<p>With the Union government notifying the rules of the Digital Personal Data Protection (DPDP) Act, 2025, the law has come into effect, while the questions it has raised remain unanswered. Privacy is central to the times we live in, and breaches impact life across domains. </p><p>This makes the need for strong data protection clear and indisputable. The provisions of the DPDP Act – widely discussed before and after it was passed by Parliament in 2023 – have attracted much criticism on multiple grounds, including their impact on privacy, freedom of speech and expression, and the right to know. These are fundamental rights, and the law will impact them in ways few other legislations have.</p>.<p>The declared objective of the law is to protect personal data, but the means to achieve this, such as non-negotiable consent, breach notification, and erasure rights, will not come into play immediately because the law will be implemented over 18 months. There is no definite timeline for the implementation of some of its key provisions. Another fallout is its impact on the Right To Information (RTI) Act – under the law, information, which is deemed personal, need not be disclosed, even if there is public interest in it. </p>.Over 12 lakh central government employees, including Union ministers, switch to Zoho Mail, but privacy concerns remain.<p>This provision will be used to deny information under the RTI, further weakening the law. The rules grant unchecked powers to the government to demand personal data from data fiduciaries without consent on undefined grounds, such as national security. This will give the government powers to control data and, with it, the people who own such data. These provisions may lead to surveillance. It is to be noted that data fiduciaries are banned from disclosing such demands from the government.</p>.<p>In democratic countries, exemptions in rules are made for journalists in the collection of and access to data that is of public interest. An earlier draft of the DPDP Act contained such an exemption, but it was later dropped. The result is that journalists will not be able to identify and disclose the names of people who are accused of wrongdoing because that can be construed as violating their privacy. </p><p>They will also need to obtain permission for writing about people relevant to these cases. Violations of the law’s provisions will attract fines of up to Rs 250 crore. The law and the rules in their present form would help the government exercise extensive control over the people – a power that stands in stark contrast to the idea of data protection as an enabler of the citizen.</p>
<p>With the Union government notifying the rules of the Digital Personal Data Protection (DPDP) Act, 2025, the law has come into effect, while the questions it has raised remain unanswered. Privacy is central to the times we live in, and breaches impact life across domains. </p><p>This makes the need for strong data protection clear and indisputable. The provisions of the DPDP Act – widely discussed before and after it was passed by Parliament in 2023 – have attracted much criticism on multiple grounds, including their impact on privacy, freedom of speech and expression, and the right to know. These are fundamental rights, and the law will impact them in ways few other legislations have.</p>.<p>The declared objective of the law is to protect personal data, but the means to achieve this, such as non-negotiable consent, breach notification, and erasure rights, will not come into play immediately because the law will be implemented over 18 months. There is no definite timeline for the implementation of some of its key provisions. Another fallout is its impact on the Right To Information (RTI) Act – under the law, information, which is deemed personal, need not be disclosed, even if there is public interest in it. </p>.Over 12 lakh central government employees, including Union ministers, switch to Zoho Mail, but privacy concerns remain.<p>This provision will be used to deny information under the RTI, further weakening the law. The rules grant unchecked powers to the government to demand personal data from data fiduciaries without consent on undefined grounds, such as national security. This will give the government powers to control data and, with it, the people who own such data. These provisions may lead to surveillance. It is to be noted that data fiduciaries are banned from disclosing such demands from the government.</p>.<p>In democratic countries, exemptions in rules are made for journalists in the collection of and access to data that is of public interest. An earlier draft of the DPDP Act contained such an exemption, but it was later dropped. The result is that journalists will not be able to identify and disclose the names of people who are accused of wrongdoing because that can be construed as violating their privacy. </p><p>They will also need to obtain permission for writing about people relevant to these cases. Violations of the law’s provisions will attract fines of up to Rs 250 crore. The law and the rules in their present form would help the government exercise extensive control over the people – a power that stands in stark contrast to the idea of data protection as an enabler of the citizen.</p>
