India’s newly notified Digital Personal Data Protection (DPDP) Rules have sparked a wave of commentary online, but one remark captures the essence better than any official press release: “Wherever public data is held by private organisations, the government, in order to ensure its protection, wants a backdoor entry into it.”
Wrapped in bureaucratic language, this idea is presented as benign oversight. But look closely, strip away the euphemisms, and we find a genuine oxymoron: you cannot protect a system by designing a built-in vulnerability. A backdoor is not a security feature. It is a structural flaw—one that will eventually be used by those unscruplous players who were never meant to have access.
India’s new data protection framework, while a step forward in many respects, carries precisely this contradiction at its core. On the one hand, it demands consent, minimisation, transparency, and accountability from private actors. On the other, it grants sweeping discretionary powers to the State that undermine the very protections the law claims to erect. The “guardians” of our data are asking for a master key, assuring us it will be used only for our safety. But history, technology, and constitutional logic warn otherwise.
What the DPDP Act and Rules Actually Do
The DPDP Act, 2023 creates India’s first comprehensive privacy framework. It defines the rights of individuals (“Data Principals”), duties of organisations (“Data Fiduciaries”), and enforcement mechanisms via the Data Protection Board. The newly notified Rules flesh out these foundations—mandating breach reporting, age-verification for children, “reasonable security safeguards,” detailed notices, and compliance structures for significant databanks.
In its corporate-facing architecture, the law is serious, robust, and in line with global norms. It penalises lax security heavily. It obligates companies to erase unnecessary data. And it imposes meaningful transparency obligations.
But the promise of universal privacy protections evaporates the moment we examine two sections—Section 17 and Section 36—which together create a parallel regime for the State.
Section 17: The Broad Escape Hatch
Section 17(2)(a) allows the Central Government to exempt any “instrumentality of the State” from most obligations of the Act on grounds such as:
sovereignty and integrity of India,
security of the State,
friendly relations with foreign states,
maintenance of public order,
preventing incitement to cognisable offences.
This list is so expansive—and so loosely defined—that almost any department, agency, or police wing could be granted permission to process data without consent, without purpose limitation, without erasure obligations, and without transparency.
The exemption is not narrow or conditional. It is not limited to specific investigations. It is not subject to judicial oversight. It is a blanket permission slip the executive may issue to itself.
In effect, the State demands privacy protections from others that it refuses to apply to itself.
Section 36: A Master Key Disguised as a Clause
If Section 17 opens the escape hatch, Section 36 hands the State the master key. The provision states simply:
“The Central Government may require the Board and any Data Fiduciary or intermediary to furnish such information as it may call for.”
On its face, this reads as a benign administrative power. But the wording is breathtakingly broad. There is:
no limitation to anonymised or aggregated data;
no requirement to demonstrate necessity or proportionality;
no judicial warrant requirement;
no obligation to notify the individual whose data is accessed;
no post-facto review, audit trail, or reporting mechanism.
Placed alongside older surveillance laws—such as Section 69 of the IT Act and the Interception Rules of 2009, which already permit decryption orders—the DPDP’s master-key provision completes the architecture. Not only can government agencies exempt themselves from safeguards; they can compel private companies to open their vaults too.
This is not an incidental drafting oversight. It is a systemic design choice.
Why Backdoors Make Everyone Unsafe
The notion that the State can have “lawful access” while leaving encryption intact for everyone else is technically untenable. Encryption does not differentiate between benign and malign actors. A backdoor, once created, is a vulnerability for all.
Global experience tells us:
Encryption backdoors in TSA luggage locks were reverse-engineered and published online.
The Clipper Chip experiment in the United States collapsed under scrutiny.
The UK’s recent attempt to compel Apple to weaken encryption led Apple to disable advanced security features rather than compromise global user safety.
Cybersecurity consensus is unequivocal: there is no such thing as a secure backdoor.
If the government can silently bypass or weaken protections, so can rogue insiders, cybercriminals, hostile governments, or anyone who discovers the same entry point.
To weaken encryption “for safety” is to weaken safety itself.
India’s Surveillance Legacy: Old Wine in a New Bottle
India’s privacy regime has long suffered from an asymmetry between State power and citizen protection. The DPDP framework inherits this imbalance. The country’s surveillance toolkit already includes:
Central Monitoring System (CMS),
NETRA (Network Traffic Analysis system),
Lawful Interception Systems deployed at telecom gateways,
Decryption orders under Section 69 of the IT Act.
The Supreme Court’s Puttaswamy judgment—declaring privacy a fundamental right—demands legality, necessity, and proportionality for any intrusion. Yet, DPDP’s Section 17 and Section 36 meet none of these standards.
Instead of elevating privacy norms, the new framework consolidates State access.
Do Safeguards Exist? Yes. Are They Enough? No.
The DPDP regime does impose strong obligations on companies:
mandatory “reasonable security safeguards”;
significant penalties for breaches;
children’s data protections;
clear consent and notice requirements;
structured compliance reporting.
But these are asymmetrical. They bind the private sector, not the State.
The biggest gaps remain precisely where they matter most:
No independent judicial authorisation for State access.
No independent oversight body insulated from the executive.
No transparency obligations on government departments.
No user right to challenge State intrusions.
No requirement that surveillance be targeted or proportionate.
A privacy law that applies rigorously to companies but lightly to the State amounts to half a shield.
What a Truly Balanced Framework Would Look Like
For India to reconcile security with liberty, it must strengthen—not dilute—constitutional safeguards. The following reforms are essential:
1. Narrow and Precisely Defined Exemptions
Limit Section 17 to intelligence and law-enforcement functions dealing with clearly defined, serious offences. Remove vague terms like “public order.”
2. Rewrite Section 36
Introduce judicial warrants, strict specificity, documented necessity, and post-facto accountability for all data-access directions.
3. Explicit Protection for Encryption
Statutorily bar the creation of backdoors. Lawful access must be case-specific, not systemic.
4. Independent Oversight
Strengthen or reconstitute the Data Protection Board to mirror EU-style autonomous regulators with investigative powers over government agencies.
5. Transparency and Remedies
Require annual reporting on the volume and nature of government data-access requests and allow delayed user notification.
6. A Comprehensive Surveillance Law
Replace the outdated and fragmented interception framework with a modern statute aligned with constitutional principles.
Conclusion: A Master Key Is Not a Security Instrument
The Unintended Vulnerability in the Name of Protection
The title of this essay encapsulates the paradox before us: the guardians of your data want a master key—because they claim it makes you safer. While the statute may not intend to provide the State with 24×7 omnibus access to private data, its architecture creates precisely that danger. The unintended consequence is clear: compliance with the new law and rules can open a systemic vulnerability, one that sophisticated hackers—state or non-state—can exploit. Such weaknesses risk far more than identity theft or siphoning of funds. They threaten to become entry points for attacks on India’s digital sovereignty, financial systems, and national security.
Why No Democracy Should Carry a Hidden Key
A society cannot enhance security by weakening its protective systems. Nor can trust survive when the State reserves for itself an unreviewable right to quietly enter private databases. Privacy is not a hurdle; it is a pillar of democratic dignity, personal autonomy, and—after the Supreme Court’s Puttaswamy decision—a Fundamental Right. A data protection law with a built-in backdoor is like a vault with a secret duplicate key: harmless only until the wrong hands find it. India has indeed taken a historic step by enacting its first privacy law, but unless the loopholes are sealed, we risk ending up with protection in name and vulnerability in fact. Real data protection demands one non-negotiable rule: no master keys—not even for the guardians.