Published On: February 17th 20226
Authored By: Srijopriyo Das
Symbiosis Law School, Hyderabad
INTRODUCTION
The introduction of the Digital Personal Data Protection Act[1] was the first moment in the history of privacy jurisprudence in India, as it offered a legislative basis of personal data protection. Nonetheless, only after the announcement of the Digital Personal Data Protection Rules[2] did the law obtain operational importance? These Rules bring to reality abstract statutory principles in the form of enforcement obligations, mechanisms of compliance and procedures of regulation.
Although the DPDP Rules are intended to enhance data governance and accountability, they have also brought back constitutional issues on State surveillance, executive discretion and erosion of personal privacy. In a world where government is becoming more data-driven, the State has been exponentially increasing its desire to acquire personal data to serve its purposes, which include the delivery of welfare, national security, maintaining order and law enforcement.[3] This growth has added to the conflict between personal independence and State authority. The key issue that emerges based on the DPDP Rules, 2025, is whether the data protection system in India is sufficient to limit State surveillance according to the constitutional principles, or it encourages unlimited data access in the context of large-scale governmental exemptions. This paper will critically discuss this tension and whether the DPDP Rules offer a constitutionally viable balance between privacy and surveillance or not.
CONSTITUTIONAL FOUNDATIONS OF PRIVACY AND SURVEILLANCE
Under the Constitution, the status of privacy in India was clarified by the Supreme Court, where it recognised privacy as an inherent right to life and personal liberty under Article 21[4]. The concept of privacy was not made merely for protection from physical intrusion but as a broader right encompassing self-determination, decisional autonomy, and human dignity. Due to this, State power, particularly in relation to surveillance and data collection from its citizens, is limited.Â
The Court established that any State action that infringes upon the privacy of an individual must satisfy a threefold test. The exceptions are the existence of a valid law, the pursuit of a legitimate State aim, and proportionality between the means employed and the objective sought to be achieved[5]. Hence, the survey is not unconstitutional but is subject to strict scrutiny. This framework became the constitutional touchstone against which all subsequent data governance and surveillance regimes were expected to be evaluated.
However, with the advancement of technology, we see a transformation in surveillance from targeted monitoring to continuous and systematic data collection for monitoring. Digital footprints, metadata, biometric identifiers, and behavioural profiling can be accessed by the State databases[6]. In this context, the constitutional challenge is no longer confined to unlawful surveillance but extends to lawful yet excessive data collection that may undermine individual autonomy without overt coercion.
THE DPDP ACT AND THE OPERATIONAL ROLE OF THE 2025 ROLE
The Digital Personal Data Protection Act was introduced as a consent-based data protection regime that placed individuals, also referred to as Data Principals, at the centre of data governance. Data Fiduciaries are obligated to lawful processing, purpose limitation, data minimisation and security safeguards[7]. This Act also establishes enforcement mechanisms through the Data Protection Board of India[8].
The DPDP Rules[9] operate the framework by making consent procedures, notice requirements, and breach reporting obligations detailed. At the structural level, the Rules seek to make privacy more enforceable rather than merely aspirational. They also reflect an attempt to align Indian data protection norms with global practices in areas such as accountability and grievance redressal.
However, embedded within the operational framework are expansive provisions that allow the State to exempt itself from many of the obligations in the DPDP Rules[10]. Rules that raise serious constitutional concerns, as they directly affect the balance between privacy rights and State surveillance powers.
STATE EXEMPTIONS AND EXECUTIVE DISCRETION
The scope of exemptions that the State has to process personal data is one of the most disputable aspects of the DPDP Rules[11]. Government bodies can be exempted from central data protection rules for reasons like national security, sovereignty, civil order, and deterrence of offences. Although they have valid grounds in principle, these are determined in general and indefinite terms.
The fact that these exemptions are operationalised by delegated legislation as opposed to statutory safeguards means that the executive discretion is greatly increased. This is a question of ambiguity and a lack of objective standards for when and how exemptions can be applied. Constitutionally, this broad discretion endangers the legality aspect of the privacy test, in that people are not properly informed as to the extent to which the State can collect data.
In addition, the Rules do not impose self-authorisation or recurrence screening of data processing on surveillance. Lack of a mechanism of judicial or parliamentary checks and balances implies that critical decision-making relating to basic rights is, in effect, placed on executive evaluation. This centralisation of authority poses a constitutional issue that limitations on core rights cannot be made without providing strong procedural protections[12].
PROPORTIONALITY AND THE NORMALISATION OF SURVEILLANCE
The proportionality doctrine requires that State’s interference with privacy must be necessary, narrowly tailored, and the least intrusive means available. While the DPDP Rules recognise legitimate State interests, they do not require an analysis of democratic necessity before granting exemptions[13]. This omission risks transforming exceptional surveillance measures into routine administrative practices.
The other aspect of proportionality is with regard to data retention and secondary use. The DPDP Rules fail to give a specific limit within which a State agency can store personal information collected for exempt purposes. It does not even sufficiently limit the reuse of such information in different departments. These practices will weaken the original purpose of data collection and erode the concept of limiting purpose, which is paramount in constitutional privacy goals as well as international data protection standards. The circumvention of consent in the processing of State information is worrisome.
Consent is not a mere formal procedure but a demonstration of agency on an individual level. Though there are real cases when some State functions might really be in need of non-consent data collection, the blanket exception on the collection of consent without the additional requirements of transparency erodes informational autonomy.
Regrettably, people are not well-informed about the extent, purpose, and length of State data processing. Over time, such practices may risk normalising surveillance as a culture that operates within a legal framework but is outside constitutional morality[14].
ANALYSIS OF OVERSIGHT DEFICIT AND INSTITUTIONAL LIMITATIONS
The Data Protection Board of India is envisaged as the primary regulatory authority under the DPDP framework. But its ability to serve as an effective check on State surveillance is limited by structural limitations. Both the appointment and removal of the executive are dominated by the executive, which casts doubts on institutional independence[15].
 More importantly, the authority of the Board in exempted State agencies is not clear. When government actors escape the proper regulatory framework, the enforcement infrastructure is asymmetrical, with very high demands on non-State actors, and the State agencies are free to act without much accountability. This kind of asymmetry does not agree with the principle that the State, being the most powerful data processor, must be subjected to the highest degree of scrutiny.
The absence of a strong oversight framework also raises concerns about remedies that are available to individuals whose data is unlawfully processed by State agencies. Though the DPDP Act recognises a grievance redressal mechanism, its effectiveness against State agencies remains uncertain when exemptions apply. We should recognise that when remedies exist only in theory but are inaccessible in practice, which fails to satisfy the constitutional requirement, our inherent fundamental rights are breached[16].
Though theoretically judicial remedies exist, this does not mean that they can replace institutional oversight. Litigation is slow, costly and retaliatory, which is realised when the damage has been caused. A surveillance regime that upholds the rule of law should thus focus on preventive measures as opposed to post-facto measures. The current DPDP framework has an excessive burden that requires individuals to question the action of the State, instead of the State having to explain why it has intruded in the first place[17].
COMPARATIVE PERSPECTIVES
Comparative jurisdictions provide valuable insights into striking a balance between surveillance and privacy. In the European Union, under the GDPR, state surveillance is considered to be subject to tough necessity and proportionality criteria, which are closely monitored by independent supervisory bodies and judicial control[18]. Equally, in the United Kingdom, the surveillance activities are regulated by the statutory provisions that require warrants for surveillance by judges and review by parliament.
The DPDP system in India, in turn, is mainly based on executive self-regulation. Administrative efficiency is a valid issue, but it should not be used as an excuse to undermine constitutional protections. As Pastan’s experience shows, the surveillance regimes can obtain their legitimacy not by secrecy but by transparency and accountability[19].
CONCLUSION
The DPDP Rules, 2025, are a milestone towards the complete data protection of India. They, however, also reveal unanswered tensions between State surveillance and individual privacy. Although national security and maintenance of order are valid State interests, they cannot serve as unconstrained grounds of far-reaching data access.
Privacy, in the meaning the Constitution uses the term, is not a grant availed by the State, but a restraint on its power. India can focus on the success of its data protection structure in the long term based on its ability to internalise this principle. Lacking significant protection, autonomous control and a strict enforcement of proportionality, the DPDP regime is likely to turn to institutionalisation of surveillance instead of its regulation.
 The difficulty here is that digital governance can and must enhance the constitutional democracy, not undermine it.
REFERENCES
[1] Digital Personal Data Protection Act 2023
[2] Digital Personal Data Protection Rules 2025.
[3] Ministry of Electronics and Information Technology, Explanatory Note on DPDP Rules 2025.
[4] Justice KS Puttaswamy (Retd) v Union of India (2017) 10 SCC 1 (SC).
[5] Ibid.
[6] Shyam Divan, Privacy and Surveillance in the Digital Age (OUP 2020).
[7] Digital Personal Data Protection Act 2023 ss 4–8.
[8] Joint Parliamentary Committee on Data Protection, Report on the Personal Data Protection Bill (2021).
[9] Digital Personal Data Protection Rules 2025.
[10] ibid r 7.
[11] ibid r 6
[12] Gautam Bhatia, The Transformative Constitution (HarperCollins 2019).
[13] Modern Dental College v State of Madhya Pradesh (2016) 7 SCC 353 (SC).
[14] Orin S Kerr, ‘The Problem of Perspective in Surveillance Law’ (2014) 97 Minnesota Law Review 965.
[15] Digital Personal Data Protection Act 2023 s 19.
[16] Shreya Singhal and Vrinda Bhandari, ‘Data Protection and Executive Power in India’ (2023) 8 NUJS L Rev 1.
[17] Anuradha Bhasin v Union of India (2020) 3 SCC 637 (SC).
[18] Regulation (EU) 2016/679 (General Data Protection Regulation).
[19] David Lyon, Surveillance Society (Open University Press 2001).
