1. Introduction: The Collision of Two Legal Epistemologies
The enactment of India’s Digital Personal Data Protection Act, 2023 (DPDPA) marks a paradigm shift in the nation’s governance of informational privacy, yet it precipitates a fundamental constitutional crisis within the pluri-legal framework of Northeast India.1 The DPDPA is predicated on a philosophy of normative individualism, identifying the “Data Principal” as a singular, atomic unit empowered with unilateral rights to consent, erasure, and correction.2 This statutory architecture is structurally incompatible with the collective governance models constitutionally mandated for tribal communities under the Sixth Schedule, Article 371A (Nagaland), Article 371G (Mizoram), and the Panchayats (Extension to Scheduled Areas) Act, 1996 (PESA).3
In these customary jurisdictions, rights over land, lineage, and cultural knowledge are not individual assets but communal estates vested in the clan, village council, or Gram Sabha.4 The immediate legal risks arise from the digitisation of traditional records, specifically land titles (under schemes like SVAMITVA), genealogical registers, and customary resource rosters.5 Under the DPDPA, an individual clan member may exercise “erasure” or “portability” rights over data that is intrinsically communal, thereby fracturing the integrity of collective records essential for tribal identity and inheritance. Furthermore, Section 17(1) of the DPDPA, which exempts State instrumentalities from consent requirements for “legitimate uses”, potentially empowers the central government to bypass the Free, Prior, and Informed Consent (FPIC) mandates established by the Supreme Court in the Orissa Mining Corporation (Niyamgiri) judgment.6
The digitisation of governance in India is not merely a technological upgrade; it is a re-engineering of the relationship between the citizen and the state. The DPDPA represents the culmination of a decade-long debate on privacy, sparked by the Aadhaar judgment and crystalised in K.S. Puttaswamy v. Union of India.7 However, as the Indian state attempts to standardise data processing protocols to fuel a $1 trillion digital economy, it encounters the friction of India’s “asymmetric federalism”, specifically, the distinct constitutional status of the tribal communities in the Northeast.8
1.1 The DPDPA’s Individualistic Architecture
The DPDPA is built upon the edifice of the “Data Principal”, defined strictly as the individual to whom the personal data relates.9 The Act constructs a privacy framework where this individual is the sole locus of authority, empowered to grant consent, withdraw it, and demand the erasure of their digital footprint. This model aligns with the Supreme Court’s ruling in Puttaswamy, which recognised privacy as a fundamental right flowing from individual dignity and liberty under Article 21.10 It draws heavily from Western legal traditions, particularly the European Union’s General Data Protection Regulation (GDPR), which views privacy as the protection of the individual against intrusion.11
However, this architecture assumes a homogenised citizen-subject who exists independently of their community. It fails to account for “informational privacy” in societies where the “self” is constituted through relationships such as kinship, clan, and village.12 By centralising power in the individual and the State (through broad exemptions), the Act ignores the intermediate layer of community rights that defines social and legal life for millions of tribal citizens. The Act’s silence on “group privacy” or “community data” concepts extensively debated by the Kris Gopalakrishnan Committee but ultimately discarded creates a legislative vacuum that threatens tribal autonomy.13
1.2 The Customary Legal Order of Northeast India
In contrast to the DPDPA’s individualism, the legal order of Northeast India is fundamentally collectivist. The Constitution of India, through the Sixth Schedule and special provisions like Articles 371A (Nagaland) and 371G (Mizoram), creates a “state-within-a-state” mechanism.14 Here, legislative competence over key areas such as land, inheritance, marriage, and social customs is transferred from the Parliament and State Assemblies to Autonomous District Councils (ADCs) and traditional village authorities.15
In these jurisdictions, an individual’s rights are derivative of their membership in a community. Land is often owned by the clan (Ri Kur in Meghalaya) or the village; inheritance is determined by customary lineage laws; and justice is dispensed by tribal courts that prioritise restorative community harmony over individual adversarial vindication.16 The legal subject here is not just the individual citizen, but the member of a collective.
1.3 Digital Sovereignty vs. Digital Colonialism
This clash is not merely administrative; it is ontological. The concept of Indigenous Data Sovereignty (IDS), which asserts that Indigenous peoples have the right to control data about their communities, lands, and resources, frames this conflict as a struggle against “digital colonialism”.17 Just as colonial legal systems historically derecognised collective land tenure to facilitate extraction (labeling it terra nullius), the DPDPA’s refusal to recognise collective data rights threatens to extract information from tribal communities converting sacred lineages and community resources into tradeable “digital assets” without the collective consent required by their customary laws.18
This report, serving as a continuation of previous work on data sovereignty in Australia and New Zealand (ANZ), analyses this conflict through the lens of legal precedents and offers a roadmap for reconciling these diverging legal epistemologies. It leverages the theoretical frameworks of the CARE Principles and the empirical realities of India’s Northeast to demonstrate why a “one-size-fits-all” data law is constitutionally untenable.
2. The Legal Architecture of DPDPA 2023 and the Exclusion of Collective Rights
To understand the depth of the conflict, one must first dissect the operational mechanics of the DPDPA 2023 and identify specifically where it structurally excludes collective rights. The Act’s definitions and mechanisms are designed for a liberal, market-based society, creating friction when applied to customary, kinship-based societies.
2.1 The “Data Principal” as an Atomic Unit
Section 2(j) of the DPDPA defines a “Data Principal” as the individual to whom the personal data relates. Where the individual is a child or a person with a disability, the definition extends to their parents or lawful guardians.19
Critical Gap: The Act contains no provision for a “Collective Data Principal” or a “Group Data Principal.” This is a significant departure from the recommendations of the Kris Gopalakrishnan Committee on Non-Personal Data (2020), which explicitly proposed the recognition of “Community Data” and “Community Rights” to prevent the exploitation of aggregated data sets that belong to a group rather than any single individual.20
In the context of tribal communities, this omission is fatal. Tribal identity is rarely singular; it is relational. A “Naga” or “Khasi” individual’s data such as their clan affiliation, their village of origin, or their customary land holding is inextricably linked to the data of their entire kinship group. By recognising only the individual, the DPDPA allows a single member to alienate, sell, or delete data that constitutes the shared heritage of the entire group. This mirrors the “individualisation of tenure” that colonial powers used to break up communal lands; today, it is the individualisation of data about tenure.21
2.2 The Consent Mechanism and its Customary Incompatibility
Section 6 of the DPDPA mandates that consent must be “free, specific, informed, unconditional, and unambiguous”.22 While this sets a high standard for individual autonomy, it fails to accommodate “Collective Consent” protocols mandated by customary law.
| Feature | DPDPA (Section 6) | Customary Law (Northeast India) | Conflict Point |
| Locus of Consent | Individual Data Principal | Gram Sabha / Village Council / Clan Head | Individual can bypass community checks. |
| Withdrawal | Unilateral right of the individual | Often requires community consensus | Individual withdrawal disrupts collective records. |
| Purpose | Specific usage (e.g., loan, service) | Holistic community welfare | Commercial use vs. Customary prohibition. |
| Authorisation | Digital verification (OTP, Biometric) | Public deliberation / Consensus | Lack of transparency in digital consent. |
In many Sixth Schedule areas, an individual cannot authorise the sharing of family or clan records without the approval of the Kur (clan) head or the village council. The DPDPA ignores this hierarchy. If a fintech company seeks access to a tribal individual’s land data for a loan, and the individual consents, the DPDPA treats this as valid. However, under customary law (e.g., in the Khasi Hills), that land may be ancestral clan property (Ri Kur), and the individual may have no right to encumber it or share its details without the clan council’s durbar.23
The Act grants Data Principals the Right to Erasure (Section 12). If a disgruntled family member demands the erasure of their name from a digitised family tree, the DPDPA compels the Data Fiduciary to comply (unless retention is required by “law”). This unilateral erasure could destroy the genealogical proof required by the entire clan to prove their Scheduled Tribe (ST) status or inheritance rights in a customary court. Because “law” in the DPDPA typically refers to statutory law, it is unclear if customary law requirements for record retention would be respected as a valid exception to erasure.24
2.3 Section 17: The State’s Override Power and the FPIC Bypass
Perhaps the most contentious provision regarding tribal autonomy is Section 17, which exempts the “State and its instrumentalities” from the requirement of notice and consent for processing data for “legitimate uses,” including the provision of subsidies, benefits, certificates, or in the interests of the sovereignty and integrity of India.25
This section effectively allows the central or state government to digitise tribal records (land, census, health) without seeking the consent of the Gram Sabhas or Autonomous District Councils.
The Panchayats (Extension to Scheduled Areas) Act, 1996 (PESA), specifically empowers the Gram Sabha to approve all plans, programs, and projects for social and economic development. By allowing the State to process data for “benefits” without consent, Section 17 of the DPDPA bypasses the Gram Sabha’s statutory right to verify beneficiary lists and control local development data.26
The Forest Rights Act (FRA), 2006, vests the authority to recognise forest rights in the Gram Sabha. Digitisation of forest rights data by the State without Gram Sabha consent, enabled by Section 17 violates the spirit of the Niyamgiri judgment, which mandated collective decision-making.27
3. The Customary Legal Order: Constitutional Shields in Northeast India
To appreciate why the DPDPA’s application is contested, one must examine the robust constitutional shields that protect the “customary mode of life” in Northeast India. These are not merely cultural recognitions; they are jurisdictional bars against the automatic application of parliamentary law.
3.1 Article 371A: The Nagaland Paradigm
Article 371A of the Constitution stands as the strongest bulwark against legislative encroachment. It states that “no Act of Parliament” in respect of:
- Religious or social practices of the Nagas;
- Naga customary law and procedure;
- Administration of civil and criminal justice involving decisions according to Naga customary law;
- Ownership and transfer of land and its resources;
shall apply to the State of Nagaland unless the Legislative Assembly of Nagaland by a resolution so decides28.
The digitisation of land records involves processing data about “ownership and transfer of land.” Since Article 371A explicitly excludes Parliament’s jurisdiction over Nagaland, the DPDPA’s provisions regulating the processing of digital land records are arguably unconstitutional in Nagaland unless ratified by the Assembly.29 The DPDPA dictates how land data is stored, shared, and erased functions that impinge on the substantive right of “ownership and transfer.”
Naga customary law relies on oral and written records maintained by village councils. The DPDPA’s imposition of a “Data Protection Board of India” (a central body) to adjudicate disputes regarding these records constitutes an interference in the “administration of civil justice” according to customary law, which Article 371A forbids.30
3.2 Article 371G: The Mizoram Context
Similar to Nagaland, Article 371G provides that no Act of Parliament concerning Mizo customary law, social practices, or land ownership shall apply to Mizoram unless the State Assembly resolves to adopt it.31
The Mizoram Assembly has previously exercised this power to block or modify central acts (like the Forest Conservation Amendment Act, 2023) to protect local rights.32 The DPDPA, by regulating the “digital” aspect of Mizo identity and land data, falls squarely within the ambit of “Mizo customary law and procedure.” Without a resolution from the Mizoram Assembly, the enforceability of DPDPA on Mizo tribal data remains legally precarious.
3.3 The Sixth Schedule and ADCs
In Assam, Meghalaya, Tripura, and Mizoram, the Sixth Schedule creates Autonomous District Councils (ADCs) with legislative powers over land, forests, and inheritance.33
Paragraph 3 of the Sixth Schedule empowers ADCs to make laws regarding “inheritance of property” and “social customs.” Data regarding these subjects (e.g., a digital will or a digital marriage certificate) is, therefore, subject to ADC legislation. The DPDPA’s attempt to regulate this data centrally creates a federal conflict, as it encroaches upon the legislative domain reserved for these autonomous bodies. The Governor, under Paragraph 12(1)(b), has the power to direct that an Act of Parliament shall not apply to an autonomous district or shall apply with such modifications as he may specify.34
4. The Conflict Vectors: Where Data Meets Custom
The conflict between the DPDPA and customary law is not abstract; it manifests in specific categories of data that are currently undergoing digitisation.
The Government of India’s Digital India Land Records Modernisation Programme (DILRMP) and SVAMITVA scheme aim to create a centralised, digital database of land ownership.35 The goal is to provide “conclusive titling.”
In tribal areas, land is often held communally or under “usufructuary” rights that do not translate easily into the “exclusive individual ownership” model of digital databases.
When a surveyor enters a name into the database as the “owner” (Data Principal), they effectively erase the underlying community title. Under DPDPA, this individual “owner” can then consent to share this land data with banks or real estate developers.
Customary law requires the Village Council to approve any land transfer. The DPDPA allows the “Data Principal” to share land data directly with third parties, bypassing the Council’s oversight and potentially facilitating land alienation to non-tribals, a practice strictly prohibited in Sixth Schedule areas.36 The SVAMITVA guidelines themselves note the complexity of implementing in Sixth Schedule areas due to these conflicts.37
Tribal identity in Northeast India is strictly lineage-based. The Khasi inherit lineage from the mother (Kur), while Nagas follow patrilineal clan lines. Records of these lineages are maintained orally or in clan registers.
A member of a Khasi clan converts to a different religion or leaves the community and, exercising their rights under Section 12 of the DPDPA, demands the erasure of their personal data from the clan’s digital lineage register.
Under DPDPA, the Data Fiduciary (the Clan Council or researcher) might be legally obligated to erase the data. However, under customary law, the integrity of the lineage record is paramount for determining the inheritance of ancestral property (Ri Nongtymmen). The erasure of one link breaks the chain of evidence for the entire group. Here, the individual’s “Right to Erasure” directly destroys the community’s “Right to Cultural Preservation” and legal evidence for succession.38
The Naga Hoho and other bodies have vehemently opposed the patenting or unauthorised digitisation of traditional designs and medicinal knowledge.39
If a researcher collects data on traditional medicine from an individual healer and obtains their individual consent under DPDPA, the processing is lawful.
Customary law views this knowledge as the collective property of the tribe. An individual cannot consent to its alienation. By validating individual consent, the DPDPA provides a legal veneer for biopiracy, allowing corporations to bypass the collective authorisation required under the Nagoya Protocol and customary norms.40 The Traditional Knowledge Digital Library (TKDL) attempts to protect this, but DPDPA does not explicitly integrate TKDL’s defensive mechanisms into its consent framework.
Genomic research often targets indigenous populations due to their unique genetic markers. The uploaded research highlights the risks of “overvaluing individual consent” in such studies.41
Genetic data is inherently shared; an individual’s DNA reveals information about their parents, siblings, and tribe. The DPDPA allows an individual to consent to genetic sequencing. This data can stigmatise the entire community (e.g., if a predisposition to alcoholism is “discovered”).
Tribal communities require collective consent for genetic research to assess group harm, a provision standard in ANZ research ethics but absent from the DPDPA.42
5. Comparative Insights: Learning from the ANZ Experience
The conflict in India is not unique; it mirrors the struggles of Indigenous peoples in Australia and New Zealand (ANZ), offering valuable comparative insights for policy formulation.
In New Zealand, the Waitangi Tribunal has recognised Māori data as “taonga” (treasure), protected under Article 2 of the Treaty of Waitangi. This legal status requires the Crown to partner with Māori in data governance, rather than merely consulting them.43
The shift from census to administrative data (using existing government records) was opposed by Māori groups because it created “deficit data” focusing on crime and health problems rather than cultural resilience.
Where in New Zealand, Te Mana Raraunga (Māori Data Sovereignty Network) was established and Māori data governance protocols integrated into New Zealand’s statistics, India lacks an equivalent “Tribal Data Sovereignty Network” or statutory recognition of tribal data as taonga.
The Global Indigenous Data Alliance (GIDA) proposed the CARE Principles (Collective Benefit, Authority to Control, Responsibility, Ethics) to complement the FAIR principles (Findable, Accessible, Interoperable, Reusable) used by scientists.
| Principle | DPDPA Approach | CARE / Indigenous Approach | Recommendation for India |
| Collective Benefit | Benefit to individual or economy | Benefit to the community ecosystem | Mandate “Community Benefit” assessments for tribal data processing. |
| Authority to Control | Control with Data Fiduciary/State | Control with Indigenous governance bodies | Recognise Gram Sabhas as “Community Data Fiduciaries.” |
| Responsibility | Accountability to Data Protection Board | Accountability to the people/relations | Decentralise grievance redressal to ADCs. |
| Ethics | Minimising individual harm | Minimising collective harm | Introduce “Collective Harm” as a category in DPDPA rules. |
Australia’s new framework emphasises “decolonising bureaucracy” by shifting from consultation to co-design.44 It requires government agencies to partner with Indigenous communities throughout the data lifecycle. In contrast, India’s DPDPA was drafted with minimal consultation with tribal bodies, reflecting a top-down imposition rather than a co-designed partnership.
6. Conclusion: Toward a Pluralistic Data Democracy
The DPDPA represents a significant leap in India’s digital governance capabilities, but its uniform application threatens to replicate the historical injustices of colonial resource extraction in a new, digital guise. By treating data as a purely individual asset, the Act renders invisible the complex web of collective rights and customary duties that sustain the tribal societies of Northeast India.
The “conflict” described here is not merely technical; it is a test of Indian federalism. If the “special provisions” of the Constitution (Articles 371A, 371G, Sixth Schedule) are to have meaning in the 21st century, they must extend to the digital domain. Data about land is as sensitive as the land itself; data about lineage is as sacred as the bloodline.
Failing to address this will likely lead to extensive litigation, with tribal bodies invoking the Niyamgiri and Ratan Singh precedents to challenge the DPDPA’s constitutionality. Alternatively, India has the opportunity to become a global leader in Indigenous Data Sovereignty, demonstrating how a modern digital economy can coexist with, and empower, ancient systems of collective wisdom. The path forward requires moving from “Data Protection” to “Data Pluralism,” where the digital rights of the individual do not come at the cost of the digital sovereignty of the community.