Skip to content

Consent and the Aadhaar Judgments: Puttaswamy and After

The Indian constitutional frame that shapes biometric-consent law globally: Justice K.S. Puttaswamy (Retd) v Union of India 2017 (the nine-judge bench Supreme Court ruling that privacy is a fundamental right under Article 21, the implications for state biometric collection), the 2018 Aadhaar judgment (the five-judge bench ruling that upheld Aadhaar for welfare delivery but struck down s.57 mandatory private-sector use), the subsequent narrowings + clarifications + the Digital Personal Data Protection Act 2023 alignment, and the comparative jurisprudence from EU + US + UK courts on consent + lawful basis for biometric processing.

Last updated:

Share

The Indian Supreme Court's nine-judge bench in Justice K.S. Puttaswamy (Retd.) v. Union of India (2017) unanimously held that privacy is a fundamental right under Article 21 of the Constitution, overruling two earlier decisions that had denied it. This established a four-part proportionality test (legitimate aim, suitability, necessity, proportionate balance) as the constitutional standard for all state biometric collection. The five-judge bench in the 2018 Aadhaar judgment applied that test to uphold compulsory biometric enrolment for government welfare delivery while striking down Section 57, which had authorised mandatory private-sector Aadhaar authentication. Across India, the EU, and the UK, courts have converged on one principle: consent is not the operative basis for government biometric collection; proportionality and necessity are.

The Puttaswamy judgment (2017) established that privacy is a fundamental right under Article 21 of the Indian Constitution, setting a proportionality test for all state biometric collection. The 2018 Aadhaar ruling upheld welfare-delivery use while striking down mandatory private-sector authentication. Both decisions are compared here against parallel jurisprudence from the European Court of Human Rights (S and Marper v. UK) and US courts.

Key takeaways

  • In 2017, all nine judges in Justice K.S. Puttaswamy v. Union of India held that privacy is a fundamental right, overruling two earlier decisions that denied it.
  • The proportionality test from Puttaswamy (legitimate aim, suitability, necessity, proportionate balance) mirrors the ECHR Article 8 test applied in S and Marper v. UK (2008).
  • The 2018 Aadhaar bench (4:1) upheld the core biometric enrolment scheme for welfare delivery but struck down Section 57, which had allowed private companies to require Aadhaar authentication.
  • Consent is almost never a valid basis for government biometric collection; the operative standard across India, the EU, and the UK is necessity and proportionality.
  • India's DPDP Act 2023 aligns with the Puttaswamy framework but its broad Section 17 State exemptions create unresolved tension with the proportionality standard.

In August 2017, all nine sitting judges of a specially constituted bench of the Supreme Court of India held that privacy is a fundamental right guaranteed by Article 21 of the Constitution of India, which protects the right to life and personal liberty. The judgment in Justice K.S. Puttaswamy (Retd.) v. Union of India, running to more than 500 pages across six concurring opinions, is one of the most consequential constitutional pronouncements in Indian legal history. It overruled two earlier decisions of the Supreme Court (M.P. Sharma v. Satish Chandra, 1954, and Kharak Singh v. State of U.P., 1963) that had held, in different ways, that the Indian Constitution did not guarantee a fundamental right to privacy.

The immediate cause of the nine-judge reference was a challenge to the Aadhaar biometric identification system, whose technical architecture is covered in the iris recognition and Aadhaar deployment topic, which by 2017 had enrolled the fingerprints and iris scans of more than 1.1 billion Indian residents. The Government of India had argued, in proceedings before a smaller bench, that there was no fundamental right to privacy in the Constitution, which would have meant that the Aadhaar programme's compulsory biometric enrolment could not be challenged on privacy grounds. The nine-judge bench settled the constitutional question unanimously, but the larger question of whether Aadhaar itself was constitutional was remitted to a five-judge bench, which delivered its judgment in September 2018.

The Puttaswamy and Aadhaar judgments are best understood alongside the parallel jurisprudence of the European Court of Human Rights, the US Supreme Court, and UK courts, each of which has addressed when state collection and retention of biometric data crosses from a legitimate security measure into a violation of the right to private life. The frameworks these courts have developed provide a comparative baseline for the Indian Supreme Court's proportionality reasoning.

By the end of this topic you will be able to:

  • Explain the constitutional basis of the Puttaswamy 2017 ruling and the four-part proportionality test it established for state interference with privacy.
  • Distinguish what the 2018 Aadhaar judgment upheld from what it struck down, and identify the ratio decidendi of both the majority and Justice Chandrachud's dissent.
  • Apply the S and Marper v. UK (2008) framework to analyse retention schedules for biometric data of unconvicted individuals.
  • Identify why consent is structurally inadequate as a lawful basis for government biometric collection, and state the alternative standard used across Indian, EU, and UK law.
  • Translate the proportionality standard into concrete system-design requirements for retention schedules, access controls, and oversight mechanisms in forensic biometric databases.

The 2017 Puttaswamy Judgment: Privacy as a Fundamental Right

The nine-judge bench in Puttaswamy (2017) was convened specifically to resolve the conflict between the 1954 and 1963 decisions, which subsequent benches had declined to follow but had also never formally overruled. The bench was constituted under the presidency of then Chief Justice J.S. Khehar and included Justices J. Chelameswar, S.A. Bobde, R.K. Agrawal, R.F. Nariman, A.M. Sapre, D.Y. Chandrachud, S.K. Kaul, and S.A. Nazeer. All nine held that privacy is a fundamental right. They divided, however, on the jurisprudential basis and the precise contours of that right.

Justice D.Y. Chandrachud, writing for four judges, located privacy within the trilogy of Articles 14 (equality), 19 (freedom of speech, expression, movement, and association), and 21 (life and personal liberty). He argued that privacy is not a free-standing right but inheres in each of these guarantees and in the broader constitutional scheme. His opinion drew extensively on comparative jurisprudence from the United States (Griswold v. Connecticut, 1965; Roe v. Wade, 1973; Lawrence v. Texas, 2003) and from the European Court of Human Rights (S and Marper v. United Kingdom, 2008, a case directly concerning biometric data retention). Privacy, he held, encompasses the right to control one's personal information, to make autonomous decisions about one's own life, and to be free from State surveillance. The opinion explicitly addressed informational privacy, holding that individuals must have the ability to control information about themselves, which is the constitutional foundation for data-protection regulation.

Justice J. Chelameswar's concurring opinion emphasised the right to be let alone, drawing on Samuel Warren and Louis Brandeis's 1890 Harvard Law Review essay. Justice S.K. Kaul grounded privacy in personal liberty and individual dignity, stressing that the constitutional guarantee is not absolute and is subject to reasonable restrictions, but that any restriction must be lawful, necessary, and proportionate. The proportionality test articulated in Puttaswamy 2017 (legitimate state aim, suitability of means, necessity, and proportionate balancing) became the doctrinal framework applied in the 2018 Aadhaar judgment and has been applied consistently by the Supreme Court and High Courts in subsequent cases involving state surveillance, phone tapping, and data collection.

S and Marper v. UK: The ECHR Parallel

The European Court of Human Rights delivered its Grand Chamber judgment in S and Marper v. United Kingdom on 4 December 2008. The case concerned two applicants: S., a minor acquitted of attempted robbery, and Mr Marper, acquitted of harassment. Both had had their fingerprints, cellular samples, and DNA profiles taken on arrest. Under the Criminal Justice Act 2003, England and Wales retained biometric data indefinitely regardless of acquittal, and the police had declined to delete S. and Marper's records.

The Grand Chamber held, by 17 votes to zero, that the indefinite retention of fingerprints, cellular samples, and DNA profiles of unconvicted persons violated Article 8 ECHR (right to respect for private and family life). The court's reasoning proceeded in two stages:

  1. Retention of fingerprint and DNA data constituted an interference with the right to private life regardless of whether the data was actually used in any specific investigation, because the mere retention created a risk of misuse and affected the way individuals related to the State.
  2. The interference was not "necessary in a democratic society" because England and Wales's blanket retention policy (no distinction between suspects, unconvicted persons, and convicted offenders; no time limit; no deletion mechanism) went further than necessary to detect and prevent crime. The court contrasted England and Wales with Scotland, which deleted biometric records of unconvicted individuals within specified periods.

S and Marper led directly to the Protection of Freedoms Act 2012, which reformed England and Wales's retention regime to require deletion of DNA profiles and fingerprints of unconvicted adults within specified periods (with exceptions for serious offences) and created the National DNA Database Strategy Board to oversee retention decisions. It remains the leading ECHR authority on biometric data retention and has been cited by courts in Ireland, Germany, and India.

Outcome comparison: S and Marper v. UK (2008) and Puttaswamy v. UoI (2017) share a common proportionality structure despite a
Outcome comparison: S and Marper v. UK (2008) and Puttaswamy v. UoI (2017) share a common proportionality structure despite arising under different constitutional frameworks.

The 2018 Aadhaar Judgment: What Survived and What Did Not

The five-judge bench (Chief Justice Dipak Misra, Justices A.K. Sikri, A.M. Khanwilkar, D.Y. Chandrachud, and Ashok Bhushan) delivered its judgment in Justice K.S. Puttaswamy (Retd.) and Anr. v. Union of India and Ors. (the consolidated Aadhaar constitutionality case) on 26 September 2018. The majority (4:1, with Justice Chandrachud dissenting) upheld the Aadhaar Act 2016 as constitutional in its core application to government welfare delivery and taxation services. The majority also struck down Section 57 of the Aadhaar Act, which had permitted private companies and individuals to require Aadhaar authentication for their own purposes, as unconstitutional.

The majority's reasoning on upholding the core of Aadhaar rested on proportionality:

  • Legitimate aim: preventing leakage of welfare subsidies through fake beneficiary identity was accepted as sufficient.
  • Necessity: biometric authentication was suitable and necessary because paper-document-based verification had proven inadequate.
  • Proportionality: the privacy intrusion (collection and central storage of fingerprints and iris scans of approximately 1.2 billion people) was held proportionate to the benefit, given that the UIDAI architecture stores only the encrypted template and does not, the majority held, enable real-time tracking of individuals' movements or transactions.

Justice Chandrachud's dissent is intellectually significant and has been widely cited in subsequent litigation. He held that the Aadhaar Act was a Money Bill and had been passed improperly through the Lok Sabha without a vote of the Rajya Sabha, which he regarded as a fraud on the Constitution. He also held that the Aadhaar architecture enables the creation of a "panopticon state" through the metadata of authentication events. A determined government could use that metadata to reconstruct individuals' movements, associations, and behaviours over time, constituting a disproportionate privacy intrusion. His dissent anticipated, in 2018, the surveillance-concern arguments that have since been raised about Aadhaar in academic literature and before Parliamentary committees.

The most practically consequential holding was the striking down of Section 57. Before the judgment, several private entities including telecom operators and financial institutions were requiring Aadhaar authentication as a condition of service. The majority held that a private entity's interest in verifying customer identity does not meet the standard of public interest that can justify compulsory biometric authentication under Article 21's proportionality framework. The Aadhaar Act was subsequently amended in 2019 to permit a voluntary, offline Aadhaar-based e-KYC system for private entities, distinct from the mandatory authentication used for government services.

Subsequent Narrowings, Clarifications, and the DPDP Act's Alignment

The Puttaswamy/Aadhaar architecture has been applied and extended in several significant cases:

  • Shafin Jahan v. Asokan K.M. (2018): the Supreme Court affirmed the right to choose one's partner as falling within the privacy guarantee.
  • Navtej Singh Johar v. Union of India (2018): a five-judge bench struck down Section 377 of the Indian Penal Code insofar as it criminalised consensual adult same-sex conduct, explicitly grounding the decision in Puttaswamy.
  • Anuradha Bhasin v. Union of India (2020): the Supreme Court applied the proportionality test to the suspension of internet services in Jammu and Kashmir, requiring publication of suspension orders and a demonstration of necessity and proportionality for any extended shutdown.

For biometric privacy specifically, the High Courts of several states have applied the Puttaswamy proportionality standard to challenges involving police fingerprinting, face recognition at checkpoints, and CCTV surveillance. The Delhi High Court in 2019 dismissed a petition challenging Delhi Police's use of a face-recognition system at the Kumbh Mela on procedural grounds, without reaching the merits, leaving the constitutional question open. The Karnataka High Court in 2020 applied the Puttaswamy framework to a challenge involving biometric attendance monitoring of government employees, holding the scheme constitutional but requiring the government to demonstrate a genuine need for the biometric system rather than less intrusive alternatives.

The DPDP Act 2023 is formally aligned with the Puttaswamy framework. Its Statement of Objects and Reasons cites the fundamental right to privacy as the constitutional foundation for the statute, and its consent-first architecture reflects the Puttaswamy proportionality standard for state interference with private information. The Act's Section 17(2)(b) allows the Central Government to exempt State instrumentalities from the Act's provisions in the interests of sovereignty, security, and public order, which must, under Puttaswamy, be exercised proportionately and with procedural safeguards. Practitioners have noted that the breadth of the Section 17 exemptions could, if exercised expansively, render much of the Act's protection illusory for individuals dealing with government biometric systems, a tension that the Data Protection Board of India (once constituted) and courts will need to resolve.

CaseJurisdictionBiometric issueOutcome
S and Marper v. UK (2008)ECHR / UKIndefinite retention of fingerprints + DNA of unconvicted personsViolation of Art 8 ECHR; led to Protection of Freedoms Act 2012
Puttaswamy v. UoI (2017)India (9-judge SC bench)Whether privacy is a fundamental right (Aadhaar challenge trigger)Privacy is a fundamental right under Art 21; proportionality test established
UIDAI v. CBSE / Aadhaar case (2018)India (5-judge SC bench)Constitutionality of Aadhaar biometric enrolment + private-sector useCore scheme upheld; s.57 private-sector mandatory use struck down
In re Clearview AI, Inc. Consumer Privacy Litigation, No. 1:21-cv-00135 (N.D. Ill.)US (Federal District Court)BIPA claims against face-recognition data aggregatorSettlement approved March 2025: class members to receive a 23% equity stake in Clearview AI, valued at approximately $51.75 million
Carpenter v. United States (2018)US Supreme CourtWarrant requirement for cell-site location recordsWarrant required; Katz reasonable-expectation test extended to digital data
State biometric collectionproposedIs the service essential (welfare, policing,border control)?YesNoConsent structurallyinvalid: power imbalance, norealistic alternativeApply proportionality test (Puttaswamy, ECHRArt 8, BIPA necessity)Four-limb proportionality test (all must be satisfied)1. Legitimate aim:substantial publicinterest?2. Suitability: doesbiometric methodachieve the aim?3. Necessity: no lessintrusive alternativeavailable?4. Balance: privacy costproportionate to publicbenefit?Collection lawful: India Art 21, ECHRArt 8(2), GDPR Art 9(2)(g)Collection unlawful: failsconstitutional or ECHR proportionalityreviewDecision gateLawful outcomeUnlawful / consent failureStep
Consent fails the power-imbalance gate in all three jurisdictions: the operative lawful basis for state biometric collection is necessity plus proportionality, not consent.

Implications for Forensic Practice and System Design

The Puttaswamy and Aadhaar judgments, read alongside S and Marper and R (Bridges), have operational implications for forensic science laboratories, biometric system developers, and law-enforcement agencies designing or operating biometric databases. The proportionality standard must be translated into system architecture and operating procedure before collection begins, not retrofitted after deployment.

For retention schedules, the proportionality standard means that indefinite retention of biometric records of unconvicted individuals is constitutionally suspect under Puttaswamy (applying the Article 21 proportionality test) and violates Article 8 ECHR under S and Marper. In England and Wales, the Protection of Freedoms Act 2012 enacted a structured retention framework:

  • DNA profiles of unconvicted adults are generally deleted within three to five years (depending on the offence).
  • Fingerprints of unconvicted adults are deleted at the same time as DNA profiles.
  • Convicted individuals' records are retained for the duration of their sentence plus a rehabilitation period.

In India, there is no equivalent statutory framework for police fingerprint database retention. NCRB (National Crime Records Bureau) guidelines exist but are administrative, not statutory. Post-Puttaswamy, a retained fingerprint database with no deletion policy for records of acquitted individuals is constitutionally vulnerable to challenge.

For database access controls, the proportionality standard implies that access to biometric databases should be restricted to the purpose for which the data was collected. A fingerprint collected for immigration control cannot, under proportionality reasoning, be made available to a tax authority without fresh legal authority. This functional separation of databases is now explicitly required by the DPDP Act's purpose-limitation principle (Section 6(1)) and by GDPR Article 5(1)(b). The Aadhaar Act attempts this through the Section 29 prohibition on sharing identity information for non-Aadhaar purposes, and UIDAI's technical architecture isolates the biometric database from the authentication result (which confirms only "yes/no" without revealing the biometric template).

For oversight and audit, the Puttaswamy standard's procedural-safeguard component requires that biometric systems have independent oversight mechanisms that can detect and correct misuse. This translates to audit logging of all database queries (who queried, against which records, for what stated purpose), independent review of querying patterns to detect function creep, and accessible mechanisms for individuals to challenge incorrect records. The GDPR Article 15 right of access and the DPDP Act Section 11 right of access both give individuals a mechanism to discover what biometric data is held about them, which creates a practical audit trail beyond the official one.

  1. Establish a documented legal basis before collection
    Identify the specific statutory provision authorising biometric collection (for government: the enabling Act or constitutional provision; for private entities: the DPDP Act legitimate use or GDPR Art 9(2) exception). Document the necessity and proportionality analysis before any collection begins. For BIPA-covered activities, obtain written releases before the first scan.
  2. Define a retention schedule tied to the purpose
    Set a specific retention period in the system design, not in the SOP manual. Systems should auto-delete records when the purpose lapses (conviction expiry, case closure, employment termination). Retention periods should be publicly stated where required (GDPR Art 30, BIPA written policy).
  3. Implement purpose limitation at the system level
    Design database access controls so that queries from one functional area (e.g. criminal investigation) cannot access records collected for another purpose (e.g. immigration). Log all cross-purpose access attempts as exceptions for review.
  4. Conduct and publish a Data Protection Impact Assessment
    GDPR Art 35 requires a DPIA for high-risk biometric processing. The DPIA should cover data flows, identified risks, proportionality analysis, and safeguards. R (Bridges) found the absence of adequate demographic-bias assessment in the AFR DPIA to be a legal defect.
  5. Build an independent oversight mechanism
    Designate an oversight body with authority to audit queries, investigate complaints, and impose remediation. The UIDAI model (a statutory authority with its own grievance redress mechanism) is one approach. GDPR's Data Protection Officer requirement (Art 37-39) is another. The key criterion from Puttaswamy is independence from the operational authority.
Key terms
Puttaswamy 2017
Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1: nine-judge bench Supreme Court of India judgment holding that privacy is a fundamental right under Article 21 of the Constitution and establishing a four-part proportionality test for state interference with privacy.
Proportionality test (Puttaswamy)
The four-part standard from Puttaswamy 2017 for assessing the constitutionality of state interference with privacy: (1) legitimate state aim, (2) suitability of means, (3) necessity (no less intrusive alternative available), (4) proportionate balance between privacy cost and public benefit.
Section 57 (Aadhaar Act, struck down)
The provision of the Aadhaar Act 2016 that permitted private companies and individuals to require Aadhaar authentication for their own purposes, struck down by the Supreme Court in the 2018 Aadhaar judgment as disproportionate and lacking sufficient public-interest justification.
S and Marper v. UK (2008)
European Court of Human Rights Grand Chamber judgment holding that indefinite retention of fingerprints, cellular samples, and DNA profiles of unconvicted individuals in England and Wales violated Article 8 ECHR; the leading authority on biometric data retention and a frequently cited precedent in Indian courts.
R (Bridges) v. Chief Constable of South Wales Police (2020)
UK Court of Appeal decision holding that the deployment of automated facial recognition by South Wales Police lacked a sufficiently clear and precise legal framework under Article 8(2) ECHR, and that the data-protection impact assessment inadequately addressed algorithmic bias.
UIDAI (Unique Identification Authority of India)
The statutory authority established by the Aadhaar Act 2016 to operate the Aadhaar biometric identification system, oversee enrolment, and administer the authentication infrastructure. UIDAI is the data fiduciary for Aadhaar biometric templates.
Informational privacy
The dimension of the right to privacy, articulated in Justice Chandrachud's Puttaswamy 2017 opinion, that grants individuals the right to control information about themselves and to prevent the State from using collected data for purposes beyond the original collection rationale.
Protection of Freedoms Act 2012 (UK)
UK statute enacted in direct response to S and Marper v. UK, which reformed the retention framework for DNA profiles, fingerprints, and footwear impressions; requires deletion of records of unconvicted adults within specified periods and established the National DNA Database Strategy Board.
DPDP Act s.17(2) exemptions
Provisions of India's Digital Personal Data Protection Act 2023 allowing the Central Government to exempt State instrumentalities from the Act's requirements in the interests of sovereignty, security, or public order; the breadth of these exemptions has been identified as a potential source of conflict with the Puttaswamy proportionality standard.
Consent imbalance
The structural condition recognised by EU data-protection authorities and courts under which formal consent to biometric collection is not freely given because the data subject has no realistic alternative (e.g. government welfare, employment). The consequence is that consent cannot serve as the lawful basis for such collection, and a proportionality-based public-interest ground must be used instead.
Practice
Question 1 of 5· 0 answered

The 2017 Puttaswamy judgment overruled which two earlier Supreme Court of India decisions that had held privacy was not a fundamental right?

Does the Puttaswamy judgment apply to private companies collecting biometric data?
The fundamental rights guaranteed under Part III of the Indian Constitution, including Article 21, are traditionally enforceable only against the State and State instrumentalities, not directly against private parties. The 2018 Aadhaar judgment's striking down of s.57 addressed private-sector Aadhaar authentication, but primarily through statutory interpretation of the Aadhaar Act rather than direct horizontal application of Article 21. Private-sector biometric collection is now primarily governed by the DPDP Act 2023, which applies to private entities as data fiduciaries and draws its constitutional foundation from the Puttaswamy right to privacy, but through statutory rather than direct constitutional mechanism.
Does India have a statutory retention schedule for police fingerprint records like the UK's Protection of Freedoms Act 2012?
No. As of mid-2026, India does not have a statutory fingerprint or DNA retention schedule equivalent to the Protection of Freedoms Act 2012. The NCRB operates the National Automated Fingerprint Identification System (NAFIS) under administrative guidelines rather than a statutory framework. Post-Puttaswamy, indefinite retention of fingerprints of unconvicted or acquitted individuals is constitutionally suspect under the Article 21 proportionality standard, but no court has yet issued a definitive ruling requiring deletion of specific categories of records. The DPDP Act's storage-limitation principle (s.8(7)) applies to personal data including biometrics for private entities, but the s.17(2) State exemptions create uncertainty about its application to police databases.
If Puttaswamy requires consent for biometric collection, how did the 2018 Aadhaar judgment uphold compulsory enrolment under s.7?
The majority in the 2018 Aadhaar judgment applied Puttaswamy's proportionality standard, not the consent standard. It held that the collection of biometric data for Aadhaar welfare authentication did not require individual consent because it met the proportionality test: the aim of preventing subsidy fraud was legitimate, biometric authentication was necessary (alternatives had failed), and the privacy intrusion was proportionate given UIDAI's 'yes/no' authentication architecture. The judgment reflects the principle, confirmed in EU law and UK jurisprudence, that consent is not the only valid basis for biometric collection: necessity and proportionality in pursuit of a legitimate public interest is an independent, sufficient basis for state biometric programmes.

Test yourself on Fingerprint Sciences with free, timed mocks.

Practice Fingerprint Sciences questions

Found this useful? Pass it along.

Share

Spotted an error in this page? Report a correction or read our editorial standards.

Your journey to becoming a forensic professional starts here.

Practice with mock tests, learn from structured notes, and get your questions answered by a global forensic community, all in one place.