Skip to content
🚨 DPDP Rules 2025: Compliance Deadline 44 weeks awayRead handbook →

How a Delhi HC Ruling Weaponised the DPDP Act Against Domain Privacy—and Why GoDaddy Is Fighting Back

The Dabur India v. Ashok Kumar judgment ended WHOIS privacy defaults in India. Now GoDaddy's July 16 appeal could reshape internet privacy worldwide.

D
DPDPBot Research Team
🕐 11 min read

#How a Delhi HC Ruling Weaponised the DPDP Act Against Domain Privacy—and Why GoDaddy Is Fighting Back

A Delhi High Court ruling designed to stamp out fake Dabur-branded websites is now on course to strip privacy protections from every Indian domain owner—and potentially from internet users around the world. On July 16, 2026, a larger Delhi HC bench will hear appeals from GoDaddy, Namecheap, and Hosting Concepts against a December 2025 judgment that requires domain registrars to end WHOIS privacy-by-default, verify every registrant's identity, and hand over personal data to anyone claiming a vague "legitimate interest" within 72 hours. The case has exposed a serious tension inside the DPDP Act 2023: a single provision originally meant to enable targeted disclosure is now being read as a blanket licence to make privacy the exception rather than the rule.


#The Ruling That Started It All

On December 24, 2025, Justice Prathiba M. Singh of the Delhi High Court delivered a sweeping judgment in Dabur India Limited v. Ashok Kumar that went far beyond the immediate dispute. Dabur, the consumer goods conglomerate, had come to court after discovering dozens of fraudulent websites—daburdistributorships.in, daburdistributor.com, daburfranchisee.in, and scores of similar domains—that were impersonating official Dabur distributor portals and swindling job-seekers out of money. The domain owners had masked their identities behind WHOIS privacy services, making it impossible to trace or serve them.

Justice Singh's response was proportionate to the fraud but drafted with a breadth that now covers every domain registration in India. Her order requires:

  • WHOIS privacy-by-default is banned. Domain registrars cannot offer WHOIS masking as the standard setting. Any registrant who wants privacy must actively opt in—and pay for the privilege.
  • KYC for every registration. Registrars must verify each registrant's identity using government-issued documents or corporate papers, in a process similar to the existing NIXI requirement for .in domains.
  • 72-hour data disclosure. When any entity claiming "legitimate interest", law enforcement, or a court requests a domain owner's name, address, phone number, and email, registrars must comply within 72 hours.
  • A grievance officer on Indian soil. Each registrar must appoint a physical Grievance Officer in India capable of receiving legal service.
  • Blocked domain suggestions. Registrars may not algorithmically suggest domains that closely resemble protected trademarks. (The court singled out GoDaddy for suggesting "Government of India"-prefixed domain combinations as available alternatives.)

For context: as of early 2026, India has 18.5 crore DigiLocker users and more than 30 million registered domain names. The order covers them all.


#The DPDP Act Hook: How Section 7(e) Was Read to End Privacy Defaults

This is where the ruling becomes directly significant for India's data protection landscape. Critics of the judgment—most notably GoDaddy and the legal analysts at SpicyIP—argue that the DPDP Act should have acted as a restraint on the court's disclosure requirements. The Act, after all, is India's first comprehensive data protection law and is built on a consent-first architecture.

Justice Singh's answer was to invoke Section 7(e) of the DPDP Act, which permits a data fiduciary to process personal data without the data principal's consent when required to comply with a court or tribunal order. The ruling held that because this provision explicitly allows processing personal data to execute court directions, the Act not only permits the disclosures required under the judgment—it effectively mandates them.

Legal scholars have raised a pointed objection. Section 7(e) was plainly designed for targeted, case-specific disclosure: when a court orders a company to hand over a particular user's data in the context of specific litigation, the company is shielded from the DPDP Act's consent requirement. What Justice Singh's order does is different: it issues a prospective, blanket direction that applies to all future registrations and all future requests meeting a loosely defined "legitimate interest" threshold.

SpicyIP's analysis put this precisely: the prior case law on domain registrar accountability "required disclosure only of those involved in infringing activity and not a blanket declaration against all current and future users." The court's ruling conflates the narrow procedural carve-out in Section 7(e) with a general principle that privacy must yield to any claimant who asserts a legitimate interest—without defining what that term means or establishing any proportionality test for individual requests.

This reading creates a significant gap in the DPDP Act's protections: if Section 7(e) can be stretched this way, any well-drafted court order can theoretically suspend the Act's consent framework for as many people as the order covers.


#Why GoDaddy Rang the Global Alarm

GoDaddy, the world's largest domain registrar with over 85 million domains under management, filed an appeal within weeks of the ruling. The company's argument is not primarily about Indian law. It is about the physics of how domain names work.

Domain names resolve identically everywhere on the internet. When you register a .com domain, the WHOIS record is maintained in a global database—there is no Indian version and a global version. GoDaddy has warned the Delhi HC that it cannot maintain one WHOIS privacy policy for Indian registrants and a separate policy for every other jurisdiction simultaneously. The technical architecture simply does not support geographic segmentation at the registry level.

The implication is stark: if the Delhi HC upholds the December ruling, GoDaddy may be forced to remove WHOIS privacy defaults for all 85 million domains worldwide, not just those registered in India—or exit the Indian market entirely. Namecheap, which built its brand partly on privacy-first domain registration, faces an equally stark choice.

India's National Technical Research Organization had identified over 1,100 phishing domains in early 2025 alone, targeting an increasingly digitally-active population with limited cybersecurity awareness. The fraud problem is real and serious. The question before the July 16 bench is whether the cure—eliminating default privacy for every domain owner on the planet—is proportionate to that problem.


#What the Ruling Actually Gets Wrong About DPDP Compliance

The Dabur judgment's Section 7(e) analysis deserves scrutiny from anyone tracking DPDP Act implementation, because it sets a precedent that could affect how courts, regulators, and businesses read the Act's consent architecture for years.

The Puttaswamy test was applied selectively. Justice Singh correctly cited the Supreme Court's 2017 K.S. Puttaswamy v. Union of India judgment, which requires that any interference with privacy must satisfy the tests of legality, legitimate aim, and proportionality. But critics argue the proportionality analysis was applied at the level of the Dabur fraud problem—which is significant—rather than at the level of the remedy, which sweeps in every Indian domain owner regardless of whether they have engaged in any infringement.

"Legitimate interest" remains undefined. The order requires registrars to disclose data to anyone with a "legitimate interest" within 72 hours, but never defines the standard. Under the DPDP Act, the concept of legitimate use is narrowly defined and does not appear as a processing ground for data fiduciaries the way it does under GDPR. Leaving the legitimate interest threshold undefined in a blanket disclosure order creates significant scope for abuse: a competitor, a harasser, or an aggressive rights-holder could request personal data under the same provision that was designed to expose fraudsters.

The opt-in-to-privacy model inverts the DPDP Act's architecture. The DPDP Act is built on an opt-in-to-processing model: you cannot process personal data unless the data principal gives consent or one of the narrow Section 7 grounds applies. The Dabur ruling inverts this for domain registrations by making public disclosure the default and requiring individuals to affirmatively pay for privacy. That is structurally closer to an opt-out model, which the DPDP Act's drafting history consistently rejected.


#What Happens on July 16—and What Businesses Should Watch

The Delhi HC's larger bench will hear three separate appeals on July 16, 2026:

  1. GoDaddy's challenge: Focused on the global WHOIS impossibility argument and the disproportionate impact on legitimate registrants.
  2. Namecheap's appeal: Similar arguments, with particular emphasis on privacy-first registrants who have no connection to trademark infringement.
  3. Hosting Concepts' challenge: Believed to focus on the safe harbour question—whether registrars lose IT Act intermediary protections if they fail to proactively police similar domain names.

The bench could take several directions. It could stay the December order pending further hearing, limiting registrars' exposure while the larger legal questions are argued. It could narrow the "legitimate interest" standard, adding procedural gates before 72-hour disclosure kicks in. Or it could uphold the ruling in full, triggering the global WHOIS restructuring GoDaddy warned about.

For Indian businesses with an online presence, the near-term risk is concrete: if the ruling stands, your domain registration data becomes accessible to anyone who files a plausibly-worded "legitimate interest" request. That includes your personal address and phone number if you registered as an individual, or your company's directors' contact details if you registered as a business entity.

For the DPDP Act's credibility, the July 16 outcome matters even more. The Act is still in its soft-enforcement phase, with the Consent Manager framework going live in November 2026 and full compliance obligations kicking in May 2027. If Section 7(e) can be used to override the Act's consent defaults before enforcement has even begun, it raises a genuine question about whether the consent architecture the Act promises is as robust as the Government of India has represented to Indian citizens and global businesses.


#The Bigger Picture: Privacy vs. Accountability in India's Digital Economy

There is no doubt that India has a serious problem with fraudulent domain registrations. The Dabur case is not an isolated incident—trademark-squatting and phishing domains are a persistent drain on consumer trust in India's digital economy. With 1,100 phishing domains identified in a single quarter, the judiciary's frustration with anonymised fraudsters is entirely understandable.

But the response matters as much as the intention. India is building a data protection ecosystem from the ground up in 2026: the Data Protection Board of India is newly established, consent manager registrations are pending, and businesses across the country are in the middle of 18-month compliance programmes. Court rulings that use Section 7(e) to build blanket privacy exceptions—before the Board has issued a single guidance note on proportionality—risk establishing interpretive precedents that outlast the particular fraud they were designed to address.

The GDPR comparison is instructive. The EU's framework has always recognised that privacy rights are not absolute and must be balanced against legitimate competing interests. But it requires that any such balancing be conducted through a documented, proportionate, rights-compatible process—not through the unlimited discretion of anyone who claims to have a legitimate interest. India's DPDP Act has the same ambition. The July 16 hearing will determine whether that ambition survives its first serious judicial test.


#What You Should Do Before July 16

Domain owners: Review whether your registrar currently offers WHOIS privacy on your domains. If the ruling is upheld, you may need to pay to maintain the protection that was previously default. Document your current privacy settings now.

Businesses with Indian websites: Ensure your legal team has reviewed the full Dabur order and assessed your exposure under the 72-hour disclosure requirement. If your domain registration data includes personal information for named directors or employees, consider whether those individuals need to be informed.

Compliance teams: The Section 7(e) question will not go away after July 16. Update your DPDP Act compliance risk assessments to include the scenario where court orders can create blanket, prospective exceptions to your consent-based processing arrangements. The /consent-manager workflows you are building for November 2026 should be reviewed against this interpretation.

Watch the July 16 hearing. The bench's reasoning—not just its conclusion—will be the most significant judicial statement on how the DPDP Act's fundamental architecture interacts with India's courts since the Act's Rules were notified in November 2025.


#Conclusion

The Dabur India v. Ashok Kumar ruling deserves to be read as more than a domain fraud case. It is the first major test of whether India's DPDP Act will function as a genuine privacy shield or as a consent framework riddled with broad judicial carve-outs. GoDaddy's alarm about global implications is legitimate—and separate from the equally important question of what the ruling means for the 30 million Indian-registered domains whose owners have nothing to do with fraud.

The July 16 appeal hearing is one of the most consequential data protection events on India's calendar this month. The stakes are not just about WHOIS databases. They are about whether the DPDP Act's Section 7(e) carve-out will be read as a targeted tool or as an open door through which courts can suspend privacy protections at scale—long before the Data Protection Board has had a chance to define what proportionate enforcement actually looks like.

For businesses working through India's 18-month compliance window, understanding where the courts stand on the Act's architecture is not optional. It is the foundation on which every consent notice, privacy policy, and data processing agreement will need to rest. Visit /resources for updated compliance templates aligned with the current judicial and regulatory landscape.

Automate your DPDP compliance

Capture consent, honour data principal rights, and stay audit-ready — all in one platform.

Start free trial