❈ ❈ ❈
Will the DPDPA Muzzle RTI Act and Investigative Journalism?
T.K. Rajalakshmi
An amendment to the Right to Information (RTI) Act, introduced through the Digital Personal Data Protection Act (DPDPA)—which became law in 2023 but is yet to be implemented because the Rules are still not notified—has alarmed opposition parties and civil society organisations over its potential impact on people’s right to transparency and on investigative journalism.
The legislation was passed under dubious circumstances in 2023, amid heated parliamentary debates on the situation in Manipur and a no-confidence motion moved by the opposition. That the Act is overly centralised, giving vast powers to the Centre, has been one of the main areas of concern.
The DPDPA purports to protect and regulate the use and processing of digital data, enhance online safety, safeguard citizens’ personal information, address cybersecurity concerns related to data breaches, and regulate the use of artificial intelligence. The draft Rules, formulated in January 2025, outline implementation aspects such as the notice to be issued by fiduciaries (personal data handlers) to individuals; processes of obtaining consent from data principals for the use of their information; processing of personal data to deliver benefits, subsidies, and other services by the state; applicability of reasonable security safeguards; and protocol for reporting data breaches.
Critics point out that a Data Protection Board comprising people appointed by the Central government—with its operations and decision-making entirely under the executive’s control—would lack autonomy.
Rendering RTI Act toothless
The opposition is particularly agitated about the dilution of Section 8(1)(j) of the RTI Act through Section 44(3) of the DPDPA. Section 8(1)(j) of the RTI Act exempts disclosure of information if it causes “an unwarranted invasion of privacy”, but it allows such disclosure if “a larger public interest justifies the disclosure of such information”. Section 44 3) of the DPDPA changes this provision by saying “any information which relates to personal information” will be exempt from disclosure. This, it is feared, would in practice translate to a blanket curb on disclosure of any “personal information” and rob the RTI Act of its teeth.
In late March, a letter endorsed by leading opposition members from Parliament and addressed to Union Minister for Electronics and Information Technology Ashwini Vaishnaw demanded repeal of Section 44(3) and pointed out that provisions in the DPDPA “drastically weaken the RTI Act and will have a detrimental impact on the fundamental right to information”. Signed by over a hundred people, including opposition MPs and leaders, the letter said the legal framework for privacy and data protection should complement the RTI Act and not undermine or dilute it.
At a press conference in mid-April, opposition leaders like Gaurav Gogoi (Congress), John Brittas from the CPI(M), Priyanka Chaturvedi (Shiv Sena-UBT), Javed Ali (Samajwadi Party), Nawal Kishore (Rashtriya Janata Dal), and M.M. Abdulla (Dravida Munnetra Kazhagam) said they would take the issue to the people. They pointed out that Section 44(3) was not included in the 2019 draft of the DPDPA or the draft that was drawn up after a Joint Parliamentary Committee (JPC) submitted its report on the legislation. They said that nothing about any amendment to Section 8(1)(j) of the RTI Act was discussed in the JPC meetings and recalled how the government had rushed the Bill through in Parliament. “This is about protecting Indian democracy. It goes beyond the INDIA alliance,” said Brittas, who was a member of the JPC.
RTI activists believe that the amendment potentially negates the very purpose of the RTI Act because it may end up blocking disclosure of the names of people involved in corruption or misdeeds. RTI activists fear that loan defaulters, electoral bond purchasers, and assets of public servants may all be protected against disclosure by the new law.
Apar Gupta, founder-director of Internet Freedom Foundation, said: “The names of public officials cannot be released to fix accountability. The whole purpose of the RTI Act to demand accountability is defeated. In the original RTI Act, there was a balance between the right to privacy and the right to information, but now no personal information can be sought.” The amendment can potentially hinder journalistic reportage and embolden errant officials by protecting them from exposure.
Stifling of investigative journalism
The DPDPA can also place a virtual stranglehold on journalistic activities by regulating the processing of data, which includes collection, use, and storage. RTI activists have pointed out that Section 22 of the DPDP Rules, framed in January 2025, gives the Central government untrammelled powers to demand user data from data fiduciaries and intermediaries without any judicial oversight, transparency, or safeguards. The DPDPA mandates that data fiduciaries, who are individuals and entities who would determine the process and the means to use and process the data, must give notice and take consent for the processing of data, except where such data are related to employment and medical emergency. This means that there is no exception for journalists and their work relating to news-gathering.
Anjali Bharadwaj, RTI campaigner and co-founder of the National Campaign for People’s Right to Information (NCPRI), said: “If the fiduciary does not get consent, then either the government or any individual can complain to the Board. This body has the power to impose penalties on anyone, which can go up to crores. There is no exception for journalists under the law. The Centre alone can decide whether a company or the UIDAI [Unique Identification Authority of India] is exempt from the law.” The penalties range from Rs.10,000 (for breach of data and non-compliance by data principals) to Rs.250 crore (applicable to data fiduciaries for the same offences). The Data Protection Board would reserve the right to determine the nature of the offence under the law.
Data or information can still be provided voluntarily by the data principal in the form of interviews. But for other forms of journalistic writing, such as opinion pieces, investigative reporting, analyses based on independent or private research, all of which would be covered under the DPDPA, a journalist or columnist would be required to take consent from each data principal.
Several journalists’ organisations have demanded that journalists be exempted from the Act’s purview. They point out that the law will seriously hinder journalistic work, specifically investigative journalism.
In mid-February, the Editors’ Guild wrote to Ashwini Vaishnaw pointing out that all previous iterations of the data protection law had specifically exempted processing for journalistic purposes from complying with key provisions, including the obligation to provide notice and obtain consent. It was also pointed out that both the B.N. Srikrishna Committee report, “A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians”, and the draft of the DPDP Bill, 2018, prepared by the committee, had held that mandating consent for processing personal data would be “unfavourable” as the data principal could refuse to give consent.
Government defence of DPDPA
However, the government has strongly defended the DPDPA. In a rejoinder to Congress MP Jairam Ramesh, who had on March 23, 2025, written to Vaishnaw, the minister claimed on April 10 that the DPDPA was in harmony with both the RTI and the right to privacy upheld by the Supreme Court in the Puttaswamy case.
Sharing his reply on X, Vaishnaw wrote that the Act would strengthen privacy rights and prevent misuse of the RTI law. Personal details, subject to public disclosure under various laws, would continue to be disclosed under the RTI Act even after the implementation of the new data protection rules, he added. However, he did not comment on exemptions relating to processing of data for journalistic purposes.
Reacting to the Minister’s post on X, Amrita Johri, co-founder of the NCPRI, told Frontline that the legal basis for disclosure of information stood severely diluted. “Under the amended RTI, there is a blanket restraint on disclosure of any personal information under Section 8(1)(j) since all the guard rails have been done away with,” she said.
Industry is reportedly unhappy with certain restrictive features in the Rules relating to cross-border transfer of data. This, sources said, was one of the reasons that the DPDPA Rules have not been notified. Nasscom, the trade association representing the information technology and business process management industry, has urged the government to reconsider restrictions in the DPDP Rules on cross-border transfer of data, saying these would discourage investment and increase compliance costs for companies.
The matter is not likely to be resolved soon. With the government itself pushing for increased digitisation and transparency, the amendment to the RTI Act and denying the media exemption from the DPDPA’s regulatory purview raise more questions than they answer.
(T.K. Rajalakshmi is Senior Deputy Editor with Frontline. Courtesy: Frontline, a fortnightly English language magazine published by The Hindu Group of publications headquartered in Chennai, India.)
❈ ❈ ❈
The Draft Digital Personal Data Protection Rules: Surveillance for Surveillance’s Sake
Rubayya Tasneem and Injila Muslim Zaidi
The Draft Digital Personal Data Protection Rules released on January 3 paint a worrying picture. Though aimed at establishing a comprehensive data protection framework, the Rules fall short in crucial areas like enforcement and transparency, with a particularly troubling provision under Rule 22.
The Digital Personal Data Protection Act, enacted in 2023, granted authority to the Union government under Section 36 to demand information from data fiduciaries or intermediaries. Rule 22 has taken this a step further, allowing the government broad discretion to demand sensitive personal data from companies without the consent of individuals, with the criteria under the Seventh Schedule of the Rules for such requests remaining vague and undefined.
What does it mean for personal data?
Under the Rules, one of the primary grounds to demand data is “in the interest of sovereignty and integrity of India or security of the State,” as outlined in the Seventh Schedule. This justification is alarmingly vague, allowing for potential overreach and arbitrary use without clear, enforceable limits.
Additional grounds for requesting data include “performing functions under existing laws, fulfilling obligations under any law in force, actions by persons authorised under applicable laws, and conducting assessments to designate certain entities as Significant Data Fiduciaries”. These broad and ambiguous criteria give government authorities almost unchecked power to access personal data whenever they see fit.
Notably, there is no requirement for a formal, written request by the authorities, who are themselves appointed by the government. This creates a system where government-appointed agents can demand sensitive information at will, bypassing the need for individual consent and raising significant concerns about privacy and misuse of power.
Second, Rule 22 permits the government to withhold information if its disclosure is deemed to jeopardise national security or sovereignty. The phrasing – “prejudicially affect the sovereignty and integrity of India or security of the State” – is alarmingly broad and could potentially be invoked broadly and without clear, enforceable limits.
In the past, such vague language has been used to render the state’s actions hard to challenge, and this case may be no different.
Rule 22 also does not have any safeguards for when the government requests information, which grants it broad and unfettered power without clear limitations, exceptions or oversight. This provision bypasses the safeguards established by the Supreme Court in PUCL v. Union of India (1997), which held that intercepting communications violates the constitutional right to life and personal liberty unless done through a legally established procedure.
The judgment mandated specific safeguards, including oversight by a review committee and a requirement for requests to detail the intended use of the information. Rule 22 undermines these protections, allowing government authorities unchecked access to personal data.
The other, bigger problem with Rule 22 is that it does not have a requirement for an independent review mechanism to check the legitimacy or necessity of the government’s demands for data to ensure that they are reasonable, justified or proportionate.
This leaves room for arbitrary use. In fact, without proper oversight, the rule has the potential to enable covert surveillance programs that bypass checks and balances and can lead to excessive data collection and the monitoring of ordinary citizens by the government.
Finally, there is no mechanism to challenge such requests, and data fiduciaries and intermediaries may not have an effective way to challenge such data requests from the government, potentially resulting in a surveillance state without public awareness or recourse.
We have often seen how overbroad directions for censorship have been made and required to be kept confidential under Section 69 of the IT Act, 2000. Such an opaque framework has prevented social media users from challenging the takedown of their content before court and is at the heart of the judicial challenge in the Karnataka high court where X has challenged the Union government.
The lack of transparency and the over-collection of data allows for the broad, unchecked use of data and for its potential misuse by prosecuting agencies.
For example, in the case of FIRs where police often lack the information needed to identify suspects, the data collected by the government could be wrongfully used to implicate individuals. This eliminates the need for the police to seek out information, as they already have access to it through the government’s data collection, which could be used to target individuals unjustly.
What does this mean for our privacy?
The A.P. Shah Report stressed on the need for a transparent process that includes the disclosure of surveillance to those who have been placed under it. Access to information under Section 95 of the BNSS is subject to judicial oversight, as a court order must be issued before accessing information.
In a similar vein, the guidelines issued by the Supreme Court in PUCL v. Union of India included oversight by a review committee and required interception requests to specify the intended use of the information.
However, Rule 22 appears to sidestep these safeguards entirely and bypass established protections by granting the state unfettered power under the vague grounds of the sovereignty and integrity of the nation.
Complicating matters is the fact that the broad definition of a data fiduciary means it could apply to anyone, including journalists. For journalists acting as data fiduciaries, Rule 22 has profound implications, particularly in terms of their ability to safeguard sensitive information, such as the identities of sources.
This raises serious questions about the future of privacy in India. As it stands, Rule 22 opens the door for unchecked government surveillance, with minimal accountability or transparency.
A first step toward correcting this would be to introduce clear, transparent processes, including a requirement for companies to inform individuals when their data is being requested by the state.
Such requests must also conform with the standards laid down in the K.S. Puttaswamy judgment, which held that while the right to privacy is not absolute, any state intrusion must meet a three-fold requirement. This includes legality, which necessitates the existence of a law authorising the intrusion; a legitimate state aim to justify the need for such intrusion; and proportionality, ensuring a rational connection between the law’s objectives and the means adopted, thereby preventing disproportionate impacts on individual rights.
Additionally, the process should allow for a clear appeal mechanism and be subject to independent oversight.
At any rate, the provision as it stands now does not bode well for privacy in India.
(Rubayya Tasneem and Injila Muslim Zaidi are fellows at the Internet Freedom Foundation. Courtesy: The Wire, an Indian nonprofit news and opinion website. It was founded in 2015 by Siddharth Varadarajan, Sidharth Bhatia, and M. K. Venu.)
