India

SSPAC’s highest-volume intelligence reporter after the US, operating three mass surveillance programmes with no independent oversight, 1 billion biometrics in Aadhaar, and a data protection law that lets the government exempt any agency

Overview

India’s privacy framework is defined by a contradiction between a 2017 Supreme Court ruling recognising privacy as a fundamental right (Puttaswamy, unanimous nine-judge bench) and the operational reality of the world’s largest biometric database (Aadhaar, 1 billion+ registrants), three mass surveillance programmes (CMS, NATGRID, NETRA) with no independent oversight, and warrantless government interception under IT Act Section 69.[1]

The DPDPA 2023 (India’s first data protection law) grants the Central Government power to exempt any agency from all provisions for national security. Rule 23 of the 2025 Rules enables warrantless government data collection from any Data Fiduciary. India joined SSPAC in 2008 and is simultaneously a Quad partner and SCO/BRICS member. RAW produces the highest volume of SSPAC reports after the United States. A constitutional challenge to the DPDPA is pending before the Supreme Court.[2][3]

Privacy Framework

The Data Protection Board (brought into force November 13, 2025) will handle complaints entirely online, with a maximum penalty of INR 2.5 billion (~$30M). As of early 2026, no enforcement actions have been taken; full data fiduciary obligations don’t take effect until May 2027.[4]

The DPDPA 2023 requires consent that is “free, specific, informed, unconditional and unambiguous” but has critical limitations versus the GDPR: no data portability right, no right to erasure in many contexts, the government can exempt any agency, and it applies only to digital data. Section 44(3) weakened the Right to Information Act (120+ opposition MPs demanded repeal). IT Act Section 69 authorises administrative (not judicial) interception of any digital communication. The Telecommunications Act 2023 replaced the 1885 Telegraph Act with broad interception authority and emergency powers; key safeguards from the 2007 Rules were omitted.[5][6]

Aadhaar: The World’s Largest Biometric Database

Over 1 billion residents are registered with all 10 fingerprints, iris scans, and facial photographs. Aadhaar is linked to bank accounts, mobile phones, tax records, and welfare programmes. In 2018, the Supreme Court upheld Aadhaar with restrictions on private-sector use, but in January 2025 UIDAI expanded authentication to private-sector e-commerce, travel, hospitality, and healthcare, reversing a core 2018 restriction. In February 2026, UIDAI launched a new app with selective attribute sharing and Google Wallet integration. The scale of centralised biometric data, combined with three mass surveillance programmes, creates identification and tracking infrastructure no other democracy operates at comparable scale.[7][8]

Surveillance and Intelligence

Intelligence Agencies

  • RAW (Research and Analysis Wing, est. 1968): Foreign intelligence.
  • IB (Intelligence Bureau, est. 1887): Domestic intelligence, the oldest in Asia.
  • NTRO (National Technical Research Organisation, est. 2004): Technical intelligence/SIGINT under the National Security Adviser.
  • Multi-Agency Centre (MAC): Real-time intelligence exchange among all agencies.[9]

Mass Surveillance Programmes

  • CMS (Central Monitoring System): Centralises interception, bypassing telecoms entirely to directly intercept communications in real time.
  • NATGRID: Links 21 categories of data from tax, banks, insurance, railways, immigration, and telecoms, processing 45,000 requests/month by 2025. The NPR (119 crore residents) was linked to NATGRID in December 2025; PM Modi ordered a scale-up at the November 2025 DGP conference.
  • NETRA: DRDO monitors internet traffic using keyword filters, capable of analysing even encrypted messages.

All three operate with no comprehensive legal framework and no independent oversight; authorisation comes through executive orders.[10][11]

Pegasus Spyware

300+ Indian phone numbers appeared on the Pegasus target list, including those of ministers, opposition leaders, journalists, Supreme Court judges, and activists. A technical committee confirmed malware on 5 of 29 devices. The government refused to cooperate and adopted a “neither confirm nor deny” position. On April 29, 2025, the Supreme Court refused to release the report; the bench asked, “What is wrong if a country is using spyware against terrorists?”, a remark widely seen as judicial endorsement of covert surveillance.[12]

Facial Recognition

The AFRS (Automated Facial Recognition System) is being deployed pan-India. Delhi Safe City Project: 10,000 cameras, mobile FRS vans, 70+ arrests in three months. Mahakumbh 2025: 2,700+ AI-integrated cameras. Independence Day 2025: matching against a 3 lakh suspect database. All 17,171 police stations are connected to CCTNS. No legal framework governs deployment.[13]

Oversight

No independent oversight body for intelligence. No parliamentary committee with operational access. No judicial review of interception orders. No whistleblower protection. Authorisation is administrative (Home Secretary), not judicial.[6]

Internet Infrastructure and Cable Surveillance

NIXI operates IXPs across seven core locations. DE-CIX Mumbai provides international peering. Approximately 17 cable systems land at 14 stations across Mumbai, Chennai, Cochin, Tuticorin, and Trivandrum. Tata Communications operates the largest share.[14]

India’s cable infrastructure intersects directly with mass surveillance. CMS bypasses operators entirely at the infrastructure level, extending to cable landing stations. IT Act Section 69 covers “any computer resource” including cable equipment. The Indian defence contractor Shoghi Communications manufactures submarine cable monitoring systems — one of the few documented cases of a country developing indigenous cable-tapping hardware. The Telecommunications Act 2023’s data localisation requirements increase the volume of communications accessible to CMS and NETRA.[15]

Data Retention

No comprehensive mandatory retention law. Unified License conditions require telecom operators to retain CDRs and subscriber data. ISPs must retain server logs. The Telecommunications Act 2023 adds data localisation requirements. The DPDPA requires retention only as long as necessary — but any agency exempted by the government has no statutory limitation.[6]

International Data Sharing Agreements

SSPAC

India joined in 2008. RAW, NTRO, and ARC are represented. RAW produces the highest volume of SSPAC reports after the United States. Counter-terrorism intelligence is shared via the CRUSHED ICE network. Counter Terror Deployed Analysts (CTDAs) were sent to India immediately after it joined.[3]

Quad and Dual Positioning

India is the only country simultaneously in the Quad (US, Japan, Australia, India), SSPAC, SCO (with Russia and China), and BRICS. This dual positioning creates tension between Western intelligence alignment and relationships with US strategic competitors.[16]

Mutual Legal Assistance: 39 Bilateral Treaties

India has 39 operational MLATs (Ministry of Home Affairs as Central Authority): Switzerland (1989), Turkey (1993), United Kingdom (1995), Canada (1998), Kazakhstan (2000), UAE (2000), Russia (2000), Uzbekistan (2001), Tajikistan (2003), Ukraine (2003), Mongolia (2004), Thailand (2004), Bahrain (2005), France (2005), South Korea (2005), Singapore (2005), South Africa (2005), United States (signed October 17, 2001, operational 2005), Belarus (2006), Mauritius (2006), Kuwait (2007), Spain (2007), Bulgaria (2008), Vietnam (2008), Mexico (2009), Egypt (2009), Hong Kong (2009), Bosnia-Herzegovina (2010), Iran (2010), Myanmar (2010), Sri Lanka (2010), Australia (2011), Bangladesh (2011), Indonesia (2011), Malaysia (2012), Azerbaijan (2013), Kyrgyz Republic (2014), Israel (2015), and Oman (2015). India can also make requests to non-MLAT countries on the basis of reciprocity.[17]

The US-India MLAT is supplemented by three foundational defence agreements: LEMOA (2016, logistics), COMCASA (2018, encrypted communications), and BECA (2020, geospatial intelligence) — integrating Indian and US military intelligence infrastructure to an unprecedented degree.[18]

The Privacy Backdoor Effect

India has the most extensive parallel data access pathways documented in this directory:

  • SSPAC: Highest-volume reporter after the US; RAW, NTRO, and ARC all participate
  • CMS/NATGRID/NETRA: Three mass surveillance programmes with no independent oversight
  • IT Act Section 69 / Rule 23: Administrative warrantless interception and data access
  • DPDPA exemptions: Any agency can be exempted from all data protection provisions
  • BECA/COMCASA/LEMOA: Integrated US-India military intelligence infrastructure
  • Aadhaar: 1 billion+ biometrics linked to financial and telecom records

Recent Developments

NATGRID-NPR Link (December 2025): The National Population Register (119 crore residents) was linked to NATGRID. PM Modi ordered a scale-up at the November 2025 DGP conference. NATGRID is processing 45,000 requests/month.[11]

Constitutional Challenge to DPDPA (February 2026): The Supreme Court issued notice on a challenge to the DPDPA and Rules. The petition contends that Section 44(3) is unconstitutional, that the Board lacks independence, and that Rule 23 violates Articles 14, 19, and 21. The matter was referred to a larger bench for March 2026.[19]

Pegasus Investigation Stalls (April 2025): Supreme Court refused to release technical committee report. Bench remarked that state spyware use against terrorists is unproblematic. Government maintains “neither confirm nor deny.”[12]

J&K VPN Ban (December 2025–February 2026): 800–1,000 questioned, 100+ faced action for VPN use. RSF described J&K as an “information black hole.” India recorded 84 internet shutdowns in 2024 — the highest of any democracy.[20]

Biometric Telecom KYC (September 2025): Draft rules propose mandatory biometric verification via BIVS for all 1.2 billion telecom subscribers, creating a unified biometric database linked to Aadhaar and accessible via Rule 23.[21]

Aadhaar Private Sector Expansion (January 2025): UIDAI expanded Aadhaar authentication to e-commerce, travel, hospitality, and healthcare, reversing 2018 Supreme Court restrictions on private-sector use.[8]

Sources

[1] Lawful Legal: Puttaswamy v. Union of India (2017) – Nine-judge bench, fundamental right to privacy
[2] Hogan Lovells: DPDPA Brought into Force (November 2025) – Rules, phased implementation
[3] The Intercept: SIGINT Seniors of the Pacific – India joined 2008, RAW highest-volume reporter
[4] MeitY: Data Protection Board – INR 2.5B max penalty, online-only
[5] ICLG: Data Protection – India – DPDPA, Rule 23, Section 44(3)
[6] HRW: India Surveillance and Free Speech – IT Act Section 69, no judicial oversight
[7] Wikipedia: Aadhaar – 1 billion+, biometrics, linked systems
[8] UIDAI: Official Website – January 2025 private-sector expansion, February 2026 app launch
[9] Wikipedia: Indian Intelligence Agencies – RAW, IB, NTRO, MAC
[10] Wikipedia: Central Monitoring System – CMS, NATGRID, NETRA
[11] Wikipedia: NATGRID – 45,000 requests/month, NPR link December 2025, PM Modi scale-up order
[12] The Wire: Pegasus Supreme Court Ruling (April 2025) – Report withheld, “what is wrong” remark
[13] IPVM: India Facial Recognition – AFRS, Delhi Safe City, Mahakumbh, no legal framework
[14] Submarine Cable Map – India 17 cables, 14 stations, Mumbai/Chennai hubs
[15] Shoghi Communications: Submarine Cable Monitoring – Indigenous cable-tapping hardware
[16] Wikipedia: Quad – Dual positioning: Quad + SSPAC + SCO + BRICS
[17] US DOJ: MLATs (April 2022) – US-India MLAT signed October 17, 2001
[18] Wikipedia: US-India Defence – LEMOA, COMCASA, BECA
[19] LiveLaw: DPDPA Constitutional Challenge (February 2026) – Rule 23, Section 44(3), larger bench
[20] RSF: India – J&K VPN ban, “information black hole,” 84 internet shutdowns