Privacy, Surveillance, and State Interest: Appraising the DPDP Act through a Constitutional Perspective

-Krishna Preetham Kanthi*

[This post is part of the Data Protection Special Blog series: "Beyond Encryption: Tech & Data Protection". This series will feature blogs, such as the present one, which explore and analyse the reshaping of data security and privacy in an era of evolving technology, legal frameworks and regulations.]

Abstract

The rapid evolution of and widespread  reliance on technology has revolutionized modern life by enhancing convenience, efficiency, and connectivity across various walks of life.  However, this shift has also increased the risk of unauthorised access of personal data, making electronic storage of the same extremely vulnerable and prone to misuse by various entities, including the government. While certain legislations grant the government the authority to collect and process data for lawful purposes, India's much awaited Digital Personal Data Protection Act, 2023, governing personal data remains ambiguous and raises concerns  whether such data will be gathered responsibly, under legitimate grounds, and used appropriately.

This article delves into one such provision, Section 36, which gives government such unbridled powers, without any procedural safeguards or adequately defined grounds. This article scrutinizes the same in the light of established constitutional principles in the realm of privacy, discussing the prerequisites which the government ought to follow, while accessing personal data.  The Author also highlights potential consequences of this ill-drafted provision and presents a comparative view of the laws from common law and civil law jurisdictions which aims to prevent governmental overreach, protecting the sacrosanct right to privacy.

Keywords: Article 21, Right to Privacy, Compelling State Interest, Surveillance, Procedural Safeguards, Judicial Oversight.

Introduction

India, being  the second most targeted country by cybercriminals, with the crime rate, standing at 445.9 per 1,00,000 people, regularly encounters security threats, not only from outsiders, but from within, in the form of borderless terrorism. These are addressed via a plethora of laws, which play a crucial role in monitoring communications and exchange of information in the digital sphere. In addition, unauthorized exchange, theft, and misuse of personal data are also a few key areas of concern, which frequently escape the radar of such regulations. Instances of such unauthorised transfer have been flagged and potential misuse by the government has been observed  in Europe, with the General Data Protection Regulation, which was enacted as means to protect personal data. With the recent Personal Data Protection regime brought out in India, a debate has erupted surrounding the same, which calls for a critical analysis of  its provisions framed in pursuance of a similar aim.

Section 36 of the Digital Personal Data Protection Act, 2023 (“Act”) grants the government broad exemptions from complying with the key provisions of the Act before processing personal data for purposes thereunder. While framed as essential for governance and law enforcement, the provision has drawn criticism for its vague language, lack of oversight, and potential for misuse. The objective of the Act is to balance the right of individuals to protect their personal data with the need of processing such data for lawful purposes, however, Section 36 in its current form could possibly tilt this balance in favour of the State, allowing government agencies to bypass obligations of the data processor under the Act without adequate oversight or accountability.

Inquiring into the provision, the author firstly delves into the theoretical foundations of privacy as a fundamental right, in the light of constitutional jurisprudence. Further, the author critically evaluates the surveillance provisions within the Act, juxtaposing them against established constitutional principles and alludes upon the ramifications ensuing from the provision thereafter. Lastly, the author gives a comparative perspective, contrasting the provision with both, domestic and internation, drawing attention to the flaws in the framework, which legitimizes the unwarranted State interference into  privacy.

Deconstructing Section 36: Highlighting the lacunae in the provision

Section 36 of the Act enables the government to require either the Data Protection Board or any Data Fiduciary or Intermediary to furnish any information which the government may call for, on the grounds stipulated by Rule 22 read with 7th Schedule of the Draft Digital Personal Data Protection Rules, 2025 (“Rules”)  such as ‘Interest of Sovereignty and Integrity of India and Security of State’ or ‘ performance of any function under any law’. Further, Rule 22 also stipulates that the Data Fiduciary or an Intermediary shall not disclose the fact that the data has been shared in situations where it is likely to “prejudicially affect the sovereignty and integrity of India or security of the State”, except with the written permission of the concerned authority. A few activists argue that this provision hereby gives the Government a form of surveillance power, which, without adequate oversight, could facilitate covert surveillance programs, circumventing checks and balances and resulting in excessive data collection. Such authority might be expansive, creating an environment where the state’s power to requisition personal data becomes questionable, turning it into a virtually unchecked venture.

The analysis focuses on the shortcomings of Section 36 of the Act, relying heavily on the precedents and constitutional principles, revealing the true colour and a potential risk of the said provision being enforced.

These are discussed hereunder:

1. Inadequate and Broad Guidelines

It is a well-known constitutional principle that Fundamental Rights are not absolute, but are subject to reasonable restrictions. In the case of Justice K. S. Puttaswamy , where Right to Privacy was declared to be a Fundamental Right under Part III of the Constitution, the Supreme Court (“SC”) provided for the reasonable restrictions on the same, which are, the grounds of ‘Legitimate State or Public Interest’.  As the Constitution does not explicitly mention of this right, the Court adopted from the American Jurisprudence, the aspect of ‘Compelling State Interest’ which had to be ‘narrowly tailored’ as a reasonable restriction in the realm of privacy. While illustrating this concept, the Court observed that the law must be narrowly framed to achieve the very objects intended to be fulfilled, without leaving room for interpretation crossing the required bounds, enabling undesired reach, causing breach of privacy and such claims must undergo a strict scrutiny. Moreover, the Court held that while applying the standard of compelling state interest, their validity should be assessed severally, based on the specific context of each case.

Rule 22 enables the Central Government to require any fiduciaries and intermediaries to furnish information for the purposes specified in the Seventh Schedule of the Rules.  These purposes include the State using personal data of a data principal in the “interest of sovereignty and integrity of India or security of the State”; and any information furnished for the “performance of any function under any law” or “for fulfilling any obligation under any law’.

Section 36 and Rule 22, read in consonance, highlight the grounds on which information can be furnished, but do not seem to be narrowly tailored, not adhering to stricter levels of scrutiny, which potentially results in a widened scope of arbitrary invasion into privacy. The rule, by merely using the phrase “sovereignty and integrity of India or security of the State” or “performance of any function/disclosure of any information for fulfilling any obligation under any law” without framing additional guidelines gives the government a greater ambit to arbitrarily extract information, including personal data such as financials and biometrics.

Thus, Section 36 of the Act, empowers the Government to seek information, as and when it needs, without completely fulfilling the prerequisites and the reasonable restrictions thereon, which the precedents have established. It can be said that Section 36  gives a wide scope for misuse, such as fetching information in the situations which do not demand a compelling state interest/public interest, narrowly tailored limitations of which do not exist, as a result of potential ulterior motives, leading to arbitrary and unjust invasion of privacy.

While addressing a similar provision from the erstwhile Telegraph Act (now, Telecommunications Act) , the SC observed that in the absence of just and fair procedure for regulating the exercise of power, it is not possible to safeguard the rights of the citizens, guaranteed by the Constitution. Nonetheless, the SC indicated that invasion of privacy requires strict standards of scrutiny, especially when it is done by the state, and whether it is reasonable shall be decided by a judicial mind. In the present scenario, Section 36 which gives scope for arbitrary interference of privacy needs a thorough Constitutional examination to determine whether it is Fair, Just, and Reasonable.

2. Lack of Procedural Safeguards.

Incorporating procedural safeguards against arbitrary State interference has been held to be an important facet of any statute, as it ensures that there is no arbitrary violation of Fundamental Rights, which aid in striking a balance between reasonable restrictions and the entitlement to exercise the said Right. This has been observed in multiple cases, not only involving the right to privacy, but other rights under Article 21.

In the case of People’s Union for Civil Liberties vs Union Of India, the SC held that it is imperative to include procedural safeguards to rule out arbitrariness and prevent uncontrolled and arbitrary phone tapping, which is a way through which privacy can be invaded, contingent on certain circumstances. The Court, in a  subsequent  judgement, held that the procedure which deals with the modalities of regulating a Fundamental Right falling within Article 21 has to be “fair, not foolish, carefully designed to effectuate, not to subvert, the substantive right itself”.

It can be said that procedural safeguards are the handmaids of Justice and since, the power of the government is colossal as compared with the power of an individual, their freedom can be safe only in presence of a guarantee of fair treatment. Thus, it is the ‘Procedural Safeguards’ which guard against arbitrary action of the Government.

Section 36 r/w Rule 22, prima facie, neither contains any kind of procedural safeguards against excessive and arbitrary collection of data nor provides for any kind of judicial scrutiny of the data collected and whether the corresponding purpose for collecting data is permissible under the Statute. Not only should there be procedural safeguards in the Act, but they also should be independent, avoiding a conflict of interest where the same authority responsible for surveillance also determines its legitimacy. Procedural safeguards being one of the prongs of proportionality as propounded by Justice S.K. Kaul, in Justice K.S. Puttaswamy ,which the Section 36 clearly lacks, also requires a thorough constitutional scrutiny, in the light of the risk of misuse by Government agencies in an unjust, unfair  and unreasonable manner.

Comparative and Critical Perspective

At this juncture, with the lacunae being critically analysed, it is important to view Section 36 in the context of laws enacted with aligned purposes. These are the IT Act, 2000 (which regulates the monitoring of electronically stored or communicated information) and the Telecommunications Act, 2023 (which regulates phone tapping), both of which allow the state to invade privacy on legitimate grounds, adhering to the reasonable restrictions, placing the state’s actions within the Constitutional bounds. These laws impose stricter safeguards, including narrowly defined grounds for interference, mandating the reasons to be written and recorded by the agencies. Moreover, it specifies a time limit for retention of these records. The corresponding rules also cast a duty on the intermediaries by which they must implement strict internal checks to prevent unauthorized access to such interception and ensure confidentiality. Lastly, a statutory review mechanism, operational once in 2 months, which can order the destruction of information obtained beyond the bounds of the Act was incorporated as a procedural safeguard against misuse of these provisions.

In stark contrast, Section 36 of the Act lacks even the essential prerequisites, i.e., procedural safeguards, and a review mechanism. The provision also lacks the guidelines for the government to adhere, such as obligation for written justifications. Further, the absence of a clear retention period for collected data increases the risk of indefinite storage,  shedding light on serious concerns about unchecked state surveillance and potential misuse of personal data.

These procedural safeguards, though seemingly fair, are often criticised for the absence of judicial oversight, which could impartially examine the government’s authority under the said provisions. Historically, the abuse of surveillance powers has been a persistent concern, for overreach and unauthorized data collection. In 1990, Chandra Shekhar (then Member of Parliament)  made a public accusation against the government of illegal phone tapping and recently, the Telangana phone-tapping case underscored these concerns. despite having procedural safeguards in place, these irregularities are attributed solely to the absence of an impartial judicial oversight, leading to misuse of the provision. However, in the case of the DPDP Act, the risk is even greater since the very foundational aspect, which are the procedural safeguards against arbitrary interference, that ought to be the part and parcel of any law infringing the fundamental rights are nowhere to be found. Such incidents expose critical gaps in India’s surveillance framework, highlighting the potential risks of the Act.

Further, as noted above, Rule 22 of the Rules stipulates that data fiduciaries can disclose their act of sharing data with the government only if it does not prejudicially affect the sovereignty and integrity of India or security of the State. However, as the grounds for the determination of these prejudicial effects remaining undefined, and in the absence of the oversight of an independent authority, there remains significant room for arbitrary interpretation and usage of the provision discussed herein. These lacunae increase the risk of arbitrary data requisition, particularly concerning sensitive personal data. Thus, the criticism of Section 36 of the Act lies in the fact that firstly, there is an absence of detailed guidelines and adequately defined grounds for exercising such authority and secondly, lack of procedural safeguards which ensure legitimate use of such provision.

Insights from EU and USA

It is also worthwhile to present a comparative view of such laws across various jurisdictions. In Europe, the Court of Justice of the European Union ruled that indiscriminate data transmission (including Bulk Personal Datasets) by electronic communication providers to security agencies is unjustifiable in a democratic society and emphasized the necessity of independent judicial or administrative oversight over decisions related to data retention, automated analysis, and real-time data sharing. Further, in the Unites States of America, this is dealt with, by various acts which mandate the access to data only pursuant to a judicial warrant based on a probable cause that the communications contain evidence of a crime. This practice existed since 1967, as the SC held that search and seizure encompass both tangible and non-tangible entities, made it obligatory for the authorities to obtain a Judicial Warrant.

Concluding remarks

The data protection regime, being the need of the hour in the age of rapid technological advancements, requires strict protocols to be followed in dealing with Personal Data. However, certain exemptions to the regime cannot be lost sight of, aiding in research, medical emergencies, compliance with the law, and for maintaining security and public order. Technological advancements have resulted in such a state of affairs where Electronic Communications, Gadgetization, and Digitization are playing a crucial role in easing our lives, however, the legitimate use of these resources can never be guaranteed.

Beyond these violations of privacy, one of the most detrimental consequences apart from violation of privacy could be the Chilling Effect on Free Speech. This is a phenomenon wherein a chain of events inevitably leads to self-censorship, where people choose not to express certain ideas, fearing negative consequences of the same, effectively violating their right to free speech under Article 19(1)(a). The impact of surveillance in creating a chilling effect is a widely acknowledged phenomenon and such mechanisms can be misused as tools to suppress dissenting political opinions or ideologies that challenge mainstream narratives, especially, in the light of there being no procedural safeguards. As vagueness and overbreadth are both linked to the concept of the chilling effect, the grounds herein are open to broad interpretation, overpowering the government to extract a wide range of data, leading to which people may self-censor themselves from exercising their right to free speech on internet based platforms.

Justice Subba Rao, while illustrating the chilling effect of surveillance, observed that while a person under surveillance may physically move, their ability to act and interact freely is severely restricted in the fear of being constantly monitored, which prevents them from freely exercising their rights. Thus, these potential ill-effects, which could be an outcome of such vaguely drafted provisions, highlight the importance of detailed guidelines which need to be precise, both in substance and procedure.

Hence, the current times necessitate robust regulatory frameworks, both in substance and procedure to ensure accountability in governance law enforcement. Section 36 r/w Rule 22, tacitly embodies flaws such as the absence of narrowly defined grounds for data requisition and procedural safeguards against arbitrary surveillance. The absence of such elements in the statute, grants the government overreaching powers to access personal data with minimal accountability, creating a framework that could facilitate unchecked surveillance, weakening the ethos of the Constitution. It is high time that we, as the world’s largest democracy, adopt the best practices from fellow common law regimes, such as, the principle of having a strong judicial oversight through warrants to authorize surveillance and an independent, impartial review mechanism. Law Enforcement and Fundamental Rights both need due consideration, while diligently maintaining surveillance as a delicate balance between rights and their corresponding restrictions, upholding the Spirit of the Constitution.

*The Author is a fourth-year B.A. LLB. (Hons.) student at the Symbiosis Law School, Pune.