Author: Shubhi Gupta, Gautam Buddha University
ABSTRACT
The notion of privacy in India has undergone a significant transformation—from being recognized under common law to attaining the status of a constitutionally guaranteed right. A pivotal milestone in this evolution was the Supreme Court’s ruling in Justice K.S. Puttaswamy v. Union of India (2017), where the Court affirmed that the right to privacy is an essential element of the right to life and personal liberty guaranteed under Article 21 of the Constitution. Despite this recognition, by 2025, the right to privacy faces mounting challenges due to expanding digital surveillance, algorithm-driven data collection, and weak implementation frameworks. This article examines the current state of privacy in India amidst an increasingly data-driven and digitally connected society. It critically analyses the legal developments, recent laws, prominent judicial decisions, and global best practices to assess whether privacy remains a robustly protected right or merely a constitutional ideal struggling to find ground in practice.
TO THE POINT
India took a historic step in recognising the Right to Privacy as a fundamental right through the Supreme Court’s decision in the Puttaswamy case (2017). This was a landmark moment in constitutional law. However, in today’s digital environment, privacy faces new and complex threats. With technologies such as facial recognition, spyware like Pegasus, and the mass collection of personal data by tech companies, it has become increasingly difficult to draw a line between personal freedom and invasive monitoring.
Despite the introduction of the Digital Personal Data Protection Act, 2023, significant concerns about the effectiveness of privacy safeguards still persist.
Many experts argue that the law leans more towards protecting government interests and corporate convenience than individual rights. Broad exemptions for state authorities under vague categories like “public order” or “national interest” have raised eyebrows. Moreover, the lack of public awareness, weak enforcement infrastructure, and limited accountability mechanisms contribute to the problem. So, the real issue in 2025 isn’t whether privacy exists on paper—but whether it holds any meaningful power in the lives of ordinary citizens.
USE OF LEGAL JARGON
Understanding privacy in the modern legal context requires familiarity with key terms that frequently appear in legal and policy discussions:
• Informational Privacy: It refers to an individual’s right to regulate how their personal data is collected, processed, stored, and shared, particularly in digital environments. It emphasizes autonomy over personal information in an era dominated by data-driven technologies and surveillance systems.
• Proportionality Test: A legal framework used by courts to determine whether a restriction on a fundamental right is justified. It involves assessing whether the action is legal, necessary, proportionate, and accompanied by safeguards.
• Legitimate State Interest: A ground upon which the government may lawfully limit individual rights, such as protecting national security or maintaining public order.
• Data Fiduciary: Any organisation or authority—public or private—that collects and processes personal data, and is expected to do so responsibly, in the best interest of the individual.
• Surveillance Capitalism: A term describing the commercial practice of turning personal data into a commodity, often without the user’s informed consent.
• Constitutional Morality: A guiding principle that demands all actions of the State adhere to the core values of the Constitution, including justice, dignity, equality, and liberty.
• Reasonable Expectation of Privacy: A judicial test to evaluate whether an individual’s claim to privacy is legitimate based on the context and societal norms.
These terms are not just legal jargon—they form the conceptual backbone of contemporary debates on privacy and data protection in India and beyond.
THE PROOF
1. Jurisprudential Foundation
The recognition of the right to privacy in India didn’t emerge overnight—it evolved gradually through decades of legal reasoning. Initially, in cases like M.P. Sharma v. Satish Chandra (1954) and Kharak Singh v. State of U.P. (1963), the Supreme Court ruled that privacy was not a constitutionally guaranteed right. The perception of privacy as a legal right began to evolve during the 1970s. In Gobind v. State of Madhya Pradesh (1975), the Supreme Court suggested that the right to privacy may qualify as a fundamental right, though it could be restricted by reasonable limitations justified in the public interest. This gradual shift became more evident in Rajagopal v. State of Tamil Nadu (1994), where the Court clearly acknowledged the concept of informational privacy, particularly in the context of publishing personal information without consent. These judicial developments laid the foundation for the landmark Puttaswamy judgment in 2017, in which the Court firmly established that the right to privacy is an essential aspect of human dignity and personal liberty safeguarded under Article 21 of the Constitution.
2. Justice K.S. Puttaswamy v. Union of India (2017)
In Justice K.S. Puttaswamy v. Union of India, the Supreme Court unanimously declared that the right to privacy is a fundamental right, inherently connected to the constitutional guarantee of life and personal liberty under Article 21. The Court clarified that privacy is not a standalone right—it supports and strengthens other fundamental rights such as free speech, equality, and freedom of movement. To prevent misuse, the Court laid down a four-step test to evaluate whether any intrusion into privacy is constitutionally valid:
1. The action must be authorised by law.
2. It must pursue a legitimate objective.
3. Any restriction on the right to privacy must be proportionate to the legitimate aim it intends to achieve.
4. Adequate procedural safeguards must be in place.
This framework became the benchmark against which all privacy-related legislation, surveillance programs, and government actions are to be judged going forward.
3. Legislative Framework: DPDP Act, 2023
The Digital Personal Data Protection (DPDP) Act, passed in 2023, was introduced to address growing concerns over misuse of personal data. It introduces core principles such as consent-based data processing, defines the roles of entities like data fiduciaries, and recognises the rights of individuals (data principals). While the Act represents a significant legislative effort, it has not escaped criticism.
A major concern is Clause 17, which gives the government the power to exempt any of its agencies from the law’s provisions for broadly defined reasons such as “national interest.” This could undermine privacy protections altogether. Additionally, the Data Protection Board envisioned by the Act lacks full independence, raising doubts about its ability to enforce the law impartially. The law is also silent or vague on key areas like grievance redressal, cross-border data transfers, and data localisation requirements.
CASE LAWS
1. Justice K.S. Puttaswamy v. Union of India (2017)
The Supreme Court of India recognized the right to privacy as a fundamental aspect of the right to life and personal liberty guaranteed by Article 21 of the Constitution. The judgement overruled earlier decisions in M.P. Sharma v. Satish Chandra (1954) and Kharak Singh v. State of U.P. (1963), which had denied such a status. The Court held that privacy is intrinsic to life and personal liberty and encompasses various aspects including bodily integrity, personal autonomy, and informational privacy.
2. Puttaswamy (Aadhaar) v. Union of India (2018)
Following the 2017 privacy judgment, the constitutional validity of the Aadhaar scheme came under scrutiny in Puttaswamy (Aadhaar) v. Union of India. The five-judge bench upheld the Aadhaar project, especially its use in delivering welfare benefits, recognising it as a tool for targeted governance. However, it struck down provisions that mandated Aadhaar linking with bank accounts, mobile numbers, and private service providers, deeming them to be disproportionate intrusions on individual privacy.
3. Facebook Inc. v. Union of India (2021)
This case concerns the legality of traceability mandates imposed by the Indian government under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. The government directed messaging platforms like WhatsApp to identify the first originator of certain flagged messages, raising concerns about end-to-end encryption and user privacy. The case is still under judicial consideration.
CONCLUSION
In 2025, the Right to Privacy in India exists more on paper than in practice. While the Supreme Court has firmly recognised it as a fundamental right in landmark judgments like Puttaswamy (2017), real-world enforcement remains weak. The increasing use of surveillance technologies, unchecked data collection by both state and private actors, and broad legal exemptions under laws like the DPDP Act, 2023 undermine the very essence of this right.
While the Act is a step forward, its loopholes—particularly vague government exemptions, limited independence of regulatory bodies, and lack of public awareness—raise concerns about the protection of individual autonomy in a data-driven world. Judicial interventions and public interest litigations continue to shape the privacy narrative, but implementation remains weak.
Hence, privacy in 2025 is not a myth, but a right under siege. The need of the hour is an empowered regulatory body, stronger legal safeguards, and greater civic engagement to ensure that privacy transitions from principle to practice.
FAQs
Q1. How does personal data differ from sensitive personal data?
• Personal data refers to any data that can identify an individual, like name, address, or mobile number.
• Sensitive Personal Data encompasses more private and confidential information such as health records, biometric details, sexual orientation, financial information, and religious or political beliefs.
Q2. Can the government legally intercept my phone calls or monitor my online activity?
Yes, under the Indian Telegraph Act and Information Technology Act, the government can intercept communication in the interest of national security, public order, or to prevent incitement to an offence. However, such actions must follow strict legal procedures and be proportionate to the threat.
Q3. Does the DPDP Act, 2023 allow individuals to delete their personal data?
Yes, under the DPDP Act, individuals (data principals) have the right to request the erasure of their personal data if the purpose for which it was collected is fulfilled or if consent is withdrawn. However, exceptions exist, especially for legal and security purposes.
Q4. What are ‘dark patterns,’ and how do they relate to privacy?
Dark patterns are manipulative user interface designs that trick users into giving consent or sharing more data than they intend to. For example, hiding the “opt-out” button or using misleading language. The DPDP Act has recognized dark patterns and focuses to restrict them.
Q5. What legal remedies do I have if my privacy is violated?
You can file a complaint with the Data Protection Board of India (under the DPDP Act), approach consumer courts for data breaches, or invoke your constitutional right under Article 226/32 by filing a writ petition in HC/SC if your fundamental right is infringed.
