Tech Law Forum @ NALSAR

A student-run group at NALSAR University of Law

U.S. Visa Surveillance: The New Panopticon and its Privacy Implications

Posted on November 5, 2025 by Tech Law Forum NALSAR

[This article has been authored by Anvesha Singh and Preeshita Singh, fourth-year B.A. LL.B. students at Symbiosis Law School, Hyderabad. It examines the United States’ June 2025 policy requiring international student visa applicants to undergo social media vetting, arguing that it violates privacy rights and suppresses free speech. The authors highlight how India’s Digital Personal Data Protection Act falls short in protecting citizens from foreign digital surveillance, and push for legal reforms to address this gap.]

Abstract

On June 18th, 2025, the United States (“U.S.”) implemented a controversial policy (“Policy”) requiring all applicants for international student visas to be subjected to social-media vetting. This sweeping mandate constitutes a blatant violation of the right to privacy and signals the emergence of a panopticon-like surveillance system. By attempting to police personal ideologies under the guise of national security, this policy turns digital footprints into tools of ideological assessment. Through this analysis, the article contends that if liberal democracies like the U.S. continue to implement opaque and unilateral surveillance regimes, they risk legitimising the very authoritarian digital practices they publicly oppose. The article also examines India’s Digital Personal Data Protection Act (“DPDP”) and argues for its strengthening, especially in contexts involving foreign digital overreach. The Policy has the effect of turning the social media profile of visa candidates into dossiers, initiating a kind of surveillance-based assessment to determine whether any individual is conforming to their ideology or not. With over 3 lakh Indian students contributing more than $8 billion annually to the U.S. economy, the impact is far-reaching, raising issues across two dimensions: right to privacy and freedom of speech.

Introduction

Foreign students who have applied for education and exchange visas for the U.S. now have to set their social media profiles to public. The Policy applies to the F (academic), M (vocational), and J (exchange) visa classifications. It covers all the platforms mentioned in the DS-160 visa application form, giving U.S. officials the right to investigate posts, comments, and messages to assess online behaviour. Rather than continuing with the traditional, fact-based vetting, which concerns criminal background checks, among other things, the U.S. government has implemented a much more intrusive system that is based on ideology. The policy includes “comprehensive and thorough vetting” of the applicants, and each visa decision is framed as a national security assessment. This suggests that visa adjudication now hinges not just on criminal or financial background but also on whether an applicant’s online behaviour aligns with U.S. national interests and values, raising questions about ideological vetting and freedom of expression.

Not only does it jeopardise an applicant’s sensitive personal data, it also curtails an individual’s freedom of speech. In a desperate attempt to appear ‘safe’, applicants may scrub their online histories and refrain from making any political remarks. Needless to say, such surveillance suppresses free speech, as visa applicants would engage in self-censorship, deleting any online activity that may risk getting flagged. Evidently, the Policy has raised issues of legality and privacy, and this article captures its implications across two dimensions: right to privacy and freedom of speech.

Since May 2019, the U.S. State Department has required most visa applicants to provide their social media identifiers. In contrast, the present notification takes a more invasive approach by explicitly asking applicants to make their personal social media content fully accessible to officers. While the 2019 notification merely introduced the collection of social media identifiers for the purpose of verifying applicants’ identities, the U.S. authorities have now progressed into a controversial zone by forcing applicants to expose their online interactions.

What Do Constitutional and International Law Say?

In Justice K.S. Puttaswamy v. Union of India, the seminal case regarding the right to privacy, Justice Chandrachud warned that in the digital age, governments have unprecedented power to watch over citizens, which can easily turn into a threat to individual freedom. Under the Policy, applicants are forced to hand over their entire online lives or risk having their visas denied. 

International law recognises privacy as a core human right. Article 12 of the Universal Declaration of Human Rights (“UDHR”) and Article 17 of the International Covenant on Civil and Political Rights (“ICCPR”) both prohibit arbitrary interference with an individual’s privacy. Although the UDHR does not have binding force, the ICCPR is a treaty obligation for its state parties, requiring them to ensure that surveillance or data collection does not take place in an unlawful or arbitrary manner. The Human Rights Committee has clarified the scope of this obligation in several decisions. In Toonen v. Australia, the Court held that the right to privacy under Article 17 extends to protection against unwarranted surveillance and discrimination. In Weiss v. Austria, the Committee emphasised that any interference must comply with the principles of legality, necessity, and proportionality. These standards were further elaborated in the Council’s General Comment No. 16 (1988), which sets out a three-part test requiring that interferences be based on clear law, pursue a legitimate objective such as national security, and be strictly proportionate to that aim.

Applying this framework to the Policy, the measure of requiring applicants to expose their private social media data does not satisfy the test. While visa screening may be argued to serve a legitimate state interest in national security or immigration control, the policy lacks a clear statutory foundation accessible to affected individuals, thereby failing the legality requirement. Further, blanket access to private communications of all applicants is indiscriminate and disproportionate, as it does not distinguish between genuine threats and ordinary individuals. It also does not demonstrate necessity, since less intrusive alternatives such as targeted checks based on specific risk indicators are available.

A cardinal principle of data privacy is data minimization, which requires that entities collect only such personal data as is strictly necessary for achieving a clearly defined and legitimate purpose. Collection of data beyond what is essential is considered excessive and contrary to this principle. In the present case, the requirement of granting access to private social media accounts as part of visa screening does not meet the threshold of necessity. The purpose of visa adjudication can reasonably be achieved through conventional means such as document verification, background checks, and security clearances. Indiscriminate access to social media profiles amounts to collection of data that is neither directly relevant nor proportionate to the stated objective. Therefore, such a measure violates the principle of data minimization and reflects an excessive intrusion into personal privacy.

For Indian citizens, the concern becomes acute because a foreign government is subjecting them to invasive digital scrutiny without adequate safeguards or remedies. This raises the critical question of how India, as a state party to the ICCPR, can protect its citizens’ internationally recognised privacy rights from foreign digital overreach that would not withstand scrutiny under the legality, necessity, and proportionality standards. 

Limitations of India’s DPDP Act

Section 3(b) of the DPDP Act, 2023 states that the law will apply to the processing of personal data outside India only if the entity doing the processing is acting in connection with goods or services offered to persons within India. The term “services” in this provision is ordinarily understood to mean commercial, consumer or other non-sovereign offerings such as banking, e-commerce, software, health care, or telecom services. Services usually involve a voluntary transaction or contractual relationship between a provider and a recipient. Reviewing visa applications by a foreign government does not qualify as a commercial or consumer service because it is a sovereign function performed in fulfillment of immigration control and regulatory authority. That being so, the U.S. government, when it reviews visa applications, is not offering services to Indian citizens in the sense envisaged under Section 3(b). Accordingly, the DPDP Act does not extend to such processing. Section 13 of the Act grants Data Principals the right to a grievance redressal mechanism against Data Fiduciaries or Consent Managers for violation of their obligations under the Act or breach of their rights. Because visa screening is not a service under Section 3(b), rights under Section 13 would not protect Indian citizens in this instance.

In contrast, the GDPR sets a benchmark in protecting the privacy rights of EU citizens by extending its scope and ambit beyond their territorial boundaries. Article 3(2)(b) of the GDPR states that it would be applicable when personal data of individuals located in the EU is processed by organisations outside the EU, if the processing involves tracking or observing those individuals’ behaviour within the EU. This opens up the possibility for EU citizens to challenge the US visa policy. The Indian legislation lacks such a firm stance when it comes to foreign surveillance. The key difference between both the legislations is that DPDP does not concern itself with the processing of data if it’s done by a foreign government. This is a loophole that needs to be addressed, especially because the nature of the data being accessed by the authorities is sensitive.

What compounds this vulnerability is the limited scope of redressal mechanisms available to Indians. The Judicial Redress Act, 2015 (Section 2(a)) extends some Privacy Act protections to citizens of select ‘designated countries’ (mostly EU nations). It allows foreign citizens to bring civil actions in U.S. courts if a U.S. federal agency mishandles their personal data. The same is not afforded to Indian citizens since India is not a designated country. This creates a very problematic asymmetry where students are forced to disclose their sensitive personal data under the garb of national security, and yet they are denied the procedural safeguards and accountability mechanisms that U.S. citizens or nationals from the abovementioned designated countries enjoy.

Conclusion

“Thoughtcrime does not entail death: thoughtcrime is death.”

-George Orwell

Today, posting dissenting opinions or criticisms online can result in visa rejections and even jeopardize your future by stripping you of the opportunity to study in a prestigious university to which you were admitted. The idea of “thoughtcrime” from George Orwell’s 1984 aligns with the punishment of ideological nonconformity detected via digital footprints. While national security is a legitimate concern, it should not entail a precondition of surrendering one’s privacy rights in order to be eligible for a U.S. visa.

Undoubtedly, India’s current data protection framework is quite progressive. However, it lacks the necessary provisions to address extraterritorial data misuse or digital surveillance. India must closely inspect its loopholes with regard to how the DPDP Act is rendered inapplicable in a situation like visa screening of students, simply because it refuses to look beyond actions that are related to providing “goods and services”.

In this context, steps to strengthen the DPDP Act may be seen by the U.S. as an attack on its sovereignty. Hence, this will only be achieved through proper diplomatic channels, considering the U.S.’s stance on national security, especially with the current geo-political situation. Additionally, India’s addition to the Judicial Redress Act will only happen as a result of strong dialogue between both countries. 

A more balanced approach could involve relying on third-party verification mechanisms, such as background checks conducted through universities, employers, or past immigration records, which provide reliable information without unnecessary intrusion into personal communications. Additionally, authorities may adopt a consent-based disclosure model, where applicants voluntarily share limited and relevant information, such as professional profiles or public social media activity, instead of being compelled to open all private accounts to scrutiny. This would allow security interests to be addressed while respecting individual privacy.
