Author – Riya Raj
College – GD Goenka University
To the Point
We live in an age where a machine can predict your next purchase before you make it, where your face can unlock a door or flag you as a suspect, and where your daily browsing habits quietly build a dossier more detailed than anything a government file ever contained. Artificial Intelligence (AI) has arrived not with a knock at the door but through the window quietly, efficiently, and with little warning. The question India must urgently answer is this: as AI systems grow more powerful and more embedded in public and private life, does the right to privacy recognized as a fundamental right only as recently as 2017 stand any real chance of survival?
This article argues that while India has made commendable strides in recognizing privacy as a constitutional right, its legal and regulatory ecosystem remains woefully underprepared for the specific and sophisticated privacy threats posed by artificial intelligence.
Use of Legal Jargon
At the heart of this discussion lies the tension between informational self-determination the right of an individual to control data pertaining to oneself and the data maximalism that underpins modern AI systems. AI thrives on data: the more granular, the more behaviorally rich, the better. This creates a structural conflict with principles such as data minimization, purpose limitation, and consent-based processing, which form the bedrock of modern privacy jurisprudence globally.
The constitutional framework in India derives privacy protection primarily from Article 21 of the Constitution, which guarantees the right to life and personal liberty. The Supreme Court has, through a process of purposive interpretation, expanded this provision to encompass privacy as an intrinsic component of human dignity and autonomy. Further, Articles 14 and 19 intersect with privacy guarantees, mandating that any restriction must satisfy the tests of legality, legitimate aim, proportionality, and procedural safeguards the four-pronged standard authoritatively laid down in Justice K.S. Puttaswamy v. Union of India (2017).
The statutory landscape includes the Information Technology Act, 2000, particularly Section 43A (compensation for failure to protect sensitive personal data), Section 66E (punishment for violation of privacy), and Section 72A(punishment for disclosure of information in breach of lawful contract). The Digital Personal Data Protection Act, 2023now adds a legislative layer, establishing obligations around consent, data fiduciary accountability, and rights such as the right to erasure and the right to grievance redressal. Yet gaps remain, especially in addressing AI-specific risks like algorithmic profiling, automated decision-making, and inferences drawn from non-personal data.
The Proof
The evidence that AI poses a genuine and growing threat to privacy is no longer speculative but it is empirical. Consider facial recognition technology, which several Indian states have deployed at public gatherings, railway stations, and airports. In the absence of a specific legal framework governing its use, this constitutes what legal scholars would call surveillance without statutory sanction a direct affront to the doctrine of informational privacy. The National Crime Records Bureau’s Automated Facial Recognition System (AFRS), for instance, has proceeded with deployment despite the absence of a dedicated regulatory framework, raising serious questions about unbridled executive discretion.
Then there is the matter of algorithmic discrimination. AI systems trained on historically biased datasets can reproduce and amplify those biases in consequential decisions loan approvals, insurance premiums, hiring filters, and even bail risk assessments. When sensitive categories of data such as caste, religion, gender, or socioeconomic background are proxied through seemingly neutral variables, the outcome is what legal scholars term disparate impact structural discrimination that hides behind mathematical neutrality.
The threat of data breaches is equally documented. India was ranked among the top five countries in the world for data breaches in recent years, with major incidents affecting financial institutions, healthcare platforms, and government databases. AI systems, by virtue of processing and centralizing enormous volumes of personal data, become high-value targets. A single breach in an AI-powered health diagnostic platform, for instance, can expose biometric data, medical history, and behavioral patterns simultaneously consequences far more grave than a conventional data leak.
Furthermore, the proliferation of third-party data brokers and the opacity of black-box AI models means that individuals have little to no visibility into how their data is being used, who has access to it, and what inferences are being drawn. This directly undermines the constitutional mandate of transparency and accountability in state and private action alike.
Abstract
The intersection of Artificial Intelligence and the right to privacy presents one of the most complex jurisprudential challenges of the twenty-first century. In India, the right to privacy constitutionally recognized as a fundamental right under Article 21 faces unprecedented pressure from AI-driven surveillance, data aggregation, algorithmic profiling, and cyber threats. While the Supreme Court’s landmark judgment in Puttaswamy established a robust constitutional foundation, the existing statutory framework, including the IT Act, 2000, and the Digital Personal Data Protection Act, 2023, remains inadequately equipped to address AI-specific risks. This article examines the constitutional and statutory dimensions of privacy in the context of AI, analyzes relevant judicial precedents, and argues for a rights-centered, proportionality-driven approach to AI governance that integrates privacy as a foundational design principle rather than an afterthought.
Relevant Laws / Statutory Provisions
1. Article 21, Constitution of India, the primary constitutional guarantor of the right to life and personal liberty, interpreted expansively by the Supreme Court to include the right to privacy, dignity, and informational self-determination.
2. Article 19(1)(a) and Article 14, Freedom of speech and expression, and the right to equality, both of which are implicated when AI systems engage in surveillance, censorship, or discriminatory profiling.
3. Information Technology Act, 2000
Section 43A: Mandates compensation by body corporates for negligent handling of sensitive personal data.
Section 66E: Criminalizes intentional capture or transmission of images of a person’s private parts without consent.
Section 72A: Penalizes disclosure of personal information without consent in breach of a lawful contract.
4. Digital Personal Data Protection Act, 2023. It is India’s first dedicated data protection legislation. Establishes the framework of consent-based data processing, data fiduciary obligations, data principal rights (including the right to correction, erasure, and grievance redressal), and the creation of the Data Protection Board of India. Notably, however, it does not yet comprehensively regulate automated decision-making or AI-specific data processing activities.
5. The Aadhaar Act, 2016 which Governs the collection and use of biometric and demographic data for identity authentication. Its proportionality was partially upheld and partially struck down by the Supreme Court in the Aadhaar judgment of 2018.
Case Laws
1.Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1
The constitutional watershed. A nine-judge bench of the Supreme Court unanimously held that the right to privacy is a fundamental right under the Indian Constitution, intrinsic to Article 21 and to the broader freedoms guaranteed by Part III. The judgment recognized informational privacy as a distinct dimension of the right, directly applicable to data-driven technologies.
2.Kharak Singh v. State of Uttar Pradesh, AIR 1963 SC 1295
An early recognition of the tension between state surveillance and individual liberty. While the Court held that the right to privacy was not a standalone fundamental right at that time, it nonetheless struck down police regulations permitting nocturnal domiciliary visits as violative of Article 21 an early indication of the constitutional significance of personal liberty against surveillance.
3.Shreya Singhal v. Union of India, (2015) 5 SCC 1
Though primarily a free speech judgment, Shreya Singhal has significant implications for AI-driven content moderation and surveillance. The Supreme Court’s insistence on the distinction between discussion, advocacy, and incitement is a reminder that algorithmic systems cannot be permitted to suppress legitimate speech under the guise of privacy or security enforcement.
4.Maneka Gandhi v. Union of India, (1978) 1 SCC 248
Established that any law restricting personal liberty must satisfy the triple test of legality, fairness, and reasonableness a framework now applied to assess whether AI-enabled state action passes constitutional muster.
5.Justice K.S. Puttaswamy v. Union of India (Aadhaar), (2019) 1 SCC 1
The follow-up Aadhaar judgment applied the proportionality standard to biometric data collection, striking down provisions that permitted private entities to use the Aadhaar authentication system, thereby establishing that even legitimate state aims cannot justify disproportionate privacy intrusions.
Conclusion
The right to privacy did not arrive easily in Indian constitutional law it took decades of judicial evolution and a nine-judge bench to firmly establish it. It would be a profound institutional failure to allow that hard-won right to be quietly dismantled by algorithmic systems operating in the shadows of legal ambiguity.
Artificial Intelligence is not inherently hostile to privacy. Properly governed, it can be a tool for privacy enhancement smarter encryption, better anomaly detection, more granular consent management. But left ungoverned, or governed by frameworks designed for a pre-AI world, it will continue to erode the informational autonomy of individuals in ways that are invisible, irreversible, and deeply consequential.
What India needs is not merely a data protection law but a comprehensive AI governance framework that mandates algorithmic transparency, prohibits high-risk AI applications without prior impact assessments, gives individuals the right to contest automated decisions, and embeds privacy-by-design as a non-negotiable standard. Regulators, technologists, civil society, and the judiciary must collaborate not sequentially, but simultaneously because the pace of AI development will not wait for institutional consensus to be reached at leisure.
The Constitution guarantees dignity. Dignity, in the digital age, requires that individuals know what is known about them, control what is collected from them, and have recourse when that knowledge is misused. Any AI system that cannot accommodate those demands has no place in a constitutional democracy.
FAQs
Q1. Is the right to privacy an absolute right in India?
No. The Supreme Court has consistently held that the right to privacy, while fundamental, is not absolute. It can be restricted by the state provided the restriction satisfies the four-fold test of legality, legitimate aim, proportionality, and procedural guarantees, as articulated in the Puttaswamy judgment.
Q2. Does India have a specific law regulating AI and privacy?
As of now, India does not have a standalone AI regulation law. The Digital Personal Data Protection Act, 2023 provides a general data protection framework, but it does not specifically address AI-driven automated decision-making, algorithmic profiling, or facial recognition technology. Sectoral guidelines exist in limited areas, but comprehensive AI governance legislation is still pending.
Q3. What is ‘differential privacy’ and how does it help?
Differential privacy is a mathematical technique that allows AI systems to learn patterns from datasets without exposing the data of any individual user. By injecting controlled statistical noise into datasets, it ensures that the output of an AI model cannot be reverse-engineered to identify specific individuals making it a powerful privacy-preserving tool for AI development.
Q4. Can a citizen challenge an automated decision that affects them?
Under the Digital Personal Data Protection Act, 2023, data principals have limited rights to grievance redressal. However, a robust right to contest purely automated decisions such as those used in credit scoring or hiring is not yet explicitly codified in Indian law, unlike the GDPR in Europe, which provides for this right under Article 22. This remains a significant legislative gap.
Q5. What is ‘federated learning’ and why is it relevant to privacy?
Federated learning is an AI training technique where the model learns from data that remains on users’ local devices rather than being uploaded to a central server. This significantly reduces the risk of mass data collection and centralised breaches, making it an important privacy-preserving alternative for developing AI systems without compromising individual data.
