In India, privacy has long been understood as an implicit constitutional value, though not explicitly mentioned in the text. Over the decades, the Supreme Court gradually recognized privacy as part of the freedoms guaranteed by the Constitution. For example, in Kharak Singh v. State of UP (1962) the Court held that the Constitution does not expressly guarantee a general right to privacy. Later rulings underlined privacy’s importance: in Justice KS Puttaswamy v. Union of India (2017) a nine-judge bench unanimously declared that “the right to privacy is an intrinsic part of life and personal liberty under Article 21”. This landmark verdict overruled earlier precedents (such as Kharak Singh) and enshrined privacy as a fundamental right. Below, we examine the historical and constitutional evolution of privacy in India, then explore how the digital revolution – with mass surveillance, data breaches and big-data profiling – is testing these guarantees. We also survey key laws (the IT Act, 2000 and the new Digital Personal Data Protection Act, 2023) and assess challenges in enforcing privacy protections.

Historical and Constitutional Background of Privacy in India

From the founding of the Republic, Indian courts have struggled to fit privacy within the Constitution. During the Constituent Assembly debates, the framers considered adding an explicit privacy right but ultimately declined, noting that existing laws (like the Criminal Procedure Code) already regulated search and seizure. In the first decade of independence, the Supreme Court held that the Indian Constitution lacked a Fourth Amendment–style privacy right. In M.P. Sharma v. Satish Chandra (1954), an eight-judge bench refused to read a general privacy guarantee into Articles 19 or 21. Kharak Singh v. State of UP (1962) later tested a police regulation allowing domiciliary surveillance. The Court struck down night-time raids but emphatically observed that the “right of privacy is not a guaranteed right under the Constitution”. In Govind v. State of Madhya Pradesh (1975), similar police regulations were upheld despite concerns they were “perilously near unconstitutionality”.

A significant shift occurred in the 1990s. In R. Rajagopal v. Tamil Nadu (1994) the Court recognized a privacy interest as part of Article 21, subject to exceptions for free speech. Then, in PUCL v. Union of India (1997) (the “telephone tapping case”), the Court declared that wiretapping without authority violates Article 21 and laid down strict guidelines for any lawful surveillance. This marked the first time the Court vindicated privacy against state intrusion, holding extensive phone-tapping unconstitutional and mandating oversight committees for interception orders. Thus by the late 1990s, privacy – though still implicit – had gained firm footing in Indian law.

Landmark Judgments on Privacy

The watershed case came in Justice KS Puttaswamy v. Union of India (2017). A nine-judge bench unanimously held that privacy is a fundamental right under the Constitution. The Court explicitly overruled Kharak Singh to the extent it denied privacy protection, and reaffirmed decisions that viewed privacy as part of personal liberty. Chief Justice Dipak Misra and Justice Chandrachud (writing for four judges) emphasized that privacy is the “core of dignity” and autonomous choice in a democratic society. In addition to Puttaswamy I (2017), the Court reaffirmed privacy in related cases, e.g. Puttaswamy II (2018) (upholding Aadhaar with privacy safeguards) and various decisions protecting sexual orientation, reproductive rights, and data protection under the privacy umbrella. Collectively, these judgments mean that any law or action infringing privacy must satisfy a strict test of legality, necessity and proportionality under Article 21.

The Right to Privacy in the Digital Era: Emerging Threats

The proliferation of digital technologies has vastly expanded the arenas in which privacy can be breached. Personal information is now routinely collected, stored and analyzed at scale by governments and companies. Four major categories of new threats stand out:

  • State Surveillance: Modern surveillance systems (CCTV networks, internet monitoring tools, spyware) empower the state to monitor citizens more closely than ever. For example, India’s Central Monitoring System (CMS) enables government agencies to tap directly into all mobile, landline and internet communications without telecoms’ intervention. Tools like network-traffic analysis and biometric databases further extend surveillance reach. Experts warn that these programs are governed by outdated statutes (the 1885 Telegraph Act and IT Act 2000) that give broad powers but lack judicial oversight. In practice, courts and activists have documented cases of potential abuse (for instance, phone-tapping of politicians) that chill free expression. As one analysis notes, India’s surveillance infrastructure now “facilitates unprecedented access to personal data, raising concerns about unchecked state overreach”.
  • Data Breaches and Hacks: The centralization of data also magnifies the impact of security failures. In 2023 one of India’s largest-ever breaches was uncovered: personal details of ~81.5 crore citizens (names, phone numbers, Aadhaar and passport numbers, addresses) were found for sale on the dark web. Similarly, hackers have repeatedly compromised government databases (e.g. health records, financial registries), exposing citizens’ sensitive information. Cybersecurity experts note that “high-profile breaches, like the 2019 Aadhaar leak, demonstrate the risks associated with centralized databases”. These incidents highlight how a single security lapse can violate the privacy of millions, undermining trust in both government and industry data holders. They underscore the need for robust legal protections and cybersecurity standards to safeguard personal data.
  • Social Media Profiling: Social networks and internet platforms collect vast amounts of user data to power targeted advertising, recommendations and content curation. Such profiling can reveal intimate details about users’ beliefs, health, finances and more, often without their explicit understanding. The Cambridge Analytica scandal (2018), where Facebook data on Indian users was allegedly harvested for political profiling, exemplifies this danger. India’s telecom regulator has openly acknowledged that “the existing framework for protection of personal data by companies… is insufficient”. In practice, large tech firms remain largely self-regulated in India, and users have limited control over how their social media data is analyzed or shared. This raises concerns not only about targeted marketing but also about potential manipulation of public opinion and elections.
  • Big Data Analytics: Beyond social media, various industries leverage big data algorithms to make decisions about individuals (credit scoring, insurance, recruitment, law enforcement risk scores, etc.). When these systems use personal data without transparency, they can entrench biases or invade privacy. For instance, e-commerce and fintech platforms aggregate purchase histories and biometric data, sometimes sharing insights across business partners. The PRS analysis of India’s new privacy law cautions that unchecked data processing for targeted advertising or recommendations “may have adverse implications for the privacy of individuals,” including profiling harms.

In short, any large-scale data collection – whether by private companies or government – can compromise privacy if not bounded by clear purpose limits and user consent.

Legislative Framework: IT Act, 2000 and the Digital Personal Data Protection Act, 2023

India’s first major cyber law, the Information Technology Act, 2000, introduced the earliest data protection provisions. The Act criminalized various computer-related offenses and included limited safeguards: for example, Section 43A (added later) required companies to implement “reasonable security practices” for sensitive personal data and imposed liability for breaches, and Section 72A penalized unauthorized disclosure of passwords. However, the IT Act was never designed as a comprehensive privacy statute. As PRS Legislative notes, “India does not have a standalone law on data protection. Use of personal data is regulated under the IT Act, 2000”. Critically, the IT Act lacked provisions granting individuals enforceable rights (aside from a small compensation remedy under Section 43A) and set relatively low penalties. In practice, enforcement under the IT Act was limited, and privacy in digital spaces remained largely unprotected.

In August 2023, India enacted its first dedicated data privacy law: the Digital Personal Data Protection Act, 2023 (DPDP Act). This law applies to all processing of “digital personal data” (online or digitized offline data) in India. Its key features include:

  • Consent and Purpose: Personal data can only be processed with an individual’s informed consent for a specified lawful purpose. Data fiduciaries (entities deciding why and how data is used) must publish notices before collection and only use data as permitted. Individuals may withdraw consent at any time. (Certain “legitimate” uses – e.g. government service delivery, medical emergencies or voluntary sharing – are exempt from consent requirements.)
  • Rights of Individuals: The Act grants data principals (individuals) explicit rights: to obtain information about how their data is processed, to seek correction or erasure of their data, and to file grievances. It also allows individuals to nominate representatives in case of incapacity. (However, critics note that the DPDP Act does not include rights such as data portability or the “right to be forgotten” that exist in some other regimes.)
  • Obligations on Data Fiduciaries: Companies and agencies handling personal data must take “reasonable security safeguards” to prevent breaches, maintain data accuracy, and inform the authorities (Data Protection Board) and affected persons in the event of a breach. Fiduciaries must also delete personal data once its purpose is served (storage limitation). Notably, many obligations (including storage limitation) do not apply to government entities under this Act.
  • Data Protection Board: The Act establishes a statutory Data Protection Board of India to oversee compliance. The Board can investigate complaints, order penalties, and direct action on breaches. However, PRS analysis flags governance concerns: Board members serve short two-year terms (with reappointment possible), which “may affect the independent functioning of the Board”. Appeals from the Board will lie to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
  • Exemptions for the State: Most controversially, the Act provides broad exemptions for government agencies. Rights of data principals and duties of fiduciaries “will not apply” for data processing related to crime prevention or legal claims. Further, the central government may by notification exempt any government processing in the interest of national security, public order, or similar aims. In practice, this means the State can collect and retain personal data with minimal legal constraint so long as it invokes security or public order.

In summary, the DPDP Act marks a major step in codifying privacy protections – for the first time Indians have clear statutory rights over personal data. It requires consent, mandates basic security standards, and creates an enforcement body. On the other hand, the Act has been criticized for its large carve-outs: it leaves government-held data broadly unregulated and does not ensure independent oversight of state surveillance. Ensuring this law truly safeguards privacy will depend on how its exemptions are interpreted and on the Board’s effectiveness.

Conclusion

India has made remarkable strides in recognizing privacy as a constitutional right. The Supreme Court has declared privacy fundamental (especially in Puttaswamy, requiring that any intrusion be lawful, necessary and proportionate). Meanwhile, the new DPDP Act 2023 finally gives legal force to individual data rights and imposes duties on data handlers. However, the evolving digital landscape poses thorny challenges. Mass surveillance systems, data-driven profiling and frequent cyber-attacks continue to push the boundaries of privacy protections. To address these, India must reinforce its legal framework. Experts urge narrowing the State’s exemptions in the DPDP Act, establishing independent oversight for surveillance (for example, by requiring prior judicial authorization for intercepts), and strengthening penalties for violations.

On the technology side, incorporating privacy-by-design (strong encryption, user control tools) and fostering data minimization practices can help mitigate risks. The government should also engage civil society and privacy experts when formulating rules, to ensure diverse perspectives. At the same time, awareness campaigns and digital literacy can empower citizens to exercise their rights. As one analysis notes, balancing security and privacy is not just a technical issue but a moral imperative. In the years ahead, India’s commitment to privacy will be measured by how well it translates its constitutional ideals into practice in the digital domain – ensuring that the “principles of legality, necessity and proportionality” enshrined by Puttaswamy truly govern all data collection and use.

.    .    .

Sources:

Authoritative Supreme Court judgments (e.g. Puttaswamy), legislative materials (Information Technology Act, Digital Personal Data Protection Act), and analyses by legal scholars, PRS, Human Rights Watch, international privacy experts, and reputable news outlets. The citations above provide direct references to these primary and secondary sources.
