
From Bulk Sale to Controlled Access: A Constitutional and Data Protection Critique of India's Transport Data Sharing Policy

I. Introduction: The Quiet Expansion of State Data Power


In August 2025, the Ministry of Road Transport and Highways ("MoRTH") introduced the Policy for Data Sharing from the National Transport Repository ("NTR Policy"), a framework governing the dissemination of citizen data aggregated across India's transport ecosystem. The Policy, dated 18 August 2025, replaced the earlier Bulk Data Sharing Policy of March 2019, which had permitted private entities to purchase entire datasets from the VAHAN and SARATHI databases for a flat annual fee of ₹3 crore per commercial entity.


The scale of the preceding regime is worth recalling. By February 2021, as Union Minister Nitin Gadkari informed the Lok Sabha, the Government had collected ₹1,11,38,79,757 (approximately ₹111 crore) in revenue from providing access to the VAHAN and SARATHI databases to over 170 entities, including Mercedes Benz, BMW India, Bajaj Allianz General Insurance, Axis Bank, and L&T Financial Services. An earlier disclosure in July 2019 had placed the figure at ₹65 crore, with 87 private and 32 government entities having obtained access. Crucially, when the 2019 Policy was eventually scrapped in June 2020 citing privacy concerns, the Government conceded that no proposal existed to require companies to delete data they had already purchased — leaving the personal information of hundreds of millions of citizens permanently in private hands without enforceable downstream controls.


The new NTR Policy ostensibly represents a decisive break from this model. Access is now structured through API-based sharing, portal-based queries, and exceptional bulk transfers. The framework invokes the Digital Personal Data Protection Act, 2023 ("DPDP Act") and positions MoRTH as the primary "data fiduciary" of NTR data. This transition is presented as a necessary recalibration — a move from crude commercialisation to regulated governance of data-as-infrastructure.


However, a closer examination reveals that the shift is more architectural than substantive. The underlying model (centralised aggregation of citizen data coupled with discretionary sharing to a wide spectrum of recipients, from law enforcement agencies to insurance companies) remains intact. What has changed is the vocabulary, the procedural scaffolding, and the institutional framing. What has not changed is the fundamental power asymmetry between the State as data aggregator and the citizen as data subject.


This article subjects the NTR Policy to a rigorous legal examination across four dimensions: its compliance with the DPDP Act's consent and purpose-limitation requirements; its vulnerability under the proportionality framework established in Justice K.S. Puttaswamy (Retd.) v. Union of India; its transparency and administrative law deficits; and its reliance on anonymisation as a privacy safeguard. It argues that the current framework, despite its regulatory veneer, is constitutionally fragile, statutorily inconsistent, and administratively opaque.


II. The Architecture of the National Transport Repository


The NTR is a centralised database maintained by MoRTH through the National Informatics Centre ("NIC"), established under statutory authority derived from Sections 25A, 62B, and 136A of the Motor Vehicles Act, 1988. It integrates five principal data streams:


VAHAN (vehicle registration certificates) — currently holding records of over 39 crore (390 million) vehicles;

SARATHI (driving licence records) — comprising over 22 crore (220 million) licences;

e-Challan (electronic traffic violation records);

eDAR (Electronic Detailed Accident Reports); and

NETC-FASTag (toll transaction data from the National Electronic Toll Collection system).


The convergence of these datasets creates a composite mobility profile of extraordinary granularity. Vehicle registration reveals ownership and financial liabilities, including hypothecation details. Driving licence records capture identity, address, and biometric data. FASTag data records real-time geographic movement between toll plazas. e-Challan data reveals compliance behaviour. eDAR data connects individuals to accident events, including location, time, and circumstances.


Taken together, the NTR does not merely store administrative records; it constitutes a comprehensive surveillance infrastructure capable of mapping an individual's ownership patterns, geographic movement, financial transactions linked to transport, compliance history, and accident exposure. Civil liberties organisations have described the NTR as a "surveillance-ready stack" — a characterisation that, while polemical, is not without analytical justification.


From a governance perspective, such integration may serve legitimate purposes: streamlining enforcement, reducing fraud, enabling evidence-based transport planning, and facilitating inter-state coordination. However, the moment this data is made accessible — directly or through derived datasets — to private actors, the repository transforms from an administrative tool into a high-value data asset with commercial and surveillance implications that extend far beyond its original statutory mandate.


III. The Illusion of Regulatory Shift: From Bulk Sale to Managed Access


The Government's transition from the 2019 Policy to the NTR Policy is frequently presented as a paradigm shift: from the outright commercial sale of citizen data to a controlled, privacy-respecting framework. This characterisation, while convenient, obscures more than it reveals.


A. The 2019 Regime: Data as Revenue


The 2019 Bulk Data Sharing Policy treated VAHAN and SARATHI data as a revenue-generating asset. Commercial entities could obtain the complete database for ₹3 crore annually; educational institutions for ₹5 lakh. The policy imposed no obligation to delete data after the contractual period. There were no binding restrictions on secondary use, no audit mechanisms, and no public disclosure of sharing arrangements. Analysts documented that there were no effective controls to prevent recipient entities from linking VAHAN and SARATHI data with other datasets — such as KYC records, Aadhaar-linked data, or telecom metadata — to construct comprehensive individual profiles.


The policy's own text acknowledged the risk of "triangulation" — the combination of multiple datasets to re-identify individuals — yet provided no technical or contractual safeguards against it. This was, in substance, a wholesale monetisation of personal data collected under statutory compulsion, with the citizen neither informed nor consulted.


B. The 2025 Regime: New Architecture, Same Dynamics


The NTR Policy restructures the mode of access without fundamentally altering the scope or logic of data-sharing. The current framework continues to enable:


API-based data access for private entities, including insurance providers, banking gateways, HSRP vendors, and authentication service providers, upon execution of a Memorandum of Data Compliance;


Portal-based access secured through Aadhaar-authenticated OTP, with daily query limits;


Bulk data transfers under exceptional circumstances, through secured physical media or FTP;


Complete, unmasked access to all personal data parameters for police, law enforcement, and national security agencies, invoking Sections 7 and 17 of the DPDP Act.


The critical question is whether restructuring the mode of access meaningfully mitigates privacy risks, or whether it merely repackages the same concerns under more defensible regulatory vocabulary. The answer, this article argues, lies substantially in the latter.


The 2019 Policy was objectionable not solely because it sold data in bulk, but because it enabled wide-ranging access to personal data without informed consent, purpose limitation, independent oversight, or downstream accountability. Each of these structural deficits persists, in modified form, in the 2025 framework. API access replaces flat-file downloads; memoranda of data compliance replace annual purchase agreements; but the underlying information flows, from centralised State repository to dispersed private recipients, remain substantively unchanged.


IV. Consent and the DPDP Framework: Formal Compliance, Substantive Deficit


The NTR Policy claims alignment with the DPDP Act, 2023. However, close analysis reveals that this alignment is formalistic rather than substantive, particularly in relation to the Act's consent architecture and its expansive state exemptions.


A. The Problem of Consent


Section 6 of the DPDP Act mandates that personal data may be processed only with the free, specific, informed, and unconditional consent of the data principal, unless a statutory exception applies. The NTR Policy operationalises this through OTP-based consent mechanisms for citizen queries and consent declarations for private-sector access.


However, the consent architecture embedded in the NTR framework suffers from several structural infirmities:

Informational asymmetry: When a citizen provides personal data to obtain a driving licence or register a vehicle, they do so under statutory compulsion, not as a voluntary data-sharing transaction. The downstream uses of this data (its aggregation into the NTR, its sharing with private entities through APIs, its potential combination with other datasets) are neither apparent nor meaningfully communicated at the point of collection. The DPDP Act's requirement that consent be "informed" demands more than a technical acknowledgment; it requires substantive awareness of data flows and their consequences.


Transactional consent: Where consent is obtained (for instance, through OTP verification for portal-based queries), it operates within a transactional context where the individual's immediate objective (verifying a vehicle record, checking a licence status) dominates any privacy assessment. The individual is unlikely to evaluate, or even be aware of, the broader data-sharing ecosystem enabled by the NTR Policy.


Third-party opacity: The NTR Policy does not require MoRTH to disclose to data principals the identities of third-party recipients, the nature of data shared, or the purposes for which it is used. This directly undermines the DPDP Act's principle of transparency. Under Section 5, data fiduciaries are obligated to provide notice specifying the purpose of processing and the manner of exercising rights. The NTR Policy creates no mechanism for such notice in the context of downstream sharing.


In substance, the NTR Policy creates what may be termed a consent fiction: a regime in which formal compliance with consent requirements masks a fundamental gap between what the individual understands and what the system enables.


B. Statutory Exemptions and the Expansion of State Power


The DPDP Act's consent requirements are subject to broad exemptions for state processing. Section 7 permits data processing for "legitimate uses", including the provision of any subsidy, benefit, service, certificate, licence, or permit by the State, without requiring consent. Section 17(2)(a) empowers the Central Government to exempt any State instrumentality from the entire Act on grounds of sovereignty, integrity, public order, or security of the State.


The NTR Policy operates squarely within this exemption framework. Law enforcement, police, and national security agencies receive "complete access to all data parameters, including Personal Data," invoking Sections 7 and 17 explicitly. No prior judicial authorisation is required. No independent approval mechanism exists. The Policy does not specify the conditions under which such access may be exercised, the duration for which accessed data may be retained, or the accountability framework applicable to such agencies.


This creates a structural paradox that sits at the heart of the DPDP Act's design: when the same entity that aggregates data also determines the scope of exemptions from privacy obligations, the safeguards that should constrain state power become, in effect, self-administered. India's data protection framework does not merely waive government agencies from certain provisions — it exempts them from the Act in its entirety, with grounds so broadly framed as to confer essentially unreviewable executive discretion. Scholars who contributed to the early drafts of India's data protection legislation have themselves questioned the breadth of these carve-outs, noting that terms like "sovereignty" and "public order" are functionally unbounded.


V. Transparency Deficit and Administrative Arbitrariness


Perhaps the most significant legal vulnerability of the NTR Policy lies not in what it permits, but in what it fails to specify. The framework suffers from a systemic transparency deficit that, in constitutional terms, raises concerns under both Article 14 (non-arbitrariness) and the procedural safeguards limb of the Puttaswamy proportionality test.


A. Undefined Access Criteria


The NTR Policy does not articulate objective, publicly verifiable criteria for granting data access to private entities. While it requires applicants to submit a justification for the data parameters requested (through Annexures I and II of the Policy), the evaluation of these applications rests with MoRTH, without published guidelines, scoring frameworks, or decisional principles. The categories of eligible entities, described in terms such as "transport service providing agencies" and "private sector entities providing authentication services", are defined with sufficient breadth to encompass virtually any entity with a commercial interest in transport-linked data.


This leaves decision-making largely to executive discretion, unguided by legislatively mandated standards. Under established Article 14 jurisprudence, administrative action that affects rights must be structured by intelligible differentia bearing a rational nexus to the objective sought. The absence of published criteria, prioritisation principles, or a reasoned decision-making framework invites the charge of arbitrariness.


B. Absence of Public Disclosure


The NTR Policy contains no requirement to publicly disclose: which entities have received data access; the nature and scope of datasets shared; the purposes declared by recipients; or the outcomes of any compliance audits. Citizens whose data is shared are not informed, either individually or through aggregate disclosure, of the circulation of their personal information.

This is particularly concerning given the history of the 2019 regime. The identities of data recipients under the earlier policy were made public only through RTI applications and parliamentary questions, not through any proactive disclosure by MoRTH. The new Policy perpetuates this opacity. Without disclosure mechanisms, citizens are structurally excluded from knowledge about the circulation of their own data, a deficit that is difficult to reconcile with any meaningful conception of informational self-determination.


C. Absence of Independent Oversight


The NTR Policy does not provide for independent regulatory approval of data-sharing arrangements, judicial oversight of access decisions, or a meaningful grievance redress mechanism for affected data principals. While the DPDP Act establishes a Data Protection Board, this body serves an adjudicatory function rather than a regulatory one — it adjudicates complaints after the fact rather than approving data-sharing arrangements ex ante. Moreover, the Board's composition and appointments are controlled entirely by the Central Government under Sections 19 and 20 of the DPDP Act, raising questions about its institutional independence.


In comparative terms, this represents a significant departure from mature data protection regimes. Under the EU's General Data Protection Regulation ("GDPR"), large-scale processing of personal data by public authorities requires a Data Protection Impact Assessment ("DPIA"), conducted prior to processing and subject to review by an independent supervisory authority. The UK's framework mandates audit trails and impact assessments for data-sharing arrangements involving public authorities. India's framework provides for none of these safeguards.


VI. The Re-identification Problem: The Limits of Anonymisation


A central pillar of the NTR Policy's privacy architecture is the masking or anonymisation of personal data. The Policy states that personal data shared through API-based mechanisms will be masked, except when shared with police, law enforcement, and national security agencies. This framing treats anonymisation as a binary safeguard: once applied, privacy concerns are presumed to be addressed.


This assumption is inconsistent with both global data protection jurisprudence and the empirical evidence on re-identification risk.


A. The Science of Re-identification


A substantial body of peer-reviewed research demonstrates that anonymised mobility data is vulnerable to re-identification through triangulation with auxiliary datasets. A landmark study published in Nature Communications (Rocher, Hendrickx & de Montjoye, 2019) found that 99.98% of Americans could be correctly re-identified in any dataset using just 15 demographic attributes. Research on country-scale location datasets (Farzanehfar, de Montjoye et al., 2021) established that the risk of re-identification remains high even when datasets contain tens of millions of individuals, contradicting earlier industry claims that large-scale datasets offer inherent anonymity protection.


In the specific context of transport data, researchers at MIT demonstrated that anonymised mobility data from mobile phone networks and transportation systems could be cross-matched with approximately 55% accuracy over a four-week period. Earlier work by de Montjoye et al. (2013) showed that just four spatio-temporal data points are sufficient to uniquely identify 95% of individuals in a mobile phone dataset of 1.5 million users.


More recently, a 2025 study in Transportation Research Part C (Zhang, Gong et al.) demonstrated that users in noise-protected and anonymised transportation location-based datasets can be identified and de-anonymised by correlating with publicly available data, achieving accuracy rates exceeding 50% even in large-scale attack scenarios.


B. Implications for the NTR Policy


India's data ecosystem is characterised by the wide availability of auxiliary datasets that can be used for triangulation: Aadhaar-linked records, telecom metadata, financial transaction data, geolocation datasets from mobile applications, and social media activity. In this environment, the masking of individual data fields within the NTR is unlikely to prevent re-identification when the masked data is combined with even modest amounts of external information.


The NTR itself acknowledges this risk by its own design: FASTag data records movement between specific toll plazas at specific times; e-Challan data records violations at specific locations; VAHAN data links vehicles to owners and their addresses. Even without explicitly revealing a name or Aadhaar number, the temporal and spatial specificity of this data is, in itself, a powerful identifier.


Moreover, the NTR Policy's own exemptions undermine its anonymisation claims. Law enforcement and national security agencies receive full, unmasked access to all personal data parameters. This means that within the same system, parallel data channels operate, one masked and one unmasked, creating opportunities for information leakage, both intentional and inadvertent.

The reliance on anonymisation as a primary privacy safeguard is, in light of this evidence, inadequate. There is broad consensus among data protection authorities globally that all de-identification techniques entail a residual risk to privacy that may increase over time, and that organisations should continually assess the appropriateness of their safeguards against re-identification.
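The point made in this Part, that the place and time of a toll crossing identify a record even after names and registration numbers are masked, can be measured before any release. The following sketch is an added illustration, not part of the NTR Policy or of any MoRTH or NIC system: it computes "unicity" in the spirit of the de Montjoye et al. (2013) study cited above, over constructed toll-crossing traces. All names, the plaza-to-region mapping and the data are assumptions made for the example.

```python
"""Release-time unicity check on masked toll-crossing records (constructed data)."""
import random
from collections import defaultdict

# A trace is the set of (plaza_id, unix_seconds) crossings held under one masked
# tag pseudonym. No name, address or registration number appears anywhere.


def coarsen(point, time_bucket_s=1, region_of=None):
    """Generalise one crossing: bucket the timestamp, optionally map plaza to region."""
    plaza, ts = point
    place = region_of[plaza] if region_of else plaza
    return (place, ts // time_bucket_s)


def unicity(traces, k, seed=0, time_bucket_s=1, region_of=None):
    """Fraction of pseudonyms whose trace is the only one matching k of its own points.

    The k points are drawn from each raw trace first; the draw and every trace
    are then generalised, so the same draw is compared at every resolution.
    """
    if not traces:
        return 0.0
    rng = random.Random(seed)
    index = defaultdict(set)  # generalised point -> pseudonyms whose trace contains it
    for pseudonym, points in traces.items():
        for p in points:
            index[coarsen(p, time_bucket_s, region_of)].add(pseudonym)
    unique = 0
    for pseudonym in sorted(traces):
        points = sorted(traces[pseudonym])
        sample = rng.sample(points, min(k, len(points)))
        candidates = None
        for p in sample:
            holders = index[coarsen(p, time_bucket_s, region_of)]
            candidates = set(holders) if candidates is None else candidates & holders
        if candidates == {pseudonym}:  # nobody else fits these k observations
            unique += 1
    return unique / len(traces)


def constructed_traces(n_users=2000, n_plazas=60, crossings=40, seed=7):
    """Synthetic four-week traces; each vehicle mostly uses four 'home' plazas."""
    rng = random.Random(seed)
    four_weeks = 28 * 24 * 3600
    traces = {}
    for i in range(n_users):
        home = rng.sample(range(n_plazas), 4)
        traces[f"tag-{i:05d}"] = {
            (rng.choice(home), rng.randrange(four_weeks)) for _ in range(crossings)
        }
    return traces


def risk_table(traces, region_of, ks=(1, 2, 4)):
    """Unicity per k at three release resolutions (labels are illustrative)."""
    resolutions = {
        "plaza, second": dict(time_bucket_s=1, region_of=None),
        "plaza, hour": dict(time_bucket_s=3600, region_of=None),
        "region, day": dict(time_bucket_s=86400, region_of=region_of),
    }
    return {
        (label, k): unicity(traces, k, **params)
        for label, params in resolutions.items()
        for k in ks
    }


if __name__ == "__main__":
    regions = {plaza: plaza // 10 for plaza in range(60)}  # assumed grouping
    for (label, k), value in risk_table(constructed_traces(), regions).items():
        print(f"{label:14s} k={k}  unicity={value:.3f}")
```

Because the same draw of points is generalised at each resolution, a coarser release can never score higher than a finer one; the table shows how much generalisation a dataset needs before a handful of known crossings stops singling out one pseudonym.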


VII. Proportionality and Constitutional Scrutiny


The privacy framework established by the Supreme Court of India in Justice K.S. Puttaswamy (Retd.) v. Union of India (2017) provides the constitutional benchmark against which the NTR Policy must be evaluated. The nine-judge bench unanimously held that the right to privacy is a fundamental right protected under Articles 14, 19, and 21 of the Constitution. Justice D.Y. Chandrachud, writing for the majority, articulated a four-fold test for any state action that restricts informational privacy: (i) legality: the restriction must be prescribed by law; (ii) legitimate aim: it must pursue a legitimate state objective; (iii) necessity and proportionality: there must be a rational connection between the restriction and the objective, and the means must be the least restrictive available; and (iv) procedural safeguards: adequate safeguards against abuse must be in place.


This four-fold test was subsequently applied by the Supreme Court in Puttaswamy (Aadhaar) (2018), where the majority evaluated the Aadhaar Act against each limb of the proportionality framework. Justice Chandrachud, in his dissent, notably held that the existence of a legitimate aim is insufficient to uphold the validity of a law; the law must independently satisfy the necessity and proportionality prongs.


A. Legality


The NTR Policy derives its statutory basis from Sections 25A, 62B, and 136A of the Motor Vehicles Act, 1988, which authorise the maintenance of national and state registers of driving licences and vehicles and mandate electronic monitoring of road safety. However, these provisions authorise the maintenance and management of transport records; they do not explicitly authorise large-scale sharing of personal data with private entities for commercial purposes. The Policy itself is an executive instrument, a circular issued by MoRTH, rather than subordinate legislation enacted under a specific rule-making power. This raises a threshold legality question: whether the statutory provisions cited provide adequate legal authority for the breadth of data-sharing contemplated.


B. Legitimate Aim


The NTR Policy articulates multiple objectives: ease of governance, facilitation of business, law enforcement support, academic research, and promotion of road safety. Several of these constitute legitimate state aims. However, the breadth of stated purposes, particularly the facilitation of business through data sharing with private commercial entities, stretches the concept of legitimate aim to a point where it risks encompassing virtually any use of citizen data, thereby rendering the test meaningless.


C. Necessity and Proportionality


It is under the necessity and proportionality limbs that the NTR Policy faces its most significant constitutional challenge.

Necessity: The Policy does not demonstrate why private-sector access to individual-level transport data, as opposed to aggregated, statistical, or sectoral datasets, is necessary for the stated objectives. Insurance companies may legitimately need to verify the validity of a vehicle registration or driving licence; they do not, on this ground, require API access to the full NTR with its composite mobility profiles. The failure to establish that less intrusive alternatives were considered and found inadequate is a significant weakness under the necessity prong.


Proportionality: The scale of data aggregation, comprising 390 million vehicle records, 220 million licence records, and associated FASTag, e-Challan, and eDAR data, is vast. The sharing of this data with a largely undefined category of private recipients, under executive discretion, without independent oversight or public disclosure, appears disproportionate to the stated objectives of governance facilitation and innovation promotion. The absence of temporal limits on data access (beyond annual renewal), the lack of binding data minimisation standards, and the absence of mandatory deletion requirements compound this concern.


D. Procedural Safeguards


The absence of transparency, independent oversight, and meaningful grievance redress mechanisms has already been discussed. In constitutional terms, this directly weakens the fourth limb of the Puttaswamy test. The Supreme Court has consistently held that procedural safeguards are not merely desirable but constitutionally required when the State acts upon fundamental rights. In PUCL v. Union of India (1997), even the narrow power of telephone interception was held to require procedural safeguards, including review by an independent committee. The NTR Policy, which affects the informational privacy of hundreds of millions of citizens, provides no comparable safeguard.


Taken together, the NTR Policy is likely to face substantial difficulty in satisfying the Puttaswamy proportionality test, particularly under its necessity, proportionality, and procedural safeguards limbs.


VIII. The Data Fiduciary Paradox


A noteworthy conceptual difficulty in the NTR Policy is its classification of data recipients as "data fiduciaries" under the DPDP Act. The Policy designates MoRTH as the primary data fiduciary of NTR data and simultaneously classifies each entity that receives data from the NTR as a data fiduciary for the purposes of the DPDP Act.


This classification is analytically problematic. A data fiduciary, under Section 2(i) of the DPDP Act, is a person who determines the purpose and means of processing personal data. Data recipients under the NTR Policy, however, receive data under terms and limitations set by MoRTH; they must justify their purposes to MoRTH and use data only as approved. In substance, MoRTH, not the recipient, determines the scope of data processing. This functional reality more closely resembles the relationship between a data fiduciary and a data processor, not between two independent fiduciaries.


This misclassification has practical consequences. If recipients are correctly characterised as data processors rather than fiduciaries, their obligations under the DPDP Act differ materially, and MoRTH's own obligations as the determining fiduciary become correspondingly more onerous. The NTR Policy's classification appears designed to distribute compliance obligations across recipients rather than concentrate them where they properly belong: with MoRTH as the entity that determines the purpose and means of data sharing.


IX. Comparative Perspective: India's Divergence from Global Norms


India's NTR Policy occupies a distinctive (and in several respects, outlier) position within the global landscape of government data-sharing frameworks.


European Union: Under the GDPR, large-scale processing of personal data by public authorities is subject to mandatory Data Protection Impact Assessments (Article 35), oversight by independent supervisory authorities with binding enforcement powers (Articles 51–59), and strict purpose limitation and data minimisation requirements. The GDPR does not permit a public authority to classify data recipients as independent controllers merely to distribute compliance obligations. The EU's proposed Data Act further constrains government data-sharing by requiring clear legal bases, proportionality assessments, and interoperability safeguards.


United Kingdom: The UK's Data Protection Act 2018 and the Information Commissioner's Office ("ICO") framework require public authorities to conduct DPIAs for high-risk processing, maintain comprehensive audit trails, and submit to regulatory review. The ICO has the power to issue binding enforcement notices and impose penalties for non-compliance. Data-sharing agreements between public authorities and private entities must be documented, publicly disclosed, and subject to periodic review.


United States: While lacking a comprehensive federal data protection law, the United States imposes sector-specific restrictions through statutes such as the Driver's Privacy Protection Act of 1994 ("DPPA"), 18 U.S.C. §2721–2725, which directly regulates the disclosure of personal information obtained through state motor vehicle records. The DPPA restricts permissible uses, creates civil and criminal liability for violations, and has generated significant litigation constraining government data-sharing practices — providing a closer analogue to the NTR context than any other comparative regime.


India's approach — combining centralised data aggregation, executive discretion, limited transparency, broad state exemptions, and weak institutional oversight — represents a model that draws from the administrative tradition of state data ownership while lacking the accountability mechanisms that mature democracies have developed to constrain such power.


X. Toward a Rights-Compliant Framework: Recommendations


Given the structural deficiencies identified in this analysis, the following reforms are necessary to bring the NTR data-sharing framework within constitutional limits:


Mandatory Data Protection Impact Assessments: Any data-sharing arrangement under the NTR Policy, whether with government agencies or private entities, should be preceded by a comprehensive DPIA, conducted by an independent assessor and published in summary form. This is consistent with global best practice and the proportionality requirements of Puttaswamy.


Independent Oversight Mechanism: Data-sharing approvals should not rest solely with MoRTH as both the data aggregator and the gatekeeper. An independent body (either the Data Protection Board in an expanded regulatory capacity, or a dedicated Transport Data Oversight Committee comprising representatives of the judiciary, civil society, and technical experts) should approve, audit, and review data-sharing arrangements.


Public Disclosure: The identities of all entities receiving NTR data, the nature and scope of datasets shared, the declared purposes, and the outcomes of compliance audits should be published on a publicly accessible dashboard. Proactive disclosure is essential for democratic accountability and for enabling data principals to exercise their rights under the DPDP Act.

Strengthened Anonymisation Standards: The NTR Policy should adopt differential privacy standards or equivalent technical safeguards, rather than relying on simple masking or field-level anonymisation. Re-identification risk assessments should be conducted prior to any data release, and contractual prohibitions on re-identification should be accompanied by technical enforcement mechanisms.


Temporal Limits and Deletion Obligations: Data recipients should be subject to binding data retention limits and mandatory deletion obligations upon expiry of the access period. The failure of the 2019 regime to mandate deletion of already-shared data should not be repeated.


Judicial Safeguards for Law Enforcement Access: Blanket access for police and national security agencies to all personal data parameters, without prior judicial authorisation or independent review, is constitutionally disproportionate. At minimum, access to composite profiles, as opposed to specific, transactional queries, should require judicial or quasi-judicial authorisation, consistent with the Supreme Court's reasoning in PUCL v. Union of India.


Reclassification of Data Recipients: Data recipients who access NTR data under terms and conditions set by MoRTH should be correctly classified as data processors, not data fiduciaries. This would align the framework with the DPDP Act's definitional structure and concentrate compliance obligations where they properly belong.


XI. Conclusion: A Policy at the Edge of Constitutional Limits


The NTR Data Sharing Policy reflects a broader transformation in Indian governance: the repositioning of state-held data as an economic and administrative resource. This transformation is not inherently problematic; data-driven governance, when properly constrained, can enhance efficiency, equity, and transparency. However, when such transformation operates without clearly defined legal boundaries, independent oversight, and meaningful accountability, it risks normalising the erosion of fundamental rights.


The NTR Policy, as currently constituted, occupies a constitutional grey zone. It is not the crude commercialisation of the 2019 regime, but neither is it the rights-respecting, transparent, and accountable framework that the DPDP Act, the Puttaswamy jurisprudence, and comparative global norms demand. It is, in essence, a policy that has adopted the language of data protection without internalising its substance.


The policy risks: normalising opaque data-sharing practices between the State and private entities; enabling the commercial exploitation of citizen data collected under statutory compulsion, without adequate safeguards; and expanding state surveillance capacity through centralised data aggregation, without corresponding accountability mechanisms.

Ultimately, the question is not whether transport data should be used to drive innovation, governance, and road safety. It is whether such use is structured, regulated, and justified in a manner consistent with India's constitutional commitment to privacy as a fundamental right. If left unchallenged, the NTR Policy may not only invite and warrant constitutional challenge, but also set a precedent for similar data-sharing regimes across sectors: health, education, taxation, and welfare. The stakes, therefore, extend well beyond the transport sector.


The constitutional trajectory is clear: India's data governance must evolve from a regime of executive discretion to one of legally bounded, independently overseen, and publicly accountable data stewardship. The NTR Policy, in its present form, falls short of that standard.
