The Indian government last month notified the latest iterations of the Digital Personal Data Protection Act and the Digital Personal Data Protection Rules, which together constitute the country’s data protection regime and are set to unfold in a phased manner over 18 months. The moment marked the culmination of an almost seven-year legislative trajectory, beginning with the release of the first draft of a data protection bill in 2018 that was followed by subsequent versions in 2019 and 2021. The government withdrew the latter iteration, intending to replace it with a simpler, leaner framework, which has now become the DPDPA.
Although these earlier drafts were imperfect, they nevertheless represented substantive efforts to construct a meaningful data-protection framework and, in many respects, offered stronger safeguards than those found in the present act. By contrast, the DPDPA is excessively consent-centric, incorporates broad exceptions and exemptions and lacks clear definitions or guiding criteria for several crucial concepts, thereby creating significant operational and interpretive uncertainty.
The act also does not provide adequate safeguards or robust mechanisms to ensure accountability and transparency. The DPDPA entrenches a state-centric architecture of control and facilitates data extractivism, consolidating power in the hands of the state and select private entities, particularly “domestic champions.” These entities, not individual data principals, emerge as the primary beneficiaries of this prolonged legislative process.
In this piece, I examine how the DPDPA Rules enable metadata-based surveillance, an aspect that remains severely underexplored in current policy and scholarly discourse, including how to situate these developments within the broader metadata-surveillance architecture evolving in India.