Naavi.org

The petition of Mr Venkatesh Nayak Vs Union of India (WP-C-177/2026) along with the following writ petitions will come up for hearing on 13th May 2026 at the Honourable Supreme Court.

• W.P.(C) No. 212/2026 (PIL-W) (IA No. 51893/2026 – STAY APPLICATION)-National Campaign for Peoples Right to Information
• W.P.(C) No. 211/2026 (X) (IA No. 51414/2026 – GRANT OF INTERIM RELIEF and IA No. 51415/2026 – PERMISSION TO FILE SYNOPSIS AND LIST OF DATES)-Reporter’s Collective-
• W.P.(C) No. 286/2026 (PIL-W) (IA No. 68833/2026 – STAY APPLICATION)-
• W.P.(C) No. 275/2026 (PIL-W) (IA No. 66957/2026 – EX-PARTE AD-INTERIM RELIEF)

Additionally IA No.85635/2026 filed on behalf of FDPPI will also be considered. In the last hearing on 23rd March 2026, the Government was asked to file it’s reply to the petitions so that counters could be filed by other parties.

The four petitions together have  serious prayers including scrapping  of DPDPA and DPDPA Rule and are argued by a battery of well known advocates including the following:

• • Ms. Indira Jaising, Sr. Adv. Ms. Mishi Chaudhary, Adv. Mr. Paras Nath Singh, AOR Mr. Prasanth Sugathan, Adv. Mr. Jayant Malik, Adv. Mr. Kabir Darshan Singh, Adv. Mr. Syed Mohammad Haroon, Adv. Mr. Sadeeq Ur Rahman, Adv. Mr. Abhishek Manu Singhvi, Sr. Adv. Muhammad Ali Khan, Adv.
  • Mr. Omar Gupta, Adv. Ms. Eesha Bakshi, Adv. Mr. Uday Bhatia, Adv. Mr. Naman Basoya, Adv. Mr. Abishek Jebaraj, AOR A. Reyna Shruti, Adv. Mr. D.P. Singh, Adv. Mr. Prashant Bhushan, AOR Ms. Cheryl D’Souza, Adv. Ms. Anushka Singh,
  • Adv. Ms. Vrinda Grover, Adv. Mr. Soutik Banerjee, Adv. Ms. Devika Tulsiani, Adv. Mr. Aakarsh Kamra, AOR Mr. Pritam Singh, Adv. Mr. Umesh Kumar Shukla, Adv. Mr. Shishupal Singh, Adv. Mr. Vedprakash, Adv. Mr. Ankit Bhatnagar, Adv. Mr. Praharsh Chaudhary,
  • Adv. Mr. Pawan Kumar Saxena, Adv. Mr. Balajee D. K., Adv. Dr. Mahendra Limaye, Adv. Dr. Tushar Mandlekar, Adv. Mr. Alok Sharma, Adv. Mr. Anand Dubey, Adv. Mr. Raghvendra Kumar, AOR Ms. Harsha Sharma, Adv.

• For Respondent(s)  the case will be argued by:
  • Mr. Tushar Mehta, Solicitor General Mr. Gurmeet Singh Makker, AOR Mr. Madhav Sinhal, Adv. Mr. Rajat Nair, Adv. Mrs. Shilpa Ohri, Adv. Mr. Mayank Pandey, Adv. Mr. Chander Uday Singh, Sr. Adv. Ms. Cheryl D’souza, Adv. Ms. Bidya Mohanty, Adv. Katyayani Suhrud, Adv. Mr. Abhishek K., Adv. Ms. Anushka Singh, Adv.

For the Intervention petition of FDPPI, (IA No.85635/2026), following advocates will appear.

• • Dr. Mahendra L.,
  • Adv. Dr. Tushar Mandlekar, Adv.
  • Mr. Alok Sharma,
  • Adv. Mr. Raghvendra Kumar,
  • AOR Mr. Devvrat Singh, Adv.

The Bench headed by the honourable Chief Justice along with JUSTICE JOYMALYA BAGCHI HON’BLE MR. JUSTICE VIPUL M. PANCHOLI will hear the case.

The prayers in the three petitions filed by Mr Venkatesh Nayak, Reporter’s Guild and Geeta Seshu are as follows:

Venkatesh Nayak Prayers

In light of the facts and circumstances stated hereinabove, it is most humbly prayed that this Hon’ble Court may be pleased to:

1. Direct that the operation of Section 44(3) of The Digital Personal Data Protection Act, 2023, shall be stayed during the pendency of the captioned proceeding

Reporter’s Guild Prayers

 It is respectfully prayed that this Hon’ble Court may kindly be pleased to:

1. Issue a writ in the nature of mandamus, or any other appropriate writ, order, or direction declaring the whole of the Digital Personal Data Protection Act, 2023, and specifically Sections 5, 6, 8, 10, 17, 18, 19, 36, and 44(3), of the Digital Personal Data Protection Act, 2023, to be void, inoperative and unconstitutional for being ultra vires Articles 14, 19, and 21 of the Constitution;

1. Issue a writ in the nature of mandamus, or any other appropriate writ, order, or direction declaring the whole of the Digital Personal Data Protection Rules, 2025, specifically Rules 3, 6, 7, 8, 9, 13, 16, 17, and 23 of the Digital Personal Data Protection Rules, 2025, to be void, inoperative and unconstitutional for being ultra vires Articles 14, 19, and 21 of the Constitution;
2. Issue any other writ, order or direction as this Hon’ble Court may deem fit and proper to do complete justice in the circumstances of the case.

Prayers of Geeta Seshu

It is prayed that this Hon’ble Court may be pleased:

1. Issue an appropriate writ, order or direction or declaration quashing and setting aside Sections 7, 17(2)(a), 19(3) 24, 36, 44(2)(a), and 44(3) of the Digital Personal Data Protection Act, 2023, to the extent challenged herein, as being unconstitutional, void and inoperative, and violative of Articles 14, 19(1)(a), 19(1)(g), 21 and 21A of the Constitution of India.
2. Issue an appropriate writ, order or direction, or declaration quashing and setting aside Rules 5, 6, 17, 18, 21 and 23, and the Second Schedule, Fifth Schedule, Sixth Schedule and Seventh Schedule of the Digital Personal Data Protection Rules, 2025, to the extent challenged herein, as being unconstitutional, void and inoperative, and violative of Articles 14, 19(1)(a), 19(1)(g), 21 and 21A of the Constitution of India.
3. Issue an appropriate writ, order or direction, or declaration quashing and setting aside Section 17(2) of the Digital Personal Data Protection Act, 2023, insofar as it empowers the Central Government to exempt any of its instrumentalities from the application of the provisions of the Digital Personal Data Protection Act, 2023 and the Digital Personal Data Protection Rules, 2025. d) Issue an appropriate writ, order or direction, or declaration quashing and setting aside the Second Schedule of the Digital Personal Data Protection Rules, 2025.
4.  Issue an appropriate writ, order or direction, or declaration quashing and setting aside the Second Schedule of the Digital Personal Data Protection Rules, 2025.
5. Issue an appropriate writ, order or direction, or declaration quashing and setting aside Section 44(2)(a) of the Digital Personal Data Protection Act, 2023, insofar as extinguishes the right of affected persons to seek compensation or civil remedy for unlawful processing of personal data and/or data breach.
6. Issue an appropriate writ, order or direction, or declaration quashing and setting aside Section 44(3) of the Digital Personal Data Protection Act, 2023 insofar as it dilutes the right to information of the citizens of India.
7. Issue an appropriate writ, order or direction, or declaration quashing and setting aside Section 19(3) and Section 24 of the Digital Personal Data Protection Act, 2023 read with Rules 17, 18 and 21 and the Fifth and Sixth Schedules of the Digital Personal Data Protection Rules, 2025, insofar as they relate to the constitution, appointment, service conditions and functioning of the Data Protection Board of India.
8. Issue an appropriate writ, order or direction, or declaration directing the Respondent No. 1 to frame a constitutionally compliant mechanism for appointment, tenure and service conditions of the Data Protection Board of India, ensuring its independence from executive control.
9. Issue an appropriate writ, order or direction, or declaration quashing and setting aside Section 36 of the Digital Personal Data Protection Act, 2023 read with Rule 23 and the Serial No. 1 of the Seventh Schedule of the Digital Personal Data Protection Rules, 2025.
10. Issue an appropriate writ, order or direction, or declaration directing the Respondent No. 1 to incorporate and notify a specific and proportionate exemption under the Digital Personal Data Protection Act, 2023 and the Digital Personal Data Protection Rules, 2025 for processing personal data for journalistic, editorial, investigative and public interest reporting purposes, including protection of journalistic sources. Alternatively, issue an appropriate writ, order or direction, or declaration quashing and setting aside Section 7 of the Digital Personal Data Protection Act, 2023, insofar as it fails to provide an exemption for processing of personal data for journalistic purposes .

FDPPI has already filed an initial request for intervention

Naavi’s views on this regard which is in public domain is available here.

Naavi has also provided a list  of suggestions to make DPDPA acceptable to all including the petitioners.

In a nutshell Naavi has expressed the view

a) That the objections raised are borne out of mis-reading of the Act and the Rules

b) That the objections raised are not tenable and do not indicate any constitutional crisis.

c) That some clarifications can be issued by the Government to ally the disproportionate fears expressed by the petitioners.

Under no circumstances, we feel that the Act and the Rules should be scrapped.

Naavi has also indicated that DPDPA 2023 does not claim to protect the Privacy Right and only provides a scheme for enforcement of protection of Personal Data along with an administrative penalty. It leaves ITA 2000 and other laws to work along with DPDPA 2023 to provide relief to the data principals. It also leaves the right to enforce the constitutional right to Privacy outside the reliefs granted by DPDPA 2023 (Which is only related to disciplinary action against Data Fiduciaries in tact. Naavi has also indicated that this is the same principle adopted by GDPR also for the EU region.

We await the further developments.

Naavi

Personal Data is a key corporate asset in this time  of Data Driven Business. Organizations collect specific identifiable personal data some times in a structured manner  through a form associated with a service request. This is an ideal situation when the entire set of data elements  are collected in one shot along with a proper notice, purpose linkage, data minimisation etc.

But in actual practice an organization accumulates individual data elements often not specifically identifiable with a data principal. The “Personal Data identifiers”  therefore become available but cannot be associated with any identifiable individual. Even when a “Name is available”, if it is concluded as belonging to a  specific person which the Data Fiduciary knows, there  could be a risk of mismatch. Hence an organization has to wait for accumulation of at least 2  parameters which together create an identity.

To be on the safer side  it is better to have 3 parameters to identify a person unless one of the two parameters happens to  be a “Biometric” information.

Under “Biometric” one can take the  finger print, the facial photograph, the voice sample, DNA etc.

A Unique Government ID such as an aadhaar number or PAN number could perhaps have been considered equivalent to  the biometric for  identification but for the current state in India where these are not reliable.

In the absence of  such “biometric ” data, there should be atleast 3 parameters such as the name, email and the phone to reasonably identify an individual.

Once the identity of an individual can be fixed with a reasonable certainty, information such as a “Behaviour Profile” or a “Health report”, “Credit Report” can be added to the personal information and will also form the data that needs to be protected under the Data Protection Law.

To capture this nature of Personal Data as a “Set of Data Parameters”, Naavi adopts the following layered approach to recognition of Personal data.

Level 1: Operational Identifier: Name (Assigned by the Data Principal)

Level 2: Organizational Identity: Employee ID, Customer ID (Assigned by the Data Fiduciary).

Level 1+Level 2 will have confirmation from the data principal and the data fiduciary provided the two are linked with acceptance from both. If the two identifiers are present independently they donot form an identity till they are associated with a bond of conformation. This could be through a request for confirmation sent from one of the two to the other and its acceptance by the other.

Level 3: Contact Layer: E Mail address, Mobile number

Level 4: Biometric layer: Finger Print, Facial Photograph, Voice Sample, Dental X ray, DNA etc.

Level 5: KYC layer: A KYC report generated by a trusted third party “Joint Data Fiduciary”

Level 6:  Report level: Behaviour Profile, Health Report, Credit Report etc

We can organize these levels into a hierarchical system to move raw data as it flows into an organization into a “Provisional Personal Data Store”, process it periodically and move  it to the next level

Naavi

An Audio Summary is here:

Listen here

When ITA 2000 became a law in 2000, it  prescribed a method of authentication in the form of Digital Signatures (Now expanded as Electronic signatures) as the only means of authentication of an electronic document. This provision meant that an un-digitally signed electronic document could not be considered as “Signed” document for contractual purposes.  Hence there was a need for alternative methods of recording an online “Click Wrap Consent”.

The introduction of Aadhar based e-sign has made it simpler to obtain legally acceptable e-signed consent online but it still has a cost and the issue of use/disclosure of Aadhaar as for signing.

Naavi has suggested use of CEAC Drop Box as a kind of alternative to obtaining third party confirmation.

This problem has now got into prominence since “Consent” under DPDPA needs to be properly authenticated.

In the meantime there is the issue of “Stamp Duty” for digital contracts.  During 1999-2000 when ITA 2000 was enacted, India was one of the early countries to adopt the mandatory digital signature system. At that time many countries including India did not specify that stamp duty was payable on electronic documents and some countries specifically mentioned that since there was no viable system for payment of stamp duty for electronic documents, it was exempted. India did not specify the reason but the Indian stamp act at that time could be interpreted as excluding electronic documents from the list of documents requiring payment of stamp duty.

The keeping  of immovable property transfer documents from Schedule I of ITA 2000 was also linked to this problem.

During that time Naavi had introduced the “Digital Value Imprinted Instrument System” (DVIIS) as a system which combined the “Adhesive Stamp System” then prevailing with the “Digital Value Creation” in the back end server to enable a “Hybrid DVIIS coupon” that could be affixed on an instrument of contract along with payment  of stamp duty online. This was in an era where there was no UPI system. It was an innovative system was even presented to the Stock holding Corporation before they came up with the e-stamping of non judicial stamp papers but was rejected in favour of an alternative foreign system.

Over the years, E Governance has moved forward and many State Governments passed laws to mandate payment of stamp duty even on electronic documents.

in September 2022, even the ITA 2000 was amended to remove the immovable property documents from the list of excluded documents for recognition under ITA 2000.

Many options are now available for online payment of stamp duty to the treasury and obtaining an  acknowledgement such as a QR Code/Bar Code Receipt which can be affixed on an electronic document.

Hence currently the electronic documents are considered not excluded for stamp duty.

Kindly consider the previous views expressed in this website as suitably amended due to change of law.

We now however need to ensure that the nature of an instrument needs to be properly identified to distinguish “MOU” from an “Agreement”. We also need clarity on wehther MOUs also need minimal stamp duty or not.

MOU s are considered a documentation of intention and if organizations use MOUs to record their dealings with associates there may be a claim of stamp duty at some level.

While organizations may be fine with considering that the MOUs are not legally enforceable, the possibility of “Penalty” for not stamping the document even when not enforced in a Court could make it a “Compliance Issue”.

In a Privacy Contract where the notice asks for certain permissions which amount to monetization of personal data, there is an underlying financial value. Hence the “Consent” provided in the form of an “Acceptance” can be considered as an “Electronic Document that requires payment  of Stamp Duty”.

If the  data principal raises this issue with the Adjudicator and claims compensation, there could be a demand of the Stamp duty authorities that 10 times the  normal stamp duty on agreements need to be paid and also linked to the value of the underlying data on which a dispute has arisen. Otherwise the document  becomes infructuous both for lack of digital signature and lack of stamp duty payment.

It is necessary for MeitY to consider this ambiguity and  ensure that there  is a clarity on

a) Recognition of Click Wrap Contract which requires amendment of ITA 2000

b) Exemption of Stamp Duty which require amendment of several State Acts on Stamp Duty.

Since “Personal Data” can be “Nominated” DPDPA 2023 has already recognized the “Property Nature” of personal data and the established “Monetization” practices indicate a clear financial value for Personal data assets.

Hence if this ambiguity has to be removed, an amendment to ITA 2000  may be required.

Needs a debate..

Naavi