[Akshat Pal and Samya Rahul are second-year B.A. LL.B. (Hons.) students at National Law University, Jodhpur. This article examines the Sanchar Saathi app’s mandatory pre-installation directive and argues that its technical design, when combined with broad state exemptions under India’s Digital Personal Data Protection Act, enables mass surveillance that undermines constitutional privacy protections established in Puttaswamy. The authors contend that the DPDP Act’s sweeping exemptions for state data processing, absence of granular consent, weakened RTI protections, and lack of a meaningful right to erasure create a framework that prioritizes state control over individual privacy.]
Introduction
The government’s recent directive mandating the compulsory pre-installation of the Sanchar Saathi app on all smartphones has reignited concerns around data privacy and mass surveillance, as it places extensive user data under direct State control and oversight. The directive drew backlash from the opposition, and the government rolled it back. However, Sanchar Saathi’s design, including its non-removable system integration, extensive permissions, automatic SIM registration, and interoperability with national identity systems, has led to questions about individual autonomy, informational privacy, and state overreach. Additionally, the rollback does not change the bigger picture of data sovereignty, which arises from the broad exemptions given to the State under the Digital Personal Data Protection Act, 2023 [“DPDP Act”], exemptions that have collectively enabled infrastructural surveillance.
- Constitutional Foundation of Informational Privacy in India
Article 21 of the Indian Constitution acknowledges informational privacy as essential to personal liberty, autonomy, and dignity. In Justice K.S. Puttaswamy & Anr. vs. Union of India & Ors. [“Puttaswamy”], the court held privacy to be a fundamental right intrinsic to dignity, decisional autonomy, bodily integrity, and informational self-determination. Furthermore, in Justice K.S. Puttaswamy (Retd) vs. Union of India, applying the Puttaswamy test, the court later declared the mandatory Aadhaar linkages with SIM cards and bank accounts invalid, as they lacked proportionality and adequate safeguards, emphasizing constitutional limits on data-driven governance.
At the same time, Puttaswamy left important gaps in the constitutional regulation of surveillance and data governance. Although the court gave a proportionality framework which required legality, legitimate state aim, rational nexus, necessity and procedural safeguards, it still did not clearly define the precise outlines of permissible surveillance or data collection, leaving these questions to future legislation and judicial scrutiny.
- Sanchar Saathi: From Public Utility to Surveillance Infrastructure
- Objective of the Government: Purpose versus Design
The Government’s purpose is to help citizens track lost phones, detect fraudulent SIMs, and report misuse, cross-border cybercrime networks, and large-scale scams exploiting mobile infrastructure, but the underlying governmental objective is much broader.
The directive requires the app to be “readily visible” and ensures its functionalities cannot be “disabled”. This converts every smartphone into a vessel for state-mandated software that the user cannot meaningfully refuse or control. In technical terms, a “non-removable” app usually requires system-level or root-level access, similar to the operating system itself or carrier-specific firmware. This design choice weakens the protections that prevent one app from accessing data from other apps, thus turning Sanchar Saathi into a permanent, non-consensual access point within the operating system.
- The Technical Anatomy of Sanchar Saathi
Sanchar Saathi consolidates multiple services and technical systems that enable extensive access to telecom-related personal data. These include the Central Equipment Identity Register [“CEIR”], Telecom Analytics for Fraud Management and Consumer Protection [“TAFCOP”], and Artificial Intelligence and Facial Recognition powered Solution for Telecom SIM Subscriber Verification [“ASTR”].
The CEIR forms the backbone of device management by correlating the International Mobile Equipment Identity [“IMEI”] number, a unique 15-digit hardware identifier embedded in every mobile phone, with users’ SIM data. The IMEI is used by telecom networks to identify, track, and block devices, especially in cases of theft or misuse. When combined with SIM identity, it enables authorities to infer device ownership, usage history, movement across regions, and even patterns such as frequent SIM swapping. A phone’s IMEI, unlike a SIM, cannot be easily changed, making it a persistent identifier that can be exploited for long-term surveillance.
Moreover, ASTR was deployed to detect fraudulent subscribers, but its method is functionally indistinguishable from mass surveillance. ASTR scans the database of over 134 crore mobile connections. It uses facial recognition algorithms to convert subscriber photos into metadata representations of the face. It then runs a ‘many-to-many’ comparison to find faces that appear across multiple SIM cards under different names. The government claims to have disconnected 0.78 crore mobile connections based on ASTR analysis. Although fraud prevention is a legitimate State objective, the means employed often involve large-scale processing of biometric data of individuals not suspected of wrongdoing, raising concerns regarding necessity and proportionality under constitutional privacy standards.
This creates a ‘360-degree profile’ of citizens. By linking a Face ID to a Mobile Number, and that Mobile Number to an Aadhaar, the state possesses a golden record of identity. With the Sanchar Saathi app pre-installed and tracking location, the state effectively has a real-time tracking device on every citizen.
- The DPDP Act: Privacy Protection or Statutory Immunity?
The DPDP Act’s most far-reaching consequence lies in its exemptions. While the Act claims to protect personal data, it simultaneously expands the State’s ability to collect, process, retain, and shield information from public scrutiny. These exemptions weaken both informational privacy under Article 21 and institutional transparency under the Right to Information Act, 2005 [“RTI Act”].
- Consent Dilution and the Fiction of ‘Legitimate Use’
The DPDP Act exempts the State from basic privacy safeguards while regulating private actors. Under Section 7 of the DPDP Act, the State may process personal data without informed consent for wide categories of “legitimate uses,” such as compliance with law, provision of services, prevention of crime, and performance of State functions. While these objectives appear reasonable on their face, the lack of specific definitions, purpose limitations, judicial oversight, or procedural safeguards turns “legitimate use” into a catch-all defense for gathering and combining large amounts of personal identifiers, metadata, behavioral data, and device information across welfare, telecom, identity, and digital surveillance systems.
- The Illusion of Choice: Granular Consent
The absence of granular consent worsens the absence of personal choice. DPDP Rule 3(b) does not give the data subject the right to consent to specific data uses. The subject must only be informed in “clear and plain language.” People are essentially compelled to choose between giving up large categories of data or losing access to necessary services. This departs from both the earlier Personal Data Protection Bill, 2018 and international regimes like the EU’s GDPR, Korea’s PIPA and China’s PIPL, which enshrine purpose-specific consent, and it undermines the constitutional requirement of free, specific, and informed consent central to informational self-determination under Article 21. Additionally, even though Section 40(2)(b) of the DPDP Act gives the government the authority to create relevant regulations, the Rules do not address legacy data, that is, information gathered prior to the DPDP Act’s implementation, leaving previously collected personal data outside of meaningful consent mechanisms.
These consent and exemption regimes are amplified by Section 17 of the DPDP Act, which permits the Central Government to completely exempt any State instrumentality from core data protection obligations like consent, purpose limitation, data minimization, and data principal rights, and to do so on broadly stated grounds like sovereignty, security, public order, or prevention of offenses.
- Transparency Blackouts: DPDP and the Dilution of the RTI Act
Combined with the amendment to Section 8(1)(j) of the RTI Act via DPDP Section 44(3), which removes the public-interest override and permits officials to categorically deny “personal information”, the practical result is a transparency blackout. The government can collect and process sensitive personal data without informed consent while also refusing to disclose how and why that data is being used. Public disclosures are left to executive channels like Press Information Bureau releases, which are optional and not subject to required standards of review or reasoned decision-making.
- The Ignored Right: ‘Right to Be Forgotten’
Although informational privacy under Article 21 includes the individual’s right to control, correct, and erase personal data, the DPDP Act does not recognize a right to be forgotten, particularly against the State. While Section 12 of the DPDP Act provides a limited right to correction and erasure, it is narrowly framed and does not apply robustly to government processing carried out under “legitimate use” or exemptions granted under Section 17 of the DPDP Act. The section does not help when the State uses the data for a legitimate reason or is exempt from the rules. It also does not specify how long the State may take, or how it decides, when someone requests deletion or removal of data. As stated in Puttaswamy and in Article 17 of the General Data Protection Regulation [“GDPR”], if people do not have the right to have their information erased, the government will hold all their information forever. This information can be used to profile and surveil people. This shows that delisting and erasure are essential to dignity and privacy.
- Comparative Perspectives and Recommendations
The GDPR places stringent requirements on informed consent: under Recital 43, consent is not considered “freely given” if the performance of a contract is made conditional on consent that is not necessary for that service. While the US lacks a federal privacy law, its judiciary and local governments have aggressively pushed back against the kind of technology Sanchar Saathi employs in ASTR. San Francisco became the first major city to ban the use of facial recognition technology by city agencies, including the police. India’s use of ASTR to scan 134 crore faces without written consent would likely be illegal under such frameworks.
The EU also recently passed the AI Act, categorizing facial recognition as “High Risk” or “Unacceptable Risk” in public spaces. India, however, has no equivalent AI regulation, permitting ASTR’s algorithmic profiling to operate without statutory boundaries, public scrutiny, or safeguards against discrimination and automated decision-making.
To ensure that platforms align with constitutional privacy principles, exemptions under Section 17 must require prior judicial oversight or authorization. Currently, under Section 17 of the DPDP Act, the executive decides when the executive is exempt from the law, which creates a conflict of interest. Additionally, the DPDP Act or the IT Act must embed proportionality and necessity tests; such codification will ensure that data collection by the State follows a strict necessity test.
Similarly, an independent Data Protection Board [“DPB”] must be appointed; currently, the government appoints its members. The European Data Protection Authorities, by contrast, operate independently of the government, which enables public audits, data minimization, and algorithmic transparency disclosures. Furthermore, the RTI Act must be restored, as Section 44(3) of the DPDP Act diluted it. The ‘Public Interest Override’ in Section 8(1)(j) of the RTI Act must be restored so that citizens and journalists can hold the government accountable for how it uses individuals’ data.
- Conclusion
India’s evolving digital governance framework, reflected in Sanchar Saathi, has been facilitated by the broad exemptions accorded to the State under the DPDP Act. These exemptions dilute the privacy protections recognized in Puttaswamy and enable extensive data collection, algorithmic analysis, surveillance, and AI monitoring. Without stronger safeguards, oversight, and enforceable rights, there is a real risk that convenience- and security-driven technologies may set the stage for intrusive surveillance. Therefore, there is a responsibility to ensure that technological progress does not eclipse the freedoms and dignity of the people it is meant to serve.