MAHITI ADHIKAR GUJARAT PAHEL: PCI and IWPC Submit 35 Questions to Govt Over Concerns About DPDP Act

The Wire India: New Delhi: Monday, 25 August 2025.
The original demand of the press bodies and the journalists in the memorandum to amend the Act to include the line, ‘journalistic work is exempted’ stands.

Press Club of India, New Delhi. Photo: The Wire

The Press Club of India (PCI) and the Indian Women Press Corps (IWPC) have submitted as many as 35 questions to the Ministry of Electronics and Information Technology (MeiTy) over their concerns about the Digital Personal Data Privacy ( DPDP) Act.
The questions are a part of an FAQ (frequently asked questions) sought by the ministry secretary S. Krishnan during a meeting he had held with representatives of the PCI, IWPC, DIGIPUB and Editors Guild of India on July 28.
The meeting was held at the behest of the PCI which had sought an appointment with the MeiTy minister Ashwini Vaishnaw while submitting to him through the principal director general of the Press Information Bureau (PIB) a joint memorandum with 21 other elected press bodies from across the country and over one thousand journalists expressing their deep concern about the Act not having journalistic exemption. Instead, time was granted by the Ministry secretary. He discussed the points raised in the memorandum.
The PCI, along with IWPC, thereafter, put together 35 FAQs after holding a meeting of its members to seek their suggestions in order to democratise the process that may likely violate the journalists’ right to work granted under Article 19 of the Constitution.
On August 23, the questions seeking clarification from the ministry were submitted to the principal DG, PIB, Dhirendra Ojha to be sent to the MeiTy secretary.
In the letter to Krishna, it has been stated though that FAQs don’t have legal validity and are mere clarifications by the ministers, and therefore, the original demand of the press bodies and the journalists in the memorandum to amend the Act to include the line, ‘journalistic work is exempted’ stands.
Following are the questions sent to the Secy, MeiTy:

In the 2018, 2019 and 2021 versions of the data protection bill, exemptions were provided for journalistic purposes. The Justice Srikrishna Committee Report on Data Protection (2018) and the 2012 Group of Experts on Privacy headed by Justice AP Shah had also recommended exemptions for journalistic purposes. Why was the journalistic exemption removed from the final version of the DPDP Bill, which was enacted in August 2023?
If in the opinion of the ministry, no explicit exemption for journalistic purposes is required as the law does not to apply to journalistic work, which are the specific sections of the DPDP Act, 2023, that safeguard rights of entities and individuals and exempt them from obligations of data fiduciary if they are processing personal information for journalistic purposes? Please provide a list of such sections and an explanation on how they protect journalistic work.
Since the enactment of the RTI Act in 2005, information accessed under the law has become a crucial source for journalists and media. There are innumerable examples of important journalistic work in public interest which are based on records accessed under the RTI Act. Why was Section 8(1)(j) of the RTI Act amended through the DPDP Act to expand the scope of information exempt from disclosure?
If in the opinion of the ministry, the right to access information under the RTI Act remains unchanged despite the changes made to Section 8(1)(j) through the DPDP Act because of the existence of Section 8(2) of the RTI Act, why was the RTI Act amended?
Section 44(3) substitutes RTI Act Section 8(1)(j), making all personal data exempt from disclosure without the earlier public-interest override (see explanatory note). How will MEITY prevent this from hollowing out journalists’ access to corruption-related records?
Journalistic work at times requires sharing and storing of documents, including those containing personal information, across national borders and jurisdictions. At times, such documents are provided by whistleblowers and therefore require measures to ensure confidentiality, including in the storage and processing of such information which may entail the use of secure servers located outside Indian jurisdiction. Various sections place restrictions on transfer of personal data including Section 16 of the DPDP Act. How will processing and storage of information outside India for journalistic purposes be protected?
Do the definitions of “Automated”, “Data Fiduciary”, “Data Principal” and “Data Processor” provided in Section 2 of the Digital Personal Data Protection Act, 2023, apply to individuals involved in journalistic work and media organisations for carrying out journalism? Yes or No?
If no, why does the Act not spell out the exemption for individuals involved in journalistic work and media organisations explicitly in Section 17?
If no (Q7), what exemptions will be applicable to individuals involved in journalistic activity and media organisations from the definition of “data fiduciary”, “data processor”, “personal data” and “data principal”?
Draft Rule 8 mandates deletion of personal data three years after the last user interaction and even requires a 48-hour pre-erasure warning. Given the historical value of news archives, will MEITY confirm that journalistic archives fall under the “research, archiving and statistical purposes” exemption in Section 17?
Where Draft Rule 15 treats continued non-use as a trigger for deletion, people involved in journalistic activity or media organisations obtain a categorical assurance that source- related files kept solely for public-interest follow-ups will not be forced into erasure schedules?
Will MEITY invoke its rule-making power under Section 40 to recognise a limited exception for bona-fide newsgathering, or must journalists rely solely on the narrow “certain legitimate uses” in Section 7?
Do individuals involved in journalistic work and organisations need to seek prior consent from any person they report on, or whose “personal data” such as identification details are contained in a press report?
Reporting whether for print, broadcast or online media requires several details such as name, age, gender, location, profession, caste, class, income are required to authenticate a story. Without these details, the story will be incomplete, vague, and likely to be rejected. Much of this information is set to fall within the definition of “personal data”. Blanking out this type of data will lead to a hollowing out of stories, particularly field reportage and will adversely affect the media as a whole. What are the specific clauses in the act that provide exemption for publishing such details as part of regular journalistic work?
In the case of a developing news story such as coverage of a riot, a terror attack, or a natural disaster, spontaneous street interviews, etc., is the person involved in journalistic activity (data fiduciary) required to go through the elaborate process of obtaining consent from the subjects (data principal) according to the provisions and clauses mentioned under Section 5 and Section 6 before reporting the story?
Draft Rule 3 demands that the Data Fiduciary’s notice be “in clear and plain language” and given before processing. How can live spot reporting, spontaneous street interviews, undercover reporting, etc., comply, and will MEITY clarify that journalistic collection in the public interest need not issue advance notices?
In a case of a scam or instance of corruption perpetuated by a minister or bureaucrat or any public servant, is the person involved in journalistic activity, or the media organisation, required to take “informed consent” from the accused in the form and format laid out in the Act, specifying the purpose for which the information has been collected, before publishing the article?
In a case of custodial torture or death, is a reporter, or a media organisation, required to obtain consent in the prescribed format as defined under Section 6 of DPDPA from the accused police official before naming her, or mentioning the place of posting or where the incident took place, or any other information that makes the accused identifiable before publishing the article?
Section 7 states that personal data of a “data principal” can be used only for the “specified purpose”. In such a case, how do these scenarios pan out for journalists and media organisations?

Scenario 1:
Suppose a person involved in journalistic activity is working on a story on denial of ration cards to people of a certain region due to mismatch with Aadhaar data and collects personal data of the affected people such as name, age, and place for identifying the extent of the problems. It raises some questions:

Is the individual involved in journalistic activity required to take “informed consent” from each individual for processing this raw data and using it in a coherent tabular format in an article to highlight the systemic problem in the public interest?
Since, this situation involves flaws that are inbuilt and baked into the Aadhaar architecture, does the person involved in journalistic activity needs “informed consent” of the concerned official of UIDAI before highlighting how Aadhaar-based ration cards are responsible for denial of food?

Scenario 2:
Suppose, a few months down the line, it emerges that starvation deaths have occurred in the same region due to lack of access to food and the previously collected data is used to establish a causal link between the deaths and problems with Aadhaar data, is the person involved in journalistic activity or the media organisation required to obtain fresh consent?

Draft Rule 10(1) forces outlets to obtain age-verified parental consent before processing a child’s data. How should people involved in journalistic activity or media organisations cover issues affecting minors (18 years and below) in real-time without breaching this rule?

Since Section 10 of the Act gives the Central Government discretionary power to notify any data fiduciary as “Significant Data Fiduciary”, does this mean a person involved in journalistic work, or a media organisation, handling a large volume of data, which contains personal data, can be notified as a “significant data fiduciary”? Yes or no?
If no (Q20), under which provision of the Act the exemption will be given?
Section 10 allows notification of any Data Fiduciary based on “risk to electoral democracy, public order or the security of the State”. What objective criteria will be applied to ensure that large or critical media houses are not placed under onerous Significant Data Fiduciary compliance merely for publishing investigative stories?
Draft Rule 22(1) allows the Government, after obtaining information, to direct that “the Data Fiduciary shall not disclose to any person the fact that such a direction has been received”. How will MEITY reconcile these secret orders with the open-justice principle and the press’s right to report on state action?
Clause (c) of sub-section (7) under Section 28 and Section 36 give the Data Protection Board and the Central Government sweeping powers to call for “any data, book, document, register, book of account or any other document.” Now, investigative journalism, to a great extent, relies on “source-based information” or provided by whistleblowers. Given the wide range of powers that have been vested in the Data Protection Board, it can very well demand a person involved in journalistic activity or media organisation to reveal the “source”. What are the protections available to a person involved in journalistic activity and media organisations from revealing a “source” under the Act?
Draft Rule 6(g) demands “appropriate technical and organisational measures to ensure effective observance of security safeguards” and can be enforced by the Board. What limits will be set so that inspections do not morph into newsroom searches, jeopardising editorial independence?
Draft Rule 7 obliges a Data Fiduciary to alert every affected person after a leak. If a whistle-blower leaks wrongdoing inside a company, PSU, government department, etc., must the person involved in journalistic activity or the newsroom notify the very officials under investigation, thereby exposing its source?
The draft rules allow the Board to suspend or cancel a Consent Manager’s registration and compel information disclosure. If a media-run consent tool is de-registered, is there an appeal, and how will ongoing subscriptions be maintained?
Draft Rule 6 requires encryption, extensive logging and one-year log retention. What financial or technical assistance will be offered to small, independent outlets that cannot afford enterprise-grade infrastructure?
Section 7(b) allows data processing by the state for providing state benefits. Rule 5 explicitly lets the State reuse personal data to deliver subsidies without consent, subject only to minimal standards. What safeguards will prevent such “lawful” data-sharing from being repurposed to identify or retaliate against critical journalists?
Repeated non-compliance can ultimately attract blocking under the IT Act read with Section 37 DPDPA (blocking for data-protection reasons). Will MEITY commit to seeking prior judicial authorisation before any news site is disabled?
What is the quantifiable threshold of non-compliances before blocking action is initiated?
When deciding penalties, Section 33 directs the Board to consider factors such as the “nature, gravity and duration” of the breach. Given that honest public-interest reporting may involve leaked data, how will proportionality be guaranteed so fines do not have a chilling effect on smaller newsrooms and individuals engaged in journalistic activity?
How will MEITY harmonise the DPDPA’s consent and notice requirements with statutory privileges under the Press and Registration of Periodicals Act and the Working Journalists (Conditions of Service) Act?
Given that the Central Government has been empowered to block information/content under Section 69A of the IT Act, what is the purpose behind including Section 37(1)(b) that creates another parallel blocking regime that further empowers the Central Government to issue blocking directions under the DPDPA framework?