After a gap of 2½ years, we now have certain sections of the Digital Personal Data Protection (DPDP) Act, backed by the Rules, ready for immediate implementation. While the state’s powers to surveil citizens come into effect immediately, the sections that protect citizens' privacy against big data companies and the state (or correct/delete incorrect data) have to wait another 18 months. Some data protection indeed!

The long journey that started with the Privacy Judgement eight years back — the landmark Puttuswamy Judgement — has now resulted in codifying via the DPDP Act and now the Rules, not the privacy rights of citizens, but the unfettered rights of the state to monitor the digital footsteps of its citizens. The fear of a surveillance state expressed by Bappa Sinha earlier regarding the DPDP Act, Establishing a Digital Surveillance and Censorship Regime (Peoples Democracy, March 2024), is now borne out by the DPDP Rules.

The digital space is no longer one we access only on our computers. The use of mobile phones, particularly with the rapid decline in their cost, means even those who do not really know about the internet now use it extensively via Google-YouTube (Google), Facebook-Insta-WhatsApp (Meta) for entertainment or to communicate with others. A survey by the National Statistical Office shows that more than 90% of Indian households have access to smartphones and the internet within the household/home. Therefore, digital privacy is no longer a concern only of a small, middle-class elite but of every user of any digital device—mobile or computer—that can connect to the internet and therefore can be tracked and have its communications monitored.

The primary objective of any Data Protection Act, and therefore of the rules, should be to protect the users’ fundamental rights, which, after the Supreme Court’s Puttuswamy Judgement, also includes the right to privacy. To capture freedom and its limitation pithily: your freedom to swing your fist stops where my nose begins. It is from this simple principle that the concept of a private space has been derived and extended to a wide range of other matters, such as marriage and various personal choices. The Puttuswamy Judgement further extended the concept of physical space, the basis of privacy, to digital space as well. However, whether in the physical or digital sphere, privacy is not absolute; the state can monitor its citizens, but any such surveillance must be necessary, proportionate, and use the least intrusive option, with strong safeguards.

Once the Puttaswamy judgement established that privacy, including digital privacy, is a fundamental right, and that any invasion of our digital space can only be done through lawful means. What the DPDP Rules have done is to provide the Government with a virtually blank cheque to surveil citizens in the digital space. Under the Rules, it can ask any digital platform, including telecom companies, to provide data on any user. Akhil Yadav writes in Article 14 that the DPDP Rules create “a new digital regime that hobbles the very rights meant to protect citizens, to the State’s advantage.” Instead of a robust regime protecting citizens' digital rights, we have one that facilitates the state’s monitoring of citizens in digital space.

The second set of rights concerns users' rights against the misuse of their data by the Act's data fiduciaries: telecom companies that provide internet services, as well as multinational platforms like Google and Meta. If the data of these companies is held abroad, they could argue that since their servers are in the US (or Ireland), any such access has to comply with the host country’s laws as well. This is why the Government had earlier asked for data localisation, requiring that Indian data be held in India. However, the Rules notified appear to have left the data localisation issue open, meaning major players such as Google and Facebook hold the data of their Indian users abroad in “trusted countries”. If data is held abroad, it becomes more difficult for Indian users to enforce their digital rights against global giants like Google and Meta.

DPDP Rules also do not protect journalists. In the European Union, the General Data Protection Regulation provides a specific journalistic exception (Article 85) that exempts journalistic activities from specific data protection requirements to safeguard press freedom. The earlier versions (2019 to 2021) of the DPDP Act had this specific exception, which no longer exists in the current version of the Act or the Rules.

The Editor’s Guild, in its Statement dated 19th November, had stated that in July 2025, the Secretary of the Ministry of Electronics and Information Technology (Meity) had held a meeting with press bodies and assured them that such journalistic work would not fall within the purview of the DPDP Act. “However, there has been no official response since then, and the notified Rules do not alleviate these concerns...The Editors Guild urges Meity to urgently issue a clear and categorical clarification exempting bona fide journalistic activity from the consent and processing requirements of the Act. In the absence of such clarity, confusion and over-compliance will weaken press freedom and obstruct the media’s essential role in a democratic society...The Guild reiterates that data protection and privacy are vital objectives, but they must be balanced with the constitutional guarantee of freedom of speech and the public’s right to know.”

For journalists, the RTI Act has been a major forensic tool to track corruption. The Government has now created a loophole that effectively defangs RTI for journalists or any citizen to trace corruption and misuse of government funds, by creating a privacy exception: any data the government wants to deny can be withheld under this provision.

The last nail in the coffin of citizens’ privacy is what the Rules prescribe for the Privacy Appellate Authority. The Ministry will choose the Appellate Authority and has limited powers, unlike, for example, the TRAI. As Aakriti Bansal writes in Medianama, “DPDP Act gives the Board adjudicatory powers with narrow boundaries. It can receive complaints, examine breach reports, call for information, issue directions, and impose penalties. It cannot write subordinate legislation, define technical standards, or run public consultations.” Effectively, it is a subordinate body to the Ministry with minimal latitude, with not even its own budget.

We might have got rid of the Sanchar Sathi, the app on our phones that would constantly monitor our activities, but surveillance by other means, though not of the same order, will continue under the DPDP Act and its Rules. The fight for our digital rights is very much a part of our larger struggle for safeguarding our constitutional rights against the authoritarian structure that the Modi-led BJP government wants to create.