How Government Bodies Must Navigate Data Protection Obligations Under India’s DPDP Regime: State Power, Citizen Data and Accountability

Posted On - 10 February, 2026 • By - Aniket Ghosh

Introduction: When the State Becomes the Largest Data Fiduciary

No entity in India processes personal data at the scale, depth, and inevitability of the State, with government systems creating a comprehensive digital profile of individuals through identity, welfare, tax, health, education, land, transport, and policing databases. Rapid digitisation over the past decade through e-governance, digital public infrastructure, smart cities, and data-driven welfare has further intensified the volume and centralisation of citizen data. With the DPDP Act, 2023 and the DPDP Rules, 2025, this data ecosystem has entered a new legal phase, subjecting the State, for the first time, to a statutory regime grounded in legality, proportionality, purpose limitation, and accountability; this article examines the application of the DPDP framework to government bodies, including the scope of State exemptions, the role of public authorities as data fiduciaries, lawful processing and data sharing, data protection, enforcement exposure, and practical compliance strategies.

Applicability of the DPDP Act to Government and Public Authorities

A. The State Is Squarely Within Scope

The DPDP Act squarely brings the State within its scope by applying to all entities that process digital personal data, including Central and State government departments, local authorities, regulators, PSUs, statutory bodies, smart city SPVs, and public-private partnerships performing public functions. The Act does not differentiate between commercial and sovereign data processing for applicability; instead, it permits only limited and purpose-specific exemptions, marking a significant departure from earlier assumptions of blanket State immunity.

B. Government Bodies as Data Fiduciaries

Government authorities act as data fiduciaries under the DPDP Act wherever they determine what personal data is collected, the purposes for which it is used, and how it is processed, linked, or retained. This fiduciary role extends across functions such as welfare delivery, regulation and enforcement, licensing, taxation, and urban governance or surveillance. While technology vendors, system integrators, and cloud service providers engaged by the State typically operate as data processors, the ultimate fiduciary responsibility remains with the concerned public authority.

Large-scale population databases may qualify government bodies as Significant Data Fiduciaries (SDFs), triggering enhanced governance obligations.

The State Exemption: Narrow Carve-Out, Not Blanket Immunity

A. Understanding the Exemption Architecture

The DPDP Act adopts a narrowly tailored exemption architecture for State processing, permitting exemptions only for specific functions such as safeguarding sovereignty and integrity, ensuring the security of the State, maintaining public order, and preventing, investigating, or prosecuting offences. These exemptions are purpose-specific, function-limited, and contingent on executive notification, and they do not amount to a general carve-out for all forms of government data processing.

B. Why Exemptions Will Be Closely Scrutinised

In the post-Puttaswamy framework, where privacy is recognised as a fundamental right, any reliance on exemptions under the DPDP Act will be subject to close scrutiny and must satisfy the tests of legality, necessity, proportionality, and procedural safeguards. Overbroad invocation of exemptions, especially for routine administrative or welfare-related processing, risks constitutional challenge and heightened judicial review.

The requirement of valid consent under the DPDP Act raises a fundamental dilemma in government contexts, where consent must be free, informed, specific, unambiguous, and capable of withdrawal. Where the State effectively demands data by linking disclosure to access to benefits, services, or legal compliance, the freedom of consent becomes questionable. As a result, government processing will often need to rely not on consent but on statutory mandate or necessity for the performance of a public function, provided such reliance is clearly documented, strictly purpose-limited, and transparently communicated to citizens.

B. Welfare Schemes and Conditionality

Welfare programmes often condition access on Identity verification, linking across databases, and continuous data updates. Absent strong legal justification and safeguards, such conditionality risks violating forcing consent through deprivation, a concern courts are likely to examine closely.

Welfare Databases, Profiling and Function Creep

A. From Delivery to Surveillance

Welfare and governance databases that are originally created for benefit delivery or subsidy targeting are often later repurposed for fraud detection, predictive analytics, behavioural profiling, or policy enforcement. Under the DPDP Act, such function creep violates the principle of purpose limitation unless it is explicitly authorised by law, transparently disclosed to individuals, and accompanied by appropriate safeguards.

B. Data Linking Across Departments

Cross-linking databases across sectors such as health, education, taxation, land records, and policing enables the creation of comprehensive, 360-degree citizen profiles. While such integration may be administratively efficient, it significantly magnifies the harm arising from errors or data breaches, increases surveillance risks, and raises serious proportionality concerns. The DPDP framework therefore implicitly discourages unchecked horizontal data sharing in the absence of a clear legal basis.

Smart Cities, Surveillance and Urban Data

A. Continuous Monitoring as Personal Data Processing

Smart city initiatives increasingly rely on continuous monitoring technologies such as CCTV, facial recognition systems, automated traffic management, command-and-control centres, and IoT sensors that track movement and behaviour. These systems involve ongoing processing of personal data, often without any meaningful opt-out for individuals. Under the DPDP Act, such surveillance must meet strict standards of necessity and proportionality, be accompanied by adequate notice and transparency, and adhere to limited retention periods; the invocation of “security” alone will not justify unlimited or indiscriminate data capture.

B. Facial Recognition and Biometric Risk

The use of facial recognition and other biometric technologies by public authorities substantially heightens the risks of misidentification, chilling effects on civil liberties, and long-term erosion of individual rights. Given the sensitivity and irreversibility of biometric data, such processing by the State is likely to attract the highest levels of judicial and regulatory scrutiny under the DPDP framework.

Law Enforcement, Policing and Data Retention

A. Criminal Justice Data

Police and enforcement agencies process highly sensitive personal data, including arrest and investigation records, CCTV and body-camera footage, and call and location data. While certain exemptions under the DPDP Act may apply, authorities remain obligated to define clear retention periods, prevent unauthorised secondary use, and ensure robust data security; indefinite retention without explicit statutory backing is therefore legally vulnerable.

B. Predictive Policing and AI Tools

The use of AI-driven tools for crime prediction, risk scoring, and crowd analytics raises significant concerns under both the DPDP framework and constitutional law, particularly in relation to opacity, bias amplification, and group-based profiling. Such systems must be grounded in clear legal frameworks with defined safeguards, rather than justified solely on the basis of administrative efficiency or convenience.

Data Sharing with Private Entities and PPPs

A. Public–Private Partnerships (PPPs)

In public–private partnership models, government data is frequently shared with technology vendors, analytics providers, and consultants. The DPDP Act requires clear allocation of roles between data fiduciaries and data processors, robust contractual safeguards, and strict limits on data reuse and monetisation, reinforcing that public data cannot automatically be converted into a private commercial asset.

B. Monetisation of Government Data

Efforts to monetise anonymised government datasets must contend with persistent risks of re-identification, potential group-level harm, and the practical impossibility of obtaining meaningful consent at scale. Under the DPDP framework, assumptions that government-held data is freely exploitable or commercially deployable by default are no longer sustainable.

Cross-Border Transfers and Sovereignty Concerns

As government systems increasingly rely on global cloud providers and overseas analytics engines, cross-border transfers of public data raise acute sovereignty concerns. Under the DPDP Act, such transfers are permitted only to jurisdictions specifically notified by the government, and for public authorities this requirement directly intersects with issues of national security, data sovereignty, and strategic autonomy. Poorly governed or non-compliant transfers therefore carry not only legal risk but also potential geopolitical fallout.

Data Breaches in Government Systems

A. Mandatory Breach Notification

The DPDP Act and its Rules mandate notification of personal data breaches to the Data Protection Board of India and, where applicable, to affected individuals, and these obligations apply equally to government bodies.

B. Systemic Harm

Data breaches involving government systems can simultaneously affect millions of individuals, facilitate large-scale identity fraud, and significantly undermine public trust in governance, with reputational and political consequences that often exceed the impact of financial penalties.

Penalties, Enforcement and Constitutional Risk

A. Monetary Penalties

The DPDP Act empowers penalties up to INR 250 crore per contravention. While enforcement against the State may be calibrated, statutory exposure exists.

B. Judicial Oversight and PIL Risk

Beyond statutory penalties under the DPDP framework, government bodies are exposed to heightened judicial oversight through public interest litigation, constitutional challenges, and court-imposed restrictions. Non-compliance with DPDP norms can significantly strengthen claims of arbitrariness and violations of fundamental rights, increasing both legal and institutional risk.

Governance Roadmap for Government and Public Authorities

2. Exemption Discipline: Use exemptions narrowly, with documented justification.

3. Purpose Limitation and Retention Controls: Prevent function creep and indefinite storage.

4. Vendor and PPP Governance: Strengthen contracts and oversight of private partners.

5. Transparency and Citizen Trust: Adopt clear notices, grievance mechanisms and accountability structures.

Conclusion: From Digital State to Accountable State

The DPDP Act and Rules are not constraints on the State’s capacity to govern; they are instruments that reinforce its legitimacy. By embedding legality, proportionality, and accountability into the architecture of digital governance, the framework brings everyday data practices closer to constitutional values. For government bodies, compliance with data protection norms is therefore more than a legal requirement, as it is a democratic responsibility. Institutions that meaningfully internalise DPDP principles will be better equipped to earn public trust and build resilient, transparent, and rights-respecting governance systems for India’s digital future.