Author: Vansh Saraswat, Faculty of Law, University of Allahabad
Abstract
The recognition of the right to privacy as a fundamental right in India through the landmark judgment in Justice K.S. Puttaswamy (Retd.) v. Union of India (2017) profoundly altered the trajectory of individual liberty in the country. With technological innovation growing rapidly, the right to privacy today finds itself tested in the realms of digital surveillance, data commodification, algorithmic governance, and biometric tracking. This article explores how privacy rights have evolved since the Puttaswamy decision, evaluates their relevance in modern data-driven governance, critiques weak legislative safeguards, and proposes policy reforms rooted in constitutional values and global best practices.
Introduction
In August 2017, the Supreme Court of India delivered a reformative landmark judgment in Justice K.S. Puttaswamy (Retd.) v. Union of India, declaring that the right to privacy is a fundamental right under Article 21 of the Constitution. This unanimous verdict by a nine-judge bench overruled earlier decisions such as M.P Sharma and Kharak Singh, which had denied such recognition. The judgment emphasized that privacy is intrinsic to life, dignity, and liberty.
This landmark ruling laid the groundwork for a robust jurisprudential shift — from a narrow view of privacy as mere seclusion to a multidimensional understanding encompassing informational, bodily, and decisional autonomy. However, post-Puttaswamy India has been witness to an alarming rise in digital intrusion, surveillance practices, biometric data harvesting, and algorithmic profiling.
As technology becomes deeply embedded in our daily lives, from Aadhaar authentication to facial recognition at public spaces, the line between convenience and coercion blurs. While Puttaswamy set the constitutional tone, its real-world implementation remains uneven, especially with emerging AI threats, weak data protection laws, and the increasing appetite of both State and corporations to control personal data.
This article critically analyses the evolving scope of the right to privacy after the Puttaswamy judgment and evaluates the efficacy of India’s legal and policy response in the face of 21st-century digital challenges.
The Puttaswamy Doctrine: Constitutional Foundations
It adopted a three-part test derived from international jurisprudence: legality, necessity, and proportionality. Any restriction on the right must:
Be backed by law,
Serve a legitimate state aim, and
Be proportionate, i.e., the means must not outweigh the ends.
This doctrine ensures that arbitrary, excessive, or unjustified intrusions by the State — or even private actors — do not override the dignity and autonomy of individuals. The Court emphasized that privacy is not a singular concept but a layered right: it includes bodily privacy (freedom from physical intrusions), informational privacy (control over personal data), and decisional autonomy (freedom to make intimate choices).
The judgment elevated privacy to the same plane as free speech and equality, grounding it within the evolving interpretation of fundamental rights. Importantly, it underscored that privacy is a precondition to the enjoyment of all other rights.
Yet, as noble as these principles are, they remain vulnerable when confronted with modern realities of digital data and surveillance ecosystems that operate beyond individual control or understanding.
Emerging Threats in the Digital Age
Despite the doctrinal clarity in Puttaswamy, India’s privacy landscape has witnessed increasing threats in the digital domain:
a. AI-Powered Surveillance Systems
The rapid deployment of facial recognition systems by police, municipal bodies, and the central government — often without judicial approval or citizen consent — has sparked fear of a surveillance State. Tools These systems often rely on biased, error-prone algorithms, leading to disproportionate targeting of minorities or marginalized groups.
b. Biometric Infrastructure and Aadhaar
The Aadhaar program, originally designed for welfare delivery, has morphed into a mandatory digital identity linked to bank accounts, SIM cards, and employment. The Supreme Court’s earlier ruling in 2018, restricted Aadhaar’s use but the loopholes remain. The centralization of biometric data and the lack of independent oversight raise serious concerns of mass surveillance and data breaches.
c. OTT Platforms and Behavioural Data Mining
Digital platforms like Netflix, Hotstar, Amazon Prime, and YouTube gather vast amounts of behavioural data — content watched, time spent, likes/dislikes — and use them to tailor advertising, content recommendations, and even influence political behavior. Users rarely understand what data is collected or how it is used. This invisible commodification of preferences leads to manipulation, profiling, and erosion of free will.
d. Internet of Things (IoT) and Smart Devices
From smartwatches to Alexa, devices now constantly listen, track, and store data — often without clear user consent. Permissions demanded by apps are intrusive and opaque. In many cases, users are unaware they have agreed to share sensitive data — such as health metrics, voice commands, or location history — with third-party data brokers.
e. Inadequate Legislative Safeguards
India lacked a dedicated data protection law for over a decade. The Digital Personal Data Protection Act, 2023, was a long-awaited development, but it has been criticized for giving sweeping exemptions to the State, allowing data processing without consent under vague “public interest” grounds. Moreover, the Act dilutes citizen autonomy, offers weak enforcement mechanisms, and lacks a truly independent Data Protection Board.
Global Comparisons and India’s Lag
While India grapples with privacy concerns, several nations have embraced more robust frameworks
European Union – GDPR (2016): The General Data Protection Regulation is the gold standard in data protection. It mandates clear user consent, the right to erasure (right to be forgotten), data portability, algorithmic transparency, and stiff penalties for violations.
United States – CCPA/CPRA (California): While the U.S. has a fragmented regime, California’s Consumer Privacy Acts provide rights to access, delete, and prevent sale of personal data.
United Kingdom – Data Protection Act, 2018: Post-Brexit, the UK retained GDPR standards, with high transparency obligations for both public and private data processors.
India, despite the Puttaswamy ruling, has been slow in translating judicial principles into enforceable regulatory frameworks. The lack of algorithmic accountability, absence of right to explanation, and inadequate remedies for violations leave citizens helpless in the face of digital overreach.
Judicial Oversight: Reality vs. Principle
Courts in India have occasionally intervened in data protection issues — notably in the Aadhaar judgment (2018) where some uses of Aadhaar were restricted. However, judicial activism has largely been limited to post-facto scrutiny rather than pre-emptive protection.
Despite Puttaswamy’s emphasis on proportionality, government projects like NATGRID, CMS (Central Monitoring System), and NETRA continue without significant judicial or parliamentary oversight.
Courts have also failed to decisively define “informational privacy” — leaving the State and corporations to self-regulate. The judiciary needs to expand the Puttaswamy doctrine in light of AI, data mining, and predictive analytics, which did not exist at the time of the judgment.
The forward way:Recommendations
To uphold the spirit of Puttaswamy in this digital world, India must adopt a multi-facit approach:
a. Stronger Data Protection Law
The current DPDP Act must be amended to limit State exemptions, ensure independent regulation, and include privacy-by-design mandates. The regulatory board should be autonomous, with powers equivalent to a constitutional authority.
b. Algorithmic Transparency and Right to Explanation
When AI or automated systems affect employment, loans, or policing, individuals should have the right to explanation. Black-box algorithms must be subject to human oversight and legal accountability.
c. Judicial Pre-Authorization for Surveillance
Any surveillance action must be preceded by judicial approval. A Surveillance Oversight Committee, independent of the executive, should periodically review ongoing surveillance projects.
d. Consent Reform and Public Awareness
Privacy policies should be simple, transparent, and written in regional languages. Citizens must be made aware of their rights through national campaigns, especially in rural and semi-urban areas.
e. Data Localisation with Safeguards
While data localization improves national control, it must not lead to unchecked surveillance. Storage mandates should be accompanied by strict access protocols and encryption standards.
f. Academic and Civil Society Involvement
Digital rights organizations, law schools, and privacy activists must be included in policy formulation and watchdog mechanisms. Privacy must become a democratic dialogue — not a bureaucratic decree.
Conclusion
The Puttaswamy judgment marked a constitutional milestone. But in practice, privacy in India remains at a puzzle. The digital ecosystem — from biometric databases to AI surveillance — threatens to hollow out this right unless matched by strong legislative, judicial, and societal resistance.
A democracy thrives on the freedom of the individual. Privacy is not a privilege for the elite; it is a shield for the vulnerable, a guarantee of dignity, and a milestone of constitutional morality. If India is to truly uphold the values enshrined in its Constitution, the right to privacy must be guarded, expanded, and enforced — not just in theory, but in every byte of our digital existence.
FAQs
Q1. Is the right to privacy absolute in India?
No. The Supreme Court held that privacy is subject to reasonable restrictions, but any invasion must pass the tests of legality, necessity, and proportionality.
Q2. How does facial recognition threaten privacy?
Facial recognition can track people in real time, create profiles, and be misused to stifle dissent or discriminate, all often without consent or regulation.
Q3. What is lacking in India’s Data Protection law?
The Digital Personal Data Protection Act, 2023, grants wide exemptions to the government, lacks an independent regulator, and does not cover algorithmic decision-making or cross-border data flows effectively.
References
1. Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 S.C.C. 1.
2. M.P. Sharma v. Satish Chandra, 1954 S.C.R. 1077.
3. Kharak Singh v. State of U.P., A.I.R. 1963 S.C. 1295.
4. Navtej Singh Johar v. Union of India, (2018) 10 S.C.C. 1.
5. Aadhaar (Targeted Delivery of Financial and Other Subsidies) Act, No. 18 of 2016 (India).
6. Digital Personal Data Protection Act, No. 22 of 2023 (India).
7. General Data Protection Regulation, Regulation (EU) 2016/679.
8. California Consumer Privacy Act, Cal. Civ. Code § 1798.100 (2018).
