Opinion Eight years after the ‘Puttaswamy’ privacy verdict, data protection remains a distant dream

The exemption economy

The DPDP Act already exempts all publicly available data through Section 3(c)(ii). This exemption allows India to sidestep the debate currently roiling the European Union, where courts and data protection bodies struggle to reconcile AI companies’ massive data scraping with General Data Protection Regulation (GDPR) privacy protections. When individuals post information publicly on blogs or social media, the Act no longer considers it private, meaning AI companies can likely scrape such content without violating the DPDP Act. But industry groups want more. The Internet and Mobile Association of India (IAMAI) demands that lawmakers exempt all AI training data from the Act’s scope, framing privacy protection as an obstacle to national competitiveness and progress against China and the United States.

Digital payment companies have joined this exemption parade. The National Payments Corporation of India, Amazon Pay, and Google Pay have all approached the Ministry of Electronics and Information Technology (MeitY) requesting temporary relief from consent provisions. These companies argue that seeking consent for each transaction would burden businesses excessively, complicate recurring payments, and raise compliance costs for small businesses.

Online gaming companies want exemptions from age-gating norms. They contend that obtaining parental consent, avoiding behavioural monitoring of children, and restricting targeted advertising would destroy free-to-play gaming business models. The DPDP rules detailed processes for collecting parental consent, including virtual tokens, but the industry has pushed back against these child safety measures.

The growing cost of ambiguity
These exemption requests reveal a deeper problem: Legislative uncertainty now plagues India’s data protection regime. Companies and industry bodies exploit this vacuum to lobby for broader exemptions. If the government grants these requests, it will fundamentally alter India’s data protection framework, hollowing out protections through blanket exemptions for training data and weakened age verification guidelines.

The government’s opaque consultation process deepens this uncertainty. While MeitY establishes consultation periods where stakeholders can submit comments, this process remains largely privileged and closed. Officials do not publicly disclose comments, making it impossible to understand why they ignore certain concerns, like removing protections for journalists, while advancing others.

Most data protection frameworks establish clear implementation timelines. The GDPR, adopted in 2016, took force two years later in 2018, giving businesses and regulators time to prepare. Today, the Indian government has not announced a commencement date for the DPDP Act’s provisions, though public comments suggest officials will create an onboarding period before enforcement begins. This indefinite delay creates a dangerous dynamic: The longer officials postpone implementation, the more time industry has to seek exemptions and weaken protections.

If granted, these exemption requests would create a data protection framework with more holes than protections. AI companies could train on vast datasets without consent, payment platforms could bypass consent requirements, gaming companies could continue targeting children, and journalists could face criminalisation for investigative work, all while citizens remain largely unprotected.

Returning to Puttaswamy’s vision

The Supreme Court in Puttaswamy recognised that “informational privacy is a facet of the right to privacy” and warned that “the dangers to privacy in an age of information can originate not only from the state but from non-state actors as well.” The Court urged the Union Government to “examine and put into place a robust regime for data protection,” emphasising that “creating such a regime requires a careful and sensitive balance between individual interests and legitimate concerns of the state.”
Today, India faces the exact crossroads the Puttaswamy bench anticipated. The very “non-state actors” the Court warned about, tech companies, payment platforms, gaming firms, and AI developers, now actively seek to weaken the data protection regime before it takes effect. Each exemption request, whether framed as business efficiency or national competitiveness, moves India further from the “robust regime” the Court envisioned.

As India approaches the eighth anniversary of Puttaswamy, the question is not whether the citizens have a comprehensive right to informational privacy and need data protection; the Supreme Court settled that debate in 2017. The question is whether India will honour that constitutional mandate or allow industry to kill it through a thousand exemptions. The Court’s vision of a “careful and sensitive balance” requires not just legislative action, but the political will to resist endless exceptions. Until officials show that will, India’s data protection journey will remain exactly where it is today: Stalled, while citizens’ privacy hangs in the balance.

The writer is Senior Research Analyst, Carnegie India