UNIVERSITY INSTITUTE OF LEGAL STUDIES (UILS)

Subject Name: Data Privacy Laws

Course Code -21LLT-463

Ms. Sabrina Bath(Assistant Prof.)

DISCOVER . LEARN . EMPOWER

 Meaning and significance of privacy and data protection

Meaning of Data Privacy:

The term "data privacy" refers to the protection of personal information and the rights individuals have over
their own data.
➢ It concerns how personal data is collected, stored, used, shared and protected by organizations, as well as how
individuals can control access to their data.
➢ In essence, data privacy is about individuals' rights to control their personal information and ensuring
that organizations handle this information responsibly, securely and in compliance with laws and regulations.
➢ Focus: The individual’s right to control their personal information.
➢ Example: If a company collects a person's email address, data privacy involves whether that company has
obtained explicit consent to use the email address, whether the individual knows how the email will be used,
and whether they can opt-out or request deletion
Meaning of Data Protection:

Data protection refers to the measures and practices implemented to ensure the security and safety of
personal data from unauthorized access, loss or corruption. It is concerned with how personal data is secured
and protected from threats, including cyberattacks, data breaches and misuse.

➢ Focus: The safeguarding and security of personal data.

➢ Example: Data protection would involve ensuring that email addresses are encrypted when stored in a
database, using firewalls to prevent unauthorized access, and implementing strong password policies to
prevent internal misuse.
 Significance of Data Privacy and Data Protection

1.Protects Individual Rights and Freedoms: Ensures individuals control their personal data, preserving autonomy and
privacy as a fundamental human right.
2.Prevents Identity Theft and Fraud: Safeguards against identity theft, financial fraud and malicious activities by
protecting sensitive personal information.
3.Builds Consumer Trust: Companies that prioritize data privacy gain consumer confidence, enhancing customer loyalty
and long-term relationships.
4.Ensures Legal Compliance: Compliance with laws like The General Data Protection Regulation (GDPR), Digital
Personal Data Protection Act, 2023 (DPDPA) and Health Insurance Portability and Accountability Act (HIPAA) of 1996,
etc. prevents legal penalties, ensuring businesses adhere to regional and global data protection regulations.
5.Prevents Discriminatory Practices: Ensures personal data is used ethically, avoiding biased practices in areas like
credit scoring, hiring, and healthcare.
 Significance of Data Privacy and Data Protection (Cont.)

6. Protects Against Cyberattacks: Robust data protection measures (e.g., encryption, secure passwords) prevent
breaches that could expose sensitive data to cyberattacks.
7. Promotes Accountability and Transparency: Organizations are accountable for how they manage personal data,
ensuring transparency in data collection and usage practices.
8. Encourages Ethical Business Practices: Ethical handling of data builds trust with consumers and enhances
corporate reputation.
9. Supports Innovation with Responsible Data Use: Encourages the ethical and responsible sharing of anonymized
data for research and innovation, while protecting individuals' privacy.
10. Facilitates Cross-Border Data Flow: Strong data protection laws enable safe international data exchanges,
supporting global cooperation and trade.
 Difference between data privacy and data protection
Data Privacy Data Protection

Data Protection is the process of protecting data from external risks such as
Data Privacy refers to maintaining secrecy or keeping control of data access.
corruption, loss, etc.

It is all about authorized access means it defines who has authorized access to It is all about unauthorized access means if anyone has unauthorized access to
data. data then it keeps the data safe from its misuse.

Data Privacy is a legal process which helps in establishing standards and norms Data Protection is a technical control system which keeps data protected from
about accessibility. technical issues.

Data Privacy is the regulations or policies. Data protection is the security procedures and mechanism.

Data Protection is mainly controlled by the organization or company end. They

Data Privacy controls mainly exists at the end user level. The users must know
include all the required security measures to protect their data from being
which data is shared with whom and for what purpose.
exposed to illegal activities.

Data privacy teams are made of experts with law making, policies and some Data protection teams are made of experts from technical background,
technical experts. security background etc.
 Fundamental Concepts of Data Protection and Privacy

➢ The fundamental concepts of data protection and privacy refer to the key principles, practices and regulations that govern how
personal data should be handled, protected and controlled. They are aimed at ensuring individuals' personal data is treated responsibly
and securely by organizations, while also allowing individuals to maintain control over their own data. It includes the following:
1. Personal Data:
➢ Refers to information that can identify an individual, like names, addresses and biometric data.
➢ Protection of personal data ensures confidentiality and ethical use of individual information.
2. Data Controller and Data Processor:
➢ Data Controller: Determines how and why personal data is processed.
➢ Data Processor: Handles data on behalf of the controller.
3. Data Subject:
➢ The individual whose data is being collected.
➢ Has rights over their data, such as access, correction and deletion.
4. Consent:

➢ Permission given by the data subject for data collection and processing.

➢ Must be informed, specific and easily withdrawable.

5. Data Minimization:

➢ Collect only the minimum necessary data for a specific purpose.

➢ Reduces the risks of data misuse.

6. Purpose Limitation:

➢ Data should only be used for the purpose for which it was originally collected.

7. Transparency:

➢ Organizations must clearly inform individuals about how their data is used.

➢ Builds trust and awareness of rights.

8. Data Subject Rights:
➢ Access, Rectification, Erasure (Right to be Forgotten), Restriction, Portability, Objection.
➢ Rights to control how their data is used, accessed or deleted.
9. Accountability:
➢ Organizations must demonstrate their compliance with data protection laws.
➢ Involves policies and controls for data management.
10. Cross-Border Data Transfers:
➢ Personal data transferred across borders must remain protected.
➢ Requires safeguards, such as standard contractual clauses, to ensure data protection.
8. Data Security:
➢ Measures to protect data from unauthorized access, loss, or alteration.
➢ Includes techniques like encryption and firewalls.
9. Data Retention and Deletion:
➢ Personal data should only be kept as long as necessary and securely deleted when no longer needed.
10. Data Breach Notification:
➢ Organizations must notify authorities and individuals in case of a data breach.
➢ Helps mitigate harm and ensures accountability.
 GDPR and Data Protection Principles

Principles of Data Protection under GDPR: These principles form the foundation of data protection regulations like
the General Data Protection Regulation (GDPR), guiding organizations (called controllers) decide how and why
personal data should be processed. The seven key principles which are outlined in Article 5 of GDPR are:
1. Lawfulness, Fairness, and Transparency: Personal data must be processed lawfully, fairly and in a transparent
manner to the data subject.
2. Purpose Limitation: Data should be collected for specific, legitimate purposes and not further processed in ways
incompatible with those purposes.
3. Data Minimisation: Only the minimum amount of personal data necessary for the intended purpose should be
collected.
4. Accuracy: Personal data must be accurate and kept up to date; inaccurate data should be corrected or deleted.
5. Storage Limitation: Data should only be kept for as long as necessary to fulfil the purposes for which it was
collected.
6. Integrity and Confidentiality (Security): Personal data must be processed securely, ensuring confidentiality,
integrity, and protection against unauthorized access or loss.
7. Accountability: Organizations must be able to demonstrate compliance with GDPR principles and take
responsibility for how they process personal data.
 Ethical Considerations and Legal Implications of Privacy and Data Protection

Ethical Considerations: Ethical considerations in privacy and data protection involve the moral principles and
responsibilities that organizations and individuals must follow when collecting, using and sharing personal data. These
considerations ensure that data handling practices are fair, transparent and respectful of individual rights. It includes the
following:

1.Informed Consent: Ensuring that individuals are fully aware of and agree to the data collection and usage practices before
their data is gathered.
2.Data Minimization: Collecting only the data that is necessary for a particular purpose and avoiding the collection of
excessive information that could lead to privacy risks.
3.Transparency and Accountability: Organizations should be open about how personal data is being used and be responsible
for its protection and any potential misuse.
4.User Control: Allowing individuals to have control over their personal data, such as the right to access, correct, and delete
data when necessary.
5.Fair Treatment: Using data in ways that do not discriminate against individuals or groups, and ensuring that data usage is
fair and just.
6.Impact on Society: Considering the broader societal implications of data collection, such as the risks of surveillance,
profiling, or creating inequalities based on data usage.
Legal Implications: Legal implications refer to the legal rules, frameworks and consequences associated with
privacy and data protection. These laws are designed to safeguard individuals' personal data and regulate how it is
processed and protected. It includes the following:

1.Data Protection Laws and Regulations: Countries and regions have specific laws (e.g., GDPR, DPDPA) that
mandate how personal data should be collected, processed, and stored.
2.Penalties for Non-Compliance: Organizations can face severe legal consequences, including fines and penalties,
for failing to comply with privacy laws and regulations (e.g., GDPR can impose fines up to 4% of a company's annual
revenue).
3.Data Subject Rights: Individuals have certain legal rights, such as the right to access their data, the right to correct
inaccuracies, and the right to delete or restrict data processing.
4.Cross-Border Data Transfers: Many laws impose restrictions on transferring personal data across borders to
ensure that the data is protected even when it moves internationally (e.g., under GDPR).
5.Breach Notification: Legal requirements exist for organizations to notify authorities and individuals if there has
been a data breach that compromises personal data.
6.Profiling and Automated Decisions: Legal rules govern the use of personal data in automated decision-making,
particularly where decisions have significant consequences for individuals (e.g., in hiring or credit scoring).
 Constitutional Aspect of Privacy
➢ The "constitutional aspect of privacy" refers to the protection of an individual's privacy rights under the framework of a
country's constitution, especially how privacy is understood and protected through constitutional provisions, legal interpretations
and judicial rulings.
➢ In simpler terms, it looks at how the right to privacy is derived from the Constitution—whether explicitly mentioned or inferred
from various provisions— and how courts interpret and safeguard it.
➢ Key Elements:
1.Constitutional Protection: Privacy rights can either be directly stated in the Constitution or inferred through various rights (like
the right to life, liberty, and equality).
2.Judicial Interpretation: Courts play a crucial role in interpreting the Constitution to establish privacy protections, especially when
privacy is not directly mentioned in the text, as seen in India and other countries.
3.Limits of Privacy: Constitutional privacy protections often come with certain limits, balancing individual privacy against other
important public interests, such as national security, public health, and law enforcement.
 Historical Context of Privacy in the Indian Constitution:
To understand the history of privacy rights in India and why it was not explicitly included in the Indian Constitution,
we need to look at the efforts made during the drafting of the Constitution, the discussions held in the Constituent
Assembly, and the arguments put forward by various key figures.

➢ The Advisory Committee on Fundamental Rights: The Advisory Committee on Fundamental Rights
(Fundamental Rights Sub- Committee) was a key body in the process of drafting the Indian Constitution. Its task
was to suggest and draft the Fundamental Rights that would be guaranteed to all citizens of India. Fundamental
rights are the basic rights and freedoms that every citizen is entitled to, such as the right to freedom of speech,
equality, and protection against discrimination.
The Proposal for Privacy Rights: The Fundamental Rights Sub-Committee had deliberations on various rights,
including the right to privacy. Several key members strongly supported the idea that privacy should be a fundamental
right:

1. K. M. Munshi: K. M. Munshi, a prominent member of the Constituent Assembly, was one of the advocates for
privacy rights. He supported the inclusion of the right to privacy in the Constitution, emphasizing the importance of
protecting individuals from unwarranted interference by the state or other authorities.
2. Harman Singh: Harman Singh also supported the inclusion of the right to privacy, arguing that it should cover
personal privacy, the sanctity of homes and protection against unreasonable searches.
➢ He put forth the argument that individuals must have protection from arbitrary actions by the government or
other bodies. Harman Singh's view was similar to the Fourth Amendment of the U.S. Constitution, which
guarantees the right of people to be secure against unreasonable searches and seizures and specifies that no
warrants should be issued except based on probable cause.
3. Dr. B. R. Ambedkar: Dr. B.R. Ambedkar, who is often regarded as the principal architect of the Indian
Constitution, also supported the notion of privacy. Dr. Ambedkar was particularly focused on protection against
arbitrary searches and seizures. He emphasized the need for individuals to be secure in their personal and private
matters, free from unwarranted interference by the state.
➢ Dr. Ambedkar supported the idea that constitutional protections should ensure that no one’s personal space or private
affairs could be disturbed without proper legal procedures and a valid reason.
Opposition to the Right to Privacy: On the other hand, there were opposing voices from within the Constituent Assembly,
particularly from B. N. Rau and Alladi Krishnaswamy Ayyar, who raised concerns about the impacts on law enforcement
and the powers of the police.
1. B. N. Rau: B. N. Rau, who was the constitutional advisor to the Constituent Assembly, voiced strong opposition to the
inclusion of privacy rights. His main concern was that protecting privacy through the Constitution could seriously
affect the investigative powers of the police. He argued that if the Constitution required a court warrant for every
search or seizure, it could complicate the police's ability to investigate crimes effectively. Rau felt that the
constitutional guarantee of privacy might make it difficult for authorities to gather evidence in criminal investigations.
➢ His argument essentially boiled down to the belief that investigative powers—such as searches and seizures—needed to
be unrestricted in certain situations to help maintain law and order. He felt that the right to privacy could serve as a
hindrance to police work, particularly in cases where immediate action was required, such as in preventing crime or in
national security matters.
3. Alladi Krishnaswamy Ayyar: Alladi Krishnaswamy Ayyar, another key member, shared similar concerns. He
argued that unrestricted police powers were crucial for investigations, particularly in situations where speed
and efficiency were required. He believed that limiting the police's ability to search individuals or seize
property without a warrant might cause delays in the investigative process and could ultimately affect public
safety.
➢ The Final Decision: After these intense deliberations, the Constituent Assembly was unable to reach a
consensus on the right to privacy. While many members, including Dr. Ambedkar and Harman Singh,
supported it, the concerns about law enforcement and police powers were significant enough to sway the
decision in the opposite direction.
➢ As a result, the right to privacy was not included in the final version of the Fundamental Rights chapter in
the Constitution.
➢ Constitutional Framework for Right to Privacy in India:
• Article 21 (Right to Life and Personal Liberty): The Supreme Court has interpreted this to include the right to privacy as part of
personal liberty.
• Article 14 (Right to Equality): Privacy is linked to equality, particularly in cases of discrimination and unequal treatment.
• Article 19 (Freedom of Speech and Expression): Protects personal expression, often connected to the right to privacy.

➢ "Privacy is Not an Absolute Right – It is Subject to Reasonable Restrictions”

1. Privacy is Not Absolute:
•Privacy is a fundamental right, but it can be restricted in certain situations.
•Restrictions may apply when privacy conflicts with national security, public order, decency, morality, or other public interests.
2. Two Key Exceptions to Privacy:
(a) Reasonable Restrictions: Privacy can be limited for reasons such as the interests of the sovereignty and integrity of India, the
security of the State, friendly relations with Foreign States, public order, decency or morality or in relation to contempt of court,
defamation or incitement to an offence [Article 19(2)].
(b) Conflict with Other Fundamental Rights:
•Privacy may be limited if it conflicts with other fundamental rights that serve the greater public good.
•Example: In Mr. X v. Hospital Z (1998), a man's right to privacy was overridden to protect his fiancée’s right to health.

3. The Test of Proportionality (Puttaswamy Judgment, 2017):

The test of proportionality ensures privacy restrictions are justified:
1.Sanctioned by Law: The restriction must be authorized by a law with a legal basis.
2.Fair and Reasonable Procedure: The restriction must follow a fair and non-arbitrary legal process.
3.Legitimate State Interest: The government must have a valid reason (e.g., national security, public health).
4.Proportionality of the Interference: The extent of privacy interference must be proportional to the need (e.g.,
monitoring only those involved in a security threat).
Landmark Judgments:

➢ MP Sharma v. Satish Chandra (1954): The court refused to recognise a right against search and seizure of documents, since the constitution-makers
had not provided for it.
➢ Kharak Singh v. State of UP (1964): The right of privacy is not a guaranteed right under our Constitution and therefore the attempt to ascertain the
movements of an individual which is merely a manner in which privacy is invaded is not an infringement of a fundamental right
➢ Gobind v. State of Madhya Pradesh & Anr. (1975): The right to privacy must encompass and protect the personal intimacies of the home, the family,
marriage, motherhood, procreation and child rearing, and is subject to restriction only on the basis of compelling public interest.
➢ T. Sareetha vs T. Venkata Subbaiah (1983): The Andhra Pradesh High Court held that a woman’s choice to not cohabit with her husband, not have
marital intercourse and not to bear children were a part of the right to privacy and can be infringed only upon a superior state interest
➢ Smt. Saroj Rani vs. Sudarshan Kumar Chadha (1984): The decision in Sareetha was overturned. The law permitting restitution of conjugal rights was
considered to serve a social purpose (prevention of failing marriages) and was held valid.
➢ R. Rajagopal & Ors. vs. State of Tamil Nadu & Ors. (1994): The right to privacy is the right to be let alone and was also held enforceable against
private actors. This is inconsistent with the jurisprudence on most fundamental rights which are only enforceable against the state.
➢ People's Union for Civil Liberties vs. Union of India & Ors. (1996): The court provided interim procedural
safeguards on telephone tapping and held that proper procedural safeguards must be followed.
➢ Mr. X vs. Hospital Z (1998): This is also case of application of right to privacy against private actors, and it was held
that it must be balanced against public interest.
➢ Hinsa Virodhak Sangh vs. Mirzapur Moti Kuresh Jamat & Ors. (2008): What an individual chooses to eat is their
personal affair and decisional choice and part of their right to privacy.
➢ Jamiruddin Ahmed vs. State of West Bengal (2009): The Supreme Court declared a search illegal because the
authorities failed to record the reasons for conducting a warrantless search, despite having sufficient time to do so. The
judgment was overturned, and the appellant was released from jail. The Court emphasized that in cases like the NDPS
Act, compliance with legal procedures is crucial, as failure to do so infringes on an individual’s right to privacy.
➢ Selvi & Ors. vs State of Karnataka & Anr (2010): The compulsory administration of techniques such as narco analysis,

polygraph examination and brain-mapping is against the right to privacy and infringes upon one’s personal space.
➢ Ram Jethmalani and Ors. vs. Union of India (2011): The Supreme Court ordered the formation of an special

investigation team to monitor investigations into illegal foreign bank accounts. It ruled that while the government must
share information, the account details can only be disclosed if unlawful activities are proven, balancing the right to
information with privacy rights.
➢ In Re: Ramlila Maidan Incident v. Home Secretary, Union of India & Ors. (2012): Discussed the right to sleep and
the right to privacy as integral parts of the right to life. The court extensively discussed the various aspects relating to
the restrictions that could be imposed on the exercise of fundamental rights.
➢ Justice K.S. Puttaswamy (Retd.) & Anr. vs. Union of India & Ors. (2017): The watershed decision in the judicial
history of India recognised the right to privacy as a distinguished fundamental right under Article 21 of the Constitution
of India.
 Dimensions of Right to Privacy

➢ Dimensions of Right to Privacy refer to the various aspects or areas of an individual's life that are protected from undue
interference, surveillance, or intrusion. These dimensions cover different aspects of personal autonomy and control over sensitive
information. The concept of privacy extends beyond just protecting physical space and includes personal data, financial details,
health information, and cultural identity, among others.

➢ The main dimensions of the Right to Privacy are discussed below:

1. Personal Privacy: Protects the personal life, relationships, and intimate spaces of an individual from intrusion or surveillance.
➢ Examples: Protection from government surveillance, privacy in relationships, freedom from media intrusion.
➢ Case Law: K.S. Puttaswamy v. Union of India (2017) – Right to Privacy recognized as a fundamental right, safeguarding personal
space and relationships.
2. Financial Privacy: Refers to the protection of an individual’s financial information, including bank details, transactions, and
credit card information.
➢ Examples: Safeguarding banking information, ensuring confidentiality during online transactions, protecting against identity
theft.
➢ Case Law: K.S. Puttaswamy (Retd.) v. Union of India (2017) – Concerns about Aadhaar linking financial data with various
services.
3. Intellectual Property (IP) Privacy: Protects the rights of individuals to control their intellectual creations like inventions,
artistic works, and business secrets.
➢ Examples: Copyright protection for authors, patent rights for inventors, protection of trade secrets for businesses.
4. National Security Privacy: Balances the state's need to ensure national security with the individual's right to privacy. While
governments may conduct surveillance for security, it must be done proportionally and with legal oversight.
➢ Examples: Surveillance for counter-terrorism purposes, intelligence gathering, with limitations to prevent abuse.
➢ Case Law: People's Union for Civil Liberties v. Union of India (1997) – Surveillance must be regulated by legal frameworks to
protect privacy.
5. Health Privacy: Ensures that an individual’s medical records, health status, and treatment information are kept
confidential and not disclosed without consent.
➢ Examples: Protection of sensitive health data, confidentiality regarding mental health or genetic conditions,
medical treatment records.
➢ Case Law: Mr. X v. Hospital Z (2002)– Ensuring medical records and treatment details are kept confidential.
6. Ethnic Privacy: Safeguards an individual’s ethnic, cultural, and racial identity from being disclosed or used in a
discriminatory manner.
➢ Examples: Protection from racial profiling, ensuring personal ethnic identity is not misused in hiring, law
enforcement or education.
 Evolution of Data Protection Laws

1. Early Roots of Privacy:

•Semayne case (1604): Recognized an individual's right to keep their home private, marking the early concept of privacy.
2. Expansion of Privacy Concept:
•Warren & Brandeis’ article (1890): Highlighted the need to protect privacy in a rapidly changing society.
3. International Recognition:
•Universal Declaration of Human Rights (1948): Article 12 formally recognized privacy as a human right, laying the foundation
for global privacy protections.
4. International Frameworks:
•OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980): Developed international
privacy protection frameworks, especially for cross-border data flows.
•GDPR: The EU's General Data Protection Regulation set global standards for personal data protection, influencing privacy laws
worldwide.
5. Data Privacy in India:
•Pre-2017: Privacy was not immediately recognized as a fundamental right in India.
• Justice K.S. Puttaswamy v. Union of India (2017): The Supreme Court ruled that privacy is a
fundamental right under Article 21 of the Constitution.
•Digital Personal Data Protection Act (2023): After years of debate, India passed its first
comprehensive data protection law, addressing privacy concerns in the digital age.
 Judicial Response to Personal Data Protection

Legal Landscape for Data Protection in India before the Digital Personal Data Protection Act, 2023:

❖The Information Technology Act, 2000 (IT Act)

➢formed the statutory basis for India’s data protection and privacy law.
➢Information Technology (Amendment) Act, 2008- introduced certain provisions relating to data protection
in India.
➢The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal
Data or Information) Rules, 2011 were introduced under s. 43A of the Information Technology Act, 2000.
Key Milestones:

❖ K.S. Puttaswamy v. UOI (2017) (privacy judgment)- watershed moment in the evolution of personal data
protection and privacy jurisprudence in India and kickstarted a movement for the introduction of a more robust and
comprehensive data protection regulation in India.
❖In 2017, B.N. Srikrishna Committee was formed to submit a detailed report on the introduction of the data privacy
law in India. In response, the Personal Data Protection Bill, first drafted in 2018 and subsequently revised in 2019 and
2021, sought to address data protection comprehensively.
❖Despite these efforts, there was no single comprehensive data protection law in place until the Digital Personal Data
Protection Act was introduced on 11 August, 2023 which unified and expanded upon these earlier frameworks to
create a more cohesive and rigorous data protection regime.
 Justice K.S. Puttaswamy (Retd.) & Anr. vs. Union of India & Ors. (2017); Citation : 2017 (10) SCC 1

Case Brief: This case is a landmark decision in Indian constitutional law, affirming the right to privacy as a fundamental right under the
Constitution of India. The nine-judge bench of the Supreme Court delivered a unanimous ruling, recognizing privacy as an intrinsic
element of dignity, autonomy, and personal liberty, and integral to the freedoms guaranteed in Part III of the Constitution.

➢ Background: The case arose from a petition filed by Justice K.S. Puttaswamy, a retired judge, challenging the Aadhaar project
initiated by the government. The Aadhaar scheme, which involved collecting biometric and demographic data of Indian residents, was
questioned on the grounds of a violation of the right to privacy.
➢ In 2015, the issue of whether privacy was a fundamental right was debated, especially in the context of the Aadhaar project. The
Attorney General argued against the right to privacy, citing the decisions in M.P. Sharma v. Satish Chandra (1954) and Kharak
Singh v. State of Uttar Pradesh (1964), which had previously denied privacy as a fundamental right. Given the importance of the
issue and conflicting precedents, the matter was referred to a nine-judge bench.
➢ Key Issue: The primary issue before the bench was whether the right to privacy was a fundamental right under
Part III of the Indian Constitution, which guarantees fundamental rights like the right to life and personal liberty
under Article 21.

➢ Arguments
1. Respondents (State's Argument):
1. The State relied on previous judgments like M.P. Sharma and Kharak Singh, arguing that the Constitution
did not specifically recognize the right to privacy.
2. They contended that the framers of the Constitution did not intend for privacy to be a fundamental right.
2. Petitioners' Argument:
1. The Petitioners argued that the earlier rulings in M.P. Sharma and Kharak Singh were based on
outdated interpretations and should be overruled.
2. They contended that privacy is a natural right and should be read into the Constitution, particularly
under Article 21, which guarantees the right to life and personal liberty.
3. The Petitioners also advocated for a multi-dimensional model of privacy, emphasizing that it covers
personal choices, bodily autonomy, informational privacy, and the freedom to make decisions
without state interference. They linked the right to privacy to the Preamble and international human
rights standards.
Decision- The Supreme Court in a unanimous decision held that:

1. Right to Privacy is a Fundamental Right:

➢ The right to privacy is an intrinsic part of the right to life and personal liberty under Article 21 of the Constitution and
forms part of the freedoms guaranteed by Part III of the Constitution.
➢ The Court overruled the earlier judgments in M.P. Sharma and Kharak Singh, which had denied privacy as a fundamental
right.

2. Privacy as a Broad and Overarching Right:

➢ Privacy is not a narrow right against physical intrusion but extends to bodily autonomy, choices, informational privacy, and the
freedom to control one's personal data.
➢ The Court rejected the argument that privacy was an "elitist construct" and emphasized that it applies to all individuals, regardless
of class, caste, or social status.
3. Limits on the Right to Privacy:
➢ While affirming the right to privacy, the Court also noted that this right is not absolute.
➢ State interference with privacy can be justified if it meets the following three conditions:
a) Legality – there must be a law that allows for such interference.
b) Need – there must be a legitimate state interest.
c) Proportionality – the means must be proportionate to the aim.
➢ Additionally, Justice S.K. Kaul added a fourth prong, requiring procedural guarantees to prevent abuse of state
power when interfering with privacy.

4. Privacy and Sexual Orientation: The Court recognized that sexual orientation is an essential aspect of privacy,
reflecting a commitment to equality and personal dignity.
5. Information Privacy:
➢ The Court explicitly recognized informational privacy as part of the right to privacy, addressing concerns about
data protection.
➢ While acknowledging the need for a comprehensive data protection law, the Court left the matter to Parliament
to legislate.

➢ Impact and Significance

1. Overruling Previous Judgments: This judgment overruled the M.P. Sharma and Kharak Singh cases, which
had previously held that the right to privacy was not a fundamental right under the Constitution. The Court's ruling
established privacy as an essential and enforceable right under Article 21.
2. Affirmation of Privacy as a Human Right: The Court emphasized that the right to privacy is not just a
national concern, but part of a global human rights framework, reflecting the growing importance of privacy in the
modern world.
3. Framework for State Intrusion: The judgment established clear guidelines for any state
intervention in privacy, ensuring that it is justified, proportionate, and legally sound.
4. Call for Data Protection Laws: The Court highlighted the need for robust laws to protect
personal data, urging Parliament to legislate a comprehensive data protection framework.
➢ The Tests for Privacy Infringement
The Court discussed various tests that should be used to evaluate infringements of privacy:
1. Reasonableness: The Court stressed that any law infringing on privacy must be just, fair and reasonable
under Article 21.
2. Proportionality: Several judges suggested a proportionality test (similar to European human rights
standards) to evaluate whether the government’s interference with privacy is justified by a compelling state
interest.
3. Compelling State Interest: It suggested a strict scrutiny test for privacy claims, especially those involving
major state actions. This would require the state to prove that the intrusion is justified by a significant public
interest.
➢ A New Standard: The Proportionality Test

A proportionality test emerged as a central standard for judging privacy infringements and outlined three
essential elements:
• Legality: There must be a law that allows for the privacy infringement.
• Legitimate Goal: The aim of the infringement must be legitimate (e.g., national security).
• Proportionality: The means used to achieve the goal must be proportionate to the harm caused.
• Procedural Safeguards: There should be safeguards to prevent the abuse of power.
➢ This proportionality test aligns closely with the European approach, which requires the government to show
that the privacy infringement is the least restrictive way to achieve its goal.
➢ Conclusion

The K.S. Puttaswamy case is a landmark judgment in Indian constitutional law, affirming
the right to privacy as a fundamental right under the Constitution. The judgment marks
a significant shift in the interpretation of fundamental rights in India, recognizing privacy
as a core value that protects individual autonomy, dignity and freedom. It also provides a
roadmap for balancing privacy rights with state interests and sets the stage for future
legislation on data protection.