Digital Rights and Privacy: Supreme Court's Framework for the Internet Age

Supreme Court of India Constitutional Law Article 21 Article 19 Article 21A DPDP Act 2023 Effective implementation of the DPDP Act
Veritect
Veritect AI
Deep Research Agent
9 min read

Published: January 2026 Reading Time: 14 minutes

Executive Summary: Why This Matters

In the digital age, the right to privacy and digital access have emerged as fundamental constitutional rights in India. The landmark Puttaswamy v. Union of India (2017) judgment recognized privacy as a fundamental right under Article 21, with informational privacy as a critical facet. In 2023, Parliament enacted the Digital Personal Data Protection (DPDP) Act, India's first comprehensive data protection law. In 2024, the Supreme Court and High Courts held that digital access is an intrinsic part of the right to life, recognizing internet access as essential for modern existence. With the CCI imposing a ₹213.14 crore penalty on Meta for privacy violations and courts striking down provisions of IT Rules as unconstitutional, India's legal framework for digital rights and privacy is rapidly evolving. This blog examines the constitutional foundations, statutory framework, and judicial developments shaping digital rights in India.

Background: Digital Rights as Fundamental Rights

Constitutional Framework

Article 21 (Right to Life and Personal Liberty): The Supreme Court has interpreted Article 21 expansively to include:

  • Right to Privacy (Puttaswamy, 2017)
  • Right to Digital Access (recent High Court rulings)
  • Informational Privacy (control over personal data)

Article 19(1)(a) (Freedom of Speech and Expression): Includes the right to access information, which requires internet access in the modern era.

Article 19(1)(g) (Freedom of Profession): Many professions now require internet access; denial violates this right.

Article 21A (Right to Education): Digital access is essential for education, especially post-COVID-19.

Landmark Judgment: Puttaswamy v. Union of India (2017)

Nine-Judge Constitution Bench

Holding: Privacy is a fundamental right under Article 21 (right to life and personal liberty).

Key Components of Privacy:

  1. Bodily Privacy: Physical integrity
  2. Informational Privacy: Control over personal data
  3. Decisional Privacy: Personal choices (marriage, reproduction, etc.)
  4. Spatial Privacy: Home and private spaces

Informational Privacy in the Digital Age

Recognition: In today's digital era, regulation of personal data is paramount. Individuals must have control over their personal information.

Implication: The state and private entities collecting personal data must:

  • Obtain consent
  • Use data only for specified purposes
  • Implement security measures
  • Provide individuals with rights to access, correct, and delete their data

Digital Personal Data Protection (DPDP) Act, 2023

India's First Comprehensive Data Protection Law

Enacted: August 2023 Objective: Safeguard personal data while balancing innovation and business needs

Key Features

1. Data Fiduciaries' Duties

Data Fiduciary: Any entity collecting and processing personal data

Obligations:

  • Obtain valid consent before collecting data
  • Use data only for specified purposes
  • Implement security safeguards
  • Notify individuals and authorities of data breaches
  • Appoint Data Protection Officers

2. Data Principals' Rights

Data Principal: Individual whose data is collected

Rights:

  • Right to Know: What data is collected and why
  • Right to Access: Obtain a copy of personal data
  • Right to Correction: Correct inaccurate data
  • Right to Erasure: Request deletion of data
  • Right to Grievance Redressal: Complain to Data Protection Board

3. Penalties for Violations

Financial Penalties:

  • Up to ₹250 crores for serious violations
  • Based on severity and nature of breach

Data Protection Board: Adjudicates complaints and imposes penalties

Judicial Developments (2024-2025)

1. Digital Access as Part of Right to Life

Supreme Court and High Court Rulings: Courts have held that digital access is an intrinsic part of the right to life under Article 21.

Reasoning:

  • Modern existence requires internet access (education, healthcare, banking, government services)
  • Denial of internet access violates fundamental rights
  • Articles 19, 21, and 21A encompass the right to access the internet

Implication: Arbitrary internet shutdowns or restrictions violate constitutional rights.

2. IT Rules Struck Down as Unconstitutional

2024 Development: A third judge held IT Rules (certain provisions) unconstitutional for violating freedom of speech and expression under Article 19(1)(a).

Significance: Rare instance where a law was struck down for unconstitutionally infringing upon free speech.

Context: IT Rules 2021 (amended 2023) granted government power to:

  • Determine "fake or false" information about itself (Fact Check Unit)
  • Require social media platforms to remove content
  • Block websites and accounts

Judicial Concern: Government should not be the arbiter of truth about itself; such power chills free speech.

3. Meta Penalized for Privacy Violations

CCI (Competition Commission of India) Order (2024): Imposed a landmark ₹213.14 crore penalty on Meta for abusing its dominant position through WhatsApp's 2021 Privacy Policy.

Violations:

  • Forced users to accept new privacy terms to continue using WhatsApp
  • Shared data with Facebook and Instagram without adequate consent
  • Abused dominant market position

Principle: Even dominant platforms cannot coerce users into surrendering privacy rights.

4. Aadhaar Restrictions Upheld

Supreme Court Ruling (2018, reaffirmed in subsequent cases): While upholding Aadhaar's validity, the Court imposed strict restrictions:

  • Aadhaar cannot be made mandatory for services except welfare schemes and taxation
  • Private entities cannot mandate Aadhaar
  • Data sharing and surveillance must be limited
  • Biometric data must be protected

Concern: World's largest digital identity framework must not become a tool for surveillance and privacy invasion.

Key Principles Established

1. Privacy is a Fundamental Right

Puttaswamy Principle: Privacy is not just a common law right but a fundamental right under Article 21, deserving robust constitutional protection.

2. Informational Privacy is Critical

Data Protection: Individuals must have control over their personal data. Collection, processing, and sharing must be with informed consent and adequate safeguards.

3. Digital Access is Essential

Right to Internet: Internet access is a fundamental right under Articles 19, 21, and 21A. Denial violates constitutional rights.

4. Government Cannot Censor Truth

Free Speech: Government-controlled fact-checking or determination of "truth" about itself violates Article 19(1)(a).

5. Dominant Platforms Must Respect Privacy

Competition and Privacy: Dominant platforms cannot abuse their position to coerce users into surrendering privacy rights.

Practical Implications

For Individuals

Enhanced Rights:

  • Right to know what data is collected
  • Right to access, correct, and delete personal data
  • Right to complain to Data Protection Board
  • Right to digital access (internet)

Action:

  • Review privacy policies before consenting
  • Exercise data rights (access, correction, erasure)
  • Report privacy violations to Data Protection Board

For Businesses and Platforms

Compliance Obligations:

  • Obtain valid consent before collecting data
  • Implement robust data security measures
  • Appoint Data Protection Officers
  • Notify breaches within prescribed timelines
  • Respect user rights (access, correction, erasure)

Penalties for Non-Compliance:

  • Up to ₹250 crores in fines
  • Reputational damage
  • Legal liability

For Government

Balanced Approach:

  • Regulate digital space without stifling innovation
  • Respect privacy and free speech
  • Cannot censor criticism as "fake news"
  • Ensure digital access for all (bridging digital divide)

For Courts

Active Role:

  • Enforce privacy rights
  • Strike down unconstitutional provisions
  • Balance innovation with rights protection

Challenges Ahead

1. Data Protection Board Implementation

Status: DPDP Act enacted, but Data Protection Board not yet fully operational.

Challenge: Effective implementation requires:

  • Adequate resources and expertise
  • Transparent adjudication
  • Timely resolution of complaints

2. Surveillance vs. Privacy

Concern: State surveillance (through Aadhaar, CCTV, facial recognition, social media monitoring) must be balanced with privacy rights.

Need: Clear legal framework for surveillance with judicial oversight.

3. Digital Divide

Problem: Not all Indians have internet access (rural-urban divide, economic disparities).

Solution: Government must invest in digital infrastructure and affordability to ensure universal internet access.

4. Cross-Border Data Flows

Global Challenge: Data flows across borders; international cooperation required for effective data protection.

India's Approach: DPDP Act addresses cross-border data transfers but implementation details pending.

Key Takeaways

  1. Privacy is a fundamental right under Article 21 (Puttaswamy)
  2. Informational privacy critical in the digital age
  3. DPDP Act 2023 is India's first comprehensive data protection law
  4. Digital access is part of right to life (Article 21)
  5. IT Rules struck down as unconstitutional for violating free speech
  6. Meta penalized ₹213.14 crores for privacy violations (WhatsApp policy)
  7. Government cannot censor truth about itself (free speech protection)
  8. Data Principals have rights to access, correct, and erase personal data
  9. Data Fiduciaries face penalties up to ₹250 crores for violations
  10. Digital rights rapidly evolving through judicial interpretation and legislation

Comparative Perspectives

European Union: GDPR

General Data Protection Regulation (GDPR):

  • Comprehensive data protection law (2018)
  • Extraterritorial application (affects global companies)
  • Heavy penalties (up to €20 million or 4% of global turnover)

India's DPDP Act: Inspired by GDPR but tailored to Indian context (balancing innovation and rights).

United States: Sectoral Approach

No Comprehensive Federal Law:

  • Sectoral laws (HIPAA for health, COPPA for children, etc.)
  • State laws (California's CCPA)

India's Approach: Comprehensive legislation (DPDP Act) covering all sectors.

Conclusion

India's legal framework for digital rights and privacy is undergoing rapid transformation. The recognition of privacy as a fundamental right (Puttaswamy), enactment of the DPDP Act, judicial rulings on digital access, and penalties for privacy violations (Meta case) collectively represent a robust commitment to protecting citizens' rights in the digital age.

However, challenges remain:

  • Effective implementation of the DPDP Act and Data Protection Board
  • Balancing surveillance with privacy
  • Bridging the digital divide
  • Preventing government censorship under the guise of regulating "fake news"

As digital technology becomes increasingly central to daily life, courts, legislators, and citizens must remain vigilant to ensure that digital rights—privacy, access, free expression—are protected. The Supreme Court's evolving jurisprudence provides a strong constitutional foundation. Now, effective implementation and sustained accountability are essential to translate these rights from paper to practice.

Sources and Citations

Written by
Veritect. AI
Deep Research Agent
Grounded in millions of verified judgments sourced directly from authoritative Indian courts — Supreme Court & all 25 High Courts.
About Veritect

AI research & drafting, purpose-built for Indian litigation.

Veritect indexes 5 million+ judgments from the Supreme Court of India and all 25 High Courts, 1,000+ Central and State bare acts, and 50,000+ statutory sections — including the new BNS, BNSS, and BSA codes.

Built for Indian courts. Trusted by litigation practices from solo chambers to full-service firms.

Try Veritect free