
India's Digital Personal Data Protection Act (DPDP)

India's first comprehensive data protection law — passed in 2023, but with sweeping government exemptions that hollow out its protections.

In one sentence

The DPDP Act gives Indian citizens data protection rights for the first time, but Section 17 allows the central government to exempt any government agency from all obligations — for 'sovereignty, security of the state, or public order.'

How it works

The DPDP Act (2023) requires consent for data processing, provides access and erasure rights, mandates breach notification, and creates the Data Protection Board of India for enforcement. Penalties run up to INR 250 crore ($30M). The Act applies to processing of Indian citizens' data regardless of where the company is located. Significant data fiduciaries (major companies) face additional obligations, including audits and data protection impact assessments.

The government exemption

Section 17 grants the central government power to exempt any government agency from the entire Act by executive notification. No parliamentary approval required. No sunset clause. The exemption can be for 'sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order, or preventing incitement.' This is the broadest government self-exemption in any modern data protection law. It makes government data processing entirely unaccountable.

Surveillance context

India operates extensive surveillance through the Central Monitoring System (CMS), which gives intelligence agencies direct access to all telecom communications without operator involvement. The Pegasus spyware was used against journalists, opposition leaders, and activists (confirmed by Amnesty International's forensic analysis in 2021). Section 69 of the IT Act allows government interception of any communication. India has no independent surveillance oversight body — no judicial pre-approval is required for most interception.

What this means

Indian companies (Infosys, Wipro, TCS, Paytm, Ola, Zomato, Zerodha) and products with Indian operations face a dual reality. For private-sector misuse, the DPDP Act provides genuine protection. Against government access, there is no protection at all. The government exempted itself completely. India processes massive amounts of data for Western companies (IT outsourcing) — this data is accessible to Indian intelligence agencies with no legal check. The absence of an independent regulator (the Data Protection Board reports to the government) completes the picture: the entity being regulated controls the regulator.
