What does the Right to Privacy mean?

Privacy is a notoriously difficult concept to define. The Supreme Court in Puttaswamy approached it through multiple lenses, ultimately recognising at least three interrelated dimensions:

  • Bodily / physical privacy — control over one's body, including reproductive choices, refusal of medical treatment, and sexual autonomy.
  • Informational privacy — control over personal data, including health records, financial information, biometric details, communication metadata.
  • Decisional privacy — the right to make intimate decisions about one's life, relationships, lifestyle and beliefs without state interference.

The Court drew on a global tradition — Samuel Warren and Louis Brandeis's seminal 1890 Harvard Law Review article "The Right to Privacy," American Fourth Amendment jurisprudence, German and Israeli Constitutional Court verdicts, and the European Convention on Human Rights. But the verdict's authority comes from anchoring privacy within the existing text of the Indian Constitution — specifically Article 21 (right to life and personal liberty) and other Part III rights.

Pre-Puttaswamy: 60 years of contrary precedent

For most of the Constitution's history, the Supreme Court had explicitly held that the Right to Privacy was NOT a Fundamental Right. Two early cases established this view:

1954

M.P. Sharma v. Satish Chandra

8:0. An 8-judge bench held that the Indian Constitution does not specifically recognise a fundamental right to privacy. The framers did not intend to incorporate the American Fourth Amendment's protection against unreasonable searches.

1962

Kharak Singh v. State of UP

6:1. A 6-judge bench held that the right to privacy was not a guaranteed right under the Constitution. Justice Subba Rao's dissent argued that privacy was implicit in Article 21 — a position that would only become the majority view 55 years later.

Smaller benches over the next 50 years carved out narrow privacy protections — telephone tapping (PUCL v. Union of India, 1997), DNA testing in paternity cases (Sharda v. Dharmpal, 2003), medical records (Mr. X v. Hospital Z, 1998). But the foundational question — whether privacy itself was a Fundamental Right — remained unresolved by a larger bench.

The trigger for resolution came from an unexpected source: the Aadhaar challenge. Petitioners challenged the constitutionality of the Aadhaar scheme partly on privacy grounds. The Union government argued — citing M.P. Sharma and Kharak Singh — that there was no Fundamental Right to Privacy. The matter was referred to a 9-judge bench in 2017 to definitively decide this question.

Puttaswamy (2017): the foundational verdict

Justice K.S. Puttaswamy, a retired Karnataka High Court judge, had filed the original petition challenging Aadhaar in 2012. By the time the 9-judge bench heard the privacy question, the case had become a vehicle for resolving the broader constitutional issue.

The bench: 9 judges, led by Chief Justice J.S. Khehar. Heard for 7 days. Decided unanimously on 24 August 2017. Six separate opinions were written, all converging on the central holding. Justice D.Y. Chandrachud wrote the lead opinion for himself and three others.

The unanimous holding:

  1. The Right to Privacy is a Fundamental Right intrinsic to the right to life and personal liberty under Article 21, and to other freedoms guaranteed by Part III.
  2. M.P. Sharma (1954) and Kharak Singh (1962) are overruled to the extent they held privacy was not a fundamental right. Justice Subba Rao's dissent in Kharak Singh is vindicated.
  3. Privacy has both negative and positive content — the state cannot violate it, but also has obligations to protect it from third-party violations.
  4. Privacy is not absolute — like all rights, it can be restricted by law, but any restriction must satisfy the proportionality test.
  5. Privacy includes informational self-determination — control over how one's personal data is collected, used, shared.

"Privacy is the constitutional core of human dignity. The right of privacy is a fundamental right. It is a right which protects the inner sphere of the individual from interference from both State and non-State actors and allows the individuals to make autonomous life choices." — Justice D.Y. Chandrachud, Puttaswamy (2017).

Justice Chandrachud's opinion contained a particularly striking passage on Justice Khanna's lone dissent in ADM Jabalpur (1976) — the Emergency-era habeas corpus case. Chandrachud described Khanna's dissent as a "constitutional duty" and effectively overruled the ADM Jabalpur majority. This was a remarkable moment of the Court reckoning with one of its darkest hours.

The proportionality test — when can the state restrict privacy?

Privacy, like other Fundamental Rights, is not absolute. Puttaswamy and subsequent cases have refined the test for valid restrictions.

The four-part proportionality test

  1. Legality — there must be a law authorising the restriction (no executive fiat allowed).
  2. Legitimate state aim — the restriction must pursue a legitimate state interest such as national security, public order, prevention of crime, or protection of others' rights.
  3. Proportionality (means-ends) — the means adopted must be proportionate to the aim. The "least restrictive alternative" principle applies — if a less intrusive method achieves the same aim, it must be preferred.
  4. Procedural safeguards — appropriate due process, oversight mechanisms, and remedies must exist.

This four-part test was first articulated by Justice Chandrachud in his Puttaswamy opinion (drawing on German constitutional jurisprudence) and refined in the Aadhaar verdict (2018), Anuradha Bhasin (2020), and DPDP-related challenges. It is now the standard test for any state action restricting a Fundamental Right under Article 21.

The Aadhaar verdict (2018) — privacy meets welfare state

2018

Justice K.S. Puttaswamy v. Union of India (Aadhaar)

4:1. A 5-judge Constitution Bench upheld the Aadhaar Act 2016 as constitutional with modifications. CJI Dipak Misra led the majority; Justice Chandrachud dissented.

The Aadhaar Act mandated biometric authentication for various services. Petitioners argued the scheme violated privacy by collecting biometric data of 130 crore Indians. The government argued it was essential for targeted welfare delivery and prevention of leakages.

The verdict's pragmatic compromise:

  • Aadhaar can be made MANDATORY for: PAN card, Income Tax filing.
  • Aadhaar CANNOT be made mandatory for: bank accounts, mobile SIM cards, school admissions.
  • Section 57 struck down — private entities (telecom companies, banks, schools) cannot demand Aadhaar.
  • Children's rights protected — no child can be denied benefits for lack of Aadhaar; consent of guardian required.
  • Money Bill route upheld — the Aadhaar Act was passed as a Money Bill (bypassing Rajya Sabha). The Court held this was valid because the Act primarily concerned subsidies (Article 110(1)(g)). Justice Chandrachud strongly dissented on this point — a position vindicated in the 2022 Supreme Court Roger Mathew verdict on Money Bill abuse.

Justice Chandrachud's dissent argued that the Aadhaar architecture failed the proportionality test — less intrusive alternatives existed for welfare delivery, and the data collection was disproportionate to legitimate aims. The dissent was widely praised in legal academia and influenced subsequent privacy-related judgments.

Post-Puttaswamy: privacy reshapes Indian law

Within five years of Puttaswamy, the privacy doctrine had reshaped multiple areas of Indian law.

2018

Navtej Singh Johar v. Union of India

5:0. Decriminalised Section 377 IPC to the extent it criminalised consensual same-sex relations between adults. The Court relied heavily on Puttaswamy's decisional privacy — the right to make intimate choices about one's relationships. Sexual orientation was held to be intrinsic to identity.

2018

Joseph Shine v. Union of India

5:0. Struck down Section 497 IPC (adultery). The Court held the provision treated women as property of their husbands, violated equality (Article 14), liberty (Article 21), and decisional privacy. Adultery remains a ground for divorce but is no longer a criminal offence.

2020

Anuradha Bhasin v. Union of India

Internet shutdowns case from J&K. Held that indefinite internet shutdowns violate Article 19(1)(a) and the right to trade. Shutdowns must satisfy the proportionality test — necessity, suitable means, least restrictive alternative. Set procedural safeguards for shutdown orders.

2021

Manohar Lal Sharma v. Union of India (Pegasus)

Petition alleging the Indian government used the Pegasus spyware on journalists, activists and opposition politicians. The Court constituted an independent technical committee to investigate. The committee's August 2022 report found malware on 5 of 29 phones examined, but could not definitively attribute it to NSO/Indian government. Ongoing.

2023

Supriyo v. Union of India (Marriage Equality)

5:0. A 5-judge bench held that there is no fundamental right to marry (the matter is for Parliament). However, the Court reaffirmed Navtej's protection of same-sex relationships under Puttaswamy. The Court directed that same-sex couples cannot be discriminated against in access to social welfare and financial services.

The Digital Personal Data Protection Act 2023

Puttaswamy's mandate for legislative protection of privacy took six years to materialise. The Justice B.N. Srikrishna Committee submitted a draft Personal Data Protection Bill in 2018. Multiple iterations were tabled, withdrawn, and revised. Finally, on 11 August 2023, the Digital Personal Data Protection Act 2023 received Presidential assent.

The DPDP Act 2023 is India's first comprehensive data protection law. Key features:

  • Applicability: Processing of digital personal data in India, plus offshore processing related to offering goods/services to Indians.
  • Consent-centric framework: Personal data can only be processed for a lawful purpose for which consent has been given (or for "certain legitimate uses" enumerated in the Act).
  • Notice and consent: Data fiduciaries must notify individuals before/at the time of collection.
  • Rights of individuals (Data Principals): Right to access, correct, erase data; right to grievance redressal; right to nominate (post-death data rights).
  • Data Protection Board of India: Quasi-judicial body to enforce the Act. Operationalisation pending as of 2026.
  • Significant Data Fiduciaries (SDFs): Companies meeting specified criteria face additional obligations including appointment of a Data Protection Officer.
  • Penalties: Up to ₹250 crore for failure to take reasonable security safeguards; ₹150 crore for breach of children's data rules.
  • Exemptions: State agencies can be exempted in interests of sovereignty, security, public order. This has drawn criticism for creating broad surveillance carve-outs.
  • Cross-border data transfer: Currently permissive (can transfer to any country except those notified) — much less restrictive than EU GDPR.

Comparison with EU GDPR:

| Feature | India DPDP 2023 | EU GDPR 2018 |
|---|---|---|
| Consent | Required, with certain exemptions | Required, with narrow exemptions |
| Children's data | Parental consent for under-18s | Parental consent for under-16s (variable) |
| State agency exemptions | Broad | Limited; principle of proportionality |
| Cross-border transfers | Permissive (exclude notified countries) | Restrictive (adequacy decisions required) |
| Penalties | Up to ₹250 crore | Up to 4% of global annual turnover |
| Right to be forgotten | Yes (right to erasure) | Yes |
| Data portability | Not explicit | Yes |

The Act's main critique: excessive state exemptions. Privacy advocates argue the Act allows surveillance to continue largely unconstrained, in tension with Puttaswamy's mandate. The Pegasus case investigation is one test of whether the law actually constrains state surveillance.

Continuing challenges and open questions

  • Surveillance reform: The Telegraph Act 1885 and IT Act 2000 surveillance provisions have not been overhauled despite Puttaswamy. The B.N. Srikrishna report's recommendations on surveillance oversight remain unimplemented.
  • DPDP Act operationalisation: The Data Protection Board has not been constituted as of early 2026; rules are still being finalised.
  • AI and biometric privacy: Facial recognition technology deployment by police and railways raises new privacy questions not explicitly addressed by current law.
  • Pegasus accountability: The ongoing Supreme Court case has not yet conclusively attributed the spyware deployment.
  • Cross-border data flows: How India's permissive framework interacts with GDPR-style restrictive regimes is unclear, especially for Indian IT services exporters.
  • Section 230-equivalent: Platform liability for content (Shreya Singhal struck down Section 66A in 2015) remains contested under the IT Rules 2021.

UPSC Previous Year Questions

UPSC Mains GS-2 2024

"What is the importance of the Digital Personal Data Protection Act 2023? Examine its key provisions and the challenges in its implementation in light of the Puttaswamy verdict." — Frame the answer around the 4-part proportionality test, the Act's key provisions, and the broad state exemption critique.

UPSC Mains GS-2 2021

"What are the major challenges to the digital economy in India? Discuss the steps taken by the government to address them, especially with respect to data protection." — Connect Puttaswamy → Srikrishna Committee → multiple Bill iterations → DPDP Act 2023.

UPSC Prelims 2018

"With reference to the right to privacy as a fundamental right in India, which of the following statements is/are correct? 1. The Supreme Court has interpreted privacy as flowing from Article 21. 2. The verdict explicitly overruled earlier verdicts denying privacy." — Both statements are CORRECT.

UPSC Mains tip — high-scoring answer template

For any privacy question: (1) Define under Puttaswamy 2017 (9-judge bench, unanimous, overruled M.P. Sharma + Kharak Singh). (2) Three dimensions — bodily, informational, decisional. (3) 4-part proportionality test (legality, legitimate aim, proportionality, procedural safeguards). (4) Apply to current issue (DPDP, AI, surveillance, etc.). (5) Conclude with the constitutional balance — privacy is fundamental but not absolute; state must justify restrictions through the proportionality lens.