Naavi.org

Today is 13th May 2026. Barring  unforeseen circumstances, DPDPA should be fully implemented on 13th May 2027 with the possibility of penalties being imposed for non compliance.

Today is also the day when the important hearing takes place in the Supreme Court on the constitutionality of DPDPA as a law. In terms of probability, however low it is, there is a possibility  of the Act being scrapped. More probably there may be a reading down of the law. The possibility of any major changes that affect the industry is insignificant.

The Challenge has been filed in the form of a number of Public Interest Litigations and a  battery of well know PIL lawyers are representing them.

It is interesting to note that FDPPI has filed an intervention petition to defend DPDPA and assist the Court in finding a harmonious resolution for the agitated RTI activists and Journalists.

In the meantime, the Government has set up the Search Committees for constituting the Data Protection Board and its members and issued an advertisement to call for applications.

By 5th June 2026, the last date for receiving applications will be end.

Hopefully by end of June, the selections may be over and by end of July DPB may be in place.

Then action to get the website of DPB should commence. Some work on this has already been completed in the background by the NeGD and hence we can see the website of DPB soon in place. This will be the “Digital Office of DPB” and hence an important  instrument in implementing DPDPA.

The first action point for the DPB  will be from 13th November 2026 when applications will be received from organizations intending  to be registered as “Consent Managers”.

The Count down has begun… Let us brace for the impact.

Naavi

The MeitY has initiated steps towards constitution of the Data Protection Board of India and the appointment of Chairman and Four members to the Board through an advertisement released on the website of  MeitY.

The details of the terms etc are available in the document here.

The last date for receipt of applications is 30 days from the date of publication of an advertisement in this regard in the Employment News.  (Released on 6th may 2026) Applications received after this date will not be considered. Applicants already in service should send their application through their Cadre Controlling Authority. An advance copy may be sent directly; however, the application shall not be considered in the absence of official recommendation and clearances. Incomplete applications shall not be considered.

The minimum age for applying for the post is 55 years as on the closing date of submission of applications. The tenure of the post is for a term not exceeding two (2) years or till the age of sixty-five (65) years, whichever is earlier.

Eligibility for the post of Chairperson is that he  shall be a person of ability, integrity, and standing, having held a post equivalent to Additional Secretary to the Government of India or above; or having held a position not less than one level below the head of:

(i) an academic, policy, or research institution of repute; or
(ii) a body corporate with a paid-up capital of ₹100 crore or turnover of ₹500 crore.

For the members, the eligibility criteria shall be that they  shall be persons of ability, integrity, and standing, having held a post equivalent to Joint Secretary to the Government of India or above; or having held a position not less than two levels below the head of:

(i) an academic, policy, or research institution of repute; or
(ii) a body corporate with a paid-up capital of ₹100 crore or turnover of ₹500 crore.

(Out of the four members, at least one among the Members shall be an expert in the field of law)

Applications can be  sent here as per the proforma provided and with relevant documents.

Deputy Secretary (Pers.),
Ministry of Electronics and Information Technology,
Electronics Niketan, 6, CGO Complex,
New Delhi-110003.
E-mail: p.victor@meity.gov.in

Naavi

Honourable Supreme Court is set to hear the challenge against the constitutionality of DPDPA on May 13 2026.

The Court is hearing five PILs filed in this regard some of which asking for complete scrapping of DPDPA 2023 and DPDPA Rules of November 2025.

FDPPI has requested for intervention to assist the Court to place the views of the practicing  professionals while defending DPDPA 2023.

Naavi.org has discussed the issues in detail in the past.

All these articles can be accessed here.

Petition of Venkatesh Nayak

Petition of Reporter’s Guild

Petition of Geeta Seshu

Intervention Petition of FDPPI

Naavi

Audio Overview

When an RTI activist picks up information about a Government Scheme for Journalistic Research or Social Audit, it ay acquire sensitive personal information of a large number of public who have given permission to the Government to use the personal information for a specific purpose.

Releasing the information to the journalist my therefore require an assessment

a) Does the release harm the individuals.

b) If so, is the harm outweighs the probable public good.

c) At the time of release, Probable public good is speculative but the harm is definitive and the PIO will take a decision , that can hurt the data principals, for which he is not equipped with.

After the Puttaswamy judgement this is not permitted under law. Hence the need to modify Section 8(1)(j) was mandatory.

Naavi

FDPPI has raised some issues against the  Challenge filed in Supreme Court on the constitutional validity of DPDPA which is coming up for hearing on 13th May 2026.

Introduction: The Post-Puttaswamy Era

For decades, India’s transparency landscape operated on a relatively simple axis: the citizen’s right to know versus the state’s duty to disclose.

That era ended in 2017.

With the landmark  Puttaswamy  judgment, the Supreme Court elevated privacy to a fundamental right, sparking a high-stakes tension between the Right to Information (RTI) Act and the new Digital Personal Data Protection (DPDP) Act, 2023.

In the ongoing legal challenge before the Supreme Court, the Foundation of Data Protection Professionals in India (FDPPI) has stepped in as a crucial “middle-ground” expert.

Moving beyond the binary narrative of “Government vs. Petitioners,” this body of scholars and technologists argues that the DPDP Act isn’t an attack on transparency, but a necessary recalibration for a digital-first society.

Takeaway 1: Stop Calling it a Blanket Bar—Privacy Decisions Just Got a Promotion

Critics have been quick to label the amendment to Section 8(1)(j) of the RTI Act as a “blanket bar” on the disclosure of personal info.

But a closer look at the FDPPI’s argument suggests a “relocation of decisional responsibility” rather than a shutdown.

The core of the issue is “institutional suitability.

” After  Puttaswamy , weighing privacy against transparency requires a complex “proportionality test”—a task for which a mid-level bureaucrat was never equipped.

By moving this decision to higher public authorities under Section 8(2), the law recognizes that balancing two fundamental rights is no longer a routine administrative checkbox .”The unamended Section 8(1)(j) required a Public Information Officer—typically a mid-level administrative functionary… to determine, at first instance, whether disclosure of personal information would cause ‘unwarranted invasion’ of privacy…

After Puttaswamy Juggement, this is constitutional adjudication of the highest order.”

Takeaway 2: Protecting the “Collateral” Citizen

The debate often focuses on the “right to know” about public officials, but it overlooks the “Collateral Third-Party Data Problem.”

When an RTI request targets welfare scheme records, it often inadvertently exposes the sensitive data of thousands of innocent citizens who never consented to being in the spotlight.

FDPPI argues that exposing this data is “constitutionally untenable” under the principle of informational self-determination. These citizens aren’t wrongdoers; they are simply beneficiaries whose data is caught in the crossfire.

The data at risk includes:

• • Full names and home addresses
  • Aadhaar references
  • Bank account numbers
  • Specific health conditions used for eligibility
  • Detailed family records

Takeaway 3: Public Officials Aren’t “Private” (The Governance Distinction)

One of the most persistent fears is that the DPDP Act will serve as a shield for corrupt officials.

However, the FDPPI’s “interpretive suggestion” draws a sharp line between “personal info” and “functional info.

“The law is designed to protect the private lives of individuals, not the “Governance Contact Information” of public functionaries.

Official identities—names, designations, and work emails—are functional, not personal.

Under Section 3(c)(ii), the DPDP Act does not apply to personal data that is made or required to be made publicly available by the individual themselves or under any other law. Since official identities of public servants are already public via gazettes and appointment orders, they remain disclosable.

Takeaway 4: The Journalist’s Purpose-Based Protection

Is the DPDP Act a muzzle for the press?

Not necessarily.

While the Act lacks a categorical “journalist” identity exemption, the FDPPI points out that Section 17(2)(b) creates a “purpose-based” framework.

Processing data for “research, archival, and statistical purposes” is permitted, provided it doesn’t lead to a specific decision about the individual. This covers the “research loop” of investigative and data-driven journalism.

Furthermore, the FDPPI notes that journalists remain accountable through existing safeguards: the law of defamation and professional standards of accuracy and fair comment.

“The Intervener respectfully suggests… the development… of a framework for the registration of accredited journalists—including digital journalists, bloggers and online publishers—with conditional permissions for purpose-specific processing.”

Takeaway 5: “Significant” is a Guardrail, Not a Weapon

The threat of a ₹250 crore penalty has sent shivers through many organizations, but the phrasing of Section 33(1) contains a built-in constraint.

The Data Protection Board can only impose penalties if a breach is “significant.” This term acts as a legal shield, preventing the Board from weaponizing the Act over trivial or technical errors.

Interestingly, despite the headlines, India’s penalty cap is actually more conservative than global benchmarks. For instance, the GDPR allows for fines up to 4% of a company’s global turnover, which can dwarf a fixed ₹250 crore limit.

To ensure fairness, the Board must legally consider these four factors before setting a price tag:

• • The nature, gravity, and duration of the breach.

• • The type of personal data affected.

• • Whether the breach is repetitive.

• • Mitigation measures taken by the organization.

Conclusion: The Five-Year Evolution

As we look toward full operationalization by May 2027, the DPDP Act provides a “safety valve” in Section 17(5).

This five-year transitional flexibility allows the government to course-correct based on real-world friction.

However, one nuance remains: the controversial deletion of the “proviso” to Section 8(1)(j)—the rule that information shouldn’t be denied to a citizen if it can’t be denied to Parliament.

While the FDPPI defends the privacy recalibration, they notably do not defend the loss of this “informational symmetry” between the electorate and their representatives, suggesting it could be restored without compromising the core privacy framework.

Final Thought:  As we move into a future where our digital identities are our primary identities, we cannot afford a transparency regime that doesn’t respect the right to be left alone?

Naavi