
How we reached the privacy question
For a long time, the Indian Constitution did not clearly say, “there is a right to privacy”. Earlier Supreme Court cases in the 1950s and 60s (like M.P. Sharma and Kharak Singh) had even suggested that there was no general fundamental right to privacy in Part III of the Constitution.
Meanwhile, the State’s use of personal data kept growing:
- Aadhaar – a massive biometric ID project – involved fingerprints, iris scans, and demographic data of over a billion people.
- Technology enabled surveillance, profiling and big data analytics on a scale never seen before.
So when Aadhaar was challenged in court, one key question popped up:
Does the Indian Constitution protect a fundamental right to privacy at all?
This question came to the Supreme Court in Justice K.S. Puttaswamy (Retd.) v. Union of India, a petition filed by a retired High Court judge challenging Aadhaar. Because earlier judgments had doubted privacy as a right, a 9-judge Bench was formed to decide this once and for all.
The Puttaswamy verdict: privacy becomes a fundamental right
On 24 August 2017, the 9-judge Bench delivered a unanimous decision in Justice K.S. Puttaswamy (Retd.) & Anr. v. Union of India & Ors. (2017).
What exactly did the Court say?
- Privacy is a Fundamental Right
  The Supreme Court held that the right to privacy is a fundamental right protected under Articles 14, 19 and 21 of the Constitution. Earlier judgments denying this status were overruled.
- Privacy has a Wide Meaning
  Privacy includes:
  - Bodily privacy (health, physical body),
  - Decisional privacy (personal choices like marriage and sexuality),
  - Informational privacy (control over personal data).
- Privacy is Not Absolute
  The State can restrict privacy only if four conditions are satisfied:
  - Existence of law,
  - Legitimate State purpose,
  - Proportionality,
  - Procedural safeguards.
- Need for Data Protection Law
  The Court stressed the urgent need for a strong data protection framework to safeguard personal data from misuse by both the State and private entities.
So, Puttaswamy did two big things:
- Politically/legislatively: It created pressure on the government to pass a modern data protection law.
- Constitutionally: It declared privacy a fundamental right.
This case is discussed in detail in Right to Privacy Case (Justice K.S. Puttaswamy v. Union of India) by EBC.
From judgment to law: the long road to a data protection statute
The journey from Puttaswamy (2017) to the DPDP Act (2023) was slow and messy. Think of it as several drafts and rewrites of the same movie.
Step 1: Srikrishna Committee and the 2018 Draft
- In July 2017, just before the privacy judgment, the Government set up a Committee of Experts on Data Protection chaired by Justice B.N. Srikrishna.
- Its job: study data protection issues and draft a proposed law.
- On 27 July 2018, the Committee submitted:
  - A detailed Report (“A Free and Fair Digital Economy”) and
  - A draft Personal Data Protection Bill, 2018.
This draft clearly drew from Puttaswamy – it focused on informational privacy, consent, purpose limitation, and a data protection authority.
Step 2: Personal Data Protection Bill, 2019 – and its withdrawal
- Based on the 2018 draft, the government introduced the Personal Data Protection Bill, 2019 in Parliament in December 2019.
- It was referred to a Joint Parliamentary Committee (JPC), which studied it for years and suggested wide-ranging changes.
- The Bill attracted criticism (including from Justice Srikrishna himself) for giving broad exemption powers to the State, raising fears of an “Orwellian” surveillance State.
- Finally, in August 2022, the government withdrew the 2019 Bill, promising a “simpler” and more modern law.
Step 3: Digital Personal Data Protection Bill, 2022 → 2023
- November 2022: Government released the Digital Personal Data Protection Bill, 2022 for public consultation – a much shorter and more streamlined draft.
- After revisions, the Digital Personal Data Protection Bill, 2023 was:
  - Approved by the Cabinet on 5 July 2023,
  - Introduced in Lok Sabha on 3 August 2023,
  - Passed by Lok Sabha on 7 August and Rajya Sabha on 9 August, and
  - Received Presidential assent on 11 August 2023 as the Digital Personal Data Protection Act, 2023 (DPDP Act, Act 22 of 2023).
At this point (August 2023), India finally had a data protection law on paper, clearly shaped by the privacy principles announced in Puttaswamy. But it was not yet operational — many provisions needed to be “brought into force” through notifications and detailed Rules.
The DPDP Act, 2023: what it actually does
The Digital Personal Data Protection Act, 2023 is India’s first comprehensive data protection statute. Its long title (the statement of purpose at the head of the Act) directly echoes Puttaswamy: it aims to process digital personal data in a way that recognises both individuals’ right to protect their personal data and the need to process such data for lawful purposes.
Scope: whose data, what data, where?
The Act applies to:
- Digital personal data – i.e. data in digital form that can identify an individual.
- Data collected online, or offline but later digitised.
- Processing within India, and also outside India where it relates to offering goods or services in India.
It does not cover anonymised data or non-digital offline data.
Key roles: “data principal” and “data fiduciary”
The Act uses simple but powerful concepts:
- Data Principal – the individual to whom the personal data relates (essentially, “you”).
- Data Fiduciary – any person, company, start-up, or government department that decides why and how your personal data is processed.
- Significant Data Fiduciary (SDF) – large or high-risk entities (assessed on factors such as the volume and sensitivity of data processed and the risk of harm) that carry extra obligations, such as appointing a Data Protection Officer (DPO), undergoing data audits and conducting impact assessments.
Consent, “legitimate uses” and notices
The DPDP Act is consent-centric, but with practical flexibility:
- Consent must be:
  - Free, specific, informed and unambiguous, and
  - Given through a clear affirmative action (no pre-ticked boxes).
- Data Fiduciaries must give a plain-language notice explaining:
  - What data is being collected,
  - For what purpose,
  - How long it will be stored,
  - How to exercise your rights.
- You can withdraw consent at any time, and the organisation must make withdrawing consent as easy as giving it.
At the same time, the Act recognises that some processing is necessary without consent – called “legitimate uses” (for example, compliance with law, medical emergencies, employment-related uses, etc.).
Rights and duties of individuals
The Act converts Puttaswamy’s abstract privacy principles into practical rights:
As a Data Principal, you have rights to:
- Access your personal data and know how it is being used.
- Correction and erasure of inaccurate or outdated personal data.
- Grievance redressal – every data fiduciary must provide a way to complain.
- Nomination – you can nominate someone to exercise your data rights if you die or are incapacitated.
- Withdraw consent whenever you want.
You also have duties, such as not filing false complaints or providing false information; violating these can attract a penalty of up to ₹10,000.
Extra protection for children
The Act is particularly strict about children’s data:
- Anyone under 18 is treated as a child.
- Verifiable parental consent is required to process a child’s data.
- No processing that is detrimental to a child’s well-being.
- No tracking, behavioural monitoring or targeted advertising directed at children.
Violating these obligations can attract penalties up to ₹200 crore.
Cross-border data transfers
Unlike earlier drafts that talked about strict localisation, the DPDP Act takes a more flexible approach:
- In principle, cross-border transfer of personal data is allowed,
- But the government can notify “restricted” countries to which transfer is not permitted.
Enforcement: Data Protection Board of India and penalties
- The Act establishes the Data Protection Board of India (DPBI) as an adjudicatory body to handle complaints and impose penalties.
- The provisions of the Act establishing the DPBI were brought into force by notification on 13 November 2025.
- Penalties are heavy:
  - Up to ₹250 crore for failure to maintain reasonable security safeguards,
  - Up to ₹200 crore for not reporting a data breach or for violations relating to children,
  - Up to ₹50 crore for other contraventions,
  - Up to ₹10,000 on individuals for misuse of rights.
But even after the Act was passed, it needed detailed rules to actually operate in real life. That is where the DPDP Rules come in.
The DPDP Rules, 2025: turning privacy into everyday practice
From draft to final rules
- On 3 January 2025, the government (MeitY) released Draft Digital Personal Data Protection Rules, 2025 for public consultation.
- These drafts filled in crucial details: how to verify consent, timelines for responding to user requests, reporting breaches, cross-border transfer procedures, etc.
After months of consultation and revision, the government finally notified the Digital Personal Data Protection (DPDP) Rules, 2025 on 14 November 2025. This is the moment when India’s data protection regime became fully operational. Many news reports described it as: “Eight years after the Supreme Court made privacy a fundamental right, India’s digital personal data protection law goes live.”
What do the Rules actually do?
| Area | What the DPDP Rules, 2025 Do |
|---|---|
| Consent and Privacy Notices | The Rules standardise what must be included in privacy notices. They prescribe clear formats and systems for giving and withdrawing consent. They also allow the use of consent managers to handle user permissions in a transparent manner. |
| Security Safeguards and Data Breach Reporting | Data Fiduciaries must implement reasonable technical and organisational security measures. In case of a data breach, they must mandatorily inform the Data Protection Board of India and the affected individuals within prescribed timelines. |
| Compliance for Significant Data Fiduciaries (SDFs) | The Rules set out criteria to identify Significant Data Fiduciaries. Such entities must appoint a Data Protection Officer, conduct Data Protection Impact Assessments, and undergo regular data audits. |
| Cross-Border Data Transfers | The Rules lay down procedures for identifying restricted countries where personal data cannot be transferred. They also prescribe safeguards and conditions for transfers to permitted foreign countries. |
| Processing of Children’s Data | The Rules explain the methods for verifiable parental consent. They strictly enforce the ban on behavioural tracking, profiling and targeted advertising directed at children. |
| Phase-Wise Implementation Timeline | The Rules provide a staggered compliance schedule for organisations. Full implementation is expected to be completed by 2027, giving businesses time to upgrade systems. |
| Enforcement and Penalties | The Rules define how the Data Protection Board of India will conduct inquiries, assess violations, determine harm and impose financial penalties, which may go up to ₹250 crore for serious breaches. |