Article 14: Ahmedabad: Tuesday, 25 November 2025.
India’s new data protection rules issued eight years after the Supreme Court declared privacy a fundamental right create a system that puts State authority first and privacy later. They allow officials to quietly demand personal data without judicial oversight, while forcing companies to keep citizens in the dark. They endanger investigative journalism, curb the right to information, and place whistleblowers, sources, and democratic accountability at risk.
India’s new data
protection rules place the State above citizens, weaken hard-won transparency
rights and safeguards for journalists and others probing the government and
make investigative journalism almost impossible.
On 14 November 2025, the government cleared the Digital Personal Data Protection (DPDP) Rules—which clarify a new data protection law issued in 2023—creating a new digital regime that hobbles the very rights meant to protect citizens, to the State’s advantage.
Meant to safeguard personal digital information, the new rules come eight years after the Supreme Court declared privacy to be a fundamental right. But while they provide immediate powers to the government, they postpone citizens’ rights by 18 months.
The real substance of privacy—clear consent, the ability to take back permission, the right to correct or delete your data, and enforceable timelines for grievances—will not come into effect until mid-2027.
“[The rules] delay the implementation of practically all key protections to 2027, while implementing the dilution of the (right to information) RTI Act immediately; public information officers are now authorised to decline any personal information except what is already required to be published by other laws—an all-too-thin slice of the pie for citizens seeking accountability,” said an editorial in The Hindu on 17 November 2025.
Experts have pointed out (here and here) that there is no independence evident in the institutions that are meant to ensure accountability. A supposedly independent data protection board, for instance, will function under the union ministry of electronics and information technology.
In other words, the government, which solicits business from the world’s big tech companies and seeks access to their data, will supervise the institution meant to protect Indians from any violations of privacy.
“For all practical purposes, [the DPDP rules] do not offer any real remedy… the rules will only be a nominal checkbox,” Apar Gupta, co-founder of the Internet Freedom Foundation (IFF), a think tank, had said in January. That is what has happened.
The new law provides the State with overwhelming power and few corresponding responsibilities, according to a reading of the rules.
Consider Rule 23.
A Carte Blanche For The State
Rule 23 allows the union government to demand any information from digital platforms, such as Google, Whatsapp, YouTube and Meta, and prohibits them from informing those whose information the State demands.
The rule does not require prior judicial authorisation, transparent reporting, or independent review. It permits authorities to acquire call logs, identity records, or location metadata without leaving any visible trace.
The proportionality standard laid down in the landmark 2017 Puttaswamy judgement, which requires legality, necessity, using the least intrusive option and strong safeguards, remains unaddressed.
Rule 23 builds a zone of unaccountable State access within which scrutiny becomes impossible.
The consequences will be immediate.
Investigative journalists working on corruption or illegal surveillance have no way to know if the government has silently requisitioned their metadata.
Metadata refers to data about data, which can reveal patterns about a person’s life—relationships, movements, habits—even without accessing the actual content. That includes emails, call records, photos, documents and browsing history.
Similarly, citizens using the 20-year-old right-to-information law to ask questions of the government, document corruption and other malfeasance run the same risk.
Power Imbalances Deepen
Until 2027, when the rules for users take effect, a person who finds data inaccurate, misused, or retained beyond necessity has no enforceable right to demand correction or deletion.
The introduction of consent managers—intermediaries that centralise how individuals give, track, or withdraw consent—creates further risks, as these gatekeepers could consolidate control over privacy choices and influence how users navigate consent itself.
Marketed as tools of empowerment, the consent-manager structure threatens to create new concentrations of control. If a very few large companies dominate consent management, they could shape how privacy choices are presented—for instance, making it easier to agree than to refuse, effectively nudging users toward decisions that benefit commercial interests rather than their own.
The Rules also place a heavy onus on Aadhaar or DigiLocker-based verification for children's data and the data of persons with disabilities.
Such identity-linked verification extends the exchange of sensitive information between private platforms and government databases, raises the possibility of exclusion, creates unnecessary linkages and amplifies the longstanding concerns around biometric dependence.
India's experience (here, here and here) with Aadhar-based authentication, centralised biometric databases, and large-scale identity-linked welfare systems repeatedly demonstrates that centralised identity systems create vulnerabilities, not resilience.
The Rules appear to ignore this lesson.
Crippling Journalism & Transparency
The most serious consequence of India’s new digital regime, according to experts and industry bodies (here, here and here), is the way it deals with journalism and public-interest transparency.
Once the Rules kick in, journalists may be unable to protect sources or access information essential for reporting.
Under most modern data-protection laws (including the EU’s General Data Protection Regulation), a “journalistic exemption” protects the press from strict data-processing rules when reporting in the public interest.
A journalistic exemption usually allows journalists to: collect, store, and publish personal data without needing consent; avoid certain obligations, such as giving notice to the data subject, retain data used for reporting, and protect confidential sources.
Under India’s DPDP rules journalists—and documentary filmmakers and independent content creators—are treated like any other data processor or collector. This means they may be required to seek consent from the very people they are investigating.
Journalists often rely on confidential documents, whistleblowers, victims, or officials who speak only on the condition of anonymity. Requiring “permission” in these situations is not just unrealistic; it fundamentally misunderstands how accountability reporting works.
It also gives the State an easy route to question, delay or intimidate journalists through opaque data-access demands. As the Editors Guild of India warned in a statement on the DPDP Rules, removing clear safeguards for journalistic work “creates a chilling environment for reporters and weakens the public’s right to know.”
There is no explicit protection for handling leaked documents, confidential data, or source-provided information, and publishing certain personal data—even if crucial to a public-interest story—could technically violate the law.
Press bodies, digital-rights groups, RTI campaigners and legal experts submitted detailed objections to the draft rules, focusing on journalism, source protection and the weakening of the RTI Act.
The government appears to have accepted none of these.
‘Indirect Censorship’
“By excluding journalists from any statutory exemption and granting the State broad access and enforcement powers, the Rules open the door to indirect censorship, a chilling effect on free expression, and disproportionate surveillance of legitimate newsgathering activities,” said a statement issued on 18 November by DIGIPUB News India Foundation, a body of more than 100 independent digital news media.
A statement from DIGIPUB News India Foundation, a body of more than 100 independent news organisations
“The absence of any journalistic exemption, coupled with wide-ranging powers granted to the government to obtain personal data, poses a direct threat to press freedom and weakens the institutional safeguards necessary for public-interest reporting,” the Editors Guild of India said.
“DPDP rules introduce breach notifications, correction and erasure rights, but govt exemptions, loopholes, weak oversight threaten user privacy,” said Nikhil Pahwa, founder of MediaNama, a media website.
Earlier versions of India’s data-protection proposals—the 2018 Srikrishna Committee draft bill and the 2019 Personal Data Protection Bill—explicitly included an exemption for journalistic purposes, similar to the GDPR model.
The DIGIPUB statement said despite consultations with the electronics and information technology ministry, it “neither responded to these questions nor addressed any of the concerns raised by journalists and digital media organisations”.
“This reflects a serious departure from the democratic consultative process expected in delegated legislation and demonstrates disregard for press freedom,” said the statement.
The erosion of third-party transparency—one of the few ways journalists can detect surveillance—makes it all but impossible to assess whether State power is being misused.
Muzzling Citizens
The DPDP Act and Rules primarily dilute the RTI Act by amending section 8(1)(j), which had an override for disclosure in the public interest, so that citizens could expose corruption, misuse of power, or irregularities in a public authority or institution.
The removal now empowers authorities to deny information by merely labeling it “personal data” when the public interest clearly requires that it be released. The weakening of RTI and the increased risk for journalistic sources combine to choke the public's access to the truth.
Anjali Bhardwaj, a veteran RTI activist, warned that “the amendment imposes a blanket exemption on personal data… undermines transparency, weakens the public’s ability to hold authorities accountable, and restricts access to critical government records”.
In July, Justice (retd) A P Shah, former chief justice of the Delhi High Court and former chairman of the Law Commission of India, in a letter to the advocate general of India, had urged the repeal of the changes to section 8(1)(j).
“These changes represent a seismic shift in India’s transparency framework for the worse, threatening to dismantle RTI Act’s core purpose of democratic accountability and citizen empowerment,” wrote Justice Shah.
RTI advocates warned that the new framework will restrict access to information. Bhardwaj said the changes “undermine the public’s right to know” by replacing the RTI Act’s public-interest test with a far narrower standard.
Shah also warned that the removal of a proviso to section 8(1) of the RTI Act—which mandated that information not deniable to Parliament or a State Legislature would not be denied to any person—was “alarming for democracy”.
“These amendments are manifestly ill-thought-out, raising critical legal issues that are ripe for constitutional challenge,” wrote Justice Shah.
The DPDP Rules strike directly at Article 19(1)(a)—the right to free expression, which includes the right to gather information safely, communicate with sources without fear and publish freely.
The Rules do indeed have a grievance procedure, but there is a striking lack of independence in the regulator, a data protection board.
A Regulator Beholden To Govt
The Data Protection Board, which is supposed to act as the main oversight body under the new law, is not independent, as many experts have pointed out (here, here and here).
The government controls who is appointed, how long they serve, and can influence their removal. So, the Board depends on the very authority it is expected to supervise.
Gupta of the IFF said that the data protection board—it will have a chairperson and three members—“is not an independent authority for adjudication because it does not have any autonomy and is appointed, selected, and its tenure and service conditions are determined by the central government”.
In 2018, the Justice Srikrishna Committee, set up by the union government to create a draft law, had recommended that in order to ensure independence, the selection committee should also include the Chief Justice of India or her nominee.
That never happened.
The Regulation Of Regulators
When a regulator relies on the executive for its functioning, it becomes harder for it to question government departments that hold the most extensive access powers.
Examples of receding independence of regulators include the Election Commission of India, the Central Bureau of Investigation, the Central Information Commission, the Telecom Regulatory Authority of India and the National Human Rights Commission of India.
In most of these cases, government departments—usually the biggest violators—now escape serious scrutiny. This is the structural risk critics point out with the data protection board, especially since the government is itself the largest data collector with the broadest access and exemption powers.
The Rules deepen this problem by offering very few safeguards around government access to people’s data. There is no requirement for an independent authority to approve access requests, no proportionality check, no routine public reporting of how often data is sought, and no limit on how long secrecy orders may last.
Much of the problems in the Rules stem from widespread ambiguity, experts have said, apparently a deliberate feature of a law that does not engage meaningfully with the concept of privacy and lacks a clear foundation.
The vagueness in the rules flows from the parent act of 2023, allowing the government many exemptions that benefit itself.
“Now, the problem with a vague law is that its enforcement is uncertain,” Gupta of the IFF had said. “The protection it provides people and the exemptions it provides businesses—both are up to the government’s discretion without any foundational principle attached to it.”
(Akhil Yadav is a millennium fellow and law student at Gujarat National Law University, Gandhinagar.)
India’s new data protection rules issued eight years after the Supreme Court declared privacy a fundamental right create a system that puts State authority first and privacy later. They allow officials to quietly demand personal data without judicial oversight, while forcing companies to keep citizens in the dark. They endanger investigative journalism, curb the right to information, and place whistleblowers, sources, and democratic accountability at risk.
On 14 November 2025, the government cleared the Digital Personal Data Protection (DPDP) Rules—which clarify a new data protection law issued in 2023—creating a new digital regime that hobbles the very rights meant to protect citizens, to the State’s advantage.
Meant to safeguard personal digital information, the new rules come eight years after the Supreme Court declared privacy to be a fundamental right. But while they provide immediate powers to the government, they postpone citizens’ rights by 18 months.
The real substance of privacy—clear consent, the ability to take back permission, the right to correct or delete your data, and enforceable timelines for grievances—will not come into effect until mid-2027.
“[The rules] delay the implementation of practically all key protections to 2027, while implementing the dilution of the (right to information) RTI Act immediately; public information officers are now authorised to decline any personal information except what is already required to be published by other laws—an all-too-thin slice of the pie for citizens seeking accountability,” said an editorial in The Hindu on 17 November 2025.
Experts have pointed out (here and here) that there is no independence evident in the institutions that are meant to ensure accountability. A supposedly independent data protection board, for instance, will function under the union ministry of electronics and information technology.
In other words, the government, which solicits business from the world’s big tech companies and seeks access to their data, will supervise the institution meant to protect Indians from any violations of privacy.
“For all practical purposes, [the DPDP rules] do not offer any real remedy… the rules will only be a nominal checkbox,” Apar Gupta, co-founder of the Internet Freedom Foundation (IFF), a think tank, had said in January. That is what has happened.
The new law provides the State with overwhelming power and few corresponding responsibilities, according to a reading of the rules.
Consider Rule 23.
A Carte Blanche For The State
Rule 23 allows the union government to demand any information from digital platforms, such as Google, Whatsapp, YouTube and Meta, and prohibits them from informing those whose information the State demands.
The rule does not require prior judicial authorisation, transparent reporting, or independent review. It permits authorities to acquire call logs, identity records, or location metadata without leaving any visible trace.
The proportionality standard laid down in the landmark 2017 Puttaswamy judgement, which requires legality, necessity, using the least intrusive option and strong safeguards, remains unaddressed.
Rule 23 builds a zone of unaccountable State access within which scrutiny becomes impossible.
The consequences will be immediate.
Investigative journalists working on corruption or illegal surveillance have no way to know if the government has silently requisitioned their metadata.
Metadata refers to data about data, which can reveal patterns about a person’s life—relationships, movements, habits—even without accessing the actual content. That includes emails, call records, photos, documents and browsing history.
Similarly, citizens using the 20-year-old right-to-information law to ask questions of the government, document corruption and other malfeasance run the same risk.
Power Imbalances Deepen
Until 2027, when the rules for users take effect, a person who finds data inaccurate, misused, or retained beyond necessity has no enforceable right to demand correction or deletion.
The introduction of consent managers—intermediaries that centralise how individuals give, track, or withdraw consent—creates further risks, as these gatekeepers could consolidate control over privacy choices and influence how users navigate consent itself.
Marketed as tools of empowerment, the consent-manager structure threatens to create new concentrations of control. If a very few large companies dominate consent management, they could shape how privacy choices are presented—for instance, making it easier to agree than to refuse, effectively nudging users toward decisions that benefit commercial interests rather than their own.
The Rules also place a heavy onus on Aadhaar or DigiLocker-based verification for children's data and the data of persons with disabilities.
Such identity-linked verification extends the exchange of sensitive information between private platforms and government databases, raises the possibility of exclusion, creates unnecessary linkages and amplifies the longstanding concerns around biometric dependence.
India's experience (here, here and here) with Aadhar-based authentication, centralised biometric databases, and large-scale identity-linked welfare systems repeatedly demonstrates that centralised identity systems create vulnerabilities, not resilience.
The Rules appear to ignore this lesson.
Crippling Journalism & Transparency
The most serious consequence of India’s new digital regime, according to experts and industry bodies (here, here and here), is the way it deals with journalism and public-interest transparency.
Once the Rules kick in, journalists may be unable to protect sources or access information essential for reporting.
Under most modern data-protection laws (including the EU’s General Data Protection Regulation), a “journalistic exemption” protects the press from strict data-processing rules when reporting in the public interest.
A journalistic exemption usually allows journalists to: collect, store, and publish personal data without needing consent; avoid certain obligations, such as giving notice to the data subject, retain data used for reporting, and protect confidential sources.
Under India’s DPDP rules journalists—and documentary filmmakers and independent content creators—are treated like any other data processor or collector. This means they may be required to seek consent from the very people they are investigating.
Journalists often rely on confidential documents, whistleblowers, victims, or officials who speak only on the condition of anonymity. Requiring “permission” in these situations is not just unrealistic; it fundamentally misunderstands how accountability reporting works.
It also gives the State an easy route to question, delay or intimidate journalists through opaque data-access demands. As the Editors Guild of India warned in a statement on the DPDP Rules, removing clear safeguards for journalistic work “creates a chilling environment for reporters and weakens the public’s right to know.”
There is no explicit protection for handling leaked documents, confidential data, or source-provided information, and publishing certain personal data—even if crucial to a public-interest story—could technically violate the law.
Press bodies, digital-rights groups, RTI campaigners and legal experts submitted detailed objections to the draft rules, focusing on journalism, source protection and the weakening of the RTI Act.
The government appears to have accepted none of these.
‘Indirect Censorship’
“By excluding journalists from any statutory exemption and granting the State broad access and enforcement powers, the Rules open the door to indirect censorship, a chilling effect on free expression, and disproportionate surveillance of legitimate newsgathering activities,” said a statement issued on 18 November by DIGIPUB News India Foundation, a body of more than 100 independent digital news media.
A statement from DIGIPUB News India Foundation, a body of more than 100 independent news organisations
“The absence of any journalistic exemption, coupled with wide-ranging powers granted to the government to obtain personal data, poses a direct threat to press freedom and weakens the institutional safeguards necessary for public-interest reporting,” the Editors Guild of India said.
“DPDP rules introduce breach notifications, correction and erasure rights, but govt exemptions, loopholes, weak oversight threaten user privacy,” said Nikhil Pahwa, founder of MediaNama, a media website.
Earlier versions of India’s data-protection proposals—the 2018 Srikrishna Committee draft bill and the 2019 Personal Data Protection Bill—explicitly included an exemption for journalistic purposes, similar to the GDPR model.
The DIGIPUB statement said despite consultations with the electronics and information technology ministry, it “neither responded to these questions nor addressed any of the concerns raised by journalists and digital media organisations”.
“This reflects a serious departure from the democratic consultative process expected in delegated legislation and demonstrates disregard for press freedom,” said the statement.
The erosion of third-party transparency—one of the few ways journalists can detect surveillance—makes it all but impossible to assess whether State power is being misused.
Muzzling Citizens
The DPDP Act and Rules primarily dilute the RTI Act by amending section 8(1)(j), which had an override for disclosure in the public interest, so that citizens could expose corruption, misuse of power, or irregularities in a public authority or institution.
The removal now empowers authorities to deny information by merely labeling it “personal data” when the public interest clearly requires that it be released. The weakening of RTI and the increased risk for journalistic sources combine to choke the public's access to the truth.
Anjali Bhardwaj, a veteran RTI activist, warned that “the amendment imposes a blanket exemption on personal data… undermines transparency, weakens the public’s ability to hold authorities accountable, and restricts access to critical government records”.
In July, Justice (retd) A P Shah, former chief justice of the Delhi High Court and former chairman of the Law Commission of India, in a letter to the advocate general of India, had urged the repeal of the changes to section 8(1)(j).
“These changes represent a seismic shift in India’s transparency framework for the worse, threatening to dismantle RTI Act’s core purpose of democratic accountability and citizen empowerment,” wrote Justice Shah.
RTI advocates warned that the new framework will restrict access to information. Bhardwaj said the changes “undermine the public’s right to know” by replacing the RTI Act’s public-interest test with a far narrower standard.
Shah also warned that the removal of a proviso to section 8(1) of the RTI Act—which mandated that information not deniable to Parliament or a State Legislature would not be denied to any person—was “alarming for democracy”.
“These amendments are manifestly ill-thought-out, raising critical legal issues that are ripe for constitutional challenge,” wrote Justice Shah.
The DPDP Rules strike directly at Article 19(1)(a)—the right to free expression, which includes the right to gather information safely, communicate with sources without fear and publish freely.
The Rules do indeed have a grievance procedure, but there is a striking lack of independence in the regulator, a data protection board.
A Regulator Beholden To Govt
The Data Protection Board, which is supposed to act as the main oversight body under the new law, is not independent, as many experts have pointed out (here, here and here).
The government controls who is appointed, how long they serve, and can influence their removal. So, the Board depends on the very authority it is expected to supervise.
Gupta of the IFF said that the data protection board—it will have a chairperson and three members—“is not an independent authority for adjudication because it does not have any autonomy and is appointed, selected, and its tenure and service conditions are determined by the central government”.
In 2018, the Justice Srikrishna Committee, set up by the union government to create a draft law, had recommended that in order to ensure independence, the selection committee should also include the Chief Justice of India or her nominee.
That never happened.
The Regulation Of Regulators
When a regulator relies on the executive for its functioning, it becomes harder for it to question government departments that hold the most extensive access powers.
Examples of receding independence of regulators include the Election Commission of India, the Central Bureau of Investigation, the Central Information Commission, the Telecom Regulatory Authority of India and the National Human Rights Commission of India.
In most of these cases, government departments—usually the biggest violators—now escape serious scrutiny. This is the structural risk critics point out with the data protection board, especially since the government is itself the largest data collector with the broadest access and exemption powers.
The Rules deepen this problem by offering very few safeguards around government access to people’s data. There is no requirement for an independent authority to approve access requests, no proportionality check, no routine public reporting of how often data is sought, and no limit on how long secrecy orders may last.
Much of the problems in the Rules stem from widespread ambiguity, experts have said, apparently a deliberate feature of a law that does not engage meaningfully with the concept of privacy and lacks a clear foundation.
The vagueness in the rules flows from the parent act of 2023, allowing the government many exemptions that benefit itself.
“Now, the problem with a vague law is that its enforcement is uncertain,” Gupta of the IFF had said. “The protection it provides people and the exemptions it provides businesses—both are up to the government’s discretion without any foundational principle attached to it.”
(Akhil Yadav is a millennium fellow and law student at Gujarat National Law University, Gandhinagar.)
.JPG)
.JPG)
