My Phone Number is Not a Campaign Resource: How Bar Council Elections and India’s Data Protection Law Interact

The unauthorised repurposing of enrolment data is a foundational violation of the objective of the DPDPA. Personal data collected for regulatory administration is being repurposed for campaign outreach, a textbook breach of the purpose limitation principle.

My co-author tells me, “I have received 88 automated calls in the last few days.” The Bar Council election season brings with it a familiar and largely unrequited ritual of finding ourselves flooded with (unsolicited) campaign pamphlets, calls, and messages. Yes, as members of the Bar this is an essential democratic process! Our inboxes are inundated with promotional material and physical pamphlets arrive at our residential addresses, all without their consent or knowledge — like a special leave petition (SLP) dismissal faster than you blink. What is routinely dismissed as an electoral noise, in the eyes of law, may be deemed as serious and actionable violation of India’s data protection framework.

The Digital Personal Data Protection Act, 2023 (DPDPA) is India’s first comprehensive data protection regulation establishing clear rights of individuals (data principals) over their personal data, while simultaneously defining enforceable obligations for those who process it (data fiduciaries and processors). Mobile numbers, email addresses, residential and official addresses fall unambiguously within the definition of “personal data” under the legislation. Processing such data for campaign outreach, without the consent of the individual concerned, would be contrary to the law in the future. Of course, the DPDPA goes into full effect in May 2027, this is a thought piece for future election processes and structures required around it.

The electoral roll was never meant to be a campaign database

The Bar Council of Delhi — like any other Bar Council — maintains a State Roll of Advocates containing enrolment numbers, dates of enrolment, and critically, personal contact details including mobile numbers, residential addresses, and professional addresses, in pursuance of Section 17, Advocates Act, 1961. This data is collected in the Bar Council’s statutory capacity for the enrolment of advocates, the conduct of disciplinary proceedings, and the administration of elections. The objective and purpose of such data is circumspect.

Yet, during every election cycle, and especially this season, this data is systematically accessed and deployed for campaign communications. Bulk phone calls were made to personal mobile numbers, campaign emails being dispatched to official and personal addresses, physical pamphlets being delivered to residential addresses and WhatsApp messages being made to personal numbers. Each of these activities would qualify as “processing” of “personal data” belonging to a “data principal” without their free, specific, informed and unambiguous consent as mandated by Section 6 DPDPA.

In a similar situation, the Belgium Data Protection Authority,¹ fined a local political association 3000 euros in 2020 for sending advertisements based on details taken from the local electoral roll, since the local electoral decree would keep the purpose of the electoral roll circumspect to the election process and not advertisement dispensation.

The Model Code of Conduct (MCC)² issued by the Bar Council of Delhi for Elections 2026, dated 27 December 2025, is otherwise comprehensive in its regulation of campaign behaviour. It explicitly prohibits bribery, hospitality inducements, hate speech, and the dissemination of misinformation. However, it is silent on the protection of personal data of the very advocates who constitute the electorate. There is no provision restricting the use of enrolment data for outreach purposes, no prohibition on unsolicited contact, and no acknowledgment that advocates hold enforceable data protection rights. This silence does not, however, create a legal vacuum with the DPDPA being in a staggered implementation phase.

The Delhi High Court stepped in

The controversy this election season escalated beyond inbox fatigue when the Bar Council of Delhi uploaded its updated voter list on its website. The list not just carried names and enrolment numbers but also mobile numbers, residential addresses, and photographs of the advocates. The consequences of the same were immediate as Bar members began receiving campaign outreach via SMSes, emails, WhatsApp messages, phone calls and even campaign posters via speed post. Several lawyers reported being added to WhatsApp groups without prior consent.

A petition was filed before the Delhi High Court³ challenging the publication of this data itself, describing it as an “unauthorised publication, circulation and misuse of sensitive personal data of Advocates”. The plea invokes Article 21 and Supreme Court’s ruling in the landmark case of K.S. Puttaswamy (Privacy-9J.) v. Union of India⁴, arguing that the disclosure “constitutes a manifest violation of the fundamental right to privacy” and “fails the test of legality, necessity and proportionality”. It further warns that the disclosure has the potential to facilitate stalking, harassment, intimidation, identity theft, cyber fraud, data mining, and other forms of data-driven harm.

A Bench of Chief Justice Devendra Kumar Upadhyaya and Justice Tejas Karia heard the matter on 18 February 2026 and was unequivocal.

This is not the way. You can’t encroach on people’s privacy. Individual lawyers are being harassed without their willingness… You have to protect their right to privacy. You are making every detail public.

The matter remains sub judice but the court’s observations make clear that statutory professional bodies cannot treat electoral roll as an open-access database simply because elections are a legitimate institutional function.

What the law says and why it matters here

Under Section 2(t) DPDPA, “personal data” means any data about an individual who is identifiable by or in relation to such data. Mobile numbers, email addresses, and physical addresses are paradigmatic examples. The advocates whose data is used, “processed”, for campaign outreach are “data principals” under Section 2(j). Election candidates and their campaign teams, who access and use this data to send campaign material are “data fiduciaries” under Section 2(i) as they are responsible for determining the purpose and means of processing personal data. “Processing” is defined expansively under Section 2(x) to include collection, storage, use, sharing, disclosure, and dissemination of data. At every stage of the campaign outreach chain, from accessing the rolls to sending the final message, “processing” is occurring within the meaning of the DPDPA.

The DPDPA provides that personal data may be processed only upon the consent of the data principal and that such consent must be free, specific, informed, unconditional, and unambiguous. It must be expressed through a clear affirmative action and limited strictly to the specific purpose for which it is sought. When an advocate enrols with the State Bar Council and furnishes their contact details, they do so for the purpose of regulatory enrolment and administration, not for receiving election campaign material or advertising material. More so, the publication of such information on the Council rolls is not an act of manifestly making the said data public, and hence, the “public data” under Section 3, would not apply. The purpose limitation principle is unequivocal and clearly demands that data collected for one purpose cannot be repurposed without fresh, specific consent.

One must also consider whether Section 7 DPDPA, which permits processing without consent for certain “legitimate uses”, including where the State processes data in the public interest offers any shelter. The Bar Councils are statutory bodies incorporated under the Advocates Act, 1961 and form part of the “State” or its “instrumentalities” within the meaning of Article 12 of the Constitution of India. However, private campaign outreach conducted by an individual candidate for electoral benefit of the said individual candidate cannot, by any reasonable interpretation, constitute a legitimate use in the public interest. The doctrine of legitimate interests, even where applicable, remains bound by the requirements of legitimacy, necessity, and proportionality none of which are satisfied here.

Four ways candidates would infringe the law

The mishandling of personal data during Bar Council elections is neither peripheral nor merely technical. It is systemic, multi-layered, and legally consequential.

The unauthorised repurposing of enrolment data is a foundational violation of the objective of the DPDPA. Personal data collected for regulatory administration is being repurposed for campaign outreach, a textbook breach of the purpose limitation principle. The consent given by an advocate at the time of enrolment extends only to regulatory use. It does not extend to having their home address placed on a candidate’s distribution list.

The compilation and sharing of contact databases compound the original infraction. Candidate teams routinely assemble comprehensive directories of advocate contact information, circulate them across alliance partners, support groups, and campaign coordinators. Each such transfer constitutes a distinct and independent act of processing without consent a separate violation, not merely a continuation of the first.

The use of bulk messaging services presents a dual infraction. Section 4.3 of the MCC itself prohibits the use of bulk messaging platforms, including SMS, the WhatsApp Business Application Programming Interface (API), and comparable tools, during the silent period and on polling day. Deploying such services with personal data obtained without consent simultaneously violates both the MCC and the DPDPA.

The use of residential addresses is perhaps the gravest concern of all. A residential address is among the most sensitive categories of personal data, its exposure carries direct implications for personal safety, particularly for female advocates and those residing alone or in shared accommodation. When enrolment data is used to dispatch unsolicited pamphlets to an advocate’s home, the violation moves beyond the technical and enters the domain of tangible, real-world harm.

In summary

The legal profession stands tall on being the custodian of the law, constitutional values, and fundamental rights. Advocates appear daily before courts defending the right to privacy, the right to dignity, and the right against arbitrary action by the State. It would be a profound institutional contradiction and a serious foundering of self-governance that the Bar Council’s own electoral process is conducted in systematic violation of the very right to privacy.

The practices analysed in this article, the extraction of personal data from enrolment rolls, its repurposing for unsolicited campaign outreach, the distribution of residential addresses through campaign material, the placing of after-hours phone calls, and the sharing of contact databases across candidate networks are not merely poor practices — they are violations of India’s data protection law, for which clear remedies and meaningful penalties exist.

The Bar Council of Delhi could amend its MCC to incorporate express data protection provisions prohibiting the use of enrolment data for campaign outreach, restricting unsolicited contact with advocates, prohibiting the use of residential addresses for campaign correspondence, and recognising violations of the DPDPA as MCC infractions warranting disqualification from candidacy. Until such reforms are enacted, every advocate whose personal data is “misused” for campaign purposes has both the right and the remedy and the Data Protection Board of India stands as the forum to hold those responsible to account. We would like this piece to be a conversation starter between the need to reach out to voters which creates a strong democratic office juxtaposed with the fundamental right to privacy from such contact.