Right to Privacy Post-Puttaswamy: Evolving Jurisprudence in India

Abstract

The landmark decision in Justice K.S. Puttaswamy (Retd.) v. Union of India[1] fundamentally transformed Indian constitutional jurisprudence by recognizing privacy as a fundamental right under Article 21 of the Constitution. This article examines the evolution of privacy jurisprudence following the Puttaswamy verdict, analyzing its application across diverse contexts including digital rights, surveillance frameworks, bodily autonomy, and data protection regimes. Despite the constitutional recognition, significant challenges persist in translating judicial pronouncements into enforceable legal and institutional frameworks. This article critically evaluates post-Puttaswamy developments, identifies implementation gaps, draws comparative insights from global privacy regimes, and proposes recommendations for strengthening India’s privacy protection architecture.

I. Introduction

The right to privacy has emerged as one of the most contested and consequential rights in contemporary constitutional discourse. In an era marked by unprecedented technological advancement, mass surveillance capabilities, and data-driven governance models, the protection of individual privacy has become both more critical and more complex. The Supreme Court of India’s unanimous recognition of privacy as a fundamental right in Justice K.S. Puttaswamy (Retd.) v. Union of India[2] marked a watershed moment in Indian constitutional law, overturning decades of judicial ambivalence and aligning India with global human rights standards.

This article undertakes a comprehensive examination of India’s privacy jurisprudence in the post-Puttaswamy era. It analyzes how courts have applied and expanded the privacy doctrine, evaluates the legislative response to the Court’s call for data protection laws, identifies persistent challenges in implementation, and situates Indian developments within comparative constitutional frameworks. Through this analysis, the article seeks to assess whether the promise of Puttaswamy has translated into meaningful protection of privacy rights or remains largely aspirational.

II. Background and Significance of the Puttaswamy Judgment

The nine-judge Constitution Bench in Puttaswamy delivered a unanimous and emphatic verdict: the right to privacy is intrinsic to the right to life and personal liberty guaranteed under Article 21 of the Indian Constitution.[3] This holding marked a decisive break from earlier jurisprudence that had cast doubt on privacy’s constitutional status.

Overruling Prior Precedents: The Court explicitly overruled its earlier decisions in M.P. Sharma v. Satish Chandra, District Magistrate, Delhi[4] and Kharak Singh v. State of Uttar Pradesh,[5] which had held that the Constitution did not guarantee a right to privacy. The Bench comprised nine separate but concurring opinions, each contributing distinct perspectives on privacy’s scope and foundations. Justice D.Y. Chandrachud’s lead opinion articulated privacy as encompassing informational self-determination, bodily autonomy, and decisional privacy.

Constitutional Foundations: The Court grounded the right to privacy not only in Article 21 but also in the fundamental freedoms guaranteed under Part III of the Constitution. Privacy was recognized as essential to human dignity and individual autonomy—values that form the bedrock of constitutional democracy. The judgment emphasized that privacy enables individuals to exercise meaningful choices about their lives, relationships, and identities.

Global Alignment: By recognizing privacy as a fundamental right, the Supreme Court harmonized Indian constitutional law with international human rights standards, including the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights. This alignment signaled India’s commitment to protecting individual liberty in an increasingly interconnected world.

III. Post-Puttaswamy Jurisprudential Developments

Following the Puttaswamy verdict, Indian courts have grappled with applying the privacy framework to diverse and evolving contexts. These developments reveal both the doctrine’s expansive potential and the challenges of implementation.

1. The Aadhaar Litigation: The most significant post-Puttaswamy case was Justice K.S. Puttaswamy (Retd.) v. Union of India (Aadhaar Constitution Bench),[6] decided in 2018. The five-judge Constitution Bench upheld the constitutional validity of India’s biometric identification program, Aadhaar, while simultaneously imposing crucial limitations. The Court struck down provisions that permitted private entities to access Aadhaar data without adequate safeguards, prohibited the retention of authentication transaction records beyond six months, and mandated stringent data protection measures. This judgment demonstrated the Court’s attempt to balance technological innovation and administrative efficiency with privacy protection.

2. Bodily Autonomy and Sexual Privacy: Courts have extended privacy protections to matters of sexual orientation and intimate relationships. Building on the foundation laid in Puttaswamy, the Supreme Court in Navtej Singh Johar v. Union of India[7] decriminalized consensual same-sex relations, recognizing that privacy encompasses the right to intimate personal choices. Similarly, the right to reproductive autonomy has been recognized as falling within privacy’s ambit, though this remains a developing area of law.

3. Surveillance and State Overreach: The Pegasus spyware controversy brought questions of state surveillance to the forefront. In response to petitions alleging government-sponsored surveillance of journalists, activists, and opposition leaders, the Supreme Court constituted a technical committee to investigate.[8] While the Court did not deliver a definitive ruling on the substantive issues, the case underscored growing concerns about executive power to conduct surveillance without adequate legal safeguards or judicial oversight.

4. COVID-19 and Emergency Measures: The pandemic tested privacy protections as governments deployed contact-tracing applications and imposed mandatory disclosure requirements. Courts were called upon to balance public health imperatives against individual privacy rights, with mixed results in terms of privacy protection.

IV. Digital Privacy and the Data Protection Framework

The Puttaswamy judgment emphasized that India’s constitutional recognition of privacy required corresponding legislative infrastructure, particularly in the digital domain. The Court specifically called for a comprehensive data protection law to regulate the collection, storage, and processing of personal information.

Legislative Evolution: In response to the judicial mandate, the government initiated the process of drafting data protection legislation. The Personal Data Protection Bill underwent multiple iterations before being withdrawn and replaced. The Digital Personal Data Protection Act, 2023,[9] represents the current legislative framework, though its adequacy remains subject to debate among privacy advocates, technology experts, and legal scholars.

Key Features of the Data Protection Regime: The Act attempts to establish principles of data minimization, purpose limitation, and user consent. It creates obligations for data fiduciaries and provides individuals with rights to access, correct, and erase their personal data. However, critics argue that the Act contains broad exemptions for government agencies, potentially undermining its effectiveness in protecting citizens from state surveillance.

Institutional Mechanisms: The legislation establishes the Data Protection Board of India as the regulatory authority responsible for enforcement. The effectiveness of this body in protecting privacy rights will depend significantly on its independence, resources, and willingness to hold powerful entities, both government and corporate, accountable.

Remaining Gaps: Despite legislative progress, significant gaps persist. The interplay between data protection law and sectoral regulations remains unclear. The framework for regulating emerging technologies such as artificial intelligence, facial recognition, and biometric surveillance is underdeveloped. Moreover, questions about cross-border data flows and international data transfers require further clarification.

V. Challenges in Implementation and Enforcement

The recognition of privacy as a fundamental right and the enactment of data protection legislation represent crucial steps forward. However, translating these formal legal protections into lived reality presents formidable challenges.

1. Legal Fragmentation and Ambiguity: India’s privacy protection landscape is characterized by overlapping and sometimes contradictory legal provisions. Multiple statutes—including the Information Technology Act, 2000, various sectoral regulations, and the new data protection law—govern different aspects of privacy without clear coordination. This fragmentation creates confusion for both rights-holders and duty-bearers, complicating enforcement efforts.

2. Surveillance Laws and Executive Power: Despite constitutional privacy protections, surveillance frameworks such as the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009,[10] and subsequent amendments grant extensive surveillance powers to executive authorities with limited judicial oversight. The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021,[11] further expand government powers to demand user information and content removal, raising concerns about privacy and free expression.

3. Institutional Capacity Deficits: Effective privacy protection requires robust institutional mechanisms for redress and enforcement. India currently lacks comprehensive privacy protection authorities with adequate resources, technical expertise, and independence. The newly established Data Protection Board’s effectiveness remains to be tested. Courts face heavy caseloads and often lack the technical expertise necessary to adjudicate complex privacy cases involving emerging technologies.

4. The Pegasus Affair and Accountability Gaps: The Pegasus spyware case exemplifies the challenges of holding government agencies accountable for privacy violations. Despite credible allegations of unlawful surveillance targeting journalists, activists, and political figures, the investigation has yielded limited transparency or accountability. This episode reveals the difficulty of enforcing privacy rights against powerful state actors, particularly in matters involving national security claims.

5. Digital Literacy and Public Awareness: Effective privacy protection depends not only on legal frameworks but also on public understanding of privacy rights and available remedies. Many Indians, particularly in rural areas or among marginalized communities, lack awareness of their privacy rights or the means to enforce them. Digital literacy initiatives remain inadequate to meet the scale of the challenge.

6. Corporate Data Practices: Large technology companies, both domestic and international, collect vast amounts of personal data from Indian users. While the data protection law imposes obligations on these entities, enforcement challenges persist. The economic and political power of major technology companies can impede effective regulation, and the global nature of digital services complicates jurisdictional issues.

VI. Comparative Perspectives on Privacy Protection

Examining privacy protection frameworks in other jurisdictions provides valuable insights for strengthening India’s approach and identifying best practices and potential pitfalls.

1. The European Union’s GDPR Model: The European Union’s General Data Protection Regulation[12] represents perhaps the most comprehensive and influential data protection framework globally. The GDPR establishes strong individual rights, imposes significant obligations on data controllers and processors, and provides for substantial penalties for violations. India’s data protection legislation draws inspiration from the GDPR model but differs in significant respects, particularly regarding government exemptions and enforcement mechanisms. The GDPR’s emphasis on accountability, transparency, and individual control offers lessons for strengthening India’s framework.

2. United States: Sectoral Approach and Constitutional Limitations: Unlike India’s recognition of privacy as a fundamental constitutional right, the United States lacks a comprehensive constitutional privacy guarantee. American privacy protection relies primarily on sectoral legislation covering specific domains such as health information, financial data, and children’s online privacy. The recent overturning of Roe v. Wade in Dobbs v. Jackson Women’s Health Organization[13] has further complicated the American privacy landscape, demonstrating the vulnerability of privacy protections that lack firm constitutional foundations. India’s constitutional approach provides a more robust foundation, though implementation challenges persist.

3. Canadian Jurisprudence on Informational Autonomy: The Canadian Supreme Court has developed sophisticated privacy jurisprudence emphasizing informational self-determination and reasonable expectations of privacy. Cases involving digital searches, surveillance, and data collection have established important principles that balance law enforcement needs with individual rights. Canada’s framework for independent oversight of intelligence agencies through the Office of the Privacy Commissioner offers a potential model for India.

4. South Africa’s Constitutional Privacy Protections: South Africa’s Constitution explicitly recognizes privacy as a fundamental right, and the country has developed both constitutional jurisprudence and comprehensive data protection legislation. South Africa’s experience demonstrates how constitutional privacy guarantees can be operationalized through effective legislation and institutional mechanisms, though enforcement challenges remain.

5. Emerging Economies and Digital Governance: Countries such as Brazil, Kenya, and Indonesia have recently enacted comprehensive data protection laws, reflecting global recognition of privacy’s importance in the digital age. These jurisdictions face similar challenges to India in balancing innovation, security, and rights protection while building institutional capacity for enforcement.

VII. The Way Forward: Strengthening India’s Privacy Protection Architecture

Realizing the promise of Puttaswamy requires concerted efforts across multiple dimensions—legal, institutional, technological, and societal.

1. Comprehensive Legal Reform: India needs to harmonize its fragmented privacy protection landscape. This includes clarifying the relationship between the data protection law and other statutes, closing gaps in sectoral coverage, and addressing emerging challenges such as artificial intelligence, biometric surveillance, and Internet of Things devices. Surveillance laws require urgent reform to incorporate meaningful judicial oversight, necessity and proportionality tests, and robust safeguards against abuse.

2. Institutional Strengthening: The Data Protection Board must be established as a truly independent regulator with adequate resources, technical expertise, and enforcement powers. India should consider creating specialized privacy protection authorities at both central and state levels, modeled on successful international examples. Judicial capacity-building is essential, including training programs for judges on privacy law and emerging technologies.

3. Transparency and Accountability Mechanisms: Government agencies with surveillance or data collection powers must be subject to rigorous transparency requirements and independent oversight. Regular public reporting on surveillance activities, data breaches, and privacy complaints is essential for accountability. Whistleblower protections for those exposing privacy violations should be strengthened.

4. Technological Safeguards: Privacy must be embedded in the design of technological systems through privacy-by-design principles. Government systems handling citizen data should incorporate state-of-the-art security measures, encryption, and data minimization practices. India should invest in developing privacy-enhancing technologies and supporting domestic technology solutions that prioritize privacy protection.

5. Public Education and Digital Literacy: Widespread public education campaigns are necessary to build awareness of privacy rights and available remedies. Digital literacy programs should include privacy and data protection components. Civil society organizations play a crucial role in educating citizens and advocating for privacy protection.

6. Corporate Accountability: Effective enforcement of data protection obligations against corporate entities requires adequate regulatory resources and political will. Regular audits of data practices, mandatory breach notification requirements, and meaningful penalties for violations are essential. India should also address the market dominance of large technology platforms that may inhibit competition and user choice regarding privacy protections.

7. International Cooperation: Given the global nature of digital services and data flows, international cooperation on privacy protection is essential. India should actively engage with international privacy frameworks, negotiate adequate data protection agreements with other jurisdictions, and participate in developing global norms for privacy protection while ensuring these frameworks respect Indian constitutional values and sovereignty.

VIII. Conclusion

The Puttaswamy verdict established a constitutional foundation for privacy rights in India, marking a transformative moment in the nation’s legal and constitutional evolution. The Supreme Court’s recognition that privacy is intrinsic to human dignity and individual liberty elevated privacy from a contested legal concept to a fundamental constitutional guarantee. This achievement should not be understated, it provides the normative and legal foundation necessary for protecting individual autonomy in an era of unprecedented technological change and data-driven governance.

However, constitutional recognition alone is insufficient. The post-Puttaswamy period has revealed both progress and persistent challenges. While courts have extended privacy protections to diverse contexts and the legislature has enacted data protection legislation, significant implementation gaps remain. Surveillance frameworks continue to grant extensive powers to executive authorities with limited oversight. Institutional mechanisms for enforcement remain underdeveloped. Public awareness of privacy rights is inadequate. The balance between state interests, including national security, law enforcement, and administrative efficiency, and individual liberty remains contested and precarious.

Translating the promise of Puttaswamy into reality requires sustained commitment across all branches of government, robust civil society advocacy, corporate responsibility, and public engagement. Privacy must not remain a theoretical constitutional right but must be actively protected through effective legal frameworks, independent institutions, technological safeguards, and vigilant oversight. Only through such comprehensive efforts can India honor the vision articulated by the Supreme Court: a society where individual dignity, autonomy, and privacy are respected as fundamental values worthy of the strongest legal protection.

The journey from constitutional declaration to meaningful protection is long and complex. The Puttaswamy verdict initiated this journey; the destination, a society where privacy rights are genuinely protected and enforceable, remains a work in progress that will require ongoing attention, reform, and advocacy.

References

[1] Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1 
[2] Id.
[3] INDIA CONST. art. 21.
[4] M.P. Sharma v. Satish Chandra, District Magistrate, Delhi, AIR 1954 SC 300 
[5] Kharak Singh v. State of Uttar Pradesh, AIR 1963 SC 1295 
[6] Justice K.S. Puttaswamy (Retd.) v. Union of India, (2019) 1 SCC 1 
[7] Navtej Singh Johar v. Union of India, (2018) 10 SCC 1 
[8] See Manohar Lal Sharma v. Union of India, Writ Petition (Civil) No. 1164 of 2021 
[9] Digital Personal Data Protection Act, No. 22 of 2023, INDIA CODE (2023)
[10] Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 
[11] Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 
[12] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation), 2016 O.J. (L 119) 1
[13] Dobbs v. Jackson Women’s Health Organization, 597 U.S. ___, 142 S. Ct. 2228 (2022)