On 12th March 2026, the Supreme Court of India, responding to a set of petitions challenging the constitutionality of DPDPA, issued a notice to the Central Government for its response. The further course of action will be decided at the next hearing, scheduled on March 23rd. At that time a decision may be taken to form a Constitutional bench to hear the arguments further.
The Hindu has put out a report (on 12th March) quoting advocate Indira Jaising in this regard. Similar reports are coming up in all publications as well as livelaw.in indicating an orchestrated campaign to support the petitions. This is an orchestrated campaign of NCPRI and Reporter’s Collective Trust which are petitioners in the Supreme Court. Each report quotes a different advocate indicating the attempt to spread a message and formulate a public opinion as if “Sending a Notice to the Central Government” is acceptance of the petitioner’s arguments.
FDPPI/Naavi is the only organization which is capable of countering this propaganda and would like to answer each and every point raised by these paid journalists.
We call out each of the journalists who have penned their names in the articles to justify their views in an open forum.
We will send out an invitation for a virtual conference to all these reporters shortly. In the meantime, our views are also presented here for neutral observers.
Naavi
The report in Hindu states that the Court has asked Ms Indira Jaising to frame questions of law. The article indicates the following issues that may be discussed during the proceedings.
- Has the Act failed to clearly define terms like Information and Personal? Is there a need to define “Personal Data” and distinguish it from “Public Data”?
- Has the law in effect legalized disproportionate state surveillance?
- Has the law created a compensation vacuum for citizens?
- Has the law diluted the Right to Information?
- Has the law eroded the ability of Journalists to practice their profession?
- Has the law established a data protection regulator who is structurally dependent upon the executive?
- Has the Section 44(3) of the Act imposed a “Blanket Ban” on Right to Information (RTI) applications seeking disclosure of personal information?
- Since the term “public Interest” has been deleted from DPDP Act, does it mean that Journalists cannot access data which is in public interest?
- Does DPDP act prevent a journalist from accessing information which is in the public interest to satisfy the public’s right to information and knowledge?
- Does the law enable the State to mount sweeping surveillance on anyone?
- State has exempted itself from the restrictions regarding personal data in the Act.
- Has the law given the State the power to glean personal information from the web without being curtailed by the law?
- The Act gave overbroad and undefined categories, including ‘public order’, under which the State could demand personal data.
- Has the Act allowed compensation for illegally accessing personal data to go directly to the government and not the injured person? Has the law allowed that Penalties are payable exclusively to the Consolidated Fund of India and the data principal whose privacy is violated receives no compensation, restitution or restoration, even in cases involving identity theft, financial fraud, reputational harm or dignitary injury?
- Does the protection of sensitive and personal data by the domestic laws of the country in which the information had originated and was stored raise the issue of data sovereignty?
Naavi would be trying to provide his interpretation on each of the above points raised. We request the learned counsels and the honourable Court as well as the Government of India take into account the perspective of professionals in this regard which is briefly presented here. FDPPI/Naavi would be happy if an opportunity is given to explain these thoughts to the relevant audience so that the correct interpretation is discussed in the Court.
1. Has the Act failed to clearly define terms like Information and Personal? Is there a need to define “Personal Data” and distinguish it from “Public Data”?
“Personal Data” is defined under section 2(t) of the Act as, “(t) “personal data” means any data about an individual who is identifiable by or in relation to such data;” Hence there is a clear definition of Personal data.
“Data” is defined under section 2(h) as a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means;
“Information” has been defined under Information Technology Act 2000 (ITA 2000) which continues to remain the backbone of the digital legislation in India. This definition under Section 2(v) of ITA 2000 states “Information” includes data, message, text, images, sound, voice, codes, computer programmes, software and databases or micro film or computer generated micro fiche. This amendment was made through the Information Technology Amendment Act 2008 which was influenced by the Personal Data Protection Bill of 2006 which was presented in the Parliament in 2006 during the Pre-Modi era but was allowed to lapse.
Hence it is incorrect to say that there is no clarity on the definition.
What is not “Personal data” is “Non Personal Data” which is out of scope of DPDPA. When data is made public by an individual or is caused to be made publicly available (either under a law or authority) DPDPA is not applicable though the information may still be considered as “Personal Information”. Such data is not considered as “DPDPA Protected Data” (DPD).
In the context of Section 44(3) and the impact on RTI Act, the “data of a public official” made public because the official is a public servant, is not considered as “DPDPA Protected Data”.
“Made Public” means that the data is accessible to a member of the Citizenry without restriction. The name and designation of all Government servants are to be considered as such “Publicly available data” and hence are not restricted by DPDPA for disclosure.
The Public authority can also declare the name of the PIO as part of its disclosure along with his “Contact Information” just as the Business contact data of a DPO is by law made public.
This part of the objection raised against amendment of Section 8(1)(j) is therefore not tenable. The data of the public which may be released during an RTI enquiry, however, comes under the definition of “personal data” under DPDPA and hence is protected data. The PIO and the Public authority will have consequences for violation of DPDPA if the disclosure is not within Section 17 of DPDPA or its use is not covered under Section 7 of DPDPA.
It must be noted that the “data” with which an individual may be identifiable is not one single element of data but a set of few data elements which together identify the individual. Data which is “Personal” in the hands of one data fiduciary may not be so with another data fiduciary if the associated sets of data elements are different. This aspect has also been recognized by GDPR authorities after 10 years of GDPR and an amendment to explain this has been introduced now in “GDPR Omnibus Proposal” which is now under public comment stage.
Hence, disclosure of data which is “Pseudonymised” or “Anonymised” is permitted under DPDPA and the same is already incorporated under the DPDPA Rules as “Standards” of security to be followed by the Government for application of legitimate use or for exempted disclosures.
The objection that the RTI Act is being diluted is therefore misplaced and is a result of not understanding the law in full.
2. Has the law in effect legalized disproportionate state surveillance?
DPDPA has not given any blanket permission for state surveillance. Exemption is provided for all provisions of the law only under Section 17(2). But this is applicable only to specified instrumentalities of the State which need to be notified and the exemption is applicable only in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these.
These purposes are only part of the exceptions available for the right to privacy as per Article 19(2) of the Constitution.
Accountability for such use is also fixed on “Such officer of the State or of any of its instrumentalities notified under clause (a) of sub-section (2) of section 17 of the Act, as the Central Government or the head of such instrumentality, as the case may be, may designate in this behalf.” (Seventh Schedule of the Rules).
Even the legitimate use permission under Section 7(b) or 7(c) is applicable only for establishing the legal basis (avoiding the notice and consent) and is meant for providing subsidy or other benefits or for performance of certain national security duties by the instrumentalities of the Government. It does not exempt other provisions including security.
It is also necessary for us to appreciate that the “Right to Privacy” is not an absolute Right and there is a “Right to Security” which is also part of the Right to Life and Liberty. This has to be balanced and it has been effectively done under the provisions.
Hence by no stretch of imagination can it be said that there is disproportionate state surveillance.
3. Has the law created a compensation vacuum for citizens?
The DPDPA as a law is replacing the provisions of Section 43A of Information Technology Act 2000 (ITA 2000). However, all other aspects of ITA 2000 are intact. DPDPA addresses the issues of what pro-active measures are to be taken by the industry so as to protect the data principal through the Data protection Board and imposes deterrent fines. The Data principals who have a “Cause of Action” in terms of loss suffered due to a personal data breach need to get their compensation through Section 43 and Section 46 of the ITA 2000.
This is the global norm in the EU or USA, where the Cyber Crime laws function along with GDPR or other Data Protection Laws and provide compensation to the victims of data abuse of all kinds including violation of Privacy.
Hence there is no vacuum for Citizens for obtaining any compensation they deserve. The TDSAT is the appeal authority under ITA 2000 which is also the appeal authority under DPDPA for appeals against the decisions of the Data protection Board.
The penalties imposed under DPDPA are not in the nature of “Compensation” and hence there is nothing wrong in not sharing the same with the Data Principal.
4. Has the law diluted the Right to Information?
DPDPA has not diluted RTI since the appeal remedies remain intact under the RTI Act. If Section 8(1)(j) had not been amended, the PIO would be responsible for determining the possible harm to an individual and likely infringement of the Right to privacy (which has not been defined even by the Supreme Court in the Puttaswamy judgement) and would have to exercise his judicial acumen on the “harm caused to an individual under Right to privacy” Vs the “Larger Public Interest”.
This is an onerous responsibility for which neither the PIO nor the CPIO would be equipped. At the same time, every decision of a PIO to release personal data would be complained upon by an affected data principal both under DPDPA as well as ITA 2000 as wrongful disclosure, exposing the officials to civil and criminal penalties.
The public authority would also be liable for the penalties under DPDPA and also to provide personal compensation to the affected data principal.
Such liability may be also attributed to the PIO through Section 85 of ITA 2000, since it is because of his wrong decision that the privacy would have been infringed.
Prior to the Puttaswamy judgement of the Supreme Court on 24th August 2017, when Right to Privacy was not considered as a “Fundamental Right” the situation was not considered that onerous. There was no DPDPA and hence there was no penalty also.
This pre-2017 system of RTI act has to be considered as no longer applicable and hence it was mandatory for the Government to make the changes that they have made to the Section 8(1)(j) of the RTI act.
Now, whenever any personal data is released by a PIO, the PIO stands before the Data Protection Board for having infringed the Right to Privacy (or Right to protect personal information as per the preamble of DPDPA).
Hence the change was inevitable and mandatory. The Information Commissioner would be like the other sectoral regulators like RBI, SEBI etc and has to work along with the DPB with mutual understanding and division of responsibilities.
5. Has the law eroded the ability of Journalists to practice their profession?
DPDPA has not eroded the ability of a Journalist to practice his profession. The basic definition of journalism is that it is a profession of collecting and writing about news.
“Investigative Journalism” is a term coined by some media experts to cover “Investigative work” which is the duty of the law enforcement. Most investigative journalists violate law willingly and face the charges of both civil and criminal penalties. Courts protect them where the benefit to the society outweighs the gravity of the crime. Even then, an Investigative journalist cannot commit a murder to save the society. He can at best absorb the “Defamation” charges and claim indulgence by a Court.
By law, “Investigative Journalism” cannot be legalized as mainstream journalism. Hence claims such as that the changes to the RTI Act adversely affect the Right to Profession of the Journalists are not tenable.
Further, in the Digital Era, the definition of “Journalist” should include every blogger, Youtuber, Instagram or TikTok account holder who publishes news. Currently they do not get recognized as part of Journalists who have raised the issue that their Right to Profession has been adversely impacted by the PIO not being able to freely release personal information of beneficiaries of various Government projects.
The claim that such “Investigative Journalism” and “Social Audits” are necessary to bring accountability to Governance and prevent Corruption is misplaced. Today most media houses are corporate owned and they have their own agenda often driven by international geo politics. In 2021, New York Times advertised in India to recruit a South Asia business correspondent since it was looking specifically for candidates with “Anti-Modi” and “Anti India” bias. (Also refer https://www.youtube.com/watch?v=8Xepu4JILTI).
Hence the claim that “Journalism is a haloed profession and a pillar of democracy” is an outdated concept and does not fit into the current times. It is a profession just like any other profession. Today even the Police has to answer the human rights activists and respect the rights of the public. A Journalist cannot be an island of virtue whom the restrictions of DPDPA cannot touch.
6. Has the law established a data protection regulator who is structurally dependent upon the executive?
The implementation of DPDPA will be regulated by the Data Protection Board and the Ministry of Information Technology (MeitY). For certain specific functions, MeitY is designating specific officers. All organizations determining the purpose and means of personal data processing are termed as “Data Fiduciaries” and are required to have a Compliance officer, Grievance Officer, DPO and an Independent Data Auditor as different persons accountable for compliance of the provisions of the Act.
The entire eco-system is reasonably robust and is supervised by the judicial oversight of the TDSAT and later the Supreme Court itself.
The Data Protection Board (DPB) is a five member body which will consist of experts with integrity, experience, professional standing. At present the Board has not been constituted. Speculating that it would be structurally not independent is judiciable.
Currently the law only specifies the constitution of the search committee. Considering that the DPB functions as a body to conduct inquiries and administratively evaluate the data breach incidents to regulate compliance, the search committee consists of the three secretaries of Government and two persons from private sector. There is no reason to indicate that the search committee will only select a compliant set of people and that those selected will not exercise their independent decision making powers. One can always speculate that an influential Government position can be misused and may turn to corruption. But these are issues that need to be handled when the issue arises and cannot be speculated as if every person who may be appointed to the DPB will be a “Dependent Executive”.
This is therefore not judiciable at this stage. If any individual member appointed to the committee is found to be unsuitable, his/her appointment can be questioned in the appropriate forum including the High Court or the Supreme Court.
7. Has the Section 44(3) of the Act imposed a “Blanket Ban” on Right to Information (RTI) applications seeking disclosure of personal information?
As already explained, Section 44(3) makes amendments to RTI Act which is considered “Mandatory” after the Supreme Court judgement holding “Privacy is Fundamental Right” and the passage of DPDPA with penalties for not securing personal data of the public and disclosing it without legitimate basis or consent.
There is no blanket ban on disclosure of personal information. It is one of the grounds on which disclosure can be denied. If the PIO/CPIO decides to disclose the personal data under Section 8(2) of the RTI Act disclosure is permitted though the possibility of action under DPDPA by an affected data principal or by the DPB is feasible. Even when the disclosure is refused, there is an appeal process where the Information Commissioner or the Supreme Court may still permit the disclosure. Even if the DPB has objection the matter may be subjected to scrutiny by the TDSAT and later the Supreme Court.
Hence all judicial remedies are intact to meet the expectations of a vigilant and honest journalist trying to explore accountability and corruption in Government.
Every PIO who has to take the decision on disclosure of Personal Information should consult the DPO internally. The RTI applicant may be allowed to invoke the internal grievance redressal system if required. If satisfied, the PIO can permit the disclosure, taking the risk that the harm that may be caused to certain data principals may later be held to outweigh the larger public interest.
8. Since the term “Public Interest” has been deleted from DPDP Act, does it mean that Journalists cannot access data which is in public interest?
No. Journalists may continue to invoke provisions of RTI act under Section 8(2) and let the PIO take the decision either to disclose or not. Appeals are possible both under RTI Act and perhaps also under DPDPA and finally the matter will come to the Supreme Court for a final review.
It will be no longer possible for powerful RTI activists to bully the PIOs and extract information which could cause damage to the public.
Since the information of the officials themselves is not considered “Protected Personal Information”, the disclosure of such information is feasible even without the need to prove “Public Interest”.
9. Does DPDP act prevent a journalist from accessing information which is in the public interest to satisfy the public’s right to information and knowledge?
For the reasons already stated, if there is real “Public Interest”, the journalist who is a “Social Activist” has the access to the appeal authorities and the courts to force release of any information.
When such information is released on the basis of a Court order, the PIO and the Public Authority would be protected from being held liable under Section 33 of DPDPA.
Hence there would be no opposition from the PIO to release the information. He would be relieved of the responsibility to sit in judgement of what is personal information, whether there is any harm caused by the disclosure to any individual, whether the harm caused if any outweighs the public interest, how to value the harm, how to value the public interest, how to balance the two, etc.
It would not be unfair for the PIOs to be relieved of this judicial responsibility, for which they are not trained and on which the law is not clear enough to be interpreted without dispute.
10. Does the law enable the State to mount sweeping surveillance on anyone?
No. Since the exemptions are limited to part of the exceptions allowed under Article 19(2) and are available only to notified Instrumentalities of the Government, for discharging of specified duties through special officers designated for the purpose, the law does not provide any blanket sweeping powers.
Even then there is an internal grievance redressal mechanism supported by appeal to DPB, TDSAT and the Supreme Court.
Law can do only this much and not satisfy all speculative demands of activists.
11. State has exempted itself from the restrictions regarding personal data in the Act.
This is incorrect. As already explained, Section 17(2) is the only section which says “Provisions of this Act shall not apply” and it applies to only notified instrumentalities of the State and only for specified purposes which are a subset of exceptions permitted under Article 19(2) of the Constitution.
The reports appearing in different publications under the names of different journalists are planted stories by some vested interest.
Given the fact that the petitioners are NCPRI and Reporter’s Collective, it is not surprising that these articles are systematically being published in different publications all of which exhibit a compromise of journalistic principles.
The way these journalists are publishing these articles itself validates that there is no genuine journalistic community left in the organized media houses and there is no reason to consider that they have any special rights to freedom of expression.
12. Has the law given the State the power to glean personal information from the web without being curtailed by the law?
It is not clear what the justification for this charge is. If anybody gleans information from the public, it is the private sector which does it.
The Government sector is ignorant of the tools that can glean such data and some of the departments like Income Tax which are trying to use IT tools for their tax collection purpose are often making mistakes because their private sector partners do not have proper tools and make mistakes.
I have recently pointed out an error by the IT department which should be attributed to some private sector company which is assisting the department with some tool branded as “AI” which the department cannot understand.
If this charge arises from the fact that “Personal Information made public” is not considered as protected personal data, it is necessary for us to remember that ultimately what is personal and what is not is the “Choice” of the data principal and if he has made his information available to anybody through a public website, it is his prerogative.
If any organization, whether it is Government or Private, picks up data in public space and uses its IT capabilities to modify the information, de-anonymise or de-pseudonymise, then they are all committing a Section 66 offence under ITA 2000 and are punishable with imprisonment besides being liable under Section 43.
Only because the community does not understand ITA 2000 properly and has no resources to question the Government or Private Sector on specific misuse of publicly available information, such offences are going unnoticed and unreported.
13. The Act gave overbroad and undefined categories, including ‘public order’, under which the State could demand personal data
This objection comes from the exceptions provided under Section 17(2). If anybody thinks that “Public order” etc are “Undefined”, they have to question the Constitution of India. These terms are imported from Article 19(2) and have been discussed in the Courts many times.
One should observe that Section 17(2) qualifies that even the prevention of cognizable offences covered under the section is limited to those which are related to sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order.
The Government has been more conservative than required and the charge is unfair and unsustainable.
14. Has the Act allowed compensation for illegally accessing personal data to go directly to the government and not the injured person? Has the law allowed that Penalties are payable exclusively to the Consolidated Fund of India and the data principal whose privacy is violated receives no compensation, restitution or restoration, even in cases involving identity theft, financial fraud, reputational harm or dignitary injury?
This is one of the most childish charges made by the petitioners and exhibits the ignorance of the petitioners.
DPDPA does not function in a vacuum. It works along with ITA 2000 in particular. ITA 2000 has specific provisions under section 43 and procedures under Section 46 to enable any individual, whether he is a data principal or not, to claim compensation from any person or company (can be extended even to a Government department which can be sued in its own name) in the event of any injury caused to the “Data”. All DPDPA breaches that could cause damage to a data principal are covered under ITA 2000.
DPDPA restricts itself to enforcing discipline in the industry through some compliance measures which would reduce offences related to personal data misuse. The earlier section 43A of ITA 2000 was also meant for the same purpose but it has now been extended to Government and the penalties are specified.
Hence there is no reduction in the rights of individuals to claim compensation. The penalties under the Act are not meant to compensate the individuals affected. This is a global norm and GDPR does not share the penalty of $1.2 billion with Max Schrems who initiated the litigation.
The allegation arises out of ignorance and is not sustainable.
15. Does the protection of sensitive and personal data by the domestic laws of the country in which the information had originated and was stored raise the issue of data sovereignty?
It is not clear if this is just an observation or a point of contention. By providing a “Right to Nomination” to the data principal, DPDPA has recognized “Ownership of Personal data” with the data principal. This applies both to sensitive and non sensitive data. This does provide data sovereignty at the individual level.
Whether an “Individual’s Property” is also the “National Asset” and can be referred to as “Sovereign to the nation” is a different discussion. At present Section 16 of the DPDPA has empowered the Government to restrict transfer of data out of India in certain circumstances. Currently the rules have not addressed the same and we cannot raise a complaint for what the Government may do in future.
It is seen from the above that none of the contentions raised by the article are sustainable. But the campaign has been launched and it needs to be countered. We feel that many reporters have just lent their name to the different articles which are drafted by the PR agency of NCPRI (National Campaign for People’s Right to Information) or Reporter’s collective.
I invite the reporters such as Anmol Kaul Bawa of Live Law, Krishnadas Rajgopal of the Hindu, Shemin Joy of Deccan Herald and others who have parroted the press release as their own articles to an online debate on the points raised above. I will be raising a note on LinkedIn connected to this article and invite them to send their acceptance to attend the event through comments there.
We want Journalists to be properly informed and not just print whatever is dished out by the PR agencies, attributing it to themselves.
We request the honourable Supreme Court to call out the pseudo journalists and pseudo public interest persons who are trying to cancel the law which could bring some benefit to the society at large.
Could the law have been better? That is a debate for the future.
Naavi








