Public-interest policy proposal

Digital Personhood Model Bill, 2026

This page presents a research-based model bill for biometric integrity, identity protection, AI-generated impersonation, automated consequential decisions and remedies for systemic digital harm in India. It is a proposal for consultation, not enacted law.

AuthorNitish Kumar
Version1.0
Published21 June 2026, 3:24 PM IST
Document classPublic-interest policy framework and model bill
JurisdictionIndia
Legal statusProposal for research, consultation and legislative consideration

Direct answer

What this bill proposes

It proposes that a person's biometric identity, personal data, communications, behavioural signals and AI-generated identity derivatives should receive protection proportionate to the protection given to the physical person.

Current legal status

Is it already Indian law?

No. It is a proposed legal and policy framework. Existing Indian law protects privacy, dignity, liberty, equality and personal data through the Constitution, judicial decisions and statutes including the Digital Personal Data Protection Act, 2023.

Executive summary

Why this bill exists

The proposal starts from a simple proposition: a person must not lose practical control over dignity, liberty, reputation or livelihood merely because the instrument of harm is data rather than physical force.

It organizes the problem around biometric integrity, identity correction, covert surveillance, synthetic impersonation, automated adverse decisions, evidence preservation, cross-border containment and public accountability. The model bill does not pretend that all of these duties already exist in one finished statute. Its purpose is to show what a coherent legal architecture could look like.

What the framework does not claim

It narrows the proposal instead of overstating the law.

The proposal does not claim that Parliament can declare a new Basic Structure feature and bind constitutional courts.

It does not say that every data breach automatically becomes an Article 21 violation or a constitutional tort.

It does not treat personal data as sovereign property of the Union or present "digital arrest" as a lawful arrest category.

It does not claim that a statutory tribunal can be turned into a constitutional court of record by ordinary legislation.

Implementation context

Existing-law position as framed in the source draft

The source manuscript states that the Digital Personal Data Protection Act, 2023 is enacted law, that the Digital Personal Data Protection Rules, 2025 have been notified, and that the Data Protection Board of India was formally established by Gazette notification dated 13 November 2025.

The policy question raised here is therefore not whether the Board exists in the abstract, but whether appointments, technical capacity, public accessibility, procedures and coordination mechanisms become operational at a level proportionate to the risk.

Core dimensions

Eight protected dimensions of digital personhood

DimensionProposed protectionPrincipal foundation
Biometric integrityProtection against unlawful capture, replication, matching, transfer and weaponisation of fingerprints, iris, facial geometry, voice, gait and derived templates.Article 21 dignity, privacy and bodily autonomy; statutory data-protection duties.
Identity integrityThe right to correction, dispute, provenance review and rapid containment when identity is falsified or duplicated.Articles 14 and 21.
Data autonomyMeaningful control over collection, purpose, sharing, retention and deletion, subject to lawful exceptions.Privacy and informational self-determination.
Digital dignityProtection from synthetic sexual content, impersonation, humiliation, extortion and reputational manipulation.Dignity, autonomy and reputation.
Communicative privacyProtection of private calls, messages and communications against unlawful interception or covert surveillance.Articles 19 and 21, subject to valid law.
Freedom from chilling surveillanceProtection against surveillance that deters lawful expression, association and democratic participation.Article 19 with privacy and proportionality principles.
Humanly reviewable decisionsNotice, reasons, contestability and meaningful human review for serious automated decisions.Articles 14 and 21 for State systems; statutory extension for covered private systems.
Effective remedyComplaint, preservation, correction, containment, compensation and appeal mechanisms.Articles 32 and 226; public-law compensation principles; statutory remedies.

Design principles

The administrative logic of the bill

  1. Person before dataset. A digital incident is assessed by its effect on dignity, liberty, opportunity and safety.
  2. Prevention before compensation. Containment, correction and evidence preservation take priority over delayed payment alone.
  3. Necessity and minimisation. Systems should collect and retain only what is reasonably needed for a defined lawful purpose.
  4. Explainability proportionate to impact. The greater the effect on a person, the stronger the duty to provide reasons and review.
  5. No consent fiction. Dark-pattern, bundled or coercive consent is not treated as meaningful permission.
  6. Traceable accountability. Every high-impact system must have identifiable decision-makers, processors, vendors and responsible officers.
  7. Technology neutrality. Duties attach to function and harm, not to a fashionable product label.
  8. Federal coordination with local access. National standards must still remain reachable in State and district contexts.
  9. Open institutional reporting. Aggregate remedy and delay data should be public without exposing victims.
  10. Constitutional supervision preserved. No statutory mechanism should narrow Articles 32 or 226.

Bill architecture

What the source manuscript organizes into chapters

Chapter I

Preliminary

  • Short title, extent and commencement
  • Objects of the Act
  • Definitions
Chapter II

Recognition and protection of digital personhood

  • Statutory recognition
  • Rights of an affected person
  • Invalid waivers and application to public and private actors
Chapter III

Legality, purpose and safeguards

  • Rights-impact test
  • Prohibited AI use on unlawfully obtained data
  • Special protection for biometric data
Chapter IV

Affirmative duties of public authorities

  • Coordinated response to serious digital harm
  • Cross-border containment and cooperation duty
  • Implementation accountability and citizen cyber-intelligence submissions
Chapter V

Data sovereignty and digital harm register

  • Data sovereignty as a governance responsibility
  • Cross-border compromised datasets
  • Standing and reasoned action
Chapter VI

SDK, adtech and embedded-component accountability

  • Covert embedded collection controls
  • SDK disclosure statement
  • Public SDK register and foreign regulatory action review
Chapter VII

Automated consequential decisions

  • Notice
  • Meaningful human review
  • Audit and incident reporting
Chapter VIII

Digital Harm Tribunal

  • Establishment and benches
  • Composition and jurisdiction
  • Interim powers and appeals
Chapter IX

Remedies and liability

  • State digital omission
  • Compensation
  • Biometric compromise presumption and structural compliance orders
Chapter X

Offences and civil penalties

  • Serious offences
  • Sentencing and penalty principles
  • Penalty bands for consultation
Chapter XI

Extra-territorial application and cooperation

  • Substantial connection to India
  • Preservation before attribution
  • International evidence protocol
Chapter XII

Implementation architecture

  • Phased implementation
  • Current-law coordination
  • Independent review
Chapter XIII

Relationship with existing law

  • Harmonious construction
  • Conflict clause
  • Preservation of constitutional remedies
Chapter XIV

Parliamentary and public accountability

  • Annual report to Parliament
  • Public consultation duty
  • Right of response and correction

Direct answer blocks

Five questions the source manuscript treats as essential

Question 01

What is biometric integrity?

It is the protection of biometric traits against unlawful capture, replication, transfer, matching, synthetic imitation and exploitative reuse. The idea is that biometric failure or compromise should not erase a person's legal visibility.

Question 02

What does "digital arrest" mean here?

The manuscript treats it as a scam description, not a lawful arrest category. The proposed legal term is digital impersonation coercion so the law targets intimidation, blackmail, extortion and forced compliance without legitimizing the scammer's language.

Question 03

What is AI-amplified re-weaponisation?

It means using automated or generative systems to increase the scale, realism or persistence of harm from unlawfully obtained personal or biometric data, including voice cloning, deepfake impersonation and automated targeting.

Question 04

What would the Digital Harm Tribunal do?

The manuscript proposes a statutory forum for urgent containment orders, evidence preservation, structured remedy and appeals in serious digital-harm disputes. It does not describe the tribunal as a constitutional court of record.

Question 05

How is this different from current data-protection law?

The model bill tries to connect privacy, identity integrity, biometric compromise, automated-decision review, cross-border containment and public-law remedy into one architecture instead of treating them as isolated compliance questions.

Consultation and correction

How the page asks to be used

Consultation discipline

The manuscript prioritizes three responses from readers: identify a legal or factual error, comment on a defined policy question, or provide a primary source for a claim that still needs evidence completion.

Correction policy

Corrections are grouped as typographical, clarifying, substantive factual, legal-status or structural revision. Substantive and legal-status corrections should remain visible in version history.

Version history

Version 1.0 is dated 21 June 2026 and described in the source draft as a human-edited restructuring that separated settled law, legal argument and proposal while correcting overbroad earlier claims.

Editorial closing note

The closing discipline is clear: urgency is not a license for imprecision. The credibility of the proposal depends on saying exactly what the Constitution already protects, what Parliament has enacted, what evidence proves and what the author is asking the law to become.

Cite this page

Recommended citation

Kumar, Nitish. "Digital Constitutional Personhood Framework and Model Bill, 2026." thenitishkr, 21 June 2026, version 1.0. https://thenitishkr.in/digital-constitutional-personhood/model-bill-2026/

Related reading

Continue with the related research.

This model bill sits inside a larger research structure on Article 12 accountability, DISHA, digital identity harm, evidence custody and public-interest remedy.

Definition Data Sovereignty Biometric Failure Article 12