Legal Framework for Surveillance — Current Affairs 2026

The Digital Personal Data Protection (DPDP) Act, 2023, is India's first comprehensive data protection law. While it aims to protect personal data, Section 17(2)(a) grants broad exemptions to government agencies from many of its provisions for purposes like national security, public order, and prevention of cognizable offences. This raises critical questions about how the 'proportionality test' established in Puttaswamy will be applied to these exemptions. Critics argue that these exemptions could potentially legitimize mass surveillance without adequate safeguards, while the government maintains they are necessary for national security. From a UPSC perspective, understanding the balance (or imbalance) between data protection and state surveillance powers under this new law is crucial for both Prelims and Mains, especially concerning fundamental rights and internal security.

UPSC Angle: Analyze the DPDP Act's exemptions for government agencies in light of the Puttaswamy judgment's proportionality test. Discuss the potential for misuse versus the stated necessity for national security. Evaluate its impact on privacy rights and the future of digital surveillance in India.

In April 2022, the Indian Computer Emergency Response Team (CERT-In) issued new directions under Section 70B of the IT Act, 2000. These directions mandate VPN providers, data centers, cloud service providers, and virtual asset service providers to store specific user data (e.g., names, email IDs, IP addresses) for a period of five years or longer. They also require reporting of cyber incidents within six hours. While CERT-In stated these measures are crucial for cyber security and incident response, many privacy advocates and tech companies criticized them as infringing on user privacy and potentially facilitating mass surveillance. Several VPN providers even ceased operations in India due to these requirements. This highlights the ongoing tension between national cyber security imperatives and individual data privacy, directly impacting the legal framework for digital surveillance.

UPSC Angle: Examine the legal basis of CERT-In's directions under the IT Act. Discuss the arguments for and against data retention mandates in the context of cyber security and privacy. Analyze the economic and privacy implications for individuals and businesses, and how these directions fit into the broader surveillance framework.