NO, India’s Data Protection Law does not fully protect you or your privacy
Here is the proof
When your phone lights up, someone somewhere learns something about you.
Not because you allowed it consciously. Not even because you agreed to it after reading the long terms and conditions form. But because the law allows it.
India’s Digital Personal Data Protection Act, 2023, often introduced as the country’s first comprehensive privacy law, promises consent, accountability, and rights over personal data. While on paper it gives citizens the right to access their data, correct it, and even request deletion in some cases, the story becomes more interesting when the State enters the picture.
Because while the law protects your data, it also gives the government significant legal room to use it.
Under the DPDP framework, organisations that collect your data, called data fiduciaries, must usually obtain consent before processing it. Your name, phone number, location, financial records, browsing behaviour, and biometric data all fall within the category of “digital personal data.” The law requires companies to explain why they collect this information and to keep it secure.
But consent is not always required.
The government can legally process personal data without consent under sections 7 and 17 of the law.
For instance, data can be accessed or processed for preventing, detecting, or investigating offences, enforcing legal claims, or carrying out judicial functions.
The Central Government has the power to exempt its own agencies from parts of the law if it believes doing so is necessary for various reasons pertaining to India’s sovereignty. Section 7c of the DPDP Act allows the government and any of its fiduciaries to be entirely exempted from consent requirements, including requirements to notify the users.
This means that the same law designed to protect personal data also creates pathways for the State to access and process it. In some cases, the law even allows government bodies to retain personal data indefinitely, regardless of whether the original purpose for collecting it has been fulfilled.
Citizens may not always have the right to demand its deletion.
No other institution can collect such large amounts of data at such a large scale. Cross-linking databases across sectors leads to comprehensive 360-degree citizen profiles but also significantly increases the chances of data breaches and surveillance risks.
Every little click on your phone, your Aadhaar authentication at your bank, your metro card tap from your daily journey, your digital payments, your health records on government portals, your location permissions on apps that interact with state systems. Each one is a small fragment of you stored somewhere in a database. Individually, they mean very little. Together, they become a profile.
The modern State does not only govern territory. It increasingly governs information about the people within it.
“State Instrumentalists”, a term left undefined within the Act, has been described by experts as so ambiguous that any body or entity carrying out government operations can be deemed one. The ambiguous definition gives any such entity the power to access citizen information without consent in the name of the nation. Worse, very few citizens are aware that their data is at the fingertips of a so-called “state instrumentalist”.
Rule 23 of the DPDP Act further allows the Union government to ask for personal information from any data fiduciary or intermediary for reasons such as the sovereignty or integrity of India or the security of the state. In practice, this means that the government can compel any data-holding entity to furnish user data en masse, merely by invoking broad and vague reasons such as security of the state under Rule 23 of the DPDP Act.
The Act further silences the whistle through Rule 22 of the DPDP Act, under which data fiduciaries cannot disclose the fact that data has been shared with the government in situations where disclosure is likely to prejudicially affect the sovereignty and integrity of India.
While the bill talks of privacy rules and creating consent-based barriers, it has tied the hands of its own citizens by delaying the enforcement of aspects such as the ability to take back permissions, the right to correct or delete data, and clear consent until mid-2027.
This Act has further restricted the scope of the Right to Information, as the public interest provision of the RTI Act has been amended so that any information, even if asked for in the public interest, can be denied by the authorities. The absence of data minimisation requirements and of appellate mechanisms to challenge government demands, together with unclear definitions for broad terms like sovereignty and integrity of India, has heightened concerns about unchecked surveillance leading to the possibility of restricting speech and dissent.
And so the question is no longer whether your data exists in government systems. It does.
The more interesting question is:
How clearly do we understand the laws that allow it to be there?













