India’s pursuit of a formidable data privacy regime encapsulates a broader struggle to assert digital self-determination without severing vital global linkages. The Digital Personal Data Protection Act (DPDPA), 2023, heralded as a landmark, remains an embryonic construct, an overture, of India’s sovereignty ambitions.
However, beneath the rhetoric of consumer rights and regulatory compliance lies a more profound quandary: Does this framework enshrine individual agency, or does it merely reallocate dominion, shifting control from foreign entities to the state’s hands? With broad exemptions for state actors, the very institution tasked with oversight risks becoming its greatest beneficiary.
India stands at an inflection point. Will it sculpt a governance model that cements privacy as an inalienable right, or will it drift into a paradigm where sovereignty becomes a euphemism for state hegemony?
The true measure of the DPDPA lies not in its text but in its execution. If wielded with foresight, India could redefine global privacy norms and forge a digital economy that champions innovation without compromising personal autonomy. If not, sovereignty will remain an illusion, merely a shift in custodianship, not a triumph of individual freedom.
The leitmotif of India’s data governance framework has ostensibly been the protection of personal data, yet an underlying paradox emerges: while the DPDPA ostensibly safeguards user autonomy, it simultaneously entrenches state dominion over digital assets.
Unlike the General Data Protection Regulation (GDPR), which enshrines individual agency through independent supervisory bodies, India’s approach aggregates expansive discretionary power within the executive, raising concerns about regulatory impartiality and institutional autonomy.
The law’s broad exemptions for state entities compel an urgent inquiry. If data protection equates to state hegemony over personal information, then we must confront an unsettling reality—one where privacy is not an inherent right but a conditional privilege dictated by the state.
India’s approach, in many respects, evokes China’s Personal Information Protection Law (PIPL)—not in magnitude, but in its underlying ethos. The ascendant theme of data nationalism, a doctrine predicated upon the localisation of data to mitigate exogenous control, appears more aligned with state-centric prerogatives than with the protection of the citizenry. This presents a dilemma: Does regulatory sovereignty translate into individual empowerment, or does it merely reallocate data monopolies from foreign conglomerates to domestic entities?
The Data Protection Board, envisaged as the principal enforcement authority under the Act, remains unduly tethered to executive dominion, undermining its institutional independence and the credibility of its adjudicatory functions. As per Rule 16 of the Draft Data Protection Rules, 2025, the Board’s appointments and operations are under government control, leaving little room for neutral oversight.
Given that the government is the largest data collector, how impartial can a state-controlled regulator be? If the body responsible for enforcing privacy laws lacks true independence, can individuals genuinely expect protection from misuse of their data?
The principle of individual data autonomy is not just an abstract ideal; it is one reinforced by historical events. When governments gain unchecked control over personal information, the consequences often extend beyond governance into suppression of civil liberties.
History provides clear evidence of how excessive state control over data has led to widespread surveillance and loss of individual freedoms. A striking case is that of East Germany’s Ministry for State Security (Stasi), which, from 1950 to 1990, constructed one of the most comprehensive surveillance systems in history.
The agency accumulated an extensive collection of citizen records, spanning over 111 kilometres of files, audio recordings, and images. This vast data repository was used to monitor individuals, stifle dissent, and maintain control over the population. The lesson is evident—when individuals lose control over their own data, the state gains unchecked power that is often wielded to subdue rather than protect.
In more recent history, the 2013 disclosures by Edward Snowden brought to light the U.S. National Security Agency’s (NSA) PRISM program, which engaged in mass surveillance of both domestic and foreign individuals. Even within a democratic system, the absence of oversight led to significant privacy violations, demonstrating that democratic structures alone do not safeguard against the risks of pervasive data collection. This serves as a cautionary parallel for emerging digital governance frameworks, including India’s evolving data privacy regime—where a lack of transparency could open the door to similar overreach.
An ongoing example of centralised data control is China’s Social Credit System, which aggregates personal information to assign individuals a “trustworthiness” score, influencing their financial, professional, and social opportunities. The implications of such a system highlight the dangers of allowing governments to dictate the use of personal data. For any country striving to balance regulation with fundamental rights, this example serves as a warning against the perils of data-driven social control.
The DPDPA mandates principles of data minimisation, explicit consent, and purpose limitation, mirroring international best practices. However, its enforcement mechanisms remain tenuously defined, particularly with respect to state-backed enterprises and sectors classified as critical to national security.
Unlike GDPR’s robust independent data protection authorities, India’s enforcement architecture remains susceptible to executive overreach. It raises profound concerns about selective regulatory scrutiny.
India’s data privacy trajectory cannot be construed in isolation. The global data governance landscape is increasingly bifurcated between the US-led market-driven model, the EU’s human rights-centric framework, and China’s state-centric paradigm. India’s regulatory stance, while purportedly sui generis, is, in reality, a delicate balancing act between these competing global paradigms.
The Government of India’s approach to data diplomacy is exemplified in its push for Digital Public Infrastructure (DPI) frameworks, including Aadhaar, UPI, and ONDC. These systems aim to challenge foreign tech dominance but also expand state oversight over digital transactions. Similarly, India’s strict stance on cross-border data transfers—justified as a move toward “data sovereignty”—could isolate it from global digital trade, limiting its potential as a leader in the tech-driven economy.
Further, India’s restrictive stance on cross-border data flows, ostensibly an exercise in data sovereignty, risks undermining its position in global data trade negotiations. Unlike Japan’s Data Free Flow with Trust (DFFT) model, which fosters regulated cross-border data exchanges, India’s insular approach may inadvertently diminish its digital export potential, stymieing its aspirations for technological pre-eminence on the global stage.
To conclude, India’s data privacy trajectory, while still in its infancy, is at a decisive crossroads. With a rapidly digitising economy and a population that is both highly connected and increasingly aware of privacy rights, India has the opportunity to architect a data protection framework that is not just regulatory compliance but a bold assertion of individual sovereignty.
The Digital Personal Data Protection Act (DPDPA), 2023, marks a significant milestone in India’s digital evolution, yet its true litmus test lies in the nuances of its execution. India has long championed the protection of personal data, but the regulatory framework it now envisions is not merely about individual empowerment; it is equally about fostering a structured, sovereign, and innovation-friendly digital ecosystem.
The Act’s oversight mechanisms underscore a pivotal question: How can India seamlessly reconcile data privacy, economic dynamism, and governance efficiency without compromising any one element?
A well-calibrated, transparent, and adaptive regulatory architecture, one that embeds strong safeguards, institutional accountability, and ethical data stewardship, will not only reinforce trust but also cement India’s position as a vanguard of digital governance, ensuring that the rights of individuals remain paramount in an era of rapid technological transformation.
-30-
Copyright©Madras Courier, All Rights Reserved.
You may share using our article tools. Please don't cut articles from madrascourier.com and redistribute by email, post to the web, mobile phone or social media.
Please send in your feed back and comments to editor@madrascourier.com
