Linkedin Instagram Twitter

The Role of State Governments in India’s Data Protection Law

Introduction: Understanding Data Protection in India

India is moving forward with stronger data protection laws, and the new Digital Personal Data Protection Act, 2023 (DPDP Act) plays a major role in this. To guide the implementation of this law, the Ministry of Electronics & Information Technology (MeitY) released the Digital Personal Data Protection Rules, 2025 in January. These rules provide more details on how personal data should be collected, processed, and shared.

State Governments, in particular, have a significant role in this process. They handle large amounts of personal data and are also responsible for ensuring that the law is properly enforced. In this blog, we will explore how State Governments fit into the new data protection regime and the responsibilities they carry as data controllers, or data fiduciaries.

What Does “State” Mean in This Context?

In the context of the law, the word “State” does not just refer to the national or state-level governments. According to Article 12 of the Indian Constitution, it includes the Government of India, State Governments, local authorities (such as municipalities and panchayats), and even certain government-controlled agencies and corporations.

Over the years, courts have clarified the definition of “State” through key judgments. One significant case was Sukhdev Singh v. Bhagatram Sardar Singh Raghuvanshi, where the Supreme Court introduced the idea that the State can act through its agencies or organizations. In this case, the court explained that if a government agency carries out the functions of the State, it can be considered an “instrumentality” or “agency” of the State. Similarly, in Ramana Dayaram Shetty v. The International Airport Authority of India, the court used this expanded definition to show that even government-controlled corporations fall under the definition of “State.”

With these rulings in mind, it is clear that state governments and their agencies play a big role in implementing the DPDP Act. They are responsible for handling personal data when providing services such as welfare benefits, issuing licenses, or delivering public services.

State Governments as Data Fiduciaries

Under the DPDP Act, a data fiduciary is defined as any person or organization that determines how and why personal data is processed. Given that state governments handle large amounts of personal data in the course of providing services, they are considered data fiduciaries under this law.

For instance, when a state government provides welfare benefits or issues a license, it collects and processes personal data, making it responsible for protecting this information. This means that state governments must follow the rules laid out in the DPDP Act, such as ensuring that personal data is accurate, secure, and used for the intended purposes.

However, the law also provides some flexibility for state governments. According to Section 7(c) of the DPDP Act, state governments and their agencies can process personal data without the need to comply with the notice and consent requirements if it is necessary for the performance of their legal duties or in the interest of national security. This exemption gives state governments more room to handle personal data when fulfilling their responsibilities, such as maintaining public order or delivering essential services.

Additionally, Section 7(b) offers further relaxation by allowing state governments to process personal data without consent if they are providing subsidies, benefits, or services, and the data is already available in a government database. These provisions enable the government to operate smoothly while ensuring that citizens receive timely services without unnecessary delays.

Ensuring Responsible Data Processing

While the DPDP Act provides certain exemptions for state governments, it also emphasizes the need for responsible data handling. Even though state governments may not always need to obtain consent, they are still required to follow other important rules, such as ensuring the accuracy of the data, adopting technical safeguards, and protecting personal data from unauthorized access.

Moreover, State Governments are bound by the principle of purpose limitation, as laid out in Section 4(1)(b) of the Act. This means that personal data collected for one purpose (such as issuing a permit) should not be used for other unrelated purposes. For example, data collected for issuing a driver’s license should not be shared with another government department unless it is necessary for a related task. This is an important aspect of protecting citizens’ privacy and ensuring that their data is not misused.

Role in Law Enforcement and Security

In addition to providing services, state governments also play a key role in law enforcement. The DPDP Act gives governments the flexibility to process personal data for maintaining law and order or responding to emergencies. Sections 7(d) and 7(e) of the Act, for instance, allow state governments to process personal data for fulfilling legal obligations or complying with court judgments.

Another important provision is Section 17, which grants broader exemptions to data fiduciaries (including state governments) in cases where personal data is processed for protecting national security, maintaining public order, or other sensitive matters. However, even in these cases, governments must ensure that their actions are lawful and proportionate, as emphasized by the Supreme Court in the Justice K.S. Puttaswamy v. Union of India case, which recognized the right to privacy as a fundamental right.

Research, Archiving, and Statistical Purposes

State governments also play a role in using personal data for research, archiving, and statistical analysis. Section 17(2)(b) of the DPDP Act provides an exemption for processing personal data for these purposes, as long as the data is not used for making decisions that affect individuals. This allows governments to use personal data to study public health trends, develop new policies, or analyze the effectiveness of welfare programs.

While this provision gives governments more flexibility, it is important that they maintain high standards of data quality and protection. Proper use of data for research and analysis can help governments address social challenges and improve public services, but it must be done in a way that respects citizens’ privacy.

Conclusion: The Importance of Data Protection

In conclusion, state governments have a crucial role to play in implementing India’s new data protection laws. They are responsible for handling personal data while providing services, maintaining law and order, and conducting research. While the DPDP Act provides some exemptions for governments, it is essential that they follow the rules carefully and protect citizens’ privacy.

By doing so, State Governments can set a positive example for other public and private organizations in India and ensure that citizens’ personal data is handled with care and respect.

Arushi Aggarwal

(Senior Associate, Emerge Legal)

Related Posts

Our Practice Areas

Book Appointment
+91 8054639220

Call for legal service

Book Appointment
Facebook-f Twitter Linkedin-in Instagram

Disclaimer

This website has been designed only for the purposes of dissemination of basic information on Emerge Legal; information which is otherwise available on the internet, various public platforms and social media. Careful attention has been given to ensure that the information provided herein is accurate and up-to-date. However, Emerge Legal is not responsible for any reliance that a reader places on such information and shall not be liable for any loss or damage caused due to any inaccuracy in or exclusion of any information, or its interpretation thereof. Reader is advised to confirm the veracity of the same from independent and expert sources.

This website is not an attempt to advertise or solicit clients, and does not seek to create or invite any lawyer-client relationship. The links provided on this website are to facilitate access to basic information on Emerge Legal, and, to share the various thought leadership initiatives undertaken by it. The content herein or on such links should not be construed as a legal reference or legal advice. Readers are advised not to act on any information contained herein or on the links and should refer to legal counsels and experts in their respective jurisdictions for further information and to determine its impact.

Emerge Legal advises against the use of the communication platform provided on this website for exchange of any confidential, business or politically sensitive information. User is requested to use his or her judgment and exchange of any such information shall be solely at the user’s risk.

Emerge Legal uses cookies on its website to improve its usability. This helps us in providing a good user experience and to also help in improving our website. By continuing to use our website without changing your privacy settings, you agree to use our cookies.

Terms of use and Privacy policy

Accept