The Right to Privacy in the Digital Age: An Indian Perspective

- Devranjan Singh Shekhawat, B.B.A LL.B (H), XTH Sem., 5th Year

Introduction

In an era where digital technology has seamlessly integrated into our daily lives, the question
of individual privacy has emerged as both vital and vulnerable. With every click, swipe, and
tap, our personal data is being collected, processed, and stored—often without our informed
consent or awareness. From smartphones to smart homes, from online banking to social media
interactions, the contours of privacy have extended far beyond physical boundaries to what is
now known as informational privacy.

The rapid pace of digital transformation in India, spurred by initiatives like Digital India, has
undeniably empowered citizens. Yet, it has also exposed them to unprecedented levels of
surveillance, data mining, and algorithmic profiling. In this digital age, the fundamental right
to privacy has found itself at the crossroads of innovation, governance, and individual
autonomy.

The Indian legal landscape has responded to this paradigm shift through a landmark judicial
pronouncement in Justice K.S. Puttaswamy (Retd.) v. Union of India (2017), wherein the
Supreme Court of India unequivocally declared the Right to Privacy as a fundamental right
under Article 21 of the Constitution. This decision laid the constitutional foundation for
protecting privacy in a digitally driven democracy.

However, the recognition of the right is merely the beginning. The challenges of implementing,
regulating, and enforcing privacy norms in a digital environment—riddled with surveillance
mechanisms, porous cybersecurity frameworks, and unchecked corporate data practices—pose
complex legal and ethical dilemmas. As India strides forward with data-centric policies,
including the recent Digital Personal Data Protection Act, 2023, the balance between state
interest, technological progress, and citizen privacy remains delicate and evolving.

This article delves into the constitutional development of the right to privacy in India, its
relevance and challenges in the digital age, key legal frameworks, international comparisons,
and the road ahead for safeguarding this essential right in the world’s largest digital democracy.
Constitutional Evolution of the Right to Privacy in India

A. Pre-Puttaswamy Era: A Fragmented Understanding

The journey of recognizing privacy as a constitutional right in India began in a fragmented and
cautious manner. During the early years of constitutional interpretation, the courts displayed
reluctance in acknowledging privacy as a standalone right.

1. M.P. Sharma v. Satish Chandra (1954)

In this case, an eight-judge bench of the Supreme Court dealt with the issue of search
and seizure under Article 20(3) of the Constitution. The Court held that the
Constitution did not explicitly provide a right to privacy, and therefore, such a right
could not be read into the existing provisions. This judgment became a precedent for
subsequent judicial hesitation in elevating privacy as a fundamental right.

2. Kharak Singh v. State of U.P. (1962)

In this case, the Court examined police surveillance practices under Article 21 (right to
life and personal liberty). While the majority denied the existence of a constitutional
right to privacy, Justice Subba Rao’s dissenting opinion laid an early foundation,
asserting that the right to privacy is intrinsic to personal liberty. His views, though in
the minority, later gained prominence in future judicial thought.

Together, these decisions revealed a judicial tendency to prioritize state powers and public
order over personal liberties, particularly in the absence of explicit constitutional text affirming
a right to privacy.

B. Post-Puttaswamy Era: A Landmark Recognition

The constitutional jurisprudence on privacy underwent a monumental transformation in the

landmark judgment of Justice K.S. Puttaswamy (Retd.) v. Union of India (2017). A nine-
judge constitutional bench unanimously held that the right to privacy is a fundamental right,
protected under Article 21 of the Constitution and also emanating from Articles 14 and 19.
Key Highlights of the Judgment:

• Overruling Previous Judgments: The Court categorically overruled M.P. Sharma and
Kharak Singh to the extent they denied the right to privacy.

• Expanded Interpretation: Privacy was recognized as an essential facet of dignity,

autonomy, bodily integrity, and informational self-determination.

• Framework for Regulation: The judgment laid down a three-fold test for any
invasion of privacy – legality, necessity, and proportionality – setting a high bar for
permissible limitations.

The Court emphasized that in an age of big data, informational privacy is central to protecting
democratic values. Justice D.Y. Chandrachud observed that privacy is not surrendered when
data is shared with private entities, thus widening the ambit of state and corporate
accountability.

C. Other Relevant Judicial Developments

Post-Puttaswamy, the Indian judiciary has continued to reinforce privacy in digital contexts:

• Internet and Mobile Association of India v. RBI (2020) – The Supreme Court quashed
the RBI’s banking ban on cryptocurrency trading and emphasized the need for
proportional restrictions on digital freedoms.

• Anuradha Bhasin v. Union of India (2020) – The Court recognized access to the
internet as a medium to exercise freedom of speech, thus linking digital access with
fundamental rights.

• Binoy Viswam v. Union of India (2017) and Aadhaar Judgment (2018)** – Addressed
the balance between biometric data collection and individual consent.

These cases collectively underscore the dynamic and evolving nature of privacy in India’s
constitutional ecosystem, especially in response to digitalization.

Challenges to Privacy in the Digital Age

Despite judicial recognition, the implementation and protection of privacy rights in the digital
sphere face significant and multifaceted challenges:

A. Surveillance and Data Collection

1. State-Sponsored Surveillance

o Government surveillance systems like the Central Monitoring System (CMS),

NATGRID, and NETRA operate with minimal transparency and judicial
oversight.

o The rise of facial recognition technologies and biometric databases, such as

Aadhaar, have raised concerns about mass surveillance and profiling.

2. Lack of Legal Safeguards

o India lacks a comprehensive surveillance law with strong procedural

safeguards, leaving citizens vulnerable to arbitrary data access.

B. Corporate Data Exploitation

1. Data Harvesting by Private Entities

o Tech giants, social media platforms, and mobile applications routinely collect
vast volumes of personal data including user locations, preferences, and
behavioral patterns.

o Practices such as algorithmic profiling, targeted advertising, and third-party

data sharing have blurred the lines of informed consent.

2. Opaque Terms and Conditions

o Users are often forced to accept exhaustive and vaguely worded privacy
policies, leading to a de facto erosion of their autonomy and choice.

C. Cybersecurity Threats

1. Rising Incidence of Data Breaches

 o India has witnessed frequent data leaks affecting entities such as banks, telecom
operators, and government agencies.

o Ransomware attacks, phishing, and identity theft are increasing, with

insufficient remedial mechanisms for victims.

2. Digital Illiteracy and Lack of Awareness

o A vast segment of the population remains unaware of digital hygiene practices,

making them easy targets for exploitation.

o There is a pressing need for digital literacy programs to educate users about
safeguarding their personal information.

In summary, while the recognition of the right to privacy by the Indian judiciary marks a
constitutional milestone, its enforcement in the digital ecosystem demands robust legal
frameworks, institutional accountability, and technological safeguards. The next frontier in
privacy law must bridge the gap between legal recognition and technological realities.

Legal and Regulatory Framework Governing Privacy in the Digital Age

The recognition of privacy as a fundamental right in India necessitated the creation of an

effective legal ecosystem capable of translating this right into practical safeguards. However,
India’s legal and regulatory framework on data privacy and digital rights is still evolving, often
criticized for being fragmented and reactive. The following statutes and policies currently serve
as the pillars of data protection and privacy regulation in India.

A. The Information Technology Act, 2000 (IT Act)

The IT Act, 2000 is India’s primary legislation governing cyber activities, including certain
aspects of data protection. Though not originally designed as a data privacy law, key
amendments and rules provide a skeletal framework for privacy safeguards.

1. Section 43A
 o Holds a body corporate liable for negligence in implementing and
maintaining reasonable security practices, if it causes wrongful loss or gain
to any person.

o Provides for compensation to affected individuals but lacks punitive deterrents

and comprehensive standards.

2. Section 72A

o Punishes any person who discloses personal information without consent,

obtained while providing services under lawful contract.

o Offers limited scope and applies primarily to service providers.

While the IT Act laid the groundwork, its effectiveness has been questioned due to narrow
applicability, weak enforcement, and absence of user-centric remedies.

B. The Information Technology (Intermediary Guidelines and Digital Media Ethics Code)
Rules, 2021

These rules aim to regulate the conduct of intermediaries like social media platforms,
messaging apps, and OTT services.

• Due Diligence Obligations: Intermediaries must publish privacy policies, respond to

complaints, and take down unlawful content within set timelines.

• Traceability Clause: Significant social media intermediaries must enable traceability

of originators of messages, which has drawn criticism for undermining end-to-end
encryption and user privacy.

• Grievance Redressal: Appointment of grievance officers and compliance officers to

handle complaints, yet often viewed as non-independent and over-regulated.

These Rules reflect an attempt to create accountability, but critics argue they tilt towards
surveillance and censorship, thereby risking the chilling of free speech and compromising
user privacy.

C. The Digital Personal Data Protection Act, 2023

The most significant legislative development in India’s privacy regime is the Digital Personal
Data Protection (DPDP) Act, 2023. Enacted in the wake of the Puttaswamy judgment, the
DPDP Act seeks to provide a comprehensive legal framework for processing personal data.

Key Features:

• Consent-Based Processing: Personal data may be processed only after obtaining free,
informed, and specific consent from individuals (termed "Data Principals").

• Purpose Limitation: Data must be collected for a specific and lawful purpose, and
retained only as long as necessary.

• Rights of Data Principals:

o Right to access information

o Right to correction and erasure

o Right to grievance redressal

• Obligations on Data Fiduciaries: Entities processing data must maintain security

safeguards, data audits, and report breaches.

• Data Protection Board of India: An adjudicatory body to enforce the Act, impose
penalties, and resolve grievances.

Criticisms:

• Sweeping Exemptions to the State: The Act allows the government to exempt any
agency from its provisions on grounds like national security and public order, raising
fears of surveillance.

• Lack of Independent Regulatory Authority: The Data Protection Board lacks

constitutional or statutory independence.

• Weakens RTI Framework: By restricting access to personal data of public officials,

the Act may dilute the Right to Information Act, 2005.

Despite its limitations, the DPDP Act is a crucial step toward establishing data protection
jurisprudence in India. However, effective implementation and future amendments will
determine whether it genuinely safeguards digital privacy.

D. Other Sector-Specific Regulations

 1. Telecom Sector – TRAI Guidelines

o Telecom Regulatory Authority of India (TRAI) mandates customer data

confidentiality in telecom services.

o Guidelines against unsolicited commercial communications and spam

messages.

2. Banking and Finance – RBI Guidelines

o Require data localization, customer consent, and cybersecurity measures by

financial institutions.

3. Aadhaar and UIDAI Regulations

o Post-Puttaswamy, Aadhaar Act amendments prohibit sharing of core biometric

data.

o Yet concerns persist over voluntary-consent misuse and data linking

mandates by service providers.

These regulations play a supplementary role but lack interoperability and a common privacy
standard, highlighting the need for an overarching framework.

In conclusion, India’s regulatory architecture for digital privacy is gradually maturing. While
the Digital Personal Data Protection Act, 2023 marks a long-overdue legislative shift, it must
be fortified with transparency, accountability, and independent oversight. Bridging
legislative intent with digital reality remains the next challenge for Indian policymakers and
jurists.

V. International Comparison: Global Privacy Standards vs. India

As digital privacy becomes a cornerstone of democratic governance worldwide, various

jurisdictions have enacted comprehensive data protection laws to ensure the protection of
individual rights. A comparative analysis helps to situate India’s emerging privacy regime
within the broader international context and reveals both its strengths and shortcomings.

A. European Union – General Data Protection Regulation (GDPR)

The GDPR, effective since May 2018, is widely regarded as the gold standard for data
protection legislation globally. It applies to all entities processing the personal data of EU
residents, irrespective of the entity’s geographical location.

Key Features:

• Broad Definition of Personal Data: Includes identifiers like names, IP addresses,

location data, and even psychological profiles.

• Data Subject Rights: Includes the right to access, rectification, erasure (the “right to
be forgotten”), portability, and objection.

• Data Protection Officers (DPOs): Mandatory for large-scale processors to ensure

internal compliance.

• Heavy Penalties: Violations can result in fines of up to €20 million or 4% of global

turnover.

Comparative Insight:

• GDPR’s independent supervisory authority model and robust consent framework

outpace India’s DPDP Act, which lacks autonomy in its oversight mechanism and
grants wide exemptions to the state.

• India can draw from GDPR’s transparency and enforcement mechanisms to

strengthen its data governance model.

B. United States – Sectoral and Rights-Based Approach

The United States follows a sectoral approach to privacy, with different laws for different
types of data:

• Health Insurance Portability and Accountability Act (HIPAA) – for healthcare data

• Children’s Online Privacy Protection Act (COPPA) – for children under 13

• California Consumer Privacy Act (CCPA) – a more holistic state-level law granting
rights to consumers regarding personal information

Key Features:
 • Emphasis on consumer rights and business obligations

• A mix of state and federal laws, leading to fragmentation

• The Fourth Amendment also provides limited constitutional protection against

unreasonable searches and seizures

Comparative Insight:

• Unlike India, where a fundamental right to privacy is judicially recognized, the U.S.
still lacks a comprehensive federal privacy law.

• However, U.S. laws are often stronger in corporate accountability and sector-specific
clarity, areas India’s laws must continue to refine.

C. United Kingdom – UK GDPR and Data Protection Act, 2018

Post-Brexit, the UK has retained the essence of the GDPR through its UK GDPR, which is
supplemented by the Data Protection Act, 2018.

• Maintains individual-centric rights

• Facilitates cross-border data transfer with “adequacy” decisions

• The Information Commissioner’s Office (ICO) plays a central role in regulation and
enforcement

Comparative Insight:

India’s data protection regime lacks an independent regulator akin to the ICO, reducing
public trust and the effectiveness of enforcement.

D. Other Countries:

• Brazil – Lei Geral de Proteção de Dados (LGPD)

Inspired by the GDPR, Brazil’s LGPD ensures data processing transparency, user
rights, and establishes the National Data Protection Authority (ANPD).
 • South Africa – Protection of Personal Information Act (POPIA)
POPIA ensures responsible processing of personal information by both public and
private bodies, and includes remedies for violations.

• Singapore – Personal Data Protection Act (PDPA)

Balances business interests and individual privacy, emphasizing consent,
notification, and data breach response mechanisms.

E. India’s Position in Global Privacy Landscape

While India has taken significant strides with the enactment of the Digital Personal Data
Protection Act, 2023, it still lags behind mature privacy regimes due to:

• Absence of strong regulatory autonomy

• Vague provisions related to state surveillance exemptions

• Limited enforcement capabilities

• Over-centralized grievance redressal

India must strive to align its framework with international best practices, particularly
regarding data fiduciary accountability, user empowerment, and independent oversight.

The global privacy discourse demonstrates that effective privacy protection is not just about
statutory recognition, but about robust institutions, cultural respect for autonomy, and
vigilant enforcement. As India continues to evolve in the digital space, international models
like the GDPR offer valuable lessons in shaping a rights-respecting digital ecosystem.

Conclusion

The recognition of the right to privacy as a fundamental right by the Supreme Court in Justice
K.S. Puttaswamy v. Union of India marked a transformative moment in India’s constitutional
history. In the digital age, where personal data has become the new currency and surveillance
technologies are increasingly pervasive, the scope of privacy has expanded far beyond the
physical realm to encompass one’s digital footprint, identity, and autonomy.
India's evolving legal framework—anchored in the Digital Personal Data Protection Act,
2023—demonstrates a commendable step toward aligning with global privacy norms.
However, persistent gaps such as broad governmental exemptions, lack of an independent
regulator, and weak enforcement mechanisms remain critical challenges. The rapid pace of
technological innovation, coupled with increasing state and corporate control over personal
data, calls for continuous legal adaptation, strong institutional safeguards, and widespread
digital literacy.

To truly uphold the constitutional promise of privacy, India must strive to strike a delicate
balance between individual liberty, national interest, and economic innovation, ensuring
that the right to privacy remains resilient, enforceable, and inclusive in the face of digital
disruption. The journey from M.P. Sharma to Puttaswamy reflects the judiciary's progressive
role, but the real test lies in transforming judicial declarations into tangible protections for
every citizen in the digital era.