DPDP rules: Handing citizens’ digital soul to the State

The new digital personal data protection framework makes a comprehensive surveillance apparatus official. The State can access almost any private information without any explicit responsibility to protect it smartly.

In the grand architectural blueprint of digital governance, India’s digital personal data protection (DPDP) framework, comprising the DPDP Act of 2023 and its accompanying rules of 2025, presents itself as a fortress preserving and protecting individual privacy. Yet, it has a critical design flaw: its most formidable defences are oriented exclusively outwards, towards private entities, while leaving the rear gate not merely unguarded, but actively propped open for the Orwellian State.

The framework creates a perilous artificial dichotomy, imposing a rigorous, if imperfect, regime upon corporations while anointing the State as the unassailable and primary aggressor against the very civil right it purports to protect. It is a fundamental reorientation of the social contract in the digital age, one that places the citizen’s most intimate digital self at the mercy of the sovereign, devoid of the procedural safeguards that are the bedrock of a constitutional democracy.

The constitutional spirit, invigorated by the K S Puttaswamy (2018) case, recognised privacy as an intrinsic component of Article 21. This right ought not to be deprived except by a procedure established by law—a procedure that must be fair, just, and reasonable, as laid down in the Maneka Gandhi (1978) case. The entire DPDP framework creates the mirage of a substantive right for the individual while simultaneously constructing vast, nebulous exclusion zones for the State. The exemptions culminate in the chilling expanse of the Seventh Schedule of the DPDP rules.

Purpose 2 of the rules allows the use of personal data for the “performance of any function under any law for the time being in force”. This is not a targeted exception for national security, safeguarded by judicial oversight; it is a bottomless pit of authority.

A municipal corporation clearing garbage, a transport department issuing a bus pass, or a ministry formulating a new scheme—all can invoke this provision to access, process, and share the most intimate details of a citizen’s life. The privileged sanctity of attorney-client communications, the confidential dialogue between doctor and patient, the private correspondence between spouses—all can be vacuumed into the State’s digital repository, not pursuant to a judicial warrant based on probable cause, but on the mere assertion of a statutory function.

When this is read in conjunction with Section 15(c) of the Act, which imposes a duty on the individual not to suppress material information for State-issued documents, the framework effectively compels self-incrimination, turning the citizen into a compelled witness against themselves in the State’s digital ledger.

It grants the State and its instrumentalities a carte blanche to process personal data for the provision of any “subsidy, benefit, service, certificate, license or permit”. The definitions provided in rule 5(2) are so breathtakingly expansive that they cover virtually every interaction an individual has with the State. “Under law” is construed as any function performed under “any law... in force”, while “under policy” and “using public funds” create parallel, non-statutory universes of data collection power.

This means that applying for a driver’s licence, a passport, a university seat, or a ration card becomes a tacit and coerced surrender of personal data, with the State empowered to do virtually anything with it under the vague and overarching “specified purpose”. The notion of meaningful, informed consent—the bedrock of any data protection regime—is rendered redundant when the alternative to providing data is the denial of an essential service or a legal entitlement. The State, which in political theory is merely an association of individuals constituted for collective good, has through this framework positioned itself as a panoptic entity with an insatiable appetite for the personal data of its constituents.

From a technological and forensic standpoint, the framework’s handling of data erasure and security is not just inadequate; it is a testament to a profound misunderstanding of the digital substrate. The rules speak of ‘erasure’ as if it were a simple, binary event—a file deleted from a desktop. This is a dangerous anachronism. Let us deconstruct the lifecycle of a single digital artefact, such as a photograph on a smartphone. This image is not a monolithic object but a complex constellation of data: a header, pixel arrays with colour values, metadata tags detailing the precise location coordinates, camera settings, and time stamps. When a user consents to its storage, this constellation is not merely written to the phone’s NAND flash memory; it is often synchronised to a cloud infrastructure, where it may be broken into shards, encrypted, and distributed across multiple data centres for redundancy and performance.

Now, consider the command to ‘erase’. On the device, a file system deletion often merely marks the storage blocks as ‘available’, leaving the underlying magnetic orientations or charge traps in a flash cell perfectly readable to forensic tools like EnCase or FTK until overwritten.

In the cloud, the process is even more opaque. The erasure might involve deleting pointers in a metadata database, but the actual data shards may persist in backup systems, cached Content Delivery Networks, or within log files for an indeterminate period.

The rules demand erasure after specified periods but are silent on the technical standard required. Is a logical delete sufficient, or is a multi-pass overwrite (for example, DoD 5220.22-M) mandated? For solid-state drives with wear-levelling algorithms, even an overwrite command offers no guarantee, as the controller may redirect it to a different physical block. True, immutable destruction requires physical degaussing (for magnetic media) or physical shredding of the NAND chips themselves—a process the rules do not even begin to contemplate. This ambiguity renders the right to erasure and destruction virtually meaningless, leaving the individual’s digital ghost to persist indefinitely in the digital ether, vulnerable to State retrieval at a whim.
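The gap between a logical delete, an in-place overwrite and an overwrite on wear-levelled flash can be shown with a toy drive model. This is an added example, not part of the original article; the `ToyDrive` class, the 16-byte page size and the sample "photo" with its metadata tag are constructed for illustration and do not model any real controller.

```python
PAGE = 16  # bytes per physical page; tiny on purpose (constructed value)

# Constructed sample "photo": JPEG start/end markers around a fake metadata tag.
PHOTO = b"\xff\xd8EXIF GPS=28.6139N,77.2090E 2025-01-01\xff\xd9"
SECRET = b"GPS=28.6139N,77.2090E"

class ToyDrive:
    """Hypothetical drive: physical pages plus a logical-to-physical map."""
    def __init__(self, pages=16, wear_levelling=False):
        self.phys = [bytes(PAGE) for _ in range(pages)]
        self.l2p = {}            # logical block address -> physical page index
        self.next_free = 0
        self.wear_levelling = wear_levelling
        self.directory = {}      # file name -> list of logical block addresses

    def write_block(self, lba, data):
        if self.wear_levelling or lba not in self.l2p:
            # Controller maps the write to a fresh page; any old page goes stale.
            self.l2p[lba] = self.next_free
            self.next_free += 1
        self.phys[self.l2p[lba]] = data.ljust(PAGE, b"\0")

    def store(self, name, data):
        chunks = [data[i:i + PAGE] for i in range(0, len(data), PAGE)]
        self.directory[name] = list(range(len(chunks)))  # single-file model
        for lba, chunk in enumerate(chunks):
            self.write_block(lba, chunk)

    def logical_delete(self, name):
        del self.directory[name]                 # only the pointer goes away

    def overwrite_delete(self, name):
        for lba in self.directory.pop(name):
            self.write_block(lba, b"\0" * PAGE)  # single zero pass

    def raw_image(self):
        return b"".join(self.phys)               # what a raw imaging pass reads

def recoverable(wear_levelling, method):
    """True if the metadata tag survives 'erasure' in the raw image."""
    drive = ToyDrive(wear_levelling=wear_levelling)
    drive.store("photo.jpg", PHOTO)
    getattr(drive, method)("photo.jpg")
    assert "photo.jpg" not in drive.directory    # file system reports it gone
    return SECRET in drive.raw_image()

if __name__ == "__main__":
    for wl in (False, True):
        for method in ("logical_delete", "overwrite_delete"):
            print(f"wear_levelling={wl} {method}: recoverable={recoverable(wl, method)}")
```

In all four cases the file system reports the file as gone; only the in-place overwrite on the non-wear-levelled model removes the tag from the raw image, which is why an erasure obligation without a stated technical standard cannot be verified.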

Furthermore, the rules’ “reasonable security safeguards” for the State, as outlined in Rule 6 and the Second Schedule, are a list of best practices devoid of any meaningful, auditable enforcement mechanism against the sovereign. While a private data fiduciary faces the Data Protection Board’s sanctions for a breach, who audits the State’s own data warehouses? The State is exempt from the very accountability it imposes on others. In an era of sophisticated cyber-espionage from State and non-State actors, this creates a catastrophic point of failure.

The Indian government, through its Aadhaar infrastructure, DigiLocker, and myriad other digital public goods, is amassing one of the world’s most extensive and sensitive biometric and demographic databases. The framework does not impose a stringent, independent, and transparent obligation on the State to fortify this treasure trove against foreign intelligence agencies or cybercriminals. Instead, rule 15 concerning international transfers focuses only on restricting data fiduciaries, while the State itself operates under a separate, opaque set of rules. Citizens’ data, collected under compulsion, is left exposed not only to domestic misuse but to global threats, with the State acting as a negligent custodian. The State’s ‘schutzstaffel’, or protection force, is not a paramilitary force but its digital infrastructure, empowered by this legal framework.

The DPDP rules are a masterpiece of misdirection. They gesticulate vigorously towards the real and present dangers posed by Big Tech, while quietly institutionalising the most comprehensive surveillance apparatus independent India has ever contemplated. They fail the test of technological rigour by speaking in the vague language of a bygone digital era, ignorant of the forensic realities of data persistence. The individual is left with a parchment guarantee against private entities, while their digital soul is rendered as a permanently accessible and vulnerable asset of the State.

Manish Tewari | MP, lawyer, and former Union I&B minister

(Views are personal)

(manishtewari01@gmail.com)

The New Indian Express
www.newindianexpress.com