By R. Suryamurthy
India has finally switched on its long-delayed data protection regime, and at first glance, the moment looks like a milestone — a country of 1.4 billion people stepping into the league of nations that take digital rights seriously. But peel back the official statements, the compliance countdowns and the carefully crafted rhetoric, and something far more unsettling comes into view. The new Digital Personal Data Protection Rules, 2025 demand strict, almost European-level discipline from companies and individuals — while giving the Indian state the unilateral authority to walk around the law whenever it chooses. That is the real story. Not the notices or the deadlines. The core fact is that the government has carved out for itself an escape hatch so wide it effectively places the state outside the perimeter of India’s own privacy regime.
Once that is recognised, the rest of the framework stops looking like a coherent privacy law and starts looking like a political compromise dressed in legal language. The EU’s GDPR holds governments and corporations to the same standard, which is why European regulators routinely haul state agencies and ministries to court. China’s PIPL, for all its authoritarian bluntness, is at least ideologically consistent: the state stands supreme over all digital data and declares it openly. The US, with its fragmented sectoral patches, still leans on agencies that are structurally insulated from day-to-day political whim. India, in contrast, has built something stranger — a hybrid that borrows the strictest corporate obligations from Europe, the most sweeping state exemptions from China, and the broad discretionary leeway of the American executive. It is a privacy model that inherits the weaknesses of all three systems and the safeguards of none.
The asymmetry is stark. Companies must encrypt, anonymise, obfuscate, tokenise and prepare breach reports within 72 hours. They must maintain access logs for a full year, build business continuity plans, verify age and parental consent, create plain-language notices, maintain grievance systems, invest in audits, and comply with stringent security controls. Citizens, on paper, are granted the right to access their data, correct it, erase it, and withdraw consent. But none of this is guaranteed if the data holder happens to be the government. A single executive notification — issued quietly, without parliamentary debate, without judicial review, and without any obligation to disclose — can exempt any government agency from any of the law’s core provisions. Consent requirements can be dropped. Breach reporting can be waived. Purpose limitation can be suspended. It is not just a loophole; it is a self-granted general amnesty.
This is not how modern democracies build privacy architecture. The EU would consider it unthinkable for a government to exempt itself from a law that regulates personal data. Even China’s system, which gives the state sweeping authority, at least codifies the state’s supremacy explicitly and consistently. India does something more ambiguous: it speaks the language of rights and citizen empowerment while simultaneously reserving the sovereign ability to sidestep the very rights it celebrates. Privacy experts are already calling this the “original sin” of the DPDP Act — a design flaw so fundamental that it shapes everything downstream.
The enforcement body, the Data Protection Board of India, compounds this imbalance. It is presented as an independent authority but is, in practice, structurally tethered to the executive. Its members are appointed by the government. Its finances depend on the government. It has no statutory guarantees of autonomy. In Europe, data protection authorities have clear independence built into law. Even China’s regulators sit within predictable hierarchical structures. The US Federal Trade Commission, despite Washington’s politics, is designed to operate independently of the administration of the day. India’s DPBI is closest to an administrative tribunal — one whose independence depends on the goodwill of the very authority it may be required to scrutinise. A regulator designed this way cannot function as a counterweight. At best, it can arbitrate disputes between companies. At worst, it becomes a supervisory mechanism that applies pressure downward but not upward.
This might have been tolerable a decade ago, when India’s digital infrastructure was still young. Today, the stakes are vastly higher. India wants to be a global centre for artificial intelligence, data processing, cloud infrastructure and cross-border data flows. It wants foreign companies to build AI models here, host servers here, bring research labs here. But the rules governing those decisions — adequacy conditions, cross-border transfer norms, foreign surveillance safeguards, criteria for Significant Data Fiduciaries — have all been left vague or deferred to future notifications. No other major privacy regime leaves the heart of its international data architecture undefined after the law goes live. Europe’s system is dense but predictable. China’s is restrictive but transparent about its ideological priorities. America’s is fragmented but politically stable. India’s model is strict on paper, erratic in its details, and highly dependent on future executive decisions. For global firms planning multi-year investments, uncertainty is risk — and risk is expensive.
Nowhere is the contradiction clearer than in the treatment of children’s data. On paper, India’s protections are among the strongest in the world. Targeted advertising to minors is banned. Profiling is limited. Verifiable parental consent is mandatory. These are tough standards, stronger than COPPA in the US and comparable to the GDPR’s strictest interpretations. But the rules stop short of applying these protections to the government itself. School databases, scholarship portals, and Aadhaar-linked welfare systems may be fully exempted. This means India has created a regime where a private tutoring app must jump through multiple hoops to protect a child’s data, but a government department holding far more sensitive information may choose not to. No liberal democracy grants the state such sweeping freedom over children’s personal data. India has normalised it.
Even India’s most inventive idea — Consent Managers — suffers from the same flaw. In theory, these managers could revolutionise user agency: a single interface where citizens can track, manage and revoke consent across apps and services. But this only matters if consent is the foundation of the entire system. If the government can exempt itself from consent obligations, then a citizen may be able to revoke permissions from an e-commerce platform but not from a welfare database holding biometric records. That is not meaningful empowerment. It is user control within an artificially bounded sandbox — a power that evaporates the moment the request goes upward instead of sideways.
The world is already trying to decode what India is signalling. Europe will hesitate before granting adequacy because adequacy requires confidence that a partner nation restrains its own government access. The US will remain cautious because cloud and AI investments rely on predictable cross-border data rules, not discretionary exceptions. China may see India’s model as tacit endorsement of sovereign data supremacy — minus the transparency with which Beijing asserts it. India positions itself as a “fourth model,” but the question is whether this model has institutional depth or merely political convenience.
And so the debate boils down to a single, unavoidable question: Will the Indian government ever hold itself to the same standards it imposes on the private sector? The test is not theoretical. Will ministries report data breaches affecting millions of citizens? Will consent withdrawals actually apply to police or welfare databases? Will DPBI orders be published in full for public scrutiny? Will exemptions shrink over time, or will they expand until they swallow the rule? Every major privacy regime in the world lives or dies on this basic principle — that the law binds the state, not just the citizen.
If India wants to be seen as a serious digital democracy, it cannot build its privacy system on executive shortcuts. It cannot trumpet citizen rights while undermining them with silent notifications. It cannot demand trust from global companies while keeping the rules of international data flows open-ended. And it cannot promise individuals control over their data while reserving for itself the right to bypass the architecture of control.
A privacy law that restrains companies but spares the state is not a privacy law. It is administrative housekeeping masquerading as rights protection. India can still fix this — by narrowing exemptions, strengthening oversight, guaranteeing regulatory independence and acknowledging that the state, in a data-rich era, is the single most powerful actor in the ecosystem. But unless it confronts this foundational contradiction, the country will remain trapped between aspiration and reality: a democracy that celebrates digital rights in theory while governing digital life in a way that keeps genuine privacy perpetually out of reach. (IPA Service)