Introduction

In 2017, Justice K.S. Puttaswamy, a 91-year-old retired judge, won the case that declared privacy a fundamental right under Article 21 of the Constitution. The trigger was Aadhaar, India's biometric identity system, which had collected the fingerprints and iris scans of over a billion citizens. The judgment came seventy years after Independence, precisely because information technology had, for the first time, made the question urgent: a government and corporations could now hold, link, and analyse more information about a citizen's life than that citizen themselves could recall. The technology that promised efficient governance simultaneously created the infrastructure for unprecedented intrusion.

---

ADDITIONAL INFORMATION — ALTERNATIVE OPENINGS

Alternative Opening — Quote-Based Edward Snowden wrote in Permanent Record (2019) that privacy is an absolute prerequisite for the flourishing of any meaningful relationship between an individual and a state. This essay examines how information technology in India has tested that prerequisite, through Aadhaar, surveillance, and data breaches.

---

Thesis Statement

Information technology has not created the desire to know about others, an ancient human and state impulse. It has removed every practical barrier that once limited that impulse: cost, scale, and detection. This essay examines privacy violation through IT across four dimensions: state surveillance, biometric and identity databases, corporate data breaches, and law enforcement technology, each connected by a single thread: the same infrastructure built for legitimate purposes—governance, identity, convenience, and safety—becomes, without safeguards, the infrastructure of intrusion. It closes with what India's legal framework still requires.

We begin with the state, whose surveillance powers IT has expanded most dramatically.

---

DIMENSION I: STATE SURVEILLANCE — WHEN SECURITY BECOMES INTRUSION

Section 69 of the IT Act, 2000, permits government interception of communications for national security. In 2021, the Pegasus Project revealed that spyware capable of accessing a phone's messages, camera, and microphone had been used against Indian journalists, opposition politicians, and Supreme Court staff connected to a sexual harassment case. The Supreme Court, in October 2021, formed a technical committee, observing that the state cannot get a "free pass" merely by citing national security.

Internet shutdowns are surveillance's blunter counterpart. Access Now's #KeepItOn coalition recorded India leading the world in internet shutdowns for the sixth consecutive year in 2023, concentrated in Jammu and Kashmir and Manipur. The Anuradha Bhasin v. Union of India (2020) judgment, arising from the prolonged Kashmir shutdown, held that indefinite restrictions were disproportionate and that orders must be published and periodically reviewed.

State surveillance operates on communications. The next dimension concerns something more permanent: the biometric and identity data that, once collected, cannot be changed if compromised.

DIMENSION II: AADHAAR AND BIOMETRIC DATABASES — THE PERMANENT IDENTIFIER

Aadhaar, the world's largest biometric database, links over 1.3 billion fingerprints and iris scans to a single number used for subsidies, banking, and SIM cards. The Puttaswamy judgment (2017) upheld Aadhaar's core but struck down its mandatory linkage to bank accounts and mobile numbers, applying the proportionality test: any privacy infringement must be backed by law, serve a legitimate aim, and use the least intrusive means.

The risk is permanence. A password can be changed after a breach. A fingerprint cannot. In 2018, the French security researcher known as "Elliot Alderson" demonstrated that Aadhaar data was accessible through an unsecured government utility's API, an incident the UIDAI disputed but which led to tightened access controls. In Rajasthan, the Bhamashah Yojana, the state's pioneering family identity database launched in 2008 and later integrated with Aadhaar, became a template later adopted nationally for DBT delivery, demonstrating both the developmental promise and the consolidation risk of linking welfare delivery to a single biometric identity.

Government databases concentrate risk in one place. Corporate platforms, holding data on hundreds of millions of Indians for commercial reasons, present a parallel and equally documented risk.

DIMENSION III: CORPORATE DATA BREACHES — WHEN CONVENIENCE BECOMES EXPOSURE

In 2021, Air India disclosed a breach affecting 4.5 million passengers, exposing passport and credit card details collected by its data processor, SITA, in a global aviation industry attack. In 2023, reports citing a dark web listing alleged that data linked to the Indian Council of Medical Research's COVID-19 testing records, potentially including Aadhaar and passport numbers of a very large number of citizens, had been exposed; the CERT-In confirmed investigating the incident, illustrating how data collected for public health purposes during the pandemic became a long-term liability.

Within Rajasthan, the Rajasthan Police Cyber Crime Cell, established under the state's cybercrime coordination framework, has handled a rising volume of complaints linked to financial fraud through compromised personal data, including cases where leaked KYC details from telecom and banking databases were used for SIM-swap fraud targeting residents of Jaipur and Jodhpur. The Rajasthan SOG (Special Operations Group) has periodically busted fake call centre operations in Jaipur and Bharatpur running international tech-support scams using illegally obtained personal data of foreign nationals, a reminder that data privacy violations are not only inbound threats to Indians but also outbound harms enabled from Indian soil.

Breaches expose data already collected. Law enforcement technology raises a different concern: data actively gathered about citizens in public spaces, often without their knowledge.

DIMENSION IV: FACIAL RECOGNITION AND PUBLIC SURVEILLANCE — THE WATCHED CITY

Facial Recognition Technology (FRT), deployed by several state police forces, operates in India largely without dedicated legislation. Delhi Police's use of FRT during investigations into the 2020 riots and at protest sites was criticised by the Internet Freedom Foundation for lacking a published legal basis or accuracy audit.

Comparitech's 2021 global surveillance index found Indian cities, including Hyderabad, Chennai, and Delhi, among the most camera-dense in the world. Rajasthan's Safe City projects, funded under the Nirbhaya Fund in Jaipur and Jodhpur, expanded CCTV networks significantly for women's safety, a legitimate and welcomed goal, but one for which clear public rules on footage access, retention periods, and audit remain limited at the municipal level, the same governance gap that runs through every dimension examined so far.

Across surveillance, biometric databases, corporate breaches, and public cameras, the pattern is identical: legitimate purpose, expanding infrastructure, and a persistent gap in the rules governing access. The way forward must close that gap.

---

WAY FORWARD

The Digital Personal Data Protection Act, 2023, India's first comprehensive data law, establishes consent requirements, a Data Protection Board, and penalties up to Rs 250 crore. But its Section 17(2)(a) exemption for government processing in the interest of state security, without judicial oversight or sunset clauses, leaves the central tension Puttaswamy identified largely unresolved. India needs judicial pre-authorisation for surveillance and FRT, dedicated facial recognition legislation, mandatory breach disclosure timelines, and state-level digital literacy campaigns, the kind Rajasthan's Digital Seva Yojana could extend to teach the 1.35 crore women it has equipped with smartphones not just how to use technology, but how to protect themselves within it.

---

Conclusion

From Justice Puttaswamy's challenge to Aadhaar, to the Pegasus revelations, to breaches affecting millions of Indian passengers and patients, to the cameras now watching Jaipur's streets, information technology in India has consistently delivered its promised benefits—identity, convenience, safety—alongside an unintended cost: the erosion of the private sphere the Constitution promises to protect.

Ambedkar insisted that liberty, equality, and fraternity form an inseparable trinity. A citizen who does not know whether their data, their face, or their communications are being watched cannot exercise liberty freely, cannot trust that the state treats all citizens equally in its surveillance, and cannot build the fraternity that requires confidence in shared rules. The technology that connects India to the world must not become the technology that exposes every Indian within it.

"Privacy is the constitutional core of human dignity." — Justice K.S. Puttaswamy v. Union of India (2017)

---

Practice makes perfect! This model answer was structurally evaluated and crafted using NibandhAI. Practice writing your own essays, get instant AI-evaluated feedback, and master the art of UPSC Mains Answer Writing with Drona Studio. Start drafting your essay now.

---

This essay addresses the RPSC Mains Essay Paper (GS Paper — Essay), Year 2024. Relevant to: UPSC, RPSC, UPPSC, UKPSC, and all State Services Essay Papers. Dimensions covered: Right to Privacy, Puttaswamy Judgment, Aadhaar, Data Protection Act 2023, Pegasus, IT Act Section 69, Data Breach, Facial Recognition, Cyber Crime, Digital Rajasthan. Estimated length: 10 to 11 pages.