India took a significant step toward digital governance with the Digital Personal Data Protection Act (DPDP) in August 2023. This legislation marks the country’s first comprehensive attempt to establish a data protection framework. Yet as we approach the two-year mark, a substantial gap has emerged between legislative intent and implementation reality.
A Framework of Trust Under Strain
The DPDP Act established a promising conceptual foundation by designating individuals as “Data Principals” and entities handling data as “Data Fiduciaries.” This terminology, borrowed from trust law, establishes that our personal information fundamentally belongs to us, with organizations merely holding it in trust.
The framework includes meaningful deterrents—fines up to ₹250 crore for violations—and grants citizens rights to data erasure and correction. These provisions align with global best practices for data protection.
However, this architecture of trust exists alongside provisions that potentially undermine its foundation.
When Government Exempts Itself
Section 17 creates a significant loophole in the protective framework by allowing the government to exempt itself and its agencies from compliance. The justifications—“national security” and “public order”—remain deliberately undefined, creating a discretionary space where privacy protections may be suspended with minimal oversight.
This self-exemption mechanism represents a fundamental tension in the legislation: can a data protection framework effectively safeguard privacy when the state, as a major data collector, can opt out of its requirements?
From Protector to Profiteer: The VAHAN Database Precedent
The tension between protection and exploitation became visible in February 2021, before the DPDP Act’s passage, when Union Minister Nitin Gadkari informed Parliament that the government had earned over ₹100 crore by sharing citizens’ vehicle registration and driving license data from the VAHAN and SARATHI databases with 170 private entities.
“The ministry had earned a revenue of about ₹111 crore by providing access to VAHAN and SARATHI databases,” Gadkari stated in a written reply to the Rajya Sabha.
While this occurred under a 2019 Bulk Data Sharing Policy predating the DPDP Act, it established a precedent of treating citizen data as a revenue stream rather than a protected asset. The Act’s exemption provisions create uncertainty about whether such practices might continue despite the new privacy framework.
Digital Search and Seizure
The landscape of data governance shifted in February 2025 with Finance Minister Nirmala Sitharaman’s introduction of the Income Tax Bill, featuring Clause 247. Set to take effect on April 1, 2026, this provision empowers tax officials to access emails, social media, banking records, cloud storage, and digital wallets by overriding access codes, without requiring court orders. Building on Section 132 of the 1961 Income Tax Act—which governs physical searches—Clause 247 extends these powers into the digital realm, triggered by suspicion of tax evasion or undisclosed assets.
While the bill doesn’t explicitly define the threshold as “mere suspicion,” its lack of judicial oversight and reliance on officer discretion have fueled concerns about a lowered bar for intrusion. Sitharaman defended the measure in Parliament, noting that tax authorities already leverage data from WhatsApp and Google Maps, arguing it formalizes necessary tools to combat evasion in a digital economy. Yet, as the bill awaits final approval, this expansion of state authority starkly contrasts with the DPDP Act’s stalled promise of privacy protections.
Regulatory Independence Deficit
The Data Protection Board (DPB), responsible for enforcing the DPDP Act, faces structural constraints that may limit its effectiveness:
● Board members serve abbreviated two-year terms per Section 20(2)
● The central government controls appointments directly through Section 20(1)
● This creates inherent conflicts of interest when regulating government data practices
The structure marks a retreat from the more independent Data Protection Authority proposed in the 2019 bill. As Apar Gupta, Executive Director of the Internet Freedom Foundation, observed in January 2025: “For all practical purposes, [the] current Digital Data Protection Act law does not offer any real remedy… the protection it provides people and the exemptions it provides businesses — both are up to the government’s discretion without any foundational principle attached to it.”
This contrasts sharply with European models, where regulatory independence has enabled meaningful enforcement actions like Ireland’s €1.2 billion fine against Meta in 2023.
The Implementation Vacuum: Rules Pending, Protections Paused
Critical implementation milestones remain unreached nearly two years after the Act’s passage. As of April 2025, the operational rules defining the Data Protection Board’s procedures haven’t been notified, creating a regulatory vacuum.
This implementation delay follows a pattern seen with the 2019 Personal Data Protection Bill, which underwent years of deliberation before being withdrawn in 2022. The pattern suggests systemic hesitancy toward establishing effective privacy safeguards.
Surveillance Infrastructure: Building While Privacy Frameworks Wait
As data protection implementation stalls, surveillance capabilities continue expanding:
● Facial recognition networks deployed through the Smart Cities Mission
● The Centralized Monitoring System enabling warrantless communications interception
● The National Intelligence Grid (NATGRID) connecting 21 government databases
This asymmetric development—accelerating data collection while delaying protection frameworks—creates growing privacy vulnerabilities.
Comparative Frameworks
India’s approach diverges from international standards in key ways:
● The EU’s GDPR provides comprehensive protection with narrowly defined exemptions subject to proportionality tests
● Brazil’s Lei Geral de Proteção de Dados offers a middle ground, starting with government oversight but transitioning toward regulatory independence
These alternatives demonstrate that effective data protection and legitimate security interests can be balanced through appropriate institutional design and oversight mechanisms.
Vulnerable Communities at the Privacy Frontier
The consequences of weak privacy protections fall unevenly across society:
● Marginalized communities face heightened surveillance risks
● Political activists experience greater scrutiny of their digital activities
● Ordinary citizens lose control over personal information in commercial and governmental databases
This uneven impact raises questions about digital equality and the right to privacy as a universal protection rather than a conditional privilege.
From Paper Rights to Effective Protections
For the DPDP Act to fulfill its promise, several structural reforms appear necessary:
- Regulatory Independence – Creating genuine autonomy for the Data Protection Board
- Judicial Oversight – Narrowing government exemptions and requiring court approval
- Transparent Processing – Mandating regular audits of data collection and usage
- Constitutional Recognition – Implementing privacy as a fundamental right per the Puttaswamy judgment
The Sovereignty-Privacy Balance: Defining India’s Digital Future
India stands at a crossroads between two visions of data governance: one centering citizen rights and another prioritizing state discretion. The implementation choices made in the coming years will determine whether privacy becomes a meaningful right or remains a negotiable interest.
As citizens in a digital democracy, we face a fundamental question: Do we want a framework that treats our personal information as a right deserving robust protection, or as a resource to be leveraged for governmental and commercial purposes?
The answer will shape not just data practices, but the foundational relationship between citizens and the state in India’s digital future.
