The Structural Hole In India's Data Protection Law

Update: 2026-06-06 11:30 GMT

When India's Digital Personal Data Protection Act was passed in 2023, it was welcomed as a long overdue development in the country's data protection framework. After nearly a decade of failed legislative efforts, a comprehensive data protection statute had finally materialized. The Act opens with language suggesting a consent-centric model of data governance: personal data may be processed only with the free, specific, informed, unconditional and unambiguous consent of the data principal. Consent, accordingly, is presented as the Act's primary source of legitimacy.

The framework, however, contains a substantial caveat in the very next section, one that has received insufficient public scrutiny.

Section 7 of the Act establishes a category of "certain legitimate uses": nine specifically defined situations in which a data fiduciary may process personal data without obtaining consent. The legislative justification for these exceptions is that they are pragmatic accommodations of operational realities, and in some cases, such as medical emergencies or employment-related functions, they are reasonably defensible. Section 7(b), however, is considerably broader. It authorizes the State and its agencies to process personal data for the provision of subsidies, benefits, services, certificates, licences or permits "as prescribed", without requiring consent and without any statutory test of necessity or proportionality.

Consequently, much of the State's digital governance architecture, including Aadhaar-linked welfare systems, DigiLocker and CoWIN, exists outside the very consent framework the statute claims to establish. Far from being an unintended inconsistency, this asymmetry is integral to the architecture of the Act.

The wording of Section 7 borrows the grammar of modern data protection regimes, such as "legitimate use", while departing from the substantive safeguards those terms ordinarily imply. By comparison, the GDPR permits certain forms of non-consensual processing on the "legitimate interests" ground under Article 6(1)(f), but only after the controller's interest has been balanced against the fundamental rights and freedoms of the data subject. Crucially, the GDPR makes this proportionality assessment obligatory and preserves the data subject's right to object. Section 7 of the DPDP Act, by contrast, imposes no comparable obligation. The statute effectively assumes that the balancing exercise has already been concluded by the legislature, leaving little room for the interests of the data principal to figure in the analysis at all.

Section 17 exacerbates the problem. Under Section 17(2)(a), the Central Government may, by notification, exempt any instrumentality of the State from the Act altogether on grounds of sovereignty and integrity, security of the State, friendly relations with foreign States or maintenance of public order. These grounds are familiar: they echo the restrictions in Article 19(2) of the Constitution, which have historically provided cover for executive overreach. The statute, however, does not require the exemption to be narrow, provides for no independent oversight, and does not compel anyone to record reasons. Once the Central Government issues a notification, the exemption takes effect, with no judicial approval as a prerequisite and no post-hoc review mechanism.

The DPDP Rules, 2025, notified in November 2025 with a phased implementation running to May 2027 as an effective transition period, do not remedy these deficiencies. Rule 23, the provision dealing with government access to personal data, defers the specifics of procedure to future notifications. A Second Schedule lays out standards for State data processing, but these are technical safeguards, not enforceable rights. They say nothing of proportionality and do not require any nexus between the exempted activity and a specified objective.

In 2017, the Supreme Court in Puttaswamy unanimously held privacy to be a fundamental right under Article 21 and laid down a three-part test for restrictions on that right. First, the restriction must have a basis in law. Second, it must serve a legitimate aim of the State. Third, the means must be proportionate to the State's objective, with no less restrictive alternative available. The judgment also stressed the importance of independent, third-party oversight of the executive's reach when it accesses personal information.

Measured against that test, the DPDP Act's treatment of the State falls short. Legality is satisfied only at a formal level, because Section 17 is itself part of a statute. The objectives of national security and public order are valid aims. But the provisions do not require the government to show the need for any given exemption, to justify the extent of data processing, or to demonstrate that the intrusion into privacy is proportionate to the objective pursued. Blanket immunity issued by executive notification becomes effective without any further act. In its public response to the Rules, the Software Freedom Law Center (SFLC) stated that the DPDP framework is silent on the constitutional requirement of necessity and proportionality laid down in Puttaswamy, and that the absence of judicial warrants or independent oversight of State access to personal data makes it hard for individuals to meaningfully assert their privacy rights.

In February this year, the Delhi High Court issued notice to the Central Government on a PIL challenging provisions of the DPDP Act and Rules, including Sections 17 to 21, 23, 29 and 44, on the ground that together they create an executive-dependent enforcement system, allow opaque exemptions and confer censorship powers without due procedural safeguards. The petition relies on Puttaswamy and argues that the impugned provisions allow the State to invoke broadly worded grounds for exempting its instrumentalities while providing none of the oversight the Supreme Court found to be constitutionally required.

The petition also raises a broader concern that goes beyond the explicit legal arguments: the likelihood of a chilling effect on investigative journalism and on the confidentiality of sources. The Act's secrecy provisions, and in particular the blocking powers under the Rules, are said to be broader than the corresponding provision in Section 69A of the IT Act, 2000, and to lack the procedural precautions that accompany that provision. When the State can process personal information without any real control over the processing, and can prohibit dissemination of information about that processing without judicial scrutiny, the consequences for press freedom are clear.

It is something of a paradox that a data protection law regulates private actors more strictly than State actors. A private company that wishes to process personal data must obtain structured consent, provide a prescribed notice, establish a lawful basis for processing and answer to the Data Protection Board. The State may exempt itself by executive notification on the basis of national security, a term the Act neither defines nor limits.

Today, India's digital public infrastructure reaches into almost every aspect of civic life. The information produced by welfare platforms, health registries and identity systems is more than administrative record-keeping; it traces political associations, financial status, health and movement. This asymmetry is the weakest facet of the Act's design.

Such an inversion is not unique to India. Numerous data protection regimes make room for State processing. But the traditional rationale for those exemptions is that State processing, precisely because of its coercive nature, is held accountable through other mechanisms, for instance judicial warrants, parliamentary oversight or independent review. The DPDP Act removes the statutory safeguards without providing alternative ones. The Act's supporters might respond that the Data Protection Board will serve as a check. From the beginning, however, the Board's structural independence has been questioned: its members are appointed by the Central Government, and the Board has no jurisdiction where the State chooses to invoke an exemption under Section 17.

None of this argues for an impossibly rigid consent-based system in which, say, a government hospital cannot treat an unconscious patient without a digital signature, or a court cannot enforce a judgment without the judgment debtor's opt-in. The argument is narrower: wherever the State processes personal data without the citizen's consent, it must meet the Puttaswamy standard on the record. Necessity must be justified, not taken for granted. Proportionality must be assessed. And an independent body, one that is neither an executive agency nor a government-appointed board, must review that assessment.

The Delhi High Court's hearing of the PIL is an opportunity. If the Court follows the Puttaswamy approach and places heavy emphasis on proportionality, the legislature may have to build genuine proportionality mechanisms into the State exemption framework, something the original drafters failed to do. The staggered implementation dates of the DPDP Rules (with most substantive obligations beginning in May 2027) leave sufficient time to remedy the structural design before the full edifice comes into force.

India's data protection law was meant to give citizens meaningful control over their personal data. That control currently stops where the State begins. For a law that rests on the promise of Puttaswamy, this is a substantial letdown.

Views Are Personal. 
