From Puttaswamy to ABDM: A Constitutional Analysis of Informational Privacy in India’s Digital Health Ecosystem

---

Table of Contents

1. Introduction
2. Informational Privacy under Puttaswamy
3. The Legal Framework of ABDM
4. Consent and Patient Autonomy in ABDM
5. Privacy Risks in the Digital Health Ecosystem
6. The Constitutional Validity of ABDM
7. Reforming India’s Digital Health Privacy Framework
8. Footnotes

---

1. Introduction

Healthcare in India is undergoing a major digital transformation. With the introduction of the Ayushman Bharat Digital Mission (ABDM), health records, prescriptions, and medical histories can now be stored and shared digitally to improve access to healthcare services.^[1] While this promises greater efficiency and convenience, it also raises important questions about the privacy and security of sensitive personal health information. The landmark decision in Justice K. S. Puttaswamy (Retd.) v. Union of India^[2] recognised privacy as a fundamental right and emphasised the need to protect individuals from excessive intrusion into their personal lives. As India moves towards a digitally connected health ecosystem, it becomes essential to examine whether initiatives such as ABDM strike the right balance between technological innovation and the constitutional guarantee of informational privacy. This paper explores that question through the lens of the principles established in the landmark judgement.

---

2. Informational Privacy under Puttaswamy

The right to privacy was declared as a fundamental right by a bench of all five judges in Justice K. S. Puttaswamy v. Union of India (2017).^[3] The Supreme Court stated that privacy is an inherent aspect of human dignity, autonomy and personal liberty. Informational privacy was one of the many dimensions the Court recognised, and it became an important part of the privacy landscape in the digital world. Informational privacy is the right to control who collects, uses, holds and reveals personal information. The Court noted that rapid technological developments allow State and private actors to gather a lot of personal data on an individual, and therefore there is a need to ensure adequate protection against the misuse of that data.

The Court also set out that all measures affecting privacy had to meet the constitutional criteria of legality, legitimate state interest, necessity and proportionality. This has emerged as a constitutional standard to adjudicate data-governance frameworks in India. In light of India’s ambitious digital health initiative, the Ayushman Bharat Digital Mission (ABDM), it becomes relevant to Puttaswamy. ABDM’s objective is to build a unified digital health system by collecting and sharing sensitive health data. The mission directly involves issues of informational privacy because of how medical information has the potential of becoming one of the most personal types of data. The constitutional principles set out in Puttaswamy therefore inform how digital health innovation can be evaluated to ensure that its consent mechanisms, data sharing processes and privacy protections meet the expectations of given rights.^[4]

---

3. The Legal Framework of ABDM

Ayushman Bharat Digital Mission (ABDM) is India’s flagship initiative to establish a digital health landscape. It was launched by the Government of India to enable the digital storage and sharing of health records, making healthcare services more accessible and efficient. With ABDM, a patient gets a unique Health ID that provides healthcare providers access to the patient’s medical records, upon consent. ABDM’s legal principles are grounded in the constitution, government policies, and data protection laws.

Health data is very sensitive and the mission is based on consent — that is, patients must consent before their health data can be accessed or shared. This is in tune with the Supreme Court’s recognition of the right to privacy in Justice K. S. Puttaswamy (Retd.) v. Union of India.^[5] ABDM is also supported by the provisions of the Digital Personal Data Protection Act, 2023, which regulates the collection, processing, and storage of personal data.^[6] The Act aims to ensure that organisations processing health information keep it secure from misuse, unauthorised access and data breaches. The legal structure of ABDM thus seeks to balance technological advancement in the healthcare sector with constitutional rights that guarantee people control over their personal health data, dignity and privacy.

---

4. Consent and Patient Autonomy in ABDM

One key aspect of the ABDM framework is the use of patient consent for health data collection, storage, and sharing. The mission is based on the principle that people should be in control of who accesses their health information and why. This is in keeping with the Supreme Court’s understanding of privacy in Justice K. S. Puttaswamy (Retd.) v. Union of India,^[7] where privacy was understood not just as preventing information from leaving a person’s sphere, but as the ability to make meaningful choices regarding one’s information. Regrettably, the effectiveness of consent within the context of ABDM remains uncertain. For most patients, the technical aspects of consent might not be fully understood — particularly in rural and technologically under-resourced populations. Consent given online may be legally binding but not actually informed.

Additionally, the urgency of medical situations and the unequal negotiating power between a patient and a healthcare provider can make refusal difficult in practice. This raises a constitutional concern. Puttaswamy requires that consent be grounded in authentic freedom, not illusory freedom.^[8] Thus, the validity of ABDM should not be judged simply on the existence of consent mechanisms, but on whether patients exercise meaningful and informed control over their health data. The gap between formal consent and actual autonomy remains one of the least examined aspects of digital health governance in India.

---

5. Privacy Risks in the Digital Health Ecosystem

Health information is considered to be one of the most personal and sensitive types of data a person can share; it contains intimate details about an individual’s physical and mental health, lifestyle and medical history. Digitising this kind of data through ABDM increases efficiency but also multiplies privacy risks. A central concern is the risk of data leakage and illegal access. A centralised digital health ecosystem creates vast repositories of valuable personal data, which may be targeted by cyberattacks.^[9]

Despite generally sound security protocols, no digital system can be guaranteed immune to misuse or failure. A further underappreciated risk is “function creep” — the progressive use of medical information for non-medical purposes by governments or commercial actors. Insurers, employers, pharmaceutical corporations, or state entities may seek to access health information, potentially resulting in discrimination and surveillance.^[10] These risks are especially pronounced when health data is correlated with other digital identity systems that are susceptible to misuse.

---

6. The Constitutional Validity of ABDM

The constitutionality of ABDM must be assessed in the light of Puttaswamy. The Supreme Court established that limitations on the right to privacy must satisfy a four-part test: legality, legitimate state aim, necessity and proportionality. ABDM appears to satisfy the “legitimate state aim” criterion — improving healthcare delivery, enabling portability of medical records and expanding access to healthcare are important public interests. Governmental policy and statutory data protection measures further support the mission.

The harder question concerns proportionality. Although ABDM’s mission is legitimate, it must be ensured that the data collected and shared is minimally necessary for stated purposes. The constitutional concern arises in situations where data-sharing is extensive, or where inadequate data protection measures create risks of invasive data use. Accountability presents another difficulty. Puttaswamy^[11] stressed safeguards against arbitrary state action; however, ABDM’s governance structure is not yet supported by a comprehensive, health sector-specific privacy law. As a result, individuals currently lack clear redress mechanisms in the event of privacy interference. The constitutionality of ABDM, therefore, cannot be presumed solely on account of its consent and security features — it must continually satisfy the proportionality and accountability tests established by the right to privacy.

---

7. Reforming India’s Digital Health Privacy Framework

Current discussions on digital health governance in India largely focus on legal compliance and data security. While those concerns are valid, a truly constitutional approach requires a broader engagement with questions of power, accountability and individual autonomy. India urgently requires a specialised framework for the protection of health data. Medical information is uniquely sensitive and capable of revealing the most intimate details of a person’s life; it warrants protection beyond that afforded to general personal data. The absence of a dedicated legal regime for health-related information remains a significant weakness in the current system.

Second, the concept of consent within ABDM requires rethinking. Meaningful consent cannot be reduced to signing digital notices or clicking through a standardised list of consent forms. The system should incorporate language-friendly interfaces, granular and customisable disclosures, and re-consenting options to ensure that individuals genuinely understand and retain control over how their information is used.

Third, independent oversight mechanisms should be established to supervise data-sharing processes, investigate privacy violations and provide accessible remedies to affected persons. Constitutional protections are effective only when the institutions charged with enforcing them are adequately resourced and developed.

Furthermore, future expansions of ABDM should be preceded by mandatory privacy impact assessments. Before introducing new technologies or entering into new data-sharing arrangements, authorities should assess and publicly disclose the likely privacy impacts. The tendency to equate privacy with mere regulatory compliance represents a critical gap in the existing literature. This article argues instead that privacy must be understood as a constitutional value — intimately connected to dignity, autonomy and personal freedom — within the ABDM. Future reforms should aim not merely at technical data protection, but at preserving the constitutional relationship between citizens and the digital state.

---

Footnotes

1. National Health Authority, Ayushman Bharat Digital Mission: Health Data Management Policy (Government of India 2021).
2. Justice K. S. Puttaswamy (Retd.) v. Union of India (2017) 10 SCC 1.
3. Ibid.
4. Puttaswamy (n 2).
5. Ibid.
6. Digital Personal Data Protection Act 2023 (Act 22 of 2023).
7. Puttaswamy (n 2).
8. Puttaswamy (n 2).
9. National Health Authority, Ayushman Bharat Digital Mission: Health Data Management Policy (Government of India 2021).
10. Ibid.
11. Puttaswamy (n 2).

---

References

Cases

Justice K. S. Puttaswamy (Retd.) v. Union of India (2017) 10 SCC 1.

Legislation

Digital Personal Data Protection Act 2023 (Act 22 of 2023).

Official Publications

National Health Authority, Ayushman Bharat Digital Mission: Health Data Management Policy (Government of India 2021).