Section 35

Section 35 is the Central Government's direct data acquisition power — the most expansive and least constrained provision in the DPDP Act. Its scope: the government can, by order, direct any Data Fiduciary or class of Data Fiduciaries to provide any personal data specified in the order, on grounds of sovereignty and integrity of India, state security, friendly foreign relations, public order, or prevention of cognisable offences related to these grounds. The 'notwithstanding anything contained in this Act' language is a non-obstante clause: Section 35 overrides all other DPDP Act provisions, including consent requirements, purpose limitation, and the rights of Data Principals. A Data Principal cannot exercise their Section 12 right to erasure to prevent data from being provided under a Section 35 direction. The grounds in Section 35 mirror those in Section 17(1)(a) for exemptions — and together they create a comprehensive state surveillance permission architecture. The critical differences from comparable provisions in other jurisdictions: GDPR's Article 23 restrictions require member states' restrictions to be proportionate, necessary, and to respect the essence of fundamental rights — the proportionality requirement is statutory. Section 35 has no explicit proportionality or necessity requirement in its text. The grounds — particularly 'maintenance of public order' — are very broad by international standards. Privacy advocates have argued that Section 35, read with Section 17, effectively creates a framework where the state can access virtually any Indian resident's personal data held by any Data Fiduciary, with no independent judicial oversight or statutory proportionality constraint.