
1. What is Rule 23? (The "Call for Information")

At its core, Rule 23 is the government’s "Master Key."

It empowers the Central Government to legally demand information from any Data Fiduciary (companies like Google, Facebook, your bank, or a private hospital) or Intermediary (like your Internet Service Provider).

How it works:

  • The Power: The government issues an order requiring a company to "furnish such information as may be called for."

  • The Grounds: To trigger this rule, the government only needs to cite reasons related to the "sovereignty and integrity of India" or the "security of the State."

The "Gag Order" (The Critical Detail)

The most alarming part of this rule is found in Sub-rule (2). It acts as a legal gag order.

If the government requests your data under the pretext of national security, the company is forbidden from telling you that your data was handed over. You, the Data Principal, are left completely in the dark.


2. Why is this Controversial?

Critics argue that Rule 23 effectively legalizes a "surveillance backdoor" without the necessary democratic checks and balances. Here are the three main concerns:

  1. No Judicial Oversight: Unlike a traditional search warrant, the government does not need a judge’s permission to demand this data. An executive order is sufficient.

  2. Vague Definitions: Terms like "sovereignty" or "security of the State" are incredibly broad. Critics fear these terms could be stretched to investigate political dissent, target journalists, or suppress opposition under the guise of security.

  3. Violation of "Purpose Limitation": When you give your location data to a cab app, you consent to it being used for transportation. Rule 23 allows the government to bypass that consent and access the data for an entirely different purpose (surveillance).


3. The "Common Man" Reality Check

How does this affect you? To understand the impact, we have to look at two different scenarios: when the Government wants something from you, and when you want something from the Government.

Scenario A: The Government Wants YOUR Data

Imagine the government wants to see your WhatsApp chat logs, your bank transaction history, or your travel movements recorded by a ride-sharing app.

  • The Action: Under Rule 23, they demand this data from the private company.

  • The Response: The company must comply.

  • The Silence: Due to the gag order, the company is legally banned from notifying you.

  • The Result: Your privacy is breached, and you will likely never know it happened.

Scenario B: YOU Want Data FROM the Government

This is where the power imbalance becomes obvious. The DPDP Act classifies the Government as a "Data Fiduciary," theoretically making them responsible for your data. However, this creates a conflict:

The Good News: You have the "Right to Access"

If a government department (like the Passport Office) holds your data, you can ask them: "What data of mine do you have?" or "Who have you shared it with?" They are legally required to answer you.

The Bad News: The Death of RTI

Previously, the Right to Information (RTI) Act was a tool for citizens to expose corruption. You could demand lists of beneficiaries to ensure government contracts weren't being given to a politician's relatives.

However, the DPDP Act has amended Section 8(1)(j) of the RTI Act.

  • The Change: The government can now refuse an RTI request if the information relates to the "personal information" of any person.

  • The Impact: If you try to investigate a scam by asking for a list of people who received government grants, the government can reject the request, claiming that the list contains names, and therefore, "privacy" prevents them from releasing it.


Summary: Who Holds the Power?

The following table illustrates the stark difference in power dynamics introduced by Rule 23 and the DPDP amendments:

| Feature | Can the Government do it? | Can the Common Man do it? |
|---|---|---|
| Demand Data | YES. Via Rule 23, they can demand your data from private companies, often secretly. | YES (Partial). You can demand your own data from the Govt, but not general data (due to RTI dilution). |
| Transparency | Low. They can hide data requests under the umbrella of "National Security." | High (Only for Self). You have the right to know how your specific data is used, but not how public funds are distributed to others. |
| Oversight | Internal. No court warrant required. | Limited. Investigating the state via RTI has become significantly harder. |

The Bottom Line

Rule 23 highlights a paradoxical shift in Indian democracy.

If you (the citizen) want data from the government to check for corruption, the law now makes it harder, citing the privacy of others. However, if the government wants data about you, Rule 23 allows them to take it from private companies without a warrant, without your consent, and without ever telling you.

The DPDP Rules, 2025, have indeed created a privacy framework—but it appears to be a framework where the State’s privacy is absolute, and the citizen’s privacy is conditional.