The Right to Privacy and The Digital Data Protection Act 2023

Author: Jatin Tiwari, Vivekananda Global University, Jaipur

Abstract

Constitutional Validity Challenge to Section 17, DPDP Act 2023: State Surveillance Exemptions 

I. Statutory Framework: What Section 17 Actually Does

The Digital Personal Data Protection Act, 2023 (DPDP Act) establishes a consent-based framework for processing personal data. Under Sections 4 and 7, personal data may be processed only on the basis of the Data Principal’s free, specific, informed, unconditional, and unambiguous consent, or for specified “legitimate uses.” The Data Fiduciary — any person, company, or government body determining the purpose and means of processing — bears the burden of proving valid consent was obtained and remains responsible for compliance, notice, purpose limitation, and security safeguards.

Section 17 carves out sweeping exemptions from these protections. The two provisions most vulnerable to constitutional challenge are:

Section 17(1)(c): Exempts processing for prevention, detection, investigation, or prosecution of offences, enabling non-consensual data collection by law enforcement without requiring prior judicial authorisation.

Section 17(2)(a): Empowers the Central Government to notify and exempt any instrumentality of the State from the Act’s obligations on grounds of sovereignty, security of the State, friendly relations with foreign States, or public order — effectively creating a regime of blanket executive exemptions.

As of June 2026, the DPDP Rules, 2025 (notified by MeitY on 14 November 2025) have operationalised the Act with phased compliance over 18 months, but they do not cure the constitutional deficiencies in Section 17 itself.

II. The Constitutional Anchor: Article 21 and Informational Privacy

The constitutional challenge to Section 17 is grounded in Article 21 of the Constitution of India [1], which guarantees the right to life and personal liberty. The Supreme Court in Justice K.S. Puttaswamy (Retd.) v. Union of India ((2017) 10 SCC 1) held that privacy is a fundamental right intrinsic to life and personal liberty under Article 21, read with Articles 14 and 19. Critically, the Court identified informational privacy — an individual’s control over the collection, use, and dissemination of personal data — as one of the three core dimensions of the right to privacy, alongside spatial control and decisional autonomy.

The decisional autonomy dimension is of particular relevance in the surveillance context: State exemptions that permit unchecked data collection not only compromise informational control but also chill the exercise of individual choices and freedoms that depend on the reasonable expectation of privacy. This means that any State action that compels disclosure of personal data, or exempts State agencies from data protection obligations, directly engages the fundamental right under Article 21.

The DPDP Act, 2023 is Parliament’s statutory response to the constitutional privacy mandate recognised in Puttaswamy, designed to regulate processing of digital personal data while recognising individuals’ rights over their data. The constitutional source of informational privacy, however, remains Article 21 — the Act cannot by its own terms diminish that constitutional guarantee.

To the point

I. Statutory Framework: What Section 17 Actually Does

The Digital Personal Data Protection Act, 2023 (DPDP Act) establishes a consent-based framework for processing personal data. Under Sections 4 and 7, personal data may be processed only on the basis of the Data Principal’s free, specific, informed, unconditional, and unambiguous consent, or for specified “legitimate uses.” The Data Fiduciary — any person, company, or government body determining the purpose and means of processing — bears the burden of proving valid consent was obtained and remains responsible for compliance, notice, purpose limitation, and security safeguards.

Section 17 carves out sweeping exemptions from these protections. The two provisions most vulnerable to constitutional challenge are:

Section 17(1)(c): Exempts processing for prevention, detection, investigation, or prosecution of offences, enabling non-consensual data collection by law enforcement without requiring prior judicial authorisation.

Section 17(2)(a): Empowers the Central Government to notify and exempt any instrumentality of the State from the Act’s obligations on grounds of sovereignty, security of the State, friendly relations with foreign States, or public order — effectively creating a regime of blanket executive exemptions.

As of June 2026, the DPDP Rules, 2025 (notified by MeitY on 14 November 2025) have operationalised the Act with phased compliance over 18 months, but they do not cure the constitutional deficiencies in Section 17 itself.

Legal Jargon

I. Article 21 - Guarantees the right to life and personal liberty.

II. Informational privacy - Control over the collection, use, and sharing of personal data.

III. Data principal- The individual whose personal data is processed.

IV. Data Fiduciary- The entity responsible for processing personal data.

V. Consent-Based Framework- Processing personal data only after obtaining valid consent.

VI. Proportionality test- A constitutional test used to determine whether state interference with privacy is justified.

VII. Procedural Safeguards- Legal protections against arbitrary exercise of power.

VIII. Judicial Oversight- Review and supervision by courts.

The Proof

I. The Constitutional Anchor: Article 21 and Informational Privacy

The constitutional challenge to Section 17 is grounded in Article 21 of the Constitution of India [1], which guarantees the right to life and personal liberty. The Supreme Court in Justice K.S. Puttaswamy (Retd.) v. Union of India ((2017) 10 SCC 1) held that privacy is a fundamental right intrinsic to life and personal liberty under Article 21, read with Articles 14 and 19. Critically, the Court identified informational privacy — an individual’s control over the collection, use, and dissemination of personal data — as one of the three core dimensions of the right to privacy, alongside spatial control and decisional autonomy.

The decisional autonomy dimension is of particular relevance in the surveillance context: State exemptions that permit unchecked data collection not only compromise informational control but also chill the exercise of individual choices and freedoms that depend on the reasonable expectation of privacy. This means that any State action that compels disclosure of personal data, or exempts State agencies from data protection obligations, directly engages the fundamental right under Article 21.

The DPDP Act, 2023 is Parliament’s statutory response to the constitutional privacy mandate recognised in Puttaswamy, designed to regulate processing of digital personal data while recognising individuals’ rights over their data. The constitutional source of informational privacy, however, remains Article 21 — the Act cannot by its own terms diminish that constitutional guarantee.

II. The Proportionality Test: The Primary Constitutional Standard

The Puttaswamy judgment laid down that any State intrusion into the right to privacy must satisfy a three-fold (or four-fold) requirement:

1. Legality: There must be a valid law authorising the intrusion.
2. Legitimate aim / Necessity: The measure must pursue a proper State objective.
3. Proportionality: The intrusion must be proportionate to the objective — not excessive in relation to the goal.
4. Procedural safeguards: Later commentary and academic analysis have elaborated this into a four-fold test adding the requirement of procedural safeguards, least restrictive alternative, and balancing — though the core Puttaswamy formulation remains the three-fold requirement.

The DPDP Act, 2023 is assessed against this Puttaswamy framework. The constitutional vulnerability of Section 17 lies precisely in its failure to satisfy the proportionality and procedural safeguard limbs of this test.

Case Laws

I. The constitutional challenge to Section 17 is grounded in Article 21 of the Constitution of India [1], which guarantees the right to life and personal liberty. The Supreme Court in Justice K.S. Puttaswamy (Retd.) v. Union of India ((2017) 10 SCC 1) held that privacy is a fundamental right intrinsic to life and personal liberty under Article 21, read with Articles 14 and 19. Critically, the Court identified informational privacy — an individual’s control over the collection, use, and dissemination of personal data — as one of the three core dimensions of the right to privacy, alongside spatial control and decisional autonomy.

The decisional autonomy dimension is of particular relevance in the surveillance context: State exemptions that permit unchecked data collection not only compromise informational control but also chill the exercise of individual choices and freedoms that depend on the reasonable expectation of privacy. This means that any State action that compels disclosure of personal data, or exempts State agencies from data protection obligations, directly engages the fundamental right under Article 21.

The DPDP Act, 2023 is Parliament’s statutory response to the constitutional privacy mandate recognised in Puttaswamy, designed to regulate processing of digital personal data while recognising individuals’ rights over their data. The constitutional source of informational privacy, however, remains Article 21 — the Act cannot by its own terms diminish that constitutional guarantee.

II. K.S. Puttaswamy (Aadhaar) v. Union of India (2018)

The Information Technology Act, 2000 [2] and its Amendment [3] previously provided the regulatory architecture for data-related matters, including the Cyber Appellate Tribunal framework. The DPDP Act, 2023 operates as a successor framework for personal data protection, but the IT Act’s surveillance provisions — most critically Section 69, which permits the Central Government or a State Government to direct interception, monitoring, or decryption of any information through any computer resource in the interest of sovereignty, integrity, security of the State, friendly relations with foreign States, public order, or for preventing incitement to commission of a cognizable offence — remain in force and interact with Section 17 exemptions.

The result is a dual-track surveillance regime: Section 69 of the IT Act provides the operational interception power, while Section 17 of the DPDP Act removes the data protection constraints that would otherwise apply to the data so collected. This interaction compounds the constitutional vulnerability of Section 17, and opposing counsel will invoke Section 69 as a parallel regime that Parliament has already sanctioned — an argument that must be met by demonstrating that the existence of one constitutionally suspect provision cannot validate another.

The Aadhaar Act, 2016 [4] provides a partial comparator: it contains exemption provisions for national security but was itself subjected to constitutional scrutiny in Puttaswamy (II) (the Aadhaar judgment); the specific holding on reading down provisions is not confirmed in the available research results and should be verified before reliance. The same reading-down approach may be available to the Court in respect of Section 17 — but only if the provision is capable of being narrowed without rewriting it entirely.

Main Discussion

I. Layered Constitutional Challenge to Section 17

Layer 1: Overbreadth and Arbitrariness — Article 14 Challenge

Section 17(2)(a) empowers the Central Government to notify exemptions for State instrumentalities based on open-ended grounds including “sovereignty,” “security of the State,” and “public order.” This creates a risk of blanket exemptions with no requirement of specificity, no time limits, and no independent prior authorisation. The constitutional infirmity here is two-fold:

Excessive delegation: The provision delegates to the executive the power to determine which State agencies are exempt and on what grounds, without laying down any intelligible differentia or guiding principles. This is vulnerable to challenge under Article 14 as conferring uncanalised, arbitrary discretion on the executive.

Overbreadth: The grounds of exemption — particularly “public order” — are so broad as to potentially swallow the rule. Any surveillance programme could be justified under “public order,” rendering the data protection framework illusory for citizens vis-a-vis the State.

The Puttaswamy framework requires that the law authorising intrusion be sufficiently precise and not confer unfettered discretion. Section 17(2)(a) fails this standard.

Layer 2: Failure of Proportionality — The Core Puttaswamy Limb

Even accepting that national security and law enforcement constitute legitimate State aims, Section 17 fails the proportionality limb of the Puttaswamy test because:

1. No narrow tailoring: Section 17(1)(c) exempts all processing for “prevention, detection, investigation, or prosecution of offences” without requiring that the intrusion be the least restrictive means available.
2. No judicial oversight: Unlike comparable frameworks in other jurisdictions, Section 17 does not require prior judicial authorisation or independent oversight before State agencies access personal data.
3. No time limits or sunset clauses: Exemptions under Section 17(2)(a) are indefinite, with no mandatory review or expiry.
4. No proportionality balancing mechanism: There is no statutory requirement that the State demonstrate that the benefit of the intrusion outweighs the privacy cost to the Data Principal.

These deficiencies collectively mean that Section 17 authorises broad State access to personal data amounting to surveillance without satisfying the proportionality standard mandated by Puttaswamy.

Layer 3: Absence of Procedural Safeguards

The Puttaswamy proportionality framework — as elaborated in subsequent academic and constitutional analysis — requires procedural safeguards as a distinct limb. Section 17 provides none of the following:

- A requirement of prior notice to the Data Principal (except where such notice would defeat the purpose, which itself requires independent determination)
- A mechanism for post-facto judicial review of exemption notifications
- A Data Protection Board review of State agency exemptions
- Any grievance redressal mechanism for Data Principals whose data is accessed under Section 17 exemptions

The DPDP Rules, 2025 establish a digital Data Protection Board of India and a 90-day response timeline for certain Data Principal requests, but these procedural mechanisms are expressly inapplicable where Section 17 exemptions operate — the Rules do not cure the parent Act’s constitutional deficiency.

II. The Union’s Defence and How to Counter It

The Union’s likely arguments:

1. The State will argue that Section 17 exemptions serve legitimate State aims — national security, law enforcement, and public order — which are recognised grounds under the Puttaswamy framework itself.
2. Courts traditionally grant the legislature latitude in designing security and data-governance frameworks, particularly where national security is invoked. This judicial deference doctrine — rooted in the principle that courts are institutionally ill-equipped to second-guess executive assessments of security threats — will be a central plank of the Union’s defence. The Union will contend that Parliament’s choice to vest broad exemption powers in the executive reflects a deliberate policy judgment entitled to deference, and that the Court should not substitute its view of what procedural safeguards are adequate for Parliament’s own assessment.
3. The existence of a valid law (the DPDP Act itself) satisfies the “legality” limb of the Puttaswamy test.

Counter-arguments:

- Satisfying the “legality” limb does not exhaust the constitutional inquiry. The Puttaswamy test requires all three (or four) limbs to be satisfied cumulatively. A valid law that is disproportionate or lacks procedural safeguards still fails constitutional scrutiny.
- The judicial deference doctrine in national security matters is not a licence for constitutional abdication. The Supreme Court has consistently held — including in Puttaswamy itself — that even security legislation must satisfy the proportionality standard; deference goes to the choice of means, not to the wholesale abandonment of constitutional safeguards. Where a provision confers uncanalised executive discretion with no procedural check whatsoever, the deference doctrine does not shield it from Article 14 scrutiny.
- Legislative latitude in security matters does not extend to conferring uncanalised executive discretion. The intelligible differentia requirement under Article 14 applies even to security legislation.
- The “legitimate aim” of national security does not justify means that are not narrowly tailored. The proportionality limb requires the State to demonstrate that the specific exemption is necessary and not excessive — a burden the Union cannot discharge for a blanket exemption provision.

Conclusion

Current Litigation Status and Practical Assessment 

As of June 2026, no Supreme Court or High Court judgment has struck down Section 17 of the DPDP Act, 2023. The constitutional challenge remains live and highly plausible under Article 21 privacy jurisprudence as established in Puttaswamy, but has not yet been adjudicated on merits. The DPDP Rules, 2025 (notified 14 November 2025) have operationalised the Act but do not address the Section 17 constitutional deficiencies. The MeitY “Act and Policies” page was updated as recently as 25 May 2026, confirming no further amendment to Section 17 has been notified.

Practical assessment for counsel: A writ petition under Article 32 (Supreme Court) or Article 226 (High Court) challenging Section 17(2)(a) as ultra vires Articles 14, 19, and 21 is maintainable and has strong doctrinal support from Puttaswamy. The strongest ground is the proportionality challenge: the absence of narrow tailoring, judicial oversight, and procedural safeguards makes Section 17(2)(a) constitutionally unsustainable under the Puttaswamy framework. Under K.S. Puttaswamy v. Union of India (2017), privacy is a fundamental right under Article 21 (read with Articles 14 and 19), and any State intrusion must satisfy the three-fold requirement of legality, legitimate aim/necessity, and proportionality, with later commentary elaborating additional elements such as procedural safeguards and least restrictive alternative.

Relief sought should include: (a) reading down Section 17(2)(a) to require prior judicial authorisation for exemption notifications; (b) mandating time-limited exemptions subject to mandatory review; and (c) preserving Data Principal grievance redressal rights even where Section 17 exemptions apply.

Limited direct judicial authority specifically on Section 17 was found in available sources as of June 2026. The challenge will be argued primarily on first principles from Puttaswamy and the constitutional framework under Articles 14, 19, and 21 [1].

FAQs

Q1. What is the Right to Privacy?
The Right to Privacy is a fundamental right protected under Article 21 of the Constitution of India.

Q2. What is the Digital Personal Data Protection Act, 2023?
It is a law enacted to regulate and protect the processing of digital personal data in India.

Q3. Who is a Data Principal?
A Data Principal is the individual whose personal data is being collected or processed.

Q4. Who is a Data Fiduciary?
A Data Fiduciary is a person, company, or government body that determines the purpose and means of processing personal data.

Q5. Why was the DPDP Act, 2023 introduced?
The Act was introduced to protect personal data, ensure privacy, and establish accountability in data processing.

Q6. What is Section 17 of the DPDP Act, 2023?
Section 17 provides certain exemptions to government agencies and law enforcement authorities from some provisions of the Act.

Q7. Which case recognized privacy as a fundamental right in India?
Justice K.S. Puttaswamy (Retd.) v. Union of India (2017).

Q8. Why is Section 17 controversial?
It is controversial because broad exemptions may affect privacy rights and could allow excessive State surveillance.