The Paradox of Privacy: State Exemptions Under India’s Digital Personal Data Protection Act

Author: Prachi Talekar, K.G. Shah Law School, SNDT University

LinkedIn Profile: https://www.linkedin.com/in/prachi-talekar-b97941240?utm_source=share_via&utm_content=profile&utm_medium=member_ios

To the Point

The main problem with India’s Digital Personal Data Protection Act, 2023 (DPDPA) is that it is not applied equally. The DPDPA is very tough on companies that do not handle data correctly.

However, the DPDPA has some sections, like Section 12 and Section 17, that allow the government to process data without being checked.

This is not fair. It threatens the basic right to privacy that the Indian Constitution gives to people under Article 21.

The DPDPA creates a system where private companies are watched closely but the government is not.

Use of Legal Jargon

A Data Fiduciary is the person who decides how and why personal data is used. They figure out the purpose and means of processing data.

The Data Principal is the individual whom the personal data is about. This person is the owner of the digital footprint in question.

The Proportionality Test is a standard that says that if the state is going to interfere with someone’s rights, it has to have a reason for doing so. The state also has to make sure that its actions are actually going to achieve that goal, and it has to do this in the least intrusive way possible.

Informational Privacy means that an individual has the right to control what happens to their information. They get to decide who can share it, store it, and use it.

Ex Post Facto Validation is when a law or regulation is applied after something has already happened. It is like getting approval for something after it has already been done.

Sovereign Immunity is the idea that the state cannot be sued without its own permission. The state and its parts cannot be taken to court unless the state says it is okay.

A Chilling Effect is when people are afraid to do something because they might get in trouble. This happens when the threat of trouble or state surveillance stops people from doing things that they are actually allowed to do.

The Data Principal and Data Fiduciary have to deal with these kinds of issues when it comes to data.

The Proof

Private companies have to pay a lot of money, up to ₹250 crore, if they do not follow the rules and there is a data breach. The Central Government, however, can say that some government agencies do not have to follow the main rules of the Act. It can do this if it thinks it is necessary for the country’s sovereignty, integrity or public order.

If we look closely at the law, we can see that it does not say that the government needs a warrant from a judge to intercept data. It also does not say that someone outside the government has to check the privacy of government databases from time to time. Because of this, big government projects like facial recognition systems and biometric tracking systems can work without getting permission from people. This is different from the rules for private companies, which must obtain permission that people can also take back. When it comes to data breaches, government agencies like these are not following the rules that private companies have to follow.

Abstract

This article checks whether state exemptions in India’s data protection law are allowed by the Constitution. The law helps people who own their data by giving them rights against companies that might use their data unfairly. But it has big problems with how the state can watch people and collect their data.

The article looks at these exceptions to see if they follow what courts have already decided. It finds that the current law does not pass the test that has been used to protect people’s privacy for a time.

The article says that by keeping government agencies from being checked by the rules that apply to companies, the law makes these agencies less accountable. It also makes it less clear who has power in a country. This could turn a law meant to protect data into a tool for the state to watch its citizens.

Case Laws

1. Justice K.S. Puttaswamy v. Union of India is an important case from 2017.

The Supreme Court, with all nine judges agreeing, held in Justice K.S. Puttaswamy v. Union of India that privacy is a big part of the right to life and personal liberty under Article 21.

The court said that if the state wants to look at people’s data, it has to meet three conditions:

* The law has to be clear and written down, which is called legality.
* The state has to have a reason for doing it, which is called necessity.
* The state has to make sure it is using the least intrusive method to achieve its goal, which is called proportionality.

Section 17 of the DPDPA does not follow the proportionality rule set by Justice K.S. Puttaswamy v. Union of India.

2. Shreya Singhal v. Union of India is another case, from 2015.

The highest court in the land struck down Section 66A of the Information Technology Act because it was too broad and vague.

Shreya Singhal v. Union of India established that laws that are too broad and do not have limits can stop people from expressing themselves freely online.

The DPDPA has some exemptions that are worded in a way that is similar to the problems found in Shreya Singhal v. Union of India, especially the part about “public order”.

3. Anuradha Bhasin v. Union of India is a case from 2020.

In Anuradha Bhasin v. Union of India, the Supreme Court said that any order to stop internet services or limit people’s freedoms has to be made public and can be reviewed by a court.

The court emphasized that the state cannot just restrict people’s freedoms without a reason, which goes against the exemptions in the DPDPA that are not reviewable.

4. Vrijesh Kumar v. State of Uttar Pradesh is a case from 2024.

Vrijesh Kumar v. State of Uttar Pradesh says that laws cannot create different rules for different people, where some people are not responsible for their actions but others are punished for the same thing, which is against Article 14, the Right to Equality.

This ruling is important because Vrijesh Kumar v. State of Uttar Pradesh shows that the DPDPA is not following this principle.

Conclusion

The DPDP Act is a step towards keeping India’s digital ecosystem safe. But the law will not really work if the government does not have to follow the same rules it makes for everyone else. This is a problem because it means the government is not accountable for what it does.

To really protect the freedom of people in India, the DPDP Act needs to be changed. The changes should include making sure that judges can check what the government is doing, having groups to make decisions about data protection, and having rules that say the government cannot exempt itself from the law forever. The DPDP Act should be a protection for people’s rights, not just a way to control businesses. The DPDP Act needs to change so it can really protect the rights of people in India.

FAQ

Q1: Can the government process my data without consent under the DPDP Act?

Yes. Under specific clauses categorized as “legitimate uses,” such as national security, preventing public disorder, or the direct fulfillment of state subsidies and welfare benefits, the government is granted broad allowances that completely bypass the requirement for explicit consent.

Q2: What recourse does a citizen have if a government agency leaks their data?

While individuals can technically file complaints with the Data Protection Board of India (DPBI), the broad immunity shields granted to state actors under Section 17 make seeking civil damages or enforcing punitive fines against public agencies exceptionally difficult. The state effectively enjoys systemic protection that private enterprises do not.

Q3: How does India’s state exemption model compare internationally to the GDPR?

Unlike the European Union’s General Data Protection Regulation (GDPR), which subjects public bodies to uniform data protection principles, penalizes government infractions, and requires clear judicial warrants for security exceptions, India’s framework leans heavily toward executive self-regulation and sweeping sovereign exemptions.

Q4: Can the Data Protection Board of India (DPBI) independently investigate a government department?

The DPBI’s independence is constrained by the fact that its members are appointed entirely by the Central Government. Because the executive controls the composition of the board, its practical ability to impartially investigate and penalize high-level state surveillance or institutional data leaks is highly limited.