Published On: June 22nd 2026
Authored By: Bhakti Patel
Faculty of Law, Maharaja Sayajirao University of Baroda
Abstract
The nine-judge bench in Justice K S Puttaswamy (Retd) v Union of India (2017)[1] recognised informational privacy — inclusive of a right to be forgotten — as a fundamental right under Article 21 of the Constitution. Indian High Courts subsequently gave that recognition practical force, ordering de-indexing of judicial records and search-engine suppression of reputationally damaging content. When Parliament enacted the Digital Personal Data Protection Act, 2023[2] (DPDP Act), however, it chose a narrow “right to erasure” under section 12(c) that is confined to the data principal–data fiduciary relationship and is silent on search-engine de-indexing, historical public records, and criminal acquittals. This article argues that the DPDP Act adopts a data-controller-centric model that underprotects the dignity-centred right recognised in Puttaswamy and its progeny, creates a legislative-judicial divergence requiring urgent reform, and falls short when measured against comparator frameworks such as GDPR Article 17[3] and the UK Data Protection Act 2018.[4]
I. Introduction
Today, a strange kind of unfairness happens when someone is found not guilty of a crime, but the internet still shows their old court and police records. Years later, anyone can find these documents just by searching the person’s name. This destroys their chance to start fresh, even though the court’s ‘not guilty’ verdict was meant to let them move on with their life. European courts addressed this phenomenon through the right to be forgotten, given dramatic expression when the Court of Justice of the European Union ordered Google to de-index a Spanish citizen’s old debt notice in Google Spain SL v Agencia Española de Protección de Datos (2014).[5]
India reached the same point—giving people this right—but through a different route: its courts interpreting the Constitution. In a major 2017 Supreme Court case called Puttaswamy, Justice Kaul ruled that people have a right to control their own personal information, and that this includes the right to be forgotten as part of Article 21.[6] High Courts translated that recognition into remedies: the Delhi High Court in Jorawar Singh Mundy v Union of India (2021)[7] directed de-indexing of a judgment identifying an acquitted lawyer; the Karnataka High Court in Vasunews LLC v Google LLC[8]. The courts carefully weighed two competing interests: the media’s freedom to report, and an individual’s right to remove old, harmful content that is no longer relevant. But when Parliament finally passed a data protection law, Section 12(c) of the DPDP Act clearly did not live up to the standards the courts had set. This article looks at that gap, explains why it raises constitutional concerns, and suggests how to fix it.
II. Constitutional Genealogy of the Right to Be Forgotten
A. The Puttaswamy Foundation
Prior to 2017, the Supreme Court’s decisions in MP Sharma v Satish Chandra (1954)[9] and Kharak Singh v State of UP (1963)[10] denied any free-standing constitutional right to privacy. Puttaswamy reversed that position unanimously. Justice Chandrachud’s concurring opinion — now the most cited — articulated a tripartite structure: spatial privacy, decisional autonomy, and informational self-determination.[11] The third limb is directly relevant here. Informational self-determination means you have the right to ask for your personal data to be deleted or removed from search results when there is no good reason for it to still be out there. Justice Kaul was yet more explicit, stating that individuals should have “the ability to control the dissemination of material” relating to their past.[12] In both these court rulings, before allowing any intrusion on privacy, the judges ran a careful balancing test, checking whether the government’s goal was important, whether the privacy restriction was truly necessary, and whether the harm caused was worth it. The DPDP Act’s list of exemptions ignores this careful balancing act entirely.
B. High Court Applications
In a case called Mundy, the Delhi High Court used the Puttaswamy privacy framework to order Indian Kanoon and Google to remove a narcotics case judgment from search results. The person named in that judgment had later been found not guilty. Justice Pratibha M Singh weighed the public’s right to access court records against that person’s right to dignity and rebuilding their career. She ruled that keeping the acquittal judgment freely available in search engines forever was a violation of Article 21.[13] Two things about this court decision are especially important. First, the order to remove the judgment wasn’t just given to the court or the government; it was also given to Indian Kanoon, a private website that collects and publishes legal documents. The person who won the case never gave Indian Kanoon permission to have their data in the first place, so there was no direct data-sharing relationship between them. Second, the court didn’t use a simple rule that says ‘data must be deleted once the original purpose is over.’ Instead, it looked at European GDPR cases and used a ‘balancing test’, weighing the person’s privacy and dignity against the public’s interest in keeping the information available.
The Karnataka High Court’s engagement in Vasunews was more nuanced: it recognised a spectrum of protection calibrated to whether the subject was a public figure, whether the publication remained newsworthy, and whether continued availability was proportionate to the legitimate public interest.[14] Earlier decisions of the Rajasthan and Gujarat High Courts[15] had similarly recognised that individuals whose criminal cases had concluded retained an interest in the expungement of related records. All these court rulings, read together, build a strong right to be forgotten. Courts decide each case by balancing the person’s harm against public interest—so the protection is wider, more tailored to the facts, and based on the Constitution’s guarantee of privacy. The DPDP Act, by comparison, offers a much narrower and less flexible version of this right.
III. The DPDP Act, 2023: Statutory Analysis of the Erasure Provision
A. Text and Structure of Section 12(c)
Section 12(1)(c) of the DPDP Act entitles a data principal to request “erasure of personal data that is no longer necessary for the purpose for which it was collected, unless the retention of such personal data is necessary for compliance with any law for the time being in force.”[16] The provision operates within the data principal–data fiduciary binary: a data fiduciary is defined as any person who “determines the purpose and means of processing of personal data.”[17] You can only ask a company to delete your data if they got it from you in the first place through your agreement or a business deal. If they just found your information somewhere else, this law doesn’t force them to erase it.
B. Four Structural Gaps
First, the consent-relationship prerequisite: Section 12(c) of the DPDP Act is useless against companies that collect and display public information without ever dealing directly with the person. For example, Indian Kanoon gathers court judgments from public records, and Google simply lists what is already online. Neither company ever asked the person for permission to use their data. The DPDP Act offers no way to force these kinds of companies to delete the information, yet they are exactly the ones causing the most damage to people who have been acquitted.
Second, the narrow purpose-completion test: Section 12(c) of the DPDP Act gives only one reason to delete your data: if it is no longer needed for the original purpose it was collected for. In contrast, the European GDPR gives six different reasons, including when the processing was illegal, when the person has a valid objection, or when the data belongs to a child. The Indian law is much narrower. It does not cover those situations. Also, in the Mundy case, the court used a balancing test, weighing the person’s harm against public interest. It did not simply ask whether the original purpose was finished. These two different tests can lead to opposite results.
Third, the absence of a de-indexing obligation: Under European law, if a website deletes your data, it must also tell search engines like Google to remove it. India’s DPDP Act has no such rule. So even if you get a website to erase your information, the law does not force Google to stop showing it in search results. Courts have stepped in to fix this problem, but the statute itself hasn’t.
Fourth, unqualified exemptions: Section 17 of the DPDP Act exempts the operation of Chapter III (including section 12) for law enforcement, journalistic, research, and national security purposes without any proportionality qualifier.[18] GDPR Article 17(3) carves out analogous exceptions but qualifies each by a necessity requirement. The absence of a proportionality proviso in section 17 is directly inconsistent with the constitutional standard from Puttaswamy, which held that any interference with informational privacy must be necessary, proportionate, and no more restrictive than required.[19]
C. Relationship with Pre-Existing Legislation
The DPDP Act supplements rather than displaces the IT Act, 2000[20] and the SPDI Rules, 2011.[21] Section 79 of the IT Act provides a broadly construed safe harbour for intermediaries including search engines that do not initiate, select, or modify content.[22] Indian law protects websites from being sued, and the DPDP Act doesn’t force Google to remove old search results. So if you want your acquittal record off Google, you must go to the High Court, a lengthy and expensive process most people cannot afford. The law helps you in business dealings with companies, but not against the wider internet.
IV. Comparative Analysis: GDPR and UK Data Protection Act 2018
GDPR Article 17(1) provides six distinct erasure grounds, codifying the Google Spain principle.[23] The GDPR lets you erase data processed unlawfully and forces compliance with court suppression orders; India’s Act has neither. Europe also makes companies alert search engines to de-index; India’s Board lacks the power to order de-indexing at all.
The UK Data Protection Act 2018 goes further in one critical respect. Section 47(3), within the law enforcement processing chapter, expressly permits erasure of personal data derived from law enforcement records, including court records and even where the original processing was lawful, if continued retention is no longer necessary.[24] This provision directly addresses the Mundy scenario. India has no equivalent. The UK also benefits from detailed ICO guidance clarifying that de-indexing requests to search engines fall within the scope of the erasure right.[25] Other countries give their regulators clear powers that India lacks. Comparing these systems shows India needs three key fixes: more reasons to allow data deletion; a clear rule that search engines and legal websites like Indian Kanoon count as data holders covered by the law; and a balancing test for every exception, so privacy is weighed against other interests.
V. The Case for Reform and Proposed Interventions
The difference between what the courts ordered and what Parliament wrote is not a minor legal mistake; it is a constitutional issue. When Parliament makes laws that affect fundamental rights like privacy, those laws must protect those rights strongly enough to pass the Supreme Court’s balancing test. The Puttaswamy judgment clearly stated that informational privacy requires “legislative protection in the form of a data protection statute” to be made effective.[26] A statute that protects data principals in commercial relationships but leaves them without remedy against search engines and aggregators falls short of that constitutional mandate.
The case is strongest for criminal acquittal records. The right to rehabilitation recognised by the Supreme Court in juvenile justice contexts[27] and implicit in the provisions of the Bharatiya Nagarik Suraksha Sanhita, 2023 for destruction of certain records[28] is directly frustrated by the permanent digital availability of acquittal judgments. It means anyone can still find the accusation online.
This article proposes four changes. First, section 12(c) should include grounds for erasure: unlawful processing, objection by the data principal, judicial orders and processing of minors’ data. Second, search engines and content aggregators should be considered “data fiduciaries” for the data they index. Third, a new provision should require notification, like GDPR Article 17(2). Fourth, exemptions must be balanced with a proportionality test.
Pending legislative reform, courts should apply a four-stage proportionality inquiry when adjudicating right-to-be-forgotten writ petitions: (i) does the data fall within the scope of informational privacy under Article 21; (ii) is the data subject a public figure in respect of the relevant information; (iii) is continued circulation proportionate to the legitimate public interest; and (iv) are less restrictive alternatives such as anonymisation or temporal de-indexing available? This framework, drawn from Puttaswamy and elaborated in Anuradha Bhasin v Union of India (2020),[29] would bring judicial practice into closer alignment with constitutional principle without awaiting legislative action.
VI. Conclusion
Indian courts have developed a right to be forgotten based on Article 21. The DPDP Act 2023 provides a remedy that addresses commercial relationships but not compelling cases like criminal acquittals. The statute sees erasure as a consumer right; courts see it as a right rooted in dignity. The protection of privacy depends on legislative architecture, which is currently incomplete.
References
1. Justice K S Puttaswamy (Retd) v Union of India (2017) 10 SCC 1 (India).
2. Digital Personal Data Protection Act 2023 (No 22 of 2023) (India).
3. Regulation (EU) 2016/679 (General Data Protection Regulation) [2016] OJ L 119/1.
4. Data Protection Act 2018 (UK).
5. Case C-131/12 Google Spain SL v Agencia Española de Protección de Datos [2014] ECR I-0000 (CJEU).
6. Puttaswamy (n 1) [527]–[532] (Kaul J).
7. Jorawar Singh Mundy v Union of India & Ors WP (C) 3918/2021 (Delhi HC, 2021).
8. Vasunews LLC & Anr v Google LLC & Ors (2021) Karnataka HC (unreported).
9. MP Sharma v Satish Chandra, District Magistrate, Delhi AIR 1954 SC 300.
10. Kharak Singh v State of UP AIR 1963 SC 1295.
11. Puttaswamy (n 1) [357]–[375] (Chandrachud J).
12. ibid [524] (Kaul J).
13. Mundy (n 7) [19]–[22].
14. Vasunews (n 8) [14]–[17].
15. Dharamraj Bhanushankar Dave v State of Gujarat SCA 1854/2015 (Gujarat HC, 2015); XYZ v State of Gujarat WP (PIL) 191/2016 (Gujarat HC, 2016).
16. DPDP Act 2023 (n 2) s 12(1)(c).
17. ibid s 2(i).
18. ibid s 17.
19. Puttaswamy (n 1) [370]–[376] (Chandrachud J).
20. Information Technology Act 2000 (No 21 of 2000) (India).
21. Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, notified under s 43A of the IT Act 2000.
22. IT Act 2000 (n 20) s 79.
23. GDPR (n 3) art 17.
24. Data Protection Act 2018 (UK) (n 4) s 47(3).
25. Information Commissioner’s Office, “Right to Erasure” (ICO Guidance, 2023) <https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/> accessed 1 August 2024.
26. Puttaswamy (n 1) [376]–[377] (Chandrachud J).
27. Sampurna Behura v Union of India (2018) 4 SCC 433, [15].
28. Bharatiya Nagarik Suraksha Sanhita 2023 (No 46 of 2023) s 478.
29. Anuradha Bhasin v Union of India (2020) 3 SCC 637, [95]–[101].
Primary Sources — Legislation
- Bharatiya Nagarik Suraksha Sanhita 2023 (No 46 of 2023) (India)
- Code of Criminal Procedure 1973 (No 2 of 1974) (India)
- Constitution of India 1950
- Data Protection Act 2018 (UK)
- Digital Personal Data Protection Act 2023 (No 22 of 2023) (India)
- Information Technology Act 2000 (No 21 of 2000) (India)
- Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011
- Regulation (EU) 2016/679 (General Data Protection Regulation) [2016] OJ L 119/1
Cases
- Anuradha Bhasin v Union of India (2020) 3 SCC 637
- Case C-131/12 Google Spain SL v Agencia Española de Protección de Datos (AEPD) [2014] ECR I-0000 (CJEU)
- Dharamraj Bhanushankar Dave v State of Gujarat SCA 1854/2015 (Gujarat HC, 2015)
- Jorawar Singh Mundy v Union of India & Ors WP (C) 3918/2021 (Delhi HC, 2021)
- Justice K S Puttaswamy (Retd) v Union of India (2017) 10 SCC 1
- Kharak Singh v State of UP AIR 1963 SC 1295
- MP Sharma v Satish Chandra, District Magistrate, Delhi AIR 1954 SC 300
- Sampurna Behura v Union of India (2018) 4 SCC 433
- Vasunews LLC & Anr v Google LLC & Ors (2021) Karnataka HC (unreported)
- XYZ v State of Gujarat WP (PIL) 191/2016 (Gujarat HC, 2016)
Secondary Sources
- Divan S and Sengupta A, “The Right to Privacy” in Rishad Chowdhury and Arghya Sengupta (eds), The Indian Constitution: A Very Short Introduction (OUP 2019)
- Information Commissioner’s Office, “Right to Erasure” (ICO Guidance, 2023) <https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/>
- Ministry of Electronics and Information Technology, “Report of the Committee of Experts on a Data Protection Framework for India” (B N Srikrishna Committee, July 2018)
- Raman M, “The Curious Case of the Right to Be Forgotten in India” (2022) 7 Indian Journal of Law and Technology 1
- Werro F (ed), The Right to Be Forgotten: A Comparative Study of the Emergent Right’s Evolution and Application in Europe, the Americas, and Asia (Springer 2020)




