
Surveillance and Privacy: Assessing ICCCs Under 2025 DPDP Rules

I. Introduction: The “Urban Brain” under Scrutiny


As of January 2026, the Indian urban landscape is no longer just a collection of physical infrastructure; it is a digital organism. At the heart of this transformation are the Integrated Command and Control Centres (ICCCs), the “brains” of the Smart Cities Mission, which aggregate real-time data from thousands of CCTV cameras, IoT sensors, and biometric scanners. According to Ministry of Housing and Urban Affairs (MoHUA) data, over 100 cities have operationalized ICCCs, managing everything from traffic flow to “predictive policing.”


However, the legal basis of such centres changed substantially on November 14, 2025, when the DPDP Rules, 2025, were announced. An 18-month period of phased compliance has now begun. It also operates on a retroactive basis: within this period, municipal bodies and Special Purpose Vehicles (SPVs) must retroactively bring mass surveillance architectures into compliance with a rights-based data regime. The central question for 2026 is no longer if surveillance is permissible, but how it survives the dual test of statutory compliance and constitutional proportionality in an era of unprecedented data transparency.


II. The ICCC as a “Significant Data Fiduciary”


Under the DPDP Act, 2023, any entity that determines the “purpose and means” of data processing is a “Data Fiduciary.” The processing of personal data, including facial biometrics and geolocation, by ICCCs, which is usually handled by Smart City SPVs, is conducted at a scale that can attract “Significant Data Fiduciary” (SDF) status under Section 10. The SDF designation is not mere nomenclature; it comes with an expanded set of responsibilities that a majority of local governments are still ill-equipped to manage.


By early 2026, the newly notified Rule 13 of the 2025 Rules imposes a rigorous “Privacy-by-Design” mandate on these SDFs. In contrast to other fiduciaries, ICCCs are now required to:

  1. Conduct Annual Data Protection Impact Assessments (DPIAs): This is a structured evaluation of the harm that surveillance may cause to “Data Principals” (citizens), including the risk of discrimination and loss of anonymity.

  2. Appoint an India-based Data Protection Officer (DPO): To serve as the primary point of contact for the Data Protection Board of India and to handle citizen grievances.

  3. Engage Independent Data Auditors: To ensure that the facial recognition software is not just accurate but also legally compliant in its data retention and processing logs.

| Feature | Standard Data Fiduciary | Significant Data Fiduciary (ICCCs) |
|---|---|---|
| DPO Appointment | Optional (Internal) | Mandatory (India-based) |
| Data Audit | Self-assessment | Independent External Audit |
| Impact Assessment | Not specified | Mandatory DPIA (Rule 13) |
| Grievance Period | Standard | Priority Redressal (Rule 14) |

For the SPVs operating these centres, data has ceased to be an administrative resource; it is a potential legal liability that needs oversight at boardroom level.


III. The “Consent Paradox” and the Section 7 Trap


The DPDP framework is built on the pillar of “informed and unambiguous consent” (Section 6). However, mass surveillance presents a logical paradox: it is physically impossible to obtain commuter-level consent for each high-resolution camera on the street. To navigate this, many municipal bodies are relying heavily on Section 7 (Certain Legitimate Uses).

Specifically, Section 7(c) allows the State and its instrumentalities to process data to perform “legal duties” or for the “security of the State.” However, according to legal scholars, this may act as a trap for administrators. Although capturing a license plate in a traffic offense may be regarded as a legal obligation, building 360-degree behavioural portraits of citizens to maintain general law and order probably goes beyond the intent of the statute. Under Rule 3, the transparency requirement exists even in cases of legitimate uses. This implies that passive “Notice Boards” in civic parks are no longer legal; cities are now required to provide digital, accessible, and standalone notices, such as a QR code-linked city portal, that explain what data is being collected, its exact purpose, and the retention period.


IV. The “Phased Compliance” Reprieve (2025–2027)


The government's decision to offer an 18-month window ending in May 2027 provides a vital transition period. At the present stage, the Data Protection Board is active; however, the administrative establishment and registration of “Consent Managers” are the main focus of regulation.

However, administrators should understand that phased compliance is not a legal vacuum. Section 8(5) of the Act, which requires “reasonable security safeguards” to prevent data breaches, is already operational. If an ICCC suffers a data leak in 2026, perhaps because of an unsecured server or a rogue third-party vendor, the compliance window will not protect the entity against the INR 250 Crore penalty imposed for failure to notify the Board of the data leak without delay under Rule 7. The message is clear: the procedural rules for how to process may have a grace period, but the fundamental duty to protect what you have already collected is immediate.


V. Algorithmic Accountability and Third-Party Risk


A significant portion of ICCC operations is outsourced to private technology “processors.” The 2025 Rules make the Data Fiduciary (the City SPV) strictly responsible for the activities of its Processors. This creates a problem of shadow governance. By 2026, contracts between Smart Cities and technology giants will have to be rewritten to include:

  1. Mandatory Data Deletion Clauses: Aligning with Rule 8, which requires data to be erased once the specified purpose is fulfilled.

  2. Audit Rights: Allowing the city to verify the Processor's security protocols.

  3. Liability Indemnification: To protect the public exchequer from fines caused by private-sector technical failures.

The shift is from a “vendor-client” relationship to one of “joint-fiduciary accountability,” where the city must proactively monitor its own digital supply chain.


VI. The Constitutional Guardrail: The Proportionality Test


Beyond the DPDP Act lies the shadow of the Supreme Court’s landmark judgment in Justice K.S. Puttaswamy v. Union of India. The court established a four-fold test for any State interference with privacy:

  1. Legality: There must be an enabling law (The DPDP Act provides this).

  2. Legitimate Aim: The goal must be clear (e.g., crime prevention).

  3. Necessity: There must be no less intrusive alternative (e.g., Can traffic be managed without facial recognition?).

  4. Proportionality: The benefits to public order must outweigh the loss of civic anonymity.

Interestingly, we see a parallel struggle for “functional” over “technical” definitions in the 2025 Aravalli Case. Just as the Court stayed its own order that defined “hills” purely by a 100m height threshold, urban privacy law must move away from “technical compliance” (height of security) to “functional integrity” (impact on citizens). If a city can identify its targets with non-biometric anonymous information, the use of invasive facial recognition may be considered unconstitutional by the High Courts, even with the statutory exemptions under the DPDP Act.


VII. Grievance Redressal: The Citizen’s Right to be Heard


By 2026, the Data Protection Board (DPB) is expected to be overburdened with citizen grievances. Rule 14 mandates that SDFs must resolve grievances within a maximum of 30 days. In the case of ICCCs, this would mean creating a special “Privacy Helpdesk.” If a citizen discovers that their image has been incorrectly tagged in a city database as a person of interest, they now have the statutory right to correction and erasure (Section 12). Failure to rectify such errors may result in the DPB declaring a “voluntary undertaking” or, in the worst scenario, a “blocking order” of the data processing operations in the city.


VIII. Conclusion: From Surveillance to Stewardship


The year 2026 marks the end of “wild west” data collection in Indian cities. The ICCCs must evolve from surveillance hubs into data stewards and custodians. The objectives of the 2025 DPDP Rules cannot be met without upgraded software, but they also demand a paradigm shift, not merely in technology but in the fundamental culture of data minimization. This means that a city should only gather data that it absolutely requires to achieve a certain, proven purpose.

The success of the “Smart City” in this new legal era depends not on the technical capacity of its cameras, but on the integrity of its digital safeguards. The task ahead for urban administrators is to ensure that the pursuit of efficiency does not come at the irreparable cost of civic anonymity. Urban governance must prove that it can be smart without being intrusive, and that the digital eyes of the city are not only intended to observe but are also meant to protect.

 
 
 
