Statement of Lok Raj Sangathan, May 4, 2025
In August 2023, the Indian Parliament passed the Digital Personal Data Protection (DPDP) Act, a landmark legislation supposedly intended to empower citizens with control over their personal data. In the same legislative session, it also amended the Right to Information (RTI) Act, a law that had, for nearly two decades, been a provision in the hands of citizens to hold governments accountable. However, the DPDP Act’s provisions are yet to be fully implemented, as the government is still finalizing and implementing the necessary rules and regulations. The Ministry of Electronics and Information Technology (MeitY) released the draft Digital Personal Data Protection Rules, 2025, in January 2025 to provide the necessary details and framework for implementing the DPDP Act. The draft rules have been released for public consultation.
According to the government, the DPDP Act has been enacted to address long-standing demands for a comprehensive data protection regime. India is one of the world’s largest digital economies with a rapidly expanding base of internet users. The government has argued that the need for strong privacy safeguards is self-evident in this context. But a closer look reveals a different story—one that raises serious concerns about the erosion of transparency, the consolidation of state power, and the shrinking space for democratic dissent.
What is the DPDP Act?
The Digital Personal Data Protection Act, 2023, is a legislation focused solely on the processing of personal data. It lays down the rights of individuals (termed “data principals”) and the obligations of those who collect and process data (called “data fiduciaries”). At the heart of the Act is the idea that consent is central to data processing. It outlines mechanisms for grievance redressal and proposes the creation of a Data Protection Board of India to adjudicate violations. On paper, it seems like an essential legislation. But on detailed scrutiny it has many anti-people provisions.
Dangerous Discretion: Government’s Blanket Exemptions
The most controversial aspect of the DPDP Act is Clause 17(2), which empowers the central government to exempt any “instrumentality of the state” from complying with the provisions of the Act. These exemptions can be invoked in the name of “sovereignty,” “national security,” “public order,” or other vaguely defined purposes.
There are no clear boundaries, no requirement for judicial review, and no transparency mechanisms attached to these exemptions. This means that any government agency—from the Intelligence Bureau to a local police station—could legally process personal data without consent, without safeguards, and without accountability.
This provision effectively gives the state carte blanche powers to conduct surveillance, profile individuals, and suppress dissent—all under the legal umbrella of “data protection.”
A Toothless Watchdog: The Data Protection Board of India
The DPDP Act establishes a Data Protection Board that is entirely controlled by the central government. Its chairperson and members are appointed by the government, and its functioning is subject to rules framed by the same authority it is supposed to oversee.
This raises a serious conflict of interest. If a government agency misuses data, the aggrieved citizen must approach a Board that is neither autonomous nor institutionally equipped to act impartially against the state.
Essentially, the Board is a toothless watchdog.
Silencing the Seeker: Amendments to the Right to Information Act
One of the most direct casualties of the DPDP Act is the Right to Information Act, 2005. This legislation enables citizens to demand information from the state related to corruption, inefficiency, and misuse of power.
Under the old Section 8(1)(j) of the RTI Act, personal information could be disclosed if it was related to public activity or involved a larger public interest. This provision had enabled countless RTI applicants to access information about the assets of public officials, inquiries into corruption, or disciplinary action taken against errant bureaucrats.
The amendment brought in through the DPDP Act removes the “public activity” and “public interest” clauses altogether, thereby expanding the scope of denial. Information that would earlier be accessible—for example, details about a public servant’s use of government funds or misuse of authority—can now be denied outright under the pretext of privacy.
So, the Act engenders opacity in the functioning of state institutions.
Negative Effect on Journalism, Research, and Civil Society
The new law also blurs the lines between data fiduciaries like large tech platforms and other actors like journalists, researchers, or civil rights activists. There is no exemption for data collection done for public interest journalism or research. This means investigative journalists accessing public records or interviewing sources can potentially be accused of violating data protection laws.
These restrictions could criminalise public interest work and create a climate of fear.
The Wider Context: Digital Authoritarianism in Disguise
Taken together, the DPDP Act and the RTI amendment reflect a broader trend of authoritarian consolidation under a digital garb. By projecting a commitment to “data protection,” the government has managed to pass legislation that actually increases its surveillance powers, reduces transparency, and clamps down on dissent.
This is not unique to India. Across the world, authoritarian regimes have co-opted digital technologies to stifle opposition. What makes India’s case alarming is that these changes are being enacted under the cover of progressive-sounding reforms, even as the rulers project the country as the world’s largest democracy.
Widespread opposition
The opposition to the Act has been strong and widespread. Over 30 civil society groups, including the Internet Freedom Foundation, Access Now, Commonwealth Human Rights Initiative, and Satark Nagrik Sangathan, have protested against the provisions.
Their main concerns are:
- The lack of independent oversight
- The unfettered powers given to the government
- The chilling effect on transparency and journalism
- The vague language that can be abused for political ends
- The complete absence of meaningful public consultation during the drafting and passage of the law
These groups have demanded the withdrawal of the DPDP Act and restoration of the RTI Act to its original form, urging lawmakers to rethink the implications of such a far-reaching legal transformation.
Conclusion
Lok Raj Sangathan is of the opinion that by giving the government unchecked authority to process personal data, denying citizens’ access to information, and creating a regulatory framework without independence or transparency, the DPDP Act does not safeguard privacy—it sabotages it. It does not strengthen democracy—it subverts it.
As more of our lives become enmeshed in digital systems, laws like these are inimical to our right to conscience.
The DPDP Act and the RTI Amendment must be repealed.
