Supreme Court refers the DPDPA Challenge to a larger Bench

On 16th February 2026, the Supreme Court heard the preliminary petitions challenging DPDPA 2023 from the perspective of whether Section 44(3) and other sections violate the Constitution.

The three petitions which were heard were:

    1. Venkatesh Nayak v. Union of India, W.P.(C) No. 177/2026;
    2. The Reporters Collective Trust & Anr. v. Union of India & Ors., W.P.(C) No. 211/2026; and
    3. National Campaign for Peoples Right to Information v. Union of India, W.P.(C) No. 212/2026.

Despite strong pleadings, the Court refused to stay the Act but committed the petitions to a larger bench. It has issued necessary notices to the Government.

A detailed post on internetfreedom.in provides additional information on the developing case. A copy of the petition of The Reporters Collective Trust is available here.

This petition goes much beyond Section 44(3) and challenges Sections 5, 6, 8, 10, 18, 19, 36, besides 44(3) of the DPDP Act, 2023, and Rules 3, 6, 7, 8, 9, 13, 16, 17, and 23 of the DPDP Rules, 2025.

It is interesting to note that while the petition wants to have easy access to all beneficiaries of various Government schemes, they want to redact the name of the petitioners because they consider it their right to privacy. This is a point to be noted.

The prayer in the petition is as follows:

PRAYER

Therefore, in light of the above-mentioned facts and circumstances, it is respectfully prayed that this Hon’ble Court may kindly be pleased to:

A. Issue a writ in the nature of mandamus, or any other appropriate writ, order, or direction declaring the whole of the Digital Personal Data Protection Act, 2023, and specifically Sections 5, 6, 8, 10, 17, 18, 19, 36, and 44(3), of the Digital Personal Data Protection Act, 2023, to be void, inoperative and unconstitutional for being ultra vires Articles 14, 19, and 21 of the Constitution;

B. Issue a writ in the nature of mandamus, or any other appropriate writ, order, or direction declaring the whole of the Digital Personal Data Protection Rules, 2025, specifically Rules 3, 6, 7, 8, 9, 13, 16, 17, and 23 of the Digital Personal Data Protection Rules, 2025, to be void, inoperative and unconstitutional for being ultra vires Articles 14, 19, and 21 of the Constitution;

C. Issue any other writ, order or direction as this Hon’ble Court may deem fit and proper to do complete justice in the circumstances of the case.

It is our duty to analyze the petition point by point and present it to the larger public to understand the issues involved. We shall do so in due course. Watch this space.

Naavi

Also Refer: livelaw

 

 

Posted in Privacy | Leave a comment

DPDPA at the doors of Supreme Court

As expected, the law of DPDPA is now before the Supreme Court. Normally Courts are expected to step in when a citizen has an adverse impact of the law and seeks remedy. However, in India, almost every law that gets passed by the Parliament is scrutinized by the Supreme Court even before it is implemented under the speculation that “This is unconstitutional, Give a stay and later scrap the law”. The same thing has now happened for DPDPA 2023. There are always some so-called Public Interest Litigation specialists who contrive the reason to challenge the law and hamper the progress. Supreme Court has allowed itself to be used as an instrument of delaying legislation in the country and the trend continues.

I refer to the article in “Thewire.in” which refers to a petition of one RTI activist Mr Venkatesh Nayak to ensure that “Two decades of transparency in the life of public authorities is not reversed into an era of dark opacity”. The case would be argued by Ms Vrinda Grover and perhaps also Mr Prashant Bhushan, before a bench of Justices Suryakant, Joymalya Bagchi and Vipul Pancholi today.

We do not have a copy of the petition to understand the logic but the article makes the following mentions which we can comment on.

1. Section 44(3) is already in force.

2. Section 44(3) amends RTI Act to broadly exempt the disclosure of information deemed to be “Personal” and provides a “Blanket bar” on an obligation to disclose all personal information.

3. Section 44(3) contravenes Article 19(1)(a) of the Constitution and violates the right to equality by equating privacy of public functionaries to that of ordinary citizens.

Another petition that has been filed is Reporters Collective & Nitin Sethi v. Union of India (W.P.(C) No. 177/2026). This petition extends the objections and seeks to strike down the entire DPDPA as unconstitutional. Objections are made on Sections 5, 6, 8, 10, 17, 18, 19, 36, and 44(3), alongside Rules 3, 6, 7, 8, 9, 13, 16, 17, and 23 of the 2025 Rules.

Another petition, filed by Prashant Bhushan for NCPRI (W.P.(C) No. 211/2026), also reflects a similar view.

While we appreciate the legal acumen of those who have filed these petitions, it is clear that the objective of this elite exercise is to delay DPDPA implementation to the extent possible. It is unlikely that the Supreme Court may be persuaded to consider the objections but the petition has the power to disturb the industry’s resolve to start implementation immediately.

The Urban Naxalites would be happy… that they have placed one more hurdle on the Government to do what it wants to do.

For the time being, let us watch what the Supreme Court does on this petition. We shall analyse the case as it develops.

Probably a notice would be issued to the Government in this regard. We do not expect any stay at this point of time.

I request any of the readers having a copy of the petitions to send me a copy so that we can take a deeper look at the same.

Naavi

Also Refer:

Opposition seeks repealing of Section 44(3) of DPDPA 2023

The hue and cry about RTI Act being diluted by DPDPA is misplaced.


Rules on Synthetic AI content finalized

In October 2025, MeitY had released a draft notification related to amendment of IT Act Intermediary Rules related to publication of synthetic content. On 10th February 2026, the final rules have been notified with several clarifications related to the provisions.

The Gazette Notification along with an FAQ are available here. Brief Discussion of these amended rules will be available in FDPPI training program for CDPODA on February 21 and 22.

Gazette Notification of 10th February 2026

FAQ 

These are amendments to Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 and will be effective from 20th February 2026.

Naavi


The Race for being a Consent Manager

Going by newspaper reports, it appears that many Indian companies including giants like TCS are eyeing registration as “Consent Manager” under DPDPA 2023. There is news that JIO and Airtel are also interested in being registered as “Consent Manager”.

Further, NeGD had announced a “Code Development Competition” for development of an open source Consent Management platform to manage the Consents under DPDPA by Data Fiduciaries. This was a competition for a prize of Rs 50 lakhs and as part of the specifications of the coding competition, a document called “BRD” or “Business Requirement Document” had been issued by NeGD.

Under this competition, the following six entities were shortlisted for the final round of code development.

In the background there are 17 RBI licensed “Account Aggregators” who are acting as “Consent Managers under DEPA” who may be thinking that they are already “Consent Managers” and should automatically be eligible for registration under DPDPA.

With these developments the media and many experts are confused about the intentions of the MeitY on how they would modify the DPDPA Rules of November 13 to accommodate the lobbying by the giants such as TCS, Jio and Airtel.

While Naavi.org has explained in detail the conflicts between the DPDPA Act and the Rules, and will continue to debate this provision, it is our duty to point out that there is a need for substantial change in Rule 4 of the November 13 publications.

If the MeitY goes ahead with registration of companies without synchronizing the Rules with the Act, there could be legal objections that may stall registered Consent Managers from going ahead with the implementation of the accreditation. We can expect some of the other aspiring candidates seeking stay on the registration through legal means.

Let us watch this interesting developing news space.

Naavi


Neuro Rights adopted in Canada’s PIPEDA

Naavi.org had started a discussion on Neuro Rights during the Indian Data Protection Summit 2022 (IDPS 2022) where Professor Rafael Yuste, a professor and Neuro Scientist from Columbia University had presented his views through a virtual talk.

(Other articles on Neurorights can be found here)

At that time, Chile was the only country which had recognized Neuro Rights through a Constitutional amendment. Subsequently, in September 2024, Colorado and then in October 2024, California signed a law recognizing Neuro Rights as “Sensitive Personal Right” under the Privacy law.

Now Brazil, Spain and Mexico have also adopted Neuro Rights Protection through appropriate constitutional amendments. (Refer here)

The five principal Neuro Rights recognized by the NeuroRights Foundation are:

  • Right to Mental Privacy: This ensures that data obtained from measuring neural activity (brain data) cannot be sold, transferred, or used without the individual’s explicit consent. It aims to keep thoughts and brain states private.

  • Right to Personal Identity: This protects the “self” from being altered by external technologies. It ensures that neurotechnology (like brain-computer interfaces) does not blur the line between a person’s own consciousness and the output of a machine.

  • Right to Free Will: This right ensures that individuals maintain control over their own decision-making processes. It aims to prevent external “neuro-manipulation” where a technology could influence a person’s choices without their knowledge.

  • Right to Equitable Access to Mental Augmentation: To prevent a new type of “neuro-divide,” this right advocates for fair and equal access to cognitive-enhancement technologies across society, ensuring they aren’t reserved only for a wealthy elite.

  • Right to Protection from Algorithmic Bias: This ensures that the algorithms used in neurotechnology are designed without bias. It protects individuals from being discriminated against based on data extracted from their brain activity.

The harms normally recognized in the context of technological intrusions to human brain are:

  1. Neural Privacy Breaches
    • Unauthorized brain data collection
    • Neural data theft
    • Cognitive surveillance
  2. Cognitive Liberty Infringement
    • Forced neural modification
    • Involuntary thought monitoring
    • Cognitive manipulation
  3. Mental Integrity Violations
    • Non-consensual neuromodulation
    • Psychological manipulation through neurotechnology
    • Neural identity interference
  4. Neuro-Discrimination
    • Employment discrimination based on neural data
    • Insurance discrimination
    • Social scoring based on brain metrics

Each type of violation presents unique challenges and requires specific protective measures and legal frameworks.

The Parliament of Latin American countries (Parlatino) had introduced a “Model Law” with 13 articles. (Refer here)

Presently it has been reported that Canada has also taken a decision to recognize Neuro Data as “Sensitive Personal Information” under the PIPEDA.

While discussions continue on how Neuro Rights Protection can be achieved, the simplest approach has been to use the existing privacy laws by declaring neuro data as “Sensitive Data”. In India, under DPDPA, this can be done by declaring an organization processing neural data as a “Significant Data Fiduciary”.

I invite further discussions on this aspect. In the meantime, DGPSI will use the criteria that “Processing of Neural Data” imposes “Significant risks” and hence the data fiduciary should be considered as a Significant Data Fiduciary.

It would be interesting for readers to observe that Naavi.org had suggested a “CyBorg regulation” where consensual intervention of human brain was discussed. What a broader Neuro Rights law may mandate is the regulation through a consent mechanism under the DPDPA itself.

Open for debate.

Naavi


Towards a Resilient Pan-India Cyber Framework: Private Sector Cyber Defence Authority (PSCDA)

Digital Dependence today is on the increase. Both professionals and ordinary citizens are today dependent on Internet for connectivity, Computers and Cloud for Storing of Data and Electronic Documents as the data storing form. New Technologies such as AI have provided many conveniences but at the same time hardened the dependence.

As a result, the vulnerability of the society for Cyber Crimes has also increased to the extent that it is no longer a surprise if a company faces a ransomware attack or an individual becomes a victim of a cyber crime. There is a danger of the society becoming immune to the Cyber crime threat and taking it for granted.

If we allow this to happen, we will create a Digital Jungleraj. We need to prevent this.

Resilience essentially means how quickly and effectively we recover from a Cyber disaster. It is a fact that if we have lost reputation, it is difficult to recover. But at least if we have lost money, we should be able to recover it. If we have lost data we should be able to recover it. If our business has been disrupted, we should be able to get back on rails.

Cyber Space being what it is, we work on a global network. While individuals are connected to the local ISPs, privileged entities may be connected directly to global networks through direct satellite connections.

Hence regulating the space as if it is manageable within a region is not possible. But the nearest we can do is to create a Pan-India collaboration of stakeholders so that an informal regulatory network can be created.

If the stakeholders consist of both Private Sector as well as the Government, then there is a need to build trust between the two entities.

For this Public-Private trust to be effective, there has to be no internal trust deficit between the constituents themselves. Hence there has to be collaboration between one state with the other, one company with the other.

We therefore need to work towards this Intra Private Sector collaboration and Intra State cooperation at different levels.

If we presume that this is possible then there has to be a national leadership which has to come from one all India institution which every one of us trusts.

Just as we trust the defence forces to secure our borders we need to trust the defence forces to secure our cyber space as well. Unlike our physical boundaries which can be recognized, Cyber Boundaries exist everywhere and in every device connected to internet. Hence Cyber Security failures can enable intrusion of Cyber enemies into our Cyber space. It is therefore natural to expect that the “Defence Cyber Authority” has to take the lead. It now has a military component and we need to create a Civil Defence arm of this Defence Cyber Authority.

Under this, we need to bring in CERT-In as well as organizations like NTRO, I4C, the Cyber Crime police stations etc.

Similarly on the industry side, we need to create sectoral leadership and thereafter a federation of Cyber Security leaders. The CISO community can be a starting point. We need to first create a federation of CISO entities. The DPO community and CISO community have to be part of this federation and the federation should take up the responsibility of a Private Sector Cyber Defence system which can collectively work with the Civil Cyber Defence Authority in public interest.

Today, CERT-In is the legal authority which can enforce data breach notifications. The DPB will shortly have its own authority. But private sector will continue to be wary of the reputation loss that occurs when a breach is reported and hence will always have a tendency to hide breaches. This tendency may be reduced if the private sector forms its own Private Sector Cyber Defence system.

Probably we need to think in terms of a Private sector CERT and a Cyber Resilience Act as two instruments to pursue.

Let us therefore try to work towards this entity and if possible get a legal recognition from the Central Government.

Naavi
