Delhi High Court Seeks Centre's Response on PIL Challenging DPDP Act Provisions

In a significant development for India's evolving data privacy landscape, the Delhi High Court on February 18, 2026, issued a notice to the Union Government directing it to file its response to a Public Interest Litigation (PIL) that mounts a sweeping constitutional challenge against key provisions of the Digital Personal Data Protection (DPDP) Act, 2023 , and the recently notified DPDP Rules, 2025 . Filed by advocate Chandresh Jain , the petition alleges that these provisions enable unchecked state surveillance, excessive executive control, and a dilution of judicial oversight, thereby infringing fundamental rights under Articles 14, 19, and 21 of the Constitution. A bench comprising Chief Justice D.K. Upadhyaya and Justice Tejas Karia has listed the matter for hearing in April, signaling potential scrutiny of one of the country's cornerstone data protection laws.

This PIL arrives at a critical juncture, just months after the notification of the DPDP Rules in 2025, which operationalize the Act's framework for safeguarding personal data in an increasingly digital economy. Legal practitioners specializing in technology and constitutional law are closely watching, as the outcome could redefine compliance obligations, regulatory structures, and the balance between state security and individual privacy.

Background: The Genesis and Scope of the DPDP Act

The DPDP Act, 2023, marked India's first comprehensive legislation on personal data protection, enacted following the Supreme Court's landmark Justice K.S. Puttaswamy (Retd.) v. Union of India (2017) judgment, which elevated privacy to a fundamental right under Article 21. The Act imposes obligations on data fiduciaries (entities processing personal data) to ensure consent-based processing, data minimization, and purpose limitation, while establishing the Data Protection Board (DPB) as the primary enforcer.

The 2025 Rules further detail implementation, including penalties outlined in the Act's schedule—up to INR 250 crore for breaches. However, critics, including petitioner Jain, argue that the Act and Rules create an overreaching executive apparatus rather than a rights-protective regime. Sections like 17 (government exemptions for security purposes), 36 (power to call for information), and 37 (blocking non-compliant platforms) are seen as tools for surveillance, echoing concerns from the Puttaswamy discourse on proportionate state interference.

The Act also amends the Right to Information (RTI) Act, 2005 via Section 44, exempting personal information of public officials, which Jain contends curtails transparency and public interest disclosures.

The PIL: Provisions Under Fire and Core Arguments

Jain's petition targets a broad array of sections: 17, 18, 19, 20, 21, 23, 29, 33, 34, 36, 37, 39, 40, and 44 of the DPDP Act, alongside Rules 17-23 of the 2025 Rules, and the penalty schedule. These are grouped into thematic assaults:

  • Government Exemptions and Surveillance (Section 17): The petition highlights "broad government exemptions from core data protection obligations," allowing access to personal data without consent for vaguely defined "sovereignty and integrity" reasons. Jain argues this facilitates "broad state surveillance" and "long-term storage of personal and behavioural data" without transparency, violating privacy's core under Puttaswamy.

  • Data Protection Board Composition and Control (Sections 18-21): The DPB, tasked with inquiries and penalties, is accused of being "entirely controlled by the government." Selection committees dominated by executive appointees undermine independence, creating an adjudicatory body beholden to the state.

  • Appellate Framework and Judicial Exclusion (Sections 23, 29, 39): Appeals lie to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) and then the Supreme Court, "escaping any appellate or supervisory jurisdiction of the High Courts." Section 39's bar on civil court jurisdiction is decried as ousting constitutional courts. As the petition starkly puts it:

"The DPDP Act creates a closed loop of Executive power, where the first adjudicator (Data Protection Board) and the appellate authority (Telecom Disputes Settlement and Appellate Tribunal) both remain under Executive control, while Section 39 expressly bars the jurisdiction of civil courts. This structure is Constitutionally unsustainable and violates the human rights requirement of an independent adjudicatory body."

  • Penalties, Powers, and RTI Dilution (Sections 33, 34, 36, 37, 40, 44): Heavy fines (up to 4% of global turnover), platform blocking without hearing, expansive rulemaking, and RTI curbs are labeled arbitrary and disproportionate.

The plea invokes Articles 14 (equality and non-arbitrariness), 19(1)(a) (free speech via informational autonomy), and 21 (privacy and due process), asserting:

"The provisions ‘strike at the heart of human rights jurisprudence, Constitutionally guaranteed freedoms, and the democratic promise of a free society.’"

It seeks to strike down, read down, or sever these provisions for constitutional conformity.

Court Proceedings: Initial Directions

The Division Bench of Chief Justice Upadhyaya and Justice Karia promptly issued notice on the PIL, declining any interim relief but fixing a firm timeline for the Centre's counter-affidavit. This procedural alacrity underscores the gravity of the constitutional questions raised, especially given the Act's recent operationalization.

Legal Analysis: Constitutional Infirmities and Precedents

At its core, the PIL tests the DPDP framework against the proportionality doctrine from Puttaswamy, which mandates that state intrusions on privacy be rational, necessary, and proportionate. Section 17's exemptions mirror critiqued provisions in global laws like the US CLOUD Act but lack India's constitutional safeguards.

Under Article 14 , the petitioner's charge of arbitrariness in exemptions and penalties holds weight, akin to Shayara Bano v. Union of India (triple talaq) where manifest arbitrariness invalidated law. Article 21's privacy ambit, encompassing informational self-determination, is threatened by opaque data access (Section 36).

The most potent attack is on separation of powers and judicial independence. L. Chandra Kumar v. Union of India (1997) affirmed High Courts' Article 226/227 supervisory jurisdiction over tribunals as basic constitutional features. Section 39's ouster clause and TDSAT routing may falter here, as seen in recent challenges to tribunal-heavy regimes like the 2019 Tribunal Reforms Ordinance.

Moreover, executive dominance over the DPB evokes Union of India v. Madras Bar Association (2014), mandating judicial involvement in tribunal appointments for independence. The "closed loop of Executive power" quote encapsulates this systemic flaw.

Procedural fairness under Article 21 is impugned by blocking without hearing (Section 37), heavy penalties without graded enforcement (Schedule), and absent meaningful consent mechanisms.

Implications for Legal Practice

For data fiduciaries —tech giants, startups, e-commerce—the uncertainty could halt compliance investments pending clarity on exemptions and Board powers. Privacy lawyers anticipate a surge in advisory work, while constitutional litigators see opportunities to shape jurisprudence.

The RTI angle impacts public interest litigation, potentially limiting probes into governance via data requests. Firms may pivot to TDSAT appeals, demanding specialized telecom/data expertise.

Internationally, alignment with GDPR's stricter independence (EDPB) could be tested if provisions fall, affecting cross-border data flows.

Broader Ramifications: Surveillance, Democracy, and Digital Rights

The petition warns of a "surveillance state," where:

"The DPDP Act and DPDP Rules together enable broad state surveillance, long-term storage of personal data and behavioural data, excessive Executive control over the Data Protection Board, and opaque mechanisms for obtaining personal data without consent or transparency."

In a post-Aadhaar era, this resonates with fears of mission creep. Success could mandate judicial oversight in DPB selections, HC appeals, or narrowed exemptions, fortifying privacy against state power.

Failure might embolden similar models in AI/cyber laws, tilting towards security over liberty.

Looking Ahead

As the Centre responds, expect defenses rooted in legislative policy space and national security imperatives under Article 19(2). Yet, the PIL's comprehensive assault positions it for potential Supreme Court escalation, mirroring the Aadhaar trajectory.

This challenge underscores the tension in India's digital constitutionalism: protecting citizens in a data-driven world without ceding democratic safeguards. Legal professionals must track it closely, as it may recalibrate the DPDP's promise from protection to potential peril.