In News:

The notification of the Digital Personal Data Protection (DPDP) Rules, 2025 marks the full operationalisation of India’s DPDP Act, 2023, establishing the country’s first comprehensive data protection regime. This development comes eight years after the Supreme Court’s landmark K.S. Puttaswamy (2017) judgment recognised privacy as a fundamental right under Article 21. The Rules aim to create a structured compliance ecosystem, define stakeholder responsibilities, and institutionalise enforcement through the Data Protection Board of India (DPBI).

Key Features of the Framework

The DPDP architecture follows a citizen-centric and simplified (SARAL) approach, using accessible language and structured compliance obligations.

Rights of Data Principals (citizens) include consent-based processing, correction and erasure of data, and grievance redressal.

Obligations of Data Fiduciaries (entities processing data) include lawful processing, purpose limitation, security safeguards, and breach reporting.

However, implementation is phased. Immediate provisions include operationalisation of the DPBI (four-member body headquartered in New Delhi) and an amendment to the RTI Act, 2005, restricting disclosure of personal information. Core user protectionssuch as informed consent, purpose limitation, breach notification, and appointment of Data Protection Officers (DPOs)will be enforced over the next 12–18 months, with large technology firms expected to achieve full compliance by 2027.

Significant Data Fiduciaries (SDFs)

Entities will be classified as SDFs based on the volume and sensitivity of data processed and potential risks to sovereignty, democracy, security, and public order. Major technology companies are likely to fall under this category. SDFs face higher obligations, including data protection impact assessments and verifiable parental consent for children’s data.

Data Localisation and Cross-Border Transfers

The Rules introduce conditional data localisation, empowering the government to specify categories of personal and traffic data that must remain within India. A designated committee will determine these categories. While aimed at national security and regulatory oversight, this move has raised industry concerns regarding compliance costs and digital trade implications.

Children’s Data and Safety

Companies must implement mechanisms for verifiable parental consent, though the government has allowed flexibility in designing these systems. Behavioural tracking and targeted advertising directed at children are largely restricted, with limited exceptions to prevent exposure to harmful content.

Breach Notification and Penalties

Data Fiduciaries must inform affected individuals without delay about the nature, scope, consequences, and mitigation steps of a data breach. Penalties for failure to implement adequate safeguards can reach ?250 crore, with enforcement powers vested in the DPBI.

Concerns and Criticisms

Several issues remain contentious:

• RTI Amendment: Removal of the public interest override for personal data of public officials is seen as weakening transparency.
• Government Exemptions: Broad exemptions for state agencies on grounds such as national security may dilute privacy safeguards.
• Delayed Protections: Key user rights becoming operational only after 12–18 months creates a transitional vulnerability.
• Regulatory Capacity: A four-member DPBI may face capacity constraints given India’s digital scale.
• Compliance Burden: Startups and smaller firms may struggle with technical and procedural requirements.

Way Forward

Strengthening institutional capacity and independence of the DPBI is essential. Clearer guidelines on data localisation and parental consent, restoration of the privacy–transparency balance under RTI, and standardised compliance templates can ease implementation. Public awareness and baseline cybersecurity norms will also be crucial.

Conclusion

The DPDP Rules, 2025 represent a landmark step in aligning India’s digital growth with constitutional privacy guarantees. The long-term success of this regime will depend on balanced implementation, regulatory accountability, and continued stakeholder consultation to ensure that innovation, national security, and individual rights evolve together.

Why is it in the News?

In August 2023, India enacted its first comprehensive data protection law, the Digital Personal Data Protection (DPDP) Act, 2023, with the government currently in the process of formulating rules and regulations for its implementation, anticipated to conclude post the general election.

Context:

• In August 2023, India introduced its first comprehensive data protection law, the Digital Personal Data Protection (DPDP) Act, 2023.
• While aimed at safeguarding personal data, its impact on journalistic freedom warrants examination, as the absence of exemptions for journalistic activities may threaten the foundational principles of a free press.

Provisions of Digital Personal Data Protection (DPDP) Act:

• The Digital Personal Data Protection (DPDP) Act, 2023 is a landmark legislation aimed at regulating the collection, processing, storage, and use of personal data in India.
• The Act establishes a comprehensive framework for lawful and transparent handling of personal data, seeking to safeguard individuals' privacy and data rights.

Key provisions of the DPDP Act, 2023 include:

• Definition of personal data: Any information capable of identifying an individual, directly or indirectly.
• Principles of data protection: Lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality, and accountability.
• Data handlers: Distinction between data fiduciaries (determining processing purpose and means) and data processors (processing data on behalf of fiduciaries).
• Consent: Requirement for explicit consent before processing personal data, with provisions for withdrawal.
• Individual rights: Access, correction, erasure, and transfer of personal data.
• Data localisation: Potentially mandating the storage and processing of certain sensitive data within India.
• Oversight: Establishment of a Data Protection Board to monitor compliance and resolve grievances.
• Non-compliance: Penalties and sanctions, including fines and legal consequences for violations.
• Cross-border data transfers: Ensuring data protection standards comparable to India's when transferring data across borders.
• Obligations for data fiduciaries and processors: Security measures, data breach notifications, and data impact assessments.
• The DPDP Act, 2023 represents a significant step towards upholding individual privacy rights in India and ensuring responsible data management by government entities, organisations, and individuals alike.

Journalistic Exemptions in Data Protection Laws:

• Traditionally, data protection laws include exemptions for journalistic activities, allowing journalists to access and report on personal data without consent for investigative purposes.
  • These exemptions ensure freedom of the press and facilitate accountability in society.
• However, the Digital Personal Data Protection (DPDP) Act, 2023 does not provide such exemptions.
  • Previous drafts of the Act, including versions released by an expert committee on data protection (2018), the government (2019), and a Joint Parliamentary Committee (2021), contained provisions for journalistic activities.
• The unexplained removal of these exemptions in the DPDP Act's final iterations (2022 and 2023) raises concerns over potential negative impacts on journalism and its role in maintaining transparency and accountability.
  • Addressing this absence of journalistic exemptions will be crucial to upholding the freedom of the press and protecting the public's right to information.

Challenges for Journalists under the DPDP Act:

• Consent Requirements: Journalists are now obligated to secure consent from individuals before utilizing their personal data in news stories.
  • This could impede investigative reporting, as subjects may refuse consent, thereby obstructing access to crucial information.
• Right to Erasure: The right to erasure permits individuals to demand the deletion of published stories containing their personal data.
  • This provision may result in the removal of significant investigative work, undermining transparency.
    • For instance, when reporting on a Member of Parliament (MP) and their activities, journalists often gather information such as meeting details, travel itineraries, and familial financial investments, all of which constitute personal data under the DPDP Act.
• Obtaining consent for such data usage poses challenges, and even after publication, MPs can invoke the right to erasure, compelling journalists to delete pertinent stories.
• Government Oversight: The Act grants the government authority to request information from data processors, potentially compromising the confidentiality of journalists' sources and research materials.
  • This governmental oversight may curtail the press's capacity to hold the state accountable.

Addressing Concerns and Potential Solutions for Journalistic Freedoms under the DPDP Act:

• To ensure a balanced approach that protects personal data while preserving journalistic freedoms, addressing the concerns raised by the Digital Personal Data Protection (DPDP) Act is essential.
• The following solutions could help achieve this goal:
• Transparent Consultation: The removal of exemptions for journalistic activities highlights the need for open and transparent public consultations.
  • Although drafts of the DPDP Act were released for public input, the comments received were not made publicly available.
  • Greater transparency in the consultation process would enable better comprehension of stakeholder perspectives and inform more effective law-making.
• Exemptions for Journalists: The central government should consider using its rule-making powers under the DPDP Act to exempt journalistic entities, including citizen journalists, from specific obligations within the Act.
  • This exemption would protect the freedom of the press and encourage a transparent and open environment for journalism.
• Public Consultation: Implementing an open, transparent, and robust public consultation process could facilitate better understanding and consideration of various viewpoints.
  • This approach would lead to a more balanced and effective data protection law that upholds both personal data privacy and freedom of the press.

Conclusion

The Digital Personal Data Protection (DPDP) Act, 2023, is an essential step towards safeguarding personal data in India. However, its potential impact on journalistic free speech raises significant concerns that must be addressed.

To strike a balance between protecting individual privacy and upholding the fundamental principles of a free press, the government should consider implementing exemptions for journalists and fostering transparent consultation processes. These measures would enable a harmonious coexistence of personal data protection and journalistic freedoms, ensuring that both critical elements thrive in India's democratic landscape