The Right to Privacy in the Digital Age: An Analysis of the Constitutional Framework, the DPDP Act, 2023, and the Adequacy of Protection for Indian Citizens in the Era of Social Media and Surveillance
By Guru Legal
Keywords
right to privacy; digital age; Puttaswamy judgment; DPDP Act 2023; social media surveillance; data collection; Aadhaar; biometric data; Article 21; personal data protection; India; surveillance capitalism
Abstract
The right to privacy, recognised as a fundamental right under Article 21 of the Constitution by a nine-judge bench of the Supreme Court in Justice K.S. Puttaswamy (Retd.) v. Union of India (2017), is under unprecedented pressure in the digital age. The pervasive collection of personal data by social media platforms, e-commerce companies, government surveillance systems, and data brokers has created a surveillance ecosystem that increasingly constrains individual autonomy, chills free expression, and enables discrimination. This article examines the constitutional basis and scope of the right to privacy in India, the adequacy of the Digital Personal Data Protection Act, 2023 as a statutory instrument for realising this right, the specific privacy risks posed by social media, Aadhaar-linked databases, and commercial data aggregation, and the reforms needed to ensure that the constitutional right to privacy is not eroded by the imperatives of digital commerce and state surveillance.
I. Introduction
The digital revolution has created an environment in which every online activity every search query, every social media post, every financial transaction, every location ping generates data that can be stored, analysed, and monetised. The aggregate of this data constitutes a comprehensive profile of the individual: her preferences, relationships, health status, political views, and movements. This data environment creates enormous value for the companies and governments that collect and analyse it, but poses profound risks to the privacy, autonomy, and dignity of individuals. In India, with over 900 million internet users and one of the world’s most rapidly growing digital economies, the stakes could hardly be higher.
II. The Constitutional Foundation: Puttaswamy and Its Implications
The Supreme Court’s unanimous nine-judge bench decision in Justice K.S. Puttaswamy (Retd.) v. Union of India (2017) 10 SCC 1 definitively established the right to privacy as a fundamental right protected under Article 21 of the Constitution. The court held that privacy is intrinsic to life and liberty, and encompasses both the right to be left alone and the right of the individual to determine what information about herself she shares with the world. The decision overruled the earlier judgments in M.P. Sharma v. Satish Chandra (1954) and Kharak Singh v. State of U.P. (1964), which had denied a constitutional right to privacy.
The Puttaswamy judgment also established the three-part test for the constitutional validity of restrictions on the right to privacy: the restriction must be sanctioned by law; it must be necessary to achieve a legitimate state aim; and it must be proportionate to the aim pursued, being the least intrusive means available. This test provides the constitutional framework for evaluating the legality of government surveillance programmes, data collection mandates, and data sharing requirements.
III. Social Media and the Privacy Paradox
Social media platforms derive their business models from the collection, analysis, and monetisation of user data. The terms of service of major platforms require users to consent to the collection of extensive personal data including location, browsing history, contact lists, and behavioural data as a condition of accessing the service. This consent, invariably buried in lengthy and inaccessible privacy policies, is not the free and informed consent contemplated by the Puttaswamy framework: users who do not accept the terms cannot access the platform, and few have the technical sophistication to understand what data is collected or how it is used.
The DPDP Act, 2023 addresses this concern through its provisions on consent: data fiduciaries must obtain free, specific, informed, unconditional, and unambiguous consent, presented in a clear and plain language notice. The Act further provides that consent can be withdrawn at any time, and that the withdrawal of consent shall not affect the lawfulness of processing based on consent prior to its withdrawal. These provisions, if rigorously enforced, would significantly improve the quality of consent in the social media context, though enforcement challenges remain significant given the complexity of data flows within and between platform ecosystems.
IV. Aadhaar, Biometric Data, and State Surveillance
The Aadhaar biometric identification system, which captures the fingerprints and iris scans of over 1.3 billion Indian residents, represents the largest biometric database in the world. The Supreme Court, in Justice K.S. Puttaswamy (Retd.) v. Union of India (2018) the Aadhaar judgment upheld the constitutional validity of the Aadhaar Act, 2016 in its application to the delivery of government subsidies and services, while striking down provisions that permitted private sector access to the Aadhaar database and the mandatory use of Aadhaar for bank account opening and mobile SIM registration. The judgment drew a clear distinction between state use of biometric data for legitimate welfare delivery purposes which it found proportionate and private sector use which it found disproportionate.
V. Conclusion
The right to privacy is a foundational element of human dignity and autonomy, and its protection in the digital age is one of the defining legal challenges of our time. The DPDP Act, 2023 represents a significant advance in India’s data protection framework, but its effectiveness as an instrument for realising the constitutional right to privacy depends on the robustness of the Data Protection Board, the quality of subsidiary regulations, and the political will to enforce the Act against powerful commercial and governmental data collectors. A truly protective privacy framework must place the data principal the individual at the centre, ensuring that digital technology serves human flourishing rather than enabling its suppression.
Bibliography
Justice K.S. Puttaswamy (Retd.) v. Union of India (2017) 10 SCC 1 (Supreme Court of India).
Justice K.S. Puttaswamy (Retd.) v. Union of India (2018) (Aadhaar Judgment).
Digital Personal Data Protection Act, 2023 (India).
Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (India).
Constitution of India, Articles 19 and 21.
EU General Data Protection Regulation (GDPR), Regulation (EU) 2016/679.
