Published On: October 11th 2025
Authored By: Azaa Junaid
Faculty of Law, Aligarh Muslim University
Abstract
The recent technological advancements have changed how personal data is acquired, processed, and scrutinized, thereby escalating threats to privacy breaches. Privacy recognized internationally as a fundamental human right, is a cornerstone of individual autonomy and dignity.
This article explores the evolution of the concept of privacy, with a focus on its judicial recognition in India, in the landmark Puttaswamy judgment. It delves into challenges posed by big data analytics. The paper further analyzes existing laws and regulatory frameworks created to protect data privacy while focusing on their limitations in the digital age. The tension between the state’s power of surveillance and the individual’s right to privacy is addressed, evaluating the balance between security needs and personal freedom. The article also highlights the pressing need for an adaptive legal framework capable of protecting privacy in an era of accelerating technological advancements.
Introduction
The development of technology has been extremely beneficial to humans. Nevertheless, many of our liberties are currently in danger due to the advancement of technology. As technology advances and more data is continuously collected and processed in the marketplace, the right to privacy is becoming increasingly important.[1] The digitalization process has led to the emergence of several criminal activities, including but not limited to data fraud, hoax contacting, and cyber harassment. When users provide their private information to websites for businesses, state authorities, digital networking companies, or interaction intelligence services, it can often be misused. The acquisition, archiving, surveillance, recording, accessing, processing, dissemination, maintenance, etc. of data is not expressly governed by law anywhere in the country.
International Recognition Of The Right to Privacy as a Fundamental Right
The international community has identified the right to privacy as a basic human right that serves as the basis for several other rights. Privacy, as a right, is recognised in the Universal Declaration of Human Rights (UDHR), 1948, and the International Covenant on Civil and Political Rights (ICCPR), 1966. Article 12 of the UDHR and Article 17 of the ICCPR provide legal protection to persons against ‘arbitrary interference’ with one’s privacy, family, correspondence, home, reputation, and honour.[2]
The privacy rights of those communities are recognised and safeguarded by special conventions for the protection of the rights of special groups, in addition to international treaties like the UDHR and ICCPR. Children are protected by the law from arbitrary and unlawful invasions of their home, family, correspondence, and privacy under Article 16 of the Convention on the Rights of the Child, 1989. Their honour and reputation are also protected from unlawful attacks. In a similar vein, Article 14 of the 1990 International Convention on the Rights of All Migrant Workers and Members of Their Families shields migrant workers and their families from illegal invasions of their privacy, residence, and correspondence, as well as from defamatory remarks made about them in public.[3]
Various regional groupings have acknowledged and safeguarded the right to privacy for their citizens. For instance, the European Convention on Human Rights guarantees the right to private and family life, albeit with exceptions for national security, health, morals, and the protection of others’ rights. Similarly, the Arab Charter on Human Rights protects against arbitrary interference with privacy, family matters, or correspondence. The American Convention on Human Rights prohibits arbitrary or abusive interference in private life, family, home, or correspondence. Additionally, the Convention for the Protection of Individuals concerning
Automatic Processing of Personal Data aims to respect human rights, particularly the right to privacy. The Asia-Pacific Economic Cooperation Privacy Framework ensures the protection of informational privacy during the free flow of information in the region.
Concept of an Individual’s Right to Privacy
As a new discipline, privacy is still a growing area of law theoretically, but in normal words, privacy can be traced back to human existence. For any man to be able to work and contribute to society positively and freely, it becomes necessary that a man has some “me” time. Right to Privacy essentially means for a person to enjoy individual autonomy and confidentiality.
The concept of an individual’s right to privacy is multifaceted. It makes reference to the special right that internet users have over the gathering, storing, and sharing of their personally identifiable information. A person’s identification details, interests, and the personal information of people they are related to, together with information about their education, well-being, and finances, are all considered forms of private data. Private information may be cleverly used for a range of purposes, including government surveillance and profit-making for businesses. The Apex Judicial Authority declared the “Right to Privacy” to be a basic right in August 2017, notwithstanding the Indian Constitution’s lack of explicit recognition of this right.[4] There is barely any regulation protecting data, despite multiple administrative initiatives, and no data safeguarding agency exists in India currently. However, India has come a long way in recognising the privacy of an individual.
Indian Judicial Recognition Of the Right To Privacy
In M.P. Sharma v. Satish Chandra,[5] The Supreme Court decided that the right to privacy is not guaranteed by the Indian Constitution. The bench was considering whether a search order granted under Section 96(1) CrPC[6] is in violation of Article 19(1)(f) of the Constitution.[7]The Apex Court’s dissenting opinion in Kharak Singh v. State of Uttar Pradesh, warrants special attention since it recognised that the right to privacy as a fundamental right is protected by Article 216 and 19(1)(d) of the Indian Constitution.[8] The Supreme Court ruled that the expansion of the right to privacy to include telecommunications is a serious violation of an individual’s rights during its discussion of the issue of telephone tapping.[9] Furthermore, the Supreme Court acknowledged the boundary between mental and bodily privacy.[10]
According to the decision in Unique Identification Authority of India v. Central Bureau of Investigation, it is against the policy to share biometric data of an individual who has been assigned an Aadhaar number with any third entity in the absence of express authorization.
Following this, the benchmark ruling in K.S. Puttaswamy v. Union of India,[11] where the Unique Identity Scheme was considered, the privacy concern was addressed. Recognizing that there is no clear framework for privacy in the Constitution of India, the constitutional bench had to decide whether the right to privacy is guaranteed by the Constitution and, if so, where it stems from. This judgment distinguished itself from earlier precedents by making the unequivocal conclusion that the Indian Constitution protects privacy as a fundamental right.[12]
Before the Information Technology Act’s Sections 43-A and 72-A being recognised as fundamental rights under Article 21 of the Indian Constitution,13 the Telegraph Act of 1885, which regulated communication interception, was the only law protecting an individual’s personal data. Organizations that collected data are subject to requirements under the recently passed Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, which are designed to protect personal information.
It would be proper to recall a quote from Russian American Writer and Philosopher Ayn Fans here: “Civilization is the progress toward a society of privacy. The savage’s whole existence is public, ruled by the laws of his tribe. Civilization is the process of setting man free from men.”[13]
Big Data and Its Relationship with Privacy
Big data has been defined in various ways. The report by META Group (now Gartner) in 2001 defined big data using three Vs: volume, velocity, and variety (Laney, 2001). Big data is high-volume, high-velocity, and/or high-variety information assets that demand cost-effective and innovative forms of information processing to enable enhanced decision-making and automation processing. Other characteristics of big data are articulated by different features such as scalability (Marz & Warren, 2015), veracity (Marr, 2014), value, variability (McNulty, 2014), and granularity. It is rare for datasets to satisfy all characteristics. Thus, most of the time, big data agencies determine the permutations and combinations of these characteristics and classify them as ‘big data.’[14]
Big data is a new paradigm of data-driven decisions. The quantity of data that is being generated by smartphones, televisions, social media networks, sensor-driven devices, and many other such networks that we constantly use in our daily lives. Big data looks for correlation rather than causation, the ‘what’ rather than the ‘why’. Big data comprises a variety of data types including text, imagery, and video.
Big data is sourced from diverse channels like news articles, social media, images, and videos, spanning both developed and developing nations. Technological advancements facilitate the acquisition and interpretation of this data, presenting opportunities to address societal challenges. However, the extraction of insights from big data and metadata, including personal details and browsing history, raises concerns regarding privacy infringement and human rights violations by governmental and corporate entities.
Since the 1970s, US industry in particular has been keen to accumulate large amounts of information on consumers and run algorithms against that data, but over the past twenty years, this form of data mining and automated decision-making has seen a rapid increase (Privacy International, n.d.). Privacy International has identified that this type of data analysis has expanded to passenger profiling, anti-terrorist systems, border management (i.e., automated-targeting system), and money laundering (i.e., suspicious transaction reporting and analysis).[15]
Emerging technologies that enable data transfer without direct human interaction pose a potential threat to privacy, as seen in the rise of the Internet of Things (IoT). The IoT encompasses interconnected devices, machines, and even living beings with unique identifiers. Moreover, there’s a growing industry focused on big data, offering solutions to governments and companies. This has led to increased data collection through various means, including surveillance, data merging, sensor technologies, and the expansion of the IoT. Governments are implementing legislation and programs to collect vast amounts of personal and sensitive data to provide services to their populations.
In recent years, political leaders and businesses have been proclaiming big data a a solution for a diverse range of problems, from corruption, providing government services and entitlements, fighting against diseases, etc.[16]
Laws Relating To Data Privacy And Other Measures
India has taken significant steps to safeguard citizens’ privacy rights through legislative measures and regulations. Notable privacy laws and regulations in India include:
- The Information Technology Act, 2000
The Information Technology Act, 2000 (IT Act) was one of India’s first major steps towards addressing cybersecurity and data protection. It defines the legal framework for electronic transactions and outlines penalties for unauthorized access and data breaches.
- The Personal Data Protection Bill, 2019
The Personal Data Protection Bill, 2019 (PDP Bill) aims to protect individuals’ personal data and regulate its processing. Once enacted, this comprehensive law will govern the collection, use, and storage of personal data by both government and private entities.
- Aadhaar Act, 2016
The Aadhaar Act established the legal framework for the Aadhaar system, India’s biometric identification program. It addresses concerns related to the privacy and security of citizens’ biometric and demographic information.
- Other Data Protection Measures in India
India employs various data protection strategies to safeguard personal information in the digital age:
- Data Localization
Certain sensitive categories of data, such as financial and health information, may require storage and processing within India’s borders. Data localization enhances data security and minimizes the risk of unauthorized access.
- Consent Mechanisms
The PDP Bill emphasizes obtaining informed and explicit consent from individuals before collecting and processing their personal data. Consent mechanisms ensure transparency and empower individuals to exercise control over their data.
- Data Protection Officers (DPOs)
Under the PDP Bill, certain organizations may be required to appoint Data Protection Officers responsible for overseeing data protection and privacy compliance.
- Privacy by Design
Adopting a privacy-by-design approach ensures that privacy considerations are incorporated into the development of products and services from the outset.
State’s Power of Surveillance
Privacy is associated with liberty, but it is also associated with privilege, with confidentiality, with nonconformity and dissent, with shame and embarrassment, with the deviant and the taboo, and with subterfuge and concealment. Individuals’ right to privacy has been complicated by the emphasis on security and the numerous developments in surveillance and information technology. Increasingly, individuals are being asked to give up more and more of their privacy in the name of state or national security.[17]
It has been observed that governments and private entities are gathering, retaining, and scrutinizing vast amounts of citizens’ data under the guise of enhancing public services, improving user experience, and ensuring citizen safety and security. However, concerns have arisen regarding the lack of transparency and accountability in the development of algorithms used for data processing, questionable security measures employed in storing and managing large datasets, excessive reliance on big data over traditional analytical methods, and the emergence of new digital inequalities. The following section will delve into how governments and various companies collect, store, utilize, transmit, and recycle collected data for various purposes, highlighting the threats posed to the right to privacy in the era of Big Data.
The Right To Privacy Under Surveillance Allowances In India:
As for legislation regarding Internet surveillance in India, the Information Technology Act, 2000, contains the related provisions; considering that in this contemporary age, communication over the internet encapsulates the majority of what would be considered “private communication” in terms of vulnerable data, this form of interception is the most relevant with regards to surveillance of private communication.
Under Section 69 of the IT Act, the government is permitted to monitor internet data for a variety of general purposes related to the interests of the country. Following in order, the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 establish the legal framework for the procedural aspects of Section 69 surveillance.
Section 69 of the IT Act allows for the interception, monitoring, and decryption of digital information as long as it is done in the interest of India’s sovereignty and integrity and other such goals, or the prevention of or investigation of an offense; however, it notably includes the addition of “the occurrence of public emergency of the interest of public safety”, which largely broadens the ambit of power allowing for surveillance by discretion.[18]
Whilst the IT Interception Rules stipulate the procedure that must be followed for a valid issuance of interception directions, there is a lack of provision for judicial authorisation or surveillance oversight, despite their being the best-suited for carrying out legal tests and ensuring interference with privacy carried out in this manner is compliant with the principles of proportionality and necessity.[19]
Rule 5 of the IT Rules 2011 specifically requires the subject’s consent to be provided in writing before the collection of personal data. This rule only applies to sensitive personal data or information, which significantly narrows the application of the rule requiring consent before personal data collection.
However, in a move that underscores the importance of safeguarding privacy, the High Court of Bombay, in the case of Vinit Kumar v. Central Bureau of Investigation, emphasized that unless there is a clear threat to public safety or the welfare of individuals, authorizing the interception of phone calls and tapping is not justified. This stance strongly supports the principle of privacy protection, especially concerning intrusive surveillance methods, except in cases where there is a genuine risk to public safety. This judgment significantly limits the discretion of surveillance authorities in determining the necessity of call interception or tapping, preventing unjustified data interception based solely on subjective surveillance discretion.
Conclusion
The Court’s examination of the right to privacy materialised at the correct time. India has begun to embrace electronic governance. The statistics on web connections demonstrate that the public’s enthusiasm is shifting to information technology-based processes. Keeping this in mind, a privacy ombudsman could be a practical way to ensure that the state doesn’t in any way exploit its position while the parliament works to pass explicit laws to regulate such a right. Identical procedures are used in the UK, where the Investigatory Powers Tribunal, a court, is in charge of restricting the state’s surveillance authority and making sure that no one’s right to privacy is violated. Additionally, a legal body might order a process for evidence-based decryption. In an attempt to persuade the courts that decryption is required, the law enforcement agency must, by this strategy, provide adequate corroboration before the courts.[20]
In the European Union, the examination of antitrust issues extends beyond just pricing strategies and encompasses five aspects of competition: price, production, quality, choice, and innovation. The EU is concerned that firms often use customer data for their own gain, potentially diminishing the quality of services provided. Antitrust regulations come into play when such degradation arises from mergers or the abuse of market dominance. In several merger cases like Microsoft-Skype, Facebook-WhatsApp, and Microsoft-LinkedIn, the EU focused on non-price factors. To safeguard consumer well-being, the EU enacted the General Data Protection Regulation. Although the Personal Data Protection Bill, which aimed to establish a Data Protection Authority to prevent data exploitation, was shelved, it included penalties for unauthorized processing or transfer of personal data and for re-identification of personal data without user consent, pending further reforms.
India is moving towards a more user-privacy-friendly regime, along with maintaining the provisions that preserve national security. The nation can draw inspiration from foreign jurisdictions and model a further robust framework, which would attract several digital giants to choose India as their governing jurisdiction. This will aid India in achieving its goal of becoming a five trillion-dollar economy.
References
[1] Privacy in India in the Age of Big Data’ (DEF India, 24 March 2024) <https://www.defindia.org/wp-content/uploads/2018/04/Privacy-in-India-in-the-Age-of-Big-Data.pdf> accessed 24 March 2024
[2] Right to privacy, iPleaders (24 March 2024) <https://blog.ipleaders.in/different-aspects-of-right-to-privacy-under-article-21/> accessed 24 March 2024.
[3] The International Convention on Migrant Workers and its Committee (1 October 2005) <https://www.ohchr.org/sites/default/files/Documents/Publications/FactSheet24rev.1en.pdf> accessed on 20 August 2025
[4] K S Puttaswamy v Union of India AIR 2017 SC 4161
[5] (1954) 1 SCR 1077
[6] Code of Criminal Procedure 1973, s 96(1)
[7] Constitution of India 1950, art 19(1)(f)
[8] Constitution of India 1950, art 19(1)(d)
[9] People’s Union for Civil Liberties v Union of India AIR 1997 SC 568, (1997) 1 SCC 301
[10] Selvi v State of Karnataka AIR 2010 SC 1974, (2010) 7 SCC 263
[11] Right to privacy (n 1).
[12] Right to privacy in digital age’ (Manupatra, 23 March 2024) <https://articles.manupatra.com/article-details/Right-to-Privacy-in-Digital-Age> accessed 23 March 2024
[13] Right to privacy and media’ (SSRN, 24 March 2024) <https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID4644715_code4943788.pdf?abstractid=4644715> accessed 24 March 2024
[14]Privacy in India in the Age of Big Data’ (DEF India, 24 March 2024) <https://www.defindia.org/wp-content/uploads/2018/04/Privacy-in-India-in-the-Age-of-Big-Data.pdf> accessed 24 March 2024
[15] supra n 12, 6
[16] Ibid
[17] Right to Privacy in Digital Era’ (SSRN, 24 March 2024) <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3678224> accessed 24 March 2024
[18]Surveillance and Privacy in India’ (Legal Service India, 24 March 2024) <https://www.legalserviceindia.com/legal/article-10439-surveillance-and-privacy-in-india.html> accessed 24 March 2024
[19] Ibid
[20] supra n 10, 6
