Is Encrypted Data Personal Data under India’s DPDP Act? – Identifiability, Liability, and Regulatory Design in a Growing Digital Economy

This piece argues that encryption reduces risk but does not remove legal liability under India’s Digital Personal Data Protection Act, 2023, since encrypted data is still considered personal data if individuals remain identifiable. The Digital Personal Data Protection Rules, 2025 treat encryption as a security safeguard, not anonymization, aligning it with pseudonymization rather than full de-identification. The key challenge is designing rules that assess identifiability contextually across data-sharing chains without overburdening organizations or confusing data classification with liability.

Sanjali Rupnawar, Mustafa Rajkotwala

April 8, 2026

Introduction

Encryption is a data safety mechanism that converts personal data into an unreadable form using algorithms and cryptographic keys. It supports data minimization, a key principle contained in India’s Digital Personal Data Protection Act, 2023 (“DPDP Act”). Section 6 of the DPDP Act echoes this principle by limiting processing of data to the extent it is “necessary” for a specified purpose. Data minimization operates alongside this requirement by limiting collection and processing to what is adequate and necessary for that purpose. Where identification of the individual is not required to fulfil the specified purpose, the degree of identification should be correspondingly reduced, including through masking or similar techniques. This is also built into the Digital Personal Data Protection Rules, 2025 (“DPDP Rules”), whose Rule 6 obligates data fiduciaries to implement reasonable security safeguards including encryption.

Modern digital systems rely on encryption primarily in two contexts: data at rest, such as information stored in databases or cloud environments, and data in transit, such as information transmitted across networks. Encryption in transit is treated as a baseline safeguard against interception, while encryption at rest mitigates exposure in the event of unauthorised access. In both contexts, encryption materially reduces breach risk.

There is a growing view that encrypted data, because it is unreadable, should fall outside the scope of “personal data,” or at least attract reduced regulatory obligations. While intuitive, this reasoning does not align with the structure of the DPDP Act, which regulates data based on identifiability rather than intelligibility to unauthorised parties. Even strong encryption, including end-to-end and emerging quantum-resistant designs, typically preserves a lawful pathway to decryption through key management systems or authorised access. So long as such pathways exist within the relevant legal or organisational framework, the individual remains identifiable in relation to the data.

The core claim of this article follows directly from this framework. Under the DPDP Act, encryption rarely changes the legal classification of data. It reshapes the risk landscape and should inform security design, breach response, and compliance calibration, but it does not ordinarily convert personal data into non-personal data. The analysis therefore focuses on unresolved recipient-side questions that arise when encrypted data is shared without decryption keys, and on how those questions intersect with data classification and fiduciary accountability under Indian law.

Encryption, Reversibility, and Identifiability Under the DPDP Act

Encryption as a Reversible Access-Control Mechanism

Encryption does not eliminate identifiability. Its function is to control access. The defining feature of encryption is that authorized parties can recover the original information. As long as decryption keys exist and are accessible through technical, organizational, or legal means, encryption remains reversible.

This technical characteristic is legally significant because modern data protection frameworks distinguish between (i) data that is irreversibly de-identified, i.e. anonymization, and (ii) data that remains re-identifiable in context, such as pseudonymization. To guide the classification of encrypted data, it is important to understand how these safeguarding mechanisms of anonymization and pseudonymization function.

Anonymization refers to data that can no longer be linked to an identifiable individual using means reasonably likely to be used in the relevant context. This risk-based distinction is consistent with the Article 29 Working Party’s Opinion 05/2014 on anonymization techniques, which stresses that “anonymization” is only achieved where residual identification risk is sufficiently mitigated in light of likely means of re-identification, including linkage with other datasets. Encryption, by design, preserves reversibility and does not satisfy the core irreversibility logic associated with anonymization. At most, it can reduce exposure risk and raise the cost of re-identification for unauthorized parties.

Pseudonymization, by contrast, is defined in Article 4(5) of the General Data Protection Regulation (“GDPR”) and refers to processing of personal data that removes identifiability while preserving a reversible link through additional information. While the DPDP Act does not define encryption, the DPDP Rules refer to encryption in a manner that is functionally analogous. By referring to such reversible techniques as security safeguards, the Rules reflect an understanding that identifiability persists wherever mapping information exists.

Identifiability as the Trigger Under the DPDP Act

Section 2(t) of the DPDP Act defines personal data as “any data about an individual who is identifiable by or in relation to such data.” The definition is deliberately broad and does not turn on the technical form in which the data is stored or processed, nor does it require identification to be immediate or obvious. The statutory emphasis is on identifiability of the data subject.

Applied to encrypted data, the definition supports a two-step inquiry. First, whether the dataset is “about” an individual in terms of its content, purpose, or effect. Second, whether reasonably available information would permit attribution to that individual, including decryption keys, mappings, contractual rights, or statutory powers. Encryption does not alter the character of the data as being about an individual, nor does it eliminate lawful pathways to identification where such pathways remain accessible.

Where additional information enabling attribution is reasonably available within the processing arrangement, the data remains personal data for the relevant actor. Identifiability therefore determines whether the DPDP Act applies. At the same time, fiduciary obligations arise not merely from technical capacity to identify but from the determination of the purpose and means of processing. Encryption regulates access to data rather than extinguishing attribution pathways. If a Data Fiduciary encrypts a dataset but retains the decryption keys, or retains a realistic means of obtaining them, the individual remains identifiable in relation to the data and the fiduciary remains accountable for compliance.

Constitutional and Legislative Pedigree of an Identifiability-Based Threshold in India

The DPDP Act’s trigger, whether an individual is “identifiable by or in relation to” the data, should be read through India’s constitutional privacy framework. In K.S. Puttaswamy v. Union of India, the Supreme Court recognized informational privacy and adopted a structured proportionality test (legality, legitimate aim/necessity, proportionality) for state action affecting privacy. In operational terms, this constitutional approach supports an identifiability standard that is contextual and calibrated to realistic capabilities rather than theoretical possibility. Importing GDPR Recital 26’s “means reasonably likely” framing is a practical articulation of proportionality within the data classification context: identifiability should turn on the cost, time, and reasonably available means to identify, because an over-inclusive test would impose disproportionate burdens on low-risk actors while under-serving the Act’s privacy purpose. Although Puttaswamy directly governs State action rather than private data fiduciaries, the DPDP Act was enacted against the backdrop of that constitutional privacy framework, and proportionality is invoked here as an interpretive guide to understanding the structure of the statute rather than as a source of direct constitutional obligations for private actors.

The Srikrishna Committee Report (2018) adopts an approach to identifiability consistent with the constitutional framework articulated in K.S. Puttaswamy v. Union of India. The Srikrishna Committee similarly treated de-identification, masking and pseudonymisation as risk-reducing techniques while warning that re-identification remains possible where auxiliary datasets, technological capability, or organisational access exist. Encryption falls within this category. Read in light of Puttaswamy, this supports interpreting the DPDP Act’s identifiability trigger as contingent on realistic re-identification risk.

Parliamentary scrutiny of the Personal Data Protection Bill, 2018 (earlier version of the DPDP Act) further underscores sustained concern with anonymization governance. Committee deliberations did not treat anonymization as a purely technical state, but as a regulatory question requiring safeguards and clarity, particularly in data-rich environments where re-identification risk persists. This legislative history aligns with proportionality: obligations should correspond to actual capacity to identify individuals and the impact on their rights. It therefore supports guidance under the DPDP Act that operationalises identifiability as contextual and actor-specific, distinguishes reversible safeguards such as encryption from irreversible anonymization, and avoids both over-extension of compliance burdens and premature claims of de-identification.

Why Encrypted Data Ordinarily Remains Personal Data for the Fiduciary

In most real-world implementations, the same organization, or its controlled vendors, holds both encrypted data and a practical means of decryption. This may be through direct possession of cryptographic keys, hardware security modules, key management systems, or organizational and contractual mechanisms that enable recovery. For a typical Data Fiduciary, encryption therefore does not remove identifiability. It reduces breach risk by making data unintelligible to unauthorized parties, but the fiduciary can still link the data to individuals and use it in ways that affect their rights or interests. Under the DPDP Act, such data remains personal. At the same time, the fiduciary’s liability does not depend solely on decryptability; it arises from its determination of the purpose and means of processing and includes responsibility for unauthorized disclosure, inadequate safeguards, or non-legitimate use of the data.

This position aligns with regulatory practice across jurisdictions. The UK Information Commissioner’s Office in most circumstances treats encrypted data as personal data where the controller retains access to decryption keys. Canadian and Australian regulators similarly frame encryption as a security safeguard that reduces risk without converting personal data into anonymized data.

How Modern Data Protection Law Assesses Re-identifiability

Comparative data protection law converges on three principles that are directly relevant to how encrypted data should be treated under the DPDP Act.

First, identifiability turns on reasonable means rather than theoretical possibility. GDPR Recital 26 requires consideration of all means reasonably likely to be used to identify a person, taking account of cost, time, available technology, and technological developments. The standard is contextual and time-bound: it assesses identification risk in light of capabilities realistically available within the relevant legal and organisational framework at the time of processing, rather than speculative future advances. US privacy laws reflect a similar approach. The California Consumer Privacy Act, for example, includes information that can be “reasonably linked,” directly or indirectly, to an individual. In both frameworks, the inquiry asks whether identification is realistically possible in practice.

Second, legal and organizational access matters. In Breyer v. Germany, the Court of Justice of the European Union (CJEU) held that dynamic IP addresses can constitute personal data where the controller has legal means reasonably likely to be used to obtain the additional information necessary to identify the individual, for example through cooperation mandated by law. The Court rejected the argument that data ceases to be personal merely because identification requires additional steps or third-party assistance. What mattered was whether lawful and realistic pathways to identification existed.

This reasoning was further examined in EDPS v. Single Resolution Board, where the Court of Justice clarified that the General Court had erred in requiring identifiability to be assessed exclusively from the recipient’s perspective. The Court emphasized that a controller’s obligations are assessed from the controller’s perspective at the time of processing, and that the availability of additional information enabling identification must be evaluated within the relevant legal and organizational framework governing access to that information. The judgment therefore resists a purely recipient-centric approach to determining the applicability of data protection obligations. At the same time, it confirms that identifiability cannot be treated as an abstract property of data but must be assessed in light of realistic access to supplementary information within the processing arrangement. The decision thus highlights the tension between a controller-focused allocation of regulatory responsibility and the inherently contextual nature of identifiability analysis in multi-actor environments.

Third, encryption mitigates harm but does not change classification. Article 34 GDPR limits breach notification obligations where encrypted data is unintelligible to unauthorized persons. This reflects a risk-based calibration of remedial obligations in light of reduced harm, rather than a reclassification of encrypted data as non-personal. This structure, mirrored in the UK jurisprudence, Singapore’s Personal Data Protection Act read with its guidelines, Brazil’s Lei Geral de Proteção de Dados, and Canadian and Australian guidance, confirms a consistent regulatory understanding. Encryption reduces the risk and consequences of unauthorized access, but it does not alter the underlying legal status of the data.

Taken together, these principles support a coherent interpretive position for India. Because the DPDP Act is anchored in identifiability, encryption is best understood as a safeguard applied to personal data rather than as a mechanism that removes data from the Act’s scope. Encryption does not displace obligations relating to notice, purpose limitation, breach reporting, or deletion. Its legal significance lies elsewhere: it operates at the boundary between intelligibility and attribution, a boundary that is often mistaken for a classification threshold. The article therefore focuses on encryption not because it is the only safeguard recognised under Rule 6 of the DPDP Rules 2025, but because it raises recurring interpretive questions about the scope of personal data and the allocation of responsibility in multi-actor processing arrangements. Comparative jurisprudence also illustrates why recipient-side analysis matters: identifiability depends on the technical, legal, and organisational means available to the actor in question.

What Indian Law Has Not Yet Clarified: Recipient-side Treatment of Encrypted Data

The DPDP Act remains silent on a key question: the status of encrypted data shared with a recipient who does not possess, and cannot realistically obtain, the decryption keys. Would that data continue to qualify as “personal data” for that recipient?

This is not a marginal or theoretical issue. The classification of such encrypted data has far-reaching implications for the compliance obligations applicable to the entities involved. It arises routinely in cloud hosting, outsourced analytics, regulatory reporting, managed services, and research collaborations. Because the DPDP Act defines personal data by reference to identifiability, the analysis is contextual and actor-specific. The same encrypted dataset may remain personal data for one entity and become effectively non-personal for another, depending on whether the recipient has realistic means to identify individuals.

Three common scenarios illustrate why this question cannot be answered through a single, controller-centric rule.

Scenario 1: Bank and Financial Regulator (RBI or SEBI)

A bank transmits an encrypted dataset to a financial regulator without sharing decryption keys. If the regulator has statutory authority to mandate disclosure of keys, requires decrypted information, or otherwise obtains identifiable data, the encrypted data may remain personal data in the regulator’s hands. However, if the regulator receives only encrypted payloads or aggregated outputs and lacks any legal pathway to obtain identifying inputs, the dataset may be effectively non-personal from the regulator’s perspective, even though it remains personal data for the originating bank. That assessment, however, must account for the regulator’s broader statutory powers, access to auxiliary datasets, and exemptions available under the DPDP Act. Where such powers or data ecosystems create realistic pathways to attribution, identifiability may persist notwithstanding encryption.

This scenario illustrates that recipient-side analysis cannot turn solely on technical format. Legal powers, institutional role, and statutory authority are equally relevant to identifiability.

Scenario 2: Health-tech and Research Trust Intermediary

A health-tech company shares encrypted patient data with an academic research trust while retaining the decryption keys and contractually prohibiting disclosure. If the research trust has no technical access to keys, no legal avenue to compel disclosure, and no realistic ability to infer identities using auxiliary datasets, it may be processing data that is effectively non-personal. At the same time, the originating health technology company remains a Data Fiduciary processing personal data because it can decrypt the data and link it to patients.

This scenario highlights the practical value of a recipient-side lens. It creates a necessary distinction between a lower-risk intermediary and the originating controller while preserving accountability where identifiability actually exists.

Scenario 3: Encrypted Data Processed in AI-Enabled Environments

Another increasingly common situation arises where encrypted or pseudonymized data is processed within systems that deploy advanced analytics. Encryption may render raw fields unintelligible, yet identifiability risk can persist or re-emerge depending on how the data is structured and used. In AI-enabled environments, patterns, tokens, or behavioral signals may permit singling out, linkage across datasets, or inference about specific individuals even without decryption of the underlying payload.

This scenario requires distinguishing confidentiality from identifiability. Encryption limits unauthorized access, but identifiability may persist through (i) singling out across records; (ii) linkage via stable encrypted tokens or metadata; and (iii) inference from analytical outputs that permit attribution of characteristics to an individual. The risk is heightened where encrypted identifiers are deterministic and enable joins, where auxiliary datasets are available, or where organizational or legal pathways permit access to mappings. The relevant question is not whether a recipient can read ciphertext, but whether it can realistically achieve attribution in context, whether directly, indirectly, or through downstream outputs.
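The linkage risk from deterministic encrypted identifiers described above can be measured before a dataset is shared. The following Python sketch is an added example, not part of the original article; the records, key handling and function names are constructed for illustration, and the randomised token is a stand-in for probabilistic encryption.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Key held only by the originating fiduciary (constructed for this example).
KEY = secrets.token_bytes(32)

# Constructed sample records: (patient identifier, attribute).
VISITS = [("P-1001", "cardiology"), ("P-1002", "oncology"),
          ("P-1001", "cardiology"), ("P-1003", "dermatology"),
          ("P-1001", "pharmacy")]
BILLING = [("P-1001", "city-A"), ("P-1003", "city-B"), ("P-1004", "city-C")]


def det_token(key, identifier):
    """Deterministic token: the same identifier always yields the same value."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def rand_token(key, identifier):
    """Randomised token: a fresh nonce makes every output distinct."""
    nonce = secrets.token_bytes(16)
    tag = hmac.new(key, nonce + identifier.encode(), hashlib.sha256).digest()
    return (nonce + tag).hex()


def release(records, tokenise, key=KEY):
    """Build the dataset a recipient would receive: tokens plus attributes."""
    return [(tokenise(key, pid), attr) for pid, attr in records]


def linkability(release_a, release_b):
    """What a recipient WITHOUT the key can do with two releases."""
    counts_a = Counter(tok for tok, _ in release_a)
    tokens_b = {tok for tok, _ in release_b}
    return {
        # records in A that can be joined to some record in B
        "joinable_records": sum(n for tok, n in counts_a.items()
                                if tok in tokens_b),
        # tokens seen more than once in A: one individual singled out
        "recurring_tokens": sum(1 for n in counts_a.values() if n > 1),
        "distinct_tokens": len(counts_a),
    }


def holder_can_relink(key, token_hex, candidate):
    """The key holder can still attribute a randomised token to a person."""
    raw = bytes.fromhex(token_hex)
    nonce, tag = raw[:16], raw[16:]
    expected = hmac.new(key, nonce + candidate.encode(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


if __name__ == "__main__":
    print("deterministic:", linkability(release(VISITS, det_token),
                                        release(BILLING, det_token)))
    print("randomised:   ", linkability(release(VISITS, rand_token),
                                        release(BILLING, rand_token)))
```

With deterministic tokens the recipient can join four of five visit records to billing data and follow one patient across three visits without any key; with randomised tokens it can do neither, while the key holder retains attribution in both cases.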

This does not imply that every entity processing encrypted data in analytical environments can identify individuals. Identifiability remains contextual under the DPDP Act and depends on technical capability, dataset structure, purpose of processing, and surrounding constraints. Encryption reduces exposure risk, but it does not by itself determine whether data falls within or outside the Act’s scope.

These examples illustrate why a uniform, chain-wide classification rule sits uneasily with an identifiability-based statute. The DPDP Act turns on capacity to identify rather than the mere transfer of datasets. It can therefore accommodate actor-specific classification, provided regulators distinguish between the existence of encrypted personal data within a broader arrangement and the realistic identification capacity of each entity within it. Without that distinction, classification risks hardening into a formal rule detached from the statute’s identifiability trigger.

Likely Enforcement Posture in India

The structure of the DPDP Act places primary accountability on the Data Fiduciary, defined as the entity that determines the purpose and means of processing personal data. Section 8(1) provides that a Data Fiduciary remains responsible for compliance even where processing is carried out on its behalf by a Data Processor. Although the Act empowers the Data Protection Board to impose penalties for breach by a person in accordance with the Schedule, the core operational duties, including implementation of reasonable security safeguards and breach intimation, are framed as fiduciary obligations. In practical terms, the enforcement architecture is therefore fiduciary centered.

In the early stages of enforcement, regulators may reasonably adopt a cautious, controller-focused posture and treat encrypted datasets as personal data throughout a processing chain wherever realistic identification pathways exist. Such an approach minimises the risk of under-protection, though it may increase compliance burdens for infrastructure providers, intermediaries, and research organizations.

At the same time, the trigger for fiduciary obligations under the DPDP Act is not merely the technical capacity to identify, but the exercise of control over the purpose and means of processing. Identifiability determines whether data falls within the statutory scope; fiduciary status determines who bears primary responsibility for compliance. A more relational approach under the DPDP Act would therefore distinguish between classification and accountability. The same encrypted dataset may remain personal data within the statutory framework, yet entities that neither determine purpose and means nor possess realistic re-identification capacity should not automatically bear full fiduciary obligations. Clarifying this distinction is essential to ensure that the Act protects privacy without collapsing role-based accountability into a purely technical identifiability test.

Classification of Data versus Liability of the Data Fiduciary

The recipient-side scenarios above expose a structural distinction that Indian law must operationalize clearly: the classification of data in a recipient’s hands is a different legal question from the liability of the originating Data Fiduciary. Conflating these two inquiries risks both regulatory overreach and accountability gaps. Across all three scenarios, the answer is consistent. A Data Fiduciary cannot shed responsibility simply by encrypting data and transferring it onward. Fiduciary obligations arise from the decision to collect, process, disclose, and use personal data in ways that affect individuals.

Applied to the same scenarios:

Scenario 1 – Bank and regulator

Classification: Personal data – for the bank and the regulator with power to order decryption or reasonably access it. Non-personal data – for the regulator which receives only encrypted or aggregated material.

Liability: The bank’s fiduciary obligations arise from its decision to collect, process, and disclose customer data, irrespective of how the regulator ultimately classifies the dataset in its own hands.

Scenario 2 – Health-tech and research trust intermediary

Classification: Personal data – for the originating hospital which stores patients’ records. Non-personal data – for the research trust if it lacks decryption keys and additional information to identify the patients to whom the data belongs.

Liability: The originating company remains responsible for consent, purpose limitation, and safeguards.

Scenario 3 – AI-enabled processing environments

Classification: Classification is context-specific depending on the sophistication of tools deployed to realistically single out individuals.

Liability: Data Fiduciary remains accountable for designing processing architectures that meaningfully limit re-identification risk, rather than assuming that encryption alone insulates it from responsibility.

This distinction is critical. Classification may vary by recipient, but fiduciary responsibility does not evaporate simply because data is encrypted or shared. Additionally, a distinct question is whether the encryption deployed satisfies the “reasonable security safeguards” requirement under Rule 6 of the DPDP Rules. The standard is technology-relative and evolves with prevailing industry practices and key governance norms. Stronger encryption may reduce breach risk, but it does not alter the classification inquiry. Its adequacy is therefore a safeguards compliance issue, not a determinant of whether data falls within the Act’s scope.

What the DPDP Rules Signal About Encryption

A critical distinction follows. Data classification asks whether a data set enables identification by a particular actor. Fiduciary liability asks who remains responsible under the DPDP Act for decisions affecting individuals.

Encryption may affect classification for certain recipients, but it does not transfer or dilute fiduciary accountability. A Data Fiduciary cannot shed responsibility simply by encrypting data and sharing it onward. Obligations under the DPDP Act arise from control, decision-making power, and impact on individuals, not from ciphertext alone.

Rule 6 of the DPDP Rules confirms this structure. It requires encryption and similar measures as safeguards for personal data. MeitY’s explanatory note accompanying the DPDP Rules likewise treats encryption as a component of “reasonable security safeguards” designed to protect personal data, reinforcing that encryption operates within the Act’s framework rather than outside it. The Rules therefore do not redefine what counts as personal data, nor do they reallocate liability.

The Compliance Risk of Collapsing Classification and Liability

While classification may affect the intensity or tier of obligations that apply, the allocation of fiduciary responsibility remains grounded in control over the purpose and means of processing rather than in technical unreadability alone. If regulators collapse classification and liability into a single question, two predictable problems arise. The first is over-regulation of low-risk recipients. Cloud providers, infrastructure vendors, and research intermediaries may be required to comply as if they hold personal data even where they lack realistic means of identification. The second is false comfort for fiduciaries. Originating entities may mistakenly assume that encryption shifts responsibility downstream, weakening incentives to design privacy-preserving systems and governance. Neither outcome serves the DPDP Act’s purpose of protecting individuals while enabling responsible data use.

What Effective Guidance Should Do

To avoid these pitfalls, regulatory guidance should: treat classification as actor-specific and context-dependent, grounded in realistic identifiability; preserve fiduciary liability based on control, decision-making power, and impact on individuals; clarify common recipient-side scenarios, including cloud hosting, regulated reporting, research, and AI-enabled processing; distinguish between “no realistic means” and “difficult but feasible” re-identification; and recognize encryption as a baseline safeguard without misreading it as a scope carve-out.

Handled this way, the DPDP framework can remain robust without imposing unnecessary compliance costs on actors who cannot meaningfully identify individuals, while ensuring that those who can do so remain accountable under the Act.

In practical terms, such guidance could include illustrative scenarios clarifying when encrypted data in the hands of infrastructure providers, cloud hosts, or research intermediaries falls outside their compliance perimeter due to absence of realistic re-identification capacity, while preserving full fiduciary accountability for the originating controller. Comparative practice demonstrates that this is administratively workable. Under the GDPR, supervisory authorities distinguish between controller responsibility for lawful processing and limited breach-notification consequences where data is rendered unintelligible through encryption. Guidance in jurisdictions such as the UK and Singapore similarly treats encryption as a risk-mitigating safeguard without reclassifying the data itself. These examples show that actor-specific classification can coexist with clear ex-ante compliance obligations, rather than converting the regime into a purely ex-post harm framework.

Conclusion

Under India’s DPDP Act, encrypting data does not convert personal data into non-personal data. The Act is anchored in identifiability, and encryption is ordinarily reversible through keys or controls that remain within the realistic reach of data fiduciaries or their processors.

Comparative practice across jurisdictions points in the same direction: encryption reduces risk and harm, but it does not, by itself, redraw the boundary of what counts as personal data. The harder question, and the one Indian regulators have yet to answer clearly, concerns recipient-side treatment when encrypted data is shared without decryption keys. This issue matters because modern data processing is increasingly distributed across cloud providers, analytics vendors, regulators, and research intermediaries with very different capacities to identify individuals. Without clear guidance, enforcement risks oscillating between over-regulation of low-risk infrastructure actors and under-regulation of entities that retain meaningful control over re-identification.

The policy task ahead is therefore not to rethink encryption, but to operationalize identifiability. That exercise must remain anchored in proportionality and realistic attribution capacity, while preserving the Act’s ex-ante allocation of fiduciary responsibility. Doing so requires guidance that separates data classification from fiduciary accountability and applies context-sensitive standards across multi-party processing chains. If handled carefully, India can avoid treating encryption as either a loophole or a liability trap, while preserving the DPDP Act’s core commitment to protecting individuals in an increasingly data-driven economy.
