Data Colonialism or Digital Welfare? Re-imagining State–Platform–Citizen Power under India’s DPDP Act, 2023 and DPDP Rules, 2025


Author: Rishika Choudhary, Indore Institute of Law


To the Point


India’s Digital Personal Data Protection Act, 2023 (DPDP Act) and the Draft Digital Personal Data Protection Rules, 2025 (DPDP Rules) promise a cleaner, more accountable way to handle our personal data in a world where governments and tech giants collect it by the truckload. But here’s the rub: while they give citizens some real tools, like demanding data deletion or fixing errors, they also hand the state massive exemptions for “security” reasons and let Big Tech off with mostly self-policing. It’s a framework caught between building a welfare state that uses data to deliver subsidies efficiently and risking a setup where the government and platforms treat our info like a colonial resource to exploit. The real question? Does this law empower everyday people, or does it just formalize who holds the power in our digital lives?
Think about it practically. You’re applying for a government scheme via an app, and suddenly your data flows to multiple agencies for “verification.” Great for getting your benefits faster, but what if that same system flags you for surveillance without a real check? Or when Facebook (Meta) or Google uses your browsing history to push political ads, do the new rules actually rein them in, or just add more paperwork? This tension isn’t abstract; it’s playing out now as India races to digitize everything from welfare to elections.


Use of Legal Jargon


Under the DPDP Act, individuals become data principals, the owners of their personal data (anything that identifies you digitally, like your phone number or location). Data fiduciaries (companies, apps, or even government departments), who decide how and why to process that data, owe duties of fair and transparent processing, purpose limitation, data minimisation, accuracy, storage limitation, security safeguards, and deletion/erasure.

“Significant data fiduciaries” (think Google, Amazon) face extra burdens: mandatory Data Protection Impact Assessments (DPIAs), appointing an India-based Data Protection Officer (DPO), and independent audits.


The regime introduces consent managers (neutral intermediaries to help principals track and withdraw consents) and a Data Protection Board of India (DPBI) for inquiries, penalties (up to ₹250 crore), and appeals. But here’s the jargon-heavy catch:


Section 17(2)(a) exemptions let the Central Government bypass almost everything for “sovereignty and integrity of India, security of the State, friendly relations with foreign States, public order, or preventing incitement to any cognizable offence.” The DPDP Rules flesh this out with “legitimate uses” for welfare delivery (no consent needed for subsidies) and verified digital notices, but the Board’s members are appointed by a government-dominated Search-cum-Selection Committee, raising institutional independence red flags under Article 14’s arbitrariness doctrine.
Cross-border transfers get a green light if the destination ensures “adequacy” or via contracts, but there are no outright bans, unlike GDPR’s stricter tiers. And children’s data? Parental consent is mandatory, with a carve-out for “educational institutions.” This lingo masks a core shift: from privacy as an absolute right (per Puttaswamy) to a qualified one, balanced against state welfare and economic goals.


The Proof


Let’s break down the evidence without the fluff.
First, the wins. The DPDP Act nails down rights we’ve begged for: right to access (see your data), correction (fix mistakes), erasure (delete it), grievance redressal (complain to the fiduciary first, then DPBI), and even nomination for posthumous data handling. Processing must be via free, specific, informed, unconditional, unambiguous consent (no more vague “I agree” pop-ups) or “legitimate uses” like employment or emergencies. Breaches? Notify the DPBI and affected principals within 72 hours. Penalties bite hard, enforced by a lean, digital-first Board.
But flip to the shadows. State exemptions under Section 17 are a blank cheque: no notice, no consent, no accuracy duties if it’s for national security. Critics like the Internet Freedom Foundation call this “legalised mass surveillance,” especially post-Pegasus, where phone-tapping bypassed courts. The Rules amplify this by allowing “voluntary” data sharing for welfare, like Aadhaar-linked DBT, but without caps on retention or secondary use.


On Big Tech: Sure, “significant fiduciaries” must do DPIAs and appoint DPOs, but enforcement? The DPBI’s budget, staffing, and appeals process are all executive-controlled. No class actions, no judicial oversight pre-penalty. Compare to EU’s GDPR: independent Data Protection Authorities, fines up to 4% of global turnover, and citizen lawsuits. India’s model feels like trusting the fox to guard the henhouse: the government notifies platforms of “unlawful content” under IT Rules anyway, now with data powers layered on.


Data backs the colonialism angle. India’s digital public infrastructure (Aadhaar, UPI, DigiLocker) processes billions of data points yearly, ostensibly for welfare (₹34 lakh crore DBT saved, per govt). But leaks like the 2023 Astro registry breach exposing 800 million are routine, with no real deterrence. Platforms? Meta alone faces 20+ Indian lawsuits yearly for data misuse, yet compliance is performative. The Rules’ “consent managers” sound good, but they’re private entities regulated by… the government. Power asymmetry persists: citizens click “accept,” states and corps harvest endlessly.


Welfare proof? DPDP explicitly carves out “provision of subsidies, benefits, or services” from consent needs: progressive for inclusion (rural poor get schemes faster). But without proportionality guardrails, it risks mission creep: today’s subsidy data becomes tomorrow’s voter profile.


Abstract


India’s DPDP Act, 2023 and Rules, 2025 mark a pivotal shift from data free-for-alls to structured governance, embedding informational self-determination amid booming digital welfare (Aadhaar, CoWIN) and platform dominance. Yet, expansive state exemptions, executive capture of the DPBI, and welfare-linked processing invite data colonialism, where citizens’ data fuels state/corporate ends with scant reciprocity. Applying Puttaswamy’s legality-legitimate aim-proportionality triad and Article 14 scrutiny, this piece dissects power reconfigurations across state surveillance, platform fiduciary duties, and principal empowerment. Findings: Formal rights advance, but structural biases (ungoverned exemptions, weak enforcement) tilt towards centralised control, demanding reforms like independent Board selection, narrowed exemptions, and judicial previews to actualise digital welfare over dystopian extraction.


Case Laws


Justice K.S. Puttaswamy (Retd.) v. Union of India (2017) 10 SCC 1 – The Privacy Magna Carta
This nine-judge bench overruled earlier precedents, declaring privacy intrinsic to Article 21’s life and liberty, with informational privacy as its core. Justice Chandrachud’s lead opinion laid the proportionality doctrine:
legality (lawful basis)
legitimate aim
rational nexus
least intrusive measure
proportionality stricto sensu (benefits outweigh harms)
procedural safeguards.
Applied to Aadhaar-like systems, it demanded data protection laws with narrow security exceptions, directly pressuring DPDP’s Section 17. Dissenting voices (Chelameswar J) warned against state overreach, echoing today’s exemption critiques.


Justice K.S. Puttaswamy v. Union of India (Aadhaar Case, 2018) 10 SCC 512
Upholding Aadhaar’s core for subsidy targeting (legitimate aim, minimal intrusion), the Court struck private use (Mandate 2(b)), data-sharing mandates (Mandate 7), and 18-year retrospective permanence. Sikri J stressed “possibility of surveillance” voids measures; Bhushan J flagged profiling risks. DPDP inherits this: welfare processing okays Aadhaar 2.0, but exemptions mirror struck provisions, demanding Puttaswamy-compliant narrowing (e.g., time-bound, judicially reviewed security uses).


Kaushal Kishor v. State of UP (2023) – Free Speech + Privacy Interface
Tangentially, this expanded Article 19(2) restrictions but reaffirmed privacy’s role in curbing state/platform harms. Relevant for DPDP’s speech-data nexus: political microtargeting via personal data implicates both rights.


Recent Echoes: Media NL v. Union (2024) on IT Rules
Challenged government takedowns; SC stressed intermediary independence. Parallels DPDP’s fiduciary-platform duties: courts may soon test if data rules enable indirect censorship.
These cases form the doctrinal spine: DPDP must pass Puttaswamy’s muster or face invalidation.


Conclusion


DPDP and Rules are a half-step forward. They codify Puttaswamy’s vision into statute (consent, erasure, accountability), fuelling digital welfare that could lift millions (think seamless UPI-DBT). Platforms face new scrutiny, nudging fairer data markets.
Yet, the colonialism creeps in via design flaws. Blanket exemptions invite abuse (recall 2021 Pegasus denials turned admissions). DPBI’s executive leash undermines enforcement: why trust a government-appointed body to fine its own for data overreach? Welfare processing, sans strict firewalls, risks “function creep” from rations to repression.
Fixes aren’t rocket science: Amend for CEC-like Board independence (Article 324 analogy), mandate judicial warrants for exemptions, cap welfare data retention at 3 years, enable class actions. Globally, Brazil’s LGPD or EU’s EDPB offer blueprints: hybrid regulators with teeth.
Ultimately, this law reflects India’s tightrope: Harness data for development without birthing a surveillance state. Citizens must litigate, platforms self-regulate better, and Parliament iterate. Otherwise, “digital welfare” becomes a polite term for data serfdom. Get involved: demand DPIA disclosures, test erasure rights. Your data, your power, or so the Act claims.


Deep Dive: State Exemptions in Practice
Section 17 isn’t just legalese; it’s operational. Post-2023, agencies like CBI or IB can process data sans notice for “public order.” Rules add “voluntary undertakings” for welfare—noble, but Aadhaar exclusions hit 10% beneficiaries. Puttaswamy (Aadhaar) read down similar breadth; expect PILs arguing DPDP fails “narrow tailoring.”


Big Tech’s Leash—or Illusion?
Meta’s 2024 India revenue: ₹50,000 crore, mostly ads fuelled by data. DPDP tags them “significant,” mandating audits. But Rules delay full compliance to 2026, and appeals stay in executive courts. GDPR fined Meta €1.2bn for transfers; India’s max? Toothless without global enforcement.


Citizen Empowerment: Real or Paper?
Surveys (Mozilla 2024) show 70% Indians never read privacy policies. Consent managers help, but dark patterns persist. Erasure rights shine (test via NPCI apps), but without free legal aid, they’re elite tools.


Comparative Lens
GDPR: Citizen-first, strict transfers. China’s PIPL: State-first, localisation. DPDP splits the difference, leaning statist: it fits “data sovereignty” rhetoric but risks isolation.


Policy Roadmap
Legislate: Narrow exemptions to court-approved cases.
Regulate: Bifurcate DPBI into executive (rules) + judicial (adjudication) wings.
Empower: Fund digital literacy, class actions.
Tech: Blockchain consents for verifiability.
India’s at an inflection. Choose welfare over colonialism—before data defines us.


FAQs


Q1: Can the government access my data without telling me under DPDP?
Yes, for sovereignty/security/public order via exemptions, but it must still secure data—no free pass on breaches. Courts may demand proportionality post-Puttaswamy.


Q2: How do DPDP Rules make welfare schemes better?
No consent needed for subsidies/services; faster DBT, fewer leaks via verified digital KYC. But retention limits are missing.


Q3: Will Big Tech like Google change much?
DPIAs, DPOs, audits—yes, but enforcement lags. Fines hurt, but appeals favour them.


Q4: What’s the biggest flaw?
DPBI independence—government picks, funds, directs it. Fix via statutory overhaul.


Q5: Is DPDP constitutional?
Likely yes on rights, shaky on exemptions. PIL inevitable.
