DPDPA at the doors of Supreme Court

As expected, the law of DPDPA is now before the Supreme Court. Normally, Courts are expected to step in when a citizen suffers an adverse impact of the law and seeks remedy. However, in India, almost every law that gets passed by the Parliament is scrutinized by the Supreme Court even before it is implemented, under the speculation that “This is unconstitutional, Give a stay and later scrap the law”. The same thing has now happened for DPDPA 2023. There are always some so-called Public Interest Litigation specialists who contrive the reason to challenge the law and hamper the progress. The Supreme Court has allowed itself to be used as an instrument of delaying legislation in the country and the trend continues.

I refer to the article in “Thewire.in” which refers to a petition of one RTI activist, Mr Venkatesh Nayak, to ensure that “Two decades of transparency in the life of public authorities is not reversed into an era of dark opacity”. The case would be argued by Ms Vrinda Grover and perhaps also Mr Prashant Bhushan, before a bench of Justices Suryakant, Joymalya Bagchi and Vipul Pancholi today.

We do not have a copy of the petition to understand the logic, but the article makes the following mentions which we can comment on.

1. Section 44(3) is already in force.

2. Section 44(3) amends the RTI Act to broadly exempt the disclosure of information deemed to be “Personal” and provides a “Blanket bar” on an obligation to disclose all personal information.

3. Section 44(3) contravenes Article 19(1)(a) of the Constitution and violates the right to equality by equating privacy of public functionaries to that of ordinary citizens.

Another petition that has been filed is Reporters Collective & Nitin Sethi v. Union of India (W.P.(C) No. 177/2026). This petition extends the objections and seeks to strike down the entire DPDPA as unconstitutional. Objections are made on Sections 5, 6, 8, 10, 17, 18, 19, 36, and 44(3), alongside Rules 3, 6, 7, 8, 9, 13, 16, 17, and 23 of the 2025 Rules.

Another petition filed by Prashant Bhushan for NCPRI (W.P.(C) No. 211/2026) also reflects a similar view.

While we appreciate the legal acumen of those who have filed these petitions, it is clear that the objective of this elite exercise is to delay DPDPA implementation to the extent possible. It is unlikely that the Supreme Court may be persuaded to consider the objections but the petition has the power to disturb the industry’s resolve to start implementation immediately.

The Urban Naxalites would be happy… that they have placed one more hurdle on the Government to do what it wants to do.

For the time being, let us watch what the Supreme Court does on this petition. We shall analyse the case as it develops.

Probably a notice would be issued to the Government in this regard. We do not expect any stay at this point of time.

I request any of the readers having a copy of the petitions to send me a copy so that we can take a deeper look at the same.

Naavi

Also Refer:

Opposition seeks repealing of Section 44(3) of DPDPA 2023

The hue and cry about RTI Act being diluted by DPDPA is misplaced.


Rules on Synthetic AI content finalized

In October 2025, MeitY had released a draft notification related to amendment of the IT Act Intermediary Rules related to publication of synthetic content. On 10th February 2026, the final rules were notified with several clarifications related to the provisions.

The Gazette Notification along with an FAQ are available here. A brief discussion of these amended rules will be available in the FDPPI training program for CDPODA on February 21 and 22.

Gazette Notification of 10th February 2026

FAQ 

These are amendments to the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 and will be effective from 20th February 2026.

Naavi


The Race for being a Consent Manager

Going by the newspaper reports, it appears that many Indian companies including giants like TCS are eyeing registration as “Consent Manager” under DPDPA 2023. There is news that Jio and Airtel are also interested in being registered as “Consent Manager”.

Further, NeGD had announced a “Code Development Competition” for development of an open source Consent Management platform to manage the Consents under DPDPA by Data Fiduciaries. This was a competition for a prize of Rs 50 lakhs and, as part of the specifications of the coding competition, a document called “BRD” or “Business Requirement Document” had been issued by NeGD.

Under this competition, the following six entities were shortlisted for the final round of code development.

In the background there are 17 RBI licensed “Account Aggregators” who are acting as “Consent Managers under DEPA” and who may be thinking that they are already “Consent Managers” and should automatically be eligible for registration under DPDPA.

With these developments, the media and many experts are confused about the intentions of MeitY on how they would modify the DPDPA Rules of November 13 to accommodate the lobbying by the giants such as TCS, Jio and Airtel.

While Naavi.org has explained in detail the conflicts between the DPDPA Act and the Rules, and will continue to debate this provision, it is our duty to point out that there is a need for substantial change in Rule 4 of the November 13 publications.

If MeitY goes ahead with registration of companies without synchronizing the rules with the Act, there could be legal objections that may stall registered Consent Managers from going ahead with the implementation of the accreditation. We can expect some of the other aspiring candidates seeking a stay on the registration through legal means.

Let us watch this interesting developing news space.

Naavi


Neuro Rights adopted in Canada’s PIPEDA

Naavi.org had started a discussion on Neuro Rights during the Indian Data Protection Summit 2022 (IDPS 2022) where Professor Rafael Yuste, a professor and Neuro Scientist from Columbia University, had presented his views through a virtual talk.

(Other articles on Neurorights can be found here)

At that time, Chile was the only country which had recognized Neuro Rights through a Constitutional amendment. Subsequently, in September 2024, Colorado and then in October 2024, California signed a law recognizing Neuro Rights as “Sensitive Personal Right” under the Privacy law.

Now Brazil, Spain and Mexico have also adopted Neuro Rights Protection through appropriate constitutional amendments. (Refer here)

The five principal Neuro Rights recognized by the NeuroRights Foundation are:

  • Right to Mental Privacy: This ensures that data obtained from measuring neural activity (brain data) cannot be sold, transferred, or used without the individual’s explicit consent. It aims to keep thoughts and brain states private.

  • Right to Personal Identity: This protects the “self” from being altered by external technologies. It ensures that neurotechnology (like brain-computer interfaces) does not blur the line between a person’s own consciousness and the output of a machine.

  • Right to Free Will: This right ensures that individuals maintain control over their own decision-making processes. It aims to prevent external “neuro-manipulation” where a technology could influence a person’s choices without their knowledge.

  • Right to Equitable Access to Mental Augmentation: To prevent a new type of “neuro-divide,” this right advocates for fair and equal access to cognitive-enhancement technologies across society, ensuring they aren’t reserved only for a wealthy elite.

  • Right to Protection from Algorithmic Bias: This ensures that the algorithms used in neurotechnology are designed without bias. It protects individuals from being discriminated against based on data extracted from their brain activity.

The harms normally recognized in the context of technological intrusions into the human brain are:

  1. Neural Privacy Breaches
    • Unauthorized brain data collection
    • Neural data theft
    • Cognitive surveillance
  2. Cognitive Liberty Infringement
    • Forced neural modification
    • Involuntary thought monitoring
    • Cognitive manipulation
  3. Mental Integrity Violations
    • Non-consensual neuromodulation
    • Psychological manipulation through neurotechnology
    • Neural identity interference
  4. Neuro-Discrimination
    • Employment discrimination based on neural data
    • Insurance discrimination
    • Social scoring based on brain metrics

Each type of violation presents unique challenges and requires specific protective measures and legal frameworks.

The Parliament of Latin American countries (Parlatino) had introduced a “Model Law” with 13 articles. (Refer here)

Presently it has been reported that Canada has also taken a decision to recognize Neuro Data as “Sensitive Personal Information” under the PIPEDA.

While discussions continue on how Neuro Rights Protection can be achieved, the simplest approach has been to use the existing privacy laws by declaring neuro data as “Sensitive Data”. In India, under DPDPA, this can be done by declaring an organization processing neural data as a “Significant Data Fiduciary”.

I invite further discussions on this aspect. In the meantime, DGPSI will use the criteria that “Processing of Neural Data” imposes “Significant risks” and hence the data fiduciary should be considered as a Significant Data Fiduciary.

It would be interesting for readers to observe that Naavi.org had suggested a “CyBorg regulation” where consensual intervention of human brain was discussed. What a broader Neuro Rights law may mandate is the regulation through a consent mechanism under the DPDPA itself.

Open for debate.

Naavi


Towards a Resilient Pan-India Cyber Framework: Private Sector Cyber Defence Authority (PSCDA)

Digital Dependence today is on the increase. Both professionals and ordinary citizens are today dependent on the Internet for connectivity, Computers and Cloud for storing of data, and Electronic Documents as the data storing form. New Technologies such as AI have provided many conveniences but at the same time hardened the dependence.

As a result, the vulnerability of the society to Cyber Crimes has also increased to the extent that it is no longer a surprise if a company faces a ransomware attack or an individual becomes a victim of a cyber crime. There is a danger of the society becoming immune to the Cyber crime threat and taking it for granted.

If we allow this to happen, we will create a Digital Jungleraj. We need to prevent this.

Resilience essentially means how quickly and effectively we recover from a Cyber disaster. It is a fact that if we have lost reputation, it is difficult to recover. But at least if we have lost money, we should be able to recover it. If we have lost data, we should be able to recover it. If our business has been disrupted, we should be able to get back on rails.

Cyber Space being what it is, we work on a global network. While individuals are connected to the local ISPs, privileged entities may be connected directly to global networks through direct satellite connections.

Hence regulating the space as if it is manageable within a region is not possible. But the nearest we can do is to create a Pan-India collaboration of stakeholders so that an informal regulatory network can be created.

If the stakeholders consist of both the Private Sector as well as the Government, then there is a need to build trust between the two entities.

For this Public-Private trust to be effective, there has to be no internal trust deficit between the constituents themselves. Hence there has to be collaboration between one state with the other, one company with the other.

We therefore need to work towards this Intra Private Sector collaboration and Intra State cooperation at different levels.

If we presume that this is possible then there has to be a national leadership which has to come from one all India institution which every one of us trusts.

Just as we trust the defence forces to secure our borders, we need to trust the defence forces to secure our cyber space as well. Unlike our physical boundaries which can be recognized, Cyber Boundaries exist everywhere and in every device connected to the internet. Hence Cyber Security failures can enable intrusion of Cyber enemies into our Cyber space. It is therefore natural to expect that the “Defence Cyber Authority” has to take the lead. It now has a military component and we need to create a Civil Defence arm of this Defence Cyber Authority.

Under this, we need to bring in CERT-In as well as organizations like NTRO, I4C, the Cyber Crime police stations etc.

Similarly, on the industry side, we need to create sectoral leadership and thereafter a federation of Cyber Security leaders. The CISO community can be a starting point. We need to first create a federation of CISO entities. The DPO community and CISO community have to be part of this federation and the federation should take up the responsibility of a Private Sector Cyber Defence system which can collectively work with the Civil Cyber Defence Authority in public interest.

Today, CERT-In is the legal authority which can enforce data breach notifications. The DPB will shortly have its own authority. But the private sector will continue to be wary of the reputation loss that occurs when a breach is reported and hence will always have a tendency to hide breaches. This tendency may be reduced if the private sector forms its own Private Sector Cyber Defence system.

Probably we need to think in terms of a Private sector CERT and a Cyber Resilience Act as two instruments to pursue.

Let us therefore try to work towards this entity and if possible get a legal recognition from the Central Government.

Naavi


IN-CRA: Need for integration of Private Sector into the Unified Command Structure

(Continued)

In continuation of our discussions on the IN-CRA act, the next big hurdle we need to tackle is bringing about the integration of the private sector into this initiative.

The Private sector is important for Cyber Resilience since the expertise in threat hunting and information security lies in the private sector, some academic institutions and NGOs. Government has to borrow these resources besides developing their own expertise.

The Private Sector however has commercial constraints and the fear of loss of reputation if any security weaknesses become public. Hence even the data breach notification systems do not work efficiently due to large scale under-reporting of incidents.

We need to therefore build one industry level institution and link it to the Government infrastructure to infuse more confidence. These should consist of sector-wise leaders who collaborate as a federation of Cyber Security agencies.

The Government organizations like CERT-In can work more smoothly with such industry representing organizations. Academic institutions and NGOs can provide leadership of such sectoral committees and act as buffer zones to build trust in ensuring flow of sensitive security information from the victims of Cyber attacks, which are commercial entities, to the agencies like CERT-In.

A serious debate is required on this type of industry bodies.

In the past MeitY did try to promote self regulatory bodies for digital media regulation but the industry did not respond positively. We need to continue our efforts to persuade the industry to shed their inhibitions and start cooperating with the Government as a duty towards national security.

This can be done only through an enforceable law with deterrents and recognition of a constitutional right “Right to Security” as an apex component of “Right to life”. The Judiciary needs to accept this “Right” as part of our constitutional Right. No other Right exists when we no longer exist. This truth is today forgotten by our Judiciary and they need to realize this.

Please feel free to comment.

Naavi
