The Missing Middle: Bridging the Gap Between State Exemptions and Citizen Autonomy under the Digital Personal Data Protection Act, 2023
- Ritik Agrawal
Tanu Priya, ICFAI University, Dehradun
Sakshi Kothari, Assistant Professor of Law at ICFAI University, Dehradun

Abstract
The Digital Personal Data Protection Act, 2023 (DPDP Act) represents a pivotal legislative effort to regulate personal data protection in India by embedding principles such as consent, purpose limitation, and data minimization. However, this Act suffers from a significant structural gap between the broad exemptions granted to the state and the autonomy afforded to citizens. While private entities are subjected to strict compliance obligations, the government is largely exempt from these obligations on vague grounds, including national security, public order, and crime prevention, without clear limits or prior oversight. This asymmetry undermines citizens’ control over their personal data and raises concerns of excessive state surveillance, opaque data practices, and weakened avenues for redress. The paper conceptualizes this deficiency as the “Missing Middle”—the absence of a balanced framework that aligns state powers with individual rights. To bridge this gap, the paper proposes a mandatory Public Interest Test, comprising criteria of legitimate aim, necessity, proportionality, temporal and scope limitations, and documented review mechanisms before any state exception can be invoked. Adopting such a test can reinforce democratic governance, bolster transparency, and ensure that data protection in India evolves as a robust constitutional value rather than a mere administrative measure.
In August 2023, India enacted the Digital Personal Data Protection Act, 2023 (DPDP Act) to regulate the collection and use of digital personal data. This law is broadly based on the EU's GDPR and recognizes new data rights – for example, individuals can obtain a summary of all personal data held about them and request its correction or deletion – and imposes obligations on private data fiduciaries (companies and institutions). Its stated goal is to balance privacy with legitimate processing needs and the public good. However, in practice, the DPDP Act grants the government unusually broad powers. Critics argue that while several compliance burdens on industry have been reduced, the law grants the state "unfettered discretionary powers" in some crucial areas. We will examine the government-specific exemptions in the DPDP Act, assess their impact on privacy and democratic oversight, compare India's approach to that of the EU and the UK, and suggest a formal "public interest" framework (with requirements of necessity, proportionality, and independent review) to limit them.
Introduction
India enacted the Digital Personal Data Protection Act (DPDP Act) in 2023 to ensure the protection of citizens’ privacy in the digital age. This law aims to give citizens control over their data, hold companies accountable, and prevent data misuse. However, several significant exemptions granted to the government under the Act have raised concerns. These exemptions allow the government to bypass many provisions of the law—particularly when citing broad objectives such as national security, public order, or law enforcement.
This blog aims to provide an in-depth review of the state exemptions under the DPDP Act, understand how they impact citizens’ privacy and autonomy, and propose how the government’s powers can be balanced through mechanisms such as a “public interest test.”

Certain Legitimate Uses (Section 7)
While the DPDP Act generally requires consent for most data processing, it provides an exception under Section 7 (Chapter I) called “certain legitimate uses.” These grounds allow processing without notice or consent in specific situations, many of which involve the state or public functions. Key clauses include:
● Government Services and Benefits Section 7(b): The state (and its agencies) can use personal data to provide or issue subsidies, benefits, services, certificates, licenses, or permits if the individual has already consented to state processing or if the data is already in existing government databases (digital or digitized). For example, once a citizen consents to providing data for a welfare scheme, different government agencies can reuse that data to provide related services without asking again. This aims to streamline administration, but it effectively creates data sharing between agencies without requiring fresh consent.
● State Obligations and Security Section 7(c): Personal data may be processed by any agency for the purpose of performing functions under any law or in the interest of “the sovereignty and integrity of India, the security of the State,” etc. In other words, routine government duties and national security functions are explicitly considered “legitimate uses.” Similarly, Section 7(d) permits processing when the state or its bodies are required by law to disclose information, as long as the disclosure complies with existing laws. Overall, these provisions mean that many common government functions—enforcing laws, internal administration, and even broad security objectives—bypass the Act’s default consent and notice requirements.
● Judicial Orders Section 7(e): This section allows processing to comply with any judgment, decree, or order under Indian law, or for a foreign judgment relating to contractual claims. Essentially, a court order can authorize data processing or sharing.
● Emergencies and Disasters Section 7(f) to (h): The Act permits any processing necessary to address threats to life or health (7(f)), to deal with epidemics or public health crises (7(g)), or to ensure safety and assistance during disasters or breakdowns of public order (7(h)). These clauses cover common-sense emergencies (for example, allowing a hospital to access a critically ill patient’s data), but they are written very broadly. Notably, no independent oversight is required when agencies invoke these crises as justification.
● Employment Section 7(i): Employers can process employee data (including to prevent corporate espionage or protect trade secrets) without consent, as long as it is for employment-related purposes. (This is a legitimate-use exemption rather than a purely “governmental” exemption, but it underscores the Act’s limited scope for consent even in private contexts.)
These “legitimate use” exemptions mean that if one of these conditions applies, a data fiduciary can legally process personal data without informing the individual or obtaining their consent. In practice, this allows government bodies to collect and use data with very little transparency. For example, once a citizen provides their Aadhaar or bank details to receive a benefit, agencies can use that data for other programs. While proponents argue that this avoids delays and duplication, privacy advocates warn that it creates a de facto integrated citizen profile without any consent safeguards.
Broad Exemptions (Section 17)
Beyond the “lawful uses” of Section 7, Section 17 of the DPDP Act grants exemptions from almost the entire law. These far-reaching exemptions raise the most serious concerns:
● State Agencies Section 17(2)(a): The Central Government may, by notification, exempt any “State agency” from all provisions of the Act in the interest of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, maintaining public order [or] preventing incitement to the commission of any cognizable offence. Importantly, “State agency” is not defined; legal precedent suggests it could include any body that performs public functions or is under the control of the government – from police and intelligence agencies to public sector companies. Thus, a notified agency can collect, retain, and process personal data without adhering to any DPDP safeguards (no notice, no consent, no security obligations, etc.), as long as it claims one of these broad national-interest grounds.
● Downstream Data Sharing Section 17(2)(b): Any data “provided” to the Central Government by an exempted agency can also be processed by the Centre without complying with DPDP rules. In effect, once an agency is exempted, its data flows to all state entities without safeguards. (Since the law defines “Central Government” to include the executive, legislature, and judiciary, this exception is exceptionally broad.)
● Law Enforcement Exception Section 17(1)(c): Any personal data processed by any entity (public or private) “in the interest of prevention, detection, investigation or prosecution of any offence or any contravention of any law” is exempt from several DPDP provisions. Specifically, such processing is exempt from all provisions of Chapter II (Fiduciary Obligations), except for the minimum safeguards in Sections 8(1) and 8(5); from all the provisions of Chapter III (Data Principal Rights, including access, erasure, correction, etc.); and even from the restrictions on transferring data outside India (Section 16). In effect, any agency (including private firms) investigating wrongdoing can disregard core privacy rules, provided it can claim its purpose is law enforcement.
● Data Retention and Erasure Section 17(4): Government bodies can retain personal data indefinitely, and there is no requirement to delete data once its original purpose has been fulfilled. The Act explicitly prevents data principals from demanding the erasure of any personal data collected by the government or its exempted agencies. In fact, the government is not even required to allow individuals to update or correct their data if the processing does not involve a decision affecting the individual. This is an extraordinary exemption: for example, once traffic video footage or telecom location data is collected by a state agency, it can be retained forever without any duty to purge unnecessary records.
● Rule-Making Power Section 17(5): The government can also exempt classes of data fiduciaries (including private ones) from any part of the law for up to five years after its commencement. The law provides almost no guidance on how this power will be used or limited – an open invitation to broad exemptions. (Section 17(3) already allows for temporary relief for start-ups, but Section 17(5) applies to any industry or function.)
Media and policy analysts have warned that these provisions create vast scope for surveillance and unchecked state power. One commentator noted that Section 17(2)(a) suggests “the complete non-applicability of the data protection law to certain state agencies.” In the words of Anushka Jain, a lawyer at the Internet Freedom Foundation: “If you give certain agencies a complete exemption, you’re allowing them to do whatever they want. There’s no review, no safeguards... essentially building a 360-degree profile.”

Indeed, Section 17(1)–(4) creates a separate regime for the state that exempts it from most privacy obligations. Only narrow safeguard provisions (such as the Section 8(1) safeguards) technically still bind the exempted agencies, but with no practical checks on abuse, experts fear that these exemptions will be exploited to secretly surveil citizens.
Landmark Judgment: K.S. Puttaswamy v. Union of India (2017)
The constitutional recognition of the right to privacy in India is based on the landmark judgment in K.S. Puttaswamy v. Union of India (2017). This 9-judge Constitution Bench unanimously declared that privacy is a fundamental right, protected under Article 21 of the Indian Constitution (the right to life and personal liberty).
In this judgment, the Court held:
● Any government data collection or surveillance measure must meet a four-pronged test of "legality, legitimate aim, necessity, and proportionality."
● Any interference with privacy by the State will only be valid if it is authorized by law, serves a legitimate public interest, and is the least intrusive means available.
This judgment provides guiding principles for the interpretation of the DPDP Act, particularly concerning the provisions that grant exemptions to the government. If the government interferes with fundamental rights under Article 21 for data usage, it is mandatory for it to meet the standards laid down in the Puttaswamy judgment.
Impact on Privacy, Autonomy, and Surveillance
● These legal exemptions have profound consequences. First, individual privacy and autonomy are severely diminished. Citizens lose almost all control over how the state handles their data: there is no requirement to inform them, obtain consent, or allow data deletion. Once collected, data can be stored indefinitely and shared among agencies. This one-sided arrangement enables "deep surveillance," and as India's Supreme Court has emphasized, any limitations on the fundamental right to privacy must meet stringent tests of necessity and proportionality. Yet, the DPDP Act applies no such test when the government claims a state interest.
● Second, these exemptions undermine democratic oversight and accountability. In open societies, intrusive state powers are typically subject to checks such as judicial warrants, legislative review, or a public interest test. In contrast, Section 17 allows the executive to unilaterally invoke broad categories (sovereignty, public order, crime) as justification. The Act includes no independent review or requirement for evidence. In effect, a government agency can decide for itself whether an action falls under an exemption and proceed without any scrutiny. This "unfettered discretion" is contrary to basic administrative law principles. As one expert points out, the law "fails to specify on what grounds [the exemptions] will be granted" and under what "conditions" they can be used. Removing the "public interest" override in the RTI (through the DPDP's amendment to Section 8(1)(j) of the RTI Act) also eliminates the only prior check on withholding official data.
● The negative impact on transparency is already being felt. Journalists and civil society groups have warned that, without exemptions for journalism or the public interest, journalists could be forced to seek consent from the very individuals they are investigating. In a democracy, the ability to scrutinize those in power—even accessing personal information about government officials—is crucial for accountability. Conversely, the broad privacy protections of the DPDP Act (when enforced by the authorities themselves) dramatically tilt the balance of power in favor of the state. In short, the balance struck by this Act so far is heavily skewed towards state privilege, at the expense of both the individual's right to privacy and society's right to information.

Approaches in other countries
● India’s approach to government access differs significantly from most other data protection systems. In the European Union, the processing of personal data by public authorities must be authorized by law and subject to limitations of necessity and proportionality. For example, Article 6(1)(e) of the GDPR permits processing “necessary for the performance of a task carried out in the public interest or in the exercise of official authority,” but it explicitly requires that the governing law pursue a public interest objective and be proportionate to the legitimate aim pursued. Furthermore, law enforcement processing in the EU falls under a separate Law Enforcement Directive (LED), which mandates that data can only be accessed by competent authorities with appropriate safeguards. The LED explicitly limits exemptions to cases where there is a legitimate legal basis, including clear criteria, reporting, and oversight. In practice, European countries often require court warrants or strict agency protocols for surveillance or criminal investigations.
● Similarly, the United Kingdom (which now operates under its Data Protection Act 2018 and UK GDPR) does not grant the government carte blanche. ICO guidance emphasizes that sharing data with law enforcement must be “necessary and proportionate,” and is typically done on a case-by-case basis. The DPA 2018 includes a narrowly defined “crime and taxation” exemption to relax certain individual rights, but only if compliance with those rights would genuinely hinder crime prevention, and even then, it is considered by authorities on a case-by-case basis. In short, while EU/UK law permits public authorities to process data for security or official functions, they emphasize procedural safeguards and purpose limitations that are absent in India’s law.
A Public Interest Test: Necessity, Proportionality, Oversight
To bring the DPDP Act in line with fundamental rights and international norms, we propose that government access to personal data be governed by a formal “public interest test.” Under such a framework, any exception would require a clear demonstration of necessity, proportionality, and oversight. Key components could include:
● Necessity: Government entities must demonstrate that access to or processing of data is strictly necessary to achieve a legitimate public interest objective, and that no less intrusive means are available. This affirms the Supreme Court’s Puttaswamy judgment that privacy can only be curtailed by measures “that meet the stringent requirements of necessity, proportionality, legality, and legitimate aim.” For example, law enforcement might be required to obtain a warrant or maintain a record of justification before broad data inquiries.
● Proportionality: Any data collected or retained must be limited in scope and duration to what is necessary for the public purpose. Data should not be retained indefinitely. Article 6(3) of the GDPR similarly mandates that any public-interest processing prescribed by law must be proportionate to its purpose. India’s law should explicitly bind authorities to data minimization principles: only the fields relevant to the stated goal, and automatic deletion when the purpose ends, unless further retention is indispensable (such as evidence in ongoing litigation).
● Independent Oversight: Requests made by the state should be reviewed by an impartial body, for example a judge, a tribunal, or the Data Protection Board. The Necessary and Proportionate Principles, which have been endorsed by human rights bodies worldwide, call for “independent oversight mechanisms” that can access all relevant information and assess the legitimacy of state surveillance. India’s DPDP Act already envisions an independent Data Protection Board; its mandate could be expanded to include reviewing sensitive data access requests or auditing agencies granted exemptions for compliance. The most intrusive searches may require judicial warrants. Even where security is invoked, there should be subsequent review or public reporting to prevent abuse.
● Transparency and Accountability: The government should publish aggregate statistics on how often and on what grounds data exemptions are used. Citizens (or their nominees) should have the right to know when their data has been accessed, unless doing so would jeopardize security. There should be legal remedies (such as punitive sanctions) for misuse of personal data by officials, strengthening the enforcement powers of the DPDP Board.
● Prioritizing Public Interest: Finally, a mechanism similar to the public interest override mechanism in the RTI Act should be maintained. Personal data concerning public officials and matters of governance should be disclosed unless a compelling public interest is demonstrated. (The constitutional principle is that intrusions on privacy are only permissible if they are necessary/proportionate and serve a legitimate public accountability objective.) Reinstating the “larger public interest” clause for official data will help prevent corruption and ensure scrutiny by a free press.
Conclusion: Recommendations
India's DPDP Act is a landmark in recognizing data privacy, but its government exemption provisions still risk making it a one-sided law. To restore balance and uphold democratic values, we recommend:
● Limit the scope of exemptions. Redefine "State instrumentality" to include only those entities absolutely essential for security (e.g., defined security/intelligence agencies), and require any exemptions to be specified with clear limitations by law.
● Incorporate necessity and proportionality. Amend the Act to explicitly state that any processing under Sections 7 or 17 must be necessary for a legitimate public purpose and proportionate in its impact on individuals. For example, add language requiring laws authorizing government data access to pass a proportionality test consistent with Article 21 jurisprudence.
● Empower independent review. Require a warrant or DP Board authorization for accessing sensitive personal data (e.g., location records, communications) without consent. Strengthen the DP Board and judicial processes to enable them to monitor state compliance. For example, granting the Board the power to audit exemptions and issue binding orders would align with the accountability mechanisms demanded by Principle 10.
● Set data retention limits and safeguard rights. Impose statutory limits on how long the government can retain personal data and mandate data deletion after the purpose is fulfilled (except for ongoing litigation). Maintain core data principal rights (access, correction, erasure) for government data as well, with limited exceptions.
● Preserve public interest scrutiny. Reverse or modify the RTI amendment: allow disclosure of personal data of public officials when the public interest in oversight is clear. It must be clearly acknowledged that the right to privacy, like any fundamental right, is not absolute and is subject to limitations in the face of a proven public interest, as determined by constitutional tests.
By implementing these safeguards, India can align its data laws with its constitutional promises and international best practices. The DPDP Act must ensure that state-sponsored intrusions into privacy are the exception, not the rule, and that they occur only under transparent and accountable circumstances. Only then can confidence be built that the law truly protects citizens, rather than subjecting them to perpetual digital surveillance.
References
1. PRS Legislative Research – Legislative Brief on the Digital Personal Data Protection Bill, 2023. https://prsindia.org/files/bills_acts/bills_parliament/2023/Legislative_Brief_Digital_Personal_Data_Protection_Bill_2023.pdf
2. Software Freedom Law Center – Major Highlights of the DPDP Bill, 2023.
3. Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC.
4. Justice K.S. Puttaswamy (Aadhaar-5J.) v. Union of India, (2019) 1 SCC.
5. Anuradha Bhasin v. Union of India, (2020) 3 SCC 637.
6. Maneka Gandhi v. Union of India, (1978) 1 SCC 248.
7. Digital Personal Data Protection Act, No. 22 of 2023.
8. Regulation (EU) 2016/679, art. 23 (General Data Protection Regulation).