The 'Legitimacy' Of Data Driven Elections

Introduction

Elections in India, are the largest democratic electoral process in the world. Until late 2000s, election campaigning in India was largely physical and broadcast-oriented, relying heavily on public rallies, newspaper advertisements, posters, television outreach and door-to-door reach outs.¹ Digital campaigning and voter analytics played little or no significant role during this period.

By contrast, post 2010, India witnessed explosive digital growth. By the 2014 general elections, political parties were estimated to have spent between Rs. 400 crores and Rs. 500 crores on digital platforms alone, constituting nearly 15% of the total political advertising expenditure.² The transition accelerated further during the 2019 general elections - India then had nearly 900 million eligible voters, with almost half having access to the internet and social media platforms. India had over 300 million Facebook users and more than 200 million WhatsApp users during the election period, leading to the 2019 elections being called India's first "WhatsApp election".³

The recent elections in Tamil Nadu, Puducherry, Kerala, Assam and West Bengal show that political campaigning in India is increasingly driven by data collection, digital outreach and voter profiling.⁴ The Cambridge Analytics Data Scandal is a classic example, where voter preferences were studied for micro targeting, by gathering personal data of the voters. A similar example in India is that of the "Viksit Bharat Sampark"⁵ WhatsApp campaign, initiated in March 2024, which sparked significant controversy regarding data privacy, consent, and electoral fairness.

Such data driven elections / campaigning, have immense impact on a citizen, particularly in light of the newly enacted Digital Personal Data Protection Act, 2023. We intend to dissect this in two parts: first, through this article, we discuss analytics-based political campaigning and mass data processing in the context of the Digital Personal Data Protection Act, 2023 ('DPDPA') and second, to examine if political parties are legally entitled to access and process personal data, particularly information generated through welfare schemes and the extent to which such data may be used for electoral purposes.

Digital campaigning across State elections

Political parties now use structured voter management systems that allow detailed analysis at 'individual household' and 'polling booth' levels.⁶ Several election-management platforms operating in India openly advertise features such as:

• Booth-level voter tracking⁷;
• Voter sentiment analysis;⁸
• Whatsapp integration;⁹
• Supporter categorisation;¹⁰ and
• Live turnout monitoring;¹¹

Kerala-based platform "ElectionHubAi" claims to provide access to "2.78 crore voters instantly" along with Whatsapp integration and campaign analytics tools.¹² Similarly, the "Korum" election management platform advertises AI-based contact mapping, booth monitoring, supporter tracking and voter search tools using EPIC (Election Photo Identity Card) numbers and mobile numbers.¹³

The real concern, however, is not just the use of digital tools for processing data. The larger concern is the source, scale and legality of processing such data.

Source of voter data

In a recent controversy,¹⁴ a political party alleged that a Brazilian model's photograph appeared multiple times in the voter lists under different identities and that there were significant irregularities in voter records. Whether or not these allegations ultimately withstand scrutiny is a separate issue. The more relevant question from a data protection perspective is how a political party was able to access, analyse and scrutinise electoral databases at such scale to identify alleged duplicate entries and voting patterns in the first place.

Electoral rolls published by the Election Commission of India, are publicly available. This data includes an individual's name, their father/husband's name, age, gender and the address, and forms the basis for any data collection.

However, a large community of political consultants argue that this data (minimal and basic as it is), is enough for a party to understand the community and religion of the candidate, and polling booths such candidates usually cast their votes.

The issue is not that the political parties/consulting firms are processing publicly available data. The larger concern is the source, scale and legality of the non-public personal data. Modern campaign systems combine electoral rolls with mobile numbers, demographic information, welfare-linked data, social media activity, survey responses and booth-level behaviour analysis. Much of this information may qualify as "personal data" under the DPDPA because it relates to identifiable individuals.

Mr. Shivam Shankar Sigh, a leading expert in political consultancy, threw light on the sources of non-public data in one of his presentations¹⁵. He stated that "What it (*databases like Ola, Justdial, etc.*) also does is that it provides a lot of data to politicians and actually compromise democracy... There are student databases that are put up for sale, you can get people's smartphone data, you can get matrimonial data, online shopping data, list of government employees – and all of this is available through unsolicited emails by random companies (including phone numbers)...". He also went on to say how electricity bills serve as one of the best sources for use by political parties to determine the economic status of people. They also collect data from beneficiaries of welfare schemes like the Ujjwala Yojana, Pradhan Mantri Awas Yojana, etc., and that "eventually someone might get access to loan data, IRCTC/payment wallet details".

The availability and trade of datasets containing personal, financial, and behavioural information highlight contravention of right to privacy and the principles laid down by the Supreme Court of India, in the case of Justice K. S. Puttaswamy v. Union of India¹⁶.

Judicial concerns regarding political data processing

Even prior to the enactment of the DPDPA, Courts in India had expressed concerns regarding political parties obtaining and processing voter information without transparency or consent.

In the year 2021, the Madras High Court came down heavily on the Puducherry unit of a particular political party, for adding voters to a booth level WhatsApp group and directed Unique Identification Authority of India to ascertain how the mobile numbers linked to Aadhar were accessed by a political party.¹⁷ Further, voters had received phone calls and messages. It was contended before the Court that only mobile numbers linked with Aadhar cards, were processed.¹⁸ The Petitioner further contended that the said political party had indulged in identity theft and breached fiduciary duty thereby violating Section 66 of the Information Technology Act, 2000. ¹⁹

More recently, concerns regarding political data collection have also emerged in the context of party membership and outreach campaigns. In 2025, the Madras High Court, issued an interim injunction restraining the use of OTP-based verification during a political membership drive conducted through a mobile application, after allegations were raised regarding collection of personal information and Aadhaar-linked details.²⁰

By contrast, the extensive processing of voter data observed in recent elections has occurred post enactment of DPDPA, placing such processing within a newly formalised statutory framework governing personal data protection.

Are political parties entitled to collect "personal data"?

The data used for electoral campaigning duly qualify as "personal data" under Section 2 (t) of the DPDPA, since it relates to 'identifiable individuals', thereby raising a number of significant questions: Can political parties / electoral candidates, process data during elections? If yes, where do they get access to such information from and are they entitled to such access?

DPDPA mandates that consent be obtained from a data principal before processing personal data, except when it is obtained for certain legitimate uses. In terms of Section 7(b) of the DPDPA²¹, State and its instrumentalities have been empowered to process personal data without consent for providing or issuing subsidy, benefit, certificate etc. under the DPDPA.

Under Section 2(zb) of the DPDPA, the term "State" carries the same meaning as assigned to it under Article 12 of the Constitution of India, 1950. In terms of Article 12 of the Constitution, "State includes the Government and Parliament of India and the Government and the Legislature of each of the States and all local or other authorities within the territory of India or under the control of the Government of India."

The scope of the term "State" under Article 12 has been interpreted expansively by Courts over the years. In the case of R. D. Shetty v. International Airport Authority of India²², the Supreme Court evolved the "instrumentality or agency" test and held that entities functioning under deep and pervasive government control could fall within the meaning of "State". The Court identified factors such as government ownership, financial assistance, monopoly status, public functions and administrative control as relevant considerations.

The position regarding political parties under Article 12 remains legally unsettled. In S. Subramaniam Balaji v. Government of Tamil Nadu and Ors.²³, while addressing issues relating to election manifestos and welfare schemes, arguments were specifically advanced before the Supreme Court that political parties are not "State" under Article 12 and therefore are not amenable to writ jurisdiction under Articles 32 or 226 of the Constitution. It was contended that political parties are neither statutory corporations nor instrumentalities or agencies of the Government and that none of the judicial tests evolved for determining "State" apply to political parties. The Supreme Court, however, did not conclusively decide the issue. Instead, the Court left the question open while proceeding to examine the larger issues concerning election manifestos and State-funded welfare schemes.

While Courts have interpreted Article 12 broadly in several contexts, there remains no definitive judicial pronouncement conclusively holding political parties to be "State" for purposes of constitutional and statutory obligations. This ambiguity becomes particularly significant in the context of the DPDPA, where exemptions relating to "legitimate use" are specifically available only to the State and its instrumentalities.

However, on perusal of the definition of "State" and the factors laid down by the Supreme Court, it can be inferred that political parties cannot be considered as a "State" under Article 12 as they are not controlled by the government, and cannot be considered as State even though they perform public and democratic functions.

The statutory framework governing political parties also supports this distinction. Political parties are not created by the Constitution or by statute as governmental bodies. They are association of persons registered with the Election Commission of India under Section 29A of the Representation of the People Act, 1951. The Election Commission's guidelines governing registration require political parties to comply with certain organizational and procedural requirements such as maintaining a party constitution, internal organizational structure and adherence to constitutional principles. However, registration does not convert a political party into a governmental authority or an instrumentality of the State.

Accordingly, political parties not being "State" or its instrumentalities cannot process personal data of individuals without obtaining their consent. Nevertheless, contemporary electoral campaigns frequently appear to rely upon systems that closely resemble state-backed data infrastructures. This creates an important question regarding the legitimacy of political parties processing such data in the absence of explicit consent which will be examined in Part 2 of the article.

Footnotes

1. https://sprf.in/evolving-landscape-of-election-campaigning-in-india/

2. https://timesofindia.indiatimes.com/news/election-2014-is-all-about-social-media/articleshow/33835014.cms

3. https://www.kas.de/en/web/politikdialog-asien/single-title/-/content/the-impact-of-digital-media-on-the-2019-indian-general-election

4. https://enterpriseai.economictimes.indiatimes.com/news/industry/ai-videos-whatsapp-networks-reshape-campaign-playbook-in-poll-bound-states/129946719?utm_source=newslisting&utm_medium=latestNews

5. A government-run Whatsapp outreach initiative through which citizens received messages, surveys and scheme-related communication linked to welfare programs and governance feedback. During the 2024 election period, the initiative drew scrutiny after millions of users received unsolicited Whatsapp messages, leading the Election Commission to direct the Government to stop the bulk messaging.

6. https://restofworld.org/2024/bjp-saral-app-data-gathering/, The data collection app at the heart of the BJP's Indian election campaign

7. https://rajyogelection.in/about/, https://rajyogelection.in/our-products/ Tracking voter trends, turnout patterns, and supporter strength at the level of individual; polling booths to improve targeted campaigning.

8. https://ps25.in/, Analysing public opinions, political preferences and reactions of voters through data driven insights.

9. https://electionsoftware.in/real-time-election-monitoring-a-game-changer-for-state-campaigns-in-haryana/, https://blog.leadnxt.com/2025/10/whatsapp-marketing-in-political-campaigns/, Using Whatsapp networks and automated systems to circulate campaign messages, promotional material and voter outreach communications directly to individuals and groups.

10. https://callhub.io/blog/canvassing/voter-identification/, Classifying voters into categories such as supporters, undecided voters or opposition voters for customised political outreach.

11. https://www.polyas.com/features/wahlbeteiligung-in-echtzeit, Real-time tracking of voter turnout on polling day to identify areas with low participation and mobilise voters accordingly.

12. https://www.electionhubai.com/

13. https://korum.app/

14. https://theprint.in/india/rahul-gandhi-repeats-vote-theft-allegation-against-modi-govt-in-germany/2811143/

15. https://hasgeek.com/fifthelephant/2018/schedule/weaponizing-data-for-politics-3vQuhCmXRRR6Qy5dLUPwAU

16. Supra at 18.

17. https://www.barandbench.com/news/litigation/madras-high-Court-hearing-plea-alleging-misuse-of-voters-aadhaar-data-by-bjp-puducherry , "Should we postpone the elections?" Madras High Court while hearing plea alleging misuse of voters' Aadhaar data by BJP, Puducherry

18. https://www.barandbench.com/news/litigation/madras-high-Court-hearing-plea-alleging-misuse-of-voters-aadhaar-data-by-bjp-puducherry, Plea alleges BJP, Puducherry is using Aadhaar data to boost political mileage: Madras High Court expresses concern

19. https://scroll.in/latest/990652/bjp-accused-of-stealing-aadhaar-data-in-puducherry-for-poll-campaign-madras-hc-expresses-concern

20. https://timesofindia.indiatimes.com/city/chennai/dmk-tweaks-campaign-after-high-Court-injunction-on-otp/articleshow/122844773.cms, DMK tweaks campaign after high Court injunction on OTP

21. A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:—.... (b) for the State and any of its instrumentalities to provide or issue to the Data Principal such subsidy, benefit, service, certificate, licence or permit as may be prescribed, where–– (i) she has previously consented to the processing of her personal data by the State or any of its instrumentalities for any subsidy, benefit, service, certificate, licence or permit; or (ii)such personal data is available in digital form in, or in non-digital form and digitised subsequently from, any database, register, book or other document which is maintained by the State or any of its instrumentalities and is notified by the Central Government, subject to standards followed for processing being in accordance with the policy issued by the Central Government or any law for the time being in force for governance of personal data.

22. R. D. Shetty v. International Airport Authority of India, 1979 AIR 1628.

23. S. Subramaniam Balaji v. Government of Tamil Nadu and Ors., AIRONLINE 2013 SC 153.