Author – Tanishka Ranjan, Vivekananda Institute of Professional Studies
To the Point
In 2025, the Supreme Court of India delivered a landmark decision in Internet Freedom Foundation v. Union of India, upholding the Digital Personal Data Protection Act (DPDP Act), 2023, as constitutionally valid while reading down certain provisions to protect citizens’ fundamental right to privacy under Article 21.
The Court held that while the right to privacy is intrinsic to personal liberty and dignity, reasonable restrictions can be imposed to ensure national security, public order, and digital governance efficiency. However, it struck down or “read down” provisions that allowed the government unchecked power to exempt its agencies from compliance obligations.
This ruling reconciles India’s growing digital governance framework with its constitutional privacy obligations, originally recognized in Justice K.S. Puttaswamy v. Union of India (2017).
Use of Legal Jargon
1. Digital Personal Data Protection Act (DPDP Act), 2023: India’s first comprehensive data protection law governing the collection, processing, storage, and transfer of personal data by both government and private entities.
2. Data Fiduciary: Any entity (government, company, or individual) that determines the purpose and means of processing personal data.
3. Data Principal: The individual whose personal data is being collected or processed.
4. Consent Manager: A registered platform facilitating the management and withdrawal of user consent for data processing.
5. Right to Privacy: A fundamental right recognized under Article 21 as part of the right to life and personal liberty (Puttaswamy Case, 2017).
6. Proportionality Test: A judicial standard ensuring that State interference with fundamental rights must be lawful, necessary, and proportionate to the objective sought.
7. Reasonable Restriction: A constitutional limitation imposed under Article 19(2) and Article 21 to balance individual liberty with collective interest.
8. Exemption Clause (Section 17, DPDP Act): Provision allowing the Central Government to exempt any government agency from data protection obligations under certain grounds such as national security.
The Proof
Background
Following the recognition of privacy as a fundamental right in Justice K.S. Puttaswamy v. Union of India (2017), the Indian government undertook the task of codifying a comprehensive data protection law. After several iterations, the Digital Personal Data Protection Act, 2023 was enacted.
While the Act aimed to create a structured framework for personal data protection, several civil society groups, including the Internet Freedom Foundation (IFF), Software Freedom Law Center (SFLC), and Common Cause, challenged the law before the Supreme Court on the grounds of excessive delegation, executive overreach, and violation of the right to privacy.
Petitioners’ Arguments
1. Unfettered Executive Power: Petitioners argued that Section 17 gave the government absolute discretion to exempt any public authority from compliance, effectively nullifying the law’s core purpose.
2. Lack of Independence of Data Protection Board: The Data Protection Board of India (DPBI), constituted under the Act, was criticized for being entirely under executive control, compromising its impartiality.
3. Vague Consent Mechanisms: The law’s provisions on deemed consent were alleged to violate informational autonomy, as individuals could lose control over how their data was processed.
4. Absence of Judicial Oversight: The petitioners contended that surveillance and data-sharing exemptions lacked judicial or parliamentary scrutiny, enabling mass data profiling.
Government’s Defence
The Union Government defended the Act as constitutional and necessary, asserting that:
* The DPDP Act is designed to strike a balance between individual privacy and economic innovation.
* Exemptions are essential for national security, law enforcement, and public welfare.
* The Data Protection Board functions as an independent adjudicatory authority with administrative linkage, not control, by the government.
The government cited international precedents—such as the UK Data Protection Act, 2018 and Singapore’s PDPA—where national security exemptions also exist.
Supreme Court’s Analysis
The five-judge Constitution Bench, led by Chief Justice D.Y. Chandrachud, adopted a balancing approach grounded in the proportionality doctrine.
(a) On Fundamental Right to Privacy:
The Court reaffirmed that informational privacy forms a core part of Article 21 and cannot be overridden by executive discretion. Every restriction on privacy must satisfy:
1. Legality (existence of valid law);
2. Legitimate state aim; and
3. Proportionality (least restrictive means to achieve the aim).
(b) On Section 17 (Exemption Power):
The Court read down Section 17, holding that while exemptions for national security are permissible, they must:
* Be based on written, reasoned orders;
* Be subject to periodic parliamentary review; and
* Not permit blanket exemptions.
This reading preserved the provision’s constitutionality while ensuring accountability.
(c) On Data Protection Board Independence:
The Court directed the government to reconstitute the Data Protection Board through an independent selection committee akin to the model used for other regulatory bodies (e.g., SEBI, TRAI), ensuring autonomy and fairness.
(d) On Consent and User Rights:
The Court emphasized that consent must be free, informed, specific, and revocable, aligning Indian law with global data protection standards like the EU’s GDPR.
The Judgment
The Supreme Court upheld the Digital Personal Data Protection Act, 2023 as constitutionally valid, subject to:
* Reading down Section 17 to prevent misuse;
* Strengthening the independence of the Data Protection Board; and
* Mandating transparency in exemptions and data-sharing processes.
In effect, the Court preserved the law’s functional utility while embedding privacy safeguards through interpretative constitutionalization.
Abstract
The Digital Personal Data Protection Act, 2023, and the Supreme Court’s 2025 ruling together represent the second phase of India’s privacy jurisprudence—moving from mere recognition of the right to privacy (2017) to the implementation of a rights-based data governance framework.
The judgment affirms that data protection is not anti-development but a pillar of democratic digital governance. By aligning domestic law with global data privacy norms, the Court struck a constitutional equilibrium—ensuring that the State’s interest in digital security does not eclipse citizens’ informational self-determination.
This decision positions India as a global leader in privacy-compatible governance, promoting trust in digital systems, e-governance, fintech, and artificial intelligence regulation.
Case Laws and Related Precedents
1. Internet Freedom Foundation v. Union of India (2025) – Supreme Court of India ➤ Upheld the DPDP Act while reading down Section 17; emphasized proportionality and accountability in privacy restrictions.
2. Justice K.S. Puttaswamy (Retd.) v. Union of India (2017) 10 SCC 1 ➤ Recognized the right to privacy as a fundamental right under Article 21.
3. Puttaswamy (Aadhaar Case) v. Union of India (2018) 1 SCC 809 ➤ Reiterated the proportionality test for data collection and State surveillance.
4. Maneka Gandhi v. Union of India (1978) 1 SCC 248 ➤ Laid down the foundation for due process and procedural fairness under Article 21.
5. Selvi v. State of Karnataka (2010) 7 SCC 263 ➤ Extended privacy protection to the mental sphere, restricting involuntary data extraction.
6. Shreya Singhal v. Union of India (2015) 5 SCC 1 ➤ Struck down Section 66A of the IT Act, reinforcing the necessity of constitutional safeguards in digital regulation.
7. EU General Data Protection Regulation (GDPR), 2018 ➤ Cited by the Court as a comparative model for consent, data minimization, and user autonomy principles.
Conclusion
The Supreme Court’s 2025 decision on the DPDP Act represents a constitutional milestone for digital India.
It demonstrates that technological governance and fundamental rights need not be antagonistic; rather, they can coexist through balanced regulation.
Key Highlights:
* Validation of the DPDP Act ensures India now has a comprehensive privacy statute with enforceable rights.
* Judicial oversight of government exemptions guarantees transparency.
* Empowerment of data principals places citizens at the center of the digital ecosystem.
* Independent data protection authority ensures accountability and trust in governance.
In the long run, this judgment will shape India’s approach to artificial intelligence, fintech regulation, cybersecurity, and cross-border data flows. It cements the Supreme Court’s role as the guardian of digital constitutionalism—ensuring that in the age of algorithms, human dignity remains supreme.
FAQs
Q1. What is the Digital Personal Data Protection Act, 2023?
A1. It is India’s first comprehensive law regulating the collection, storage, and processing of personal data by government and private entities, ensuring individual consent and accountability.
Q2. Why was the DPDP Act challenged in the Supreme Court?
A2. Petitioners argued that the Act granted unlimited power to the government to exempt its agencies from compliance and lacked independent oversight, violating Article 21.
Q3. What did the Supreme Court decide?
A3. The Court upheld the Act but read down provisions allowing unchecked exemptions. It also directed the government to ensure the independence of the Data Protection Board.
Q4. How does this ruling affect citizens?
A4. Individuals now enjoy stronger privacy rights, explicit consent control, and a legal avenue for redress against data misuse.
Q5. Does the DPDP Act apply to foreign companies?
A5. Yes. It applies to all entities processing personal data within India or offering goods/services to Indian residents, even if they operate abroad.
Q6. How does this compare to GDPR?
A6. Like the EU’s GDPR, India’s DPDP Act emphasizes consent, purpose limitation, and user rights, though it allows broader state exemptions under judicial oversight.
Q7. What is the significance of this case for India’s digital future?
A7. It lays the groundwork for ethical AI governance, data localization, and cross-border digital trade, ensuring India’s leadership in the global digital economy.
Q8. What’s next after this judgment?
A8. The government must establish an independent Data Protection Board, draft model consent frameworks, and issue rules for grievance redressal and data sharing within 6 months.
Final Thought
The 2025 Supreme Court judgment on the DPDP Act is a milestone in India’s digital constitutional evolution. It marks the dawn of an era where data privacy is not merely a policy concern but a constitutional promise—a promise that technology will serve the people, not the other way around.
