India’s New Data Protection Regime Could Fuel Metadata Surveillance
Rudraksh Lakra / Dec 18, 2025

Rudraksh Lakra is a research fellow with the Applied Law and Technology Research team at Vidhi. This post was written in their personal capacity.

Ashwini Vaishnaw, India's Minister of Electronics and Information Technology, addressing the media in New Delhi on June 19, 2024. (Ministry of Railways)
The Indian government last month notified the latest iterations of the Digital Personal Data Protection Act and the Digital Personal Data Protection Rules, which together constitute the country’s data protection regime and are set to unfold in a phased manner over 18 months. The moment marked the culmination of an almost seven-year legislative trajectory, beginning with the release of the first draft of a data protection bill in 2018 that was followed by subsequent versions in 2019 and 2021. The government withdrew the latter iteration, intending to replace it with a simpler, leaner framework, which has now become the DPDPA.
Although these earlier drafts were imperfect, they nevertheless represented substantive efforts to construct a meaningful data-protection framework and, in many respects, offered stronger safeguards than those found in the present act. By contrast, the DPDPA is excessively consent-centric, incorporates broad exceptions and exemptions and lacks clear definitions or guiding criteria for several crucial concepts, thereby creating significant operational and interpretive uncertainty.
The act also does not provide adequate safeguards or robust mechanisms to ensure accountability and transparency. The DPDPA entrenches a state-centric architecture of control and facilitates data extractivism, consolidating power in the hands of the state and select private entities, particularly “domestic champions.” These entities, not individual data principals, emerge as the primary beneficiaries of this prolonged legislative process.
In this piece, I examine how the DPDPA Rules enable metadata-based surveillance, an aspect that remains severely underexplored in current policy and scholarly discourse, including how to situate these developments within the broader metadata-surveillance architecture evolving in India.
The surveillance of metadata under the DPDPA
Under the DPDPA Rules, a data fiduciary is required to “retain, in respect of any processing of personal data undertaken by it or on its behalf by a Data Processor, such personal data, associated traffic data and other logs of the processing for a minimum period of one year from the date of such processing.” This obligation raises multiple concerns. To begin with, the terms traffic data and other logs are not defined in either the rules or the act. As a result, the scope of what must be retained remains uncertain.
Moreover, the retention of such metadata is expressly structured to enable the central government to requisition this information. This opens the door to unchecked state surveillance: the rule sets out overly broad grounds for requisition and lacks safeguards such as purpose limitation, data minimization and storage limitation.
Additionally, the rule authorizes the government to direct a “Significant Data Fiduciary” to ensure that specified personal data and traffic data are not transferred outside India, with the government maintaining sweeping powers to requisition information, including traffic data.
Traffic data and other logs are a subset of metadata, which is typically regulated under telecom or surveillance frameworks rather than under data-protection laws. Read together, however, they effectively create a pathway for metadata surveillance through the DPDPA without incorporating the procedural and substantive safeguards typically required in such legislation.
Metadata surveillance is particularly troubling because in the digital environment, it can reveal highly sensitive patterns of individual behavior, including habits, relationships, movements and social associations, often more comprehensively than the content of communications, especially when analyzed in bulk. Former CIA Director Michael Hayden infamously noted regarding the United States’ surveillance operations, “we kill people based on metadata.” Compounding this problem, legal safeguards governing metadata surveillance are generally weaker than those applicable to content data, premised on the mistaken assumption that metadata is inherently less sensitive.
Against this backdrop, it becomes essential to assess the potential scope of the retention obligations under these rules.
Under a narrow interpretation of the rules, retained traffic data would be confined to interactions strictly between the data fiduciary and the data principal as contemplated by the DPDPA, such as the issuance of notices, the expression or withdrawal of consent, the exercise of data-principal rights, grievance-redressal exchanges and breach-related communications. By contrast, a broad interpretation would extend the retention obligation to encompass all interactions and exchanges between an individual and the data fiduciary, thereby vastly expanding the scope of metadata preserved.
Both readings find some support in the language of the rule, but the narrower interpretation is both legally defensible and desirable, because it constitutes the least intrusive measure capable of advancing the State’s stated objectives and ensures accountability without enabling disproportionate forms of surveillance.
The broader interpretation, by contrast, is troubling: it would dramatically enlarge the volume, granularity and sensitivity of retained metadata, heightening risks of over-collection, function creep and pervasive monitoring of individuals’ digital lives.
Under the narrower reading, retained traffic data would be limited to logs generated when the user engages in activities expressly contemplated by the DPDPA, such as giving, modifying or withdrawing consent; adjusting privacy settings; submitting access or correction requests; or filing consumer grievances with the data protection officer. Under the broader reading, however, the retention obligation could extend to every action a user performs on the platform, including log-in and log-out timestamps, profile-viewing patterns, accounts followed or unfollowed, engagement metrics, device identifiers, IP addresses and location metadata.
When aggregated, such information enables the construction of highly granular behavioral, relational and social-network profiles. Compounding these concerns, metadata is typically structured and machine-readable, and thus easier to algorithmically exploit than many forms of personal data. For these reasons, metadata retention, especially under a broad interpretive approach, poses acute risks to privacy, autonomy and algorithmic inference.
Metadata surveillance landscape in India
The early 2000s marked the beginning of a global shift toward mass metadata surveillance, with governments including the US, the European Union and India moving toward large-scale, centralized collection and retention of metadata by state agencies and regulated private intermediaries, justified on national security and counterterrorism grounds. These governments have sought to justify such programs on the grounds that metadata surveillance is less privacy-intrusive than content interception. A recurring pattern is that these initiatives were introduced in the aftermath of major terrorist attacks, such as the 2008 Mumbai attacks in India, and the exceptional measures enacted during crises gradually became normalized over time.
The Mumbai attacks also prompted the 2009 amendments to the Information Technology Act, 2000, which significantly restructured the interception framework, including authorizing the collection of traffic data for the stated purpose of enhancing “cyber security” or identifying cyber threats. Yet the subsidiary rules permit the sharing of this data with law-enforcement agencies, indicating that a key purpose was to facilitate surveillance while circumventing the more stringent safeguards applicable under Section 69, which regulates content interception.
A parallel retention regime exists under the Unified License, where the retention period for call records and internet usage data was extended from one year to two years in 2021. Under the Telecommunications Act, 2023, Section 22(2), much like Section 69A of the IT Act, ostensibly authorizes traffic-data collection for cybersecurity, but in practice opens significant avenues for surveillance. The relevant subsidiary rules enable the Union government or any authorized agency to collect data that may later be analyzed or processed for purposes unrelated to telecom cybersecurity, and the relevant draft rule under the act continues the trend of data localization and metadata retention. This ecosystem is further reinforced by the CERT-In Directions 2022, which mandate the retention of logs across “all ICT systems” for 180 days within India. The breadth and ambiguity of these requirements, coupled with the non-binding nature of the clarificatory FAQs, raise serious concerns.
Against this backdrop, the DPDPA and its rules represent not an isolated intervention but the latest layer in an expanding metadata-surveillance framework characterized by sweeping state discretion and weak safeguards.
To fully account for the rapidly evolving architecture of metadata surveillance, it is important to take stock of key developments over the past decade.
Since the 2013 Edward Snowden revelations about US mass-surveillance programs, the ability of law enforcement to access content data has been significantly curtailed due to the rise of stronger encryption standards for data both at rest and in transit. This phenomenon, commonly referred to as the “going dark” discourse, was triggered by the leaks, which catalyzed efforts to safeguard citizens’ privacy and strengthen the security of communications. The widespread adoption of unrecoverable encryption models has limited attempts to access content data.
In this context, metadata has grown even more valuable, as its collection remains largely unaffected by encryption and thus far more accessible to state authorities. The volume and granularity of metadata have expanded dramatically with the proliferation of smartphones and the rapid growth of Internet of Things (IoT) devices.
This backdrop partly explains the regulatory trajectory leading to today’s environment in India. Now, metadata sits at the heart of India’s surveillance landscape, demanding urgent safeguards and meaningful oversight to protect fundamental rights.