The Digital Personal Data Protection Act (DPDP) aims to secure the personal data of Indian users by guaranteeing their consent.
Under DPDP rules, companies will only be able to collect customer data that is necessary for a specific purpose. They must allow users to opt out and tell them if their information is included in a data breach.
Government surveillance raises privacy fears
India’s Ministry of Electronics and Information Technology said in a statement that the DPDP and its rules “create a simple, citizen-centric and innovation-friendly framework for responsible use of digital personal data.”
However, the DPDP has been criticized for giving the government broad powers to access personal data without strong independent oversight.
India’s DPDP has been compared to the EU’s General Data Protection Regulation (GDPR), which requires strict consent, data minimization and has an independent regulator.
The DPDP tasks a government-appointed data protection board – with just four members – with overseeing the privacy of some 1.4 billion people, raising concerns over compromised privacy and free speech.
Europe’s GDPR sets high standards
Experts say the EU’s GDPR, which has significantly influenced legislation in about 160 countries, strongly prioritizes individual privacy through strict consent requirements, data minimization principles and a strong, independent regulatory oversight that limits government intrusion.
“India’s data protection laws and regulations are likely to remain paper milestones when it comes to actually protecting the privacy of people in India, as it largely formalizes various aspects of data processing,” Pratik Waghre, head of programs at the Tech Global Institute, a digital policy and human rights nonprofit, told DW.
He said, “Although successive iterations of the Act and regulations have been criticized for giving too much latitude and control to the executive branch without adequate safeguards, each version expanded its powers.”
Waghare also claimed that the government can force citizens and businesses to hand over data through sweeping provisions and the presumption of consent.
Right to Information amendment raises fears of accountability
Perhaps a particularly controversial aspect of the DPDP is its direct impact on the Right to Information (RTI) Act, under which citizens could previously access records held by public officials if “larger public interest” justified disclosure.
Critics have noted that the DPDP amends the public interest provision so that even if the information sought is related to the public interest, officials can refuse to disclose it.
“The amendments…will likely completely deny citizens access to personal information they need to expose corruption and hold governments accountable,” Anjali Bhardwaj, co-convenor of the National Campaign for Right to Information, told DW.
“For example, names of contractors carrying out public works and names of willful defaulters of public sector banks cannot be obtained,” Bhardwaj said.
Government has denied weakening RTI rights
Amrita Johri, who campaigns for digital transparency, told DW that the change in RTI rules removed pre-conditions that allowed access to personal information if it was relevant to public interest or public activity.
“The government has used claims of ‘no data available’ to avoid transparency on important public matters, further undermining the spirit of the RTI Act as an instrument of democratic accountability,” Johri said. He said the right to question and speak freely “is central to democracy.”
“Tackling fake news is important, but any regulation must follow the Constitution and be independently monitored,” he said. The judiciary recently blocked the government’s plan to set up fact-checking units, which journalists had opposed as a threat to media freedom.
The Ministry of Electronics and Information Technology said that it does not believe that the DPDP weakens RTI.
Ministry secretary S Krishnan told daily newspaper Hindustan Times that the DPDP only removed “an unnecessary provision” and did not affect citizens’ right to information.
Krishnan claimed that the RTI Act already allows public officials to share any information, regardless of exemption, if it serves public interest.
Investigative journalism is ‘threatened’ by heavy fines
However, reporters and journalist organizations like the Press Club of India and the Editors Guild of India (EGI) are apprehensive. The DPDP classifies them as “Significant Data Fiduciaries” (SDFs) for routine tasks involving personal data collection, processing and publication.
A data fiduciary is any person or organization that decides why and how personal data is processed. They are responsible for protecting that data and making sure it is used legally and fairly.
Reporters must therefore obtain explicit consent before using individuals’ data in stories such as naming corrupt officials or exposing scandals – which can make investigative reporting impossible without prior approval.
“The new rules lack clear exemptions for journalistic activities, putting routine reporting at risk of being classified as data processing requiring consent, which could hinder news gathering and investigative journalism,” former EGI president Ananth Nath told DW.
“We urge the government to immediately provide clear clarification on exempting genuine journalism from these rules to protect freedom of the press and the public’s right to know.”
Non-compliance with the DPDP can subject data fiduciaries to substantial monetary penalties, with fines potentially reaching approximately $30 million (€26 million) for each instance of violation.
“This will create a chilling effect, turn journalism into a high-risk activity and force the media to act like PR agents rather than watchdogs,” senior journalist and current EGI president Sanjay Kapoor told DW.
“It could bankrupt smaller media outlets or force self-censorship to avoid damaging costs.”
Edited by: Keith Walker
<a href