Anthropic vs Government data control: Why this case matters for India
The case highlights an emerging reality that control over digital infrastructure is increasingly becoming a constitutional issue.
Earlier this month, the artificial intelligence company Anthropic sued the United States Department of Defense after the Pentagon designated the firm a 'supply-chain risk', effectively blacklisting it from certain Government contracts. Anthropic argues that the decision was arbitrary and retaliatory, particularly because the company had publicly resisted the use of its AI technology for military surveillance and autonomous weapons. Legal experts in the United States have suggested that the company may have a strong case. If the Pentagon's designation lacked clear statutory authority or procedural safeguards, the decision could be vulnerable to judicial scrutiny. But the dispute is about far more than procurement policy or defence contracting.
At its core, the litigation reflects a growing global tension between governments seeking greater control over advanced technologies and companies attempting to impose limits on how those technologies are used. The case highlights an emerging reality that control over digital infrastructure is increasingly becoming a constitutional issue.
It raises a broader question that is equally relevant to India's ongoing privacy debate, which is how much power should governments have over a person's data in a digital society?
India's data protection framework under scrutiny
India's answer to that question currently lies in the Digital Personal Data Protection Act, 2023 (DPDP Act), the country's first comprehensive law regulating the processing of digital personal data. In theory, the objective of any data protection law is straightforward. It exists to ensure that individuals retain control over their personal information and that entities collecting such data remain accountable for how it is used. However, the design of the DPDP Act has already come under judicial scrutiny. Several petitions challenging the constitutional validity of the law are currently pending before the Supreme Court, and the Court has issued notice in these matters (the latest being Geeta Seshu and Anr. v. Union of India and Ors. [W.P.(C) No. 275/2026]).
The core issue: State exemptions under the DPDP Act
The petitioners argue that certain provisions of the DPDP Act may undermine the very right to privacy that the legislation is meant to protect. One of the central concerns relates to the wide exemptions granted to the State. The DPDP Act allows the Government to exempt its agencies from the application of key provisions of the law on grounds such as national security, public order, or the sovereignty and integrity of India.
While such objectives are legitimate, the breadth of these exemptions raises an important constitutional concern. If the Government retains the ability to exempt itself from the very law designed to protect digital personal data, the balance between privacy and State power becomes difficult to maintain. The challenge to the DPDP Act, therefore, raises a deeper structural question of whether a law truly protects citizens' privacy if it places strict obligations on private entities while simultaneously allowing the State broad discretion over personal data? This is where the Anthropic dispute becomes particularly relevant.
Why the Anthropic case matters for India
In the United States case, a private technology company has chosen to challenge the actions of a Government agency that it believes exceeded its authority. The litigation illustrates how conflicts between technological development, surveillance concerns, and State power are increasingly being resolved through constitutional scrutiny. The case signals that the governance of data and digital infrastructure is becoming one of the most contested areas of public law.
For India, this debate carries even greater significance. The country is among the fastest-growing digital economies in the world. The scale of such data ecosystems means that any misuse or unchecked access can have profound implications for privacy and civil liberties.
The constitutional principle at stake
Data protection laws, therefore, serve a critical constitutional function. They are safeguards meant to limit the concentration and misuse of digital informational power. If the ultimate goal of privacy legislation is to protect individuals from the misuse of their digital personal information, those protections must apply to the most powerful actors in the system as well.
Governments, by virtue of their regulatory authority and access to large-scale data systems, are often the most powerful data processors in any jurisdiction. Otherwise, the balance between State authority and individual liberty risks being fundamentally altered.
The Supreme Court's examination of the DPDP Act therefore represents a pivotal moment in India's evolving privacy jurisprudence. The apex court will ultimately have to determine whether the law strikes the correct balance between enabling governance and protecting citizens' fundamental rights. In doing so, the Court may also have to confront a central constitutional principle that lies at the heart of both the DPDP challenge and the Anthropic dispute which is a data protection law cannot claim to protect citizens' privacy if it restrains private actors but allows the State itself to operate with wide and largely unchecked powers over personal data.
Conclusion
Data protection laws were conceived as instruments to protect citizens' privacy in an increasingly digital world. If they are to fulfill that promise, they must ensure that the State itself remains subject to the same principles of accountability and restraint that it imposes on others.
Rashmi Deshpande, who authored this article, is a founder of Fountainhead Legal, bringing nearly 20 years of experience across Big 4 consulting and top law firms. She has worked with Deloitte, BMR & Associates, KPMG, PwC, and was a partner at Khaitan & Co. before founding her firm in 2023. Her expertise spans data privacy, corporate advisory, contract drafting, and litigation across sectors like fintech, insurance, IT/ITES, life sciences, and real estate. She specialises in regulations such as India's DPDP Act and GDPR, helping clients with compliance, privacy policies, and data protection frameworks.