Privacy after Puttaswamy: Where’s the Line?

Published on: 23rd December 2025

Authored By: Snehal Babaji Satpute
Modern Law College (Savitribai Phule Pune University)

Abstract

The Supreme Court’s unanimous recognition of privacy as a fundamental right in K.S. Puttaswamy v. Union of India (2017) marked a watershed moment in Indian constitutional jurisprudence. This article examines the contours of the right to privacy in the post-Puttaswamy era, analyzing how the Court’s proportionality framework applies to contemporary digital challenges including the Aadhaar program, Pegasus surveillance allegations, and evolving information technology regulations. Through analysis of landmark judgments and legislative responses, this piece explores where constitutional boundaries lie between individual privacy and state interests in an age of big data, digital surveillance, and unprecedented technological intrusion into personal autonomy.

I. Introduction

On August 24, 2017, the Supreme Court of India unanimously recognized privacy as a fundamental right guaranteed by the Constitution.[1] The majority opinion, authored by Justice D.Y. Chandrachud on behalf of Chief Justice Khehar and Justices Agrawal, Nazeer, and himself, represented the culmination of a legal journey that began in 2012 when Justice K.S. Puttaswamy, a retired judge of the Karnataka High Court, filed a writ petition challenging the constitutional validity of the Aadhaar scheme introduced by the UPA Government.

In this historic decision, the nine-judge bench unanimously recognized a fundamental right to privacy of every individual guaranteed by the Constitution, within Article 21 in particular and Part III as a whole. The decisions in M.P. Sharma v. Satish Chandra[2] and Kharak Singh v. State of U.P.[3] were overruled. Since the 2017 judgment, the fundamental right to privacy has been cited as precedent in various landmark judgments such as Navtej Singh Johar v. Union of India[4] and Joseph Shine v. Union of India.[5]

In recent times, privacy considerations arising from the Cambridge Analytica scandal, the WhatsApp-Facebook privacy sharing arrangement, the Apple-FBI dispute, the Snowden leaks, and the Aadhaar Act have dominated headlines. The rise of data analytics and the increasing availability, storage, and ease of mining personal information online has created a public policy conundrum over balancing the benefits of big data with threats to the right to privacy.

Countries across the world have responded to these concerns by revisiting their privacy legislation and imposing additional safeguards. The EU General Data Protection Regulation (GDPR) came into force in May 2018, replacing the EU Data Protection Directives of 1995, in a bid to adapt the EU data protection framework to address modern technology privacy challenges.[6] In 2016, the U.S. and the EU also entered a new data transfer framework agreement—the “Privacy Shield”—intended to protect the privacy of data of European users stored in the U.S. The Obama White House commissioned various reports on big data and privacy, and various consumer privacy bills have been introduced in the U.S.

Meanwhile in India, after the reference in 2015, the nine-judge bench of the Supreme Court unanimously ruled in K.S. Puttaswamy v. Union of India that the right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and other freedoms guaranteed by Part III of the Constitution. Although the court was unanimous in recognizing privacy as a fundamental right, nuanced differences emerged regarding the precise tests applicable in case of a violation of the right.

During the course of the hearing in Puttaswamy, the government constituted a committee of experts chaired by Justice B.N. Srikrishna to, inter alia, review data protection norms in India and make recommendations. The Committee released a White Paper on Data Protection in 2017, and submitted its final report titled “A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians” along with a draft law—the Personal Data Protection Bill, 2018—in July 2018.[7] This led to a healthy public debate on the way forward.

The discourse today rests on the growing body of work that has examined the jurisprudential development of privacy law in India and the various model privacy frameworks that have been drafted over the years. In the early years, privacy concerns were mostly related to the State. The advent of big data and the Internet of Things moved the discussion to privacy infringements by the private sector. The lines between the two are now indistinct, especially because the State is increasingly able to use the private sector to improve surveillance—often for reasons of efficiency in service delivery or concerns about national security—bringing us back to the threats imposed by the State.

Against this background, this article’s contribution to the debate is three-fold. First, we seek to conceptualize the right to privacy post-Puttaswamy in the age of the internet and big data, and its implications for the State and private actors. We explain why privacy matters, both in the context of the State and private entities, and the blurring distinction between them. Second, we examine those aspects of the draft Bill that touch upon the public-private distinction, evaluating how it has fared in regulating the actions of the State and private sector, with a broad focus on consent, surveillance, and the interaction between the State and private sector. Third, we emphasize the implementation challenges of legislation given the weak state capacity in India. We focus on two aspects of implementation—namely regulation-making and enforcement—and highlight that both give substantial power to the State over its regulated entities. We argue that considering the privacy concerns against State action, the challenge to implementation in the area of personal data may only be exacerbated.

II. The Aadhaar Case: Establishing the Proportionality Framework

In 2018, a five-judge Constitution Bench of the Supreme Court examined whether Aadhaar—a government scheme in which residents receive a unique identification number after providing their biometric and demographic details—violates the right to privacy.[8] Building upon the 2017 Puttaswamy judgment that recognized privacy as a fundamental right, the Court articulated a clear framework for assessing when state action impinging on privacy is constitutionally permissible.

The Constitutional Foundation

The Court reaffirmed that the right to privacy is a fundamental right, protecting it as an integral part of the right to life and personal liberty under Article 21 and as part of the freedoms guaranteed by Part III of the Constitution. Privacy protects individual autonomy and recognizes an individual’s ability to control crucial aspects of life. However, the Court clarified that the right to privacy is not absolute and is subject to reasonable restrictions that can be imposed on fundamental freedoms under Part III of the Constitution.

The Three-Part Proportionality Test

The Court established that any law encroaching upon privacy will be scrutinized based on the test of proportionality, which requires satisfaction of three conditions:

1. Legality: There must exist a law passed by a competent legislature that places restrictions on the right to privacy. This ensures that privacy is not infringed by arbitrary executive action or informal government policies.

2. Legitimate Aim: The law must be necessary and have a legitimate aim—meaning there must be a rational connection between the aim and the means taken to achieve it. The State must demonstrate that the purpose of the privacy limitation serves a legitimate public purpose such as national security, preventing crime, public health, or delivery of welfare benefits.

3. Proportionality: The law must be proportionate, meaning it should involve the least amount of intrusion on the right to privacy. The means adopted must be the least intrusive way to achieve the goal, and the extent of the privacy invasion must not exceed what is necessary. This component ensures that the State does not overreach or act disproportionately, even in the name of national interest.

The Aadhaar Judgment

Applying this test, the Supreme Court upheld the constitutional validity of the Aadhaar Act on the grounds that it does not violate the fundamental right to privacy. The Court found that Aadhaar does not establish pervasive surveillance but ensures data protection and security. However, the Court struck down certain provisions of the Act and recommended changes, which led to the enactment of the Aadhaar and Other Laws (Amendment) Act, 2019.

Significantly, while mandatory linking of Aadhaar with PAN cards was upheld as serving a legitimate state interest in preventing tax evasion, mandatory linking with bank accounts and mobile phone numbers was declared unconstitutional as it failed the proportionality requirement. The Court struck down Section 57 of the Aadhaar Act, which had allowed private companies to require Aadhaar for service provision, finding this exceeded the permissible scope of state action.

The Court emphasized that the means adopted to achieve a legitimate state aim must be carefully tailored and not disproportionate or excessive. This nuanced approach—upholding Aadhaar’s core framework while striking down its overreach—exemplifies how the proportionality test operates as a meaningful constitutional safeguard.

III. Pegasus: Privacy, Press Freedom, and National Security

The Pegasus controversy brought the tension between privacy rights and national security claims into sharp focus. In response to allegations that the Indian government used Israeli-developed Pegasus spyware to conduct surveillance on journalists, activists, and opposition figures, the Supreme Court established a technical committee to investigate and articulated important principles regarding state surveillance.

Understanding Pegasus

Pegasus is spyware developed by the Israeli firm NSO Group designed to infiltrate smartphones—both Android and iOS—and turn them into surveillance devices.[9] NSO Group has affirmed that it sells the software only to governments, marketing it as a tool to track criminals and terrorists through targeted spying rather than mass surveillance.

The spyware exploits undiscovered vulnerabilities or bugs, meaning a phone could be infected even if it has the latest security patches installed. In 2016, smartphones were infected using a technique called “spear-phishing”—text messages or emails containing malicious links were sent to targets, and infection required the target to click the link. By 2019, Pegasus had evolved to employ zero-click installation, which requires no interaction by the target. It could infiltrate a device through a missed call on WhatsApp and could even delete the record of the missed call, making it impossible for users to know they had been targeted. Pegasus also exploits vulnerabilities in iMessage, giving it backdoor access to millions of iPhones. The spyware can also be installed through a wireless transceiver located near a target.

The Pegasus Project Revelations

The Pegasus Project, an international investigative journalism effort, revealed that various governments used the software to spy on government officials, opposition politicians, journalists, activists, and many others. Reports indicated that the Indian government used it to spy on approximately 300 people between 2017 and 2019.[10]

The Supreme Court’s Response

A case was filed in the Supreme Court accusing the government of indiscriminate spying. The government refused to file a detailed response to the allegations made by the petitioners, citing national security as a reason. The government also requested permission to set up its own probe, which was rejected by the Court. The Court held that such a course of action would violate the settled judicial principle against bias—namely, that “justice must not only be done, but also be seen to be done.”

The Supreme Court underlined three key imperatives:

1. The Right to Privacy of Citizens: Reaffirming that privacy remains a fundamental right even in matters involving national security.

2. Freedom of the Press: Protecting the press includes the right of journalists to ensure protection of their sources.

3. Limits on National Security Claims: National security cannot serve as an unlimited shield by the government to block disclosure of facts related to citizens’ rights.

The Court cited Ram Jethmalani v. Union of India[11] to emphasize that the Government should not take an adversarial position when the fundamental rights of citizens are at stake. The Court held that while the Union of India may decline to provide information citing security of the State or other specific immunity under a statute, it must prove and justify the same.

The Court established a technical committee with seven terms of reference, including determining who procured Pegasus and whether the petitioners in the case were indeed targeted by use of the software. The Court also asked the committee to make recommendations on a legal and policy framework on cybersecurity to ensure the right to privacy of citizens is protected.

IV. Impact on Information Technology Rules and Regulations

The Puttaswamy judgment, recognizing privacy as a fundamental right under Article 21 of the Indian Constitution, has significantly impacted various IT rules and regulations. This landmark decision established that any state intrusion into privacy must meet the proportionality test discussed above. This framework has implications for surveillance laws, data protection, and the regulation of digital platforms.

Surveillance Measures

The judgment emphasized the need for proportionality and legality in state surveillance. This means that surveillance measures, including those under the Information Technology Act, 2000 (IT Act), must be justified by a legitimate aim, be proportionate to that aim, and be implemented in a fair and reasonable manner.

Data Protection Framework

The Puttaswamy case laid the foundation for comprehensive data protection legislation in India. After several iterations, Parliament enacted the Digital Personal Data Protection Act, 2023, which aims to safeguard personal data processed in India, imposing restrictions on how data is collected, stored, and used.[12] This legislation represents a culmination of the Srikrishna Committee’s work and subsequent policy developments.

Regulation of Digital Platforms

The ruling has also influenced the regulation of social media and other digital platforms, emphasizing the need for transparency and accountability in their data handling practices. Various IT Rules promulgated under the IT Act have been challenged and scrutinized through the lens of the Puttaswamy framework.

Key Principles Emerging from Puttaswamy

1. Proportionality Test: The Puttaswamy judgment introduced the proportionality test to assess the validity of any state intrusion into privacy. This test requires a balancing act between the state’s interest and the individual’s right to privacy.

2. Constitutional Morality: The judgment highlighted the importance of constitutional morality, establishing that data exploitation by the state or corporations without consent constitutes a violation of fundamental rights.

3. Informational Self-Determination: The ruling emphasizes that individuals have the right to control their digital footprint and how their personal information is used.

Despite the Puttaswamy judgment, challenges remain in ensuring the effective implementation of privacy protections, particularly in the context of evolving technologies and surveillance practices. In essence, the Puttaswamy case has reshaped the legal landscape surrounding privacy in India, particularly in the context of information technology. It has raised the bar for state actions that impinge on privacy and has spurred the development of new laws and regulations to protect citizens’ data and digital rights.

V. Legislative and Regulatory Evolution

The Information Technology Act, 2000

In 2008, key amendments were made to the Information Technology Act, 2000, to address data privacy concerns:[13]

1. Section 72A: This provision made infringement of data privacy a punishable offense, creating criminal liability for unauthorized disclosure of personal information.

2. Sensitive Personal Data Rules: Rules were enacted under the IT Act to protect sensitive personal data, including medical and sexual history and biometric information.

While these measures represented useful steps forward, they proved insufficient, and comprehensive data protection legislation became necessary to provide adequate protection in the digital age.

Article 21 and the Right to Privacy

The right to privacy gained constitutional recognition in India through the landmark Puttaswamy judgment (2017), where the Supreme Court declared it to be a fundamental right under Article 21. The Court recognized that all individuals have the right to be left alone, make decisions about their private choices, and be protected against exploitation of their personal data. The right to privacy also encompasses the “right to be forgotten.”

To operationalize these rights, the Central Government passed the Digital Personal Data Protection Act, 2023, to prevent exploitation of personal data by online businesses. This legislation aligns with global practices such as the European Union’s General Data Protection Regulation (GDPR), which came into force in May 2018. These protections are significant, and sustained efforts are needed to implement these laws effectively on the ground.

Privacy remains a crucial and evolving issue in the age of the internet. Government regulation must keep pace with emerging challenges. The right to privacy is based on the idea that certain inherent choices about ourselves and our practices are inseparable from human personality, and we should be able to control information about ourselves and choose with whom we share it. This “private information” is increasingly threatened as technology companies accumulate vast amounts of our data through social media, online purchases, browsing, and search activity.

Dimensions of Privacy

Privacy includes various aspects: bodily integrity, personal autonomy, control over personal information, safeguarding against government interference, and preserving the freedom to dissent, move, or think.

Judicial Application: Telephonic Privacy

The Chhattisgarh High Court in 2023 held that recording telephonic conversations without consent violates the right to privacy under Article 21.[14] Consequently, such recordings cannot be submitted as evidence in court without proper authorization and compliance with legal requirements.

VI. Drawing the Constitutional Line: Post-Puttaswamy Analysis

The Supreme Court’s judgment in Justice K.S. Puttaswamy (Retd.) v. Union of India (2017) marked a constitutional watershed by declaring that the right to privacy is a fundamental right under Part III of the Constitution, specifically rooted in Articles 14, 19, and 21. However, the Court clarified that this right is not absolute. It introduced a structured doctrine to determine when and how the State can intrude upon privacy. This doctrine—the proportionality test—draws the constitutional line between an individual’s privacy and the State’s interests in governance, security, and welfare.

Where the Line Is Drawn

This test establishes where the constitutional “line” is drawn. Any action that fails even one element of this test is unconstitutional and hence invalid. For example, in the Aadhaar case (2018), the Supreme Court upheld Aadhaar as constitutional for welfare delivery, stating it satisfied the three-part test. However, it struck down mandatory linking of Aadhaar with bank accounts and mobile numbers, as these measures failed the proportionality requirement. Similarly, in cases like the Pegasus spyware controversy, the Court expressed serious concern because the government failed to demonstrate any lawful basis or legitimate aim, let alone prove proportionality.

Expanding Conception of Privacy

Post-Puttaswamy, the meaning of privacy has expanded significantly. Privacy is no longer limited to bodily or spatial privacy; it now encompasses informational privacy, autonomy over personal decisions, data protection, and control over personal digital footprints. This broader conception reflects the realities of life in a digitally interconnected world where personal data has become a valuable commodity.

Implementation Challenges and Ambiguities

Despite this progressive interpretation, the lack of comprehensive implementing mechanisms and clear statutory frameworks has created ambiguity. While the Supreme Court has established a robust framework for protecting privacy, many government actions escape judicial scrutiny due to vague laws or lack of transparency. In such cases, the line between privacy and intrusion becomes vulnerable and blurry.

In essence, the line between privacy and state intrusion after Puttaswamy lies at the intersection of legality, legitimacy, and proportionality. It is not a fixed barrier but a constitutional checkpoint—one that must be vigilantly protected through active public awareness, judicial review, and legislative clarity. The judgment laid down the ethical and constitutional boundaries, but its enforcement requires constant vigilance, especially in an era of increasing digital surveillance, artificial intelligence, and biometric profiling. Without strong oversight, even a right as fundamental as privacy can be quietly eroded.

VII. Conclusion

Following the K.S. Puttaswamy judgment in 2017, a committee was established under Justice B.N. Srikrishna to discuss methods to protect the right to informational privacy of Indians. In its report, the committee submitted a Draft Data Protection Bill along with comprehensive recommendations. The Puttaswamy verdict marked a constitutional milestone, yet privacy remains vulnerable in practice.

Aadhaar’s extensive data collection, Pegasus surveillance allegations, and restrictive IT rules raise urgent questions about personal freedom in the digital age. Article 21 promises dignity and autonomy, but the right to privacy’s real power lies in effective implementation. The proportionality test provides a constitutional framework, but it requires robust institutional mechanisms, transparent government action, and an informed citizenry to function effectively.

Privacy must be defended not just in courts, but in public conscience—through awareness, accountability, and constant pushback against unchecked state overreach. The journey from constitutional recognition to practical protection remains ongoing. As technology continues to evolve and create new vectors for surveillance and data exploitation, the vigilance of courts, legislatures, civil society, and citizens becomes increasingly critical. The Puttaswamy judgment provided the foundation; building the structure of privacy protection in India remains a work in progress that demands sustained attention and commitment from all stakeholders.

References

[1] Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1 (India).
[2] M.P. Sharma v. Satish Chandra, AIR 1954 SC 300 (India).
[3] Kharak Singh v. State of U.P., AIR 1963 SC 1295 (India).
[4] Navtej Singh Johar v. Union of India, (2018) 10 SCC 1 (India).
[5] Joseph Shine v. Union of India, (2019) 3 SCC 39 (India).
[6] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), 2016 O.J. (L 119) 1.
[7] Committee of Experts under the Chairmanship of Justice B.N. Srikrishna, A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians (July 2018), available at https://www.meity.gov.in.
[8] Justice K.S. Puttaswamy (Retd.) v. Union of India, (2019) 1 SCC 1 (India) (Aadhaar judgment).
[9] For technical details on Pegasus spyware, see Citizen Lab, University of Toronto, The Pegasus Project, available at https://citizenlab.ca.
[10] The Pegasus Project, Forbidden Stories (July 2021), available at https://forbiddenstories.org/case/the-pegasus-project/.
[11] Ram Jethmalani v. Union of India, (2011) 8 SCC 1 (India).
[12] The Digital Personal Data Protection Act, No. 22 of 2023, INDIA CODE (2023).
[13] The Information Technology Act, No. 21 of 2000, INDIA CODE (2000), as amended by the Information Technology (Amendment) Act, 2008.
[14] For judicial pronouncements on telephonic privacy, see general privacy jurisprudence under Article 21 as developed in Puttaswamy and subsequent cases.
