Edition 10: MeitY met media bodies over Digital Personal Data Protection Act
The meeting focussed on two issues with the DPDP Act: removal of exemption for journalistic work, and dilution of the RTI Act.
Representatives from four media bodies met top officials from the Ministry of Electronics and Information Technology (MeitY) and the Press Information Bureau (PIB) on July 28 to discuss two primary issues with the Digital Personal Data Protection Act, 2023, that can arguably impede the work of journalists.
The two issues — removal of exemptions from data protection obligations for journalistic work, and dilution of the Right to Information Act, 2005 — were highlighted in a memorandum submitted by 22 press bodies and signed by more than a thousand journalists to MeitY in June 2025.
These formed the bulk of the discussion chaired by IT secretary S. Krishnan that was attended by senior officials from the ministry’s cyber laws division, PIB’s principal director Dhirendra Ojha, and representatives from the Editors Guild of India, Press Club of India, Digipub News India Foundation, and Indian Women’s Press Corps.
Two people directly aware of the discussions said that it was a “constructive” meeting where both the government and media bodies were “open to ideas” and working together. In the meeting, MeitY maintained that the new act would not affect journalistic functions in any way and said that if required, it was willing to publishing clarifications and/or FAQs on the matter.
The media bodies have been asked to submit a written submission outlining the legal questions and scenarios where they think the DPDP Act may adversely affect journalistic function. To be sure, the June memorandum already highlighted those.
Subsequently, a broader meeting between the media bodies, their lawyers, MeitY and its cyber laws division will be held, the people cited above said. However, no timelines for the written submission were given in the meeting.
MeitY is currently working on finalising the DPDP Rules which are crucial to operationalising the act which was notified in August 2023. The draft rules were released for a public consultation in January 2025, which received 6,915 submissions as per the ministry’s response in Rajya Sabha on July 25.
While RTI activists had been criticising the amendment to the RTI Act since the publication of the draft bill in December 2022, it is only after the draft rules were released earlier this year that it started drawing political attention too.
To be sure, the issues highlighted by the media bodies, including the amendment of the RTI Act, stem from the parent act itself, a problem that multiple MeitY officials have acknowledged in conversations with The Tech Trace over time.
On the question of journalistic exemption
The 2018, 2019 and 2021 versions of the data protection bills exempted journalistic work from certain data protection obligations of the bill. In the 2022 bill and the subsequent act, journalistic work was removed from the list of exemptions, raising concerns around whether news publishers could become data fiduciaries themselves.
In the July 28 meeting, the media bodies sought to get journalistic work exempted, and asked why the exemption was removed from the 2022 draft bill in the first place.
A data fiduciary status for a news publisher and/or journalist means additional data protection obligations, including requirement of consent from subjects of news stories (including critical ones) and potential categorisation as “significant data fiduciaries”.
Through the powers of a civil court given to the Data Protection Board (DPB) under Section 28, the board can “summon and enforce the attendance of any person”, and “inspect” “any data, book, document, register, books of account or any other document”. Similarly, Section 36 empowers the central government to require the DPB or any data fiduciary/intermediary to furnish “any” information.
Depending on how these powers are interpreted and wielded, journalists could be forced to give up their sources, especially due to lack of protection for whistleblowers in India.
I recommend reading my Newslaundry article (available here) from January 2023 to understand the implications of removal of exemption for journalistic work better.
In the July 28 meeting, MeitY clarified that journalists are not considered data fiduciaries under the DPDP Act. Instead, the source is, people cited above said.
Thus, the officials said in the meeting, the question of a journalist seeking consent from the data principal does not arise as that responsibility would have been the source’s. If the source were the the subject of the personal data themselves, that is, the data principal, the question of seeking consent becomes moot.
Arguing in favour of an exemption, the media bodies asked what would happen if a case was filed against a journalist under the DPDP Act. MeitY said that criminal penalties had already been removed in the notified act so the process would be a civil one. The media bodies said that without the exemption, even the civil process could become a punishment.
Let’s consider a scenario:
To make it easier for sources to contact her, a journalist publicly publishes details of her Shhh! account on her social media. Shhh! is an end-to-end encrypted messaging platform.
An employee working at the government’s Single Source of Truth Big ID programme messages the journalist on Shhh!, informing her about a vulnerability in the database because of which personal data of at least a million residents is easily available online via the official website without any access authentication mechanisms such as passwords. The employee, on a video call, demonstrated how to access this data on the website.
The employee asks the journalist to not identify them in the story, fearing repercussions. To verify the authenticity of the data, the journalist randomly calls five people whose data she can access. All fields match even and recipients of the calls are suitably bewildered.
The journalist reaches out to the government for an official comment but does not receive one. She informs the data protection officer of Single Source of Truth Big ID, CERT-In and NCIIPC, and waits for a month for the vulnerability to be plugged.
As soon as the vulnerability is plugged, her editor publishes the story.
After the story is published, the DPB takes note of it given the scale of the personal data breach, especially because the leaked data has also appeared for sale on a popular forum for black hat hackers.
Questions to consider:
Under the DPDP Act, while the leakage of data is definitely a personal data breach, is the publication of the news story also a personal data breach?
By sharing information about the leak with the journalist and demonstrating how to access the data on specific public URLs, did the employee participate in a personal data breach by “sharing” personal data, thereby “compromising its confidentiality”? Or is it not a breach because the sharing was not done through automated means and is thus exempt from the definition of “processing”? Must “sharing” always be “accidental” to be considered as a “personal data breach”?
Did the journalist commit a personal data breach by calling five data principals whose data had been leaked? By calling them, was it “unauthorised processing” of personal data? Since the act of calling did not include “wholly or partly automated operation or set of operations performed on digital personal data” by the journalist, it was not an act of “processing” personal data at all? Must “use” of personal data also always be “accidental” for it to be considered a personal data breach?
Does the employee have the same degree of data fiduciary obligations as the senior management of Single Source of Truth Big ID?
Under Section 28, can the DPB summon the journalist and ask her to reveal the identity of the source? Can the journalist refuse under oath? What happens if she does? Can the DPB ask to inspect the journalist’s phone or laptop to ascertain the identity of the source?
Can either the DPB (under Section 28) or the government (under Section 36, or various provisions of the Information Technology Act) seek information from Shhh! (an intermediary) about the journalist’s account?
On the question of the amendment to the RTI Act
The DPDP Act amended Section 8(1)(j) of the RTI Act, thereby allowing public information officers (PIOs) to not give any information “which relates to personal information”.
Before the amendment, only personal information which does not have any relationship to any public activity or interest could be denied. Even an “invasion of the privacy of the individual” was allowed if the central PIO, the state PIO, or the appellate authority determined that the disclosure was justified by larger public interest.
Under Section 8 of the RTI Act — which lists the exemptions for giving out information under the RTI Act —, any information that must be given to the parliament or a state legislature must also be given to a lay citizen.
RTI activists have been arguing since the inclusion of this amendment in the 2022 bill that this amendment grossly undermines public interest journalism, and erodes a major transparency measure.
In the July 28 meeting, MeitY said that the amendment to Section 8(1)(j) of the RTI Act would not have an impact as Section 8(2) of the act had been left intact, allowing the public authority to disclose information in larger public interest.
The media bodies said that invocation of Section 8(2) would require protracted appeals to the PIOs and the Central Information Commission, making the transparency-seeking process a punishment unto itself.
Section 8(2) of the RTI Act
Notwithstanding anything in the Official Secrets Act, 1923 (19 of 1923) nor any of the exemptions permissible in accordance with sub-section (1), a public authority may allow access to information, if public interest in disclosure outweighs the harm to the protected interests.
“The End”