In an increasingly digital India, the question of who controls your personal data has never been more pertinent. With the Digital Personal Data Protection Act, 2023 (DPDP Act) establishing a new framework for data protection, a crucial conversation emerges: should your personal information be primarily under the purview of the central government or state governments? This question strikes at the heart of India’s federal structure and has significant implications for citizens’ privacy rights.
The New Data Protection Landscape
The DPDP Act represents India’s first comprehensive attempt to regulate personal data processing across both public and private sectors. While the Act creates a unified national framework, it simultaneously establishes a complex relationship between central and state authorities regarding data governance.
The recent publication of the draft Digital Personal Data Protection Rules, 2025, by the Ministry of Electronics & Information Technology (MeitY) in January 2025 aims to operationalise the DPDP Act by providing detailed implementation guidelines. These draft rules are currently open for public consultation, reflecting the government’s stated commitment to a collaborative approach in developing this framework.
India’s approach to data protection reflects its constitutional structure. Unlike unitary systems where central governments maintain exclusive control over most regulatory matters, India’s federal framework distributes powers between the Centre and States, creating unique considerations for data governance.
The Central Government’s Position
The central government, through MeitY, has positioned itself as the primary architect of India’s data protection regime. This centralised approach offers several advantages:
- Uniform Standards: A centralised framework creates consistency in data protection practices across the country, preventing a patchwork of varying state regulations.
- International Alignment: The central government can more effectively align India’s data protection standards with global frameworks like the EU’s GDPR.
- Technological Infrastructure: Centralised governance allows for standardised implementation of technological safeguards and security measures.
- National Security Considerations: The Centre’s broader view of security threats enables more comprehensive protection against data breaches with national implications.
However, this approach also raises concerns about excessive concentration of power. The exemptions provided to the central government under Section 17(2) of the DPDP Act, which permits processing personal data in the interests of “sovereignty and integrity of India” or “security of the state”, are particularly broad.
These exemptions reflect similar provisions in other data protection laws globally, but without robust independent oversight mechanisms, they create potential for broad interpretation.
The Case for State Control
State governments occupy a unique position in India’s data ecosystem:
- Proximity to Citizens: States often have a closer relationship with citizens, potentially allowing for more responsive and contextually appropriate data governance.
- Local Service Delivery: As primary providers of numerous public services, states collect and process vast amounts of citizen data through welfare schemes, healthcare, and education initiatives.
- Cultural and Linguistic Considerations: States can better account for regional variations in digital literacy and provide localised approaches to privacy awareness.
- Constitutional Mandate: Under the Constitution’s federal structure, states have significant responsibility for many areas that generate personal data, including aspects of healthcare, education, and local governance.
Several states have already demonstrated leadership in digital governance. For example, Tamil Nadu established a dedicated Safe and Ethical Artificial Intelligence Policy in 2020 that includes provisions for data governance, while Telangana developed the Telangana Data Sharing Protocol to manage government data sharing. These state-level initiatives demonstrate how regional approaches can address specific data governance challenges within the national framework.
Furthermore, Article 12 of the Constitution, as interpreted by the Supreme Court in cases like Sukhdev Singh v. Bhagatram Sardar Singh Raghuvanshi (1975) and Ajay Hasia v. Khalid Mujib Sehravardi (1981), establishes states as constitutional entities with distinct identities. This constitutional status suggests they should maintain appropriate autonomy in governing data collected through state functions.
The Dual Role Dilemma
Both central and state governments face a dual role in the data protection framework:
- As regulators responsible for implementing and enforcing data protection laws
- As data fiduciaries processing massive amounts of citizen data themselves
This dual role creates an inherent tension, as governments must essentially regulate their own data processing activities. The DPDP Act acknowledges this tension through various exemptions provided to government entities under Sections 7 and 17.
The challenge becomes particularly acute when we consider the volume of data held by governments. From Aadhaar details to tax records and from property registrations to health information, governments at all levels have become significant repositories of personal data in the country.
According to the Economic Survey 2022-23, over 1.3 billion Indians have Aadhaar identification, and the government maintains numerous other databases containing citizen information. This scope of data processing raises important questions about accountability and oversight in data protection.
The Draft Rules of 2025 attempt to address this tension by proposing procedural frameworks for government data processing. However, they still leave significant discretion to both central and state authorities in determining when exemptions apply.
Balancing Federalism and Privacy
The right to privacy, recognised as a fundamental right by the Supreme Court in Justice K.S. Puttaswamy v. Union of India (2017), requires a careful balancing act within India’s federal structure. Consider these key aspects:
Consent and Government Data Processing
The DPDP Act grants significant exemptions to government entities from obtaining consent when processing personal data. Section 7(c) permits processing without consent for “performance of any function under law” or in the “interest of sovereignty and integrity of India”.
This raises a critical question: Should states have the same broad exemptions as the Centre? The Act currently treats all government entities similarly in this regard, but the practical implementation may reveal differing standards.
The Research and Statistical Exemption
Section 17(2)(b) of the Act exempts data processing for research, archiving, and statistical purposes from most requirements, provided that personal data isn’t used for decisions specifically related to the data principal and processing follows prescribed standards.
This creates opportunities for evidence-based policymaking at both central and state levels but also requires careful safeguards to prevent misuse.
Lessons from Aadhaar Implementation
The implementation of Aadhaar provides instructive insights into the challenges of balancing central directives with state-level implementation. While the Unique Identification Authority of India (UIDAI) was established as a central authority, the actual enrolment and service delivery integrated with Aadhaar involved significant state government participation.
In Puttaswamy v. Union of India (2018), the Supreme Court upheld the constitutional validity of Aadhaar while striking down certain provisions and establishing limitations on data sharing. The Court recognised both the national interest in a unified identification system and the need for robust data protection safeguards.
This experience demonstrates the importance of clearly delineating responsibilities between central and state authorities while establishing unambiguous accountability mechanisms for data protection.
Legislative Framework Considerations
The question of legislative jurisdiction adds another layer to this discussion. The DPDP Act has been enacted by Parliament, but many aspects of data governance touch on subjects that may involve state jurisdiction as well.
For instance, health data protection involves both national health programmes and state-administered healthcare facilities. This overlapping jurisdiction necessitates careful coordination between levels of government.
Finding the Right Balance
The ideal approach likely lies not in choosing between central or state control but in creating a collaborative framework that leverages the strengths of both while implementing appropriate checks and balances:
- Tiered Regulatory Structure: Establish a tiered framework where the Centre sets minimum standards and States can enhance protections based on regional needs, similar to models established in other federal systems.
- Independent Oversight: Create truly independent data protection authorities that can oversee government data processing activities at all levels.
- Transparency Requirements: Mandate disclosure of data processing activities by all government entities, regardless of exemptions.
- Proportionality Testing: Require both central and state governments to document how their data processing activities meet the proportionality test established in the Puttaswamy judgement.
- Inter-governmental Data Sharing Protocols: Develop clear protocols for data sharing between different levels of government with appropriate safeguards.
- Data Protection Impact Assessments: Implement assessments for government initiatives that involve significant data processing to evaluate privacy implications before implementation.
This cooperative federalism approach would maintain national consistency while respecting state autonomy and regional diversity.
Your Role in the Dialogue
As citizens in this emerging data protection landscape, your engagement matters:
- Stay Informed: Understand the provisions of the DPDP Act and how they affect your rights. The MeitY website currently provides information about the Act and Draft Rules.
- Participate in Consultations: When governments seek feedback on data protection rules, contribute your perspective through official consultation processes.
- Exercise Your Rights: Under the DPDP Act, you have rights to access, correct, and erase your personal data, even when processed by government entities.
- Engage with Civil Society: Organisations like the Internet Freedom Foundation and Centre for Internet and Society actively work on digital rights issues in India and provide educational resources.
- Practise Digital Hygiene: Be mindful about what information you share with both private companies and government services.
The debate around federalism in data governance directly affects how your personal information is handled by institutions you interact with daily.
Conclusion
The question of whether the Centre or States should control your data doesn’t have a simple answer. The most effective approach will require thoughtful cooperation between both levels of government, with rigorous safeguards and citizen participation.
As India’s data protection framework continues to evolve following the DPDP Act’s passage, we must collectively ensure that federalism enhances rather than diminishes privacy protections. The goal should be a system where both central and state governments serve as responsible stewards of your data—not just powerful controllers.
The ultimate test of any data governance model—whether centralised or federal—will be its ability to uphold the constitutional right to privacy while enabling the legitimate use of data for governance and development. This balancing act requires ongoing vigilance from citizens, civil society, and the judiciary to ensure that power over personal data is exercised responsibly at all levels of government.