By Anuradha Gandhi and Rachita Thakur
BACKGROUND
The Digital Personal Data Protection Act, 2023 (hereinafter referred to as ‘the DPDP Act’ or ‘the Act’) represents a landmark legislative development in India’s data governance landscape, being the country’s first comprehensive statute dedicated exclusively to the protection of digital personal data. Passed by Parliament in August 2023 and notified in November 2024, the Act is accompanied by the Digital Personal Data Protection Rules, 2025 (‘the DPDP Rules’), which prescribe a phased 18-month compliance timeline for data fiduciaries.
The legislative framework draws principally from the nine-judge constitutional bench decision of the Supreme Court of India in Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1, which unanimously affirmed the right to privacy as a fundamental right under Article 21 of the Constitution of India. The DPDP Act seeks to operationalise this right in the digital sphere through a consent-based model of data processing, accompanied by obligations on data fiduciaries and corresponding rights for data principals.
THE SUPREME COURT PROCEEDINGS
The Hon’ble Supreme Court of India is expected to take up, before the conclusion of May 2026, several clubbed writ petitions challenging distinct aspects of the DPDP Act. The petitioners represent a broad spectrum of stakeholders, including media and press freedom organisations, right to information activists, civil liberties groups, and members of the legal community. Each petition raises specific constitutional challenges, and the court’s observations — even at the hearing stage — are likely to be of considerable significance to the compliance ecosystem.
The principal challenges before the court may be summarised as follows:
-
Alleged Conflict with the Right to Information Act, 2005
A substantial body of petitioners contend that Section 44(3) of the DPDP Act impermissibly dilutes Section 8(1) (J) of the Right to Information Act, 2005 (‘RTI Act’) by permitting the denial of information requests on grounds of personal data protection. In practical terms, this provision may enable public authorities to withhold information that would otherwise be disclosable under the RTI Act, on the pretext of protecting the personal data of third parties. The Indian National Developmental Inclusive Alliance (INDIA bloc) in Parliament, comprising over 120 Members of Parliament, formally called for the removal of this provision, asserting that it undermined the foundational principles of governmental accountability and transparency.
The legal question for the court is whether Section 44(3) is proportionate and constitutionally valid, or whether it unreasonably restricts the fundamental right to information as a facet of the right to freedom of speech and expression under Article 19(1)(a).
-
Overbroad State Exemptions and the Right to Privacy
Several petitions challenge the wide exemptions afforded to state agencies under the Act, which permit government bodies to process personal data outside the consent framework in a range of circumstances. Petitioners argue that these exemptions do not satisfy the three-pronged test of legality, legitimate aim, and proportionality enunciated in Puttaswamy (supra), and that, if left unqualified, they may provide a statutory basis for mass surveillance without adequate judicial oversight.
This challenge goes to the heart of the balance between state power and individual liberty that the Supreme Court will be called upon to examine. Last heard in February 2026, wherein the Court refused to entertain the interim application for staying the amendment while referring the same to a larger bench.
-
Impact on Press Freedom and Investigative Journalism – Conflict or Alignment?
The Editors Guild of India, the Reporters Collective, and allied media organisations have raised concerns that the Act’s data processing framework, read with its exemptions, may have a chilling effect on investigative journalism. The ability of journalists to gather, process, and publish personal data in the exercise of the press’s constitutionally protected watchdog function may be curtailed if the law does not adequately carve out a public interest exception. Since, the DPDP Act does not provide for any exemption for accessing and processing of personal information for journalistic purposes, the court is likely to be called upon to read in or affirm the existence of such an exception.
However, to clarify and settle the air, the Ministry of Information and Technology in August 2025 said that the Amendment brought by the DPDP Act aligns with the principles set in the K.S. Puttaswamy judgement. Further elaborating that under Section 8(2) of the RTI Act, a public authority still has the right to allow access to information if the public interest in disclosure outweighs the harm to the protected interests.
Though the DPDP Act exempts processing of personal information for research, archiving and statistical purposes provided that the personal data is not used to make decisions about individuals. Furthermore, in contrast with the DPDP Act, the General Data Protection Regulations (“GDPR”) includes a journalistic exemption that allows journalists under Article 85 to process personal data with strict adherence to standard GDPR rules. Though not a blanket exemption, it requires the EU member states to enact their own national laws reconciling data privacy with freedom of expression in alignment with the ‘public interest’ doctrine.
-
Independence of the Data Protection Board of India
The structural composition and independence of the Data Protection Board of India (‘the Board’), established under Chapter V of the Act as the primary adjudicatory authority, has been questioned by petitioners who argue that the executive retains excessive control over appointments and functioning. The concern is that the Board, as currently constituted, may lack the institutional independence necessary to function as an effective and impartial regulatory body. A finding by the court on this issue could necessitate structural reforms to the Board or, in the interim, affect the enforceability of its orders.
-
Absence of Civil Remedies for Negligent Data Exposure
Certain petitions specifically flag the removal, as compared to earlier legislative drafts, of direct civil remedies available to individuals who suffer harm as a result of negligent data exposure by a data fiduciary. The present Act channels grievance redressal primarily through the Board, without preserving the right of data principals to pursue civil claims in ordinary courts. Petitioners contend that this limitation is inconsistent with the constitutional mandate to provide effective remedies for violations of fundamental rights.
Contrary to the same, under the present laws, affected individuals under Section 43A the Information Technology Act, 2000 can claim compensation if an organization is negligent in maintaining reasonable security safeguards for Sensitive Personal Data or Information resulting in wrongful gain or loss.
- DPDP Act gap assessments and phased compliance roadmaps
- Drafting and review of consent frameworks, privacy policies, and data processing agreements
- Data Protection Impact Assessments (DPIAs) for high-risk processing activities
- Advisory on government and regulatory data access requests
- Breach response planning, tabletop simulations, and post-incident analysis
- Representation before the Data Protection Board of India
- Ongoing monitoring and client briefings on Supreme Court developments
KEY TAKEAWAYS FOR IN-HOUSE COUNSEL
Irrespective of the outcome of the pending proceedings, organisations operating in India must be cognisant of their obligations under the existing statutory framework, while simultaneously preparing for potential modifications to the legal landscape. The following action points are commended to in-house legal and compliance teams:
| 1 | Maintain Compliance Momentum — Do Not Await Judicial Outcomes
The DPDP Rules, 2025 remain in full force and effect. Pending litigation before the Supreme Court does not operate as a stay on compliance obligations. Organisations must continue to progress their phased implementation programmes — including consent management frameworks, privacy notices, data principal rights mechanisms, and breach response protocols — without interruption. |
| 2 | Design Adaptive Governance Frameworks
Given the constitutional questions presently sub judice, organisations would be well-advised to architect their data governance policies with a degree of structural flexibility. Provisions relating to government data requests, RTI intersections, and breach liability may be subject to judicial modification. Hard-coded compliance positions based on the present statutory text carry a degree of regulatory risk. |
| 3 | Review the Interface Between the DPDP Act and the RTI Act
Public authorities and organisations that receive or respond to RTI requests involving personal data must carefully assess their existing procedures in light of the challenge to Section 44(3). Pending the court’s ruling, organisations should seek specific legal advice before invoking the DPDP Act as a ground for denying RTI disclosures. |
| 4 | Strengthen Breach Prevention and Incident Response
The challenge to the removal of civil remedies signals that judicial reinstatement of such remedies remains a live possibility. Organisations should invest proactively in breach detection capabilities, documented incident response plans, and post-breach review mechanisms, in anticipation of an enhanced liability environment. |
| 5 | Scrutinise Government Data Requests for Constitutional Compliance
Where state agencies seek access to personal data on the basis of DPDP Act exemptions, organisations should not treat such requests as automatically valid. Legal counsel should assess each request against the proportionality standard articulated in Puttaswamy and, where appropriate, seek written legal advice before compliance. |
| 6 | Monitor Data Protection Board Developments
Any judicial intervention regarding the Board’s independence or composition may affect enforcement timelines, the validity of notices issued, and the finality of orders passed. Organisations should closely track Supreme Court developments and align their internal compliance calendars to account for potential regulatory delays. |
COMPLIANCE MILESTONES: WATCH LIST
| Event | Compliance Significance |
| Supreme Court Hearing (May 2026) | Initial arguments may indicate the court’s willingness to grant interim relief or a stay on specific provisions. Monitor closely for any directions affecting operational compliance. |
| Interim Orders / Stay Applications | Any stay granted on specific sections of the Act would have immediate effect on compliance obligations. Legal teams should be prepared to respond swiftly. |
| Constitution of the Data Protection Board | Pending litigation may delay the Board’s full operationalisation. Enforcement activity and adjudication timelines will be contingent on Board readiness. |
| DPDP Rules — Phased Compliance Deadlines | The 18-month compliance timeline under the DPDP Rules continues to run independently of court proceedings. Internal milestones must be honoured. |
| Possible Constitution Bench Reference | Given the significance of the constitutional questions raised, a referral to a larger bench remains possible, which would extend the period of legal uncertainty. |
HOW WE CAN ASSIST
We have a dedicated Technology & Data Privacy practice with deep expertise in advising corporate clients on data protection compliance, regulatory strategy, and technology law. Our team regularly advises data fiduciaries, data processors, and multinational corporations on their obligations under Indian and international data protection frameworks.
We are available to assist with the following:
This Legal Alert has been prepared by SS Rana & Co. for general informational purposes only. It does not constitute legal advice and should not be relied upon as such. Specific legal advice must be obtained in relation to any particular matter. Reproduction with attribution is permitted.