FDPPI would like to facilitate DPDPA petitions in Supreme Court to be cleared at the earliest

India has witnessed a continued battle over the introduction of privacy laws for two decades. Every time the Government makes an attempt, whether in 2006 when the Personal Data Protection Bill 2006 was introduced in the Parliament by the then Government of which Mr Kapil Sibal was a part, or in the period of 2017 to 2023 when the Supreme Court through the Puttaswamy case pushed the need for a law, there has been opposition to the law on one ground or the other.

Now, after a long delay, the Government of the day has taken steps to announce the timeline of implementation. The law was enacted on 11th August 2023 but the implementation is happening only on 13th May 2027, nearly 4 years later.

From 2023 till date, activists had the freedom to assist the Government to make appropriate challenges provided they were willing to have some flexibility to understand that “Privacy Cannot be allowed to be a tool of Criminals to hide”. They however waited till the date of implementation was frozen and have now gone to the Supreme Court.

On the face of it, the petitions of Reporter’s Collective, Mr Venkatesh Nayak and NCPRI are focussed on the dilution of the RTI Act but the petitions are not limited to the controversy on Section 44(3). The prayer extends to scrapping of DPDPA and the rules.

The grounds, apart from the RTI Act, are “Unfettered powers to the Government on surveillance”, “DPB susceptible to Executive Control”, “Vagueness, overbroad and arbitrary”, “Disproportionate to the needs”, “Enabling unreasonable digital searches”, “Lack of balance between protection of Privacy Rights and Right to Information” etc.

One of the petitions specifically asks for striking down of Sections 5, 6, 8, 10, 17, 18, 19, 36, and 44(3), alongside Rules 3, 6, 7, 8, 9, 13, 16, 17, and 23 of the 2025 Rules.

In the past we have seen that the Government of India has not adequately defended the rights of citizens in the Supreme Court against powerful advocates such as Mr Kapil Sibal, Prashant Bhushan and Vrinda Grover. These are firebrand advocates who are considered capable of swaying the views of the Court through their commendable skills of articulation.

FDPPI is committed to ensuring that DPDPA is implemented without further delay. While we do support many changes in the rules to enable “Compliance without Pain” and “Penalty without Grudge”, the objective of “DPDPA implementation at the earliest” remains in the forefront.

We shall therefore give a series of informative articles here which explain each of the DPDPA Clauses on which some objection has been raised.

We may also have to take a look at Subash Chandra case or Ankit Garg case or Girish Ramachandra Deshpande case which have been cited along with the Puttaswamy case to defend the petitions.

We believe that the Rules are flexible and can be tweaked if necessary. The Supreme Court also has the power to read down any of the provisions of the law. A combination of “Reading down” and “Tweaking of the Rules” can together satisfy the petitioners without the need for scrapping the law.

We hope the information provided here would help the other professionals to understand and follow the case more effectively. (The next hearing is on March 23)

Follow us and contribute your thoughts…

Naavi


10 year journey with GDPR

On 25th May 2016, GDPR became a law. It provided a window of 2 years for implementation and hence the law became effective from 25th May 2018. We now have the experience of 8 years of implementation and hundreds of cases where penalties were imposed. According to enforcementtracker.com, 2775 complaints have been recorded and a total fine of 6.8 billion Euros has been imposed. We are not aware of how much has actually been collected and the state of litigations. Now about 30-40 fines are being imposed each month (refer tracker report 2025).

The highest fine imposed was EUR 1.2 billion on Meta Platforms. Some of the other countries have mocked the astronomical fines imposed by GDPR authorities in various countries. These fines have remained under dispute and we need to wait a long time before they become a reality. Since the EU had a data protection directive even before GDPR, there were trials based on the earlier directive undertaken after 25th May 2018.

Many countries who followed the EU with their own laws also adopted measures to impose their own fines, and a global cost of data management was imposed on the industry. Out of these, the UK has imposed fines of about 15 million pounds. Cumulative data of other countries is not easily available.

The practice of imposing fines on a global turnover basis and on foreign entities created a fear and urgency for compliance but has not endeared GDPR to the organizations.

Organizations incurred high costs of compliance particularly during the period 2018-2020 and have been maintaining substantial expenses since then. During 2016-2018, according to one survey, the investment for compliance was around $7.8 billion and since then there is annual expenditure of around $10 million each year by about 40% of organizations while around 88% spend less than $1 million. In 2025, the global market for GDPR tools was estimated to be around $3.7 billion. A conservative estimate on a global level indicates more than $20 billion invested in compliance.

In India it is estimated that the industry would spend around Rs 10000 crores in the next 3 years on compliance.

The transparency brought about by GDPR is good for the public but there are still problems of consent fatigue and the realization that this cost can finally only be borne by the consumers in the long run, since large data processors have continued to prosper.

The smaller entities in the industry (despite exemptions provided under GDPR) have however borne the brunt of the problems arising out of increased compliance burden.

India now has an opportunity to learn from these developments and ensure that SMEs and MSMEs are not unduly harassed as if this is a new tax regime. The responsibility for this falls squarely on the Data Protection Board and the MeitY.

While many other organizations will look at the so called “Rs 10000 crore Market” and how they can exploit it, FDPPI is concerned about

a) How to increase awareness of compliance particularly at the industry level

b) How to ensure that the penalty system remains fair

c) How to ensure that the rules of compliance are practical

We have miles to go before we sleep…to achieve “Compliance without Pain and Penalty without a grudge”.

Naavi

 


The AI Summit ..Sarvam AI mayam…But where is AI security?

The India impact AI summit has been a great success despite the first day problem of crowd management and the needless embarrassment caused by one of the exhibitors. It has created a high degree of awareness in the Indian public and also drawn international attention to India’s progress in the field. It will take some time for the current status of AI to be fully understood in the “Sarvam AI mayam” euphoria created by the event.

Despite the different reports about the event in the media, there is not much coverage on the “AI Risks” both to the users and to the society.

Normally innovators are not concerned about the impact of any new technology on the society. The talk of “Ethics” is simply an eyewash. Until “Ethics” is enforced through a law which is sufficiently deterrent, no commercial organization can be expected to recognize “Ethics” beyond the word being repeated in speeches.

It is the responsibility of the society to consider if India has to recognize the AI risks and take regulatory steps to ensure that they do not become a problem like how Cyber Crimes have become a problem for the society.

AI driven Risks may manifest both as operational Risks as well as AI driven Cyber Crimes. They will create a larger challenge to the society which cannot be ignored.

These are additional to the debate whether AI will result in Job Losses, Businesses going bust, AI taking over humans etc.

Were there any stalls in the summit on these themes? Were there panel discussions? Were there expert talks? Were there solutions discussed? We need to explore.

In the meantime, I leave below some instances of AI related issues in health care which I had collected a few days back which should open our eyes on operational risks in the use of AI.

  • UnitedHealth & Humana “nH Predict” Algorithm (2025):
      • AI algorithm used to deny coverage to elderly patients had a 90% error rate on appeal.
      • The system, optimized for cost-cutting, disproportionately impacted patients, with humans often overturning 9 out of 10 denials.
  • Dermatology AI Bias (2024):
      • A study on skin cancer detection AI found that most systems struggled to perform on non-white skin, with significant performance drops in sensitivity for dark-skinned individuals.
  • Pulse Oximeters Overestimation (2024):
      • A UK review confirmed that pulse oximeters, often aided by AI, tended to overestimate oxygen levels in people with darker skin, leading to potential delays in treatment.
  • Epic Sepsis Model (2022/2024):
      • A widely deployed sepsis prediction model in hundreds of U.S. hospitals was found to have a very poor, failing performance compared to its advertised performance.
      • It missed 67% of sepsis cases while triggering excessive false alarms.
  • Fake Medical Information (2025):
      • Studies showed that AI chatbots, such as GPT-4, failed to gather complete medical histories and sometimes generated incorrect, dangerous diagnoses based on simulated patient conversations.
  • ECG Misinterpretation (2025):
      • In a 2025 trial, an AI-enabled ECG tool wrongly flagged a heart attack for a healthy 29-year-old woman, illustrating how models can be “statistically confident while still being clinically wrong”.
  • NEDA “Tessa” Chatbot (2023):
      • The National Eating Disorders Association had to disable its chatbot, Tessa, after it was found to be providing dangerous weight-loss advice and calorie-tracking recommendations to people with eating disorders.
  • Data Privacy Violations (DeepMind):
      • Google’s DeepMind received criticism after it was revealed that the NHS had provided data on 1.6 million patients to train its “Streams” app without proper patient consent.
  • Robotic Surgery Failures (2023):
      • AI-powered robotic systems have shown failures where the electrical current can leave the robot, resulting in accidental burns to surrounding tissues.

Let us study such incidents and try and find solutions in the form of technology and governance.

We need to start discussing solutions to AI risks and the need for new regulations including modification of ITA 2000 and introduction of the concept of Neuro Rights within DPDPA.

Naavi


The DPDPA Challenge in Supreme Court

The Supreme Court heard three petitions on February 16 challenging the DPDPA as well as the rules.

The key aspects of the disputes raised are:

  1. Section 44(3), which amends section 8(1) of the RTI Act, will dilute the current provisions.
  2. Government seeks powers to seek data from data fiduciaries.
  3. The Act fails to bring a balance between Right to Privacy and Right to freedom of information.

Naavi.org would analyse the petitions in detail in due course. We are in receipt of copy of one of the petitions posted by Mr Apar Gupta on his website. Copies of the other two petitions are still not available.

Naavi


Supreme Court refers the DPDPA Challenge to a larger Bench

On 16th February 2026, the Supreme Court heard the preliminary petitions challenging DPDPA 2023 from the perspective of whether Section 44(3) and other sections violate the Constitution.

The three petitions which were heard were

    1. Venkatesh Nayak v. Union of India, W.P.(C) No. 177/2026;
    2. The Reporters Collective Trust & Anr. v. Union of India & Ors., W.P.(C) No. 211/2026; and
    3. National Campaign for Peoples Right to Information v. Union of India, W.P.(C) No. 212/2026.

Despite strong pleadings, the Court refused to stay the Act but committed the petitions to a larger bench. It has issued necessary notices to the Government.

A detailed post on internetfreedom.in provides additional information on the developing case. A copy of the petition of The Reporter Collective Trust is available here.

This petition goes much beyond Section 44(3) and challenges Sections 5, 6, 8, 10, 18, 19, 36, besides 44(3) of the DPDP Act, 2023, and Rules 3, 6, 7, 8, 9, 13, 16, 17, and 23 of the DPDP Rules, 2025.

It is interesting to note that while the petition wants to have easy access to all beneficiaries of various Government schemes, they want to redact the name of the petitioners because they consider it their right to privacy. This is a point to be noted.

The prayer in the petition is as follows:

PRAYER

Therefore, in light of the above-mentioned facts and circumstances, it is respectfully prayed that this Hon’ble Court may kindly be pleased to:

A. Issue a writ in the nature of mandamus, or any other appropriate writ, order, or direction declaring the whole of the Digital Personal Data Protection Act, 2023, and specifically Sections 5, 6, 8, 10, 17, 18, 19, 36, and 44(3), of the Digital Personal Data Protection Act, 2023, to be void, inoperative and unconstitutional for being ultra vires Articles 14, 19, and 21 of the Constitution;

B. Issue a writ in the nature of mandamus, or any other appropriate writ, order, or direction declaring the whole of the Digital Personal Data Protection Rules, 2025, specifically Rules 3, 6, 7, 8, 9, 13, 16, 17, and 23 of the Digital Personal Data Protection Rules, 2025, to be void, inoperative and unconstitutional for being ultra vires Articles 14, 19, and 21 of the Constitution;

C. Issue any other writ, order or direction as this Hon’ble Court may deem fit and proper to do complete justice in the circumstances of the case.

It is our duty to analyze the petition point by point and present it to the larger public to understand the issues involved. We shall do so in due course. Watch this space.

Naavi

Also Refer: livelaw

 

 


DPDPA at the doors of Supreme Court

As expected, the law of DPDPA is now before the Supreme Court. Normally Courts are expected to step in when a citizen has an adverse impact of the law and seeks remedy. However, in India, almost every law that gets passed by the Parliament is scrutinized by the Supreme Court even before it is implemented under the speculation that “This is unconstitutional, Give a stay and later scrap the law”. The same thing has now happened for DPDPA 2023. There are always some so called Public Interest litigation specialists who contrive the reason to challenge the law and hamper the progress. Supreme Court has allowed itself to be used as an instrument of delaying legislation in the country and the trend continues.

I refer to the article in “Thewire.in” which refers to a petition of one RTI activist Mr Venkatesh Nayak to ensure that “Two decades of transparency in the life of public authorities is not reversed into an era of dark opacity”. The case would be argued by Ms Vrinda Grover and perhaps also Mr Prashant Bhushan, before a bench of Justices Suryakant, Joymalya Bagchi and Vipul Pancholi today.

We do not have a copy of the petition to understand the logic but the article makes the following mentions which we can comment on.

1. Section 44(3) is already in force.

2. Section 44(3) amends the RTI Act to broadly exempt the disclosure of information deemed to be “Personal” and provides a “Blanket bar” on an obligation to disclose all personal information.

3. Section 44(3) contravenes Article 19(1)(a) of the Constitution and violates the right to equality by equating privacy of public functionaries to that of ordinary citizens.

Another petition that has been filed is Reporters Collective & Nitin Sethi v. Union of India (W.P.(C) No. 177/2026). This petition extends the objections and seeks to strike down the entire DPDPA as unconstitutional. Objections are made on Sections 5, 6, 8, 10, 17, 18, 19, 36, and 44(3), alongside Rules 3, 6, 7, 8, 9, 13, 16, 17, and 23 of the 2025 Rules.

Another petition, filed by Prashant Bhushan for NCPRI (W.P.(C) No. 211/2026), also reflects a similar view.

While we appreciate the legal acumen of those who have filed these petitions, it is clear that the objective of this elite exercise is to delay DPDPA implementation to the extent possible. It is unlikely that the Supreme Court may be persuaded to consider the objections but the petition has the power to disturb the industry’s resolve to start implementation immediately.

The Urban Naxalites would be happy…that they have placed one more hurdle on the Government to do what it wants to do.

For the time being, let us watch what the Supreme Court does on this petition. We shall analyse the case as it develops.

Probably a notice would be issued to the Government in this regard. We do not expect any stay at this point of time.

I request any of the readers having a copy of the petitions to send me a copy so that we can take a deeper look at the same.

Naavi

Also Refer:

Opposition seeks repealing of Section 44(3) of DPDPA 2023

The hue and cry about RTI Act being diluted by DPDPA is misplaced.
