India’s Digital Personal Data Protection (DPDP) Act, 2023, seeks to balance individual privacy with the realities of a rapidly expanding digital economy. Section 36 of the Act empowers the State to require the Data Protection Board (DPB), a data fiduciary or a data intermediary to furnish information. This, however, is not an instrument of unchecked State power. Rather, it is the enforcement mechanism that makes privacy rights meaningful in practice — providing a suraksha kawach (security armour) for citizens.Critics argue that Section 36 is broadly worded and could enable mass surveillance. (Gemini)Every day, citizens entrust banks, fintech platforms, social media companies, e-commerce platforms and ed-tech firms with sensitive financial, biometric, and personal information. When these entities fail to protect that data, the State must be equipped to respond swiftly. Section 36 provides that capability while remaining firmly tied to the Act’s objective of safeguarding privacy and ensuring lawful processing of personal data.Its significance becomes evident in real-world situations. Consider a major fintech platform suffering a data breach that exposes Aadhaar-linked bank details of millions of users. Fraudsters could immediately exploit the leaked information to obtain unauthorised loans in victims’ names. Section 36 enables the Data Protection Board to demand access logs, breach reports, third-party sharing records and compliance documents. This helps authorities trace source of the breach, identify failures, impose penalties where necessary and facilitate compensation for affected individuals. Instead of fighting banks and credit agencies alone, citizens gain access to an effective legal mechanism for redress.Also Read | Weaponising privacy to curtail the right to knowA similar need arises in the case of ed-tech companies. During the rapid expansion of online education, many platforms collect detailed information about students without obtaining meaningful parental consent and some later shared it with advertisers. Parents discovered targeted promotions based on children’s learning patterns and locations. Under Section 36, authorities can now compel these companies to produce their processing records, consent mechanisms, and data-sharing agreements. If violations are established, improperly collected data can be deleted, unlawful processing can be stopped and companies held accountable. This is especially important because children deserve the highest standards of privacy protection.Another pressing concern is the rise of rogue loan apps. Many such apps unlawfully access users’ contact lists, photographs and social media accounts before using that information to harass borrowers, their relatives and even colleagues. Since these operators often delete or shift records across jurisdictions, victims are left with little recourse. Section 36 empowers authorities to direct intermediaries and relevant entities to preserve and produce crucial information, enabling faster investigations, prosecutions and takedown orders. This directly protects ordinary citizens from coercion, harassment and financial exploitation.Critics argue that Section 36 is broadly worded and could enable mass surveillance. However, the provision itself confines the exercise of this power to the purposes of the DPDP Act. Any action taken under it must satisfy the constitutional doctrine of proportionality laid down by the Supreme Court in the landmark Justice K. S. Puttaswamy (Retd.) v. Union of India judgment. Furthermore, its exercise remains subject to judicial review under Articles 32 and 226 of the Constitution. The power is also consistent with information-gathering authorities already available to regulators such as the Reserve Bank of India and the Securities and Exchange Board of India. In fact, it is narrower than certain interception powers that already exist under the Information Technology Act. Importantly, Section 36 promotes accountability from private entities.Also Read | Accelerated DPDP: The e-commerce challengeThe criticism also reveals a striking inconsistency. During the term of the United Progressive Alliance government, Aadhaar became the world’s largest biometric identity programme without the backing of a comprehensive privacy law. The same period also witnessed development of surveillance initiatives such as NATGRID. Despite the UPA governing during an era of unprecedented digital expansion, no dedicated data protection framework was enacted. Against that backdrop, objections to an enforcement provision within a comprehensive privacy law appear difficult to reconcile with the earlier absence of statutory safeguards surrounding large-scale collection of citizens’ personal data.Section 36 does not tilt the balance against citizens but in favour of them. It strengthens the State’s ability to protect them from corporate negligence, cybercrime, and criminal misuse of personal data. In a country pursuing the vision of Digital India, privacy requires effective enforcement mechanisms capable of translating tangible legal rights into real- world protection. Section 36 is one of the most practical and necessary tools for achieving precisely that objective.Shehzad Poonawalla is a national spokesperson of the Bharatiya Janata Party (BJP). The views expressed are personal.