The Digital Personal Data Protection Act, 2023 (DPDP Act), is a significant step toward safeguarding the fundamental right to privacy, as recognized by the nine-judge Constitution Bench of the Supreme Court of India in the Justice K.S. Puttaswamy judgment (2017). The law, expected to come into force soon, also introduces a progressive change in legislative drafting by using gender-inclusive language. For example, Section 7 states that a Data Fiduciary may process personal data of a Data Principal for a specified purpose if ‘she’ has voluntarily provided ‘her’ data and has not indicated non-consent. Section 2(y) clarifies that the term ‘she’ applies to any individual, irrespective of gender.

This thoughtful change marks a milestone in inclusivity in India, as the United Nations claims using gender-inclusive language is a powerful way to promote gender equality and eradicate gender bias. While there are positive aspects, there are concerns as well:

Advertisement

The DPDP Act proposes an amendment to the RTI Act. Currently, S. 8(1)(j) of the RTI Act states that personal information can be disclosed if it serves a public interest or if it cannot be denied to Parliament or a State Legislature. However, Section 44(3) of the DPDP Act replaces this provision with a broader exemption for any “information which relates to personal information.”

This change could weaken the RTI Act in two ways: Firstly, any personal information may now be exempt from disclosure, regardless of public interest. Secondly, Public Information Officers will lose their discretion to release personal information even if they are “satisfied that the larger public interest justifies the disclosure of such information.”

Fortunately, despite the amendment, Section 8(2) of the RTI Act remains unchanged, thus providing balance. This provision allows disclosure of exempt information if “the public interest outweighs the harm to the protected interests.” Justice K.M. Joseph, in the Rafale review judgment (Yashwant Sinha & Ors. v. CBI, 2019), noted that Section 8(2) confers upon the citizens a priceless right by clothing them with the right to demand information – even if it falls under exemptions.

A still greater challenge arises from the DPDP Act’s lack of explicit exemption for journalistic activities, raising serious concerns about press freedom and the future of investigative reporting. S.17(2)(b) provides exemptions for research and archiving, but fails to recognize journalism as a legitimate purpose for processing personal data.

This omission, even if unintended, could create a chilling effect on journalism: Media organisations as Data Fiduciaries can only process digital Personal data with the individual’s consent. The individual (Data Principal) should be given clear notice about the purpose of using (or even storing) such data.

Obtaining “free, specific, informed, unconditional and unambiguous” is impractical in investigative journalism, particularly in cases involving corruption, crime or governance failures. The fear of Rs 50 crore to Rs 250 crore fines may dissuade journalists from exposing any wrongdoing by any person.

In addition, big media houses, if classified as Significant Data Fiduciaries under S.10, need to fulfil added obligations. They must appoint Data Protection Officers, conduct periodic data audits and Data Protection Impact Assessment.

Many international data protection frameworks offer specific exemptions for journalistic activities.  For example, Article 85 of the European Union’s General Data Protection Regulation (GDPR) allows member states to create exemptions for processing personal data for news reporting. The UK’s Data Protection Act 2018 does not provide a blanket exemption for journalists but excludes them from most data protection obligations if data processing is carried out with a view to ‘publishing’ material in the ‘public interest’.

The Editors Guild of India urged the Central Government last year to issue a notification under S.17(5) of the DPDP Act to exempt media organizations from compliance obligations that obstruct investigative journalism. However, such a notification, if issued ‘for such period as may be specified’ would offer only temporary protection – like a sword hanging over press freedom.

A more credible and permanent solution would be to amend Rule 15 of the draft Digital Personal Data Protection Rules, 2025, to explicitly exempt journalism from certain consent requirements. For this to happen, S.17(2)(b) of the DPDP Act needs to be amended by Parliament, ensuring that the law does not apply to the processing of personal data necessary for journalistic purposes, if such processing is carried on in accordance with the Press Council of India’s Norms of Journalistic Conduct.

The Norms of Journalistic Conduct, 2022, contain sufficient safeguards to protect privacy. These norms state that the press should avoid intruding on privacy unless there is a genuine overriding public interest. By supporting the DPDP Act’s framework with these established journalistic standards, a balance can be achieved between protecting personal data and upholding press freedom.

Except for the Editors Guild of India, this issue has received little attention. The proposed Digital Data Protection Regime may initially suppress press freedom, consequently, restrict citizens’ right to information, and finally, weaken democracy – although this is not the Parliamentary intention.

(The writer is a transparency and equality advocate and author.)