Introduction
The Ministry of Electronics & Information Technology (“MeitY”) published a draft of the Digital Personal Data Protection Rules, 2025 (“Draft Rules”), on January 3, 2025. These were formulated under the Digital Personal Data Protection Act, 2023 (“DPDP Act” or “Act”), which was passed by Parliament, and received presidential assent on August 11, 2023. The DPDP Act aims to regulate the processing of personal data, and contains requirements for collection, processing and sharing of personal data.
The Draft Rules intend to provide further clarity and regulatory specifications for implementing the Act. In line with the consultative approach that has been adopted towards lawmaking, the Central Government, through MeitY, sought comments and feedback on the Draft Rules. The goal is to create a well-balanced framework, which will be responsive to the needs and requirements of all relevant stakeholders, including the public, the Government, and industry.
Among these stakeholders, State Governments find themselves in a unique position. Not only do they play the role of implementing agencies, administrative bodies and enforcement authorities, they also act as data fiduciaries to the citizens whose personal data they hold or process. In this piece, we will examine the primary roles to be performed by State Governments in India under the evolving data protection regime.
Role of States as Providers of Goods and Services
The expression ‘State’ under Article 12 of the Constitution includes the Government and Parliament of India, Government and the Legislature of each of the States, all local authorities, and other authorities within the territory of India or under the control of the Government of India.
The courts have interpreted the scope of Article 12 in various significant judgments. In Sukhdev Singh v. Bhagatram Sardar Singh Raghuvanshi[1], Justice K. K. Mathew originated the doctrine of agency or instrumentality of the state. The Supreme Court held that a state, being an abstract entity, can only act through the instrumentality or agency of natural or juridical persons. Therefore, if the state acts through a corporation, such corporation becomes an agency or instrumentality of the State. Thus, the key question is whether the body in question is acting as an agency or an instrumentality of the government. The judicially developed concept of ‘agency or instrumentality of the state’ has effectively expanded the scope of Article 12.
Further, landmark judgments such as Ramana Dayaram Shetty v. The International Airport[2] and Ajay Hasia v. Khalid Mujib Sehravardi[3] have elucidated on the expanded scope of Article 12. In doing so, the Court has relied on tests such as quantum of financial assistance the entity receives from the State, and the existence of deep and pervasive governmental control inter alia.
Given the construct of Article 12 of the Constitution, State Governments in India would constitute data fiduciaries under the DPDP Act. Section 2(i) of the Act defines ‘data fiduciary’ as meaning “any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data”. State Governments engage in the delivery of a variety of goods and services to citizens, and perform various administrative and legal duties. Many of these activities would require personal data of citizens to be held and processed by State Governments. This would render State Governments to be data fiduciaries under the Act, who would be bound by the obligations, conditions and requirements that are stipulated under the Act.
Moreover, since State Governments would fall within the general meaning ascribed to the phrase ‘State and its instrumentalities’ (as contained within the Act), they would get the benefit of certain relaxations and exemptions that the Act attributes to this category of data fiduciaries. Perhaps most critically, Section 7(c) of the Act enables the State or any of its instrumentalities, in their capacity as data fiduciaries, to process personal data without the need to comply with the notice and consent regime of the Act, if such processing is for the “performance of […] any function under any law for the time being in force in India or in the interest of sovereignty and integrity of India, or security of the State”. This provision provides States (including the Central Government, State Governments and their instrumentalities) with elbow room to process personal data of citizens without their consent, as long as it is being done under a law or in the interests of sovereignty/ security.
In addition to this general enablement, there is also a specific exemption provided to States from the notice and consent regime under Section 7(b) of the Act, where States provide data principals with a “subsidy, benefit, service, certificate, license or permit”, where consent has been previously provided, or where the personal data in question is available in any database, register, book or other document that is maintained by the Government and notified by the Central Government. In similar vein, Sections 7(f), 7(g) and 7(h) of the Act enable States to respond to medical emergencies, threats to public health disasters and breakdowns of public order by processing personal data without having to obtain consent from the relevant data principals.
Taken together, these provisions appear to adopt a facilitative approach towards State Governments aiming to deliver goods and services to its citizens. Two points, however, should be noted here. One, Section 7 only provides limited relaxation from the requirement to obtain consent. All other requirements of the Act, such as the need to adopt technical and organisational measures, reasonable security safeguards, and ensuring completeness, accuracy, and consistency of data, need to be complied with. States must, therefore, be mindful of their duties and obligations under the Act, with respect to the personal data they may be processing.
Two, notwithstanding the exemption from the notice and consent regime, States will still be bound by the principle of purpose limitation vide Section 4(1)(b) of the Act. States would, therefore, do well to ensure that citizens’ personal data, collected for the purposes of delivery of goods and services, does not end up being processed for other reasons. This would significantly impact data sharing between government departments.
Role of States in Law Enforcement and Executive Capacity
In their role as law enforcement and executive authorities, States may not only rely on the general legitimate use exemption provided under Section 7(c) of the Act, but also on certain other legitimate use provisions such as Sections 7(d) and 7(e), that relate to fulfilling of disclosure obligations and compliance with judgments or decrees.
Reliance may also be placed on Section 17 of the Act, that provides a much wider berth to relevant data fiduciaries in terms of exemptions. Sections 17(1)(b) and 17(1)(c) may be leveraged by States for discharging of quasi-judicial, regulatory and supervisory matters; and for law enforcement purposes, respectively. Section 17(2), which is an exemption from every other provision of the Act, applies to the instrumentalities of the State, as may be notified by the Central Government, in the interests of sovereignty and integrity of India, security of the State, maintenance of public order, etc.
It should be noted here that unlike the legitimate use exemptions under Section 7, the exemptions under Section 17 apply much more widely to not just notice and consent, but also matters such as technical and organisational measures, breach reporting etc. Section 17(2) goes a step further and creates a blanket exemption for certain notified data fiduciaries.
While States may be tempted to use these exemptions liberally, it would be prudent to continue putting in place safeguards and protocols for processing of personal data in its agencies’ possession. Notwithstanding the exemptions provided under the Act, the right to privacy remains a fundamental right recognised by the Supreme Court in the Justice K.S. Puttuswamy[4] judgment, and the principles of legality, legitimacy and proportionality need to be upheld by the State Governments while dealing with the personal data of citizens.
It is, therefore, crucial for State Governments to put in place robust internal protocols to ensure checks and balances that comply with the test of proportionality in letter and spirit. These may be operationalised through tools such as Standard Operating Protocols, internal policy documents, and FAQs to guide State Government departments towards responsible processing of personal data. Such safeguards would ensure procedural fairness and transparency, consequently boosting citizen confidence.
Role of States in Research, Archiving and Statistical Purposes
Section 17(2)(b) of the Act creates a blanket exemption from the applicability of the rest of the Act in cases where personal data is being processed for the purposes of researching, archiving, or for statistical purposes, implying that the personal data is not being used for taking any decision specifically related to the data principal, and further subject to such processing being carried out in accordance with standards as may be prescribed.
This provision provides States with the opportunity to seamlessly leverage personal data in their possession for pursuing reach, development and welfare-related goals, and for enabling policy formulation basis empirical data and evidence. However, for this provision to be meaningfully utilised, care will have to be taken to ensure that robust standards and practices are maintained for data quality, accuracy and protection, and that the purposes for which such data is being used are at all times related to research, archiving and statistics. Clinical and well thought through use of such data can go a long way in addressing socio-economic challenges and driving growth and innovation in sectors such as agriculture, health, climate change, social-justice, welfare and sustainable development.
Conclusion
Given the federal set up of the Indian republic, State Governments will have a critical role to play in the country’s emerging data protection ecosystem. In this piece, we have analysed three dominant roles to be performed by State Governments under the DPDP regulatory framework and mapped these roles to their concomitant obligations under the Act. These are (i) role of States as providers of goods and services, (ii) role of States in law enforcement and executive capacity, and (iii) role of States in research, archiving and statistical purposes.
The stance that States adopt in relation to protection of personal data of citizens will act as a trendsetter, not only for other government instrumentalities in the country, but also for industry players and private enterprises acting as data fiduciaries. Consequently, State Governments should ensure robust internal protocols to ensure checks and balances that comply with the test of proportionality. Tools such as Standard Operating Protocols, internal policy documents, and FAQs may be considered to promote responsible practices while processing personal data within the government. It is, therefore, hoped that State Governments play a proactive and responsible role in protecting personal data of citizens, as India ushers in its new data protection era.
For further information, please contact:
Arjun Goswami, Partner, Cyril Amarchand Mangaldas
arjun.goswami@cyrilshroff.com
[1] AIR 1975 SC 1331.
[2] 1979 AIR 1628.
[3] 1981 1 SCC 722.
[4] AIR 2017 SC 4161.