence in India

Leave a Comment / Legal Articles / By

Published On: September 9th 2025

Authored By: Smaranika Sen
The West Bengal National University of Juridical Sciences

Abstract

The right to privacy, has always been a burning topic among the Indian subcontinent. Since years, it has been under the scrutiny that whether it should be considered as our fundamental right or not. Various judgments have been passed until in the case of Justice K.S. Puttuswamy (Retd.) v Union of India (2017), where the right to privacy was recognised and was given the status of fundamental right. This gave a new meaning to the concept of individual liberty. In today’s digital age, where India is itself becoming digital India, the requirement of privacy is very important. It is so because the technology now is becoming advance and almost everything is becoming digital, making it important to upheld dignity, liberty, autonomy under the Indian Constitution. This paper demonstrates how the right to privacy has evolved especially after the landmark judgment of Puttaswamy case was passed. It also analyses the policy recommendations that could be best fit for strengthening India’s privacy framework.

Keywords: Privacy, constitution, liberty, autonomy, technology, data, digital.

Introduction

In an era, which is constantly developing its technology, the rights related to liberty, autonomy, anonymity, has to be redefined and reshaped. The individual rights which are under state surveillance or state controlled or if we put it in a better way; what could be under state’s control or under the government knowledge has to be redefined. [1]The right to privacy tries to state such boundaries and identify what is an individual’s private right absolutely free from any control or surveillance. The paradigm shift of Right to Life and liberty under Article 21 of Indian Constitution has come since the passing of Puttuswamy judgment. In this judgment, the Court stated that privacy is an intrinsic to human dignity, and individual liberty. Whether any state is permitted to infringe privacy of any individual was now decided through a test: through legality i.e. whether its is backed by law, necessity i.e. whether it serves any legitimate aim or not, and proportionality i.e. what are the least intrusive means.[2] It is to be noted that privacy is not just an aspect of existing fundamental right, rather it is a necessary component itself. It places individual as the centre most subject of the constitutional scheme and prevents any kind of tyranny from state. Let us have a brief look into the Puttuswamy judgment before diving into the evolvement of right of privacy.

Puttuswamy Judgment: A brief insight

During the hearing of the constitutional validity of India’s biometric identity AADHAR, the petitioner argued that such identity was a breach and was perhaps unconstitutional to the right to privacy. [3]In respond to such argument of the petitioner, the Attorney General argued that the Indian Constitution does not uphold of recognise the fundamental right to privacy. He further stated that even in the past, the Supreme Court has not recognised the right to privacy as a fundamental right. However, two years later, since such argument, the nine-judge bench of the Supreme Court assembled to decide upon this burning question that whether ‘right to privacy’ is a fundamental right or not. This is a very crucial case, as it is the fifteenth time in almost sixty-seven years, the nine-bench judge has assembled to decide a grave matter.[4]

In the year of 2017, the nine-judge bench declared that the right to privacy will be upheld and considered as a fundamental right. Though the Puttuswamy judgment was eventually delivered in the context of the AADHAR case, yet the judgment should not be understood only in that context. The requirement of making privacy as a fundamental right dwelled from many incidents where the State tried to encroach upon the liberty of an individual or infringed into the personal lives of its citizens. Now, as we are growing into a digital world, where data is the new asset, individual’s data is mostly upon the world of internet. Therefore, in this rapidly developing situation, privacy as a fundamental right is not only limited to individual liberty, it also implies data protection. Moreover, reproductive rights, informational privacy, gender identity, and many more comes under the protection of the fundamental right of privacy under the constitution.[5]

The evolvement of privacy in the digital age

After the passing of Puttaswamy judgment, there has been a rapid evolvement of technology. From mere data driven applications to AI models, applications, there has been a boom in the world of technology. Therefore, the data of individuals were now mostly in the digital world. Individuals now started to safeguard their information in the digital realm as well, and eventually the concept of privacy also started evolving with the dynamics of the rapidly developing technology. Data collection by state or non-state actors also came under the concept of data protection. Even the social media platforms introduced several features that further complicated the privacy landscape.[6] Many e-commerce platforms and mobile applications were found to be collecting vast amount of personal data of individual, without any proper consent. In the year of 2021, there was a massive outrage of public, when the big giant social-tech company ‘Meta’ was found to be in a data sharing controversy with ‘Whatsapp’. This eventually created a sense of fear and outrage among the public that till what extent are their personal information are secured, are their data being used for any commercial purpose or not or whether their data are being sold to any third-party applications.[7] In the year, 2017, the popular online food delivery app ‘Zomato’ experienced a massive data breach, where various users’ data were stolen.[8] In another case, a ransomware attack happened at AIIMS in 2023, where almost 40 million users’ data were not operational.[9] In the same year, a massive cyberattack happened against Indian Railways, where millions of passengers’ personal data were stolen by dark web. [10]There was also a data leak that happened at HDFC Bank, where the banking information of multiple users were leaked, this led to a huge risk of online financial fraud.[11] Data breaches cause extreme harm. They not only harm individuals but also the state institutions, thereby leading to a stronger requirement of data privacy.

Issues of the digital world

In this new digital era, there are certain things that has to be considered, in order to protect personal data or information thereby enhancing data protection. Certain terms that should be followed by both state or non-state actors, even the commercial companies, social media platforms, banking platforms, healthcare industries and others. The terms are as follows:

  • Consent Fatigue: In this new digital era, consent holds a very deeper meaning. Consent is now not only required in the traditional contracts, but also e-contracts. E-contracts are much more than the digital version of contracts. It also includes any kinds of terms and conditions that the users agree to whenever they sign into any applications or any websites. The issue which arises while giving is this consent is that most of the times, it is observed that the users are unaware of what they are giving consent to, thereby eventually their data is being unknowingly used by online platforms. This is known as consent fatigue. Consent fatigue is something that needs to be eradicated in order to promote data protection and privacy.
  • Surveillance Capitalism: It is an economic process where through human experiences and interactions, data is extracted and such data is eventually monetized. Unlike traditional capitalism, here behavioural data is exploited without consent. Giant platforms like Info-tech industries, social media platforms, commercial platforms, etc collects massive volumes of data. Such data are collected not only through users’ input but also through their behavioural patterns like browsing patterns, searches, voice commands. Now, these data collections are mostly opaque as they are very superficially mentioned in the ‘terms and conditions’ which the users’ generally agree to when they sign in, thereby the give an implied consent to it. These data are eventually used for training algorithms for predictive analytics or they are used for influence or manipulating behaviour. In the last stage, these data are now used for monetization, as these help the companies to promote or advertise such goods that is on the mind of the user.[12]
  • Privacy Paradox: It can be described as a dilemma between an individual’s concern about consent and privacy and their actual online behaviour. This actually creates a paradox in the digital ecosystem. These majorly happens as users are unable to understand privacy terms and conditions, privacy policies are too long and technical, many applications leave no choice other than data sharing.[13]
  • Blurring by design: This can be stated as an intentional use of complexity, vagueness, or misleading user interface in the digital ecosystem to make the privacy controls inaccessible, confusing or ineffective, thereby making the users unable to upheld their right to privacy. The digital platforms do so by hiding important information, using technical means, misleading consent options, or by creating a default data collection mechanism. [14]

While the Puttuswamy judgment gave the citizens the right to privacy as a fundamental right in its intrinsic form of dignity, autonomy and liberty, the evolving digital ecosystem have created a pressure that continues to undermine the right to privacy. The digital ecosystem has created a lot more concerns in the world of privacy. The following are:

  1. Burden upon the users

Though the Supreme Court has considered informational privacy as a part of the bigger realm of Right to privacy, yet the evolving dynamics of technology has made the burden of protecting privacy to the users’ end, thereby creating lot of confusions. These happen generally due to click fatigue, vague consent mechanisms or dark user interface patterns, complex privacy frameworks or manipulative terms and conditions. This leads to a threatening situation as the digital platforms showcases that they had ask for consent from the users whereas the users are unaware of what they are giving consent to.[15]

  1. Bypass of proportionality and necessity tests

In the Puttuswamy judgment, for invasion of privacy a proportionality test was prescribed. However, state and non-state actors are mostly observed to bypass it. It has been observed in the case of surveillance capitalism, where private corporations engage with users’ behavioural patterns without any statutory regulations. Even government surveillance programs continue without any justified laws, or such laws are outdated in comparison to today’s digital world. These eventually leads to the collection of huge volumes of data without any proper legal standards.[16]

Certain case laws related to privacy

In the case of Anuradha Basin v Union of India (2020), stated that the access to internet is a fundamental right of every individual of the state. The Court further stated that the restrictions imposed on the usage of internet should be temporary and should only be used by the state in grave matters.[17] Though this case directly doesn’t touch the aspect of privacy, yet it showcased the interdependency of privacy with digital rights.

In the Peagasus Spyware case, the Supreme Court stated that the state surveillance shouldn’t be arbitrary in nature. It should conform with the constitutional norms, therefore, it should upheld privacy as a very important aspect. Whenever the question of government surveillance arises, the major threat comes to the privacy of millions, thereby state should handle this surveillance in case of utmost need and handle them with utmost care.[18]

Various High Courts and even the Supreme Court has stated that the ‘Right to be Forgotten’, is an important facet of privacy. This is essentially required in today’s age of online reputational harm. Courts have further stated that there should be always a striking balance established between the Right to Privacy and Right to Freedom of Speech and Expression.[19]

Necessary requirements for structural protections for upholding privacy

  • Stronger legislative mandates: There should be strict laws made for data collection, data usage, data retention etc.
  • Independent regulatory bodies: Bodies like Data Protection Board should be absolutely independent and carry-on protecting data eventually the privacy of individuals.
  • Privacy by design: Digital companies and governmental online applications should inbuilt privacy in their websites or make it as a default.
  • Redressal mechanisms: In case of privacy breach: in case of breach, users should get remedy very easily.
  • Regulation of manipulative patterns: Dark patterns, vague user interface should be strictly regulated.

These are some of the practices that should be done, in order to keep at par with the growing technology so that the privacy is never compromised. [20]

The Digital Personal Data Protection Act, 2023: An analysis

India formulated an Act that tries to protect personal data or information. In 2023, as a response to the evolving digital ecosystem, India formulated the DPDP Act. The Act states about data fiduciary – data principal relationship, consent mechanisms, rights of data principals and the establishment of Data protection Board. However, the Act is not as stringent as the EU’s GDPR. It lacks independence of the Data Protection Board. Moreover, it is observed that the Act is more tend towards State and corporate interests than upholding the privacy rights of the individuals.[21]

Conclusion

Undoubtedly, the Puttuswamy judgment reshaped the concept of privacy in the Constitution of India. However, the evolvement of the rapidly development of technology, where the giant AI has come into picture and the country aspires to be a digital country, the laws relating to privacy has also to be reshaped and redefined with time. India’s formulation of the Digital Personal Data Protection Act is a significant step towards protecting data and upholding the right to privacy. However, the gaps should also be addressed that are observed in the Act in order to protect the privacy of individual in its truest form. Thus, the right to privacy has evolved and is constantly evolving with the dynamics of technology.

References

[1]Shreya Atrey and Gautam Bhatia, New Beginnings: Indian Rights Jurisprudence After Puttaswamy.

[2] Alok Prasanna Kumar, Privacy After Puttaswamy, 52(51) Econ. & Pol. Wkly. (Dec. 23, 2017), https://www.epw.in/journal/2017/51/privacy-after-puttaswamy-judgment/privacy-after-puttaswamy.html.

[3] Ujwal Nirgudkar, A Critical Analysis of the Aadhaar Judgment, 5(2) Int’l J. Legal Insight 101 (2019).

[4] Supra note 1

[5] Justice K.S. Puttaswamy (Retd.) v. Union of India, (2019) 1 SCC 1 (India).

[6] Lawful Legal, Right to Privacy After Puttaswamy: Evolving Dimensions in the Digital Era, https://lawfullegal.in/right-to-privacy-after-puttaswamy-evolving-dimensions-in-the-digital-era/ (last visited July 9, 2025).

[7] Competition Comm’n of India, India Restricts WhatsApp Sharing Data with Other Meta Entities, Imposes $25.4 M Fine, Reuters (Nov. 18, 2024), https://www.reuters.com/technology/indias-competition-regulator-imposes-254-mln-fine-meta-whatsapps-2021-privacy-2024-11-18

[8] Zomato Hacked: Hackers Steal Data of 17 Million Users, The Econ. Times (May 24, 2017), https://economictimes.indiatimes.com/small-biz/startups/zomato-hacked-hackers-steal-data-of-17-million-users/articleshow/58742044.cms

[9] Five AIIMS Servers Hacked, 1.3 TB Data Encrypted in Cyber Attack: Govt to Parliament, ET (Feb. 2023), https://health.economictimes.indiatimes.com/news/hospitals/aiims-ransomware-attack-key-patient-data-at-risk-of-leak-sale-on-dark-web/95820909

[10] Sneha Saha, Indian Railway Data Leak: Personal Data of Over 3 Crore Passengers Leak, Up for Sale on Dark Web, India Today (Dec. 28, 2022), https://www.indiatoday.in/technology/news/story/indian-railway-data-leak-name-and-phone-number-of-over-3-crore-passengers-leak-up-for-sale-on-dark-web-2314606-2022-12-28 

[11] Miklos Zoltan, Data of Around 600,000 HDFC Bank Clients Leaked by Hackers, Privacy Affairs (Mar. 23, 2023), https://www.privacyaffairs.com/hdfc-bank-data-leak/ 

[12] Shoshana Zuboff, The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power (2019)

[13] Spyros Kokolakis, Privacy Attitudes and Privacy Behaviour: A Review of Current Research on the Privacy Paradox Phenomenon, 64 Computers & Security 122 (2017), https://doi.org/10.1016/j.cose.2015.07.002

[14] Woodrow Hartzog & Frederic D. Stutzman, Obscurity by Design, 88 Wash. L. Rev. 385 (2013).

[15] Bruce Schneier, Now Isn’t the Time to Give Users Control of Their Data, Wired (Nov. 24, 2021), https://www.wired.com/story/dont-give-users-control-over-data.

[16] Supra note 5

[17] Anuradha Bhasin v. Union of India, (2020) 3 SCC 637 (India).

[18] Manohar Lal Sharma v. Union of India, Writ Petition (Criminal) No. 314 of 2021, (2021) 10 SCC 1 (India).

[19] Vrinda Bhandari & Renuka Sane, The Right to Be Forgotten in India: A Regulatory Deep Dive, 16(2) Indian J. L. & Tech. 1 (2020).

[20] Drishti Singh, The Right to Privacy in India’s Digital Era: A Post-Puttaswamy Perspective, 3(3) Int’l J. Legal & Soc. Sci. Stud. 634, 634–37 (2023).

[21] Id at 636

Related Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Subscribe
Subscribe
Scroll to Top