...
...
Next Story

DPDP Act: Trojan horse for State overreach

Though intended to protect data principal’s rights, the statute includes a way for government to collect data without the principal ever knowing

Published on: Jul 09, 2026 08:33 AM IST
Advertisement

In June, the Union government restricted access to Telegram across the country under the IT Act, citing paper-leak concerns. The company has since challenged the order in court, claiming it excessive. A few days later, on July 1, the IT ministry asked WhatsApp to suspend its new usernames feature while they consult on fraud and impersonation risks. While neither of these actions falls under Section 36, Digital Personal Data Protection (DPDP) Act, together, they highlight a trend of executive notices issued quickly with limited public explanations. This forms a useful reference for Section 36, which relies on similar discretion but focuses on personal data and is currently being reviewed by the Supreme Court.

When the DPDP Act comes into full effect in May 2027, over a billion citizens will have rights to know who holds their data, to correct it, and to delete it. (Representational image)
When the DPDP Act comes into full effect in May 2027, over a billion citizens will have rights to know who holds their data, to correct it, and to delete it. (Representational image)

When the DPDP Act comes into full effect in May 2027, over a billion citizens will have rights to know who holds their data, to correct it, and to delete it. That said, powers reserved for the government are significant but often overlooked.

Also read: Films like Satluj strengthen India’s democratic core

Section 36 permits the Centre to request information from any data fiduciary or intermediary related to the Act. Rule 23 of the DPDP Rules, 2025, and its Seventh Schedule define these requests as pertaining to national security, statutory obligations, and assessing “Significant Data Fiduciary” status. “Information,” as from IT Act’s definition, includes data, software, databases, and computer programmes, creating a wide scope that goes beyond standard compliance paperwork. Rule 23(2) further exempts these requests from being disclosed to the data principal (individual to whom the data belongs) if such disclosure could harm specified interests. Though intended to protect data principal’s rights, the statute includes a way for government to collect data without the principal ever knowing.

Following three petitions, the provision was taken up for examination by a five-judge Supreme Court bench. In February, the court chose not to pause the Act, denoting the issues raised as “complex” and “sensitive.” Petitioners argued Section 36 as vague, overly broad, and lacking an appeals process. While the Telegram and WhatsApp issues aren’t exactly a part of these petitions, they provide a practical context for understanding how notice-based, time-sensitive actions operate in such arenas. This is relevant for questioning whether procedural shortcomings of Section 36, applied to personal data with a non-disclosure clause, deserve similar examination.

Also read: Pakistan's Indus entreaties to the West hold little water

Other democracies handle similar provisions for national security differently. In the US, the Fourth Amendment and various rulings require government data access to have judicial or semi-judicial approval, although this is not always enforced effectively. The EU’s General Data Protection Regulation (GDPR) allows exceptions only when they are “necessary and proportionate,” overseen by independent authorities. Brazil’s Lei Geral de Proteção de Dados Pessoais (General Data Protection Law gained EU-designated “adequacy status” in January, thanks to its independent regulator, Autoridade Nacional de Proteção de Dados (National Data Protection Authority). Comparable laws in Japan, Thailand, and South Africa, all require clearly defined and demonstrable necessity, rather than open executive discretion.

The Supreme Court of India has already set the relevant standard. In Puttaswamy (2017), the Court stated that government intrusion into privacy must meet the trifecta of legality, necessity, and proportionality. Section 36 meets the first condition because it has a legal basis. The other two conditions are more questionable. Phrases like “sovereignty, integrity or security of India” are broadly defined and, elsewhere, have justified restrictions on press and internet connectivity. Without judicial oversight, mandatory notice to a supervisory body, or a time-limit on collection and holding of data, it is challenging to consistently demonstrate necessity and proportionality. The Data Protection Board, whose members are appointed through a government-led process, currently reviews complaints rather than requests under Section 36.

Foreign companies face a related challenge. Article 48 of the GDPR makes foreign data requests enforceable only through treaty mechanisms. Thus, a Section 36 demand involving a joint EU-Indian venture could lead to the kind of disputes Brazil’s ANPD model aims to prevent.

Three targeted reforms could improve Section 36 to better match constitutional standards and international practices: requiring prior judicial or semi-judicial approval for security-related requests; mandatory notice to Data Protection Board whenever a demand is made; and a proportionality safeguard that requires the government to outline the minimum information needed. As May 2027 approaches, these changes should be implemented to ensure that a law designed to protect a billion citizens’ data does not leave access largely unchecked due to one provision.

Tanya Verma is a graduate of Dr. Ram Manohar Lohiya National Law University (RMLNLU). The views expressed are personal