The government has notified the Digital Personal Data Protection (DPDP) Rules, 2025, completing the operational framework of India’s new data protection law. These Rules, along with the DPDP Act, 2023, set out obligations for private data fiduciaries, introduce consent and notice requirements, and establish procedures for breach reporting and data retention.
However, while private companies now face stricter compliance expectations, both the Act and Rules preserve sweeping exemptions for the State. Together, these carve-outs mean the government can continue accessing, re-purposing and processing personal data with limited external oversight.
The core architecture of these exemptions sits in Section 7 of the Act, which allows the State to process personal data in the interests of detecting or prosecuting offences, or “in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, [and] maintenance of public order”.
Furthermore, Section 17 of the Act allows notified State bodies to process personal data without adhering to many of the obligations that bind private entities, including consent requirements, purpose limitation and minimisation standards.
Importantly, these exemptions cover functions linked to detecting, preventing or prosecuting offences, as well as activities justified on grounds of India’s sovereignty, integrity, security, public order or foreign relations. One must note here that as the Act does not define these grounds narrowly, government agencies can rely on them in a wide array of circumstances.
Notably, the DPDP Rules operationalise this framework further through the Second and Seventh Schedules, which outline processing for welfare schemes and authorise broad categories of government access. Also, Rule 23 gives the Central Government the power to demand information from any data fiduciary or intermediary and, in some cases, prohibit the entity from informing affected individuals.
Exemptions And Expansion Of State Discretion
Legal services organisation SFLC.in told MediaNama that “Section 17 of the DPDP framework carves out a regulatory vacuum for the processing of personal data by the State”. The organisation also noted that these carve-outs are not narrow. “In reality, these provisions essentially place processing of and access to personal data by the government in a regulatory vacuum, where there is no compulsion to abide by the safeguards built into the DPDP framework,” SFLC.in noted.
Additionally, their analysis highlights that the Act does not require judicial approval, independent authorisation or proportionality checks for these exemptions, leaving broad discretion with State authorities. They point out that, “The DPDP framework excludes pre-existing accountability and oversight thresholds established under the interception and monitoring rules of Telecommunication and Information Technology…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
