A comprehensive examination of how an ancient human instinct became one of the most contested and consequential legal rights of the modern era
Origins: A Right as Old as Civilisation
The right to privacy did not spring fully formed from the pen of a judge or legislator. It emerged, slowly and unevenly, from the deepest layers of human moral instinct, the conviction that every person possesses an inner world that ought not to be invaded without consent. Long before “privacy” was given a name in a legal courtroom, it was felt as a condition of dignified existence. Temples afforded sacred personal space. Common law recognised the home as a castle. Epistolary correspondence was accorded protection not because a statute said so, but because civilised society understood that to read another’s private letter was to violate the person. This intuition, that each individual holds a zone of selfhood exempt from external intrusion, is the seed from which the legal right to privacy eventually grew.
The formalisation of this instinct in Western legal thought begins, in earnest, with the ancient relationship between the state and the individual. Greek political philosophy, Roman law, and later the natural law tradition of Locke and Kant each contributed threads to a fabric that would eventually become recognisable as privacy doctrine. John Locke’s framework of property, including “property in the person”, provided an early vocabulary for describing what is at stake when the self is invaded. Immanuel Kant offered something deeper: a moral philosophy grounded in the absolute duty to treat every person as an end in themselves, never merely as a means. For Kant, to spy upon another’s private life, to expose the intimacies of their personality to public scrutiny without consent, was not merely wrong in its consequences; it was a violation of the categorical imperative, a failure to respect the equal moral worth that defines personhood. This Kantian foundation would reappear, centuries later, in constitutional courts across the world.
The Philosophical Architecture: Dignity, Autonomy, and Individuality
Three philosophical pillars underpin the modern conception of privacy: dignity, autonomy, and individuality. While these concepts overlap, each adds a distinct dimension to why privacy matters.
The Dignity Dimension
The philosopher Edward Bloustein, writing in 1964, argued that all invasions of privacy, however diverse in their fact patterns, share a single underlying wrong: a violation of human dignity and individuality. His intervention was a direct response to Dean Prosser’s claim that so-called privacy cases in American tort law were really protecting a heterogeneous mix of interests (reputation, emotional tranquillity, and intangible property) with no unifying foundation. Bloustein returned to the seminal 1890 article by Samuel Warren and Louis Brandeis, which first articulated a legal “right to privacy” in the Harvard Law Review, to recover its deeper argument: that even where a person’s reputation is unaffected and their equanimity undisturbed, an invasion of their private sphere is nevertheless a wrong, because the interest being violated is the interest in one’s own personhood.[i] [ii]
This dignity-based view connects directly to Kant’s moral philosophy: to treat a person’s body, intimacies, or personal information as an object available for public consumption is to treat them as a means rather than an end. The woman whose photograph is reproduced in an advertisement without consent suffers not merely an economic loss but a dignitary harm; she has been appropriated, rendered instrumental, deprived of authority over her own image. Privacy, on this view, is the legal expression of the moral requirement to respect persons as persons.
The Autonomy Dimension
John Stuart Mill offered a different, though compatible, foundation. For Mill, privacy protects an individual’s capacity to conduct “experiments in living”, to make unconventional choices, develop unorthodox opinions, and chart a life course free from the crushing conformity imposed by social surveillance. Mill’s concern was not abstract: he observed, from nineteenth-century England, how the weight of social pressure upon individuals, greater even than the pressure of law, could extinguish the spark of genuine individuality. If people know they are being watched, they self-censor; they conform; they become something less than themselves.
Contemporary theorist Julie Cohen has updated this Millian insight for the digital age, arguing that privacy “shelters dynamic, emergent subjectivity from the efforts of commercial and government actors to render individuals and communities fixed, transparent, and predictable”. The individual is not a static bundle of preferences to be analysed and optimised; they are a becoming, a project in perpetual development. Privacy protects the space within which that development can occur authentically, free from the distorting influence of constant observation.[iii]
Autonomy, as Jennifer Nedelsky and others have noted, is never purely individual: we are “constituted, yet not determined” by our relationships and social context. This relational conception of autonomy has important consequences for privacy law. It means that privacy protection cannot be reduced to protecting bounded, atomistic individuals from external intrusion; it must also account for the social dimensions of personhood and the ways in which surveillance and data collection can reshape who we are and who we are allowed to become.
The Informational Dimension
The third and most urgent contemporary dimension of privacy concerns information. The philosopher Ferdinand Schoeman observed that what makes information private is, in large part, its importance to our conception of ourselves and our relationships. When someone discloses intimate information to another, they are not merely exchanging data; they are extending trust, and in doing so, constituting a relationship. The capacity to control the flow of personal information is therefore not peripheral to selfhood but constitutive of it.
The digital revolution has made this insight both more important and more difficult to protect. Every transaction leaves electronic tracks; every interaction generates data. Alex Pentland’s work on social data illustrates the capacity of aggregated information, individually innocuous details about movement, consumption, and communication, to construct a comprehensive portrait of an individual’s personality, preferences, and social connections. As Daniel Solove has theorised, the danger of modern surveillance lies not in the exposure of any single sensitive fact but in the aggregation of information fragments, each benign in isolation, into a detailed portrait of the person that the person never consented to create or share.[iv] To know that someone bought a certain book is trivial; to know their daily movements, health searches, financial transactions, social networks, and political associations, simultaneously and in combination, is to know something far more intimate and far more dangerous. [v]
The Common Law Foundations: Warren and Brandeis
The modern legal history of privacy begins with a celebrated law review article. In 1890, Samuel D. Warren and Louis D. Brandeis published “The Right to Privacy” in the Harvard Law Review, prompted — legend has it — by Warren’s irritation at newspaper coverage of his family’s social events. The article is remarkable for its ambition: it argued that the common law had always protected, in scattered forms, a general right to be “let alone,” and that the time had come to recognise this as a coherent legal principle.[vi]
Warren and Brandeis rejected the reduction of privacy injuries to consequences — harm to reputation, emotional distress, or loss of property — arguing instead that the underlying interest was something more fundamental: the right of an individual to control what is said, written, and shown about them. They drew on copyright doctrine, which protected an author’s right to decide whether to publish their thoughts, and extended its logic: if law protects the right to control the dissemination of one’s intellectual productions, why not one’s personality, one’s image, one’s intimate life? [vii]
The Warren-Brandeis article became the foundational text of American privacy law and resonated far beyond the United States. It planted the idea that privacy is not a privilege of the powerful; it is a right that attaches to every person, a precondition for the enjoyment of liberty itself. Bloustein’s 1964 response to Prosser, discussed above, was the philosophical continuation of this project: an attempt to show that the diverse categories of privacy torts that had developed over the preceding seven decades shared a single moral foundation in human dignity and individuality.[viii]
Privacy in Indian Constitutional History: The Long Journey to Puttaswamy[ix]
In India, the journey of privacy from instinct to fundamental constitutional right was neither smooth nor inevitable. The early post-independence jurisprudence of the Supreme Court was equivocal. In M.P. Sharma v. Satish Chandra (1954), an eight-judge bench held that the Indian Constitution did not guarantee a right to privacy akin to the Fourth Amendment of the US Constitution.[x] In Kharak Singh v. State of Uttar Pradesh (1963), a six-judge bench rejected, by majority, the proposition that privacy was a fundamental right, though Justice Subba Rao, dissenting, recognised it as inherent in the right to liberty.[xi]
Subsequent decisions gradually built up a privacy jurisprudence, almost despite these early denials. Gobind v. State of M.P. (1975) held that any right to privacy must encompass the “personal intimacies of the home, the family, marriage, motherhood, procreation, and child rearing,” and that a claimed privacy right must be “a fundamental right implicit in the concept of ordered liberty”. The Court held that individuals have a sphere, borrowed from Justice Brandeis, where they should be “let alone”.[xii] Through R. Rajagopal v. State of Tamil Nadu (1994)[xiii], People’s Union for Civil Liberties v. Union of India (1997)[xiv], and other decisions, the Supreme Court steadily expanded the recognised content of privacy, tracing it through the right to life and personal liberty in Article 21 and the freedoms guaranteed in Article 19.[xv]
The Aadhaar Context and the Nine-Judge Bench
The definitive moment arrived in Justice K.S. Puttaswamy (Retd.) v. Union of India, decided by a nine-judge bench in 2017. The case arose from a constitutional challenge to the Aadhaar project, India’s biometric identification system, which collects fingerprints and iris scans from residents and links them to a unique twelve-digit number. The challenge raised the fundamental question: Does the Indian Constitution guarantee a right to privacy, and if so, does the Aadhaar project violate it?[xvi]
The nine judges were unanimous: privacy is a fundamental right, inherent in every individual as a natural right, and constitutionally protected under Article 21 and the broader framework of Part III of the Constitution. The judgment is a landmark not merely for its conclusion but for the depth and sophistication of its reasoning. Privacy was held to inhere in every individual by virtue of their humanity; it is “inalienable and attaches to every individual as a precondition for being able to exercise their freedom”. Justice Sapre observed that the right to privacy “is indeed inseparable and inalienable from human being”.
The Court identified three core dimensions of privacy: (i) spatial control — the right to create private spaces; (ii) decisional autonomy — the right to make intimate personal choices about one’s body, family, and faith; and (iii) informational control — the right to control the dissemination of personal information. Justice Nariman, in his concurring opinion, specifically addressed informational privacy as protecting “a person’s mind,” recognising the individual’s right to control information personal to them, since unauthorised use of such information infringes the right to privacy.
The judgment articulated the triple test — or the test of proportionality — as the constitutional standard for evaluating any encroachment on privacy: (i) there must be a law in existence; (ii) the law must serve a legitimate State aim; and (iii) the restriction must be proportionate, meaning it must achieve its aim through the minimum invasion of the right necessary. This three-limbed test draws on both Article 21 jurisprudence and comparative constitutional law from Germany, South Africa, and elsewhere, and was applied with rigour to the various provisions of the Aadhaar Act.[xvii]
The Court’s application of the proportionality test produced a nuanced outcome. It upheld the core of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, the use of biometric authentication to target delivery of State subsidies, benefits, and services, as serving a legitimate State interest in ensuring that scarce public resources reach intended beneficiaries and eliminating duplicate or fraudulent claims. However, it struck down Section 57, which had permitted private entities to use Aadhaar authentication, finding no compelling justification for the disproportionate data exposure that mandatory authentication by private parties would create. Similarly, it struck down the mandatory linking of Aadhaar with bank accounts as failing the proportionality test — finding that depriving existing account holders of the ability to operate their accounts unless they completed Aadhaar seeding amounted to a disproportionate invasion of informational privacy.
Critically, the Court recognised the danger of data aggregation: each individual authentication by an Aadhaar number holder creates a record of where the person was and what service they accessed. In isolation, these records may seem harmless; in aggregation, they disclose “the nature of the personality — food habits, language, health, hobbies, sexual preferences, friendships, ways of dress and political affiliation”. The creation of a centralised identification infrastructure that could enable comprehensive profiling of individuals was identified as a structural privacy risk requiring legislative and architectural safeguards.
The Puttaswamy judgment also placed an important positive obligation on the State: not merely to refrain from invading privacy, but to create a “viable legal regime which recognises, respects, protects, and enforces informational privacy”. This positive obligation, that the state must legislate to protect individuals against non-state actors as well, directly foreshadowed and necessitated the enactment of the Digital Personal Data Protection Act.[xviii]
From Judgment to Legislation: The DPDP Act, 2023
The Puttaswamy judgment created the constitutional mandate; the Digital Personal Data Protection Act, 2023 (DPDP Act) represents Parliament’s response. Enacted as Bill No. 113 of 2023 and passed in the Seventy-fourth Year of the Republic, the Act declares its purpose in its preamble: “to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes”. This dual recognition of privacy as a right and data processing as a legitimate social necessity reflects the balancing act at the heart of all privacy law.[xix] [xx]
The Act’s conceptual architecture is significant. It replaces the traditional European vocabulary of “data controller” and “data subject” with the Indian terms Data Fiduciary (any person who determines the purpose and means of processing) and Data Principal (the individual to whom the data relates). This terminological shift is not merely cosmetic; it invokes the law of fiduciary relationships, with its connotations of trust, duty of care, and accountability. The Srikrishna Committee’s report[xxi], noted by the Supreme Court in Puttaswamy itself, explained that the aim was to create a “trust-based relationship” between the entity collecting data and the individual whose data is collected.[xxii]
Consent as the Foundation
Central to the Act’s design is consent. The consent given by a Data Principal must be “free, specific, informed, unconditional and unambiguous with a clear affirmative action”. This formulation mirrors the requirements articulated in the Puttaswamy judgment and reflects the GDPR’s consent standard. The Act requires that every request for consent be presented in clear and plain language, with the option to access it in English or any language specified in the Eighth Schedule to the Constitution. Consent is granular; it is limited to the personal data necessary for the specified purpose, so that a telemedicine app cannot, for example, use a consent to provide health services as authorisation to access the user’s contact list.[xxiii]
Critically, the Act affirms that consent may be withdrawn at any time, with the same ease with which it was given. Upon withdrawal, the Data Fiduciary must cease processing and direct any Data Processors to do the same, unless continued processing is authorised by another legal basis. This right of withdrawal operationalises the Puttaswamy vision of informational control: the individual retains ongoing authority over their data, not merely at the moment of collection.[xxiv]
Rights of the Data Principal
The Act enumerates a set of substantive rights for the Data Principal that translate the constitutional right to privacy into actionable legal entitlements:
- The right to access information about what personal data is being processed, by whom, and shared with whom
- The right to correction and erasure — to have inaccurate data corrected, incomplete data completed, and unnecessary data erased
- The right to grievance redressal — a right to effective mechanisms for complaints, backed by the Data Protection Board of India
- The right to nominate a successor to exercise these rights in the event of the Data Principal’s death or incapacity
These rights are not absolute. The Act provides for exemptions in the interests of national security, law enforcement, judicial and quasi-judicial functions, and public health emergencies.[xxv] The exemption framework reflects the Puttaswamy court’s recognition that the right to privacy is subject to legitimate State interests — but the triple test ensures that such exemptions must be proportionate and lawful.[xxvi]
Obligations of Data Fiduciaries
The Act imposes comprehensive obligations on Data Fiduciaries. They must implement “appropriate technical and organisational measures” to ensure compliance; protect personal data against breach through “reasonable security safeguards”; notify the Data Protection Board and affected Data Principals promptly in the event of a breach; and erase data once it is no longer needed for the specified purpose. Significant Data Fiduciaries — those handling large volumes of sensitive data, posing higher risks to individual rights, or capable of impacting national security or electoral democracy — face additional obligations: appointment of a Data Protection Officer, independent data audits, and periodic Data Protection Impact Assessments.
The Act also addresses the protection of children, prohibiting tracking, behavioural monitoring, and targeted advertising directed at minors, and requiring verifiable parental consent before processing a child’s data. These provisions respond directly to the documented harms of algorithmic profiling of children in the digital economy.
The Rules of 2025: Giving the Law Its Teeth
The Digital Personal Data Protection Rules, 2025, represent the next layer of the regulatory architecture — translating the Act’s broad principles into detailed operational requirements. The Rules address the manner of consent notice, the registration and obligations of Consent Managers, the process for verifiable parental consent, the standards for Data Protection Impact Assessments, and the procedures of the Data Protection Board of India. Together, the Act and the Rules construct an integrated data protection regime that — while drawing heavily on the GDPR’s framework — is adapted to India’s specific constitutional context, language diversity, and digital public infrastructure.
The Enduring Tension: Surveillance, Development, and the Democratic Individual
The journey from Warren and Brandeis’s 1890 article to the DPDP Rules of 2025 traces more than a century of legal and philosophical development. But it also reveals an enduring tension that no statute can fully resolve: the tension between the individual’s need for a protected inner life and the State’s legitimate interest in knowing about its citizens for purposes of welfare delivery, security, and governance.[xxvii]
The Puttaswamy judgment, and the DPDP Act that followed it, represent India’s most sophisticated attempt to navigate this tension. They recognise that privacy is not the enemy of development — it is its precondition. A State that profiles its citizens comprehensively, that knows their location at every moment, their health, their finances, their associations, is not a welfare state but a surveillance state. And as the Court recognised in Puttaswamy, the existence of concentrated and centralised State power — even without its actual use — creates a chilling effect upon the ability of citizens to think, speak, and associate freely. Privacy, in the final analysis, is not merely a personal comfort or a bourgeois luxury. It is, as the nine judges unanimously held, a necessary condition precedent to the enjoyment of every other guarantee in Part III of the Constitution — the foundation upon which the entire architecture of fundamental rights rests.[xxviii]
As Justice Bobde observed: “Privacy constitutes the basic, irreducible condition necessary for the exercise of personal liberty and freedoms guaranteed by the Constitution. It is the inarticulate major premise in Part III of the Constitution”. From the Kantian moral imperative to respect persons as ends in themselves, through Warren and Brandeis’s articulation of the right to be let alone, through the Puttaswamy judgment’s recognition of privacy as a fundamental and natural right, to the DPDP Act’s framework of consent, fiduciary duty, and enforceable rights — the story of privacy is the story of civilization’s ongoing effort to protect the individual against the power of the collective. It is a story far from finished.[xxix]
[i] https://groups.csail.mit.edu/mac/classes/6.805/articles/privacy/Privacy_brand_warr2.html
[ii] https://stem.elearning.unipd.it/pluginfile.php/1000752/mod_resource/content/0/Warren%2C%20Brandeis%20%20The%20right%20to%20privacy.pdf
[iii] https://harvardlawreview.org/wp-content/uploads/2013/05/vol126_cohen.pdf
[iv] https://scholarship.law.gwu.edu/cgi/viewcontent.cgi?article=2074&context=faculty_publications
[v] https://scholarship.law.gwu.edu/cgi/viewcontent.cgi?params=/context/faculty_publications/article/2074/&path_info=A_Taxonomy_of_Privacy.pdf
[vi] https://stem.elearning.unipd.it/pluginfile.php/1000752/mod_resource/content/0/Warren%2C%20Brandeis%20%20The%20right%20to%20privacy.pdf
[vii] https://stem.elearning.unipd.it/pluginfile.php/1000752/mod_resource/content/0/Warren%2C%20Brandeis%20%20The%20right%20to%20privacy.pdf
[viii] https://stem.elearning.unipd.it/pluginfile.php/1000752/mod_resource/content/0/Warren%2C%20Brandeis%20%20The%20right%20to%20privacy.pdf
[ix] https://cdnbbsr.s3waas.gov.in/s3ec0490f1f4972d133619a60c30f3559e/documents/aor_notice_circular/43.pdf
[x] https://jajharkhand.in/wp/wp-content/judicial_updates_files/07_Criminal_Law/21_search_and_seizure/M._P._Sharma_And_Others_vs_Satish_Chandra,_District_…_on_15_March,_1954.PDF
[xi] https://globalfreedomofexpression.columbia.edu/wp-content/uploads/2016/09/Kharak-Singh-v-State-of-UP.pdf
[xii] https://indiankanoon.org/doc/845196/
[xiii] https://indiankanoon.org/doc/501107/
[xiv] https://indiankanoon.org/doc/31276692/
[xv] https://indiankanoon.org/doc/845196/
[xvi] https://cdnbbsr.s3waas.gov.in/s3ec0490f1f4972d133619a60c30f3559e/documents/aor_notice_circular/43.pdf
[xvii] https://cdnbbsr.s3waas.gov.in/s3ec0490f1f4972d133619a60c30f3559e/documents/aor_notice_circular/43.pdf
[xviii] https://cdnbbsr.s3waas.gov.in/s3ec0490f1f4972d133619a60c30f3559e/documents/aor_notice_circular/43.pdf
[xix] https://cdnbbsr.s3waas.gov.in/s3ec0490f1f4972d133619a60c30f3559e/documents/aor_notice_circular/43.pdf
[xx] https://www.meity.gov.in/static/uploads/2025/11/53450e6e5dc0bfa85ebd78686cadad39.pdf
[xxi] https://prsindia.org/files/bills_acts/bills_parliament/2019/Committee%20Report%20on%20Draft%20Personal%20Data%20Protection%20Bill,%202018_0.pdf
[xxii] https://cdnbbsr.s3waas.gov.in/s3ec0490f1f4972d133619a60c30f3559e/documents/aor_notice_circular/43.pdf
[xxiii] https://cdnbbsr.s3waas.gov.in/s3ec0490f1f4972d133619a60c30f3559e/documents/aor_notice_circular/43.pdf
[xxiv] https://cdnbbsr.s3waas.gov.in/s3ec0490f1f4972d133619a60c30f3559e/documents/aor_notice_circular/43.pdf
[xxv] https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf
[xxvi] https://cdnbbsr.s3waas.gov.in/s3ec0490f1f4972d133619a60c30f3559e/documents/aor_notice_circular/43.pdf
[xxvii] https://stem.elearning.unipd.it/pluginfile.php/1000752/mod_resource/content/0/Warren%2C%20Brandeis%20%20The%20right%20to%20privacy.pdf
[xxviii] https://cdnbbsr.s3waas.gov.in/s3ec0490f1f4972d133619a60c30f3559e/documents/aor_notice_circular/43.pdf
[xxix] https://cdnbbsr.s3waas.gov.in/s3ec0490f1f4972d133619a60c30f3559e/documents/aor_notice_circular/43.pdf
(This article has been written by Tanmaya Nirmal, TAU, National e-Governance Division. For any comments or feedback, please write to tanmaya.nirmal@digitalindia.gov.in and negdcb@digitalindia.gov.in)
[1] https://groups.csail.mit.edu/mac/classes/6.805/articles/privacy/Privacy_brand_warr2.html
[1] https://harvardlawreview.org/wp-content/uploads/2013/05/vol126_cohen.pdf
[1] https://scholarship.law.gwu.edu/cgi/viewcontent.cgi?article=2074&context=faculty_publications
[1] https://indiankanoon.org/doc/845196/
[1] https://indiankanoon.org/doc/501107/
[1] https://indiankanoon.org/doc/31276692/
[1] https://indiankanoon.org/doc/845196/
[1] https://www.meity.gov.in/static/uploads/2025/11/53450e6e5dc0bfa85ebd78686cadad39.pdf
[1] https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf
(This article has been written by Tanmaya Nirmal, TAU, National e-Governance Division. For any comments or feedback, please write to tanmaya.nirmal@digitalindia.gov.in and negdcb@digitalindia.gov.in)
