DPDP Act: Another sword of Damocles

If the RTI Act was a way to hold the powerful to account, the Digital Privacy and Data Protection (DPDP) Act is a way to bury it


Herjinder

Discrepancies in voters’ lists have been a hot topic of discussion for some time. In some cases, multiple voters share the same EPIC (Elector Photo Identity Card) number, while in others, thousands of voters are registered at a single address. It has also been established that one person has been instrumental in applying for the deletion of several hundred, and in some cases thousands, of voters from the rolls.

Opposition parties have seized on such irregularities to challenge the government and the Election Commission, demanding corrective measures to prevent such errors and eliminate suspicion of electoral fraud. They have raised the issue in Parliament and held press conferences to draw attention to it.

While there are no restrictions on raising such concerns in Parliament, it may become increasingly difficult to discuss them in other public forums once the rules are framed to implement the Digital Privacy and Data Protection (DPDP) Act. The rules are overdue since the law was rushed through Parliament in August 2023 when most Opposition members were either suspended or not present in the two Houses.

The DPDP Act includes several provisions that could classify discussions on electoral rolls as a legal offence. The voters’ list contains personal details such as names, addresses, age and photographs, and under the law’s provisions, collecting or using such data could well be deemed a violation of privacy.

The DPDP Act was passed in 2023 when several Opposition MPs were expelled from Parliament during protests over the Manipur violence, and their primary focus was on bringing a no-confidence motion against Prime Minister Narendra Modi. As political attention shifted to general elections, the law received little public scrutiny. However, the government has since moved forward with its implementation.

After finalising the rules and inviting suggestions by 5 March, reports indicate that the framework is now ready. Once the budget session concludes, a gazette notification could be issued at any time, turning many concerns about this law into a legal reality.

One of the most pressing concerns surrounding the Act is its impact on the Right to Information (RTI). The RTI Act of 2005 has been a cornerstone of Indian democracy, enabling citizens to hold the government accountable by accessing public records. However, Section 44(3) of the DPDP Act significantly weakens this right by imposing sweeping restrictions on the disclosure of personal information — even when it is in public interest. Civil society groups, including over 30 organisations that recently protested in New Delhi, warn that this provision could effectively kill the RTI Act.

Previously, details such as educational qualifications of public officials or the specifics of government contracts could be accessed if they were deemed relevant for transparency and accountability. Now, such disclosures could be blocked under the pretext of privacy, potentially shielding inefficiency and corruption from scrutiny.

Anjali Bhardwaj of the National Campaign for People’s Right to Information compares this move to “another weapon like UAPA”, suggesting it dismantles vital democratic safeguards. Apaar Gupta, founder director of the Internet Freedom Foundation (IFF), highlights the contradiction, stating that the Right to Information and the Right to Privacy are inherently linked — yet now they are being pitted against each other.

He warns that privacy is being used as a weapon to undermine RTI. Social activist Aruna Roy, a long-time advocate of RTI, sees the DPDP Act as part of a broader strategy to erode transparency. She argues that since the RTI Act’s inception, successive governments have attempted to weaken it, often facing strong resistance.


“Now, a lateral attack is being made,” she says. “Sometimes, such lateral assaults are more dangerous than direct ones.”

Journalists, often the frontline defenders of democracy, face a chilling new reality under the DPDP Act. Unlike data protection laws in the European Union, which provide exemptions for journalistic work under the General Data Protection Regulation (GDPR), the Indian law offers no such protection.

Investigative reporters exposing abuse of power — such as a politician’s hidden assets or a bureaucrat’s questionable dealings — could be classified as ‘data fiduciaries’, entities responsible for handling personal data. This designation would subject them to stringent consent requirements and potential fines of up to Rs 250 crore by the government-controlled Data Protection Board (DPB). Without clear exemptions, journalists could face legal harassment, deterring critical reporting and stifling public discourse. The vague language of the Act only amplifies these concerns, leaving the press vulnerable to selective enforcement.

Lawyer Prashant Bhushan offers a different perspective on the issue. He says while the law may not have been explicitly designed to target journalists, its broad and ambiguous language makes it a potential tool for doing so if the need arises.

Consent is another major concern. According to the Act, if a journalist collects and publishes any information about an individual, they must obtain that person’s consent. Pragya Singh, a journalist and executive member of the Press Club of India, highlights the impracticality of this requirement. “I regularly interview people and gather information on the ground. It’s unrealistic to expect me to carry consent forms and get them signed before every interaction,” she says.

The DPDP Act hands the government a double-edged sword: the authority to advocate for privacy while shielding its own actions from scrutiny on the pretext of privacy.

Under the draft rules released in January 2025, authorities can demand “any information” from data fiduciaries for vaguely defined purposes such as “sovereignty and integrity of India” or “security of the State” without informing affected citizens.

This lack of transparency has alarmed digital rights organisations like the IFF, which warns that citizens could be left “completely in the dark” about how their data is accessed and why. By enforcing privacy regulations on individuals and private entities while exempting itself, the government appears to have weaponised the Act to evade accountability — transforming a fundamental right into a tool for secrecy.

Economist Jayati Ghosh raises another critical concern. If collecting and publishing data can be deemed a crime, academic research too could become impossible to carry out.

A major source of concern is the Act’s vague definition — or lack thereof — of the term ‘data fiduciary.’ This term is central to the law’s enforcement, referring to entities that determine the purpose and means of processing personal data. However, without a precise definition, the government-appointed DPB has unchecked authority to designate anyone — a journalist, researcher, or activist — as a data fiduciary.

This ambiguity paves the way for arbitrary enforcement. A social media user analysing public profiles or a whistleblower exposing leaked documents could suddenly be subjected to stringent compliance requirements or hefty penalties, all at the discretion of a board that lacks independence from executive influence. Instead of protecting privacy, there is an inherent risk of the Act becoming an instrument of control.

Another troubling aspect is the manner in which this law was enacted. The government had initially introduced the Data Protection Bill, which faced opposition in Parliament and was subsequently sent to a Joint Parliamentary Committee for review. Trinamool Congress MP Mahua Moitra, a member of the JPC, recalls, “We submitted 80 pages of recommendations for amendments, but the government discarded them entirely.”


In the meantime, the ministry overseeing the Bill saw a change in leadership, and instead of refining the existing Bill, the government introduced an entirely new law which was then passed in Parliament. Congress MP Gaurav Gogoi, another JPC member, highlights a key addition that was never part of their discussions: “There was no mention of the Right to Information in our deliberations, yet it was inserted into the new law.”

At its core, the DPDP Act centralises power within the Union government. Unlike independent regulators in several other countries, the DPB remains under government control, casting doubts on its neutrality. As India accelerates toward a digital future, the balance between data protection and democratic freedoms stands on shaky ground. While the Act claims to safeguard personal data, its broader impact threatens transparency, press freedom, and accountability.
