Government Access to Data under the DPDP Act, 2023: Exemptions, Surveillance Concerns, and Safeguards

Executive Summary
The Digital Personal Data Protection Act, 2023 (DPDP Act) grants broad exemptions to the government for processing personal data without consent in the name of national security, sovereignty, public order, and law enforcement. While this ensures flexibility for state functions, it has triggered concerns over mass surveillance, lack of judicial oversight, and limited accountability.
For businesses, government access requests create operational and reputational challenges: fiduciaries must comply with lawful directions while safeguarding individual rights and maintaining global compliance commitments. This essay analyses the statutory exemptions, evaluates safeguards, compares India’s model with global regimes, and provides practical corporate guidance for responding to government requests.
Introduction: Privacy and the State
Privacy is a fundamental right in India (Justice K.S. Puttaswamy v. Union of India, 2017). Yet, like all rights, it is subject to reasonable restrictions. Governments worldwide reserve powers to access personal data for security and governance. The DPDP Act reflects this tension: it enshrines privacy protections but provides broad exemptions for the State.
Statutory Exemptions under the DPDP Act
The Act lets the State process personal data without consent either as a "legitimate use" (Section 7) or under the exemptions in Section 17, in cases such as:
1. National Security and Sovereignty: Processing necessary for the interests of India’s sovereignty, integrity, and security.
2. Law Enforcement: Investigation, prevention, detection, or prosecution of offences.
3. Public Order: Processing necessary to maintain public order.
4. Government Functions: Providing subsidies, benefits, services, or licenses.
5. Legal Obligations: Compliance with law or court orders.
Scope and Breadth of Exemptions
- No Judicial Pre-Authorisation: The Act does not require prior judicial approval before authorities access data; by contrast, GDPR Article 23 at least requires that any restriction on data-subject rights be a necessary and proportionate measure.
- Vague Grounds: Terms like "public order" and "security of the State" are not defined in the Act, leaving room for broad interpretation.
- No Explicit Transparency Obligations: Fiduciaries are not required to publish statistics on government requests.
Surveillance Concerns
1. Mass Surveillance Potential: Broad exemptions could legitimise bulk data collection (telecom metadata, social media monitoring).
2. Chilling Effect: Citizens may self-censor due to fear of government monitoring.
3. International Criticism: Weak safeguards may hinder India’s data adequacy recognition by the EU.
4. Overlap with Other Laws: Telecom interception under Section 5(2) of the Telegraph Act, interception and decryption under Section 69 of the IT Act, and the CERT-In directions of April 2022 all coexist with the DPDP Act; a request may invoke any of them.
Safeguards in the DPDP Act
The Act includes limited safeguards:
- Proportionality Principle: State processing must still satisfy the Puttaswamy test of legality, legitimate aim and proportionality, though the Act's exemption provisions do not spell out that test themselves.
- Board Oversight: The Data Protection Board may indirectly assess complaints of misuse, though its jurisdiction over state surveillance is unclear.
- Fundamental Rights Check: Judicial review under Articles 32 and 226 remains available, though it is reactive rather than preventive.
Compared to global regimes, these safeguards are modest.
Global Comparisons
GDPR (EU)
- Public interest exemptions allowed but subject to necessity and proportionality tests.
- Surveillance laws in Member States subject to CJEU scrutiny.
U.S. (FISA, CLOUD Act)
- Foreign intelligence surveillance under FISA requires orders from the Foreign Intelligence Surveillance Court.
- The CLOUD Act lets U.S. warrants reach data held abroad and allows executive agreements with foreign governments, subject to statutory privacy and civil-liberties conditions.
UK (Investigatory Powers Act)
- Interception and data retention powers operate under a "double lock": warrants issued by the Secretary of State must also be approved by a Judicial Commissioner.
India (DPDP)
- Executive discretion dominates, with limited independent oversight.
Implications for Corporates
Businesses face dual risks:
- Legal: Must comply with lawful government orders or face penalties.
- Reputational: Risk of backlash if perceived as complicit in overbroad surveillance.
Illustrative Corporate Scenarios
Scenario 1: Telecom Operator
- Government requests metadata of subscribers in border regions citing “public order.”
- Operator must verify order’s validity under DPDP and telecom laws.
- Must comply, but document request for audit.
Scenario 2: Fintech Platform
- Law enforcement demands transaction logs of a fraud suspect.
- Fiduciary must comply with lawful request.
- Must ensure request is specific and documented.
Scenario 3: Social Media Platform
- Agency seeks bulk user activity data for monitoring misinformation.
- Platform must evaluate scope – narrow data for specific purpose vs. broad dragnet.
- Consider escalation to legal review before complying.
Practical Corporate Guidance
Step 1: Verification of Lawful Basis: Ensure request cites lawful authority (statute, order, or notification).
Step 2: Internal Escalation: Route all government requests through legal/compliance teams. The Data Protection Officer (mandatory only for Significant Data Fiduciaries) must be informed.
Step 3: Documentation: Maintain records of requests, responses, and data shared. Document rationale for compliance or refusal.
Step 4: Narrow Compliance: Share only what is lawfully required and avoid over-disclosure.
Step 5: Transparency (Where Possible): Publish anonymised “transparency reports” on volume of government requests.
Step 6: Global Alignment: Ensure response strategy aligns with cross-border commitments (e.g., GDPR restrictions on transfers to governments).
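The steps above can be made mechanical so that no analyst hands over data outside an order's scope. The following is an added example, not code from the original article or from any fiduciary: a request intake that refuses routine handling when no lawful basis is cited or the request is bulk (Step 1), narrows disclosure to named subjects, an allowlist of data categories and the stated period (Step 4), writes a hashed audit record of exactly what left the system (Step 3), and rolls records into counts for a transparency report (Step 5). The user records, the allowlist, the thresholds and the cited statute text are all constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import date

# Constructed sample records for a hypothetical fintech fiduciary (not real data).
USERS = {
    "u1001": {
        "name": "Asha Rao", "phone": "+91-9000000001", "pan": "ABCDE1234F",
        "transactions": [
            {"date": "2024-03-02", "amount": 1500, "counterparty": "m-77"},
            {"date": "2024-05-19", "amount": 98000, "counterparty": "m-12"},
        ],
    },
    "u1002": {
        "name": "Bharat Sen", "phone": "+91-9000000002", "pan": "FGHIJ5678K",
        "transactions": [{"date": "2024-05-20", "amount": 200, "counterparty": "m-12"}],
    },
}

# Hypothetical policy: categories this fiduciary will disclose on a lawful order,
# and thresholds beyond which a request is treated as bulk and escalated.
DISCLOSABLE = {"transactions", "phone"}
MAX_SUBJECTS = 50
MAX_PERIOD_DAYS = 365


@dataclass(frozen=True)
class Request:
    reference: str      # agency's order number
    authority: str      # requesting agency
    legal_basis: str    # statute / section cited in the order ("" if none)
    subjects: tuple     # identifiers named in the order
    fields: tuple       # data categories asked for
    start: date
    end: date


def validate(req):
    """Step 1: problems that block routine compliance and force legal escalation."""
    problems = []
    if not req.legal_basis.strip():
        problems.append("no lawful basis cited")
    if not req.subjects:
        problems.append("no named subjects (bulk request)")
    elif len(req.subjects) > MAX_SUBJECTS:
        problems.append("%d subjects exceeds bulk threshold %d" % (len(req.subjects), MAX_SUBJECTS))
    if (req.end - req.start).days > MAX_PERIOD_DAYS:
        problems.append("period exceeds one year")
    over = sorted(set(req.fields) - DISCLOSABLE)
    if over:
        problems.append("fields outside allowlist: " + ", ".join(over))
    return problems


def extract(req):
    """Step 4: only named subjects, only allowlisted fields, only within the period."""
    out = {}
    for uid in req.subjects:
        rec = USERS.get(uid)
        if rec is None:
            continue
        narrowed = {}
        for f in req.fields:
            if f not in DISCLOSABLE or f not in rec:
                continue
            if f == "transactions":
                narrowed[f] = [t for t in rec[f]
                               if req.start <= date.fromisoformat(t["date"]) <= req.end]
            else:
                narrowed[f] = rec[f]
        out[uid] = narrowed
    return out


def audit_record(req, disclosed, decision):
    """Step 3: record what was shared; the hash lets the export be checked against the log later."""
    canonical = json.dumps(disclosed, sort_keys=True, separators=(",", ":")).encode()
    return {
        "reference": req.reference,
        "authority": req.authority,
        "legal_basis": req.legal_basis,
        "decision": decision,
        "subjects": len(disclosed),
        "sha256": hashlib.sha256(canonical).hexdigest(),
    }


def handle(req):
    """Whole workflow for one request; an escalated request discloses nothing."""
    problems = validate(req)
    if problems:
        return audit_record(req, {}, "escalated: " + "; ".join(problems))
    return audit_record(req, extract(req), "complied")


def transparency_summary(records):
    """Step 5: counts by outcome only, with no order numbers or subject identifiers."""
    summary = {"complied": 0, "escalated": 0}
    for r in records:
        summary["complied" if r["decision"] == "complied" else "escalated"] += 1
    return summary


# Two constructed requests: one specific and lawful on its face, one bulk and over-broad.
SPECIFIC_REQUEST = Request("ORD-2024-17", "State Police", "cited statute and section (hypothetical)",
                           ("u1001",), ("transactions",), date(2024, 5, 1), date(2024, 5, 31))
BULK_REQUEST = Request("ORD-2024-18", "Monitoring Agency", "cited statute (hypothetical)",
                       (), ("transactions", "name"), date(2024, 1, 1), date(2024, 12, 31))

if __name__ == "__main__":
    records = [handle(SPECIFIC_REQUEST), handle(BULK_REQUEST)]
    print(json.dumps(records, indent=2))
    print(transparency_summary(records))
```

The allowlist and thresholds are policy choices, not legal requirements; the point is that scope narrowing and the audit hash are enforced by the tool rather than left to whoever receives the order, and that a bulk request never reaches `extract` without a legal decision.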
Risks of Mishandling Government Requests
- Regulatory Penalties: Non-compliance with lawful orders may invite sanctions.
- Civil Liability: Over-compliance could expose fiduciary to claims from Data Principals.
- Reputational Harm: Perceptions of enabling surveillance may erode trust.
- Global Conflicts: Compliance with Indian requests may breach foreign privacy laws.
Compliance Strategies
1. Government Request Policy: Formal written policy for handling requests.
2. Training: Staff trained to route requests to legal/compliance teams.
3. Technology Safeguards: Segregated systems to extract only relevant data.
4. Legal Audits: Regular reviews of requests received and responses provided.
5. Engagement with Regulators: Industry associations should lobby for clearer safeguards.
Conclusion
The DPDP Act provides broad exemptions for government access, prioritising sovereignty and law enforcement over privacy. For corporates, this creates a compliance tightrope: obey lawful requests while protecting trust and avoiding overreach.
Key takeaways:
- Exemptions cover national security, law enforcement, and government benefits.
- Safeguards are limited compared to GDPR and UK/EU regimes.
- Businesses must adopt structured processes to verify, document, and narrowly comply with requests.
- Transparency reporting and legal oversight are essential to balance trust with compliance.
India’s privacy regime is therefore dual-faced: strong obligations for businesses, but wide exemptions for the State. Navigating this asymmetry will be one of the greatest compliance challenges under the DPDP Act.
Co-authored by Aurelia Menezes