ournalism runs on names, documents, and timelines. The Digital Personal Data Protection Act, 2023, with its draft rules, treats all of this as regulated “personal data” and seats the executive over the newsroom. To be clear, this law has been criticised by privacy activists like us for failing to protect our personal data. Yet, at the same time, through a mix of discretionary powers and compliance mandates, it manages to place a chokehold on journalists and RTI activists. It will not merely slow the press, it will sap the courage and the routines that produced the reporting that has cleaned India’s public life for decades.
As a preliminary matter, unlike previous drafts of the data protection law, this version that passed into law does not recognise journalistic purpose. It turns every reporter, editor, and independent digital news outlet into a “data fiduciary” who must issue notices, seek consent, and prepare to erase on demand by a “data principal”. It demands that a journalist should foretell the purposes and processing to any person identified by them in their work, even when a story changes in the field. It also creates a vague “Significant Data Fiduciary” designation that can be used for larger publishers, with audits, impact assessments, and intrusive governance paperwork that pulls open internal systems. Rather than a shield for citizens, it is a pry bar into a newsroom. Under a consent-first regime for the press, any undercover work becomes a legal oxymoron. The stings that exposed MPs selling questions and officials taking cash would be unthinkable if cameras first needed consent and subjects could later force erasure. Even routine, source-driven reporting would calcify under the threat of penalties untethered from intent or public interest.
The second blow of this data protection law lands on the Right to Information Act. It simply erases the tentative balance that once existed in which personal information would be disclosed by public authorities if it was in public interest. Not stopping there, it also deletes a proviso in which citizens could demand the same information that our elected officials could inquire for in legislative Houses. The DPDPA amendment rips out the override and buries the proviso. Think of the Adarsh Housing Society records showing how a tower for Kargil widows was carved up for the powerful. Think of the Commonwealth Games paperwork revealing diversion of funds meant for the marginalised. Think of the Reserve Bank of India’s minutes that unsettled the official tale of demonetisation. Each can now be stonewalled with two words, “personal data”.
A third danger is the power to “call for information”. This data law lets the Union government demand “such information as may be called for” from any data fiduciary or intermediary. That is a vast, unchecked power not linked to any underlying grounds which, of course, may be limited later through rule-making power. However, even with it, there is a risk of overbroad use as no independent authorisation or meaningful remedy is required for the exercise of the power. An order to “call for information” can potentially demand raw notes, leak files, interview recordings, reader lists, and server logs. What brave source will trust a newsroom that can be ordered to disgorge its vault?
These legal faults are not academic. They map neatly onto the kinds of investigation that shaped Indian public life. Consider the Bofors papers that toppled a government; the Harshad Mehta columns that pried open a labyrinth of bank receipts and market manipulation; the Jain hawala diaries and the litigation that followed which insulated the Central Bureau of Investigation from political interference; the Kamla sting that put a face and name to the horror of trafficking; the defence procurement stings that filmed bribe-taking in grainy rooms and changed ministerial fortunes; the Radia tapes and the 2G revelations that exposed a cash-for-patronage telecom culture; the Panama Papers collaboration that revealed offshore wealth and led to tax recovery and prosecutions. Each relied on names. On tapes. On files. On collaboration across borders and across time. Under this new data regime, each step becomes a legal tripwire, a budgetary bleed, a potential litigation.
Cross-border transfer of personal data rules add the fourth shackle. Modern reporting lives on encrypted tools and often on servers outside India by design. It is safer there, that is the point. The draft rules would let the government license and throttle these transfers. That sounds technical until you remember Pegasus and other cross-border collaborations where security and international collaboration was essential to the function of reporting. If an official can deny transfers or compel mirror hosting at home, it can map networks, lean on partners, and burn sources. International projects, such as the International Consortium of Investigative Journalist’s work on tax havens or transnational spyware reporting, depend on freedom to compute where safety permits and to publish where the story lands. You cannot promise the public global accountability while chaining the press to national storage directives.
The fifth problem is liability calibrated to chill. With no journalistic exemption, penalties up to hundreds of crores hang over routine newsgathering. Pair that with the “call for information” power and a Data Protection Board that is wholly a creature of the Union government and you have a system primed to pierce reporter source privilege through process. Whistleblowers and leakers will vanish. Not because they lack courage but because they will fear public disclosure of their identities followed by the threat of expensive and protracted litigation. The hawala ledgers, the lobbyist transcripts, the banker confessions, the paper trails of land and licences — these are all “personal data”. In the hands of a motivated complainant or a thin-skinned official, it will be put to abuse, which, due to its intentional vagueness and drafting, is in many ways its intended use. You do not need criminal defamation when you can manufacture regulatory exposure and potential liability.
Finally, the compliance burden will crush the small and the brave who have been holding our public officials to account. Today, many independent digital outfits carry much of our investigative load. They derive revenue primarily through online subscription and donation models. This includes subscriber databases, newsletters, contribution platforms, analytics dashboards. All of it becomes a minefield of multi-language notices, granular consent logs, erasure-by-default, and audit trails. If designated “significant”, they must fund assessments and external audits, draft board-level policies, and accept intrusion into editorial back-rooms disguised as data governance. Even the deletion cycles envisaged in the draft rules, however well-intentioned, become dangerous when applied to archives. To be clear, while such data fall outside the purview of “journalistic purpose” and should be regulated by data protection, there is a real basis to a sense of foreboding. Extraordinary and complex compliance burdens, especially in our taxation and financial reporting systems, have been tied to the contraction of non-profits and civil society in India.
Indian journalism is not an abstraction. It is Bofors. It is Harshad Mehta. It is Adarsh, 2G, CWG, and Panama. It is village women who used RTI to confront a ration mafia and got the dealer’s licence suspended. The pensioners who forced a railway board to honour a Supreme Court order and release arrears. The law before us would have made much of this impossible or punishable. If privacy is the citizen’s shield, a free press is democracy’s sword. A good data protection regime knows the difference. This one does not.
Apar Gupta and Naibedya Dash are advocates who work at the Internet Freedom Foundation