DPDP Act 2023
Implementation Framework

1. Statutory Context & Scope

The Digital Personal Data Protection Act, 2023, establishes the legal framework for processing digital personal data in India. While the Act mandates consent and defines rights for Data Principals (individuals to whom the data relates), it concurrently recognizes the imperative need for the State and its instrumentalities to process data without consent to maintain national security, public order, and enforce the law.

SATARK, developed by Sunil Kumar Jangid and operated by KENILGLOBAL TECH (OPC) PRIVATE LIMITED, processes vast quantities of digital personal data—including telecom meta-data, financial telemetry, and OSINT profiles—exclusively on behalf of authorized Law Enforcement Agencies (LEAs).

2. Data Fiduciary & Data Processor Roles

Under the DPDP Act, the legal responsibilities of data processing are divided between the Fiduciary (who determines the purpose) and the Processor (who executes the processing).

• The Law Enforcement Agency (Data Fiduciary): The authorized LEA officer utilizing the SATARK platform acts as the representative of the Data Fiduciary. The LEA determines the purpose of processing (e.g., investigating an active FIR or intelligence gathering).
• KENILGLOBAL TECH / SATARK (Data Processor): SATARK operates strictly as a Data Processor. The system only ingests, analyzes, and correlates personal data upon the direct, authenticated query executed by the LEA. SATARK does not independently determine the purpose of processing or utilize this data for any commercial or external AI-training purposes.

3. Processing Exemptions for LEAs (Section 17)

The processing of personal data within SATARK falls squarely under the exemptions provided in Section 17 of the DPDP Act, 2023.

3.1 Section 17(1)(a) Exemption

Consent requirements, notice obligations, and certain Data Principal rights are wholly exempted when the processing is necessary for the interests of the sovereignty and integrity of India, security of the State, friendly relations with foreign States, or maintenance of public order.

3.2 Section 17(1)(b) Exemption

Data processing within SATARK is further exempted when it is necessary for the prevention, detection, investigation, or prosecution of any offense or contravention of any law in force in India. Therefore, LEAs utilizing SATARK are not required to seek the consent of suspects, targets, or involved parties before parsing their CDRs, UPI hashes, or IPDR logs.

4. Limitation of Data Principal Rights

Because SATARK is utilized exclusively under the exemptions of Section 17 for criminal investigations, the standard rights afforded to individuals (Data Principals) under the DPDP Act are restricted within this environment to prevent obstruction of justice.

• No Right to Erasure (Section 12): Suspects or individuals whose data is being processed in an active investigation cannot exercise the right to have their personal data erased from the SATARK Vault or LEA registry while the investigation or prosecution is ongoing.
• No Right to Information (Section 11): Individuals cannot request a summary of the personal data being processed about them within SATARK, as revealing such information would compromise the integrity of active law enforcement operations.

5. Implementation of Security Safeguards (Section 8)

Despite the exemptions regarding consent, the DPDP Act mandates that Data Fiduciaries and Processors implement reasonable security safeguards to prevent personal data breaches (Section 8(5)). KENILGLOBAL TECH ensures compliance through:

FIPS 140-3 & AES-256 Encryption: All personal data ingested into SATARK (e.g., suspect phone lists, financial statements) is encrypted at rest. Transit occurs exclusively through TLS 1.3 tunnels. The Zero-Trust Architecture guarantees that unauthorized personnel cannot access the PII stored within the system.

6. Purpose Limitation & Automated Erasure

Section 8(7) of the DPDP Act requires the erasure of personal data once the specified purpose has been served. SATARK implements automated data lifecycle management to ensure LEAs remain compliant with this statutory requirement.

• Ephemeral Raw Data: Massive unverified datasets (like bulk Tower Dumps encompassing thousands of innocent citizens' locations) are held in volatile memory or temporary storage for correlation. Once the specific target is identified, the bulk raw data is subjected to automated cryptographic wiping.
• Case Closure Sanitization: Upon an LEA officer marking a case as 'Resolved' or explicitly closing an intelligence docket, SATARK initiates a sanitization protocol, purging the associated non-evidentiary personal data from the active indexing servers.