Right to Privacy — Basic Structure
Basic Structure
The Right to Privacy in India has evolved significantly, culminating in its recognition as a fundamental right by the Supreme Court in the landmark K.S. Puttaswamy v. Union of India (2017) judgment. This right is now considered an intrinsic part of Article 21 (Right to Life and Personal Liberty) and draws sustenance from other fundamental rights like Article 14 and Article 19.
It is not an absolute right and can be subjected to reasonable restrictions, provided they meet a stringent three-part test: legality, legitimate state aim, and proportionality. This proportionality test requires that any restriction must be necessary, suitable, and the least intrusive means to achieve a legitimate state objective.
The recognition of privacy as a fundamental right necessitated a robust legal framework for data protection, leading to the enactment of the Digital Personal Data Protection Act (DPDPA) 2023. This Act governs the processing of digital personal data, outlining the rights of data principals (individuals) and the obligations of data fiduciaries (entities processing data).
Key features include the requirement for explicit consent, provisions for 'deemed consent' in certain scenarios, establishment of the Data Protection Board of India for enforcement, and rules for cross-border data transfers.
The Right to Privacy encompasses various dimensions, including informational privacy (control over personal data), bodily privacy (autonomy over one's body), decisional autonomy (freedom to make personal choices), and communicational privacy (confidentiality of communications).
Understanding this right is vital for UPSC aspirants, as it intersects with constitutional law, governance, technology, and social justice, reflecting the dynamic balance between individual liberties and state power in a rapidly digitizing India.
Important Differences
vs Pre-Puttaswamy Era
| Aspect | Pre-Puttaswamy Era | This Topic (Post-Puttaswamy) |
|---|---|---|
| Constitutional Status | Ambiguous; not explicitly recognized as a fundamental right. Conflicting judgments: M.P. Sharma denied it, Kharak Singh denied it though the dissent argued for it, and Govind recognized it in a limited form. | Unequivocally recognized as a fundamental right under Article 21, flowing from human dignity. Settled by a nine-judge bench. |
| Legal Framework | No comprehensive data protection law. Privacy issues addressed through sectoral laws (e.g., IT Act 2000, common law torts) and judicial interpretations. | Paved the way for and led to the enactment of the Digital Personal Data Protection Act (DPDPA) 2023, providing a comprehensive statutory framework. |
| Judicial Approach | Cautious, often deferential to state power, and fragmented. Lack of a clear, consistent doctrine on privacy. | Proactive, rights-centric, and principled. Established a clear proportionality test for state interference, strengthening judicial review. |
| Enforcement Mechanisms | Limited and fragmented, relying on existing laws or common law remedies. No dedicated regulatory body for data protection. | Stronger enforcement through the DPDPA 2023, including the establishment of the Data Protection Board of India and significant penalties for non-compliance. |
| Individual Empowerment | Individuals had limited recourse against privacy violations, especially from the state, due to the lack of fundamental right status. | Individuals are significantly empowered with constitutional backing and statutory rights (e.g., right to consent, right to access, right to erasure) against both state and private entities. |
vs EU (GDPR) and US Privacy Laws
| Aspect | This Topic | EU (GDPR) and US Privacy Laws |
|---|---|---|
| Approach | India (DPDPA 2023): Comprehensive, principle-based, but with significant state exemptions. Focus on 'Data Principal' and 'Data Fiduciary'. | EU (GDPR): Comprehensive, rights-based, strict. Focus on 'Data Subject' and 'Data Controller/Processor'. US: Sectoral, fragmented, common law, and constitutional (4th Amendment). |
| Consent | India (DPDPA 2023): Requires free, specific, informed, unambiguous consent. Includes 'deemed consent' for certain legitimate uses. | EU (GDPR): Requires explicit, unambiguous consent. US: Varies by sector; often opt-out or implied consent. |
| Extraterritoriality | India (DPDPA 2023): Applies to processing outside India if related to offering goods/services to Data Principals in India. | EU (GDPR): Strong extraterritorial reach, applies to processing of EU residents' data by entities outside EU. US: Limited, generally applies to US entities or data within US. |
| Enforcement Body | India (DPDPA 2023): Data Protection Board of India (DPBI). | EU (GDPR): Independent Data Protection Authorities (DPAs) in each member state. US: Federal Trade Commission (FTC) and various sectoral regulators. |
| State Exemptions | India (DPDPA 2023): Broad exemptions for government agencies in matters of national security, public order, etc. | EU (GDPR): Limited exemptions for public authorities, subject to strict oversight. US: Government surveillance governed by specific laws (e.g., FISA) and Fourth Amendment. |