India's new data privacy rules, requiring companies like Amazon, Meta, and OpenAI to minimize the collection of personal information, came into force this month.

The Digital Personal Data Protection Act (DPDP) aims to secure Indian users' personal data, while guaranteeing their consent.

Under the DPDP rules, firms will only be able to collect customer data that is necessary for a specific purpose. They must allow users to opt out and tell them if their information is involved in a data breach.

Government oversight sparks privacy fears

The DPDP and its rules "create a simple, citizen-focused and innovation-friendly framework for the responsible use of digital personal data," said India's Ministry of Electronics and Information Technology in a statement. 

However, the DPDP has been criticized for granting the government broad powers to access personal data without strong independent oversight. 

India's DPDP has been compared to the EU's General Data Protection Regulation (GDPR), which requires strict consent, data minimization, and has an independent regulator.

The DPDP gives a government-appointed Data Protection Board — with just four members — the task of overseeing privacy for some 1.4 billion people, raising concerns over compromised privacy and free speech. 

Europe's GDPR sets high standards 

Experts say the EU's GDPR, which has substantially influenced legislation in nearly 160 countries, firmly prioritizes individual privacy through strict consent requirements, data minimization principles, and a strong, independent regulatory oversight that limits government intrusion.

"India's data protection act and rules are likely to remain paper milestones when it comes to genuinely protecting the privacy of its people, since it mainly formalizes various aspects of data processing," Prateek Waghre, head of programs at Tech Global Institute, a digital policy and human rights nonprofit, told DW.

"Though successive iterations of the act and the rules were criticized for granting the executive branch too much leeway and control without adequate accompanying safeguards, each version expanded its powers," he added

Waghre also claimed the government could coerce citizens and businesses into turning over data through sweeping provisions and presumption of consent.

Right-to-information amendment raises accountability fears

Perhaps one particularly controversial aspect of the DPDP is its direct impact on the Right to Information (RTI) Act, under which citizens could previously seek access to records held by public authorities if "larger public interest" justified the disclosure.

Critics have noted that the DPDP amends the public interest provision so that even if the requested information relates to the public interest, authorities can deny its disclosure.

"The amendment … will potentially lead to a blanket denial of personal information needed by citizens to expose corruption and hold governments accountable," Anjali Bhardwaj, a co-convenor of the National Campaign for People's Right to Information, told DW.

"For example, names of contractors undertaking public works and names of willful loan defaulters of public sector banks cannot be obtained," said Bhardwaj.

Government denies diluting RTI rights

Amrita Johri, a campaigner for digital transparency, told DW that the change to RTI regulations removes earlier stipulations that permitted access to personal information if relevant to public interest or public activity.

"The government has used claims of 'no data available' to dodge transparency on critical public matters, further undermining the spirit of the RTI Act as a tool for democratic accountability," said Johri, who noted that the right to question and speak freely "is central to democracy."

"While tackling fake news is important, any regulation must follow the Constitution and be overseen independently. The judiciary recently stopped the government's plan to set up fact-checking units that journalists had opposed as a threat to media freedom," she added.

The Ministry of Electronics and Information Technology said that it does not believe the DPDP dilutes the RTI.

The ministry's Secretary S Krishnan told the daily paper Hindustan Times that the DPDP only removed "a redundant provision" and did not affect citizens' right to information.

Krishnan claimed that the RTI Act already permitted public authorities to share any information if it served the public interest, regardless of exemptions.

Hefty fines 'threaten' investigative journalism

Reporters and journalists' organizations like the Press Club of India and Editors Guild of India (EGI) remain apprehensive, however. The DPDP classifies them as "significant data fiduciaries" (SDFs) for routine work involving personal data collection, processing, and publication.

A data fiduciary is any person or organization that decides why and how personal data is processed. They are responsible for protecting that data and ensuring it is used legally and fairly. 

Reporters must therefore obtain explicit consent before using individuals' data in stories such as naming corrupt officials or exposing scams — which could make investigative reporting impossible without prior approval.

"The new rules lack clear exemptions for journalistic activities, risking routine reporting being classified as data processing requiring consent, which could hamper newsgathering and investigative journalism," Ananth Nath, former president of EGI told DW.

"We urge the government to urgently provide explicit clarification exempting bona fide journalism from these rules to safeguard press freedom and the public's right to know."

Non-compliance with the DPDP can result in substantial monetary penalties for data fiduciaries, with fines potentially reaching up to approximately $30 million (€26 million) for every instance of violation.

"This will create a chilling effect, turning journalism into a high-risk activity and forcing media to act more like PR agents than watchdogs," Sanjay Kapoor, senior journalist and current EGI president, told DW.

"It could bankrupt small media outlets or force self-censorship to avoid damaging costs."

Edited by: Keith Walker