The Quiet Expansion
India's surveillance architecture has grown more powerful in the past three years than in the preceding two decades. The Telecommunications Act, 2023, the Digital Personal Data Protection Act, 2023, and the lingering Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 together create a framework in which the executive can intercept, monitor, and demand decryption with minimal independent review. Enforcement guidance issued in early 2026 — extending interception obligations to over-the-top communication services and reiterating duties on significant social media intermediaries — confirms a trajectory that civil society, industry, and constitutional scholars have been warning about since Justice K.S. Puttaswamy v. Union of India (2017) recognised privacy as a fundamental right.
People of Internet supports India's legitimate national security interests. Cross-border terrorism, organised online fraud, and child-safety crimes demand modern investigative tools. But the nine-judge Puttaswamy bench was unambiguous: any restriction on privacy must be lawful, necessary, proportionate, and accompanied by procedural safeguards. India's current trajectory satisfies the first test and increasingly fails the other three.
Three Layers, One Problem
Three instruments now define how the Indian state engages with private digital communications.
The Telecommunications Act, 2023 consolidated and broadened powers previously scattered across the Indian Telegraph Act, 1885 and the Indian Wireless Telegraphy Act, 1933. Section 20 permits interception in the interest of "public safety" and "public emergency" — terms the statute does not define with precision. Authorisation rests with the executive; there is no statutory requirement of prior judicial review, no obligation to publish aggregate transparency data, and no independent oversight body equivalent to the United Kingdom's Investigatory Powers Commissioner.
Section 69 of the Information Technology Act, 2000, read with the 2009 Interception Rules, allows the Centre and States to direct any "intermediary" to intercept, monitor, or decrypt information. The 2009 Rules were drafted before end-to-end encrypted messaging was mainstream; their continued application to modern encrypted services creates compliance demands that are technically impossible without weakening security for every user.
The IT Rules, 2021, particularly Rule 4(2), require "significant social media intermediaries" providing primarily messaging services to enable identification of the "first originator" of information. WhatsApp's constitutional challenge before the Delhi High Court remains pending. The petitioners' core argument is technical, not ideological: traceability and end-to-end encryption are mathematically incompatible. To trace one message, you must redesign cryptography for everyone.
The Proportionality Deficit
Compare India's framework with peer democracies. The European Court of Human Rights in Big Brother Watch v. United Kingdom (2021) required prior independent authorisation for bulk interception regimes. Germany's Federal Constitutional Court extended privacy protections extraterritorially in its 2020 BND judgment. Even the United States — hardly a privacy maximalist — requires Foreign Intelligence Surveillance Court approval for surveillance of US persons.
India has no equivalent. The PUCL v. Union of India (1997) safeguards — review committees of executive officers — were a stop-gap a quarter century ago, drafted for analogue telephone tapping. Today, when a single interception order can capture a citizen's entire digital life, an executive committee reviewing its own department's orders is not meaningful oversight.
The DPDP Act was an opportunity to recalibrate. Instead, Section 17(2)(a) empowers the Union government to exempt any "instrumentality of the State" from the Act's protections on broadly defined grounds. The promised Data Protection Board's remit does not meaningfully extend to government processing.
Why This Matters for Innovation
This is not only a rights problem; it is an economic one. India aspires to a one-trillion-dollar digital economy by 2030. That vision depends on three preconditions: trust in domestic platforms, willingness of foreign firms to host Indian user data locally, and credibility of Indian-origin services abroad. Disproportionate surveillance erodes all three.
The Internet Society's 2020 traceability analysis warned that mandates incompatible with end-to-end encryption would degrade India's competitive position relative to jurisdictions offering clearer, narrower frameworks. NASSCOM and IAMAI submissions during DPDP consultations consistently flagged surveillance uncertainty as a material concern for foreign investment. Investors price legal risk; opaque interception regimes are legal risk.
A Proportionate Path Forward
People of Internet supports a reform agenda that would preserve India's investigative capacity while restoring constitutional balance:
- Judicial pre-authorisation for targeted interception, with emergency provisions reviewable within 72 hours, modelled on the UK Investigatory Powers Act 2016.
- An independent oversight body empowered to inspect, audit, and publish aggregate statistics — analogous to Australia's Inspector-General of Intelligence and Security.
- A statutory bar on mandates that require breaking encryption. Lawful access should proceed through metadata analysis, targeted lawful hacking under judicial warrant, or international cooperation under mutual legal assistance treaties.
- Narrowing Section 17 of the DPDP Act so government exemptions are time-bound, purpose-bound, and subject to Data Protection Board review.
- Annual transparency reporting by the Ministry of Home Affairs on the number of interception orders issued, renewed, and rejected.
None of these reforms would weaken India's ability to investigate genuine threats. Each would strengthen the constitutional foundation on which India's digital economy must be built. Surveillance and innovation are not opposites — but only when surveillance is bounded by law, reviewed by courts, and proportionate to the harm it seeks to prevent. The current trajectory delivers neither full security nor full freedom. India can do better, and Puttaswamy requires that it does.