The Digital Personal Data Protection Act, 2023 (“DPDP Act” or “Act”) was enacted by the Indian Parliament on 11 August 2023 after several iterations of the bill. It took another two years before the Central Government brought the DPDP Act into effect, on 14 November 2025, with the enactment of the Digital Personal Data Protection Rules, 2025 (“DPDP Rules” or “Rules”).

The much-awaited DPDP Act promised to actualise the Indian Supreme Court's recognition of privacy as a fundamental right in 2017. The Act claims to balance protecting personal data with processing it for lawful purposes. However, numerous exemptions for governmental data processing reveal that it actually tilts toward Government control over personal data.

One major way in which the Act establishes the Central Government’s control over personal data of people is through Section 36 of the Act. This provision enables the Central Government to call for information from the Data Protection Board of India (“the Board”) and the platforms. Read with another provision (section 17(2)(a)), the processing of such data and information sought by the Central Government is not regulated under the DPDP Act. The Government is not bound by any restrictions and safeguards that apply to Data Fiduciaries.

For comparison, under the Act, among other things, a platform is required to:

·  provide a notice and obtain informed consent of users (Sections 5 and 6)

·  ensure completeness, accuracy and consistency of the data before using data to make a decision that affects the user (Section 8(3)).

·  implement appropriate technical and organisational measures, and take reasonable security safeguards to prevent breach of users’ personal data (Sub-sections (4) and (5) of section 8)

·  erase personal data after the purpose of processing is exhausted (Section 8(7))

·  in the event of a personal data breach, give the Board and each affected user intimation of such breach (Section 8(6)).

None of these restrictions and safeguards apply to the Central Government when it calls for information or processes information.

Section 36 is a one-line provision that comes with scant information on when and how it can be used. As per the initial notification, the provision is set to come into force in May 2027 (eighteen months from the Act coming into force). However, MeitY wishes to bring certain provisions into effect immediately and is awaiting industry inputs. This article analyses the little we know of the provision, what it lacks, and what threats it poses.

What the Act and Rules Tell Us

Section 36 of the DPDP Act is merely a sentence long and allows the Central Government to call for any user data and information from the Data Protection Board and any platform collecting such data.

While this primary provision is vague regarding the scope of this power, Rule 23(1) of the DPDP Rules provides some definition. It restricts the Central Government’s authority to request information to the three specific purposes outlined in the Seventh Schedule.

The first purpose is the use of personal data “in the interest of sovereignty and integrity of India or security of the State” by the State. For this purpose, information can be sought by an officer of the State designated by the Central Government. The second purpose is the use of personal data for the performance of any function under any other Indian law, including the obligation to disclose information. The third and last purpose listed in the Seventh Schedule of the Rules is assessing a platform for whether it should be notified as a significant data fiduciary.

These three purposes hardly constrain the scope of the Central Government’s sweeping power. Broad phrases such as 'sovereignty and integrity of India' or 'security of the State' could be interpreted to include even peaceful dissent by the opposition against policies of the government of the day. Moreover, there is no mention of the evidentiary threshold required to demand such information.

The Question of Constitutionality

In K.S. Puttaswamy v. Union of India (AIR 2017 SC 4161), the Supreme Court recognised privacy as a fundamental right and within that, spoke of informational privacy as an essential facet of the right to privacy.

As part of the right to life and liberty, any infringement of informational privacy should be just, fair and reasonable (Maneka Gandhi v. Union of India, 1978 SCR (2) 621). For this, any infringement on this fundamental right by an authority should be proportional. The three-pronged proportionality test in Indian law requires: First, the action must be legitimate and sanctioned by law. Second, the extent of such interference must be proportionate to the need for such interference. Only the least restrictive measure can be resorted to by the State after considering alternatives. Third, there must be procedural guarantees against abuse of such interference (K.S. Puttaswamy (supra)).

Section 36 is likely to fail the proportionality test for not being the least restrictive measure. The Central Government has sweeping powers under the provision. In contrast, under the European Union’s data protection law, the General Data Protection Regulation, while data can be processed for “legitimate interests” such as national security and public security, such use of personal data is dependent on the use being “necessary”.

Far from being the least restrictive measure, the right to privacy becomes a hollow promise when pitted against the power of the State. With section 36, the law seems to have provided the tools for its own undoing. The Central Government is not required to show any proof of suspicion, or provide reasons before calling for information from platforms or the Board.

Lack of Procedural Safeguards

The Supreme Court has held that in order to rule out arbitrariness in the exercise of power, it is necessary to lay down procedural safeguards so that the right to privacy of a person is protected (PUCL v. Union of India, (1997) 1 SCC 301).

The DPDP Act provides no procedural safeguards when the Central Government demands information. At minimum, there should be an independent review mechanism to scrutinise the Government's decisions to request specific information. The legislature had an opportunity to confer this function upon the Board. However, the Board under the Act has been reduced to a mere adjudicator, lacking any regulatory powers or authority to exercise oversight over the Government's decisions concerning the Act. In contrast, in the UK, the Investigatory Powers Commissioner independently reviews applications to access transmission of data from law enforcement and public authorities, to ensure it is only authorised where this is lawful, necessary and proportionate.

The absence of an independent review authority is particularly concerning given the broad purposes for which information may be sought. Since phrases such as 'security of the State' are susceptible to expansive and arbitrary interpretation, review by an independent authority is a critical safeguard that should have been embedded in the Act itself.

Notably, the Government is empowered to call for “information,” not merely isolated personal data points. This is significant because intermediaries increasingly use AI-driven systems that generate inferences about users—often opaque and unverifiable. Unlike platforms, the Central Government is not required to ensure accuracy, completeness or consistency of the data it processes.

The Act also fails to prescribe a requirement for the Government to provide reasons for its decision. Without recorded reasons, judicial review becomes nearly impossible. This is contrary to the well-settled legal principle that the authority exercising discretion needs to show through reasons in the order that it had made its decision after considering the evidence and facts before it. Provision of reasons makes judicial review meaningful (See Anuradha Bhasin v. Union of India, (2020) 3 SCC 637).

The Act leaves affected parties with no recourse. They lack any mechanism to challenge or appeal the Government’s request and may never even learn that their information was shared. Rule 23(2) of the Rules permits the Government to direct platforms to not disclose to the users that their information was provided to the State if such disclosure is believed to prejudice sovereignty, integrity or security of the State.

Privacy Implications

The B.N. Srikrishna Committee of Experts on a Data Protection Framework for India published a report which notes that “[s]urveillance should not be carried out without a degree of transparency that can pass the muster of the Puttaswamy test of necessity, proportionality and due process.” The absence of mechanisms to challenge or review Government decisions, combined with secrecy, raises serious privacy concerns for Indian citizens: a situation in which people know the State has the power to process large amounts of personal data, but do not know what it knows about them and have no means of seeking redressal in cases of arbitrary enforcement.

In this regard, the European courts have been putting meaningful restraints on the power of public authorities to collect and process data in secret. The European Court of Human Rights has held that the national legislation needs to be sufficiently clear to give citizens an adequate indication as to the circumstances in which public authorities are empowered to resort to secret surveillance measures and must indicate the scope of discretion to give the individual adequate protection against arbitrariness.

Similarly, when surveillance practice by intelligence agencies in the UK was challenged, the Court of Justice of the European Union (CJEU) held that national legislation requiring providers of electronic communications services to disclose traffic and location data to intelligence agencies through general and indiscriminate transmission exceeds the limits of what is strictly necessary and cannot be considered justified within a democratic society. It held that legislation must lay down clear and precise rules governing the scope and application of the measure and impose minimum safeguards, so that the persons whose personal data is affected have sufficient guarantees to protect their data against the risk of abuse.

Such broad powers to access personal data can have the accompanying consequence of creating a chilling effect. This is when people increasingly self-censor, fearing consequences for sharing their ideas and thoughts, lest they be found, targeted and persecuted. The power of the Central Government to call for and process information, in its current form, can be used disproportionately against journalists and the opposition, as there exist no checks and balances. Such apprehension is not misplaced given that journalists are particularly vulnerable to becoming targets of unlawful or arbitrary surveillance. Unlawful surveillance against journalists and human rights defenders can result in their fundamental right to speech and expression being undermined.

The 2018 and 2019 bill iterations of the DPDP laws explicitly recognised any unexpected surveillance by the State and the resulting chilling effect as a “harm”. This was later omitted and instead, broad powers have been placed in the hands of the government through section 36.

The power of the Central Government under section 36 cannot be viewed in isolation. This provision must be understood within the broader landscape of governmental powers over personal data and India’s surveillance projects operating in a legal vacuum. The DPDP Act exempts publicly available data from its purview, effectively permitting unfettered data scraping (Section 2(c)(ii) of the Act). When combined with the Central Government's extensive powers under the Information Technology Act, 2000—including the authority to block public access to information (section 69A), intercept, monitor or decrypt information (section 69), collect traffic data through computer resources (Section 69B), and the power to suspend internet access under the Telecommunications Act, 2023—a concerning picture emerges. Collectively, these provisions grant the government sweeping authority to collect, process, and regulate personal data across all digital platforms, with minimal oversight or accountability mechanisms in place. Besides this, the government has executed surveillance projects such as the Central Monitoring System and National Intelligence Grid/NATGRID, which seek to monitor citizens’ communications.

Without meaningful procedural safeguards, independent oversight, and accountability mechanisms, Section 36 of the DPDP Act severely undermines informational privacy and democratic freedoms in India.