RIGHT TO PRIVACY POST-PUTTASWAMY EVOLVING JURISPRUDENCE IN INDIA

Published On: September 12th 2025

Authored By: Dutta Chandra Varshini
VIT-AP University

INTRODUCTION

India, home to over 800 million internet users, stands at the cusp of a digital revolution. While this technological growth brings immense opportunities for innovation, economic development, and governance, it simultaneously exposes citizens to unprecedented privacy risks. From intrusive state surveillance programs to expansive private data collection and algorithmic profiling, the notion of personal liberty is undergoing constant transformation. These developments call into question the adequacy of existing legal protections for individual autonomy and dignity.

The landmark judgment in Justice K S Puttaswamy (Retd) v Union of India [(2017) 10 SCC 1] [1] marked a constitutional watershed by recognising the right to privacy as a fundamental right under Article 21 of the Constitution. The recognition laid the groundwork for reshaping India’s data protection landscape and placed privacy at the heart of democratic citizenship in the digital age. However, with the proliferation of artificial intelligence, biometric technologies, and platform economies, new privacy concerns continue to emerge. Therefore, India’s legal framework must evolve in tandem with digital innovation to ensure that the right to privacy remains meaningful and enforceable.

This article examines the evolution of privacy jurisprudence in India, analyses the strengths and limitations of the Digital Personal Data Protection Act, 2023 [2], and discusses the critical balance between individual rights and state interests. Comparative insights from global frameworks and targeted recommendations are offered to strengthen India’s approach to digital privacy.

FROM MARGINAL RECOGNITION TO FUNDAMENTAL RIGHT: THE EVOLUTION OF PRIVACY JURISPRUDENCE

India’s recognition of privacy rights has not been linear. For decades, judicial interpretation failed to explicitly recognize privacy as a constitutionally protected right. In Kharak Singh v State of Uttar Pradesh [AIR 1963 SC 1295] [3], the Supreme Court invalidated unauthorized domiciliary visits as infringing on personal liberty but rejected the notion of privacy as an independent right. The Court’s reasoning reflected a limited understanding of individual autonomy and a deference to state authority.

In Gobind v State of Madhya Pradesh [(1975) 2 SCC 148] [4], the Court cautiously acknowledged that certain facets of privacy could be protected under Articles 19 and 21, but only if they met the threshold of reasonableness. This marked a slow but steady shift from state-centric governance toward individual rights, albeit with limitations rooted in national security and public order concerns.

The transformative moment came with the Puttaswamy judgment in 2017. In response to challenges to the Aadhaar scheme, a nine-judge bench of the Supreme Court unanimously held that the right to privacy is a fundamental, inalienable right implicit in Article 21. The Court broadened the scope of privacy to include decisional autonomy, bodily integrity, and informational self-determination. Importantly, it introduced a three-fold test—legality, legitimate aim, and proportionality—to assess the constitutionality of state actions infringing on privacy. This framework has since served as the cornerstone for evaluating privacy violations, influencing subsequent judgments and legislation.

The impact of Puttaswamy was evident in K S Puttaswamy v Union of India (Aadhaar Case) [(2019) 1 SCC 1] [5], where the Supreme Court upheld Aadhaar for welfare benefits but struck down its mandatory linkage with mobile numbers and bank accounts. This case reaffirmed the requirement of proportionality and the need for state action to be narrowly tailored.

DIGITAL TECHNOLOGIES AND THE PRIVACY PARADOX

India’s digital landscape has expanded rapidly, bringing both efficiencies and risks. The Digital India initiative, e-governance platforms, and Aadhaar have revolutionized service delivery, making welfare schemes more accessible and efficient. Aadhaar, as the world’s largest biometric identity system, has linked over a billion Indians to state services, banking, taxation, and health care.

However, this unprecedented data centralization has raised deep concerns about privacy. The Supreme Court in the Aadhaar case recognized the dual nature of such systems—beneficial in some respects but dangerous when used without proper legal safeguards. Cases of data breaches, unauthorized profiling, and leaks of Aadhaar details have demonstrated the fragility of data security and the urgent need for stricter regulatory oversight.

At the same time, the private sector’s data practices complicate the picture. E-commerce platforms, social media apps, and fintech services regularly harvest vast amounts of user data. The 2021 WhatsApp metadata, sparked outrage and legal petitions. Users were concerned about surveillance capitalism and the commodification of personal data.

Moreover, the rise of facial recognition technologies (FRTs), predictive policing tools, and artificial intelligence systems in small cities and law enforcement contexts poses an existential threat to privacy. These tools are often deployed without public consultation, data protection impact assessments, or judicial oversight, thereby violating the principles of legality and proportionality. The lack of transparency in algorithms and the potential for discrimination—especially against marginalized communities—warrants an urgent legal and ethical response.

THE DPDP ACT, 2023: PROMISE AND PITFALLS

In response to the need for a comprehensive data protection framework, the Indian Parliament enacted the Digital Personal Data Protection Act (DPDP), 2023 [6]. The Act applies to both government and private data fiduciaries and introduces penalties up to Rs. 250 crore for data breaches. It also establishes a Data Protection Board of India to adjudicate disputes and enforce compliance. These features reflect an effort to align Indian law with international privacy regimes, notably the EU’s General Data Protection Regulation (GDPR) [7].

Yet, the DPDP Act suffers from critical flaws. Most notably, it grants wide exemptions to the government under ambiguous terms like “national security” and “public order,” without requiring judicial or parliamentary scrutiny. This dilutes the Puttaswamy proportionality standard and opens the door to unchecked state surveillance.

Additionally, the Act does not provide users with key rights enjoyed under the GDPR, such as the right to be forgotten, right to data portability, and right to object to processing. Furthermore, the Data Protection Board is not independent, as its members are appointed and overseen by the central government, potentially compromising its objectivity and effectiveness.

Civil society and legal scholars have argued that the DPDP Act represents a missed opportunity to enact a rights-based privacy framework. Its state-friendly orientation risks undermining the very principles enshrined in Puttaswamy.

RECONCILING PRIVACY AND SECURITY: THE LEGAL DILEMMA

A recurring tension in privacy jurisprudence is the balancing of individual rights with national security. This tension is especially stark in India, where surveillance mechanisms like the Central Monitoring System (CMS) and National Intelligence Grid (NATGRID) function without an explicit legislative framework or independent oversight.

While Puttaswamy clearly mandates that any infringement on privacy must satisfy legality, necessity, and proportionality, India’s surveillance regime continues to operate under opaque executive notifications. This lack of transparency undermines both judicial scrutiny and public accountability.

The Pegasus spyware scandal (Manohar Lal Sharma v Union of India (2021) SCC OnLine SC 1153) [8] in 2021, in which journalists, human rights activists, and opposition leaders were allegedly targeted, shocked the nation. The Supreme Court responded by forming a technical committee to investigate the matter and emphasized that surveillance, if conducted, must adhere to constitutional safeguards.

Another contentious issue is the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. These rules require messaging platforms like WhatsApp to enable traceability of originators of messages. However, this directly threatens end-to-end encryption, which is a key element of digital privacy and cybersecurity. In WhatsApp LLC v Union of India WP (C) No 682 of 2021 [9] (Pending), the Delhi High Court is examining whether such traceability mandates are compatible with the constitutional right to privacy under Puttaswamy.

GLOBAL MODELS AND THEIR RELEVANCE FOR INDIA

To build a robust and rights-respecting privacy regime, India can learn from comparative international models. The EU’s GDPR is widely regarded as the gold standard in data protection. It provides individuals with enforceable rights, mandates privacy-by-design, and holds entities accountable through independent supervisory authorities. The GDPR also mandates data breach notifications, impact assessments, and cross-border data transfer regulations.

In contrast, the United States follows a sector-specific model, with laws like the California Consumer Privacy Act (CCPA) offering fragmented protections. The absence of a comprehensive federal law has led to inconsistencies and loopholes in enforcement.

Canada’s Privacy Act provides a middle ground, incorporating judicial oversight, public transparency, and independent regulators. It requires government agencies to justify surveillance and data collection based on necessity and proportionality.

India, while crafting its privacy regime, must ensure that it incorporates the principles of autonomy, transparency, accountability, and oversight found in these models. Crucially, the legal framework must be grounded in constitutional values and adapted to India’s social and technological realities, such as the scale of Aadhaar and linguistic diversity.

KEY RECOMMENDATIONS FOR A PRIVACY-FIRST FRAMEWORK

In light of the above analysis, the following recommendations are proposed to strengthen India’s privacy regime:

  1. Narrow Government Exemptions: Redefine terms like “state security” and “public order” with precision and subject all state surveillance to judicial approval.
  2. Establish an Independent Regulator: Ensure that the Data Protection Board functions autonomously, free from executive influence, with a fixed tenure and transparent
  3. Introduce User-Centric Rights: Grant data subjects the right to erasure, correction, portability, and objection to processing–mirroring international best practices.
  4. Mandate Judicial Oversight for Surveillance: All surveillance operations should be approved by a competent judicial body to ensure compliance with the Puttaswamy test.
  5. Enforce Algorithmic Accountability: Require entities using AI and automated decision-making systems to disclose how personal data is processed and provide redressal mechanisms.
  6. Public Awareness and Digital Literacy: Launch nation-wide campaigns to inform citizens of their data rights, build capacity among regulators, and encourage responsible digital behaviour.
  7. Mandatory Data Protection Impact Assessments (DPIAs): For high-risk processing activities, DPIAs should be conducted and made available for scrutiny.

CONCLUSION

The Puttaswamy judgment was a turning point in Indian constitutional jurisprudence, affirming privacy as a fundamental right integral to human dignity. Yet, the challenges of the digital age, ranging from mass surveillance to algorithmic profiling, require continuous legal and institutional innovation.

While the DPDP Act, 2023, is a long-awaited step toward codifying privacy protections, its overbroad state exemptions, limited user rights, and lack of independent oversight raise serious concerns. A rights-based and transparent legal framework, backed by strong institutions and active civil society engagement, is essential to ensure that privacy remains a lived and enforceable reality.

In a world where data is power, protecting privacy is not merely a legal necessity; it is a democratic imperative.

REFERENCES

[1] K S Puttaswamy (Retd) v Union of India [(2017) 10 SCC 1]

[2] Digital Personal Data Protection Act, 2023

[3] Kharak Singh v State of Uttar Pradesh [AIR 1963 SC 1295]

[4] Gobind v State of Madhya Pradesh [(1975) 2 SCC 148]

[5] K S Puttaswamy v Union of India (Aadhaar Case) [(2019) 1 SCC 1]

[6] Digital Personal Data Protection Act (DPDP), 2023

[7] EU’s General Data Protection Regulation (GDPR)

[8] Manohar Lal Sharma v Union of India (2021) SCC OnLine SC 1153

[9] WhatsApp LLC v Union of India WP (C) No 682 of 2021 before Delhi High Court
