Right to Privacy

The Right to Privacy in India: A Complete Guide for Every Citizen

Imagine this. You are sitting in your living room, scrolling through your phone, looking at photos, checking your bank balance, maybe messaging a friend about something personal. You assume that what you do on your phone stays between you and the screen. But somewhere in the background, apps are collecting your location, your contacts, your shopping habits, and even your health data. Now ask yourself a simple question: do you really have a right to keep all of this private?
In India, the answer to that question has changed dramatically over the last few years. What was once a vague idea discussed mostly by lawyers and activists has now become a fundamental right protected by the Constitution and backed by a brand new law. This article is a deep dive into everything you need to know about the right to privacy in India, written in plain language so that every citizen can understand where we stand, how we got here, and what the future might look like.

The Long Road to Recognition

For many years, privacy in India existed in a strange grey zone. The Constitution did not mention the word "privacy" explicitly. When the founding fathers drafted the document in 1950, they were focused on freedom, equality, and justice. They could not have imagined a world where a smartphone knows more about you than your own family does. Because of this absence, the government and courts often argued that privacy was not a fundamental right, which meant it could be taken away or limited much more easily than rights like freedom of speech or equality before the law.
This argument held ground for decades. In two major cases during the 1950s and 1960s, the Supreme Court of India actually ruled that privacy was not a fundamental right under the Constitution. The logic was simple: if it is not written down, it does not exist as a fundamental guarantee. This created a situation where the government could intercept phone calls, conduct surveillance, and collect personal information without facing strong constitutional challenges.
But society changed. Technology exploded. Mobile phones became common. The internet arrived. Social media platforms began collecting enormous amounts of personal data. Suddenly, the old arguments felt outdated and even dangerous. Citizens began asking harder questions. If the government could link your Aadhaar number to every service you use, did you have any real control over your personal information? If a private company could track your location 24 hours a day, was that not a violation of something fundamental?
These questions finally came to a head in a historic legal battle.

The Landmark Judgment That Changed Everything

In 2017, the Supreme Court of India delivered a judgment that will be remembered as one of the most important in the country's legal history. The case was formally known as Justice K.S. Puttaswamy (Retd.) versus Union of India. It was a massive case heard by a bench of nine judges, which is rare and signals extraordinary constitutional importance.
The core issue was whether privacy is a fundamental right under the Constitution of India. The petitioners argued that privacy is essential to human dignity and personal liberty. They pointed out that without privacy, other rights become meaningless. What is the point of freedom of speech if the government is listening to every conversation? What is the value of personal liberty if your movements are tracked constantly?
The government, on the other hand, argued that privacy was an elitist concept and that recognizing it as a fundamental right would harm welfare programs, national security, and law enforcement. They claimed that privacy could not be absolute and that making it a fundamental right would create endless legal obstacles for legitimate state actions.
After intense deliberation, all nine judges unanimously agreed that privacy is indeed a fundamental right. They held that it is intrinsic to Article 21 of the Constitution, which guarantees the right to life and personal liberty. The Court explained that privacy is not about hiding wrongdoing; it is about the right to be left alone, the right to control information about oneself, and the right to make personal choices without unwanted interference.
This judgment was revolutionary. It meant that any law or government action that violated privacy would now have to pass the test of being fair, just, and reasonable. It also meant that the government could not simply claim national security or public interest to justify any invasion of privacy. There would have to be proper legal procedures, proportionality, and safeguards.
The Puttaswamy judgment laid the foundation for everything that followed. It forced the government to take data protection seriously and set the stage for India's first comprehensive privacy law.

Understanding the Digital Personal Data Protection Act, 2023

For years after the 2017 judgment, India debated what its data protection law should look like. Multiple drafts were prepared, revised, and criticized. Finally, in August 2023, Parliament passed the Digital Personal Data Protection Act, often called the DPDP Act. This was a historic moment because it was the first time India had a standalone law dedicated entirely to protecting personal data in the digital world.
The Act was officially notified in November 2025, along with detailed rules that explain how it will actually work in practice. The implementation is happening in phases, giving companies and government bodies time to adjust. Some provisions related to setting up the regulatory body became effective immediately, while the core compliance rules for businesses will become fully enforceable by May 2027.
The law applies to the processing of digital personal data within India. This means it covers data collected online or data collected offline that is later digitized. It also applies to companies outside India if they are offering goods or services to people within India. So a foreign website or app that targets Indian users cannot escape this law simply by having its servers abroad.
The Act introduces several important concepts that every citizen should understand:
  • Data Principal: This is you. It is the individual whose personal data is being processed. If you are under 18 years of age, your parent or legal guardian acts as the Data Principal on your behalf.
  • Data Fiduciary: This is any person or organization that decides why and how your personal data should be processed. This includes companies, government agencies, and any other entity that collects and uses your data.
  • Data Processor: This is someone who processes data on behalf of a Data Fiduciary. The Act does not directly impose obligations on processors, but it requires Data Fiduciaries to ensure that their processors follow the law through proper contracts.
  • Consent Manager: This is a new concept introduced by the Act. Consent Managers are independent entities registered with the government that help you manage your consent across different services through a single platform. They act as a bridge between you and the companies that want your data.

How Consent Works Under the New Law

One of the most important features of the DPDP Act is its focus on consent. Under this law, your personal data can generally only be processed if you have given your consent. This sounds simple, but the Act adds important details that make it much more meaningful than the old system of clicking "I agree" without reading anything.
Your consent must be free, specific, informed, unconditional, and unambiguous. It requires a clear affirmative action on your part. This means companies cannot bury consent inside lengthy terms and conditions. They cannot use pre-ticked boxes or assume your silence means agreement. They must tell you exactly what data they want, why they want it, and what they will do with it.
Before asking for consent, a Data Fiduciary must give you a notice that includes:
  • A clear description of the personal data they want to collect
  • The specific purpose for which it will be used
  • A description of the goods or services that the processing enables
  • Information about how you can exercise your rights
  • How you can contact the Data Protection Board if you have a complaint
Importantly, you have the right to withdraw your consent at any time. The company must make the withdrawal process as simple as the process of giving consent. Once you withdraw consent, the company must delete your data unless there is a legal requirement to keep it.
There are some exceptions where consent is not required. These are called "certain legitimate uses" and include situations like:
  • When you voluntarily provide your data for a specific purpose and do not object to its use
  • When the government processes data to provide you with a benefit, service, certificate, or license
  • During medical emergencies or for health services
  • When necessary to maintain public order or safety
  • For employment-related purposes
These exceptions are meant to balance privacy with practical needs, but they are narrowly defined and cannot be used as loopholes to ignore privacy protections.

Your Rights as a Data Principal

The DPDP Act gives you several important rights that empower you to take control of your personal information. These rights are not just theoretical; they are meant to be practical tools that you can use in your daily life.
  • Right to Access Information: You have the right to know whether a Data Fiduciary is processing your personal data, and if so, to obtain a summary of what data is being processed and for what purpose. You can also ask for information about the identities of other Data Fiduciaries with whom your data has been shared.
  • Right to Correction and Erasure: If your personal data is inaccurate, misleading, or no longer relevant, you can request that it be corrected or updated. You can also ask for your data to be deleted or erased, especially if you have withdrawn consent or if the data is no longer needed for the original purpose.
  • Right to Grievance Redressal: Every Data Fiduciary must provide a way for you to raise complaints and concerns. They must appoint a grievance officer and respond to your complaints in a timely manner.
  • Right to Nominate: You can nominate another person to exercise your rights on your behalf in case of your death or incapacity. This is especially useful for elderly individuals or those with serious health conditions who want a trusted family member to manage their digital affairs.
These rights are designed to be accessible, and the Act requires companies to publish clear procedures for how you can exercise them. If a company refuses to honor your rights, you can escalate the matter to the Data Protection Board of India.

Special Protections for Children and Vulnerable Persons

The DPDP Act recognizes that children and persons with disabilities need extra protection because they may not fully understand the risks of sharing personal data online. For anyone below 18 years of age, consent must be obtained from a parent or legal guardian. Companies cannot process children's data in a way that could cause harm to their well-being.
The rules specify that Data Fiduciaries must verify that the person giving consent is actually an adult. They can do this by using reliable information they already have, by asking for voluntary identity details, or by using government-issued tokens or credentials. This verification process is meant to prevent children from pretending to be adults or strangers from pretending to be parents.
There are narrow exceptions to the parental consent requirement for specific types of organizations like healthcare providers, schools, and childcare services, but only when the processing is directly related to providing health services, education, or essential care. Even in these cases, the protections against tracking, monitoring, and targeted advertising aimed at children remain strong.
For persons with disabilities, the Act allows lawful guardians to act on their behalf, ensuring that vulnerable adults are not exploited or left without protection in the digital space.

The Role of the Data Protection Board of India

A law is only as strong as its enforcement mechanism. To ensure that the DPDP Act is not just words on paper, the government has established the Data Protection Board of India. This body is responsible for monitoring compliance, investigating complaints, and imposing penalties when companies violate the law.
The Board has the power to:
  • Direct Data Fiduciaries to take specific measures after a data breach
  • Investigate complaints from individuals about privacy violations
  • Impose monetary penalties for non-compliance
  • Accept voluntary undertakings from companies that commit to fixing their practices
  • Hear appeals and make binding decisions
If you are unhappy with a decision made by the Board, you can appeal to the Telecom Disputes Settlement and Appellate Tribunal, commonly known as TDSAT. This creates a two-tier system where your grievances can be heard and properly addressed.
The Board is designed to operate with a digital-first approach, meaning it will use technology to handle complaints, conduct investigations, and communicate with the public. This is important in a country as large as India, where millions of people might need to access the system.

Penalties That Make Companies Take Notice

One of the reasons the DPDP Act has generated so much attention is its penalty structure. The Act does not rely on criminal sanctions like jail time. Instead, it uses heavy financial penalties that can seriously hurt a company's bottom line. The Data Protection Board can impose fines after giving the organization a reasonable opportunity to explain itself.
The penalties are structured as follows:
  • Failure to implement reasonable security safeguards: up to 250 crore rupees
  • Failure to notify the Board and affected individuals about a data breach: up to 200 crore rupees
  • Failure to meet special obligations for processing children's data: up to 200 crore rupees
  • Failure to meet obligations as a Significant Data Fiduciary: up to 150 crore rupees
  • Breach of voluntary undertakings given to the Board: equivalent to the penalty for the underlying violation
  • Other breaches of the Act: up to 50 crore rupees
  • Violation of duties by a Data Principal, such as submitting false information: up to 10,000 rupees
These numbers are not small. A penalty of 250 crore rupees is roughly 30 million dollars. For many companies, especially startups and mid-sized businesses, this could be devastating. The message is clear: privacy compliance is not optional, and the cost of ignoring it is very high.

What Are Significant Data Fiduciaries?

The Act introduces a special category called Significant Data Fiduciaries, or SDFs. These are entities that process very large volumes of personal data, handle sensitive data that could pose significant risks to individuals, or have an impact on national security, public order, or even electoral democracy. The central government can designate any entity as an SDF based on these factors.
SDFs face stricter obligations than ordinary Data Fiduciaries. They must:
  • Appoint a Data Protection Officer based in India who serves as the main point of contact for privacy matters
  • Engage an independent data auditor to review their compliance regularly
  • Conduct annual Data Protection Impact Assessments and audits
  • Report the findings to the Data Protection Board
  • Ensure that their technical and algorithmic systems do not cause unfair outcomes or harm to individuals
  • Follow additional data localization requirements for certain categories of data specified by the government
This category is likely to include major tech companies, large banks, telecom operators, and e-commerce platforms. The idea is to recognize that some organizations have so much power over personal data that they need to be held to a higher standard of accountability.

Cross-Border Data Transfers and Global Connectivity

In today's connected world, data rarely stays in one country. When you use an international app, your data might be stored on servers in the United States, Europe, or Singapore. The DPDP Act addresses this reality by allowing the transfer of personal data outside India, but with conditions.
The central government can restrict transfers to certain countries or territories through notification. This means the government can blacklist countries that do not provide adequate protection for Indian citizens' data. The rules suggest that these restrictions may focus on whether foreign governments or their agencies can access the transferred data.
For Significant Data Fiduciaries, there may be additional restrictions on transferring certain categories of personal data and traffic data outside India. The government can designate specific types of data that must remain within the country, especially if they relate to national security or critical infrastructure.
This approach tries to balance two competing needs: the need to allow businesses to operate globally and the need to protect Indian citizens from having their data exposed to foreign surveillance or weak privacy laws.

Government Exemptions and the Balance of Power

No privacy law is complete without a discussion of government exemptions. The DPDP Act does allow the central government to exempt certain government agencies from some provisions of the law in the interest of national security, public order, and prevention of offences. This has been one of the most debated aspects of the law.
Critics argue that these exemptions are too broad and could be used to conduct mass surveillance without proper safeguards. They point out that the Act does not always require the government to specify procedural safeguards when granting exemptions, which was a feature of earlier drafts.
Supporters argue that some flexibility is necessary for intelligence agencies, law enforcement, and national security operations. They say that requiring the same consent and notice procedures for a terrorism investigation would make the country less safe.
The truth probably lies somewhere in the middle. While national security is undeniably important, the risk of misuse is real. The effectiveness of the law will depend on how the government uses these exemptions and whether the Data Protection Board and the courts can provide meaningful oversight.

Data Breaches and What Companies Must Do

A data breach is every internet user's nightmare. It happens when an unauthorized person gains access to personal data that a company is holding. This could be through hacking, employee negligence, or poor security practices. The DPDP Act takes data breaches very seriously and imposes strict obligations on companies when they occur.
When a Data Fiduciary discovers a personal data breach, it must:
  • Notify the Data Protection Board without delay, providing details about the nature of the breach, how many people are affected, what data was compromised, and what caused the breach
  • Submit a follow-up report within 72 hours with more detailed information about remedial actions, investigation findings, and proof that affected individuals have been notified
  • Inform the affected Data Principals promptly through their registered communication channels
The 72-hour timeline is strict and aligns with international standards like the European GDPR. It forces companies to act quickly rather than trying to hide breaches or delay disclosure. The requirement to inform affected individuals is also crucial because it allows people to take protective measures, such as changing passwords or monitoring their bank accounts.
The Act also requires companies to implement reasonable security safeguards to prevent breaches in the first place. These include encryption, access controls, data masking, monitoring systems, regular backups, and contractual security measures with third-party vendors.

Data Retention and the Right to Be Forgotten

One of the practical issues with digital data is that it can last forever. A photo you posted ten years ago, a comment you made on a forum, or an old email address can remain online indefinitely. The DPDP Act addresses this through storage limitation principles.
Data Fiduciaries must erase personal data as soon as the purpose for which it was collected has been fulfilled and retention is no longer necessary for legal purposes. For large platforms like e-commerce sites, social media networks, and gaming platforms, there is a specific rule: they cannot retain personal data for more than three years after the user's last interaction with the service.
At the same time, all Data Fiduciaries must retain personal data, traffic data, and certain logs for at least one year. This minimum retention is necessary to support lawful requests, investigations, and legal proceedings. After this one-year period, the data must be erased unless another law requires longer retention.
This creates a balanced approach where data is kept long enough for legitimate purposes but not so long that it becomes a permanent record that could be misused years later.

How the DPDP Act Compares with Global Privacy Laws

India's new law did not emerge in a vacuum. It was influenced by global developments in data protection, particularly the European Union's General Data Protection Regulation, which came into effect in 2018. The GDPR set a high benchmark for privacy rights and has influenced laws in many countries.
Compared to the GDPR, the DPDP Act is simpler in some ways and stricter in others. It does not classify data into sensitive and non-sensitive categories, treating all personal data uniformly. It also omits some rights that the GDPR provides, such as the right to data portability, and it does not set out a right to be forgotten as explicitly as the GDPR does.
However, the DPDP Act has its own strengths. It focuses heavily on consent and accountability. It introduces the concept of Consent Managers, which is unique and could make it easier for individuals to manage their privacy across multiple services. Its penalty structure is designed to be financially severe without relying on criminal sanctions, which may make enforcement faster and more consistent.
When compared with other national laws such as Singapore's Personal Data Protection Act or Brazil's LGPD, the DPDP Act stands out for its straightforward structure and its emphasis on a few clear legal bases for processing rather than a broad range of exceptions. This makes compliance more predictable for businesses while still maintaining strong protections for individuals.

What the DPDP Act Means for Ordinary Citizens

If you are an ordinary Indian citizen, the DPDP Act brings several practical changes to your daily life:
  • You will start seeing clearer privacy notices when you sign up for apps and websites. No more endless pages of legal jargon hidden behind a link.
  • You will have the right to ask companies what data they have about you and to correct or delete it.
  • If you have children, you will have more control over what data is collected about them online.
  • Companies will face real consequences if they mishandle your data or fail to protect it from hackers.
  • You will be able to use Consent Managers to centralize and simplify your privacy choices across different services.
At the same time, the Act also places some duties on you as a Data Principal. You must not provide false information or impersonate someone else when exercising your rights. You must not file frivolous or false complaints. These duties are minor and reasonable, designed to prevent abuse of the system.

Challenges and Criticisms

No law is perfect, and the DPDP Act has faced its share of criticism. Privacy advocates have raised several concerns:
  • The Act does not explicitly recognize the right to be forgotten, which would allow individuals to request removal of personal information from the internet.
  • It does not include data portability, which would let you move your data from one service to another easily.
  • The exemptions for government agencies are seen as too broad and lacking sufficient procedural safeguards.
  • The composition and independence of the Data Protection Board have been questioned, especially because members serve two-year terms with the possibility of reappointment, which some fear could affect their independence.
  • The Act does not regulate harms arising from data processing in the same explicit way that earlier drafts did.
These are legitimate concerns, and they will likely be tested in courts and through amendments in the coming years. The Act is a starting point, not a final destination, and India's privacy framework will continue to evolve.

The Future of Privacy in India

Looking ahead, the right to privacy in India is likely to become even more important. As artificial intelligence, facial recognition, biometric databases, and smart cities become more common, the amount of data collected about individuals will grow exponentially. The DPDP Act provides a foundation, but it will need to be supplemented with sector-specific rules, stronger enforcement, and continuous public engagement.
The phased implementation of the Act gives everyone time to adapt. Businesses can upgrade their systems. Citizens can learn about their rights. The government can build the institutions needed for effective oversight. By May 2027, when the core provisions become fully enforceable, India should have a much more robust privacy ecosystem.
Technology will keep advancing, and so will the threats to privacy. But with the Constitutional guarantee from the Puttaswamy judgment and the legal framework of the DPDP Act, India has taken the most important steps. The right to privacy is no longer a matter of debate. It is a recognized fundamental right, backed by law, and enforceable through institutions.

Conclusion

The journey of the right to privacy in India is a powerful example of how a society can adapt its laws to meet new challenges. From being dismissed as unimportant in the early decades of independence, privacy has risen to become a fundamental right protected by the Constitution and a comprehensive statutory framework.
For every Indian citizen, this means you now have stronger tools to protect your personal information. You have the right to know what data is being collected about you. You have the right to say no. You have the right to ask for corrections and deletions. And if someone violates these rights, there is a system in place to hold them accountable.
The Digital Personal Data Protection Act, 2023 is not just a law for tech companies and lawyers. It is a law for every person who uses a smartphone, shops online, accesses government services, or shares photos with friends. It is about dignity, autonomy, and the simple human need to have a private space in an increasingly connected world.
As we move forward, the real test will be implementation. Will companies respect the spirit of the law or just do the minimum to avoid penalties? Will the government use its exemptions responsibly? Will citizens exercise their rights actively? These questions will shape the future of privacy in India.
But one thing is certain. The right to privacy in India is no longer a dream or a demand. It is a reality, written into the Constitution and codified in law. And that is something every citizen should know, value, and protect.
