Introduction
India’s digital ecosystem has witnessed explosive growth in data generation through e-governance, online services and citizen-centric schemes. In this context, protecting personal data has become a national priority. The recent Digital Personal Data Protection Act, 2023 (DPDP Act) marks India’s first comprehensive law on digital personal data.
Alongside this new law, existing statutes like the Information Technology Act, 2000 (IT Act), the Right to Information Act, 2005 (RTI Act), and the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 shape the data protection framework. Importantly, state governments are deeply involved as both data collectors and service providers, making them key data fiduciaries under the law.
Legal Framework for Data Protection in India
India’s data protection regime is anchored by a combination of Union legislation and constitutional principles. The DPDP Act, 2023 formally recognizes the citizen’s right to protect personal data while permitting lawful processing. It defines a “Data Fiduciary” broadly as “any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data”.
Under this Act, any government entity that collects or uses personal data – including State governments and their agencies – is a Data Fiduciary. The Act imposes obligations such as informing individuals about the use of their data, taking “appropriate technical and organisational measures” to prevent breaches, and ensuring data accuracy. Failure to comply (for example, negligent handling of sensitive data) attracts penalties under Section 72A and compensation under Section 43A of the IT Act, 2000.
The IT Act, 2000 (amended 2008) remains an important statute for data security. Section 43A (inserted by amendment) requires any “body corporate” that handles sensitive personal data to implement reasonable security practices or face compensation liabilities for negligence. Section 72A criminalizes unauthorized disclosure of information obtained in confidence: for instance, a person who knowingly shares another’s personal data (gained under a lawful contract) without consent can be punished with up to three years imprisonment.
Thus, even though the IT Act is an older law, it has data privacy implications that apply to state-run corporations and agencies as well. The law also empowers the government to block unlawful websites (Section 69A) and secure critical networks (Section 70), which indirectly affects how States govern data access and network security.
The RTI Act, 2005 primarily advances openness and accountability by mandating disclosure of public records. However, it also contains important exemptions protecting personal information. Under Section 8(1)(j) of the RTI Act, any information that relates to personal data which “has no relationship to any public activity or interest” and which would cause an “unwarranted invasion of the privacy” of an individual need not be disclosed.
This means that when citizens seek information from state public bodies, purely private details are exempt unless a larger public interest demands it. State governments (through State Information Commissions) enforce these provisions, balancing transparency with privacy in state-held data. Thus, even an ostensibly “open” data policy must reckon with the RTI exemptions for personal data.
The Aadhaar Act, 2016 is another key law intersecting with data protection. It governs the collection and use of biometric and demographic data in India’s unique ID program. Under Section 28 of the Aadhaar Act, the Unique Identification Authority of India (UIDAI) is required to ensure the security and confidentiality of identity information and authentication records of individuals. Section 29 strictly prohibits sharing any core biometric information for any reason other than Aadhaar generation and authentication.
In other words, Aadhaar data (used extensively by state governments for welfare disbursement) is legally protected – unauthorized disclosure of this data can attract criminal penalties. The Supreme Court has also held that privacy is a fundamental right intrinsic to life and liberty under Article 21 of the Constitution. This constitutional backdrop reinforces that state actions with respect to personal data must comply with fundamental privacy norms, whether under the DPDP Act or any other law.
State Governments under the DPDP Act
Under Article 12 of the Constitution, “the State” includes the Government and Legislature of each State, local authorities, and other authorities within India or under the control of the Government of India. This broad definition makes it clear that state governments and their instrumentalities (for example, public sector undertakings, municipal bodies, departmental agencies, etc.) are all “State” actors.
Consequently, these state bodies are Data Fiduciaries under the DPDP Act. They determine the purposes and means of processing citizens’ personal data in areas like law enforcement, health services, education, and social welfare. For example, when a state department collects Aadhaar numbers or health records to issue benefits, it is exercising a fiduciary role over citizens’ personal data.
The DPDP Act accommodates the government’s role by creating certain exemptions and flexibilities for State Data Fiduciaries. A key provision is Section 7(c), which allows the State or its instrumentalities to process personal data without consent if it is for “the performance by the State or any of its instrumentalities of any function under any law for the time being in force in India” or in the interest of national sovereignty, security, or integrity.
In plain terms, this means state agencies do not need each citizen’s consent when processing personal data for statutory duties or critical state functions. Similarly, Sections 7(d)–(h) provide additional exemptions for statutory obligations and emergencies, such as complying with a court order or addressing a public health threat. These clauses are intended to prevent the data protection law from hindering the legitimate functions of government.
At the same time, the DPDP Act imposes general obligations on state data fiduciaries. Section 8 mandates that any data fiduciary – including the State – must implement appropriate technical and organizational safeguards to secure personal data.
A State department holding citizens’ medical or legal information must therefore adopt strong security practices (e.g. encryption, access controls). In case of a data breach, the fiduciary must notify the Data Protection Board and affected individuals.
The Act also requires that personal data not be retained longer than necessary: upon withdrawal of consent or lapse of purpose, it must be erased unless retention is mandated by law. These obligations mean state governments must adapt their digital systems and procedures to comply with the DPDP Act’s security and data-minimization standards. For instance, if a state police database includes citizens’ personal records, the police department (as a fiduciary) must ensure that data is stored securely and deleted when no longer relevant.
State-Specific Data Policies and Initiatives
State governments have begun adopting their own data policies to leverage data for governance while addressing privacy. Tamil Nadu launched a comprehensive Tamil Nadu Data Policy in 2022. It aims to harness data for decision-making, integrate siloed databases, and promote open data for transparency. Crucially, the policy explicitly includes “protection of citizen privacy rights – by providing a framework to protect the privacy of the residents of the State” as one of its guiding objectives.
The policy envisions classifying data based on sensitivity and prescribing access protocols. For example, Tamil Nadu plans to routinely publish non-sensitive government data on an Open Data Portal, while ensuring appropriate safeguards on personal data. The policy also emphasizes principles such as openness balanced with legal conformity and privacy. By articulating privacy as a guiding principle, Tamil Nadu is signaling that its drive towards data integration will respect citizens’ data rights.
Telangana was the first state to adopt an open data policy, launching the Telangana State Open Data Policy (TSODP) in 2016. The TSODP was designed to improve transparency, accountability and innovation by making government data publicly available. It required departments to proactively publish datasets in open, machine-readable formats under permissive licenses.
The policy took inspiration from the National Data Sharing and Accessibility Policy (NDSAP) and the RTI Act, aiming to make departments create inventories of data, remove legacy constraints, and share non-sensitive information. For example, Telangana set up a state Open Data Portal hosting hundreds of datasets with APIs.
Although TSODP focused on open data rather than privacy, it acknowledges data sensitivity: it mandated that sensitive or “negative” data be protected and that open data releases consider privacy. Thus, Telangana’s model shows how a state can advance data access (an opportunity for innovation) while still managing sensitive personal information through classification and approval processes.
Odisha is in the process of adopting an Odisha State Data Policy (draft as of 2024) to improve governance through data management. The draft OSDP explicitly states that its scope and applicability have been defined “in adherence to Section 2(h) of the RTI Act, 2005, and the DPDP Act, 2023”.
It underscores that while enabling data-driven decision-making, the policy “ensures citizen privacy” and protects personal information from disclosure. Early reports indicate the Odisha policy will emphasize open formats and metadata for government-owned data, along with measures to prevent misuse of individual identity data.
Its stated principles include non-redundancy, interoperability, and specifically “the rights to privacy and information”. In effect, Odisha’s approach is to streamline access to government data for public-good uses (e.g. planning, disaster response) while codifying privacy protections for personal data.
Other states have taken smaller steps. For instance, some state e-Governance strategies mention data security standards for department applications. Several states (like Maharashtra, Karnataka, etc.) offer incentives for building data centers, which has implications for local data storage. A few states have cloud or IT policies that include data security clauses.
However, Tamil Nadu, Telangana and Odisha stand out for having comprehensive policies that explicitly address data sharing and privacy at the state level. These initiatives offer templates that other states could emulate, but actual implementation is still evolving.
Challenges for State Governments in Data Protection
State governments face several challenges in protecting data. Legislative constraints are significant: most aspects of digital communications and information technology fall under the Union List of the Constitution, meaning states cannot unilaterally legislate broadly on data protection.
For example, “posts and telegraphs, telephones, wireless, broadcasting” are Union subjects (Entry 31, List I), which has been interpreted to mean that comprehensive digital privacy laws must come from Parliament.
However, states do have scope under their own list – notably Entry 12 of List II (State List) allows states to legislate on “the development of industries and the regulation of mines and mineral development to preserve surface or underground water”, but more relevantly, some interpretations suggest it includes laws on public records.
As one analysis notes, under Entry 12 a state could enact laws for maintenance of public records and ensure citizens’ privacy of those records. In practice, no state has yet enacted its own data protection law under this entry, so states must generally operate under central laws like the DPDP Act.
Another challenge is capacity and resources. Implementing strong data protection and security measures requires technical infrastructure and trained personnel.
Many state departments use a mix of legacy paper records and newer IT systems. Upgrading all these systems to meet the DPDP Act’s security standards (e.g. encryption, access logs, breach notification mechanisms) can strain budgets.
Smaller states or rural local bodies may lack cybersecurity experts or funding for secure data centers. The disparity between states means some may lag in adopting best practices. Furthermore, state-run digital services are targets for cyber-attacks; for example, state government websites or databases have occasionally been breached or defaced. States must therefore invest in cybersecurity frameworks and incident response, which is challenging given limited expertise.
Privacy vs. Transparency is a perennial tension. States are eager to make data open for research and citizen services (as seen in open data policies), but they must also safeguard personal information. Balancing RTI’s mandate for disclosure with privacy protections requires careful guidelines.
For instance, a citizen’s educational or health records may serve a legitimate public interest when aggregated statistically, but they must be anonymized. States need clear protocols to de-identify data or reject RTI requests that would violate Section 8(1)(j). Mistakes can lead to privacy breaches or litigation. Some confusion may arise over which data qualifies as “personal” and how to handle data requests from government and public alike.
Coordination with the Centre is another issue. Many digital systems (like the Aadhaar database, income tax, border control) are centralized, so state databases often interact with Union systems. States need to align their policies with national rules and approvals.
For example, any changes to how Aadhaar data is collected or shared by states must conform to the Aadhaar Act and UIDAI regulations. States must also heed guidelines issued by the MeitY or the DPDP Board, which may specify standards or model clauses. Ensuring that state rules (if any) do not conflict with central law requires legal expertise and sometimes dialogue with Union ministries.
Lastly, public awareness and trust can be lacking. Citizens may not fully understand data protection rights under new laws. State governments must educate the public about how their data is used (e.g. via privacy notices in vernacular languages) and provide grievance redress.
Historically, some state records (like those related to caste or health) have been leaked or improperly shared due to lax controls. Building systems that citizens trust – for example by promptly removing their data on request or compensating for breaches – will be crucial. Without public trust, even well-designed state data initiatives may meet resistance or fear.
Opportunities and Recommendations
Despite the challenges, there are significant opportunities for state governments in the new data era. Properly protected data can improve governance and public services. States can use aggregated citizen data to target welfare schemes better, reduce leakages, and tailor health and education programs.
For example, linking data across departments (while preserving privacy) can minimize exclusion and inclusion errors in subsidies. States can establish Data Governance frameworks – setting up data protection officers, audit processes, and standard operating procedures – to build confidence in data use. The provisions of the DPDP Act essentially mandate that approach, and states can leverage it to institutionalize best practices.
Inter-state collaboration is another opportunity. States could work together to harmonize their data-sharing rules (especially neighboring states with cross-border migrants). The DPDP Act envisions a central Data Protection Board; similarly, states could form a forum to share experiences and develop model guidelines. Moreover, states should invest in training public servants on data protection (for instance, forming state-level “privacy cells” or certification programs).
The growth of data centers in India is beneficial for states too. By attracting and building local data centers (as some states already incentivize), states can keep citizens’ data within Indian jurisdiction, which aids protection. This also spurs economic development in IT. Similarly, states can use “open-by-default” policies for non-sensitive data to foster innovation (for example, giving startups access to anonymized transport or environmental data to build solutions).
Statutorily, states could proactively use the powers they have. Under Entry 12 of List II, a state legislature could draft a law for maintenance of public records with built-in privacy safeguards. Even if rarely used today, this could provide a legal backing for data protection at the local level (beyond central laws). States can also amend existing laws (like state police or health laws) to include specific privacy protections, since these subjects fall under state lists.
Finally, integrating privacy into policy design is key. As seen in Tamil Nadu’s data policy and the draft Odisha policy, explicitly including privacy principles creates accountability. States might adopt “Privacy by Design” approaches for e-governance projects, conducting impact assessments before launching new data collection. Encouraging citizen feedback and transparency reports can further improve trust.
Conclusion
The role of state governments in India’s data protection regime is pivotal and multifaceted. State agencies collect and process vast amounts of personal data in delivering public services. Under the DPDP Act, 2023 and related laws, these agencies are recognized as data fiduciaries with clear obligations to safeguard information. State policies like Tamil Nadu’s, Telangana’s, and Odisha’s demonstrate a growing acknowledgment that privacy and open data must go hand-in-hand.
At the same time, states face challenges of legal scope, resources, and balancing openness with citizens’ rights. By strengthening legal and technical capacity, collaborating with the Centre and other states, and centering privacy in policy design, state governments can turn these challenges into opportunities. Well-implemented state data protection measures will bolster governance, innovation, and public trust, advancing India’s digital transformation in a rights-respecting manner.