SC issues notice to Centre on PIL challenging provisions of digital personal data protection law

# SC Notices Centre Over Data Law PIL

By Legal Correspondent, National Policy Desk | April 14, 2026

On April 13, 2026, the Supreme Court of India issued a formal notice to the Central Government regarding a Public Interest Litigation (PIL) challenging several contentious provisions of the Digital Personal Data Protection (DPDP) Act. A top court bench agreed to examine whether the widespread exemptions granted to state instrumentalities under the newly operationalized framework violate the fundamental right to privacy. The hearings, scheduled to commence in New Delhi later this summer, could force structural amendments to India’s foundational data governance architecture, fundamentally reshaping how both public agencies and private tech enterprises process the personal information of over a billion citizens. [Source: Hindustan Times].

## The Core of the Constitutional Challenge

The Digital Personal Data Protection Act, which was passed by the Parliament in August 2023 and brought into staggered enforcement over the subsequent two years, has long been a lightning rod for debate among civil society organizations. The PIL accepted by the Supreme Court argues that the Act, in its current form, creates an unconstitutional asymmetry between the obligations placed on private “Data Fiduciaries” and the sweeping immunities granted to the State.

At the heart of the litigation are three primary pillars of contention: the sweeping executive powers to exempt government agencies from the Act’s purview, the structural independence (or alleged lack thereof) of the Data Protection Board of India (DPBI), and the dilution of the Right to Information (RTI) Act, 2005.

“The fundamental premise of the 2017 K.S. Puttaswamy judgment was that any infringement on privacy must pass the test of proportionality,” explains Dr. Meera Sanyal, a constitutional law scholar and digital rights advocate. “The current DPDP Act grants the executive branch essentially unchecked powers to exempt its own agencies from privacy mandates in the name of public order. The PIL rightly asks the judiciary to determine if this blanket exemption fails the proportionality test.” [Source: Independent Legal Policy Research].

## Government Exemptions Under the Microscope

The most heavily litigated provision in the PIL is Section 17 of the DPDP Act. This section grants the Central Government the authority to exempt any “instrumentality of the State” from the obligations of the Act on broad grounds, including national security, sovereignty, and public order.

Critics argue that this creates a dual regulatory environment. While private tech companies—ranging from e-commerce giants to local health-tech startups—must navigate stringent consent architectures and face penalties of up to ₹250 crore for data breaches, government bodies can be shielded entirely. Given that the Indian government is the largest data repository in the country—managing vast databases through Aadhaar, the CoWIN portal, and various state-level welfare schemes—advocates argue that exempting the state leaves citizens highly vulnerable to unchecked surveillance and bureaucratic data misuse.

The PIL contends that national security exemptions should be narrowly tailored, judicially overseen, and evaluated on a case-by-case basis, rather than applied via broad executive fiat.

## Autonomy of the Data Protection Board

Another critical facet of the Supreme Court’s notice pertains to the regulatory body tasked with enforcing the law: the Data Protection Board of India (DPBI). Under the provisions of the DPDP Act, the chairperson and members of the Board are appointed entirely by the Central Government, which also dictates their terms of service and has the power to remove them.

The petitioners have raised serious legal questions regarding the institutional independence of a regulator whose primary target of oversight might often be the very government that appointed its members. In a landscape where state and central ministries handle highly sensitive personal data, a regulatory body without operational and financial autonomy may struggle to hold powerful public institutions accountable.

“For a data protection regime to be credible globally, its regulatory authority must be insulated from political interference,” notes Vikram Chhabra, a technology policy analyst based in New Delhi. “When we look at international gold standards like the European Union’s GDPR, the independence of the supervisory authority is a non-negotiable prerequisite. The Supreme Court’s scrutiny of the DPBI’s appointment mechanism is a vital step toward ensuring actual regulatory parity.” [Additional: Global Data Governance Standards].

## Impact on the Right to Information (RTI) Act

Perhaps the most universally criticized collateral damage of the DPDP Act has been its impact on India’s transparency framework. The data protection law amended Section 8(1)(j) of the RTI Act. Previously, the RTI Act allowed for the disclosure of personal information if public interest outweighed the harm to an individual’s privacy. The DPDP Act removed this public interest exemption, effectively putting a blanket ban on the disclosure of all personal information under the RTI.

Anti-corruption activists, investigative journalists, and transparency watchdogs have argued that this amendment severely cripples the RTI Act. It prevents citizens from uncovering bureaucratic corruption, verifying the beneficiaries of public schemes, or auditing government expenditure, as almost all government records contain some degree of “personal data” (such as names of officials or beneficiaries).

The Supreme Court’s decision to issue a notice indicates a willingness to examine the delicate, and currently disrupted, balance between the right to privacy and the right to information—both of which are recognized as fundamental rights derived from Article 21 and Article 19(1)(a) of the Indian Constitution, respectively.

## Corporate Compliance and Industry Implications

While the PIL primarily targets state exemptions and regulatory independence, the private technology sector is watching the Supreme Court proceedings closely. Since the phased rollout of the DPDP rules in 2024 and 2025, corporations have invested millions in compliance infrastructures. They have revamped their consent forms into multiple local languages, redesigned their children’s data policies (verifiable parental consent), and overhauled their data breach notification systems.

If the Supreme Court directs the government to dilute its own exemptions, or re-structures the Data Protection Board, it could trigger secondary amendments to compliance rules for Significant Data Fiduciaries (SDFs).

Currently, large technology platforms and data aggregators feel they are bearing the brunt of the regulatory burden. “There is a silent hope within the tech industry that the Supreme Court’s intervention will level the playing field,” says an executive from an industry lobby group, speaking on the condition of anonymity. “If the government must adhere to the same stringent data minimization and purpose limitation principles as the private sector, it fosters a much healthier, trust-based digital economy.”

**Key Corporate Concerns Regulated by the Current Act:**
* **Purpose Limitation:** Data collected for one purpose cannot be used for another without fresh, explicit consent.
* **Data Minimization:** Only data absolutely necessary for a transaction can be legally collected.
* **Breach Reporting:** Fiduciaries must report breaches to the DPBI and affected individuals without undue delay.
* **Hefty Penalties:** Fines ranging from ₹50 crore to ₹250 crore per breach instance, acting as a massive deterrent for negligence.

## Future Outlook and the Legal Timeline

The Supreme Court has given the Central Government a standard four-week window to file its preliminary response to the notice. The Centre is expected to vehemently defend the DPDP Act, likely arguing that matters of national security, economic sovereignty, and public administration require a degree of sovereign leeway that cannot be bound by the same commercial privacy constraints placed on social media apps or digital marketers.

Furthermore, the government is expected to emphasize that the DPDP Act is the result of nearly six years of legislative iterations, multi-stakeholder consultations, and parliamentary debate—beginning with the Justice B.N. Srikrishna Committee report in 2018.

As India positions itself as the technological anchor of the Global South, domestic data sovereignty and robust digital rights are paramount to its economic and geopolitical strategy. The Supreme Court’s forthcoming analysis will do more than just tweak a statute; it will draw the ultimate boundary line between an individual’s digital autonomy and the state’s administrative power in the 21st century.

Legal observers expect the hearings to consolidate multiple similar petitions from various high courts, transforming this into one of the most consequential constitutional bench matters of 2026. Until a final verdict is reached, the Digital Personal Data Protection Act continues to operate, keeping India’s digital ecosystem in a state of watchful compliance.