In the grand architectural blueprint of digital governance, India’s digital personal data protection (DPDP) framework, comprising the DPDP Act of 2023 and its accompanying rules of 2025, present themselves as a fortress preserving and protecting individual privacy. Yet, it has a critical design flaw: its most formidable defences are oriented exclusively outwards, towards private entities, while leaving the rear gate not merely unguarded, but actively propped open for the Orwellian State.

The framework creates a perilous artificial dichotomy, imposing a rigorous, if imperfect, regime upon corporations while anointing the State as the unassailable and primary aggressor against the very civil right it purports to protect. It is a fundamental reorientation of the social contract in the digital age, one that places the citizen’s most intimate digital self at the mercy of the sovereign, devoid of the procedural safeguards that are the bedrock of a constitutional democracy.

The constitutional spirit, invigorated by the K S Puttaswamy (2018) case, recognised privacy as an intrinsic component of Article 21. This right ought not to be deprived except by a procedure established by law—a procedure that must be fair, just, and reasonable, as laid down in the Maneka Gandhi (1978) case. The entire DPDP framework creates the mirage of a substantive right for the individual while simultaneously constructing vast, nebulous exclusion zones for the State. The exemptions culminate in the chilling expanse of the Seventh Schedule of the DPDP rules.