Right to Privacy, Evolution, Puttaswamy & the DPDP Act
In the landmark K.S. Puttaswamy (2017) case, a nine-judge Bench of the Supreme Court held that the Right to Privacy is a Fundamental Right, intrinsic to the right to life and personal liberty under Article 21. This guide covers its evolution, significance, challenges, the proportionality test, and the latest on the DPDP Act 2023 & Rules 2025.
The Right to Privacy is a human right enshrined in numerous international covenants — reflected in Article 12 of the Universal Declaration of Human Rights, 1948 and Article 17 of the International Covenant on Civil and Political Rights, 1966. In the K.S. Puttaswamy case, the Supreme Court ruled that privacy is a fundamental right, protected intrinsically under the right to life and personal liberty.
Privacy is a right enjoyed by every human being by virtue of their existence. It extends to aspects such as bodily integrity, personal autonomy, protection from state surveillance, dignity and confidentiality.
What is the Right to Privacy?
The right to privacy is a fundamental aspect of individual autonomy, allowing people to make personal choices free from unwarranted interference. It encompasses the right to control one's personal information, maintain confidentiality, and make autonomous decisions without interference.
- Need: essential for upholding human dignity and freedom — it allows individuals to express themselves, engage in personal relationships and participate in society without fear of surveillance or discrimination.
- Indian context: in 2017, the Supreme Court affirmed this right in the landmark Puttaswamy v. Union of India case, recognising privacy as a constitutional and fundamental right under Article 21 of Part III of the Constitution.
- International framework: Article 12 of the UDHR (1948) and Article 17 of the ICCPR (1966) establish safeguards against "arbitrary interference" with an individual's privacy, family, home, correspondence, dignity and reputation.
Right to Privacy — Evolution
The Constitution makers did not directly envisage the Right to Privacy; it does not find explicit mention in Part III. The judiciary has interpreted it over decades:
| Case / Law | Year | What It Held |
|---|---|---|
| M.P. Sharma v. Satish Chandra | 1954 | Made a passing reference to privacy while deciding whether searches and seizures were unreasonable. |
| Kharak Singh v. State of UP | 1961 | On police surveillance of history-sheeters, ruled that privacy was not a guaranteed fundamental right. |
| Gobind v. State of MP | 1975 | Introduced the American "compelling state interest" test — privacy yields to a larger, convincing state interest. |
| PUCL v. Union of India | 1997 | Held that individuals have a privacy interest in the content of their telephone communications. |
| IT Act (amended, Sec. 43A) | 2000 / 2008 | Made companies compromising sensitive personal data liable to pay compensation; eight privacy rules framed. |
The Puttaswamy Judgement (2017)
A nine-judge Constitution Bench delivered the landmark decision in Justice K.S. Puttaswamy (Retd.) & Anr. v. Union of India & Ors. (2017).
- Judgement: the Court ruled that the Right to Privacy is "intrinsic to life and personal liberty" and is inherently protected under Article 21 and as part of the freedoms guaranteed by Part III. In doing so, it overruled its own eight-judge bench (M.P. Sharma) and six-judge bench (Kharak Singh) judgements on the privacy question.
- Significance: by making privacy intrinsic to life and liberty, it is available not just to citizens — anyone can move the courts under Articles 32 and 226 for justice. Privacy became an essential ingredient of other fundamental freedoms in Part III.
Puttaswamy also held that privacy is not absolute. Any State restriction on privacy must pass a three-fold (proportionality) test:
1. Legality — there must be a valid law authorising the intrusion; 2. Legitimate State aim — the restriction must serve a legitimate goal; 3. Proportionality — there must be a rational nexus between the object and the means, and the least intrusive measure must be used. This test was later applied in the Aadhaar judgement (2018), which upheld Aadhaar with restrictions.
Right to Privacy — Significance
- Right to life with dignity: privacy is linked to the right to life and dignity, shielding individuals from actions that undermine personal respect.
- Freedom of expression: it lets individuals express, explore and share ideas without fear of judgment or retribution, strengthening democratic discourse.
- Protection from surveillance: it guards against intrusive tracking by both government and private entities, preserving security in personal spaces.
- Data protection: in the digital age, it safeguards personal data against unauthorised access — vital for identity, financial security and trust in digital services.
Right to Privacy — Challenges
- Conflict with other rights: prioritising privacy over other fundamental rights is hard — e.g., during COVID-19, the right to life was weighed against privacy and prioritised.
- Digital divide: many, especially in rural areas, lack awareness and resources to protect their privacy, leaving them vulnerable to data misuse.
- Communications surveillance: surveillance via tapping or interception is governed by the Indian Telegraph Act, 1885 and the IT Act, 2000, which permit the State to intrude on grounds of national security, friendly foreign relations and public order.
- Judicial clarity: despite Puttaswamy, clear legal frameworks for implementation and enforcement remain limited, complicating privacy protection.
Government Steps to Protect Privacy
B.N. Srikrishna Committee
The government appointed the B.N. Srikrishna Committee, an expert group on data protection led by Justice B.N. Srikrishna. In July 2018, it submitted its report, proposing a Draft Data Protection Bill and key principles to safeguard privacy and data rights.
Digital Personal Data Protection (DPDP) Act
Following the 2017 Puttaswamy judgment, the Srikrishna Committee's recommendations culminated in the Digital Personal Data Protection Act, which regulates the processing of digital personal data.
- Applicability: applies to all data — whether originally online or offline and later digitised — in India, and also to processing of digital personal data beyond India's borders.
- Alternate disclosure mechanism: allows two parties to settle complaints through a mediator; provides for a Data Protection Board.
- Precedence in conflict: its provisions are in addition to other laws, but in case of conflict, this Act prevails to the extent of the conflict.
- Penalties: offences and penalties apply for non-compliance.
- Exemptions: for notified agencies (security, sovereignty, public order); research/archiving/statistics; start-ups or notified fiduciaries; enforcing legal rights; judicial/regulatory functions; preventing/investigating offences; processing non-residents' data under foreign contracts; approved mergers/demergers; and locating defaulters and their assets.
Statutory Regulation
Surveillance is overseen under the Indian Telegraph Act (1885) and IT Act (2000), permitting lawful interception with procedural safeguards. The National Cyber Security Policy and CERT-In promote data protection, cyber security and breach response.
DPDP Act 2023 & DPDP Rules 2025 — Latest Status
The Digital Personal Data Protection Act, 2023 was enacted on 11 August 2023, and the DPDP Rules, 2025 were notified by MeitY on 13–14 November 2025, operationalising the Act through a staggered, phased timeline:
| Phase | From | What Comes Into Force |
|---|---|---|
| Phase 1 | Nov 2025 | Establishment of the Data Protection Board of India (DPBI) (appeals lie to TDSAT) |
| Phase 2 | Nov 2026 | Registration and obligations of Consent Managers |
| Phase 3 | May 2027 | Substantive obligations — notice & consent, security safeguards, breach reporting, Significant Data Fiduciary duties, and Data Principal rights |
- Key actors: Data Principal (the individual), Data Fiduciary (who decides purpose/means), Data Processor, Consent Manager, and Significant Data Fiduciary (SDF).
- Rights of individuals: to be informed, access, correct, erase, grievance redressal, and nominate a representative.
- Penalties: up to ₹250 crore for failure of reasonable security safeguards; up to ₹200 crore for breach-notification failures or violations relating to children's data; up to ₹50 crore for other breaches.
- RTI link: the DPDP Act amended Section 8(1)(j) of the RTI Act, 2005, aligning the transparency regime with the Puttaswamy privacy standard — a much-debated change.
Right to Privacy — Way Forward
- Strengthen judicial oversight: ensure surveillance is authorised, proportionate and essential.
- Public awareness campaigns: help citizens understand data-privacy risks and assert their rights.
- Technology and privacy innovation: promote end-to-end encryption and anonymisation.
- Clear surveillance regulations: balance national security with privacy, specify data-retention limits and ensure transparency.
- Private-sector accountability: strict rules against unauthorised data sharing and profiling, with mandated transparency.
Frequently Asked Questions (FAQs)
Is the Right to Privacy a fundamental right in India?
Which Article of the Constitution protects the Right to Privacy?
What was the Puttaswamy case about?
Is the Right to Privacy absolute?
What is the DPDP Act 2023, and what is its current status?
Which international instruments recognise the Right to Privacy?
Q1 (Prelims 2021): 'Right to Privacy' is protected under which Article of the Constitution of India?
(a) Article 15 (b) Article 19 (c) Article 21 (d) Article 29 — Ans: (c)
Q2 (Prelims 2018): Right to Privacy is protected as an intrinsic part of Right to Life and Personal Liberty. Which of the following correctly and appropriately imply this?
(a) Article 14 and the 42nd Amendment (b) Article 17 and DPSP in Part IV (c) Article 21 and the freedoms guaranteed in Part III (d) Article 24 and the 44th Amendment — Ans: (c)
Puttaswamy did more than add a right — it re-read the whole Constitution through the lens of dignity. For the aspirant, the trick is to pair the doctrine (privacy under Article 21) with the discipline (the proportionality test) and the machinery (the DPDP Act) — that triad is a complete answer. — Legacy IAS Faculty
Key Takeaways
- Puttaswamy (2017), a nine-judge Bench, made the Right to Privacy a Fundamental Right under Article 21, overruling M.P. Sharma and Kharak Singh.
- The right evolved through M.P. Sharma (1954), Kharak Singh (1961), Gobind (1975) and PUCL (1997) before Puttaswamy settled it.
- Privacy is not absolute — restrictions must clear the three-fold proportionality test (legality, legitimate aim, proportionality), applied in the Aadhaar case (2018).
- Internationally anchored in Article 12 UDHR and Article 17 ICCPR; challenges include surveillance (Telegraph Act 1885, IT Act 2000), the digital divide and weak enforcement.
- The DPDP Act 2023 and DPDP Rules 2025 (notified Nov 2025) operationalise data protection in phases through May 2027, with a Data Protection Board and penalties up to ₹250 crore.
- Way forward: judicial oversight, clear surveillance law, privacy-tech, awareness and private-sector accountability.
Master Polity the Right Way with Legacy IAS — Bangalore
Expert faculty, structured GS & Optional guidance, and Bangalore's most trusted UPSC coaching — all under one roof.


