Riyan Paul Mathew
Abstract
The DPDP Act 2023, envisioned to fill the legal lacuna on digital privacy, falls largely short of its own Statement of Objects and Reasons. By carving out three tiers of exemptions for governmental activity, covering national security and public order, criminal investigation, and statistical research, and by removing meaningful timelines for the erasure or control of personal data, it has effectively negated the right to be forgotten as articulated in Justice K.S. Puttaswamy (Retd.) v. Union of India. Comparing these exemptions against the UK’s Data Protection Act 2018, this essay argues that the DPDP Act departs at each tier from the proportionality standard the Supreme Court held to be constitutionally necessary, reflecting a governance philosophy that treats governmental discretion as a substitute for procedural safeguards.
Introduction
India’s Digital Personal Data Protection Act, 2023 (DPDP Act/the Act) represents the culmination of a decade-long debate over the shape of the country’s data protection regime. Until recently, the law on digital privacy was derived mainly from the Information Technology Act, 2000; with the notification of the rules under the DPDP Act in November 2025, that legal lacuna has now been filled. The Act’s Statement of Objects and Reasons declares its purpose as providing for the ‘processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes.’ This promise of a modern, rights-based framework centred on consent and fair use is, however, belied by specific provisions, particularly those on government retention of data and access to personal data for criminal investigations, which reveal a rather different set of priorities.
The DPDP Act allows broad governmental exemptions in dealing with personal data, ignoring the procedural safeguards and guidelines recommended in the report of the Justice B.N. Srikrishna Committee. Furthermore, the choice to classify surveillance categorically as a legitimate activity appears to run against the spirit of the Supreme Court’s judgment in Justice K.S. Puttaswamy (Retd.) v. Union of India.
In Puttaswamy, the Court makes two fundamental points of enduring relevance: first, that the right to privacy is derived from the right to life under Article 21, and second, that individuals must be able to control the ‘life cycle’ of their personal data, specifically with respect to its use and erasure. While the Court did not explicitly lay down a right to be forgotten, the judgment recognises that in an age where data exists without a lifespan, the inability of individuals to move past their past can have adverse consequences. Significantly, the Court also lays down a proportionality standard for any restriction on the right to privacy, requiring that the restriction be lawful, necessary and accompanied by procedural safeguards. It is against this standard that each tier of exemption is examined below.
This underlying rationale is further solidified by the judgment’s reliance on European cases such as Tele2 Sverige, which rejected general and indiscriminate data retention regimes and which served as examples of how constitutional democracies ought to approach government access to personal data.
The DPDP Act’s inadequacy becomes even more pronounced when compared with the EU’s General Data Protection Regulation (GDPR) and the UK’s Data Protection Act 2018 (DPA 2018/the DPA), both of which contain strong procedural safeguards that permit government surveillance within reasonable limits without violating the right to privacy.
This essay analyses the specific provisions of the DPDP Act that confer this largely unrestrained power of governmental surveillance, comparing them with the corresponding provisions of the DPA 2018, which was enacted to reflect the principles of the GDPR. In doing so, it examines to what extent the right to privacy, termed a primordial right by the Apex Court, has been upheld.
Analysis: A Tiered System of Exemptions
The provisions of the Act create three tiers of exemptions for governmental functions, where the extent of the exemption correlates with the invasiveness of the function. Similar tiered exemptions are found in both the GDPR and the DPA; however, the levels of exemption and the underlying philosophy vary greatly.
Tier 1, National Security/Public Order
At the most extreme end of the spectrum is Section 17(2)(a) of the DPDP Act, which provides a blanket exemption from all provisions of the Act, including those on data security, accountability, processing requirements, erasure timelines and data principal rights. The exemption applies to the processing of personal data by such instrumentalities of the State as the Central Government may notify (acting as data fiduciaries, that is, entities that determine how and why personal data is processed), so long as the processing is in the interests of national security, sovereignty or public order.
One can expect that intelligence agencies will be granted this exemption, providing state sanction for surveillance without meaningful restriction. The only control on such agencies would be Rule 23, which requires that the collection of data be signed off by an officer appointed by the Centre or by the head of the agency concerned. Effectively, this grants the agency the power to decide what information it wants, what it does with it and on whose authority.
While the Rules, in Schedule 3, specify retention periods ranging from one to three years for data held by private entities, that provision is inapplicable to agencies notified under Section 17(2)(a).
Looking at this tier against the proportionality standard in Puttaswamy, it is difficult to see how an exemption that removes even the requirement of lawful processing under Section 8(1) can itself be considered necessary and proportionate. Chandrachud J’s plurality opinion in Puttaswamy makes clear that proportionality demands more than a legitimate aim: it requires a rational nexus between the means and the aim, together with procedural safeguards against abuse. An agency that is accountable only to its own head and decides for itself what data it needs and what it does with it cannot meet this standard.
In stark contrast, the DPA lays down a framework for national security exemptions without handing a blank cheque to intelligence agencies. Part 4 of the DPA lays down the rules to be followed by data ‘controllers’ (the DPA’s equivalent of data fiduciaries) when processing personal data for the purposes of the intelligence services.
Section 111 of the DPA requires agencies to obtain a national security certificate signed by a Minister of the Crown (a member of the Cabinet, the Attorney General or the Advocate General for Scotland), and Section 110 exempts them from the majority of the provisions otherwise applicable to intelligence services processing under Part 4. Unlike under the DPDP Act, the certificate must identify the personal data concerned and the purpose of the exemption under Section 111(2); however, the text of the DPA allows these to be described in general terms, so the categories may be quite broad and far-reaching. One crucial difference is that under Section 111(3) the issuing of a certificate may be appealed to a tribunal by any person directly affected by it. Nevertheless, Section 110 of the DPA provides broad, far-reaching exemptions in the interest of national security, including restricting the rights of data principals (referred to as data subjects in the DPA) and disapplying erasure timelines.
The two significant differences between the legislations are, first, that while the DPDP Act places implicit trust in the government in notifying agencies, the DPA allows even these certificates to be challenged, adding a layer of accountability. Second, the DPDP Act, by exempting notified agencies from all provisions, also exempts them from the reasonable security and processing standards defined in the Rules as well as the requirement of lawful use of data under Sections 8(1) and 8(5). The DPA does not grant such broad exemptions, and ensures that data controllers must still abide by the principles of security (as defined in Section 107) and lawfulness. While even these provisions do not fully protect the rights of data subjects, they do ensure that a national security exemption is not a blank cheque to intelligence agencies.
The DPDP Act seems to treat the exemption as the norm and the right as the exception, a position that stands in direct contradiction to its own Statement of Objects and Reasons and to the proportionality architecture mandated by the Supreme Court in Puttaswamy.
Tier 2, Investigation of Offences and Judicial Use
The second level of exemption is created by Section 17(1) of the Act. It extends to, among other functions, the investigation of any offence and the use of data in the judicial system. Under this section, fiduciaries are exempted from a variety of the functional provisions of the Act, including data principal rights and erasure timelines. They remain subject, however, to the obligation to process data lawfully under Section 8(1), from which the first tier is exempted, and to the reasonable security safeguards defined in Rule 6.
The security safeguards envisioned in the Rules include encryption, restricted access to records, logs of data access to detect unauthorised access, and the retention of those logs for one year, or longer where any other law in force so requires. These safeguards apply equally to private and public fiduciaries, and both remain answerable to the Data Protection Board of India set up under the Act if reasonable security safeguards are not maintained.
The proportionality concern under this tier is more specific but no less troubling. Puttaswamy recognises an individual’s control over the life cycle of their personal data as part of the right to privacy. The exemption from notice under Section 17(1) cuts directly into this. A person whose data has been collected and retained in the course of a criminal investigation, whether or not they are ever charged, has no way of knowing that this has happened and therefore no way to seek erasure. A right that cannot be exercised in practice is no right at all.
An inspection of the DPA’s provisions for similar uses reveals a marked difference. Through Sections 45, 46 and 47, the DPA gives data subjects the right to approach the data controller and learn what personal data it holds about them, the right to have any such data corrected, and the right to demand erasure where their data is held without cause. These rights may be restricted where disclosure could compromise an ongoing investigation or where restriction is necessary to protect public security, but a data subject may complain to the Commissioner about such a restriction under Section 165 and may ask the Commissioner to exercise those rights on their behalf under Section 51.
Unlike fiduciaries exempted under Section 17(1) of the DPDP Act, controllers under the DPA are required to inform data subjects of personal data breaches, and the extensive logging and security requirements of the DPA amount to a comprehensive code of conduct for controllers, largely removing any ambiguity about what reasonable standards mean. The DPA also requires the appointment of a Data Protection Officer to ensure compliance with the security and processing standards laid down in the Act, in keeping with the system of accountability that the DPA seeks to create.
Most substantively, the DPDP Act exempts agencies under Section 17(1) from giving notice to data principals when their personal data is processed, undermining the transparency requirements to which fiduciaries are normally subject. The DPA avoids this by stipulating under Section 44 that controllers must make information about the processing available to data subjects. This information must include the rights available to the subject, the right to complain to the Commissioner and, most importantly, the period for which the data will be stored or the criteria by which that period will be determined.
It is worth pausing on what this contrast actually reflects. The DPA’s notification requirement rests on a simple premise: that a legitimate purpose for processing data does not mean the individual forfeits the right to know about it. The DPDP Act treats exemption from notice as a natural consequence of the investigative function, as though transparency and investigation are inherently at odds. The DPA demonstrates that they need not be, and it is important to ask why the DPDP Act proceeds as though they are.
While the DPA treats the right to erasure as fundamental and creates channels to ensure its enforcement, the DPDP Act treats it as a privilege that may be withdrawn on account of the nature of the state function. The exemption of government fiduciaries from both erasure and notice may create a situation in which personal data is collected and stored indefinitely without the subject ever knowing, and it is worth asking whether the fact that the fiduciary in question is the state is sufficient justification for such a broad waiver of the right to privacy.
Tier 3, Statistical and Research Activities
Section 17(2)(b) of the Act deals with processing for research, archiving and statistical purposes. While exempted from the remainder of the Act, including data principal rights, such processing remains subject to the standards in Schedule 2 of the Rules and the reasonable security safeguards in Rule 6.
Schedule 2, which regulates these activities, deals mainly with the standards of processing to be followed. On closer inspection, however, it delegates all meaningful decisions back to the agencies it is supposed to govern. For example, clause (c) restricts the data that may be collected to what is necessary, but there is no prior approval of what counts as necessary, and the agencies are answerable to no one on that question. Similarly, clause (e) requires that data not be held for longer than necessary; again, in the absence of anyone outside the agency to make that determination, the clause means little or nothing. Furthermore, the standards of processing to be applied remain undefined; the vague provisions of Schedule 2 hand these fiduciaries a blank slate, extinguishing any hope of proper regulation of personal data.
Most importantly, because processing under Section 17(2)(b) is exempted from data principal rights, retention periods cannot be challenged before the Data Protection Board, yet again undermining the right to be forgotten. Puzzlingly, under Schedule 2, processing under Section 7(b), which relates to the provision of subsidies, licences and the like, must notify data principals of the means of contacting the data fiduciary and must meet the standards set by the Central Government or any other law in force at the time, but Section 17(2)(b) is exempted from this too. Thus Schedule 2, which was supposed to define reasonable processing practices for activities under Sections 7(b) and 17(2)(b), refers the question of processing standards back to the Central Government without actually defining them.
The proportionality concern in this tier is subtler but ultimately the same problem. Research and statistical exemptions may well be justified, and Puttaswamy itself acknowledges that the right to privacy is not absolute. But proportionality still requires that even justified exemptions go no further than necessary. Where the standards are set by the very agencies being regulated and there is no avenue for challenge before the Data Protection Board, what we have is not a calibrated restriction but no restriction at all, with purposive language papering over the gap.
The DPA, on the other hand, takes a more restricted approach to the processing of personal data for research and statistical purposes. It allows exemptions for these activities only where the processing is not likely to cause substantial damage or distress to data subjects and where the results are not made available in a form that identifies any data subject, as laid down in paragraph 27 of Schedule 2 to the DPA.
Furthermore, the DPA allows these exemptions only to the extent that applying the relevant provisions would prevent or seriously impair the research or statistical purpose for which the data is collected. It is thus not a blanket exemption but a case-based, limited one. Notably, neither the DPA nor the DPDP Act allows such personal data to be used to take decisions about a particular data subject, reducing the risk of profiling based on personal data.
For research and statistical functions, the exemptions in the DPDP Act and the DPA do not differ greatly on the surface. Both are purposive, both lay down principles of processing to be followed, and both have well-defined security guidelines. The crucial distinction lies in whether these principles are actionable. The blanket exemption under Section 17(2)(b) removes these functions from challenge before the Data Protection Board, whereas the DPA maintains its structure of accountability by keeping processing for research and statistical purposes open to enquiry and action by the Information Commissioner and the Tribunal.
In both cases, the right to be forgotten has been waived through the exemptions provided, which may be a necessary step for the purposes of research and statistics. But the DPA does a better job of protecting the privacy of data subjects by mandating that results not be made available in a form that identifies an individual data subject. While the DPDP Act does not allow decisions about data principals to be taken using the collected data, the absence of any anonymisation requirement is a significant privacy concern with which the Act seems entirely comfortable.
Conclusion
A comparative analysis of the DPDP Act and the DPA reveals fundamental differences in governance philosophy, most strikingly in the degree of institutional trust. While the Indian Act places great trust in the government and its functionaries, the UK Act takes a much more restrictive approach, seeking to minimise the possibility of violation as far as is reasonably possible.
The Puttaswamy judgment interprets the right to privacy as implicit in the right to life under Article 21, effectively envisioning a legal landscape in which individuals could escape perpetual data profiling and retention. The proportionality framework it lays down, requiring that restrictions on the right to privacy be lawful, necessary and procedurally guarded, is not merely aspirational; it is a constitutional requirement. Yet the categorical exemption of government agencies from the Act’s restrictions means that the largest repositories of personal data fall entirely outside its protections. Across all three tiers, the DPDP Act falls short: Tier 1 offers no procedural safeguard whatsoever; Tier 2 denies the data principal even the knowledge that their data has been processed; and Tier 3 leaves it to the regulated agencies to define the limits of their own regulation.
While the DPDP Act 2023 marks a significant milestone in India’s data protection laws, its provisions remain in constitutional dissonance with the proportionality framework articulated in Puttaswamy. The right to be forgotten, the individual’s ability to control the life cycle of their own data, as envisioned in that judgment, remains unsatisfied in the present form of the Act. That the government’s own Statement of Objects and Reasons promises more makes the shortfall harder to excuse.
Riyan Paul Mathew is a first-year undergraduate student pursuing a B.A. LL.B. at NALSAR, Hyderabad
