India’s Data Protection Act: A Shield for Privacy or a Tool for State Surveillance?
Medha Garg / Jul 25, 2025
India, hailed as the "world's largest democracy," is now witnessing a steady erosion of its democratic values. Colonial-era laws such as sedition and the Unlawful Activities (Prevention) Act (“UAPA”) are being alarmingly misused to curb dissent, while electoral practices are increasingly becoming unfree and unfair.
Although the use of UAPA and sedition is not new, their application has intensified, especially after the 2019 amendment to the UAPA. The amendment allowed the Central Government to arbitrarily decide who is a terrorist and what is an act of terrorism. This can also be done merely on the basis of a person’s writing. Additionally, the increasing frequency of internet shutdowns, content takedowns, and opaque digital censorship further narrows civic space and undermines accountability.
This shift is pushing India closer to an illiberal democracy—if not an outright authoritarian regime. Against this backdrop, one might reasonably ask: why would such a government enact a data protection law aimed at safeguarding privacy? While the Supreme Court’s judgment in K.S. Puttaswamy v. Union of India ([2017] 10 S.C.R. 569) provided the judicial impetus for privacy protection, the broader political and institutional motivations behind the Digital Personal Data Protection Act, 2023 (Data Protection Act, 2023) are far more complex.
This article explores how the government is weaponizing privacy to expand surveillance and evade accountability, leveraging the Data Protection Act, 2023, to strengthen state control at the expense of individual rights.
A Trojan horse for authoritarianism
Privacy is often regarded as a cornerstone of democracy, an essential safeguard that protects the freedom to think, speak, and associate without fear of state intrusion. In democratic societies, it serves as a buffer against arbitrary surveillance and government overreach. But privacy is not being used as a shield; it has been weaponized. The concept of privacy is being selectively invoked, not to protect individuals, but to shield the state from scrutiny. For instance, the government routinely cites “privacy concerns” to deny information requests under the Right to Information Act, even as it expands opaque surveillance measures like facial recognition systems, Aadhaar-based tracking, and the use of spyware such as Pegasus.
In India, this inversion is stark. Privacy is no longer a right exercised by citizens to limit state power; it is being recast as a tool for the state to expand control. Laws like the Data Protection Act, 2023, which claim to protect personal data, in fact, concentrate unchecked authority in the hands of the government. Rather than meaningfully empowering citizens with control over their data, the law enables the state and its partners to bypass consent, evade accountability, and restrict transparency. Data is power: it allows the state to map behaviours, target critics, micro-tailor propaganda, and suppress dissent. Far from being a democratic safeguard, the data protection law constructs a framework for digital authoritarianism—one in which control is exercised not in spite of privacy, but through its selective and strategic reinterpretation.
Erosion of the right to information
India’s Right to Information Act, 2005 (RTI Act), was originally intended to safeguard public access to information, ensuring transparency and accountability in governance. Section 8(1)(j) of the RTI Act exempted the disclosure of information that could lead to an unwarranted invasion of privacy, unless a larger public interest justified its release. The table below shows the increase in the use of this exemption over time:
Period | Exemptions |
---|---|
2020-21 | 12,486 |
2021-22 | 14,236 |
2022-23 | 16,027 |
2023-24 | 15,753 |
Annual Use of the Privacy Exemption Under Section 8(1)(j) of the RTI Act (2020–21 to 2023–24). Source: Central Information Commission.
A final nail in the coffin was introduced with the enactment of Section 44(3) of the Data Protection Act, 2023, which effectively removes the public interest override from Section 8(1)(j). Public authorities can reject information requests without considering whether disclosure serves the public interest, eroding the balance between privacy and transparency. Furthermore, the Data Protection Act, 2023, repeals a critical safeguard in Section 8(1)(j), which ensured that information that could not be withheld from Parliament or a State Legislature could not be denied to the public. This marks a disturbing shift where privacy is not a shield for citizens, but a weapon for the state, used to justify opacity, and suppress accountability under the pretence of protecting privacy.
Expansion of surveillance and monitoring
For a while now, the Indian government has increasingly committed to embedding mass surveillance into its governance framework. The government’s reliance on biometric systems like Aadhaar identification and initiatives such as DigiYatra (a biometric-based system to streamline airport procedures) and the National Digital Health Mission (a government initiative to create a digital health ecosystem) exemplify its strategy of datafication. The data being collected is not only voluminous but also deeply invasive, encompassing biometric markers, geolocation data, health records, and educational history. Moreover, recent legislative developments—such as the Income Tax Bill, 2025, which permits the search and seizure of digital spaces based on vague “suspicions,” and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) (IT) Rules, 2021, which require platforms to trace users and remove content—have institutionalised this surveillance. Parallel initiatives, such as the Safe City project, exemplify how the collection of real-time visual data through AI-powered cameras and drones has become a standard practice, often implemented through opaque public-private partnerships.
If we view all this in the context of the Data Protection Act, 2023, the situation becomes grimmer. Section 17(2)(a) of the Data Protection Act, 2023, grants the government the authority to exempt any "instrumentality of the State" from its provisions, citing national security, public order, or foreign relations. While the term “instrumentality of the State” is not defined, Supreme Court rulings suggest it could include entities performing government functions or under state control, such as public sector firms or law enforcement agencies. This provision effectively enables the government to sidestep privacy protections and increase its surveillance capacity.
Companies collaborating with the government may also benefit from it, as Section 17(3) states that the government may exempt certain data fiduciaries, including startups, from data protection obligations. This is dangerous, as government-backed private initiatives like DigiYatra, which has been pushed down the public’s throat and has faced a barrage of criticisms, can be conveniently exempted from any meaningful data protection obligations. Moreover, the Data Protection Act, 2023, does not provide specific exemptions for journalists, despite concerns raised by the Justice Srikrishna Committee, which acknowledged that media freedoms must be preserved in a democracy. Without such protections, authorities could impose severe penalties on journalists (approximately $30 million) if they decide the reporting does not align with the "public interest."
These developments indicate that privacy is being re-engineered and selectively applied. It is being used as a shield to protect the state and its allies from scrutiny and accountability, while demanding transparency from citizens. In this inversion, privacy becomes less about protecting citizens and more about protecting power.
Government access to personal data
Section 36 of the Data Protection Act, 2023, complemented by Rule 22 of the Draft Digital Data Protection Rules, 2025 (Draft Rules), places the final cherry on the bitter cake of surveillance. Under these provisions, the Central Government can compel data fiduciaries to share personal information of the data principals without any safeguards. These provisions grant the Central Government broad powers to demand information from data fiduciaries or intermediaries for purposes listed in the Seventh Schedule of the Draft Rules. This includes purposes such as in the interest of national sovereignty and security, for performing statutory functions, and for fulfilling legal obligations. Acting through an authorised official, the government can specify the type of information required, set deadlines for its submission, and direct the entity not to disclose that such a request was made. It may also compel data fiduciaries to break End-to-End Encryption (E2EE), undermining user consent and platform commitments. This effectively allows the state to access personal data in secrecy, without notifying the individuals concerned or requiring judicial oversight.
For an Indian citizen, the government likely already has a 360-degree profile. Several reports and accounts of Bharatiya Janata Party (“BJP”) (the current ruling party) workers and volunteers have established that the party uses its position as leverage to collect data and create profiles of people. These profiles are then used to further personalize propaganda and political advertisements.
Additionally, the increase in surveillance through the Indian government’s initiatives to install CCTVs in public areas for policing is also being used to thwart dissenters. All of this is being done by the government’s increasing use of vague and undefined terms, such as “public order,” “sovereignty,” and “security of the state,” as a legal tool to justify mass data collection and surveillance while evading accountability. These broad phrases, embedded in the Data Protection Act, 2023, allow sweeping exemptions without clear thresholds or oversight.
Cross-border data transfers
The Data Protection Act, 2023, along with the Draft Rules, introduces provisions that allow the transfer of personal data to other countries, conditional only upon restrictions imposed by the Central Government. However, the provisions do not specify any objective criteria for such restrictions, granting expansive discretion to the executive without legislative guardrails. Moreover, Rule 12(4) of the Draft Rules effectively revives exclusive data localisation mandates for certain categories of personal data, to be identified at the discretion of the government based on committee recommendations.
By storing data locally, the government can gain easier access to personal information, potentially without adequate judicial oversight or privacy safeguards. As a result, privacy rights are steadily hollowed out under the guise of protection, while the state consolidates control over citizens’ digital lives.
Furthermore, India’s importance as a key market for big tech companies compels them to maintain a close relationship with the government. This has led to past compliance with government demands, such as adjusting content moderation policies, adhering to the IT Rules, 2021, and compliance with increasing demands for access to data. With the introduction of the Data Protection Act, 2023, this compliance is set to intensify as the law grants the government sweeping powers over data. In addition to the discretion on notifying the countries where cross-border data transfer is allowed, the government also has the ability to designate entities as "significant data fiduciaries," subjecting them to stricter oversight, or exempting any private company collaborating with it from certain data protection requirements. Failure to comply with these provisions can lead to costly consequences, giving companies even more reason to align with the government’s interests. Thus, the law strengthens the government’s leverage over these platforms and even countries, pushing them to prioritise regulatory compliance over user privacy, consolidating its control over the digital space.
Parallels with China
Let's consider China’s data protection model. Governed by a centralized authoritarian regime, China introduced the Personal Information Protection Law (PIPL) in 2021. Under the PIPL, the state enjoys full immunity for its own privacy violations, unrestricted access to citizens’ personal data, and broad discretion to blacklist foreign companies deemed threats to “national security.” It also mandates strict data localisation, requiring companies to store personal data within the country, without clearly defined security assessment standards. Enforcement rests with the Cyberspace Administration of China (CAC), a state-backed regulator and censor. A brief examination of the PIPL reveals unsettling parallels with India’s Data Protection Act, 2023. Though both are framed as privacy protections, they are rooted in the logic of state control and national security.
Companies like Yahoo and LinkedIn, among others, have exited the Chinese market due to regulatory burdens. While no major platform has exited the Indian market, the growing legal and operational pressures are making it a more difficult space to navigate. X (formerly Twitter) has challenged government censorship in court, and Meta has raised concerns about the country’s increasingly restrictive digital laws. In China, the absence of foreign competition has allowed domestic tech giants like TikTok, DiDi, and WeChat to dominate, protected by regulatory barriers designed to sideline global players. India’s embrace of domestic alternatives like the government-backed Koo app reflects this trend.
WhatsApp CEO Will Cathcart has warned of a looming “splinternet,” a fragmented internet in which states isolate platforms within sovereign digital borders. Coupled with expanding surveillance powers and state control, this push for digital sovereignty poses serious risks. India’s credibility on privacy is also slipping internationally. In early 2023, the European Data Protection Supervisor blocked data transfers to India, citing inadequate safeguards and a lack of enforcement, highlighting the Act’s failure to meet global privacy norms.
Ultimately, the parallels between China’s PIPL and India’s Data Protection Act, 2023, point to a deeper global shift: the rise of digital authoritarianism masquerading as privacy protection. What India needs instead is a rights-based, transparent, and accountable data protection framework that truly upholds privacy, not one that enables power.
