Published on: 24th December, 2025
Authored by: Aditi Mohari
School of Law, Devi Ahilya Vishwavidyalaya
Abstract
This article explores the evolving landscape of data rights in India, focusing on the judicial interpretation of privacy rights from the Puttaswamy judgment to the enactment of the Digital Personal Data Protection (DPDP) Act, 2023. The Puttaswamy case laid the constitutional foundation for the recognition of the right to privacy as a fundamental right under Article 21, emphasizing autonomy, dignity, and informed consent.[1] Building on this foundation, the DPDP Act seeks to regulate the collection, processing, and storage of personal data, with a focus on balancing privacy with state interests in national security, law enforcement, and public welfare. Key features of the Act, such as consent frameworks, the rights of data principals, and government exemptions, are critically analyzed in light of constitutional principles, including proportionality and necessity. The article further discusses the potential role of the judiciary in interpreting and enforcing the Act’s provisions, with particular attention to emerging challenges such as government surveillance and lack of independent regulatory oversight. The paper concludes that while the DPDP Act represents progress in data protection, its implementation and future development will depend on ongoing judicial scrutiny to ensure a balance between privacy and public interest in an increasingly digitized society.
I. Introduction
In the digital era, personal data has emerged as both a valuable asset and a potential vector of harm. With the exponential growth in digital communication, e-governance, fintech, and surveillance technologies, the protection of personal data has become an essential component of democratic governance. Data rights, especially the right to informational privacy, have gained prominence not only in academic discourse but also in public consciousness. These rights are no longer limited to concerns of secrecy or intrusion but extend to issues of autonomy, consent, data localization, and algorithmic governance.
The Indian legal landscape has witnessed a paradigm shift in how data rights are understood and protected. This transformation began with the landmark judgment in Justice K.S. Puttaswamy (Retd.) v. Union of India,[2] where the Supreme Court unanimously affirmed the right to privacy as a fundamental right under the Constitution of India. The judgment laid the constitutional foundation for the development of data protection norms by explicitly recognizing the need for legal safeguards against state and non-state actors in the digital age.
Judicial interpretation has played a pivotal role in shaping the contours of privacy jurisprudence in India. Through progressive rulings, the judiciary has delineated the parameters within which individual rights must be respected and protected, even in the face of competing interests such as national security, public order, and economic development. The introduction of the proportionality principle in Puttaswamy has further enriched this discourse by offering a structured framework for balancing individual rights with legitimate state objectives.
Privacy and Individual Autonomy
Privacy is an integral part of a person’s life. Individual autonomy and privacy are closely related because privacy allows people the liberty to form their own decisions and choices, whether concerning relationships, bodies, or personal lives. Upholding human dignity is a fundamental value of a democratic country, and privacy is an essential element of human dignity. Legally, privacy acts as a shield, protecting people from public or governmental scrutiny. Various international conventions recognize privacy as a basic human right, such as Article 12 of the Universal Declaration of Human Rights and Article 17 of the International Covenant on Civil and Political Rights.[3] Following the Puttaswamy ruling, privacy is now recognized as a basic or constitutional right in India.
This article aims to explore the evolution of judicial thought on data rights in India, beginning with the Puttaswamy judgment and extending to the contemporary statutory response in the form of the Digital Personal Data Protection (DPDP) Act, 2023. It examines how the judiciary has influenced the development of privacy and data protection norms and how future interpretations may shape the enforcement and scope of the DPDP Act.
Scope and Objectives:
– To trace the constitutional recognition and judicial development of the right to privacy in India.
– To analyze key judicial decisions post-Puttaswamy that have contributed to the discourse on data rights.
– To evaluate the extent to which the DPDP Act aligns with constitutional principles laid down by the judiciary.
– To assess the potential role of judicial review in interpreting and enforcing the DPDP Act in the future.
In doing so, the article contributes to a broader understanding of the symbiotic relationship between constitutional law and statutory evolution in the context of digital rights and governance.
II. The Constitutional Foundation of Data Rights: Puttaswamy Judgment
The landmark case of Justice K.S. Puttaswamy (Retd.) v. Union of India (2017) marked a watershed moment in the evolution of constitutional rights in India. It laid down the foundational jurisprudence for data rights by elevating the right to privacy to the status of a fundamental right. The case not only redefined the contours of Article 21 but also introduced judicial tools like the proportionality principle to evaluate the reasonableness of state action involving individual rights. In doing so, it set the stage for a rights-based framework for data protection and digital governance in India.
Recognition of the Right to Privacy as a Fundamental Right
In a historic and unanimous decision in August 2017, the Supreme Court held that the right to privacy is a constitutionally protected fundamental right, emanating primarily from Article 21, but also intersecting with various other fundamental freedoms. The judgment was authored by a plurality of justices, each contributing different facets of privacy, such as bodily integrity, informational self-determination, decisional autonomy, and dignity. Three central constitutional values were emphasized:
Autonomy: The right to privacy empowers individuals to make personal choices without unwarranted interference by the state or other entities. This includes the right to make decisions about one’s body, sexuality, and personal relationships.
Dignity: The Court held that privacy is essential to the preservation of human dignity. Any intrusion into one’s private space—be it through surveillance, data collection, or behavioral profiling—impinges on their self-respect and personhood.
Consent: A key theme of the judgment was that consent forms the ethical basis for any access to personal information. Informational privacy was seen as the individual’s ability to control the dissemination of personal data.
By recognizing the right to privacy as fundamental, the Court imposed a duty upon the state to ensure that any law or executive action that limits privacy must meet constitutional standards. This had far-reaching consequences, especially for India’s nascent data protection regime.
III. Expansion of Judicial Interpretation: Post-Puttaswamy Case Law
The Puttaswamy verdict laid a powerful constitutional foundation, but the real test of its effectiveness has been in its application. In the years that followed, Indian courts have grappled with applying the principles laid down in Puttaswamy to a range of real-world challenges involving surveillance, digital identity, internet restrictions, and privacy violations. This evolving jurisprudence reflects the judiciary’s engagement with balancing individual privacy with legitimate state objectives such as welfare, national security, and technological advancement.
1. Justice K.S. Puttaswamy (Aadhaar) v. Union of India (2018)
Shortly after the 2017 verdict, the Supreme Court delivered its judgment on the constitutional validity of the Aadhaar program in Justice K.S. Puttaswamy (Aadhaar) v. Union of India (2018), often referred to as Puttaswamy II.[4]
Key Issues and the Balancing Act
The core question was whether the Aadhaar scheme—which involved biometric authentication and centralized data storage—violated the right to privacy. Petitioners raised concerns over mass surveillance, data profiling, exclusion from welfare schemes due to authentication failures, and the lack of a robust data protection law. The Court, by a 4:1 majority, upheld the Aadhaar Act as constitutionally valid, but with significant caveats. It struck down several provisions that allowed Aadhaar to be used by private entities and limited its use to welfare schemes backed by legislation. The Court reasoned that the Aadhaar project served a legitimate state aim—ensuring targeted delivery of subsidies and benefits—and passed the proportionality test laid down in Puttaswamy I.
2. Internet Freedom and Surveillance
Post-Puttaswamy, the Indian judiciary has dealt with several cases concerning state surveillance, internet shutdowns, and the right to free expression in the digital space. These cases illustrate the expanding relevance of privacy jurisprudence in a technologically mediated public sphere.
Anuradha Bhasin v. Union of India (2020)
In the wake of the abrogation of Article 370 in Jammu & Kashmir, the government imposed a communication blackout, including a complete internet shutdown. In Anuradha Bhasin v. Union of India,[5] the Supreme Court examined whether such restrictions violated fundamental rights.
The Court held that freedom of speech and expression under Article 19(1)(a) and freedom of trade and commerce under Article 19(1)(g) extended to the internet. It emphasized that restrictions on internet access must be proportionate, legal, and subject to judicial review. The ruling reinforced the proportionality framework laid down in Puttaswamy, recognizing that indefinite or arbitrary internet shutdowns could not be justified under the guise of public order. Though the Court stopped short of lifting the shutdown, it mandated periodic review and publication of shutdown orders, setting a standard for future actions.
Pegasus Spyware Controversy
In 2021, allegations emerged that Pegasus spyware, developed by the Israeli NSO Group, was used to surveil Indian citizens, including journalists, activists, and politicians. In Manohar Lal Sharma v. Union of India and related petitions,[6] the Supreme Court took suo motu cognizance. A significant outcome was the formation of a technical committee to probe the allegations, with the Court asserting that the state cannot use national security as a blanket justification to avoid judicial scrutiny. The Court reaffirmed that citizens have a right to know whether their privacy has been compromised and emphasized accountability, transparency, and procedural safeguards. While the final findings of the committee were inconclusive, the proceedings underscored that judicial oversight is necessary even in matters of surveillance—a direct application of Puttaswamy’s proportionality doctrine.
3. Emerging Trends and Observations
The post-Puttaswamy period has revealed several important trends in judicial interpretation:
• Institutionalizing Privacy Rights: Indian courts are now more inclined to examine issues involving surveillance, internet regulation, and personal data collection through the lens of privacy rights. There is an increasing tendency to apply the four-part proportionality test, ensuring that intrusions are justified, necessary, and procedurally sound.
• Expansion Beyond Article 21: The courts are increasingly recognizing that data rights are not limited to Article 21. They intersect with freedom of expression (Article 19), equality (Article 14), and even freedom of profession (Article 19(1)(g)) in the context of digital businesses and economic activity.
• Anticipatory Engagement with Legislation: As the Digital Personal Data Protection (DPDP) Act, 2023, comes into force, courts are expected to play a critical role in interpreting its provisions in light of the constitutional principles laid down in Puttaswamy. Early challenges to exemptions, regulatory gaps, and enforcement mechanisms are likely to shape the operational landscape of the Act.
IV. Statutory Response and the DPDP Act, 2023
The Puttaswamy judgment marked a constitutional milestone by affirming the right to privacy as a fundamental right under Article 21 of the Indian Constitution. While this judgment laid the constitutional groundwork, it also underscored the urgent need for a comprehensive legislative framework to protect personal data. The vacuum in statutory protections and the increasing digitization of governance and commercial services prompted the Indian state to initiate a legislative response, eventually culminating in the Digital Personal Data Protection Act, 2023 (DPDP Act). This Act represents India’s first focused legislative attempt to regulate the processing of digital personal data, balance privacy with state and business interests, and establish a statutory data protection authority.
Legislative Journey Post-Puttaswamy
The judicial recognition of privacy in 2017 served as the catalyst for legislative action. Soon after the Puttaswamy judgment, the central government set up the Justice B.N. Srikrishna Committee to deliberate on data protection concerns and propose a legal framework. In 2018, the committee submitted a comprehensive report along with a draft Personal Data Protection Bill.[7] The report emphasized that privacy is an essential facet of individual autonomy and dignity, and any data protection law must be rights-centric, grounded in informed consent, and subject to independent oversight.
In 2019, the government introduced a revised version of this draft, the Personal Data Protection Bill, 2019, in Parliament. However, this version attracted considerable criticism for diluting user rights, granting excessive exemptions to government agencies, and establishing a central authority heavily under executive control. Due to these concerns, the Bill was eventually withdrawn in August 2022. In its place, a simplified and business-friendly Digital Personal Data Protection Bill, 2022 was introduced, which was passed by Parliament in 2023 as the DPDP Act. Unlike its predecessor, the 2023 Act reflects a shift towards regulatory pragmatism, emphasizing ease of compliance over rights-maximalism.
V. Conclusion
The evolution of data rights in India, from the landmark Puttaswamy judgment to the enactment of the DPDP Act, 2023, reflects a broader global trend towards securing privacy in the face of rapid technological advancement. While the Puttaswamy decision laid a firm foundation by recognizing the right to privacy as a fundamental right under Article 21, it also set the stage for legislative reforms in response to the digital age. The DPDP Act, by establishing a legal framework for personal data protection, attempts to balance the interests of privacy with the practical needs of economic and technological growth.
However, the Act’s implementation raises several important questions, particularly regarding the role of consent, the legitimacy of government exemptions, and the need for independent regulatory oversight. The judiciary will continue to play an essential role in shaping the interpretation of these provisions, ensuring that the Act upholds the constitutional guarantees of autonomy, dignity, and accountability. The Puttaswamy framework, with its emphasis on the proportionality principle, will be crucial in resolving these challenges and safeguarding individual privacy in a rapidly evolving digital landscape.
In conclusion, while the DPDP Act represents a significant step forward in the protection of personal data in India, it is only through the continued judicial engagement and constitutional scrutiny that the law will reach its full potential. The courts must ensure that the Act does not become a tool for unchecked surveillance but rather functions as a robust shield protecting individuals’ rights in the digital era. The future of data protection in India hinges on the ability of the judiciary to navigate the complex intersection of privacy, technology, and state power, ensuring that data governance evolves in a way that respects both individual rights and public welfare.
References
[1] Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1Â
[2] Id.
[3] Universal Declaration of Human Rights, G.A. Res. 217A (III), U.N. Doc. A/810, art. 12 (1948); International Covenant on Civil and Political Rights, art. 17, Dec. 16, 1966, 999 U.N.T.S. 171.
[4] Justice K.S. Puttaswamy (Aadhaar) v. Union of India, (2019) 1 SCC 1Â
[5] Anuradha Bhasin v. Union of India, (2020) 3 SCC 637Â
[6] Manohar Lal Sharma v. Union of India, Writ Petition (Civil) No. 10 of 2022Â
[7] Committee of Experts under the Chairmanship of Justice B.N. Srikrishna, A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians (2018).
