Published On: October 28th 2025
Authored By: Ammar Ahmad
BABU BANARASI DAS UNIVERSITY, LUCKNOW
Abstract
“Privacy is not lost or surrendered merely because the individual is in a public place. Privacy attaches to the person since it is an essential facet of the dignity of the human being.” — Justice D.Y. Chandrachud
The Right to privacy has consistently evolved from implied to explicit right at the heart of the Indian constitution. The Apex court with its nine-judge bench delivered the landmark judgment in Justice K.S. Puttaswamy (Retired) v. Union of India (2017),[1] which recognized the Right to privacy as the fundamental right under Article 21 (Right to life and personal liberty). Part III of the Indian constitution deals with the fundamental rights. Right to privacy is now one of the fundamental rights of the Indian citizens. It further examines the conceptual development of privacy as a right across jurisdictions and the challenges and problems faced by the digital economy and surveillance.
Introduction
Right to privacy is now a fundamental right after the Supreme Court landmark judgment in K.S. Puttaswamy v. Union of India (2017),[2] where the retired judge named Justice K.S. Puttaswamy filed a case in 2012, challenging the government’s Aadhaar scheme (required individuals to share fingerprints and personal data for the identification process). The issue that was placed before the honorable court: “Is privacy a fundamental right under Indian constitution?” The Apex court overruled its earliest precedents and held Privacy a fundamental right under Article 21 of the Indian constitution. This right protects the individuals’ private lives, their personal information, and protects them from unwarranted interference and restrictions. Privacy means to have control over your personal life, information, and property without unnecessary interference and surveillance. It’s a jus natural[3] right of one’s own choices.
Early Recognition of Privacy in International Law
Privacy as a whole was first recognized by Article 12 of the Universal Declaration of Human Rights (UDHR, 1948).[4] Article 12 of the UDHR states: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.” This was one of the first attempts to recognize privacy as a vital element of human dignity and liberty. Other than the UDHR, the International Covenant on Civil and Political Rights (ICCPR, 1966),[5] repeats and strengthens the UDHR’s recognition. Article 17 of the ICCPR states: “No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home, or correspondence, nor to unlawful attacks on his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.” ICCPR uses a similar statement to Article 12 of the UDHR. The only difference between the two statements lies in the fact that ICCPR added the word ‘unlawful’ twice. These articles by the UDHR and ICCPR led privacy to become an essential and enforceable international human right. These provisions were revolutionary because they recognized and tied privacy as a part of human dignity, freedom, liberty and rights.
Indian Legal Context of Privacy Before Explicit Recognition
The Indian constitution came into force on 26 January 1950. The makers of the Indian constitution did not expressly mention the right to privacy as a fundamental right. Their primary concern was about freedoms like speech, assembly, movement, and protection of the rights and equality. The earlier precedents of the Apex court also rejected privacy as a fundamental right. This could be seen by the judgment delivered by the Apex court in M.P. Sharma v. Satish Chandra (1954),[6] where the Apex court held that “When the Constitution makers have thought fit not to subject such regulation to constitutional limitations by recognition of a fundamental right to privacy, analogous to the American fourth amendment, we have no justification to import it into a totally different fundamental right by some process of strained construction.” And in Kharak Singh v. State of Uttar Pradesh (1964),[7] Justice Ayyangar said: “The right of privacy is not a guaranteed right under our constitution, and therefore the attempt to ascertain the movements of an individual is merely a manner in which privacy is invaded and is not an infringement of a fundamental right guaranteed in Part III.” The realization began with Gobind v. State of MP (1975),[8] where the court prudently acknowledged privacy as a part of human right and dignity. Later, in R. Rajagopal v. State of Tamil Nadu (1994),[9] the court to a great extent recognized privacy as a right of the individuals against the media’s unwarranted intrusion in the citizens’ private lives and information. The real necessity came in People’s Union for Civil Liberties v. Union of India (1997),[10] where the phones of journalists, politicians and private individuals were being tapped without their permission, knowledge and safeguards. This infringement raised serious concerns about the privacy of the individuals. Then there came the Apex court’s final landmark judgment in K.S. Puttaswamy v. Union of India (2017), which explicitly includes the Right to privacy as the fundamental right under Article 21, which includes Right to life and personal liberty.
United States Recognition of Privacy as a Right
The Fourth Amendment[11] of the United States constitution also clearly states: “The right of the people to be secure in their persons, house, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the person or things to be seized.” The amendment aims to protect the individual from unreasonable searches and seizure by the government and police. This amendment doesn’t solely address the right to privacy, but it prohibits the controlling authority from unreasonable searches and prevents them from issuing warrants without probable cause. It can be seen as a foundation element of the right to privacy. United States v. Jones (2012) and Riley v. California (2014) further accelerated the principle of privacy.
Earlier Legislation and Framework of Privacy in India
In India, the Information Technology Act, 2000,[12] was the first attempt to protect privacy in the digital world. This act connects to the Right to privacy mainly because of its provisions. Such as Section 43A (included by the 2008 amendment of the IT Act), though Section 43A has been superseded by the Digital Personal Data Protection Act, 2023,[13] which provides stronger and more comprehensive protection for data protection in India. Section 72[14] (penalizes anyone for breach of confidentiality and privacy), with imprisonment up to 2 years and fine up to ₹1 lakh. Section 72A (punishment for disclosure of personal information in breach of lawful contract), with imprisonment up to 3 years and fine up to ₹5 lakh. These were some of the early provisions or the first attempts to prevent and protect the privacy of individuals in India.
Recognition of Privacy as a Fundamental Right
Before the Apex court’s final landmark judgment in K.S. Puttaswamy v. Union of India (2017), privacy was not explicitly included as the fundamental right of the individuals. The Apex court’s earlier precedents clearly show that Indian law did not expressly confer the right to privacy like the United States Fourth Amendment. It was in 2017 when the nine-judge bench overruled their earlier decision and included privacy as the fundamental right of the Indian citizens under Article 21 (Right to life and personal liberty). The aim of including privacy under Article 21 clearly demonstrates that it protects not only physical privacy but also informational privacy and personal dignity. Government actions like phone tapping, information collection, and surveillance are all subject to the test of necessity and legality. In 2018,[15] the Apex court restricted the mandatory Aadhaar use only to welfare schemes and subsidies, while striking it down for other services such as SIM cards and school admission. The judgment of the Puttaswamy case directly led to the drafting of the Personal Data Protection Bill (2019),[16] and eventually the Digital Personal Data Protection Act, 2023.
Challenges and Problems of Privacy in the Digital World
The main challenges and problems that often hinder the security and protection of privacy in the digital era lie in the fact that India, along with other digital countries, is being driven towards artificial intelligence, e-commerce platforms, and the digital economy. Social media platforms (Instagram, Facebook, WhatsApp, Messenger, and YouTube, etc.), online shopping, and other various mobile apps are constantly storing, collecting, and sharing their users’ vast amounts of information and data. If the data is not handled according to the data protection laws, this may expose the individuals to lack of privacy and security, and they shall suffer data breach and compromise. The problem is not new, but the ways of accessing and sharing data in the digital era have advanced. Cyberattacks and hacking have exposed and raised serious questions about privacy as a right. Many thousands of individuals still lack the knowledge and awareness of how their data and information are being processed, used, stored and shared. This further creates complications, challenges and imbalance between the individuals’ rights and those sharing and controlling the information and data. The real gap lies between individuals’ awareness and government overreach. India is not only increasing in population but also in lack of privacy. As mentioned above, large sections lack the knowledge of the rights and privileges. In rural areas, the violations of privacy often go unnoticed and unchallenged due to illiteracy, poor communication and lack of knowledge and awareness about privacy and its misuse.
Conclusion
The evolution of privacy as a fundamental right can be traced back to M.P. Sharma v. Satish Chandra (1954), where the Apex court denied privacy as the right of Indian citizens. The Puttaswamy landmark judgment was the turning point for the constitutional evolution and fundamental rights of the citizens. Yet, the recognition alone is not sufficient in the digital world revolution and with India being in a developing phase. The Digital Personal Data Protection Act, 2023, is India’s first dedicated law for protecting data in the digital era. But this law also allows the central government broad exemption for state-related activities. Further, the penalties for violations of privacy can go up to ₹250 crores (depending on the sensitivity of data), but funds go to the central government and not to the victims whose data has been sacrificed. Section 44(3)[17] of the DPDP Act, 2023, significantly alters and undermines the Right to Information (Article 300A), Section 8(i)(j).
The change may strengthen privacy protection, but at the cost of weakening public oversight, thereby removing the crucial balance between privacy and transparency. The main problem is that the majority of India’s population don’t know that they’re being tracked. Social media platforms such as Instagram, Facebook, WhatsApp, Twitter, and YouTube ask for individuals’ private information. This could often lead to compromising large amounts of data and information of the users by hackers who steal the most sensitive information of the users. Cyberattacks and state surveillance often lead to loss of privacy as a right. According to the Exploding Topics report,[18] there are 600 million cyberattacks per day and nearly 54 people per second fall victim to cyberattacks. According to the Trend Micro Cyber Security Risk Report 2025,[19] India ranks 2nd globally in email threats, contributing 6.9% to global detections and nearly 24% to Asia’s total. India holds 3rd place globally in malware detections, responsible for 4.74% of all global threats. India’s average organizational cost of a data breach has hit INR 220 million in 2025,[20] up approximately 13% from 2024. Details of more than 30,000 students and alumni were exposed (caste, financial data, contact info).[21] Data was apparently accessible for years.
India needs awareness about privacy and its violation that causes data breach, identity theft and compromise of personal information. Recognizing privacy as a fundamental right is not enough until that right is properly protected and respected as a fundamental right of the Indian Constitution. Only then shall privacy truly serve and stand as the cornerstone of freedom in the digital world.
References
[1] Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1 [90], available at https://indiankanoon.org/doc/127517806/ (last accessed Sept. 2, 2025).
[2] The landmark judgment of the Apex court that recognized privacy as a fundamental right of Indian citizens.
[3] Principle of law derived from nature or reason rather than from human legislation.
[4] Universal Declaration of Human Rights (adopted Dec. 10, 1948, UNGA Res 217 A(III)) (UDHR) art. 12.
[5] International Covenant on Civil and Political Rights (adopted Dec. 16, 1966, entered into force Mar. 23, 1977), 999 UNTS 171 (ICCPR) art. 17.
[6] M.P. Sharma v. Satish Chandra, AIR 1954 SC 300 (Headnote), available at https://indiankanoon.org/doc/1306519/ (last accessed Sept. 5, 2025).
[7] Kharak Singh v. State of Uttar Pradesh, AIR 1963 SC 1295 [20], available at https://indiankanoon.org/doc/619152/ (last accessed Sept. 6, 2025).
[8] Gobind v. State of Madhya Pradesh, (1975) 2 SCC 148.
[9] R. Rajagopal v. State of Tamil Nadu, (1994) 6 SCC 632.
[10] People’s Union for Civil Liberties v. Union of India, (1997) 1 SCC 301.
[11] U.S. Const. amend. IV, National Constitution Center, https://constitutioncenter.org/ (last accessed Sept. 7, 2025).
[12] The Information Technology Act came into force on Oct. 17, 2000. The Act gives legal recognition for transactions carried out by means of electronic data and digital signature.
[13] The Digital Personal Data Protection Act was introduced after the withdrawal of the Personal Data Protection Bill, 2019. This Act is introduced to protect the privacy of individuals in the digital environment.
[14] Information Technology Act, 2000.
[15] Justice K.S. Puttaswamy (Retd.) v. Union of India (Aadhaar case), (2019) 1 SCC 1 [332(f)], [447].
[16] The Personal Data Protection Bill was introduced to regulate how personal data of individuals are collected, used, stored, and shared. However, it was withdrawn in August 2022.
[17] The Digital Personal Data Protection Act, 2023, § 44(3).
[18] Exploding Topics, How Many Cyber Attacks Occur Each Day? (2025) (Aug. 27, 2025), https://explodingtopics.com/blog/cybersecurity-stats (last accessed Sept. 9, 2025).
[19] Trend Micro, Trend Micro Cybersecurity Risk Report 2025: India (June 10, 2025), https://www.trendmicro.com/en_in/about/newsroom/press-releases/2025/2025-06-10.html (last accessed Sept. 9, 2025).
[20] IBM, India Records Highest Average Cost of a Data Breach at INR 220 Million in 2025: IBM Report (Aug. 7, 2025), https://in.newsroom.ibm.com/2025-08-07-India-Records-Highest-Average-Cost-of-a-Data-Breach-IBM (last accessed Sept. 10, 2025).
[21] IIT-Roorkee Data Breach: Personal Details of 30,000 Students, Alumni Exposed Online for Years; Caste, Finances, Contact Details at Risk, Times of India (Aug. 10, 2025), https://timesofindia.indiatimes.com/city/dehradun/iit-roorkee-data-breach-exposes-personal-details-of-30k-alumni/articleshow/123220043.cms (last accessed Sept. 10, 2025).
