Privacy, once considered a luxury, is now recognized as a fundamental right. In a world driven by technology, where every click, swipe, and search generates data, the question of who controls this data has become central to individual liberty. In India, the right to privacy was declared a fundamental right by the Supreme Court in Justice K.S. Puttaswamy v. Union of India (2017). But privacy is not only about surveillance or Aadhaar as it extends to how personal information is collected, stored, and used by both state and private actors. With India recently enacting the Digital Personal Data Protection Act, 2023, the landscape of privacy and data protection is evolving rapidly.
The Puttaswamy Judgment: A Constitutional Milestone
For decades, Indian courts had given mixed signals about privacy. Earlier cases such as M.P. Sharma v. Satish Chandra (1954) and Kharak Singh v. State of U.P. (1963) had doubted whether privacy was part of fundamental rights. This uncertainty ended when a nine-judge bench of the Supreme Court in Puttaswamy unanimously declared privacy as intrinsic to the right to life and liberty under Article 21.
The Court expanded privacy into three dimensions:
- Bodily Privacy – protection against intrusive medical or physical procedures.
- Informational Privacy – control over personal data.
- Decisional Privacy – autonomy in making intimate choices such as marriage, procreation, or lifestyle.
Importantly, the Court held that any restriction on privacy must pass the tests of legality, necessity, and proportionality.
Data Protection and the New Law
Following Puttaswamy, there was strong demand for a comprehensive data protection regime. After years of deliberation, Parliament enacted the Digital Personal Data Protection Act, 2023 (DPDP Act).
The Act introduces key principles:
- Consent: Organizations must seek free and informed consent before processing personal data.
- Purpose Limitation: Data can only be used for the specific purpose for which it was collected.
- Right to Access and Correction: Individuals can demand to know what data is held and seek correction.
- Right to Erasure: Individuals can ask for deletion of data when it is no longer necessary.
- Penalties: Heavy fines for data breaches or misuse, running into hundreds of crores.
This law applies not only to government but also to private companies, social media platforms, and online businesses.
Challenges in Enforcement
While the DPDP Act is a step forward, challenges remain. Many critics argue that government agencies have been given broad exemptions, which may weaken protections against state surveillance. The Act also does not establish a strong independent regulator comparable to the EU’s GDPR.
Additionally, public awareness remains low. Many individuals do not realize that clicking “I Agree” on a website allows companies to profile them extensively. Building a culture of privacy will take time and education.
Judicial Developments Beyond Puttaswamy
Indian courts have continued to expand privacy rights after Puttaswamy:
- Navtej Singh Johar v. Union of India (2018): The Court decriminalized consensual same-sex relations, linking privacy with dignity and decisional autonomy.
- Joseph Shine v. Union of India (2018): The Court struck down adultery as a crime, holding that state interference in private relationships violates privacy.
- X v. Hospital Z (1998, revisited in later cases): Courts have balanced privacy with competing rights, such as public health and the right to know.
Together, these cases show that privacy is not absolute; it must often be balanced with public interest, but the presumption is always in favor of liberty.
Practical Implications for Citizens
For ordinary people, privacy law is not abstract. It affects daily life:
- When a mobile app demands unnecessary permissions, it may be violating informational privacy.
- When hospitals disclose medical records without consent, it breaches bodily and informational privacy.
- When employers track personal devices, it interferes with decisional privacy.
Citizens should be aware of their rights under the DPDP Act and assert them — by demanding consent forms, challenging misuse of data, and reporting breaches.
Conclusion
The recognition of privacy as a fundamental right in Puttaswamy was a constitutional revolution. The enactment of the DPDP Act, 2023 has given this right a statutory backbone. Yet, the true test lies in implementation. As India digitizes rapidly, ensuring that individual autonomy is respected will require vigilant courts, responsible companies, and aware citizens.
For law students, privacy law is an evolving field that blends constitutional law, technology, and human rights. For citizens, it is a reminder that liberty today is not only about freedom from physical restraint but also about control over one’s digital identity.