Luffy

India's Digital Personal Data Protection Act (DPDP Act) was enacted in August 2023 to establish a framework for personal data protection while the National Population Register (NPR) aims to create a comprehensive identity database for residents. The convergence of these two initiatives raises concerns about potential conflicts, particularly regarding consent, data collection practices, and compliance with data protection principles. The report analyzes these tensions and compares them with similar issues in other jurisdictions, emphasizing the need for clarity in the implementation of both the DPDP Act and NPR.

Uploaded by Tawab Ullas

India’s DPDP Act and the National Population Register: Conflict and International Comparisons


Introduction
In August 2023, India enacted the Digital Personal Data Protection Act, 2023 (DPDP
Act) to establish a comprehensive legal framework for personal data protection. This new
law seeks to balance individuals’ fundamental right to privacy with the state and
organizations’ need to process personal data for legitimate purposes. Around the same
time, India has been preparing to update its National Population Register (NPR) – a
nationwide database of residents – as part of the pending decennial census. The
convergence of a stringent data protection regime and a large mandatory population
database raises important questions. Key concerns include whether the NPR’s data
collection practices align with the DPDP Act’s consent and purpose-limitation
requirements, which authority has jurisdiction in case of disputes, and how any tensions
might be resolved. This report provides a fact-checked overview of the DPDP Act and
the NPR, analyzes potential conflicts between them, and examines how similar issues are
addressed in other jurisdictions (the United States, European Union, Singapore, and Saudi
Arabia). We ground the analysis in the legal status and developments as of late March
2025, with full citations to authoritative sources.

Digital Personal Data Protection Act, 2023: Background and Status
Enactment and Scope: India’s DPDP Act, 2023 (Act No. 22 of 2023) was passed by
Parliament in early August 2023 (Lok Sabha on August 7 and Rajya Sabha on August 9)
and received Presidential assent on August 11, 2023. However, the Act’s provisions did
not take effect immediately. By law, the Act comes into force on dates notified by the
central government. As of March 2025, the DPDP Act’s implementation is underway but
not yet fully operational. Government announcements indicated that the Act is expected
to be brought into force by mid-2024, after the issuance of necessary implementation
rules and the establishment of enforcement bodies. In fact, draft Digital Personal Data
Protection Rules, 2025 were published for public consultation in January 2025 to flesh
out the Act’s operational details. This indicates that the regulatory framework is in
progress, with the new data protection regime anticipated to kick in during 2024–2025.

Mandate and Principles: The DPDP Act provides a legal framework for processing
“digital personal data” – essentially any personal data in digital form – in a manner that
“recognises both the right of individuals to protect their personal data and the need
to process such personal data for lawful purposes”. In other words, the Act’s mandate
is twofold: to safeguard individuals’ privacy and data rights, while also enabling data
processing for legitimate, lawful functions (whether by businesses or government). The
law applies across sectors (public and private) and focuses on personal data that is
digitized or collected online. Notably, it is limited to digital data; offline personal data is
outside its direct scope unless later digitized, a point that has drawn some criticism.

Key Provisions: The DPDP Act defines roles of Data Principal (the individual to whom
the data relates) and Data Fiduciary (the entity processing data). It requires that personal
data processing be based either on the data principal’s consent or on certain “legitimate
uses” explicitly permitted by the law. Consent, where required, must be free, informed,
specific, and explicit, and individuals have the right to withdraw consent at any time.
Even when consent is not required (i.e. under legitimate uses), the Act emphasizes
principles like purpose limitation (data can only be processed for the specific purpose it
was collected for) and data minimization (only data that is necessary for that purpose
should be collected and used). Crucially, the Act empowers individuals with rights to
access their data, request correction or erasure of their data, and to grievance redressal if
these rights are violated or if data is misused. Data fiduciaries, in turn, have obligations to
implement reasonable security safeguards, notify authorities of data breaches, and be
accountable for how they handle personal information.

Regulatory Authority: The DPDP Act establishes a dedicated regulatory body, the Data
Protection Board of India (DPB), as the centerpiece of its enforcement mechanism. The
DPB is to be set up by the Central Government (under Section 18 of the Act) and will
function as an adjudicatory authority to monitor compliance, investigate complaints, and
impose penalties for violations. The draft Rules, 2025 outline the composition and
operation of this Board – including the appointment of a Chairperson and members,
procedures for hearings (largely digital), and an appellate process. Although the DPB is
not yet operational (as of March 2025), it is expected to be constituted soon after the rules
are finalized. Once functional, individuals (Data Principals) will be able to file
complaints with the Board regarding any breach of the DPDP Act by data fiduciaries,
including government agencies. The Board will have powers to order remedial measures
and levy substantial financial penalties for non-compliance, thereby serving as an
enforcement and dispute-resolution forum under the Act.

Government Data and Exemptions: A pivotal aspect of the DPDP Act is how it treats
government data processing. Unlike some countries’ privacy laws that outright exempt
public-sector data, the DPDP Act does cover government bodies as data fiduciaries, but
with important carve-outs. Section 17 of the Act empowers the central government to
exempt certain agencies or departments (“instrumentalities of the State”) from some
or all provisions of the law on broad grounds such as the sovereignty or security of
India, public order, or similar interests. In effect, the Executive can via notification
exclude specified government data-processing activities from the Act’s requirements
(like consent, purpose limitation, etc.) by invoking national security or public interest.
This power has drawn criticism from privacy advocates for being too sweeping, as it
could theoretically be used to immunize mass surveillance programs or large databases
(like the NPR) from the protections the law grants to citizens. Government
representatives have argued such exemptions would be sparingly used for critical state
functions, but the exact contours will only be known as and when any notifications are
issued. As of March 2025, no specific exemption for the NPR or related activities had
been publicly notified (also because the Act itself is still coming into force). Therefore,
the default position is that the NPR, as a government data system, would be subject to the
DPDP Act’s provisions unless an exemption is made.

In summary, the DPDP Act is a landmark statute aimed at fortifying data privacy in
India. Its full enforcement awaits subsidiary rules and institutional setup in 2024. The
Act’s applicability to government initiatives like the NPR sets the stage for a potential
conflict between privacy norms and state data collection mandates, discussed next.

National Population Register: Purpose and Legal Framework
What is the NPR? The National Population Register (NPR) is a comprehensive identity
database of all “usual residents” of India. It is intended to record demographic and certain
biometric information for every person residing in the country, whether citizen or foreign
national, and is maintained at local, state, and national levels. The NPR’s ultimate aim is
to serve as a foundational registry for population data and to facilitate the creation of a
National Register of Indian Citizens (NRIC) by distinguishing citizens from non-citizens.
In practical terms, the NPR involves a house-to-house enumeration of residents,
collecting key personal details and updating them periodically along with the national
census exercises.

Legal Basis: The NPR was first introduced in the wake of amendments to the citizenship
laws. It is authorized by provisions of the Citizenship Act, 1955 as amended, and more
explicitly by the Citizenship (Registration of Citizens and Issue of National Identity
Cards) Rules, 2003. Rules 3 and 4 of the 2003 Rules provide the framework for
establishing the NPR and, subsequently, the NRIC. Under this legal mandate, the central
government is empowered (through the Registrar General of Citizen Registration) to
compulsorily register every usual resident in a population register. The Office of the
Registrar General and Census Commissioner of India (under the Ministry of Home
Affairs) is the authority responsible for executing the NPR across the country. The
Registrar General acts as the National Registration Authority, overseeing data collection
and maintenance for the NPR as well as the eventual citizens’ register. In summary, the
NPR is not merely a policy program; it has a clear statutory foundation. Registration
in the NPR is mandatory for all residents by law, and it is a precursor to issuing National
Identity Cards to Indian citizens in the future.

Data Collected: The NPR exercise gathers extensive personal data from each resident.
According to official plans and past NPR rounds, 21 demographic data points are
collected for every individual. These include basic identity information (name, gender,
date of birth, place of birth, and address) and also additional details like the person’s
parents’ birth places, last place of residence, marital status, and unique
identification numbers (such as PAN card number, voter ID, driving license number,
and mobile phone number). Notably, Aadhaar number is also solicited and linked,
although authorities have mentioned that providing Aadhaar is “voluntary” in the NPR
context. In practice, Aadhaar data (including biometrics) can be used to update the NPR,
meaning the NPR and Aadhaar databases are interoperable to some extent. The NPR
additionally integrates biometric information: during earlier NPR updates, photographs
and fingerprints were collected, and more recently, rather than collecting fresh
biometrics, the NPR is leveraging Aadhaar’s biometric data to avoid duplication. The
data collection is typically done during the Census’s house-listing phase (which precedes
the population count), using digital devices or mobile apps for efficiency.

To illustrate the scope, in the last NPR update (2010–2015), enumerators recorded 15
fields in 2010 (name, DOB, etc.), and then additional fields like Aadhaar and mobile
number were added in the 2015 update. For the next planned update, a few new
categories (e.g. parents’ birth details) are to be included while some obsolete ones (like
ration card number) dropped. In sum, the NPR functions as a giant central repository
of personal information on everyone in India, making it akin to a national
demographic database.

Stated Purpose and Uses: The official purpose of the NPR, as per the Citizenship Rules,
is narrowly defined: it is to serve as the basis for creating the National Register of
Citizens (NRIC). In legal terms, once the NPR is compiled, the data can be verified and
filtered to identify Indian citizens and thereby build a citizens-only register. However,
government statements have attributed additional purposes to the NPR. It is often
promoted as a tool for “better targeting of government welfare schemes and
services”, by having up-to-date data on households and individuals. Planners argue that a
comprehensive population database helps administrators identify beneficiaries of
subsidies, financial inclusion programs, and other social welfare initiatives more
effectively. Another rationale given is national security and internal security: NPR is
seen as helping authorities track population movements and identify undocumented
immigrants or potential security risks, since it creates a verified identity infrastructure for
residents. Thus, the NPR is portrayed as strengthening both governance and security by
providing a single source of truth on residents’ identities.

It is important to note a discrepancy: the only statutorily mandated use of NPR data in
the law is for the NRIC (citizenship determination), yet the government often publicly
cites welfare and other administrative uses which are not explicitly mentioned in the legal
text. This mismatch has led to criticism that NPR data could be repurposed beyond what
the law initially envisaged – a phenomenon known as function creep. Indeed, parallels
are drawn to how data collected for India’s Aadhaar (unique ID) system was later used
widely for purposes not originally intended, until legal checks were imposed in 2018.
With NPR, there is concern that once a vast personal database is created, it may be
employed for “any purpose at any time” unless clear limits are in place.

Current Status (as of March 2025): The NPR is a rolling project that coincides with the
census cycle. The initial NPR enumeration was conducted in 2010 alongside Census
2011. A partial update (door-to-door survey) was done in 2015 to incorporate changes
like new Aadhaar numbers and phone contacts. The next full update of NPR was
scheduled to take place with the 2021 Census. In fact, the Government of India’s Union
Cabinet approved a plan in December 2019 for Census 2021 and simultaneous NPR
update, with a detailed budget allocated (₹3,941 crore specifically for the NPR). The
house-listing phase and NPR data collection were supposed to occur from April to
September 2020. However, the COVID-19 pandemic intervened, forcing postponement
of both the census and the NPR exercise in 2020. As of early 2025, these exercises have
not been completed. Repeated delays mean that India did not conduct the census in 2021,
and by 2025 there were doubts if it would be done that year either. The Union Budget
2025–26 provided only a fraction of the required funds, suggesting that the decennial
census (and NPR) might be further pushed to late 2025 or 2026. Government sources
indicated an optimistic timeline of initiating the census and NPR update in early 2025
with data ready by 2026, but official schedules remain unannounced. In short, the NPR
has not been updated for a decade (since 2015) and the planned 2020–21 update is still
pending. This timing is crucial: the DPDP Act came into being during this delay. So the
upcoming NPR data collection, whenever it occurs, will likely happen under the shadow
of the new data protection law. That intersection is where potential conflicts emerge.

Potential Conflicts Between the DPDP Act and NPR


The NPR, by design, is a government-mandated mass data collection program, whereas
the DPDP Act institutes stringent conditions on personal data processing, emphasizing
consent, transparency, and individual rights. This gives rise to several areas of tension:

• 1. Lawful Basis: Mandatory Collection vs Consent: A fundamental difference
lies in how personal data is obtained. The NPR is compulsory – residents do not
actively consent to providing their information; they are required by law to do so.
By contrast, the DPDP Act’s default rule is that personal data should be processed
with the consent of the individual, except in certain defined scenarios. Does NPR
fit into those scenarios? Under the DPDP Act, one of the “certain legitimate uses”
allowing non-consensual processing is likely compliance with a law or mandate
of the state. In other words, processing personal data “for the performance of any
function under law” can be interpreted as a permissible ground without consent
(similar to the concept of legal obligation/public interest in other data protection
regimes). The Citizenship Act and Rules provide that legal mandate for NPR, so
arguably NPR data processing would be considered a lawful purpose under the
DPDP Act even without individual consent. However, even if lawful, the DPDP
Act would still expect that core data protection principles are followed during
such processing. The concern is that NPR’s blanket approach – collecting data
from everyone by default – might conflict with the Act’s ethos of giving
individuals control. For example, the DPDP Act grants individuals the right to
notice about how their data will be used and the right to grievance redressal. In an
NPR exercise, residents are typically just told to provide information; they may
not receive a detailed privacy notice or have an option to opt out. There is thus an
inherent tension: can a person object to or refuse certain data being collected
in NPR on privacy grounds? Under current citizenship laws, no – it’s
mandatory. Under the DPDP Act, they normally could object unless it’s a
required legal purpose. Resolving this, the likely interpretation is that NPR data
collection is a legitimate state function that does not require consent. Yet, best
practices of data protection (transparency, minimalism) should still apply.

• 2. Data Minimization and Purpose Limitation: The DPDP Act emphasizes
collecting only data that is necessary for a specified purpose and using it only for
that purpose. Here, NPR might overstep. Necessity: If the core statutory purpose
of NPR is to create a citizens register (NRIC), only data strictly needed for
establishing citizenship should be collected. Basic identity info and proof of
residence might suffice for that purpose. However, NPR currently asks for a much
broader set of data – e.g. Aadhaar number, driver’s license, mobile number, etc.
Some of these (like driver’s license or PAN) are not relevant to proving
citizenship; Aadhaar itself is explicitly not proof of citizenship. Thus, under a
strict data protection lens, NPR’s collection of such extra data could violate the
data minimization principle (collecting more personal data than necessary).
Similarly, purpose limitation: NPR data, by law, should be used to compile the
NRIC. But the government’s stated uses (welfare targeting, etc.) are outside that
narrow purpose. Using NPR data for welfare schemes or other analytics would
represent a change or expansion of purpose. The DPDP Act would typically
require that if data collected for one purpose is to be used for another, either the
new purpose should be compatible or fresh consent should be obtained. In case of
NPR, individuals aren’t asked consent for those secondary uses. This
misalignment of purpose – essentially function creep – is a direct conflict with
privacy principles. Unless the government codifies the broader purposes into the
law (thereby making them “official” purposes), using NPR data for welfare,
security or other aims could be challenged as unlawful under the DPDP Act’s
framework. The Internet Freedom Foundation’s analysis pointed out that NPR
exemplifies how open-ended data use can occur and recommended that any
public data collection like this have its purposes tightly anchored in legislation to
enable a proportionality test for each purpose.

• 3. Individual Rights vs State Ownership of Data: The DPDP Act endows data
principals (individuals) with certain rights: the right to confirm if their data is
being processed, to receive a copy of their data, to request correction of
inaccuracies, and even to request deletion of data in some cases. If the NPR falls
under the Act, would an individual be allowed to, say, review the information the
NPR holds on them and seek corrections? In practice, the NPR does have a
mechanism for correction of entries – for example, during verification stages or
by application, one can update mistakes in personal details. This is in line with
both good governance and with the DPDP Act’s right to correction. So here we
see potential compatibility rather than conflict: the NPR would need to ensure
individuals can access and correct their data, which is feasible. However,
deletion or opt-out is another matter. One of the rights under many data
protection laws is to request erasure of data (“right to be forgotten”) or to
withdraw consent. In the context of a compulsory register like NPR, an individual
cannot ask for their data to be erased without legal authorization – being in the
register is mandatory by law. The DPDP Act does allow exemptions for data
processing that is mandated by law, so likely the right to deletion would not apply
to NPR data as long as it’s needed for that legal purpose. Nonetheless, there is a
tension if NPR data is retained indefinitely. The DPDP Act would encourage
that personal data not be kept longer than necessary. For NPR, how long will the
data be kept? Potentially forever, as it’s a continually updated register. There is no
clear data retention limit in the NPR scheme – it is meant to be maintained
permanently and updated periodically. This could conflict with the principle of
storage limitation, but again, one could argue the purpose (national registry) is
ongoing, justifying continual retention. The key point: individuals have limited
control over NPR data once given, compared to the strong control envisioned in
the DPDP Act. If someone believes their NPR data is misused or inaccurate,
under DPDP they could complain to the Data Protection Board. That sets up a
scenario of the DPB reviewing actions of a central government project (the NPR),
which raises questions of jurisdiction and accountability, discussed next.

• 4. Oversight and Jurisdictional Issues: The DPDP Act’s enforcement via the
Data Protection Board means any data fiduciary, including a government
department handling personal data, could be subject to inquiry and penalties for
non-compliance. The NPR is administered by the Ministry of Home Affairs
(through the Registrar General). Normally, government bodies are expected to
comply with the law, and the DPB would have authority to adjudicate complaints
against them as well. But two complications arise: (a) The central government’s
power to exempt itself (Section 17) could be used to shield the NPR operations
from the DPB’s scrutiny. If the government issues a notification exempting the
NPR (or the RGI) from the Act “in the interest of national security or public
order,” then neither the requirements nor the DPB’s jurisdiction would apply.
This is a real concern – privacy advocates have noted that such broad exemptions
could leave expansive programs like NPR entirely outside the purview of the
privacy law. It essentially becomes an executive decision whether the DPB can
oversee NPR-related grievances or not. (b) Even if no exemption is given, there is
a practical consideration of one arm of the government regulating another. The
DPB, while designed to be relatively independent, is still a body whose members
are appointed by the executive. There could be institutional reluctance to
aggressively enforce against a flagship government initiative. On the flip side, if
an individual’s privacy complaint (for example, misuse of NPR data by a local
official) goes to the DPB, the Board could find itself mediating between citizen
rights and government justifications. This is uncharted territory for India, and how
it will play out depends on the DPB’s assertiveness and the government’s stance
on transparency. Comparatively, India does not have a strong history of
independent data regulators yet, so this structure is novel. In any event, the
existence of the DPDP Act means the NPR is no longer solely an internal
government matter; it potentially introduces external oversight over how NPR
data is handled, unless deliberately exempted.

• 5. Security and Sharing of Data (Interoperability): The DPDP Act mandates
data fiduciaries to ensure reasonable security safeguards for personal data, and to
prevent unauthorized access or breaches. The NPR database, given its sensitivity
(it contains personal details of over a billion people), is a high-value asset that
needs robust protection. A conflict would arise if NPR data were to be widely
shared across government agencies without adequate safeguards or if integrated
with other databases in ways that heighten risks of breaches or surveillance. For
instance, there have been proposals to link the NPR with databases like Aadhaar,
electoral rolls, tax data, etc., to create a 360-degree view of individuals for
governance. Such interoperability, while administratively useful, can pose privacy
risks. The DPDP Act doesn’t forbid linking databases, but it would classify such
combined processing as a new processing activity requiring its own lawful basis.
If different government databases start exchanging data, each such exchange
needs to be assessed for consistency with the original purpose and for necessity.
Another angle is data sharing with third parties: Would NPR data ever be
shared with state governments, or researchers, or (worst-case) leaked to private
entities? The law governing NPR (Citizenship Rules) actually prohibits public
access to NPR data; it’s meant for government use only. So in theory, NPR data
should not be disclosed except for official purposes. This aligns with DPDP Act
requirements that personal data not be disclosed to unauthorized persons.
Nonetheless, without transparent policies, citizens might fear that NPR could
enable surveillance if multiple databases are linked (for example, combining
travel history, bank details, etc., once a person’s NPR ID is a common key). The
DPDP Act’s emphasis on accountability would require that any such sharing or
new use of NPR data be documented and justifiable. A concrete example: if
tomorrow the government decides to use NPR data for a predictive policing
program (hypothetically), under the DPDP Act an individual could question the
legality of that use, since it deviates from original purposes and likely wasn’t
consented to. This again shows how the DPDP Act creates a legal avenue to
challenge expansions of NPR usage.

• 6. Conflict of Laws – Privacy vs Other Objectives: We should also consider
that the DPDP Act is not the only law in play. The Right to Information Act (RTI),
2005 intersects here too: personal details in NPR might be sought under RTI for
transparency, but DPDP aims to protect personal data from disclosure. In fact,
amendments were proposed to the RTI Act via the DPDP Act to exempt personal
information from disclosure. Similarly, there could be clashes with laws on
national security or immigration. The government might argue that certain uses of
NPR data are vital for security (e.g. detecting illegal immigrants), and thus should
override privacy considerations. The DPDP Act does allow broad exceptions for
security, as noted. The resolution of any such conflict will depend on
proportionality – Indian courts, following the Puttaswamy privacy judgment, will
test if an infringement of privacy via NPR is justified by a larger state interest
with necessity and proportionality. The Aadhaar Supreme Court case (2018) set a
precedent: it upheld Aadhaar for welfare and tax purposes as proportionate, but
struck down its use for things like opening bank accounts or getting mobile
phones as disproportionate to the need. If a similar challenge arises for NPR,
courts may scrutinize whether each use of NPR data meets the test of necessity for
a democratic aim.

In summary, the NPR and the DPDP Act have somewhat opposing philosophies: one
treats data collection as a mandatory state exercise, the other treats data as belonging to
individuals with rights attached. They can be reconciled if the NPR strictly limits itself to
what is necessary and if the government is transparent about usage, aligning with data
protection principles. Indeed, constitutional experts argue that even in the absence of a
statute like DPDP, any large-scale non-consensual data collection must observe
principles of data minimization, purpose limitation, necessity, and proportionality to
be constitutional. The DPDP Act now codifies some of those principles. The conflict will
truly surface when the NPR is next updated: at that point, will the process be adjusted to
comply with DPDP (e.g. giving people privacy notices, ensuring only needed data is
asked, securing the data properly)? Or will the government invoke an exemption to
proceed unencumbered by these restrictions? That decision will significantly impact
privacy outcomes. Civil society’s stance has been that NPR should not be placed above
the law’s privacy requirements – for instance, IFF’s briefing warned against using the
DPDP Bill’s exemptions to exclude NPR from accountability. If the government heeds
that, it might voluntarily adopt privacy-preserving measures in the NPR process (short of
giving people a choice to not participate, which is not feasible, but measures like not
asking extraneous details and not repurposing data without legal basis). Alternatively, an
exemption may be invoked, which would then likely face public backlash or even legal
challenge given the Supreme Court’s privacy jurisprudence.

International Perspectives and Comparisons


To better understand how such conflicts between a data protection regime and a national
population database might be managed, it is useful to look at other jurisdictions:

United States: Sectoral Privacy and the Federal Privacy Act

The United States does not have a single omnibus data protection law akin to the DPDP
Act. Instead, it follows a sector-specific approach. However, for government-held
personal data, the key law is the Privacy Act of 1974. This law was enacted post-Watergate,
in part to curb government abuse of personal data. The Privacy Act protects
personal information collected by federal agencies and imposes a set of fair
information practice principles on them. For example, agencies must publish in a public
register what databases (“systems of records”) they keep and for what purpose, cannot
disclose personal records to other parties without the individual’s consent (barring certain
exceptions), and must allow individuals to access and correct their records. In essence,
the Privacy Act gives U.S. individuals rights over their data held by government and sets
conditions on inter-agency data sharing. It does not require consent for the government to
collect data in the first place (agencies can collect data if authorized by law), but it
emphasizes transparency and limited use.

National Population Data in U.S.: The U.S. does not have an NPR-equivalent that
continuously registers residents. The closest analog is the decennial Census, which
gathers population data every 10 years as mandated by the Constitution. Another is the
Social Security Administration’s records of all individuals with social security
numbers. Both are covered by strict confidentiality rules. In fact, the Census is governed
by Title 13 of the U.S. Code, which makes census personal data confidential for 72 years
and explicitly prohibits any other government agency (even law enforcement) from
accessing individual-level census responses. Violating census confidentiality is a federal
crime. This is a noteworthy approach: rather than giving people consent rights (you are
legally required to respond to the Census), the U.S. ensures privacy by legal insulation
of the data – it cannot be misused by the state itself. A historical reason was abuses in
the 1940s; since then laws have fortified the separation. Similarly, Social Security data is
protected by the Privacy Act and other statutes; it can only be used for specific welfare
program administration or as otherwise legally permitted, and individuals can request
their own records but not others’.

Regulatory and Redress Mechanisms: The U.S. has no dedicated data protection
authority. Instead, oversight of government data handling is internal and judicial. Each
agency has a privacy officer; the Office of Management and Budget (OMB) issues
guidance on Privacy Act compliance; and if individuals feel their Privacy Act rights are
violated (say an agency disclosed their data improperly or maintained inaccurate data
causing harm), they can sue the agency in U.S. federal court. For example, privacy
groups in 2025 invoked the Privacy Act to block a government initiative (codenamed
“DOGE”) from accessing federal records, arguing it overstepped legal bounds. This kind
of legal challenge is how conflicts are resolved in the U.S.: through the courts
interpreting the Privacy Act or specific laws.

In summary, the U.S. addresses the population register vs. privacy issue by restricting
usage and dissemination. The government can collect data for Census or Social Security
(no consent there), but strong laws like the Privacy Act and Title 13 ensure that data isn’t
misused or broadly shared. Independent watchdog agencies are minimal; instead,
transparency and the threat of litigation enforce compliance. For India, one lesson is that
even without an omnibus law, the U.S. put in place domain-specific safeguards
(something India could consider for NPR if DPDP exemption is invoked – e.g., impose
strict statutory confidentiality on NPR data and independent audit requirements).

European Union: Comprehensive Data Protection with Independent Oversight

The European Union’s approach is the General Data Protection Regulation (GDPR),
which is a comprehensive privacy law covering both private companies and government
bodies in EU member states. Under the GDPR (and national laws implementing it),
government data processing is allowed but under defined legal bases and subject to
full oversight by independent regulators. For instance, EU governments often maintain
population registers or national ID systems (for example, Germany’s Melderegister,
Sweden’s population register, etc.), but these operate under specific national laws that
comply with GDPR principles. Typically, the legal basis for a population register is
“performance of a task carried out in the public interest or exercise of official authority”
(GDPR Art. 6(1)(e)), or a legal obligation (Art. 6(1)(c)). This means consent of
individuals is not required – much like India’s NPR, it’s mandatory. However, GDPR
imposes conditions even on such processing: the purpose must be explicit and
legitimate, only necessary data should be collected, data subjects must be informed of
how their data will be used, and appropriate security must be in place. Moreover,
individuals have rights (access, rectification, etc.) and can exercise them even against
government controllers.

Crucially, every EU country has an independent Data Protection Authority (DPA) that
supervises compliance. These DPAs have legal powers to investigate government
departments, and have not shied away from doing so. For example, there have been cases
where national or local authorities were fined for misusing personal data from citizen
registries. In the Netherlands, the tax authority was penalized for a scandal involving
improper use of a registry and profiling, violating GDPR. In Sweden, the DPA oversaw
how the population register data was used by other agencies. The GDPR provides for
cooperation mechanisms too, but in context of one country’s NPR, primarily the national
DPA is responsible. If a European citizen believes their data in a population register is
being misused (say data was shared with an unauthorized party or collected excessively),
they can lodge a complaint with the DPA. The DPA can then order the authority to
change practices or even impose fines (although often DPAs prefer to work with public
bodies to achieve compliance rather than punishment, unless the breach is egregious).
Additionally, citizens can take legal action in court under GDPR for compensation if
harm is caused by unlawful processing.

Resolution of Conflicts: The EU model essentially institutionalizes a balance: it
recognizes the state’s right to register population data (for governance, issuance of ID
numbers, etc.) but surrounds it with safeguards and independent checks. If a conflict
arises, say between a privacy requirement and a security requirement, GDPR does allow
exceptions for national security which is outside its scope (each country can have
separate laws for security agencies). But for civilian population registers, GDPR fully
applies. In practice, this means EU governments have adapted their population data
systems to meet privacy norms – e.g., limiting who can access the data, logging every
access (accountability), giving people some control like the ability to block certain
disclosures. A concrete example: Austria has a centralized population register and
assigns every resident a unique identifier, but by law that identifier cannot be used freely
by other agencies; it generates sector-specific IDs so that cross-matching databases is
harder without authorization. This is a privacy-by-design solution inspired by data
protection imperatives. Under GDPR’s influence, EU states have implemented such
measures to reduce risk of function creep and mass surveillance using population data.
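
The sector-specific identifier idea described above can be sketched as follows. This is an added illustration, not code from the report or from any country's actual system: the HMAC-SHA256 derivation, the `Registry` class, the sector codes, the agency names and the sample identifiers are all assumptions made for the example.

```python
"""Sector-specific identifiers derived from one registry identifier (sketch)."""
import base64
import hashlib
import hmac

# Constructed sample data: these base identifiers are made up.
RESIDENTS = ["000247681", "000913305", "000558120"]


class Registry:
    """Holds the derivation key; each agency only ever sees its own sector's IDs."""

    def __init__(self, key, residents, allowed_links):
        self._key = key
        self._residents = list(residents)
        self._allowed = set(allowed_links)  # {(agency, from_sector, to_sector)}
        self.audit_log = []                 # every translation request, granted or not

    def sector_id(self, base_id, sector):
        # Length-prefix the sector code so two different (sector, base_id)
        # pairs can never produce the same byte string.
        msg = len(sector).to_bytes(2, "big") + sector.encode() + base_id.encode()
        digest = hmac.new(self._key, msg, hashlib.sha256).digest()
        return base64.b32encode(digest[:15]).decode()

    def translate(self, agency, sid, from_sector, to_sector):
        """Map one sector's ID to another's, only for links permitted in advance."""
        granted = (agency, from_sector, to_sector) in self._allowed
        self.audit_log.append((agency, from_sector, to_sector, granted))
        if not granted:
            raise PermissionError(f"{agency}: {from_sector}->{to_sector} not authorised")
        for base_id in self._residents:
            if hmac.compare_digest(self.sector_id(base_id, from_sector), sid):
                return self.sector_id(base_id, to_sector)
        raise KeyError("identifier not found in source sector")


def build_registry():
    # Constructed key and a single permitted link (assumptions for the demo).
    return Registry(
        key=b"constructed-demo-key",
        residents=RESIDENTS,
        allowed_links={("audit-office", "TAX", "HEALTH")},
    )


def cross_sector_matches(registry):
    """What a party holding both sector tables, but not the key, can join on."""
    tax = {registry.sector_id(r, "TAX") for r in RESIDENTS}
    health = {registry.sector_id(r, "HEALTH") for r in RESIDENTS}
    return len(tax & health)


if __name__ == "__main__":
    reg = build_registry()
    print("joinable rows without the registry:", cross_sector_matches(reg))
    tax_id = reg.sector_id(RESIDENTS[0], "TAX")
    print("authorised link:", reg.translate("audit-office", tax_id, "TAX", "HEALTH"))
    try:
        reg.translate("marketing-unit", tax_id, "TAX", "HEALTH")
    except PermissionError as exc:
        print("refused:", exc)
    print("audit log:", reg.audit_log)
```

Because linkage only happens through `translate`, the access limits and access logging mentioned in the same paragraph are enforced at a single point.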

Thus, the EU demonstrates that a strong privacy law and a population register can
coexist, if the law explicitly permits the register for specific purposes and an independent
authority ensures it’s not misused beyond that. The key takeaway for India is the role of a
truly independent regulator – the Data Protection Board in India would need similar
independence and resolve as EU DPAs to check any overreach in NPR usage. However,
the independence of India’s DPB is yet untested and it is part of the executive framework,
unlike EU DPAs which are statutorily independent bodies. International best practice
would suggest empowering the oversight body and clearly delineating permissible uses of
NPR data in law, to avoid conflict.

Singapore: Separation of Public and Private Data Protection Regimes

Singapore provides a contrasting model. Singapore’s main data protection legislation, the
Personal Data Protection Act (PDPA) of 2012, exempts the entire public sector from
its scope. The PDPA governs private sector organizations’ handling of personal data,
setting consent requirements and so forth, but it explicitly does not apply to government.
Instead, the Singapore government maintains its own set of rules and frameworks for
public sector data. Since 2001, internal Government Instruction Manuals have laid down
rules on how agencies collect, share, and secure personal data. In 2018, Singapore
enacted the Public Sector (Governance) Act (PSGA), which strengthened safeguards for
government data – including criminalizing unauthorized disclosure by public servants
and requiring inter-agency data sharing to be for lawful purposes with proper controls.
The standards in the public sector are said to be aligned with the PDPA’s principles, even
if the enforcement mechanism is different.

National Registers in Singapore: Singapore has a national identification system where
each citizen and resident has a National Registration Identity Card (NRIC) number. The
maintenance of population records (including a register of residents and a central
identification database) is handled by the Immigration and Checkpoints Authority under
the National Registration Act. Data from the NRIC database is used for a wide range of
public services. Because the PDPA doesn’t apply to government, issues of conflict are
handled administratively or via other laws. For instance, the NRIC number is considered
highly sensitive; misuse of someone’s NRIC or unnecessary collection by private entities
was addressed through PDPA Advisory Guidelines. In the public sector, the PSGA and
Official Secrets Act provide legal protection – e.g., any civil servant leaking personal
data faces legal penalties.

There was an incident where a government portal (ACRA’s business registry)
inadvertently exposed NRIC numbers, raising public concern. It became a talking point
because ACRA, as a government agency, is exempt from PDPA, meaning the data
protection commission (PDPC) could not sanction them under PDPA. Instead, the matter
was handled through internal government review and tightening of processes. This led
some to question whether public-sector exemption should continue. In Parliament,
questions were raised if PDPA should be extended to cover public agencies given some
serious data breaches (like a 2018 health data breach). The government’s response was
that it prefers its own governance framework, arguing that it imposes “comparable, if not
higher” standards on public agencies as PDPA does on private companies. The rationale
is that having direct executive control allows faster improvements and that sensitive
government data is already protected by multiple laws (Official Secrets Act, Statistics
Act for census data, etc.).

Conflict and Resolution: In Singapore, if an individual is unhappy with how their data is
used by a government agency (for example, data held in the national register), they
cannot complain to the PDPC (data protection regulator) since it has no jurisdiction.
Their recourse is to approach the agency itself or the general governmental complaint
channels, or in extreme cases, seek judicial review if a constitutional/privacy issue arises
(though Singapore does not recognize privacy as a fundamental right per se). Essentially,
the resolution mechanism is internal accountability and ministerial oversight. The
public sector data policies are regularly updated; audits are conducted to ensure
compliance. The government asserts a “trust us to police ourselves” stance, supplemented
by harsh punishments for any insider misuse to deter breaches.

For population data, this means the National Registration database is tightly controlled by
law (the N.R. Act specifies who can access NRIC data and for what purposes) and
oversight is through the Home Affairs Ministry. So, conflicts are pre-empted by clearly
circumscribing the use of the national register data in law and relying on official
secrecy provisions. The situation is unlike India’s, where a general privacy law (DPDP)
can apply to government – in Singapore there is a firewall between the two domains.
India could theoretically have chosen that model (exempt all government data from
DPDP and manage it separately), but India’s Act chose a more EU-like path of covering
both sectors, albeit with some exemptions. The Singaporean model shows that one way to
avoid conflict is to remove one side of it (i.e., don’t apply the privacy law to the NPR at
all) – but then the onus is on the government to ensure privacy by other means. The
downside is that citizens lack an independent complaint forum regarding government
misuse of their data. In India’s context, adopting a Singapore-like blanket exemption for
NPR would likely be unacceptable after Puttaswamy, unless accompanied by alternative
robust safeguards.

Saudi Arabia: A Comprehensive Law in an Authoritarian Context

The Kingdom of Saudi Arabia enacted a new data protection law relatively recently: the
Personal Data Protection Law (PDPL), first issued by Royal Decree in 2021 and
amended in 2023 before coming into force on September 14, 2023. Saudi Arabia’s PDPL
is inspired by global norms (with some GDPR-like elements) and aims to protect the
personal data of individuals (residents or citizens) in Saudi Arabia across both
public and private sector processing. The law defines personal data broadly and gives
data subjects certain rights, while imposing obligations on controllers regarding consent,
purpose specification, data security, etc. There are exemptions and flexibilities too:
notably, the 2023 amendments to PDPL introduced exceptions allowing data controllers
to process data without consent for their “lawful interests” as long as it doesn’t override
the data subject’s rights. This is somewhat analogous to legitimate interests in GDPR and
could cover government uses.

National Identity System in KSA: Saudi Arabia operates a national identity card system
for citizens and a residency card (Iqama) for expatriates, managed by the Ministry of
Interior’s Civil Affairs department. They effectively have a population register of all
citizens and residents, containing personal details and biometrics. Prior to PDPL, this was
governed by internal regulations with strong state control. Under PDPL, government
bodies are not exempt (at least not generally – national security sectors may have
separate regimes, but civil administration is included). The law is enforced by a national
regulatory authority – originally this was the Saudi Data & Artificial Intelligence
Authority (SDAIA), which was tasked with PDPL enforcement and issuing regulations.
SDAIA is a high-level government agency (not independent of government, but a part of
it). The law gives SDAIA (and any officers it designates) power to conduct compliance
inspections and investigations. The Saudi public prosecutor’s office is involved in
prosecutions for violations, meaning serious breaches can lead to criminal proceedings.

Navigating Conflicts: Saudi Arabia, being an absolute monarchy, handles conflicts
differently than democracies. If a population database (like the national ID registry) were
to conflict with PDPL provisions, one can expect the law itself or its implementing
regulations to carve out what’s needed for the state. Indeed, PDPL allows the competent
authority to issue regulations with more detail; the 2023 amendments explicitly relaxed
some requirements (e.g., data collection directly from the individual and purpose
limitation were eased to allow broader processing if it meets the controller’s lawful
interests). This change can be seen as accommodating practical needs of government and
businesses so that they are not hamstrung by rigid consent rules for every reuse of data. It
suggests that Saudi law is trying to balance privacy with flexibility for controllers. If the
Ministry of Interior wants to use the national register data for a new government service,
PDPL likely has the mechanism (through lawful interest or public interest grounds) to
permit that without needing citizen consent each time. At the same time, PDPL would
require that individuals are informed and that data is safeguarded. Saudi law mandates
data controllers to implement necessary protective measures and also requires breach
notifications to the regulator (with some thresholds for when individuals must be
notified).

The enforcement in Saudi Arabia ultimately lies with the government itself (SDAIA and
prosecutors). In an authoritarian setting, individuals have limited ability to challenge state
actions. However, by instituting PDPL, Saudi Arabia has signaled an intention to adhere
to international standards, perhaps to facilitate cross-border business and data flows. The
test will be how stringently it applies to government-held data. Notably, PDPL provides
hefty penalties for violations, and at least on paper, those could apply to government units
as well. One can imagine, though, that conflicts are resolved internally – for instance, if
the national information center wanted to do something initially not in line with PDPL,
the government might simply amend regulations to allow it (something relatively easy in
KSA’s system).

For India, the Saudi example underscores that even countries focused on state control are
adopting data protection laws, but they build in broad allowances for state needs. The
DPDP Act’s wide exemption clause is reminiscent of that approach. The difference is
India has a judiciary that could strike down an over-broad exemption or misuse, whereas
in Saudi Arabia that check is minimal. Additionally, Saudi Arabia enforcing PDPL
through a government authority (SDAIA) is akin to India’s DPB being within MeitY’s
oversight. The effectiveness of such a model in curbing government misuse has yet to be
proven. Transparency is also an issue; in Saudi, decisions are often opaque, whereas India
may face public and media scrutiny if, say, the Data Protection Board absolves a
government department of a privacy violation controversially.

Comparative Insights:

Each of these jurisdictions offers insights for the Indian context:

• Legal Basis and Consent: All examined countries allow their governments to
collect population data without individual consent, but they define the legal basis
clearly (constitutional mandate for census in US, statutory mandate in EU
countries, etc.). The DPDP Act similarly recognizes legal mandates. The key is
that having a legal basis doesn’t mean anything goes – additional layers of rules
(Privacy Act, GDPR principles, etc.) restrain the use of that data. India’s
challenge will be to impose meaningful constraints on NPR data use in line with
the DPDP Act principles, even though participation is compulsory.
• Purpose Limitation: Both the EU and US models emphasize using population
data strictly for the purpose it was collected (with EU allowing new uses only if
compatible or with new legal basis, and US forbidding secondary use of census
data entirely). Singapore and Saudi, by contrast, centralize data to use across
government but rely on internal controls. India might need to decide whether NPR
data will be siloed to citizenship identification only, or also explicitly opened for
welfare targeting. If the latter, making that an official purpose via law (as
suggested by Indian experts) would be important to avoid legal ambiguity.
• Oversight Mechanisms: The EU relies on independent regulators to mediate
conflicts, the US uses courts and internal agency checks, Singapore uses internal
executive oversight, and Saudi uses a government-appointed authority. India’s
DPB is closer to the Saudi model at present (not fully independent). For NPR
issues, expecting citizens to fight lengthy court battles (like in US) might be
daunting, so the DPB’s role becomes crucial. Learning from the EU DPA model
could improve outcomes – for instance, ensuring the DPB has the power to
conduct audits on NPR processes or advise on privacy safeguards before the next
data collection.
• Security and Trust: A common theme is ensuring high security and penalizing
misuse. Singapore criminalizes misuse by officials; the US jails anyone (including
officials) who wrongfully discloses census info; Saudi can prosecute violations
under PDPL; EU can fine agencies and individuals under GDPR and national
laws. India’s DPDP Act also has penalty provisions that technically apply to
government units. Ensuring the NPR data is locked down with similar rigor as
these examples will be vital. Any breach or leak of NPR data could undermine
public trust severely, and under DPDP Act could attract massive fines (though
that would just be the government paying itself). The true deterrent in a
government context is likely reputational and political rather than financial.
• Public Communication: Countries have learned that transparency about why
data is collected and how it is used helps alleviate public concern. In Europe,
GDPR requires clear notices even for government data collection. In the US, the
Census Bureau runs outreach to explain confidentiality. If the Indian government
proceeds with NPR under DPDP, it would do well to provide a privacy notice to
every individual (in local languages) explaining what data is collected, the legal
authority, and how it will (and will not) be used – essentially fulfilling DPDP’s
consent notice in spirit, even if formal consent isn’t sought. This could pre-empt
misunderstanding and build trust that NPR is not a surveillance tool.

Conclusion
As India stands on the cusp of enforcing the DPDP Act and simultaneously restarting the
National Population Register update, it faces a defining moment in balancing privacy
with governance at scale. The DPDP Act, 2023 has inaugurated a new era of data
protection, affirming that Indians have a right to safeguard their personal data and hold
data handlers accountable. The NPR, on the other hand, is a decade-old project rooted in
national security and administrative needs, requiring every resident’s data ostensibly for
the public good. Potential conflicts between the two are real but not insurmountable.
The analysis above identified issues in consent, scope of data, purpose creep, and
oversight that need reconciliation.

To avoid these conflicts, India has a few paths forward. One path is legal
synchronization: amend or clarify the NPR’s governing rules to explicitly align with the
DPDP Act’s principles – for instance, limit NPR data fields to those necessary, specify
allowable uses of NPR data (and forbid others) in the rules, and incorporate privacy
safeguards like data sharing limitations. This would embed privacy-by-design into the
NPR framework itself. Another path is leveraging the DPDP Act’s flexibility: the
government could invoke Section 17 to exempt the NPR from certain provisions (like
consent and perhaps data storage limits) citing public interest, but even if it does so, it
should voluntarily adopt equivalent safeguards. For example, even if exempt from
needing consent, the NPR exercise could still provide transparency and honor requests
for correction or update of data, as these do not hamper its purpose. An exemption, if
used, should be narrow (perhaps only for the act of mandatory collection) and should
ideally come with an alternative privacy code of practice for the NPR.

International comparisons indicate that many democracies and even non-democracies
have found ways to reconcile such conflicts: the U.S. by strict legal firewalls around data
use, the E.U. by independent enforcement of privacy principles even on the state,
Singapore by separate but robust public-sector rules, and Saudi by adjusting the law to
not impede government operations while still aiming to protect personal data. India can
glean that transparency, proportionality, and accountability are key in all models. A
population register can coexist with privacy if its purpose is well-defined and if checks
are in place against misuse.

From a legal standpoint, the Indian judiciary’s privacy doctrine (from the Puttaswamy
case) will loom large. Any blatant attempt to sidestep privacy protections for NPR might
invite judicial review. Conversely, a sincere effort to uphold privacy even within NPR
would strengthen the state’s case that it is respecting fundamental rights while performing
its duties. By March 2025, the stage is set: rules under the DPDP Act are being finalized,
and plans for the census/NPR are being dusted off after long delay. It is imperative that
policymakers treat these developments not in isolation but as intertwined. Ideally, before
the NPR exercise resumes, the government (perhaps via the Data Protection Board or an
inter-ministerial process) should issue clear guidelines on how NPR data will be handled
in compliance with the spirit of the DPDP Act. This could include data minimization,
role-based access control to the NPR database, and an assurance that NPR data won’t be
used for unrelated purposes without legal sanction.

In conclusion, the DPDP Act and the NPR need not be in fundamental conflict if
managed properly – the Act provides the protective framework and the NPR has a
legitimate state purpose. The challenge and opportunity lie in ensuring that the NPR
becomes a model for how a large government program can be executed with privacy
considerations at its core, rather than as an exception to the rule. By learning from
global practices and adhering to the constitutional principles of necessity and
proportionality, India can strive to secure both the benefits of a comprehensive
population register and the privacy rights of its citizens. The coming year will be crucial
in translating the written principles of the DPDP Act into actual practices during the NPR
rollout, setting a precedent for how India marries the goals of Digital Governance with
Digital Privacy.
