Privacy — including informational privacy, decisional autonomy, and bodily integrity — is a fundamental right protected under Article 21 of the Indian Constitution.

The Legal Question Before the Court

The reference arose from constitutional challenges to the Aadhaar scheme — India's biometric digital identity programme. At the heart of these challenges was the question of whether the State could compel individuals to submit biometric data and link it to access government services, without violating any fundamental right.

The government argued there was no fundamental right to privacy under the Indian Constitution. It relied on two Supreme Court decisions — M.P. Sharma v. Satish Chandra, AIR 1954 SC 300 (eight-judge bench), and Kharak Singh v. State of U.P., AIR 1963 SC 1295 (six-judge bench) — which had held, or were read to hold, that privacy is not a fundamental right. The nine-judge bench was constituted to resolve this fundamental constitutional question.

The Court's Decision

All nine judges unanimously held that the right to privacy is a fundamental right guaranteed under Part III of the Constitution of India, and specifically under Article 21 (right to life and personal liberty). The court overruled the contrary observations in M.P. Sharma and Kharak Singh.

Privacy was held to be a multidimensional right encompassing at minimum: (i) decisional autonomy — the right to make intimate personal choices free from State interference; (ii) informational privacy — the right to control personal information about oneself; and (iii) bodily integrity — protection against unwanted physical intrusion. Like all fundamental rights, privacy is not absolute. It is subject to reasonable restrictions in the interests of legitimate state aims, provided such restrictions satisfy the proportionality test.

The Court's Reasoning

The six-judge plurality opinion authored by Justice D.Y. Chandrachud (as he then was) situated the right to privacy within the broader framework of constitutional morality and the evolving interpretation of fundamental rights. The court held that the Indian Constitution must be interpreted as a living document that responds to the legitimate aspirations of its citizens. The framers of the Constitution did not enumerate privacy as a separate right, but its content is implicit in the cluster of rights in Articles 19 and 21.

The court observed that human dignity — which is foundational to the Constitution — cannot be preserved without protecting privacy. The right to be left alone, to control information about oneself, and to make personal choices that affect primarily the individual are essential to a life of dignity. Privacy enables the development of individual personality and the exercise of other fundamental rights.

The proportionality test the court prescribed requires the State to demonstrate: (a) a legitimate aim; (b) a rational connection between the measure and the aim; (c) necessity — the measure is the least restrictive means of achieving the aim; and (d) proportionality stricto sensu — the benefits outweigh the harm to individual rights.

Practical Implications — What This Means Today

Puttaswamy is the constitutional bedrock of India's data protection framework. The Digital Personal Data Protection Act, 2023 (DPDPA) — which came into force in August 2023 — was enacted directly in response to the jurisprudential mandate of this decision. The DPDPA imposes consent, purpose limitation, data minimisation, and accountability obligations on data fiduciaries (businesses that collect and process personal data). Non-compliance attracts penalties of up to ₹250 crore per instance.

For businesses operating in India — particularly technology companies, financial services institutions, healthcare providers, and any enterprise maintaining customer databases — Puttaswamy has concrete operational consequences. Privacy by design, data protection impact assessments, and lawful bases for processing are no longer best-practice recommendations; they are constitutional imperatives backed by statutory penalties.

For NRIs and cross-border data flows, the ruling also anchors privacy as a core value that Indian law will protect regardless of the jurisdiction in which data is stored or processed. Any data processing arrangement involving Indian personal data must be compliant with the constitutional standard Puttaswamy establishes.

Relevant Statutory Provisions

  • Article 21, Constitution of India — Right to life and personal liberty — privacy held to be encompassed within this right
  • Article 19, Constitution of India — Rights to speech, movement, privacy-related freedoms
  • Digital Personal Data Protection Act, 2023 — Statutory expression of the constitutional right to informational privacy
  • Information Technology Act, 2000, Section 43A — Compensation for failure to protect personal data — pre-DPDPA framework

Analysis by Vinode V. Luka, Advocate | Published: May 2026 | Last reviewed: May 2026