Privacy in India is not a statutory creation. It is a constitutional guarantee that the DPDPA operationalises into enforceable obligations.
The nine-judge bench of the Supreme Court of India, in Justice K.S. Puttaswamy (Retd.) v. Union of India (2017), unanimously held that the right to privacy is a fundamental right under Article 21 of the Constitution. This landmark judgment established that privacy includes informational privacy, meaning the right of individuals to control the dissemination of personal information. The Digital Personal Data Protection Act, 2023 is the legislative response to this constitutional mandate. It translates the abstract right into concrete obligations for every entity that processes personal data in India.
From Constitutional Principle to Statutory Obligation
The Puttaswamy judgment did not merely declare a right. It created a constitutional mandate for the State to enact a data protection framework.
The significance of the Puttaswamy judgment extends beyond the declaration of privacy as a fundamental right. The judgment established a three-part test for any restriction on privacy: legality (prescribed by law), legitimate aim (serving a recognised state objective), and proportionality (the restriction must be proportionate to the need). Every provision of the DPDPA must satisfy this test. Consent requirements under Section 6, breach notification under Rule 7, and cross-border transfer restrictions under Section 16 are all exercises of the State's regulatory power over informational privacy, constrained by the proportionality standard the Court established.
For organisations, this means that the DPDPA is not merely a compliance framework. It is the operationalisation of a constitutional right. Non-compliance is not just a regulatory risk. It is a failure to respect a right that the Supreme Court has placed on the same constitutional footing as the right to life and personal liberty. This framing elevates data protection from a technical obligation to a governance imperative.
How the DPDPA Operationalises the Constitutional Right
Six areas where the Puttaswamy framework translates directly into enforceable DPDPA obligations.
Informational Self-Determination
Sections 11-14: The right to access, correct, and erase personal data gives statutory form to the Puttaswamy principle that individuals must retain control over their informational identity. Data Fiduciaries must build operational systems for rights fulfilment.
Proportionate Processing
Section 4 | Section 6: The DPDPA's purpose limitation and consent requirements embody the proportionality test. Processing must serve a lawful purpose, and the means must be proportionate to the end. Excessive data collection violates both the statute and the constitutional standard.
Data Security as Constitutional Duty
Section 8(5) | Rule 6: Security safeguards are not merely regulatory requirements. They are the operational expression of the State's positive obligation to protect the fundamental right to privacy. Failure to implement reasonable safeguards is a constitutional as well as statutory failure.
Dignity and Autonomous Choice
Section 6(4): The right to withdraw consent reflects the constitutional principle that dignity requires autonomous choice. A Data Principal who cannot freely withdraw consent has been denied a constitutionally protected freedom.
Legitimate State Restriction
Section 7 | Section 17: The DPDPA's legitimate uses (Section 7) and government exemptions (Section 17) must pass the Puttaswamy proportionality test. Any exemption that is disproportionate to its stated aim is vulnerable to constitutional challenge.
Cross-Border Sovereignty
Section 16: Data transfer restrictions under Section 16 are an exercise of informational sovereignty. The restricted country list reflects the State's assessment of which jurisdictions provide adequate protection for the constitutional right of Indian data principals.
The Proportionality Standard and Its Compliance Implications
The Puttaswamy proportionality test requires that any restriction on privacy be (i) sanctioned by law, (ii) necessary for a legitimate aim, and (iii) proportionate to the objective. This framework operates as a constitutional overlay on every DPDPA provision. When the Data Protection Board evaluates a Data Fiduciary's conduct, the proportionality of its data processing, retention, and security measures will be assessed against this constitutional standard. Organisations that build compliance programmes aware of this framework will be better positioned to defend their processing decisions.
"The right to privacy is not an absolute right. But every restriction on it must be proportionate, necessary, and sanctioned by law. The DPDPA is the law. The question is whether your compliance meets the proportionality standard."
Frequently Asked Questions
Concise, statutory-referenced answers to the most common compliance questions on this topic.
Is the right to privacy a fundamental right in India?
Yes. In Justice K.S. Puttaswamy (Retd.) v. Union of India (2017), the nine-judge bench of the Supreme Court unanimously held that the right to privacy is a fundamental right protected under Article 21 of the Constitution of India. This right includes informational privacy, which is the right of individuals to control personal information about themselves.
How does the Puttaswamy judgment relate to the DPDPA?
The Puttaswamy judgment created the constitutional mandate for a data protection law. The Court held that the State has a positive obligation to protect the right to privacy, including through legislation governing the collection, use, and protection of personal data. The DPDPA, 2023 is the legislative fulfilment of this obligation.
Can the DPDPA's provisions be challenged as unconstitutional?
Any provision of the DPDPA that restricts the right to privacy must satisfy the three-part Puttaswamy test: legality, legitimate aim, and proportionality. Provisions that fail this test, including government exemptions under Section 17, could be challenged before the courts on constitutional grounds.
What is informational privacy under Indian law?
Informational privacy, as defined in the Puttaswamy judgment, is the right of individuals to control the dissemination of personal information. It encompasses the right to determine when, how, and to what extent information about oneself is communicated to others. The DPDPA operationalises this through consent requirements, purpose limitation, and data principal rights.

