
This article is written by Pavni Dua of OP Jindal Global University, an Intern under Legal Vidhiya
ABSTRACT
This article examines the evolving legal tensions between data privacy and national security in the post-surveillance era, shaped significantly by mass digital surveillance practices revealed in the aftermath of the Snowden disclosures. Through a comparative and doctrinal analysis of international, European Union, and Indian legal frameworks, the paper explores how courts and legislatures have attempted to reconcile state security imperatives with the protection of fundamental privacy rights. Focusing on key developments such as the GDPR, the K.S. Puttaswamy judgment, and India’s Digital Personal Data Protection Act, 2023, the article highlights persistent accountability gaps and structural weaknesses that enable expansive surveillance. It argues that while privacy has achieved constitutional and human rights recognition, its effective enforcement remains constrained by disproportionate security practices and excessive executive discretion.
KEYWORDS
Data Privacy, National Security, Mass Surveillance, Post-Surveillance Era, Right to Privacy, Necessity and Proportionality, Digital Personal Data Protection Act, 2023 State Surveillance and Accountability
INTRODUCTION
The exponential growth of digital technologies has transformed data into one of the most powerful instruments of governance in the modern state. In the post-surveillance era—defined by the global impact of the Edward Snowden revelations—legal systems across the world have been forced to confront an increasingly fraught tension between data privacy and national security. While governments justify expansive surveillance measures as essential tools for preventing terrorism and safeguarding public order, such practices often operate in direct conflict with constitutional guarantees of privacy, dignity, and individual autonomy. This conflict is no longer theoretical; it is embedded in legislative frameworks, judicial decisions, and everyday technological infrastructures that enable the collection, storage, and analysis of personal data on an unprecedented scale. By examining international developments alongside the European Union’s robust rights-based framework and India’s evolving constitutional and statutory responses, this article seeks to critically assess whether contemporary legal regimes genuinely balance security imperatives with privacy protection, or whether they instead normalise a surveillance paradigm that erodes fundamental rights under the guise of necessity.
Michel Foucault posited the importance of knowledge and its role as a tool in power dynamics, a perspective that aligns closely with the current use of data. Data privacy is nothing but a poorly constructed illusion in the 21st century. Our data is being distributed, often without explicit consent, to third-party users, governments, and corporations. However, it is almost expected of corporations to compromise public interests in order to gain profits; governments, on the other hand, are run by elected officials supposedly working for the best interests of their citizens. What data is deemed necessary to collect and what constitutes a breach of privacy is a question that governments and courts have often tried to answer, seeking the perfect balance between them, while safeguarding national security is the goal that should ideally be strived for. However, that is often not the case.
TECHNOLOGY AND SURVEILLANCE
Governments often argue for the importance of surveillance to prevent terrorist attacks and maintain national security, a prime example of such was the NSA’s response to the Edward Snowden revelations in 2013. The first Snowden document to be published by the Guardian was a secret court order showing that the NSA was collecting the telephone records of millions of US customers of Verizon, one of America’s largest telecoms providers. To this, Senator
Dianne Feinstein, the chair of the Senate intelligence committee, responded, “The call-records program is not surveillance. It does not collect the content of any communication, nor do the records include names or locations. The NSA only collects the type of information found on a telephone bill: phone numbers of calls placed and received, the time of the calls and duration.” However, this was largely contested by privacy activists who claimed that the collection of this data violated legal boundaries and included personal information. It was claimed by the NSA that such surveillance was being conducted to prevent another catastrophe like the 9/11 attacks; however, it was never actually made clear how the collection of this data actually correlates to such prevention.
THE CRISIS
The current legal crisis is inseparable from the technological shift that made mass digital surveillance feasible. The core technical innovation was the capacity for bulk metadata collection, the systematic collection of communication data (who called whom, when, for how long, from where) on a massive scale, rather than interception of content. Intelligence agencies around the world led the argument that the collection of such data is necessary for intercepting terrorist activities, yet courts and privacy advocates countered that metadata is deeply revealing of personal life and constitutes a substantive infringement on privacy rights. The NSA’s PRISM programme, which tapped into the user data of Apple, Google, Facebook, etc., revealed the extent to which surveillance can take place in the modern world. It also exposed shortcomings in the FISA Amendment Act in December 2022 about the scale of surveillance the law enabled, and shortcomings in the safeguards it introduced.
The revelations catalyzed immediate political reaction, triggering judicial and legislative scrutiny across the European Union, which views data privacy as a fundamental human right. The European Union adopts a particularly robust approach, elevating data protection to a standalone right in Article 8 of the Charter of Fundamental Rights of the European Union (CFR). This right is distinct from the general right to privacy (CFR, Article 7) and mandates strict purpose limitation and data minimization. Regulations like the General Data Protection Regulation (GDPR), which establishes strong rights for individuals over their personal data, such as access, rectification, and erasure, also strengthen data privacy concerns. Newer laws, such as the AI Act and Data Act, further build on this framework to address artificial intelligence and data from connected devices.
Privacy is generally understood as essential to human dignity and the exercise of free thought, expression, and association. If the state can monitor a citizen’s communications, the chilling effect undermines democratic participation and dissent. National security is recognised as a legitimate and essential sovereign function of the state. It is considered an overriding public interest that can justify the limitation of fundamental rights. Mechanisms and principles have been derived to help us understand the perfect equilibrium between privacy and national security. The “Necessity” Test states that any limitation on fundamental rights must be justified by being strictly necessary and proportionate to the legitimate security objective pursued. This judicial test requires that the surveillance measure chosen must be the least intrusive means available to achieve the security goal. However, this is contradicted by agencies collecting metadata in bulk, which is often deemed to be more than necessary. The NSA, in the case of the Snowden revelations, claimed that to find the needle in the haystack, they needed access to the whole haystack. This violates the core principle of the necessity test as well as a myriad of privacy laws.
INDIAN CONTEXT
When we consider the Indian context, it also consists of its fair share of controversies and leaks. One of the most infamous being the Aadhar Data Breach, where 1.1 billion Indians had their personal data leaked. In 2018, private details like names, bank info, and biometric data of millions of Indians became accessible via WhatsApp sellers and unprotected systems of entities like Indane (LPG), stemming from access given to former ministry employees and unsecured APIs, raising serious concerns about the security of India’s massive digital identity database managed by the UIDAI. While in this case, the leak was committed by third-party agents aiming to benefit from selling information, it reveals a deep gap on the part of the UIDAI, over a systemic failure of access security and oversight. There are often questions raised even on the existence of Aadhar cards, which demand from all citizens not only their basic information, such as names and addresses, but also have begun to record biometric data, which has vast potential for misuse in case of any sort of abuse or breach.
Indian courts have, ever since the K.S Puttaswamy judgement, have had a largely expansive view of Indian citizens’ right to privacy. The case established the Right to Privacy as a fundamental right under India’s Constitution, stemming mainly from Article 21 (Right to Life & Personal Liberty). A nine-judge Supreme Court bench unanimously held that privacy protects individual dignity, autonomy, and personal choices, covering intimate aspects like family, marriage, and sexual orientation, but noted it’s not absolute and can be restricted by laws meeting strict necessity, proportionality, and legitimate state purpose tests. The court deemed privacy an intrinsic part of fundamental rights, drawing from Articles 14 (Equality), 15 (Non-Discrimination), 19 (Freedoms), and primarily Article 21 (Life & Liberty). The case in fact, originated from concerns and challenges to India’s biometric Aadhar ID System regarding the protection of data and government surveillance.
An essential part of the Puttaswamy judgment was laid down in the form of a legal principle safeguarding citizen data. The “right to be forgotten” principle allows individuals to request the removal of their personal information from search results under specific circumstances. This principle originated in the European Union with the EU’s General Data Protection Regulation (GDPR) and key court cases like the Google Spain case establishing its foundation, but was applied to the Indian subcontinent during the course of the Puttaswamy judgment. The court noted that individuals should have control over their digital information and not be perpetually defined by their digital past. This principle has been strengthened by subsequent decisions of the high courts in India. The Delhi High Court has recognised the right to be forgotten as an inherent part of the right to privacy. It has also extended the right to individuals in criminal cases, such as in a case where a person was acquitted and sought to have search results about the case removed. The Kerala High Court has stated that the right cannot override principles of open justice and public interest.
THE DPDP ACT
The most recent legislation in India on data privacy is the Digital Personal Data Protection Act, 2023, meant to create a framework for protecting digital personal data, balancing privacy rights with lawful processing by establishing rules for collecting, using, and storing data, giving individuals rights (consent, access, correction), and imposing obligations and hefty penalties on Data Fiduciaries (companies) for non-compliance. The Act was passed in August 2023, with key provisions and the DPDP Rules, 2025 (issued in late 2024/2025) bringing it into force in phases, with full obligations expected by mid-2027. However, the act has raised several concerns, broadly related to government surveillance and excessive power. The government’s broad powers to exempt itself, demand information from companies, and retain data for an unlimited period can result in mass surveillance. In addition, it is noted that the act does not apply to publicly shared data, which means that if you post something on social media through a public account, companies are legally allowed to process and use that data for training their AI or whatever purpose they decide.
Another concern is related to the government’s unchecked power to block access to websites or content on advice from the Data Protection Board in case of repeated offenses by the entity or in the “interests of the general public” This broad phrasing goes beyond the already controversial powers of the government to block content under section 69A of the Information Technology Act of 2000. Additionally, the powers of a Data Protection Board to advice on blocking “content” is problematic given that the Board is entrusted with issues related to data protection and “content” is a broader ambit than other regulations such as the IT Act already deal with. The language of the act gives a lot of discretion to the government bodies, leaving wide scope for the exercise of delegated legislation, which leaves room for the formation of rules beyond the discussed parliamentary provisions in the act. The DPDP Act also amends the RTI Act of 2005 to state that the government is not obliged to disclose information that relates to personal information. Earlier, this could be overridden in case of a larger public interest. By making this amendment, the Bill weakens the RTI Act, as the government has one more broad ground to deny information requested. “A new era of corruption will be introduced as personal data like assets and liabilities, education qualifications of corrupt officials, won’t be sought under the RTI Act,” MP Adhir Chowdhury pointed out in the parliament. Concerns were also raised regarding the validity of the consent obtained from users when it leaves out key pieces of information. There was also the issue of the Data Protection Board members being appointed by the central government, which essentially could result in abuse of power, as the board could end up being a “puppet” of the central government.
More recently, the government had to roll back its mandate of pre-installation of the Sanchar Sathi app in smartphones because of data privacy concerns. The Sanchar Saathi app, an initiative of the Department of Telecommunications, was designed to assist Indian mobile users in tracking and blocking lost smartphones, as well as in preventing identity theft and fraud etc. On 28 November 2025, a government order gave major smartphone companies 90 days to ensure that this app is pre-installed on all new devices intended for sale in India, with a provision that users cannot disable it. This move was widely criticised, as concerns were raised regarding surveillance and data collection. According to cybersecurity group TraceX Labs, the mandatory Sanchar Saathi application functions as a “spyware-like system” due to its forced installation, non-removable design, and broad device permissions. The government, in response, revoked the order stating that, “Given Sanchar Saathi’s increasing acceptance, the Government has decided not to make the pre- installation mandatory for mobile manufacturers.” However, allegations of spying and misuse of data remained rampant surrounding the app’s discussion.
CONCLUSION
In a world of constant surveillance and monitoring, privacy is truly a hoax; all of us must remain vigilant to ensure some semblance of privacy in our lives. In furtherance of that, I would like to reiterate the importance of data in today’s landscape. Data is a form of currency, and is used by governments, agencies and corporations in a manner that often compromises citizen interests. The controversies demonstrate a critical gap between India’s constitutional commitment to privacy and its statutory and institutional capacity to implement it. Future solutions require coordinated legislative, judicial, and technological action centered on closing this accountability deficit. The balance between data privacy and national security in the post-surveillance era is the defining legal challenge of the 21st century. India’s legal journey, anchored by the constitutional recognition of privacy in the Puttaswamy judgment, provides a powerful case study in the struggle to translate high constitutional ideals into effective statutory governance. The most pressing need for us today is the comprehensive revision of colonial-era surveillance laws to explicitly incorporate the Puttaswamy standard of necessity and proportionality. Only through a series of key structural and legislative reforms can India and the global community establish a stable, rights-respecting digital environment that sustains both security and individual liberty.
REFERENCES
- Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, No. 18, Acts of Parliament, 2016 (India).
- Charter of Fundamental Rights of the European Union arts. 7–8, 2012 O.J. (C 326) 391, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:12012P/TXT.
- Digital Personal Data Protection Act, 2023, No. 22, Acts of Parliament, 2023 (India), https://www.meity.gov.in/data-protection-framework.
- Dianne Feinstein, The NSA Call-Records Program Is Constitutional, USA Today (Oct. 20, 2013),
https://www.usatoday.com/story/opinion/2013/10/20/nsa-call-records-program-sen-dianne-feinstein-editorials-debates/3112715/. - European Convention on Human Rights art. 8, Nov. 4, 1950, 213 U.N.T.S. 221, https://www.echr.coe.int/documents/convention_eng.pdf.
- Foreign Intelligence Surveillance Act Amendments Act of 2008, Pub. L. No. 110-261, 122 Stat. 2436 (codified as amended at 50 U.S.C. §§ 1881a–1881g), https://www.congress.gov/110/plaws/publ261/PLAW-110publ261.pdf.
- Foucault, Michel, Discipline and Punish: The Birth of the Prison (Alan Sheridan trans., Vintage Books 1977).
- General Data Protection Regulation, Regulation (EU) 2016/679 of the European Parliament and of the Council, 2016 O.J. (L 119) 1,
https://eur-lex.europa.eu/eli/reg/2016/679/oj. - Glenn Greenwald, NSA Collecting Phone Records of Millions of Verizon Customers Daily, The Guardian (June 5, 2013),
https://www.theguardian.com/world/2013/jun/06/nsa-phone-records-verizon-court-order. - Google Spain SL v. Agencia Española de Protección de Datos, Case C-131/12, ECLI:EU:C:2014:317 (Ct. Just. Eur. Union 2014),
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62012CJ0131. - Information Technology Act, 2000, No. 21, Acts of Parliament, 2000 (India), https://www.indiacode.nic.in/handle/123456789/1999.
- K.S. Puttaswamy v. Union of India, (2017) 10 S.C.C. 1 (India),
https://indiankanoon.org/doc/127517806/. - PRISM Surveillance Program, Nat’l Sec. Agency (U.S.) (revealed 2013),
https://www.nsa.gov/news-features/declassified-documents/. - Right to Information Act, 2005, No. 22, Acts of Parliament, 2005 (India), https://www.indiacode.nic.in/handle/123456789/2065.
- Sanchar Saathi Initiative, Ministry of Communications, Gov’t of India,
https://sancharsaathi.gov.in. - TraceX Labs, Technical Assessment of the Sanchar Saathi Application (2025), https://tracextech.com.
- Unique Identification Authority of India, Aadhaar Data Security Framework, https://uidai.gov.in.
- U.S. Const. art. II, § 2, cl. 1.
Disclaimer: The materials provided herein are intended solely for informational purposes. Accessing or using the site or materials does not establish an attorney-client relationship. The information presented on this site is not to be construed as legal or professional advice, and it should not be relied upon for such purposes or used as a substitute for advice from a licensed attorney in your state. Additionally, the viewpoint presented by the author is personal.