By- Chahak Khare, UG Law Student, Amity University Noida
ABSTRACT
At every forward of a message on WhatsApp in India, a subtle legal contradiction simmers. On one side sits Rule 4(2) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, which mandates that a Significant Social Media Intermediary offering messaging services develop an "in-built capability" to trace the "first originator" of any message upon government request. On the other side rests the Digital Personal Data Protection Act, 2023, and its subordinate Rules of 2025 is a regime based on the "minimality and purpose limitation" principle.
This article contends that these two regimes cannot survive one another without one succumbing to the other. Traceability, by definition, requires a permanent, cross-system tracking apparatus for billions of messages and a pervasive surveillance infrastructure that is structurally at odds with the "minimality and purpose limitation" obligations imposed by Section 8 of the DPDP Act and Rules 3 and 5 of the DPDP Rules, 2025.
This article seeks to explore this conundrum by examining, first, the logical impossibility of adherence to both regimes; second, the constitutional implications from the Supreme Court’s landmark ruling in Justice K.S. Puttaswamy (Retd.) v. Union of India; and third, the real-world implications for the 500 million Indians whose communications lie at the heart of this paradox. India, it will be argued, may have inadvertently crafted a contradictory regime.
I. TWO STATUTES, ONE IMPOSSIBLE COMPLIANCE
With the passage of the Digital Personal Data Protection Act in 2023, Parliament promised to give statutory force to the Supreme Court's historic 2017 ruling in Justice K.S. Puttaswamy (Retd.) v. Union of India. In its nine-judge decision, the Court recognised a fundamental right to privacy, which the State could only violate if its intrusion was proportional, necessary, and narrowly tailored and subject to procedural safeguards. The DPDP Act institutionalised these principles for Data Fiduciaries by requiring them to collect and store only that personal data that was "necessary for the specified purpose" and for no longer than required.
.jpeg)
