Does Privacy Protect Secrecy or Control?
Introduction
Let’s say it upfront. Privacy today is about control, not secrecy, but this has not always been the case. For a long time, privacy was treated as something you lost the moment information was shared, often defended through the familiar “nothing to hide” argument. If you were not concealing anything, there was supposedly no privacy left to protect.
Courts, however, have moved away from this idea. They have recognised that the real harm does not lie only in disclosure, but in the loss of control over how personal information is collected, used, and repurposed. This shift marks a deeper change in how privacy is understood in the digital age. To see why secrecy fails and control survives, it is necessary to examine both approaches and the reasoning behind the law’s preference for one over the other.
Privacy as Secrecy
To understand this, we can take the help of a prominent event: the 9/11 terror attacks. After the incident, the Bush administration sanctioned the NSA to conduct wide-scale surveillance without warrants. The government relied on the familiar “nothing to hide” argument, which essentially goes like this: if you have nothing to hide, you don’t need to worry, because a small sacrifice of privacy is worth national security. This argument, however, has major flaws, which courts later relied upon to move away from a secrecy-based understanding of privacy.
Flaws of the “Nothing to Hide” Argument
First, this approach affects freedom of expression. People behave differently when they know they are being watched. They do not feel free to be themselves and instead maintain a more formal and cautious behaviour. This effectively harms freedom of speech, especially in situations where individuals want to be vulnerable, informal, or expressive without fear of observation.
Second, it raises concerns related to the principle of natural justice. Data collected may appear harmless when viewed individually, but it forms meaningful patterns when combined. Authorities rely on these patterns to carry out profiling by assessing habits, beliefs, and relationships. Since citizens are not informed about what data is being collected or how it is being used, they are nevertheless being judged. This undermines the principle of audi alteram partem, which requires that both sides be heard. Here, individuals are not even aware that such a “judgement” is taking place, let alone being given an opportunity to participate in it.
Finally, this approach fails to fulfil one of the basic aims of the justice system: providing an opportunity to correct oneself. Data once collected does not simply disappear. It is stored and can later be combined with other data points to form patterns that suggest wrongdoing. The problem is not just that citizens are being judged, but that they are being judged without even knowing when or what they are being judged for. When individuals are unaware of the alleged “wrong”, there is no meaningful opportunity to explain, clarify, or correct it. A system that reaches conclusions in this manner moves away from fairness and towards silent assessment.
Privacy as Control
The idea of privacy as control did not emerge in a vacuum. It can be traced back to the German Census Case, often referred to as the Great Census decision. The case arose out of concerns surrounding large-scale data collection by the State and the growing discomfort with how personal information was being systematically gathered and stored. At its core, the case forced the court to confront a simple question: can individuals truly be said to enjoy privacy if their personal data is constantly collected, even when nothing is actively concealed?
Relying on the German Constitution, the Constitutional Court rejected the narrow view that privacy exists only to protect secrecy. Instead, it introduced the concept of the right to informational self-determination, often understood as part of the broader right of personality. This marked a clear shift in thinking. Under this approach, privacy does not vanish the moment information is disclosed. Disclosure does not signal the end of privacy; rather, it changes the nature of the protection that privacy requires.
The focus, therefore, shifts from whether information is hidden to whether individuals retain control over their personal data. What matters is who decides how data is collected, how long it is stored, for what purpose it is used, and with whom it is shared. Even when information is visible or voluntarily provided, privacy continues to exist as long as individuals have meaningful influence over these decisions. The concern is no longer secrecy alone, but the ability to exercise agency over personal information.
This understanding reflects how data functions in the modern world. Information rarely remains confined to its original context. Data shared for one purpose can be stored, combined with other datasets, and reused in ways that were never anticipated at the time of disclosure. The real harm arises not because information was once shared, but because individuals lose control over how that information moves, changes, and is interpreted over time. By framing privacy as control, the law recognises that the central threat lies in the unchecked use and repurposing of personal data, not merely in its exposure.
Enactments
This shift from secrecy to control is not limited to theory. It is reflected clearly in modern legal frameworks. Instruments like the GDPR, India’s Digital Personal Data Protection Act, and even constitutional privacy jurisprudence after Puttaswamy (2017) all move in the same direction.
The GDPR does not treat privacy as a right that disappears once information is shared. Instead, it is built around ideas such as consent, purpose limitation, data minimisation, and the right to object. These concepts only make sense if privacy is understood as control over personal data, not mere secrecy. Even when data is disclosed, individuals retain a say in how it is used and reused.
A similar approach is visible in India’s DPDP Act. The law focuses less on whether data is secret and more on how data fiduciaries collect, process, store, and retain personal data. Obligations are placed on those handling data precisely because disclosure alone is not considered the end of privacy.
This understanding also finds strong support in Justice K.S. Puttaswamy v. Union of India (2017). The Supreme Court rejected the idea that privacy survives only in secrecy and instead recognised privacy as a matter of autonomy, dignity, and informational control. The judgment makes it clear that the Constitution protects an individual’s ability to decide how personal information is used, even in a connected and data-driven world.
Together, these developments ground the control-based approach firmly in law. They show that privacy today is not about hiding information, but about retaining authority over it.
Conclusion
The debate between secrecy and control ultimately reflects a shift in how privacy is understood. Treating privacy as secrecy assumes that protection ends once information is disclosed, an approach that struggles to survive in a world built on constant data sharing and surveillance. As seen through judicial reasoning and modern data protection frameworks, this view no longer captures the real source of harm.
Privacy today is better understood as control. It protects an individual’s ability to decide how personal information is collected, used, stored, and repurposed over time. In doing so, the law recognises that the true threat lies not in exposure alone, but in the loss of agency that follows when data moves beyond an individual’s influence. This shift from secrecy to control marks a more realistic and durable foundation for privacy in the digital age.
