NLSIR | Online
Surveillance Backdoors and the Data Protection Regime in India


Siddharth Johar*

Introduction

Since Justice K.S. Puttaswamy (Retd) v. Union of India (2017) (‘Puttaswamy I’) affirmed the right to privacy, there has been critical focus on the development of data protection legislation in India. This culminated in the Digital Personal Data Protection Act, 2023 (‘DPDPA’) and the recent Draft Digital Personal Data Protection Rules, 2025 (‘Draft DPDP Rules’). Several scholars have highlighted that this legislation falls far short of a comprehensive law protecting the rights of citizens.

However, there has been limited focus on the indirect collection of personal data, which the Draft DPDP Rules further embolden by requiring private sector entities to furnish “information” to the Central Government. This statutory compulsion is part of a global phenomenon in which large technology companies are positioned as ‘Surveillance Intermediaries’, given their control over digital communication channels. Big Tech companies have reported a substantial increase in data requests by law enforcement agencies globally, with Meta’s latest Government Requests for User Data Report showing that more than a quarter of these requests come from India alone.

This piece analyses Section 36 of the DPDPA and Rule 22 of the Draft DPDP Rules in light of these debates. It argues that these provisions fail the test of proportionality established by the Supreme Court of India (‘SCI’) in Puttaswamy I. To support this assessment, the piece draws on the constitutional assessment of surveillance measures directed at privately-held data in Europe and the United States. It argues that the present provision is unconstitutional and deeply inadequate: it attempts to legalise the excessive surveillance measures undertaken by the state and necessarily disturbs the balance of power between the citizen and the state.

The Miscellaneous Section With(out) A Purpose

Per Section 36 of the DPDPA, the Central Government can require the Data Protection Board, a Data Fiduciary, or an Intermediary to provide it with “any such information”, provided that the request is for the “purposes of the Act”. This provision is a unique addition, notably absent from the erstwhile Draft Digital Personal Data Protection Bill, 2022. As Raghavan argues, placing an administrative coercive power in the miscellaneous chapter of the Act does not correlate with the broader focus of a data protection legislation. It is therefore necessary to highlight the different aspects of this section.

First, the Section effectively expands the legal entities to which this power applies, covering the Data Protection Board and Intermediaries in addition to Data Fiduciaries, despite S. 69 of the Information Technology Act, 2000 (‘IT Act’) and its subordinate rules already governing access to information held by Intermediaries.

Second, the Draft DPDP Rules provide that information may be requested for “purposes defined under the Rules under Seventh Schedule” (as opposed to S. 36’s “purposes of the Act”) and include “personal data” within the meaning of information that can be requested from the above-mentioned entities. The Seventh Schedule provides three purposes for such requests: first, the interest of the sovereignty and integrity of India or the security of the state (‘Purpose 1’); second, the performance of any function or disclosure for fulfilling any obligation under “any law” (‘Purpose 2’); and third, carrying out assessments to determine a Significant Data Fiduciary (‘Purpose 3’).

There is a pertinent question whether the executive can expand the nature of the coercive power provided under the Act; such concerns have also been raised generally in the context of delegated rule-making power. The courts have characterised the phrase “purposes of the Act” as a ‘limiting factor’ on the overall power provided to the executive, such that the exercise of the power must have a nexus with the underlying purposes of the Act. These purposes derive not just from the preamble but also from the express provisions of the Act, which in this case are S. 7(c) and (d), which provide that personal data may be processed for certain legitimate uses on the same grounds, and S. 10(1), which allows the Central Government to designate a Significant Data Fiduciary based on certain factors (including the volume and sensitivity of data).

However, the predominant concern is the overall expansion of the grounds on which information can be requested. The previous grounds for disclosure from the private sector or Data Fiduciaries were limited to “prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences” (as in Rule 6 of the Information Technology (Reasonable Security Practices And Procedures And Sensitive Personal Data Or Information) Rules, 2011), or were purpose-limited to disclosure to the independent Regulatory Authority to enable it to investigate or enquire into matters related to an offence under the Bill (as in S. 52 of the Personal Data Protection Bill, 2019).

Third, there is a substantial reduction in safeguards under this section compared to the IT Act and the erstwhile communications legislation such as the Telegraph Act, 1885 (now replaced by the Telecommunications Act, 2023), which allow systematic access to privately-held personal data on national security grounds. These legislations share a common framework, providing substantive pre-conditions for a request, such as the “occurrence of any public emergency” or an assessment of whether the request is “necessary or expedient”.

The other aspect of this common framework is a comprehensive procedural framework to operationalise these provisions. In contrast, S. 36 omits both the substantive safeguards and a procedural framework for the exercise of the power, thereby diluting the safeguards that have previously constrained the state’s access to data under different surveillance laws. This omission indicates not just a departure, but a considerable regression in rule-making on surveillance governance in India. Raghavan argues that this raises a larger concern about excessive delegation of powers, as the provision provides no standards or guidance for the executive in the exercise of its powers. The standards and guidance in the present case are also in the nature of procedural safeguards, which are critical in determining the breadth of the discretion being delegated. It is pertinent to note that the Central Government has the residual power to make rules under S. 40(2)(z).

The Rules notably leave the identity of the “authorized person” who may request information to state discretion, along with the question of who decides which instrumentalities may use this provision and which officer may ask for this information. The determination of the ‘authorized person’ is especially crucial, as the officer presumably ought to have an appreciation and experience of the law and the legitimacy to apply legal categories such as “occurrence of any public emergency” and “necessary or expedient”, should be able to adequately follow internal protocols, and should be institutionally accountable for their actions. Surveillance laws therefore often require high-ranking or senior officers to pass competent orders, permitting junior-ranking officers to do so only in specific circumstances and with greater procedural safeguards. Even the determination of which instrumentalities can use these powers is extremely crucial: certain bodies, like the state police, are disallowed even under the existing rules, and the extension of these powers to tax authorities and civil and military intelligence agencies has been constitutionally challenged.

Furthermore, the Central Government retains the power to restrict disclosure of the request itself to the public, where such disclosure is likely to affect the sovereignty and integrity of India or the security of the state (presumably Purpose 1). This expands the obligation under S. 11(2), which exempts a Data Fiduciary (the private sector entity) from informing the Data Principal about sharing with other Data Fiduciaries (the State) that collect personal data from it for the “prevention or detection or investigation of offences or cyber incidents, or for prosecution or punishment of offences”. The deficiencies in S. 36 raise considerable questions regarding the constitutionality of this provision, as it directly engages the right to privacy under Article 21. This paper therefore assesses the constitutionality of the provision in the next section.

Surveillance And The Constitution

In Puttaswamy I, the SCI articulated a privacy interest in information of individuals such that non-consensual disclosure of information engages this right and also provided a framework to assess the constitutionality of state action. Although the question of surveillance was not specifically litigated in Puttaswamy I, Bhatia highlights that the question of surveillance has been central to the constitutional development of the right to privacy.

This right is engaged regardless of whether the state collected the information directly or indirectly from an intermediate entity, with the SCI in District Registrar and Collector v. Canara Bank expressly rejecting the proposition that an individual loses their privacy interest in a document once it is provided to a third party. In the present case, Puttaswamy I and II (Justice K.S. Puttaswamy (Retd.) v. Union of India) would require an evaluation of, first, the legality of the restraint; second, the legitimacy and suitability of the restraint; third, the necessity of the restraint; fourth, the balancing of the restraint against the rights engaged; and fifth, procedural safeguards. This section focuses specifically on the latter four aspects, since the legality of the restraint is not particularly in question.

Legitimacy of Aims

The legitimacy step assesses whether the state’s measure has a valid purpose and of sufficient importance to warrant overriding a constitutional right. Article 21, unlike Article 19, does not provide enumerated grounds under which it can be restricted. Bhandari and Lahiri have highlighted that Puttaswamy I itself has accepted national security and prevention of crimes as acceptable state aims in restraining Article 21. However, even though Article 21 does not contain enumerated grounds, pervasive collection of ‘personal data’ without any specific indication can also engage Article 19, which does provide enumerated grounds.

In Manohar v. Union of India, the SCI highlighted how surveillance implicates both of these rights, with surveillance measures often resulting in self-censorship and limitations on media freedom. In Europe, courts have noted the mutually reinforcing nature of the rights, with privacy seen as a prerequisite for free expression on digital communication channels. Even in the United States, scholars have highlighted that surveillance implicates both the First and Fourth Amendments, the former because surveillance can affect an individual's “intellectual habits” as well as their relational ties. Furthermore, Article 19 is engaged because the term ‘personal data’ can include even communications data (as illustrated by the example provided by the Ministry on the usage of this provision), which retains a free speech interest. Although US courts have been confined to separate inquiries under the First and Fourth Amendments, the SCI should avoid this, since the Indian constitutional tradition has shifted away from viewing rights in silos.

This reading would disallow the state from restraining the right by relying on purposes it itself defines under the Act, such as Purpose 2 and Purpose 3, and instead require it to rely on constitutionally defined grounds for the collection of information (Purpose 1). This does not entail that Purpose 1 and Purpose 2 should not be scrutinised further, given that scholars have earlier highlighted how this stage often places an easier burden on the state.

I would agree with Lakra that courts should further scrutinise these aims. The scrutiny of these aims is critical due to the growing problem of mission-creep in state surveillance, whereby the apparatus created for serious crimes (like terrorist offences) is used for other lesser crimes, for the targeting of journalists and political opponents, or even for the policing of marginalised communities for non-criminal behaviour.

In La Quadrature du Net and others, the court established, with this in mind, a hierarchy of aims for which surveillance can be undertaken: national security at the top, serious crime thereafter, and crime without qualification last. Each step down the hierarchy justifies a lesser level of intrusion into the right. Watt highlights that this hierarchy allows a fair assessment of the means provided, which should not continuously subject individuals to state scrutiny without a probable apprehension of danger. This brings us to the purposes outlined in S. 36 and Rule 22, which are considerably expansive. The explanation offered by MEITY is that the purpose of this section is to assist the investigation of situations where the police find the possibility of “illegal activity”. If this were the predominant intention of the section, the Rule could have been limited to the “interest of prevention, detection, investigation or prosecution of any offence or contravention of any law for the time being in force in India”, a phrase used consistently in the Act (S. 17(1)(c) and S. 11(2)). Instead, Rule 22 relies on a blanket phrase which would permit greater intrusion into the right to privacy.

Suitability Stage

The suitability stage requires evaluation of the rational nexus between the disclosure of information and the stated aims. This nexus should not be remote so as to render it unreasonable or manifestly arbitrary, which is a less stringent test that evaluates a logical connection rather than evidence-based connection. There exists an ostensible connection between surveillance of individuals and the goals of prevention and detection of crime and it enables tactical intelligence gathering for threats to national security.

However, the rational nexus between access to data and Purpose 3 is especially weak. The determination of a Significant Data Fiduciary by the Central Government hinges on several factors under S. 10(1), of which two concern the personal data of individuals (‘volume and sensitivity of data’, ‘risks to the rights of Data Principal’) while the rest have been minimally defined and remain vague (such as ‘risk to electoral democracy’). Yet neither of the two data-related factors necessarily requires a sample set of individual-level personal data to make this determination.

The corresponding Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 likewise allow the determination of a ‘significant’ intermediary under Rule 2(1)(v) through a state policy determination based on the total number of registered users. Even the determination of the “sensitivity” of a class of personal data has, across the various iterations of the DPDPA, been based on specifically provided factors such as an expectation of confidentiality with respect to that data or the specific harm that would follow from its processing. Both of these are policy decisions taken on a prior basis, not after evaluation of a data-set. On the contrary, the “sensitive” nature of the data would work against the need for its disclosure to the state, since the very classification of the data merits higher protection, including protection against profiling by the state.

The predominant intention behind the designation of this class of data is that there exists a greater risk of discrimination and harm from the processing or misuse of such data. As Bokil and others have highlighted, Indian states continue to maintain and digitise vast criminal databases grounded in caste-based preventive surveillance. In this case, there is an immediate risk in the disclosure of personal data to state instrumentalities when such data may reveal or correlate with a person’s caste or ethnicity. Even though sensitive data as a category no longer exists under the DPDPA, it is critical to note that this distinction has been accepted constitutionally by both J. Sikri’s majority opinion (¶ 160, J. Sikri) and J. Chandrachud’s minority opinion (¶ 148, J. Chandrachud) in Puttaswamy II.

Necessity Stage

The necessity stage analyses the contribution of the measure with respect to the restraint of fundamental rights, and the state is required to adopt the ‘least restrictive’ means to achieve the object. In this stage, the court has to consider whether there exist lesser intrusive options that fulfil the state’s objective to the same extent. The application of this principle would entail that the surveillance measure should be restricted to cases where they are necessary to achieve the legitimate aims. This raises two concerns in the present case.

The first concern is the nature of the surveillance: whether the provision enables bulk surveillance or targeted surveillance. Even the Ministry’s explanation suggests the possibility of roving enquiries. Though bulk surveillance has not yet received constitutional scrutiny in India, courts have continuously required that the surveillance of information be ‘targeted’. This is indicated by the framing of both the communications legislation and the internet law, with the Telegraph Act and the IT Act requiring, as a substantive pre-condition, that the information be necessarily required for the achievement of the purposes mentioned under the Act. Bhatia has also argued that, in light of this scheme, courts have read down the statute, as in Gobind v. State of Madhya Pradesh, where the SCI read in a requirement of “gravity” of the offence.

In Privacy International v Secretary of State for Foreign and Commonwealth Affairs and Others, the Court of Justice of the European Union (‘CJEU’) highlighted that the “general and indiscriminate” transmission of data is comprehensive in that it applies even to individuals against whom there is no evidence to suggest that their conduct might have a link with the objective of national security. The Court held that access to data in this form, without adequately relying on “objective criteria” defining the circumstances and conditions of access, does not meet the criterion of necessity. Therefore, S. 36 and Rule 22, by not expressly restricting the scope of access to situations where it is necessary and supported by reasonable and objective criteria, do not pass this stage.

This raises a larger concern regarding the transmission of “any personal data” without any qualification as to its specificity or nature. In Carpenter v. United States, an important factor in assessing whether a surveillance measure is hit by the Fourth Amendment was the ‘indiscriminate’ nature of the collection. This factor predominantly assesses whether the surveillance measure collects even non-incriminating information about a suspected individual, in addition to collecting information about others. In La Quadrature du Net, the nature of the personal data collected became crucial, with the Court reaching different conclusions on the seriousness of the intrusion with respect to location and traffic data, identification data, metadata and IP addresses. This enabled the court to analyse specific arguments on the necessity of collecting particular data, such as the collection of IP addresses being one of the only means of resolving copyright infringements.

Although scholars have highlighted, first, a possibility of deference towards the state’s arguments on the difficulty of achieving the goals by other means, and second, a tilt towards technological solutions instead of social strategies, there is still merit in identifying the data collected. Rojszczak argues that underlying the specific demarcation of personal data is also an assessment of the sensitive nature of the data, such as that concerning ethnicity, race, or sex. Per Rojszczak, the court's concern is the ability of certain forms of data-sets to enable the profiling of an individual. Under data protection law, profiling is particularly suspect; it is defined as a form of automated processing of personal data to evaluate or predict certain personal aspects of a person, such as their economic situation, health, and personal preferences and beliefs. Bhatia highlights that both the majority and minority opinions in Puttaswamy II converged on the point that profiling is unconstitutional. Scholars have even highlighted how the combination of surveillance, data mining and algorithmic analysis can increasingly blur the purposes and objects of surveillance, allowing the manipulation of individuals and greater insight into their emotional states, and putting equality values at risk. Therefore, being receptive to the nature of the personal data collected would be crucial in assessing the constitutional values being challenged.

Balancing Stage and Procedural Safeguards

The next step in the proportionality test is the balancing stage, which analyses whether the impact on rights is so invasive that it creates an imbalance with the state aim. At this stage, the existence of procedural safeguards also becomes crucial, as the possibility of abuse of the law becomes an important factor.

In Puttaswamy I, a common thread across the judgements was the privacy harm of surveillance, with J. Kaul noting that modern technology enables the collection of information at such a pervasive scale that the state can become the “Big Brother” at any point (¶ 591, J. Kaul). The eventual argument J. Kaul reaches is that a surveillance system that treats each individual with suspicion is particularly constitutionally suspect. Gupta has highlighted that courts at this stage also consider the perceived threat to security as well as the efficacy of the surveillance measure. In recent years, there has been emerging evidence of a negligible success rate in the prevention of terrorism and in general law enforcement efforts through mass surveillance, with The President’s Review Group on Intelligence and Communications Technologies (USA) highlighting its potential to impede law enforcement efforts. In Europe, in particular, there is a pervasive lack of data on the efficacy of mass surveillance mechanisms, and state push-back against providing evidence in support of their measures.

Furthermore, the DPDPA, by failing to provide a comprehensive framework for operationalising access to privately-held personal data, opens excessive potential for abuse. In PUCL v. Union of India, the predominant problem of such laws without procedural safeguards was raised, and the SCI expressly laid down guidelines that eventually formed Rule 419A of the Indian Telegraph Rules, 1951. These procedural safeguards include: designating a high-ranking officer as the competent requesting officer, with additional procedural safeguards if this power is delegated to a junior officer; measures for keeping records on the intercepted communications, such as who had access to the material or the copies made from it; and an executive review mechanism through review committees with powers to destroy records or cease interception. Presently, the DPDPA does not even pass the minimum safeguards requirement established by PUCL, nor does it have a functional Data Protection Authority with investigatory powers, thereby failing at the balancing stage. The “authorized officer” under the legislation has been left to the discretion of the state, with no requirement of seniority. This lack of minimum safeguards also leaves questions of onward sharing of information and data silos, the competence and independence of judicial and quasi-judicial oversight, limitations on duration, and security measures, all of which have been appreciated in other jurisdictions, undeveloped in India and far from any discussion.

Multiple scholars such as Chinmayi Arun have highlighted the “thin” nature of these safeguards, which have increasingly created an opaque system with little third-party scrutiny and few individual means of redress, reflecting a global trend towards a ‘proceduralist’ approach to surveillance measures. Zalnieriute argues that this ‘procedural fetish’ assumes the proportionality, functionality, and effectiveness of the surveillance measure, considerably diluting standard-setting by courts. Bhandari and Lahiri argue that Puttaswamy I and II have allowed us to think through these troubles, permitting greater inter-branch scrutiny by the judiciary. An alternative route to inter-branch scrutiny is through quasi-judicial authorities such as an independent Data Protection Authority, which in other jurisdictions also regulates the use of data by state authorities and even the activities of national security institutions (as in Canada). Therefore, the court can and should take into consideration the development of the law after PUCL and avoid the trap of the proceduralist approach. Moreover, the present legislation also excludes the possibility of user notification, as the State has total discretion over non-disclosure of requests relating to Purpose 1. In Association for European Integration and Human Rights and Ekimdzhiev v. Bulgaria, the European Court of Human Rights particularly stressed the importance of user notification, highlighting how post-surveillance notification can be given after the termination of the surveillance measure without jeopardising its purpose. In the present case, the lack of such notification can hamper judicial redress and the fundamental value of transparency.

As Kharbanda argues, transparency is a critical tool in protecting against the abuse of surveillance powers: it encourages external oversight and public debate for reform, exposes systemic abuses, and promotes public trust. Furthermore, the lack of user notification can make it difficult to challenge the state’s exercise of power or to have standing before the courts, as indicated in the Pegasus case, where extensive forensic examination had to be undertaken to determine whether surveillance had occurred at all. The redress of individual grievances has specifically been discussed by the CJEU in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, where the court not only noted the individual's right to an effective remedy but also required that these avenues have adequate independence and powers of review. The overall implication is that surveillance measures can effectively escape public or judicial scrutiny, especially since the state also actively attempts to withhold this information by ordering the destruction of orders.

Conclusion

An important aspect which requires further scrutiny is the role of the intermediate private entity in this debate and its potential to act as a form of inter-branch scrutiny. As Rozenshtein observes, ‘Surveillance Intermediaries’ still hold large discretion in processing requests for data: in how critically they evaluate the legality of requests, how they slow the process by insisting on procedure, or how they minimise their capacity to respond by implementing end-to-end encryption. However, since this power is not by design, the actual response of intermediaries varies over time, across companies, and across incentives. This dynamic increasingly calls into question our assessment of these surveillance measures, since the actors involved are not just the state and the citizen.

In this paper, I nevertheless focus on the standard proportionality inquiry into Section 36 of the DPDPA and Rule 22 of the Draft DPDP Rules. I highlight that the present section is a unique addition, unsupported by previous iterations of data protection law. Furthermore, I argue that the present section does not pass muster under the proportionality test. I attempt to show, first, that the State needs to concretely define its objectives, especially in light of the enumerated grounds of Article 19; second, that the State has not shown a rational nexus between the collection of personal data and Purpose 3 (designation of a Significant Data Fiduciary); and third, that the existing legislation fails the necessity and balancing stages, given the ‘general and indiscriminate’ nature of the collection without comprehensive and adequate safeguards.

*Siddharth Johar is a B.A., LL.B. (Hons.) student at the National Law School of India University (NLSIU), Bengaluru
NATIONAL LAW SCHOOL OF INDIA REVIEW  © 2022
