The rapid advancement of satellite technology has transformed space-based remote sensing from a tool for state security into a cornerstone of the modern digital economy. High-resolution sensors now provide essential data for addressing global challenges such as climate change, urban mapping, and disaster management. However, as technology evolves to capture imagery at resolutions finer than 30 centimeters, the line between public benefit and private infringement is blurring. While the Indian government has introduced the Digital Personal Data Protection Act (DPDP Act) of 2023 and the Indian Space Policy 2023, a critical question remains: are these frameworks sufficient to protect individual privacy in an era of space big data?.

The Intersection of Geospatial and Personal Data

At first glance, geospatial data refer  as positional data in forms like images, videos, or vectors appears distinct from personal data. The DPDP Act defines personal data as any information relating to an identified or identifiable individual. Traditionally, satellite imagery was viewed as an overview of geographic patterns or weather. However, modern satellites like Cartosat-3, operating at altitudes of roughly 509 km, hypothetically can target individuals with 25-centimeter resolution. When this geospatial data is processed to the point of identifying an individual or monitoring their specific behavior, it effectively transforms into personal data. This intersection creates a legal grey area where the broad objectives of the National Geospatial Policy 2022(NGP) must be reconciled with the fundamental right to privacy However NGP is not silent on the processing of personal data; certain categories of data have been specifically placed under the negative list.

The Concept of  Negative Listing.

To safeguard national integrity, the Department of Science and Technology maintains a Negative Listing. This list identifies sensitive attributes and prohibited areas, such as nuclear power plants, oil industries, and armed forces personals and installations that cannot be mapped or processed without special permission.

At present, these restrictions are mainly limited to horizontal and vertical accuracy thresholds (for example, accuracy not exceeding one meter horizontally) to prevent the identification of individuals within sensitive zones. However, the existing framework arguably does not sufficiently safeguard the privacy of the general public outside such zones. While foreign entities are allowed to process Indian geospatial data, they must store it within India which is aligning with Section 16 of the DPDP Act. Yet, there is no specific mechanism to regulate such data processing, and the primary concern remains whether the space industry falls within the ambit of a data fiduciary.

Who is the Data Fiduciary and Determining their Accountability

Under the DPDP Act, a Data Fiduciary is any entity that determines the purpose and means of processing personal data. In the context of the space industry, determining this role is essential for establishing accountability and they fall under broadly under two category 

•  Commercial Entities: If a company collects and stores geospatial data to identify individuals for its own purposes, it acts as a Data Fiduciary.
• Space Industries: If a space-based entity is hired merely to process data according to instructions, it acts as a Data Processor. However, if the space industry also determines who receives that data, it assumes the responsibilities of a Data Fiduciary.

If the space industry is brought within the definition of a data fiduciary under the above two categories, it would become subject to the obligations laid down under the DPDP principles. This would require informing users about what data is collected and the purpose for which it is used, obtaining verifiable consent before processing any personal data, and ensuring adequate protection and security of the information collected. Additionally, in cases involving children or persons with disabilities, special consent would need to be obtained from a parent or legal guardian before any data processing takes place. However, such a framework still needs to be developed, and space companies are not yet fully accountable under the DPDP regime, which raises serious concerns regarding the privacy of Indian citizens.

Conclusion:

The commercialization of space-based data offers immense benefits, from slum area declaration to efficient water connection planning. Yet, the potential for surveillance of innocent civilians remains a significant threat. To bridge the gap between the Indian Space Policy and the DPDP Act, a more transparent mechanism is required. A fundamental principle of data protection, consent and purpose must be integrated into the terms and conditions of geospatial services. Furthermore, individuals should potentially have the choice to “opt-out” of remote sensing data collection, effectively placing their personal data on a negative list to ensure it remains protected by law. Only by establishing these safeguards can India foster a thriving space economy without sacrificing the fundamental right to privacy.