India
SSPAC and Quad intelligence partner operating the world’s largest biometric database with three mass surveillance programs and no independent oversight of interception
Overview
India’s privacy framework is defined by a fundamental contradiction between a 2017 Supreme Court ruling recognizing privacy as a fundamental right (Puttaswamy v. Union of India, unanimous nine-judge bench) and the operational reality of the world’s largest biometric database (Aadhaar, 1 billion+ registrants), three mass surveillance programs (CMS, NATGRID, NETRA), and sweeping government interception powers under IT Act Section 69 with no prior judicial authorization required.[1]
The Digital Personal Data Protection Act (DPDPA) 2023, enacted August 11, 2023, is India’s first comprehensive data protection law. However, it grants the Central Government the power to exempt any agency from all provisions for reasons of national security. The Data Protection Board — the DPDPA’s enforcement body — was brought into force on November 13, 2025, but core operational provisions do not take full effect until May 2027. A constitutional challenge to the DPDPA is pending before the Supreme Court.[2]
India joined SSPAC (SIGINT Seniors of the Pacific) in 2008 and is the only country that is simultaneously an SSPAC member and a Quad partner (with the US, Japan, and Australia) while also maintaining membership in the Shanghai Cooperation Organisation (SCO) alongside Russia and China, and BRICS. RAW produces the highest volume of SSPAC reports after the United States.[3]
Data Protection Board of India
The Data Protection Board of India was established under the DPDPA 2023 and brought into force on November 13, 2025. The Board will function entirely online to handle complaints, investigate data breaches, and impose penalties, with inquiries to be completed within six months (extendable in three-month blocks with written reasons). Maximum penalty: INR 2.5 billion (approximately $30 million).[4]
As of early 2026, the Board is still being constituted and no enforcement actions have been taken. Core operational provisions of the DPDPA — including conditions for consent managers (November 2026) and full data fiduciary obligations (May 2027) — are being phased in over 18 months. India’s data protection enforcement lags years behind South Korea’s PIPC and Japan’s PPC, both of which are actively imposing penalties.[2]
Key Legislation
Digital Personal Data Protection Act (DPDPA) 2023
The DPDPA (enacted August 11, 2023; Rules notified November 13, 2025) rests on seven principles: consent and transparency, purpose limitation, data minimization, accuracy, storage limitation, security safeguards, and accountability. Consent must be “free, specific, informed, unconditional and unambiguous” with pre-checked boxes prohibited. Data fiduciaries bear the burden of compliance; data processors have no direct obligations under the Act.[5]
Critical limitations compared to the GDPR: no data portability right, no right to erasure in many contexts, and the Central Government can exempt any agency from all provisions for national security, public order, or sovereignty. Cross-border transfers are permitted unless the government restricts transfers to specified countries. The DPDPA applies only to digital personal data, excluding offline processing.[5]
Information Technology Act 2000 (Section 69)
Section 69 empowers the Central Government or State Government to direct any agency to intercept, monitor, or decrypt any information transmitted through any computer resource, in the interest of sovereignty, security, friendly relations with foreign states, public order, or prevention of incitement to cognizable offenses. No prior judicial authorization is required — authorization is administrative (typically the Home Secretary). The IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, specify procedural safeguards, but critics note these lack independent oversight.[6]
Telecommunications Act 2023
Replacing the Indian Telegraph Act 1885 for modern communications, the Telecommunications Act 2023 was partially enforced in 2024. Section 20 authorizes interception orders by Central or State Government agencies on broad grounds including “friendly relations with foreign States” and “public order.” The 2024 Interception Rules grant emergency powers including temporary possession of telecommunications services. Review committees meet bi-monthly to evaluate compliance, but key safeguards from the 2007 Rules, including penalties for telecom companies that fail to prevent unauthorized surveillance, were omitted from the 2024 framework.[7]
Aadhaar Act 2016
The Aadhaar Act 2016 provides the legal framework for the Aadhaar biometric identification program. The Supreme Court upheld it in 2018 (Puttaswamy II) with restrictions: Aadhaar is mandatory for tax filing and government subsidies, but private companies cannot require it for verification.[8]
Aadhaar: The World’s Largest Biometric Database
The Aadhaar system, administered by the Unique Identification Authority of India (UIDAI), assigns a 12-digit identification number to every resident. Biometric data collected includes all 10 fingerprints, iris scans, and a facial photograph, alongside demographic data (name, address, date of birth). Over 1 billion residents are registered, representing nearly the entire population of 1.4 billion.[8]
In Puttaswamy v. Union of India (August 24, 2017), a nine-judge bench of the Supreme Court unanimously recognized privacy as a fundamental right under Article 21 of the Constitution — a landmark 547-page judgment that established the constitutional basis for challenging surveillance programs. In the subsequent 2018 Aadhaar judgment, a five-judge bench upheld the Aadhaar Act by a 4-1 majority, finding it passes the three-fold test of the privacy judgment, but imposed restrictions on mandatory private-sector use and unlimited data storage.[9]
Despite these judicial limits, Aadhaar remains linked to bank accounts, mobile phone numbers, tax records, and government welfare programs. The scale of centralized biometric data, combined with the mass surveillance programs described below, creates an infrastructure of identification and tracking that no other democracy operates at comparable scale.[8]
Surveillance and Intelligence
Intelligence Agencies
RAW (Research and Analysis Wing), established 1968, conducts external intelligence and is India’s primary foreign intelligence agency. IB (Intelligence Bureau), established 1887, is the domestic intelligence agency responsible for counter-intelligence, counter-terrorism, and internal security — the oldest intelligence agency in Asia. NTRO (National Technical Research Organisation), established 2004, handles technical intelligence including SIGINT, operating under the National Security Adviser in the Prime Minister’s Office. The Multi-Agency Centre (MAC) enables real-time intelligence exchange among RAW, IB, and military intelligence.[10]
Mass Surveillance Programs
Central Monitoring System (CMS): Under development since 2009, the CMS centralizes the interception process and allows security agencies to bypass telecommunications companies to directly intercept communications — including text messages, social media posts, and phone calls — in real time. By eliminating the telecom operator from the interception chain, CMS removes a potential check on unauthorized surveillance.[11]
NATGRID (National Intelligence Grid): NATGRID links databases across 21 categories of data from agencies including the Income Tax Department, banks, insurance companies, Indian Railways, immigration, and telecommunications providers. It enables investigation and law enforcement agencies to access real-time information across these interconnected databases.[11]
NETRA (Network Traffic Analysis): Operated by the Defence Research and Development Organisation (DRDO), NETRA monitors internet traffic including direct messages, personal emails, and blog posts. It uses keyword filters to identify content of interest, with the capability to analyze even encrypted messages. While CMS taps telecommunications networks, NETRA monitors internet-based communications.[11]
A Delhi High Court petition sought to stop data collection through CMS, NATGRID, and NETRA, citing breach of privacy. The Centre urged the Court to dismiss the petition. The surveillance programs operate with no comprehensive legislative framework and no independent judicial oversight — authorization comes through executive orders under IT Act Section 69 and the Indian Telegraph Act Section 5.[12]
Pegasus Spyware Scandal (2021)
The Pegasus Project investigation identified over 300 Indian phone numbers on a leaked list of suspected surveillance targets. Alleged targets included ministers, opposition leaders (an associate of Congress leader Rahul Gandhi), journalists (Siddharth Varadarajan of The Wire, Paranjoy Guha Thakurta), Supreme Court judges, election commissioners, human rights lawyers, and activists.[13]
On October 28, 2021, the Supreme Court ordered an independent probe by a three-member technical committee. The committee confirmed malware on 5 of 29 devices examined, but stated it could not be conclusively identified as Pegasus. The government refused to cooperate with the investigation and adopted a “neither confirm nor deny” position on procurement. As of 2024, no accountability has resulted from the investigation, and critics argue the Supreme Court’s silence effectively legitimizes spying on government critics.[14]
Facial Recognition
The National Crime Records Bureau (NCRB) is deploying the Automated Facial Recognition System (AFRS) as a pan-India platform for police use. Delhi Police is implementing facial recognition under the Safe City Project, with plans for 10,000 high-resolution CCTV cameras across the capital in 2025. Mobile FRS vans patrol high-crime zones with cameras that alert on faces matching criminal databases with more than 60% similarity. Between September and November 2024, the technology helped North Delhi police arrest at least 70 individuals. No legal framework governs the deployment of facial recognition in India.[15]
Oversight
India has no independent oversight body for intelligence operations. There is no parliamentary intelligence committee with operational access, no independent judicial review of interception orders, and no statutory whistleblower protection for intelligence personnel. Authorization for interception is administrative (Home Secretary level), not judicial. Review committees under the Telecommunications Act meet bi-monthly but operate with limited transparency. The absence of oversight has been repeatedly criticized by civil society organizations and international human rights bodies.[6]
Data Retention
India does not have a comprehensive mandatory data retention law. However, Unified License Agreement conditions imposed by the Department of Telecommunications require telecom operators to retain call detail records (CDRs) and subscriber data for specified periods. ISPs are required to retain server logs. The Telecommunications Act 2023 reinforces these obligations and adds data localization requirements mandating that certain user data be stored within India.[7]
The DPDPA 2023 requires data fiduciaries to retain personal data only as long as necessary for the purpose of processing, but the government’s broad exemption powers under the Act undermine this principle — any agency exempted from the DPDPA has no statutory limitation on data retention.[5]
Internet Infrastructure and Cable Surveillance
The National Internet Exchange of India (NIXI), a not-for-profit company established by the Ministry of Electronics and Information Technology in 2003, operates Internet exchange nodes across seven core locations — Mumbai, Chennai, Noida, Kolkata, Bangalore, Hyderabad, and Ahmedabad — with additional NOC sites expanding to over a dozen cities including Gurgaon, Lucknow, Indore, and Guwahati. NIXI’s purpose is to keep domestic internet traffic within India rather than routing it through international exchange points, reducing latency and keeping data on Indian soil. DE-CIX Mumbai, an extension of the world’s largest Internet exchange by peak traffic, also operates in India, providing international carrier-neutral peering.[31]
India is a major submarine cable hub, with approximately 17 international cable systems landing at 14 cable landing stations across five coastal cities: Mumbai (the primary hub, with stations operated by Tata Communications, Reliance Jio, and Bharti Airtel), Chennai, Cochin, Tuticorin, and Trivandrum. Tata Communications operates the largest share, managing three cable landing stations in Mumbai and one in Chennai. Recent additions include the MIST cable system (NTT, 2023) connecting Mumbai to Singapore and Malaysia, and the planned India-Asia-Xpress (IAX) and India-Europe-Xpress (IEX) systems backed by Reliance Jio.[32]
India’s cable infrastructure intersects directly with its mass surveillance architecture. The Central Monitoring System (CMS) is designed to centralize interception at the telecommunications infrastructure level, bypassing operators entirely — a capability that extends to cable landing stations carrying international traffic. IT Act Section 69 authorizes interception of information transmitted through “any computer resource,” language broad enough to encompass cable landing station equipment. The Indian defense contractor Shoghi Communications Systems manufactures submarine cable monitoring systems (SCL-SCMS) designed for tapping fiber-optic submarine cables — one of the few publicly documented cases of a country developing indigenous cable-tapping hardware for its own intelligence agencies.[33]
The Telecommunications Act 2023 reinforces this infrastructure’s surveillance potential through data localization requirements mandating that certain user data be stored within India. By forcing more international traffic through Indian cable landing stations and requiring domestic data storage, the Act increases the volume of communications accessible to CMS interception and NETRA internet monitoring. Combined with SSPAC membership, India’s cable infrastructure serves both domestic mass surveillance and international signals intelligence cooperation.[7]
International Data Sharing Agreements
SSPAC (SIGINT Seniors of the Pacific)
India formally accepted the SSPAC invitation in June 2008. Indian representation comprises officials from RAW, NTRO, and the Aviation Research Centre (ARC). RAW produces the highest volume of SSPAC reports after the United States. Immediately after joining, a series of Counter Terror Deployed Analysts (CTDAs) were sent to India for 2-3 month periods. India’s SSPAC participation enables intelligence sharing on counterterrorism through the CRUSHED ICE secure network.[3]
Quad (US-Japan-Australia-India)
The Quad drives cooperation on critical and emerging technologies, cyber security, and maritime domain awareness. India is the only country that is simultaneously a Quad member, an SSPAC partner, and a member of the SCO and BRICS — a dual positioning that creates tension between Western intelligence alignment and relationships with Russia and China.[16]
US-India Mutual Legal Assistance Treaty
The US-India MLAT was signed at New Delhi on October 17, 2001 and provides for “the widest measure of mutual assistance” in connection with investigation, prosecution, prevention, and suppression of offenses. Assistance includes taking testimony, executing searches, transferring persons in custody, and forfeiture of proceeds.[17]
US-India Defense Agreements
Three foundational defense agreements deepen intelligence sharing: LEMOA (Logistics Exchange Memorandum of Agreement, 2016), COMCASA (Communications Compatibility and Security Agreement, 2018, enabling encrypted communications between Indian and US forces), and BECA (Basic Exchange and Cooperation Agreement, 2020, sharing geospatial intelligence including maps, nautical charts, and satellite data). Together these agreements integrate Indian and US military intelligence infrastructure to a degree unprecedented in the bilateral relationship.[18]
SCO and BRICS
India is a full member of the Shanghai Cooperation Organisation (SCO) alongside Russia and China, and participates in BRICS (Brazil, Russia, India, China, South Africa). These parallel memberships create a unique intelligence posture: India shares counterterrorism intelligence with the US through SSPAC and the Quad, while simultaneously participating in security cooperation frameworks with US strategic competitors.[16]
The Privacy Backdoor Effect
India’s combination of mass surveillance programs, broad interception powers, and international intelligence partnerships creates the most extensive set of parallel data access pathways documented in this directory:
- SSPAC: RAW produces the highest volume of SSPAC reports after the US; RAW, NTRO, and ARC are all represented
- CMS/NATGRID/NETRA: Three mass surveillance programs operating with no independent oversight
- IT Act Section 69: Administrative (not judicial) authorization for interception of any digital communication
- DPDPA exemptions: The Central Government can exempt any agency from all data protection provisions
- BECA/COMCASA/LEMOA: Integrated US-India military intelligence infrastructure
- Aadhaar: Biometric identification of 1 billion+ residents linked to financial and telecommunications records
The DPDPA 2023’s broad government exemption power means that data nominally protected by India’s first data protection law can be accessed by any agency the Central Government chooses to exempt, with no judicial review of the exemption decision.
Recent Developments
DPDPA Rules Notified (November 2025)
On November 13, 2025, MeitY notified the Digital Personal Data Protection Rules 2025, following a 10-month wait since draft Rules were released on January 3, 2025. Data Protection Board provisions were brought into force the same day. Consent manager registration: November 2026. Full data fiduciary obligations: May 2027.[2]
Constitutional Challenge to DPDPA (2025)
The Supreme Court issued notice on a constitutional challenge to both the DPDPA 2023 and the 2025 Rules, raising questions about the Act’s broad government exemption powers and the independence of the Data Protection Board.[19]
Telecommunications Interception Rules (2024)
The Telecommunications (Procedures and Safeguards for Lawful Interception of Messages) Rules, 2024 were formulated under the Telecommunications Act 2023. Key safeguards from the 2007 Rules were omitted, including explicit penalties for telecom companies that fail to prevent unauthorized surveillance.[7]
Delhi Facial Recognition Expansion (2024–2025)
Delhi Police is rolling out 10,000 facial recognition CCTV cameras under the Safe City Project. Mobile FRS vans are deployed in high-crime zones. At least 70 arrests were made between September and November 2024 using facial recognition matching.[15]
Pegasus Investigation Stalls
Despite the Supreme Court’s 2021 order for an independent probe, no accountability has resulted. The government’s refusal to confirm or deny Pegasus procurement remains unchanged. Civil society organizations argue the Court’s subsequent silence effectively legitimizes the surveillance.[14]
