K.S. Puttaswamy v Union of India (2017): How Nine Judges Made Privacy a Fundamental Right
On 24 August 2017 a nine-judge Supreme Court bench unanimously held privacy a fundamental right under Article 21 in K.S. Puttaswamy v Union of India, (2017) 10 SCC 1.
The Statutory Question
On 24 August 2017, a nine-judge bench of the Supreme Court of India handed down Justice K.S. Puttaswamy (Retd) and Another v Union of India, reported at (2017) 10 SCC 1, and settled a question that had unsettled Indian constitutional law for more than six decades: does the Constitution of India protect a fundamental right to privacy? The unanimous answer was yes. Privacy, the Court held, is intrinsic to the right to life and personal liberty guaranteed by Article 21, and it runs through the freedoms protected by Part III of the Constitution.
The difficulty was textual. The word "privacy" appears nowhere in the Constitution that came into force on 26 January 1950. Article 21 says only that "no person shall be deprived of his life or personal liberty except according to procedure established by law." For an unnamed right to be declared fundamental, the Court first had to confront two of its own far older decisions that had pointed the other way.
The first was M.P. Sharma v Satish Chandra (1954), decided by eight judges, which in a search-and-seizure dispute observed that the framers had not imported into India a privacy guarantee comparable to the United States Fourth Amendment. The second was Kharak Singh v State of Uttar Pradesh (1962), decided by six judges, where the majority struck down nocturnal domiciliary visits but declined to recognise a general right to privacy. Because these two benches were larger than the two and three-judge benches that had later upheld privacy through the 1970s and 1990s, a smaller bench could not simply prefer the newer view. The contradiction had to be resolved by a bench of nine.
The reference itself grew out of the Aadhaar litigation. When compulsory biometric enrolment was challenged, the Union argued that since M.P. Sharma (1954) and Kharak Singh (1962) held the field, no privacy right could be invoked at all. A three-judge bench referred the threshold question upward in 2015, and the matter was eventually placed before nine judges to decide a single issue: whether privacy is a fundamental right under the Constitution. The full text of the judgement is available on Indian Kanoon.
What the Court Held
The bench delivered its verdict through six separate but fully concurring opinions, with the plurality authored by Justice D.Y. Chandrachud for himself, the Chief Justice and two other judges. There was no dissent. The holding can be reduced to four propositions.
First, the right to privacy is a fundamental right, protected as an intrinsic part of the right to life and personal liberty under Article 21 and as part of the freedoms guaranteed by Part III. Second, M.P. Sharma (1954) and Kharak Singh (1962), to the extent that they held there is no fundamental right to privacy, stood overruled. Third, the right is not absolute: like every Article 21 right it can be restricted, but only through a fair, just and reasonable procedure. Fourth, any restriction must clear a three-fold test of legality, legitimate state aim and proportionality.
The Court also reached back to one of the darkest decisions in its own history. The plurality expressly held that the majority view in ADM Jabalpur v Shivkant Shukla (1976) — the Emergency-era habeas corpus case that had suggested the right to life itself could be suspended — was seriously flawed and stood overruled. Read alongside Maneka Gandhi v Union of India (1978), which had already demanded that any procedure under Article 21 be fair and reasonable, Puttaswamy completed the rehabilitation of personal liberty in Indian law.
| Decision | Year | Bench | What it said on privacy |
|---|---|---|---|
| M.P. Sharma v Satish Chandra | 1954 | 8 judges | No Fourth Amendment-style privacy guarantee read in |
| Kharak Singh v State of UP | 1962 | 6 judges | Struck down night visits; declined a general privacy right |
| Gobind v State of MP | 1975 | 3 judges | Recognised a qualified privacy right under Article 21 |
| R. Rajagopal v State of TN | 1994 | 2 judges | Privacy as a "right to be let alone" |
| PUCL v Union of India | 1997 | 2 judges | Telephone tapping engages privacy |
| K.S. Puttaswamy v Union of India | 2017 | 9 judges | Privacy is a fundamental right; earlier contrary views overruled |
Importantly, the nine judges did not decide whether Aadhaar itself was constitutional. That question returned to a five-judge bench, which ruled separately in September 2018. The 2017 judgement decided only the foundational point: privacy exists as a fundamental right, and every law and scheme that touches it must answer to that standard.
Reasoning
Privacy is intrinsic, not granted
The Court's central move was to treat privacy not as a free-standing right the Constitution forgot to write down, but as a value already embedded in the rights it did write. Human dignity, the bench reasoned, is the foundation of Part III, and privacy is what makes dignity, autonomy and liberty meaningful. A guarantee of life under Article 21 that ignored the inner sphere of the individual would, on this logic, be hollow.
The plurality identified at least three overlapping zones the right protects: bodily or physical privacy, informational privacy over personal data, and decisional privacy over intimate choices. Because privacy was found to flow from Articles 14, 19 and 21 read together, the Court held that a measure invading it must satisfy the standards of each — it cannot be arbitrary under Article 14, must respect the reasonable-restriction limits of Article 19, and must meet the fair-procedure requirement of Article 21 laid down in Maneka Gandhi (1978).
The three-fold proportionality test
Having recognised the right, the bench was careful to say in the same breath that it is not absolute. No fundamental right in Part III is. The plurality set out a structured standard the State must meet before it may lawfully intrude on privacy.
| Limb | Requirement | Plain-language meaning |
|---|---|---|
| Legality | There must exist a law | Executive action alone will not do; a valid statute is needed |
| Legitimate aim | The law must pursue a proper goal | National security, prevention of crime, welfare delivery and the like |
| Proportionality | Means must be rationally connected and least restrictive | The intrusion must be necessary and balanced against the objective |
This proportionality framework is the most consequential part of the judgement for day-to-day governance. After 24 August 2017, it is not enough for the State to assert a good intention; it must show that the law restricting privacy is precise, that its aim is legitimate, and that the method chosen is the least intrusive one capable of achieving that aim. The same test now shadows every data-collection mandate, surveillance power and disclosure requirement on the statute book.
Informational privacy and the call for a data protection law
The bench was acutely conscious that privacy in 2017 is largely informational. It noted that the State, banks, insurers and technology platforms now hold vast quantities of personal data, and that the dangers to the individual come as much from private aggregators as from the State. The plurality therefore urged the Union to put in place a carefully structured data protection regime that balances individual interests with legitimate state concerns.
That call did not stay on paper. It led to the Justice B.N. Srikrishna Committee, and ultimately to the Digital Personal Data Protection Act, 2023, India's first comprehensive data protection statute. The Reserve Bank of India's own Know Your Customer framework, which obliges every regulated lender to collect and store customer identity data, now operates within the constitutional boundary that Puttaswamy drew. The constitutional text of Article 21 is set out on India Code.
Practical Takeaways
Puttaswamy is not an abstract civil-liberties ruling; it reaches directly into how your financial data is collected, stored and shared. The judgement of 24 August 2017 gives individuals a constitutional anchor whenever the State or a regulated entity demands personal information.
For depositors and borrowers
- Every bank operates a Know Your Customer process mandated by the Reserve Bank of India; after Puttaswamy, the data collected must be confined to a legitimate aim and cannot be shared beyond what the law permits.
- In debt recovery, a lender enforcing security under the SARFAESI regime, or pursuing a borrower before a Debts Recovery Tribunal, handles sensitive financial and identity data; the proportionality standard limits how widely that information may be published or circulated.
- Credit information held by bureaus is personal data; the legitimate-aim and proportionality limbs constrain how long it is retained and to whom it is disclosed.
For investors
- Disclosures demanded by market regulators must rest on a valid law, not mere convenience, to survive the legality limb of the three-fold test.
- KYC duplication across brokers, depositories and funds is precisely the kind of over-collection the proportionality limb was designed to discourage.
For NRIs
- Non-residents who file Indian returns generate detailed financial records; before estimating your liability with the NRI tax calculator, remember that the data you disclose is protected by the same Article 21 standard.
- Moving funds abroad creates a paper trail across multiple intermediaries; plan transfers with the repatriation calculator, and know that informational privacy travels with that data under the 2017 judgement.
The common thread is leverage. Before Puttaswamy, an individual objecting to a data demand had little constitutional footing. After (2017) 10 SCC 1, the burden shifts: the entity demanding the data must justify it against legality, legitimate aim and proportionality.
| Who holds your data | Typical trigger | Constitutional check after 2017 |
|---|---|---|
| Banks and NBFCs | RBI-mandated KYC | Confined to legitimate aim; proportionate retention |
| Credit bureaus | Loan applications | Limited disclosure; bounded retention |
| Market intermediaries | Trading and demat accounts | Legality of every disclosure mandate |
| Tax authorities | Return filing, including NRIs | Fair procedure under Article 21 |
FAQ
Did Puttaswamy make Aadhaar unconstitutional?
No. The nine-judge bench on 24 August 2017 decided only one question — whether privacy is a fundamental right — and answered yes. It did not rule on Aadhaar's validity. That challenge went to a separate five-judge bench, which delivered its verdict in September 2018, upholding the Aadhaar Act in part while reading down some provisions. Puttaswamy supplied the constitutional yardstick; the Aadhaar judgement applied it.
Which earlier judgements did Puttaswamy overrule?
The Court overruled M.P. Sharma v Satish Chandra (1954), an eight-judge decision, and Kharak Singh v State of Uttar Pradesh (1962), a six-judge decision, but only to the extent that they had held there is no fundamental right to privacy. The plurality also held that the majority view in ADM Jabalpur v Shivkant Shukla (1976), the Emergency habeas corpus case, was seriously flawed and stood overruled.
Is the right to privacy absolute?
No. The bench was explicit that privacy, like every right in Part III, can be restricted. A restriction is valid only if it clears the three-fold test laid down in (2017) 10 SCC 1: there must be a law (legality), the law must pursue a legitimate state aim, and the means must be proportionate to that aim. An executive order without statutory backing, or a sweeping measure where a narrower one would do, fails this test.
Does Puttaswamy protect my financial data?
Yes, through the concept of informational privacy. The 2017 judgement expressly recognised that personal data held by banks, insurers, bureaus and platforms falls within the privacy guarantee under Article 21. Any law or practice that collects, stores or shares your financial information must satisfy legality, legitimate aim and proportionality. This is the constitutional foundation on which the Digital Personal Data Protection Act, 2023 was later built.
How does this judgement affect everyday banking?
Reserve Bank of India KYC norms still require lenders to verify your identity, but after 24 August 2017 the data they gather must be tied to a legitimate aim and handled proportionately. You gain a constitutional basis to question over-collection, indefinite retention or unauthorised sharing of your information, whether by a bank, an NBFC or a credit bureau acting under the recovery and lending framework.
What is the three-fold proportionality test in simple terms?
It is the checklist the State must satisfy before invading privacy. One, legality: a valid law must authorise the action. Two, legitimate aim: that law must serve a proper public purpose such as security or welfare. Three, proportionality: the intrusion must be rationally connected to the aim and no wider than necessary. If any limb fails, the measure is unconstitutional under the standard set in (2017) 10 SCC 1.
Why did it take nine judges to decide this?
Because two large earlier benches stood in the way. M.P. Sharma (1954) was decided by eight judges and Kharak Singh (1962) by six. Under the doctrine of precedent, a smaller bench cannot overrule a larger one, and later privacy-friendly rulings had come from two and three-judge benches. To authoritatively resolve the conflict, the matter had to go before a bench of nine, the largest convened for a constitutional question in many years.
Sources & Citations
- Justice K.S. Puttaswamy (Retd) v Union of India, (2017) 10 SCC 1 — Indian Kanoon
- The Constitution of India, Article 21 — Government of India
- Reserve Bank of India - Know Your Customer framework — Reserve Bank of India