How India Handles Online Privacy and Surveillance
India's privacy landscape is defined by a fundamental tension between the constitutional right to privacy (established as fundamental in Justice K.S. Puttaswamy v. Union of India, 2017) and a state with extensive surveillance capabilities and broad legal authorities to access private data.
The Puttaswamy judgment — a nine-judge Constitution Bench ruling — held that privacy is an intrinsic component of life and liberty under Article 21; it is not absolute and can be restricted by law that is proportionate to a legitimate state aim and procedurally sound.
This constitutional foundation informed the DPDPA 2023; it also provides the framework for evaluating the legality of India's surveillance architecture — telephone interception, internet surveillance, CCTV networks, Pegasus spyware deployment, and the proposed NATGRID (National Intelligence Grid) data aggregation system.
The Information Technology Act's Section 69 authorises interception, monitoring, and decryption of computer-based communications. NATGRID — proposed to aggregate data from 21 government databases including railways, airlines, banking, immigration, and telecom — is still partially under development; civil society organisations argue it creates an infrastructure for comprehensive citizen surveillance that the Puttaswamy proportionality test cannot justify.
What You Need to Know
- Puttaswamy 2017 (Right to Privacy): nine-judge bench; unanimously held privacy is a fundamental right under Article 21; privacy has multiple dimensions (physical, decisional, informational, dignity); justified restrictions must satisfy proportionality (legality, legitimate aim, necessity, proportionality in the strict sense); the judgment is the constitutional foundation for DPDPA and for challenging disproportionate surveillance.
- Telecommunications Act 2023 interception provisions: Section 20 of the new Act continues lawful interception authority; Home Secretary or designated officer can authorise interception for national security, public safety, or prevention of crime; TRAI separately regulates telecom service provision; the Act expands the telecom security framework compared to the predecessor law.
- NATGRID: National Intelligence Grid — an integrated database aggregating 21 government databases for intelligence agency access; under development since 2010; civil society describes it as a "pervasive surveillance infrastructure"; operational status and extent of actual aggregation have not been officially confirmed.
- Pegasus in India (2021): documented targeting of Indian journalists, activists, opposition politicians, and government officials' phones with NSO Group's Pegasus spyware (see Vertical 7, Article 24); Supreme Court constituted technical committee; government neither confirmed nor denied; committee found government non-cooperative; no accountability established.
- DPDPA government exemptions: Section 17 of DPDPA exempts state data processing for sovereignty, security, and public order from most DPDPA obligations; exemptions extend to preventing and detecting offences; the effect is that surveillance-related government data processing is largely exempt from the data protection rights framework.
How It Works in Practice
1. Lawful interception at scale: India's telecommunications interception infrastructure allows government agencies (IB, RAW, state intelligence bureaus, police) to request telecom operators to intercept specific phone calls and data communications. Section 69A (IT Act) allows government to order platforms to share user data; Section 69 allows decryption requirements. The absence of judicial authorisation for most interception orders — which can be issued by executive officers — is a significant departure from the "prior judicial authorisation" model that civil society considers constitutional best practice.
2. CCTV and facial recognition expansion: India's Smart Cities Mission has funded extensive CCTV installation across 100 smart cities; Delhi alone had approximately 300,000 CCTV cameras by 2023; at airports, railway stations, and public spaces, CISF and police use facial recognition systems for identification. The legal framework for facial recognition — biometric data processing under government surveillance — is not specifically regulated; the DPDPA's biometric data protections nominally apply but the government exemptions substantially limit their effect on state surveillance.
3. Social media monitoring: India's state police forces, IB, and central intelligence agencies monitor social media for "anti-national" content, security threats, and civil unrest signals; the IT Rules' message traceability requirements (for WhatsApp) are designed partly to enable retrospective identification of message originators for security investigations. The documented cases of journalists and academics targeted for social media posts (Operation Sindoor detentions, university student cases) illustrate that social media monitoring informs specific legal actions.
4. The Aadhaar-surveillance concern: Civil society has consistently raised concerns that Aadhaar's authentication logs — recording every time a citizen authenticates for welfare access, banking, or telecom — create a comprehensive timeline of an individual's economic activities that could be accessed by intelligence agencies. The Virtual ID system (which provides authentication without revealing the actual Aadhaar number to authenticating entities) addresses third-party tracking but not government access to UIDAI's central logs.
5. The DPDPA's impact on surveillance is limited: The DPDPA's extensive government exemptions mean it does not substantially constrain India's surveillance state; the constitutional right to privacy (Puttaswamy) is the more important legal check on surveillance, requiring proportionality; but proportionality challenges require individual litigation before courts rather than regulatory enforcement, making accountability for disproportionate surveillance slow and resource-intensive.
What People Often Misunderstand
- India's surveillance architecture is extensive but not as documented as democratic transparency would require: The absence of transparency reporting (government disclosures of how many interception orders were issued) makes it impossible to assess the scale of India's surveillance operations; the absence of transparency is itself a governance concern.
- The DPDPA does not protect individuals from state surveillance: The law's government exemptions are specifically designed to preserve state security surveillance capacity; the DPDPA's protections apply primarily to commercial data processing, not to state surveillance.
- Puttaswamy's proportionality test is real but enforcement is weak: The constitutional privacy right is genuine; judicial enforcement against specific surveillance operations — rather than general frameworks — is resource-intensive and rarely pursued; the practical protection is weaker than the constitutional text suggests.
- India's surveillance concerns are shared by democracies globally: US metadata surveillance (NSA PRISM), UK's GCHQ operations, France's DGSI, and other democracies all operate extensive surveillance programmes under executive authorisation; India's situation is broadly comparable to other large democracies, not uniquely exceptional.
- Facial recognition lacks specific legal basis in India: Unlike UIDAI (which has a specific statute) or telephone interception (which has specific rules), facial recognition deployment in public spaces in India lacks specific statutory authorisation; its legality under the Puttaswamy framework has not been adjudicated.
What Changes Over Time
The DPDPA Rules' elaboration of biometric data processing requirements may create some specific protections for facial recognition data, even in commercial contexts; the government's treatment of its own facial recognition deployments under the same rules will be tested through litigation.
The proposed Personal Data Protection and Intelligence Amendment legislation — consolidating data protection and surveillance oversight in a single framework — has been discussed but not introduced.
