Polity · Fundamental Rights · Article

Right to Privacy — Puttaswamy and Article 21.

A 9-judge bench unanimously declared right to privacy a Fundamental Right under Article 21 in 2017. Justice K.S. Puttaswamy v. Union of India. Overruled M.P. Sharma (1954) and Kharak Singh (1962).

For 67 years after the Constitution's adoption, the Indian Supreme Court was equivocal about whether the right to privacy was a Fundamental Right. M.P. Sharma v. Satish Chandra (1954, 8-judge bench) and Kharak Singh v. State of UP (1962, 6-judge bench) had held that privacy was not a Fundamental Right. Various subsequent judgments — Govind v. State of MP (1975), R. Rajagopal v. State of TN (1994) — had recognised privacy in specific contexts but the constitutional question remained open. The 2017 judgment in Justice K.S. Puttaswamy v. Union of India by a 9-judge bench resolved the question definitively. Privacy is a Fundamental Right protected primarily under Article 21. The 2021 and 2018 Prelims tested aspects of privacy. Hold the constitutional architecture, the Puttaswamy reasoning, and the Aadhaar implications.

Pre-Puttaswamy — uncertain status

The right to privacy has had a chequered history in Indian constitutional law.

M.P. Sharma v. Satish Chandra (1954). An 8-judge bench held that the Constitution does not expressly recognise a right to privacy. The Indian framers had considered including a privacy right but had decided against it. The Constitution's framers, the Court reasoned, would have explicitly mentioned privacy if they intended it as a Fundamental Right.

Kharak Singh v. State of UP (1962). A 6-judge bench held that the right to privacy is NOT a guaranteed Fundamental Right. The case involved police surveillance practices. The majority held that the U.P. Police Regulations permitting domiciliary visits were valid, though they read down some excessive provisions.

However, Justice Subba Rao's minority view held that privacy is essential to "personal liberty" under Article 21. This minority view became the foundation for later expansion.

Govind v. State of MP (1975). A 3-judge bench took a more nuanced view. Justice K.K. Mathew suggested that there might be a "limited right of privacy" emanating from various Fundamental Rights — Articles 19(1)(a), (d), and 21. The right was not absolute and could be limited.

R. Rajagopal v. State of TN (1994). Justice Jeevan Reddy held that the right to privacy is implicit in the right to life and liberty under Article 21. Privacy includes the right to be let alone. However, public officials' actions, when in the public domain, do not enjoy privacy protection.

PUCL v. Union of India (1997). Telephone tapping case. The Court held that telephone conversations are within the ambit of right to privacy. Wiretapping requires statutory backing and must follow specified procedures.

The constitutional doubt. Despite these judgments, the constitutional question remained unresolved:

(i) M.P. Sharma (8-judge bench) and Kharak Singh (6-judge bench) had explicitly denied privacy as Fundamental Right.

(ii) Subsequent judgments (Govind, Rajagopal, PUCL) had recognised privacy in specific contexts.

(iii) None of these later judgments was by a bench larger than M.P. Sharma; they could not formally overrule it.

(iv) The result was constitutional ambiguity — privacy was sometimes protected but not as a clearly recognised Fundamental Right.

The Aadhaar challenge — context. The Aadhaar programme (Unique Identification project) created urgent need to resolve the privacy question. Aadhaar required collection of biometric data — fingerprints, iris scans, photographs — from over a billion residents. Was this constitutional?

The Aadhaar challenge in Binoy Viswam v. Union of India (2017) raised privacy concerns. The Court referred the privacy question to a larger bench. A 9-judge bench was constituted to decisively resolve the constitutional question.

Puttaswamy v. Union of India (2017)

Justice K.S. Puttaswamy v. Union of India (2017) is a landmark Supreme Court judgment. The 9-judge bench unanimously held that the right to privacy is a Fundamental Right protected under the Constitution.

Composition of bench. The 9-judge bench: J.S. Khehar (CJI), J. Chelameswar, S.A. Bobde, R.K. Agrawal, R.F. Nariman, A.M. Sapre, D.Y. Chandrachud, S.K. Kaul, and S. Abdul Nazeer. Six separate opinions, but all concurring on the central holding.

Holding — main propositions.

One — Privacy is a Fundamental Right. The right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as part of the freedoms guaranteed by Part III of the Constitution.

Two — Overruled M.P. Sharma and Kharak Singh. To the extent these judgments held that privacy is NOT a Fundamental Right, they are no longer good law. Govind and other subsequent judgments recognising privacy were affirmed.

Three — Privacy is multifaceted. The right covers:

(i) Bodily integrity — protection from physical invasions.

(ii) Mental autonomy — protection of thoughts, beliefs.

(iii) Decisional autonomy — including reproductive choices, marriage choices.

(iv) Informational privacy — control over personal information.

(v) Spatial privacy — protection of personal spaces.

(vi) Communication privacy — protection of correspondence and conversations.

Four — Privacy is intrinsic to dignity. Privacy is essential to human dignity, which is the foundation of all Fundamental Rights. The Court emphasized: "Privacy ensures that a human being can lead a life of dignity by securing the inner recesses of human personality from unwanted intrusion."

Five — Privacy is not absolute. Like other Fundamental Rights, privacy can be limited by:

(i) A law (legality requirement).

(ii) For a legitimate State aim (necessity).

(iii) Through proportionate means (proportionality).

This is the proportionality test for limitations on privacy.

Six — Constitutional sources. Privacy is grounded primarily in Article 21 (life and personal liberty), but also in:

(i) Article 14 (equality before law — protection from arbitrary State action).

(ii) Article 19 (six freedoms — speech, assembly, association, movement, residence, profession all have privacy dimensions).

(iii) Implicit in the Preamble's commitment to dignity, liberty, and equality.

Justice Chandrachud's opinion (writing for himself, CJI Khehar, Agrawal, and Nazeer JJ). Wrote that privacy is essential to:

(i) Liberty — a person needs privacy to make autonomous choices.

(ii) Dignity — exposure of personal aspects diminishes human dignity.

(iii) Identity — privacy enables one to be oneself.

(iv) Autonomy — privacy protects against State and private invasions.

Chandrachud J also overruled ADM Jabalpur v. Shivkant Shukla (1976) — the infamous emergency-era judgment that had held Article 21 could be suspended.

Justice Nariman's opinion. Privacy connects to Articles 14, 19, and 21. Reasonable restrictions must follow the proportionality test.

Justice Kaul's opinion. Strong defence of privacy as fundamental to liberty and democracy. Concerns about surveillance State, data protection.

The 2018 and 2021 Prelims — privacy questions

The 2018 Prelims tested privacy as part of right to life:

UPSC Prelims · 2018
Right to Privacy is protected as an intrinsic part of Right to Life and Personal Liberty. Which of the following in the Constitution of India correctly and appropriately imply the above statement?
(a) Article 14 and the provisions under the 42nd Amendment to the Constitution (b) Article 17 and the Directive Principles of State Policy in Part IV (c) Article 21 and the freedoms guaranteed in Part III (d) Article 24 and the provisions under the 44th Amendment to the Constitution
Answer: (c) — Article 21 and the freedoms guaranteed in Part III. The Puttaswamy judgment grounded privacy primarily in Article 21 (life and personal liberty) and read it as encompassing the various freedoms in Part III. Other options are clearly wrong: (a) Article 14 + 42nd Amendment doesn't fit; (b) Article 17 (untouchability) and DPSPs don't directly establish privacy; (d) Article 24 (child labour) and 44th Amendment don't establish privacy.

The 2021 Prelims tested the specific Article:

UPSC Prelims · 2021
Right to Privacy is protected under which Article of the Constitution of India?
(a) Article 15 (b) Article 19 (c) Article 21 (d) Article 29
Answer: (c) — Article 21. The Puttaswamy judgment held that the right to privacy is intrinsic to right to life and personal liberty under Article 21. Although privacy also has aspects under Articles 14, 19, and others, the primary constitutional source is Article 21.

Both questions establish:

(i) Right to privacy is a Fundamental Right.

(ii) Its primary constitutional source is Article 21.

(iii) It also draws from other Fundamental Rights in Part III (Articles 14, 19).

(iv) It is intrinsic to right to life and personal liberty — not a separate enumerated right but a derived right.

The recognition of privacy as Fundamental Right has had wide-ranging implications:

(a) Aadhaar architecture — affected by privacy considerations (see next section).

(b) Decriminalisation of homosexualityNavtej Singh Johar v. Union of India (2018) — Section 377 IPC struck down on Article 21 (privacy) grounds.

(c) Adultery decriminalisationJoseph Shine (2018) — Section 497 IPC violates dignity and privacy.

(d) Right to die with dignityCommon Cause v. Union of India (2018) — privacy includes dignity in death.

(e) Personal Data Protection Bill / Digital Personal Data Protection Act 2023 — legislative response to privacy as Fundamental Right.

Aadhaar judgment (2018) — operational implications

The privacy holding in Puttaswamy (2017) had immediate operational implications for the Aadhaar programme. The 5-judge bench in Justice K.S. Puttaswamy v. Union of India (Aadhaar case) 2018 applied privacy doctrine to Aadhaar.

Holdings on Aadhaar.

One — Aadhaar Act 2016 is constitutionally valid. The Court upheld the basic Aadhaar architecture, including biometric collection, on grounds of:

(i) Legitimate State aim — providing welfare benefits, preventing leakage.

(ii) Proportionality — biometric data limited to specified purposes.

(iii) Privacy safeguards — though the Court found some provisions inadequate.

Two — Section 7 (welfare benefits) is valid. The Government can require Aadhaar for welfare benefits funded out of the Consolidated Fund of India. The Court held that linking Aadhaar to subsidies is a legitimate exercise of State power. The 2020 Prelims tested this.

Three — Mandatory linkage to bank accounts is INVALID. Section 57 of the Aadhaar Act, which permitted the Government to mandate Aadhaar for purposes other than welfare (including bank accounts, telecom services, etc.), was struck down. Private entities cannot mandate Aadhaar.

Four — Section 33(2) (national security disclosure) is INVALID. The provision permitting disclosure of Aadhaar information for national security purposes by joint secretary-level officers, without judicial oversight, was struck down as inadequate safeguard.

Five — Children's Aadhaar enrolment. Children below 6 cannot be subjected to Aadhaar requirements for school admission or other services. They retain right to opt out at 18.

Six — Data retention. Authentication records cannot be retained beyond 6 months (the Court held the original 5-year retention excessive).

Seven — Metadata. The Court restricted Aadhaar metadata retention. The 2020 Prelims tested this.

The 2020 Prelims tested Aadhaar provisions:

UPSC Prelims · 2020
Consider the following statements:
  1. Aadhaar metadata cannot be stored for more than three months.
  2. State cannot enter into any contract with private corporations for sharing Aadhaar data.
  3. Aadhaar is mandatory for obtaining insurance products.
  4. Aadhaar is mandatory for getting benefits funded out of the Consolidated Fund of India.
Which of the statements given above is/are correct?
(a) 1 and 4 only (b) 2 and 4 only (c) 3 only (d) 1, 2 and 3 only
Answer: (b) — Statements 2 and 4 correct. (1) WRONG — metadata retention rules limit it but the specific 3-month rule does not apply uniformly; the Court limited authentication records to 6 months. (2) CORRECT — Section 57 strike-down means State cannot share Aadhaar data with private corporations through contracts. (3) WRONG — Aadhaar is NOT mandatory for insurance products; the strike-down of Section 57 means private services cannot mandate it. (4) CORRECT — Aadhaar is mandatory for welfare benefits funded from Consolidated Fund (Section 7 upheld).

The 2018 Prelims tested Aadhaar card use:

UPSC Prelims · 2018
Consider the following statements:
  1. Aadhaar card can be used as a proof of citizenship or domicile.
  2. Once issued, Aadhaar number cannot be deactivated or omitted by the Issuing Authority.
Which of the statements given above is/are correct?
(a) 1 only (b) 2 only (c) Both 1 and 2 (d) Neither 1 nor 2
Answer: (d) — Both wrong. (1) Aadhaar is NOT proof of citizenship or domicile — it is only proof of identity and residence. (2) Aadhaar can be deactivated or omitted by UIDAI in cases of fraud, duplication, or other administrative reasons.

Personal data protection and surveillance

The Puttaswamy judgment created urgency for legislation on personal data protection. The constitutional recognition required statutory implementation.

Justice B.N. Srikrishna Committee (2017-18). The Government appointed Justice B.N. Srikrishna to recommend a data protection framework. The Committee's 2018 report proposed comprehensive data protection legislation.

Personal Data Protection Bill 2019. Based on the Srikrishna Committee report. Key provisions:

(i) Categories: personal data, sensitive personal data, critical personal data.

(ii) Data principal rights: access, correction, erasure, portability, withdrawal of consent.

(iii) Data fiduciary obligations: lawful basis for processing, purpose limitation, minimisation.

(iv) Cross-border data transfer restrictions.

(v) Data Protection Authority — for enforcement.

(vi) Penalties for violations.

The Bill faced controversies — particularly over Section 35 (Government exemptions) and data localisation requirements. It was withdrawn in 2022.

Digital Personal Data Protection Act 2023. The replacement legislation. Came into force after Presidential assent on 11 August 2023. Key features:

(i) Applies to processing of digital personal data within India.

(ii) Consent-based framework for processing.

(iii) Data Principal rights — access, correction, erasure.

(iv) Data Fiduciary obligations — purpose limitation, security safeguards, breach notification.

(v) Data Protection Board of India — adjudicatory body.

(vi) Cross-border data flows — generally permitted, with restrictions on specified countries.

(vii) Government exemptions — broader than international standards.

(viii) Penalties — up to ₹250 crore for major violations.

The DPDP Act 2023 is the principal data protection law. Implementation is ongoing — the Data Protection Board is being constituted; rules under the Act are being framed.

Surveillance and privacy. The constitutional framework affects various surveillance practices:

(i) Telephone surveillance — under Indian Telegraph Act 1885 and Information Technology Act 2000. Requires authorization at home secretary level (or equivalent). Subject to oversight committee review.

(ii) Email and electronic surveillance — IT Act 2000 Sections 69 and 69B. Similar safeguards.

(iii) CCTV and video surveillance — varies by State and context. Privacy considerations apply.

(iv) Facial recognition — emerging area. Privacy concerns about deployment by police, schools, employers, etc.

(v) Social media monitoring — by Government for various purposes. Privacy implications.

The proportionality test. Post-Puttaswamy, surveillance and data collection must satisfy:

(i) Legality — backed by valid law.

(ii) Legitimate aim — protection of national security, prevention of crime, etc.

(iii) Necessity — least intrusive means.

(iv) Proportionality — balanced against privacy interests.

Courts review surveillance schemes against this test. Several challenges to surveillance practices are pending or have been decided since 2017.

TakeawayRight to Privacy — recognised as Fundamental Right by 9-judge bench in Justice K.S. Puttaswamy v. Union of India (2017). Overruled M.P. Sharma (1954) and Kharak Singh (1962). Grounded primarily in Article 21 (life and personal liberty) and other Part III freedoms. Privacy includes bodily, decisional, informational, spatial, communication aspects. Limitations require legality, legitimate aim, proportionality. Aadhaar judgment (2018) — Section 7 valid (welfare benefits), Section 57 struck down (private use), Section 33(2) struck down. Digital Personal Data Protection Act 2023 — statutory framework. The 2018 Prelims (Q24): Article 21 + Part III freedoms. The 2021 Prelims (Q22): Article 21. The 2018 Prelims (Q4) on Aadhaar: not citizenship proof; can be deactivated. The 2020 Prelims (Q11) on Aadhaar: 2 and 4 correct.

What students must hold

Six points carry the weight. One, pre-Puttaswamy: M.P. Sharma (1954, 8-judge bench) and Kharak Singh (1962, 6-judge bench) had held privacy NOT a Fundamental Right. Subsequent judgments (Govind 1975, R. Rajagopal 1994, PUCL 1997) recognised privacy in specific contexts. Constitutional ambiguity persisted.

Two, Justice K.S. Puttaswamy v. Union of India (2017) — 9-judge bench, unanimous. Right to privacy IS a Fundamental Right. Grounded primarily in Article 21 (life and personal liberty); also draws from other Part III freedoms. Privacy is multifaceted — bodily integrity, decisional autonomy, informational, spatial, communication.

Three, limitations on privacy require: (i) legality (law-based); (ii) legitimate State aim; (iii) necessity (least intrusive means); (iv) proportionality. The proportionality test applies to all privacy intrusions.

Four, the 2018 Prelims (Q24): privacy is intrinsic part of right to life and personal liberty — Article 21 AND freedoms guaranteed in Part III. The 2021 Prelims (Q22): privacy is protected under Article 21.

Five, Aadhaar judgment (5-judge bench, 2018): Aadhaar Act 2016 valid; Section 7 (welfare benefits) upheld; Section 57 (private use) struck down; Section 33(2) (national security disclosure) struck down. The 2020 Prelims (Q11): statements 2 and 4 correct (cannot share with private corporations; mandatory for Consolidated Fund benefits). The 2018 Prelims (Q4): Aadhaar NOT proof of citizenship/domicile; CAN be deactivated.

Six, statutory implementation: Digital Personal Data Protection Act 2023 — replaces earlier PDP Bill 2019; consent-based framework; data principal rights; Data Protection Board of India; penalties up to ₹250 crore. Surveillance under Indian Telegraph Act 1885 and IT Act 2000 must satisfy proportionality test. For more, see Right to Freedom and Aadhaar and Fundamental Rights.

Frequently asked

Is the Right to Privacy a Fundamental Right in India?

Yes. The 9-judge bench in Justice K.S. Puttaswamy v. Union of India (2017) unanimously held that the right to privacy is a Fundamental Right protected under the Constitution. The judgment overruled M.P. Sharma (1954) and Kharak Singh (1962) which had held privacy was not a Fundamental Right. Privacy is grounded primarily in Article 21 (life and personal liberty) and the freedoms guaranteed in Part III.

Under which Article is the Right to Privacy protected?

Article 21 — Right to Life and Personal Liberty. The 2021 Prelims (Q22) tested this. The Puttaswamy judgment held that privacy is an intrinsic part of right to life and personal liberty. Although privacy also has dimensions under Articles 14 (equality) and 19 (six freedoms), the primary constitutional source is Article 21.

What did Puttaswamy v. Union of India (2017) decide?

The 9-judge bench unanimously held: (1) Right to privacy is a Fundamental Right protected under the Constitution. (2) Overruled M.P. Sharma (1954) and Kharak Singh (1962). (3) Privacy is multifaceted — bodily integrity, decisional autonomy, informational privacy, spatial privacy, communication privacy. (4) Privacy is essential to dignity. (5) Privacy is not absolute — limitations must satisfy legality, legitimate aim, necessity, and proportionality.

What was decided in the Aadhaar judgment (2018)?

The 5-judge bench held: (1) Aadhaar Act 2016 is constitutionally valid. (2) Section 7 (mandatory Aadhaar for welfare benefits from Consolidated Fund) is valid. (3) Section 57 (mandatory Aadhaar for private services like banks, telecom) is INVALID. (4) Section 33(2) (national security disclosure) struck down. (5) Authentication record retention limited to 6 months (not 5 years). Children must have option to opt out at 18.

What was tested in the 2020 Prelims about Aadhaar?

The 2020 Prelims (Q11) tested four statements. Correct: (2) State cannot enter into contracts with private corporations for sharing Aadhaar data (per Section 57 strike-down) AND (4) Aadhaar is mandatory for welfare benefits funded out of Consolidated Fund (per Section 7 upholding). Wrong: (1) the specific 3-month metadata retention rule and (3) Aadhaar mandatory for insurance products. Answer: (b) — 2 and 4 only.

What is the Digital Personal Data Protection Act 2023?

The principal data protection law in India. Came into force in August 2023. Replaces earlier Personal Data Protection Bill 2019 (which was withdrawn in 2022). Key features: consent-based framework for personal data processing; data principal rights (access, correction, erasure); data fiduciary obligations (purpose limitation, security safeguards, breach notification); Data Protection Board of India for enforcement; cross-border data flow restrictions; penalties up to ₹250 crore. Implementation is ongoing through rules and Board constitution.