Data privacy at risk as political parties exploit legal loopholes
On August 4, the Supreme Court dismissed a special leave petition (SLP) seeking to challenge the Madras High Court’s interim injunction order of July 21, wherein the high court restrained the Dravida Munnetra Kazhagam (DMK) from allegedly collecting Aadhaar card details during its ‘Oraniyil Tamil Nadu’ door-to-door membership drive.
The order highlighted troubling gaps in accountability and transparency, focussing sharply on profiling that involves the collection of sensitive personal information (religious affiliation, caste, ethnicity, income) and questioned the authenticity of “informed consent”, the bedrock of any legitimate data protection framework.
Loopholes and omissions in data protection law
Voter-profiling has long been part of Indian politics. Parties across the spectrum have built extensive datasets to enable targeted messaging, customised advertisements and focussed voter outreach.
Political parties, in the guise of aiding people in availing themselves of government schemes or organising membership drives, are collecting personal data without explaining to voters the real purpose behind such collection.
The Saral app, used by the Bharatiya Janata Party (BJP) to connect with voters, along with the Sevamitra app, used by the Telugu Desam Party, has been criticised for its opaque privacy notices, raising concerns about whether consent from users can be considered informed.
The Sevamitra app facilitates an extensive collection of biometric and booth-level voter data in Telangana and Andhra Pradesh.
Other major parties, including the TMC and Congress, have reached voters directly via unsolicited calls, further blurring the line between service and surveillance.
These practices result in ‘function creep’, where data gathered ostensibly for welfare is used for political profiling and targeting, eroding both privacy and fairness.
The Digital Personal Data Protection Act (DPDPA), 2023, along with its 2025 rules, aims to create a cohesive data protection regime for India. The Act designates the entity or person collecting data as a data fiduciary. Section 4(1)(a) mandates that data fiduciaries obtain free, specific, informed, unconditional and unambiguous consent for each data collection tied to a clear purpose.
However, Section 7(b) allows the government and its agencies to process personal data without consent when providing subsidies or benefits. Political parties have been seen harvesting data collected by the government for various welfare schemes to create voter profiles and engage in micro-targeting.
Moreover, the Act exempts this data from erasure obligations, permitting its indefinite retention and potential use beyond the original intent.
Unlike jurisdictions such as the United Kingdom, where the General Data Protection Regulation explicitly covers door-to-door data collection and requires political parties to have a legal basis and provide clear privacy information, the DPDPA does not contain a similar explicit provision and does not regulate profiling activities.
Moreover, the DPDPA’s broad definition of ‘personal data’ does not differentiate ordinary from sensitive information, such as religious belief or caste, which in turn lacks additional safeguards.
Although the law gives the Union government the power to designate certain entities as Significant Data Fiduciaries (SDFs) if they are handling large, sensitive or strategically important datasets, it sets no clear, binding thresholds, leaving the process to government discretion.
This means that political parties are unlikely to be subjected to the Act’s most stringent accountability measures, such as requiring them to have mandatory data protection officers or conduct routine impact assessments, regardless of the scale and sensitivity of their data operations.
Furthermore, crucial rights of a data subject remain out of reach since the data collected would fall within the ambit of Section 7(1)(b) and, therefore, the right to access, erasure and correction would not be applicable despite being recognised as fundamental pillars of Fair Information Practice Principles (FIPPs).
Apart from this, the vague understanding of reasonable security safeguards, skewed composition of the data protection board and lack of a compensation mechanism prescribed in the DPDPA and rules do not inspire confidence in the robustness of the data protection regime.
The crisis of transparency and the democratic cost
Transparency is further compromised as political parties remain exempt from the Right to Information Act, 2005, shielding their data practices from public scrutiny. This opacity runs contrary to the transparency principles emphasised by the Supreme Court in the electoral bonds judgment.
The Supreme Court, through its recent order, while rejecting the SLP, has underscored that keeping a record of a citizen’s predilections is a serious concern.
These judicial interventions highlight that privacy is fundamental to a healthy democracy. Without robust safeguards and genuine accountability, the democratic process risks being influenced more by those holding extensive data than by the will of the voters.
Utkarsh Yadav is a final year student at Dr Ram Manohar Lohiya National Law University, Lucknow and Harshita Gupta is a final year student at National Law University, Jodhpur.