Afew days ago, the government notified the Digital Personal Data Protection Rules, 2025, touted as proof that India is finally taking privacy seriously. On paper, they promise stronger citizen rights, greater trust, and real accountability in the digital economy. However, as the fine print makes clear, India’s new data framework does something very different: it grants sweeping powers to the State while imposing heavy burdens on journalists, start-ups, and everyday consumers.
For a country that prides itself on being the world’s largest democracy and a rising digital superpower, this should worry us. On paper, the DPDP framework promises control and consent. But for millions of Indians, especially those who rely on an independent press and the Right to Information to hold power accountable, these rules threaten to shrink the very transparency that keeps democracy healthy. Two of the country’s most important media watchdogs, DIGIPUB and the Editors Guild of India, have sounded the alarm. Their message is simple: the new rules could make journalism itself a consent-based activity. If routine newsgathering is reinterpreted as “data processing,” reporters may need consent from the very people they are investigating. That’s not privacy protection. That’s a muzzle. And the consequences do not stop at the newsroom.
The rules weaken the RTI framework by diluting the public-interest override, a principle that enables journalists and citizens to access and publish sensitive information, when public interests outweigh potential harm caused by disclosure. This safeguard has enabled people to uncover corruption, exposed wrongdoing, and empowered ordinary citizens for nearly two decades. At the same time, Rule 23 gives the government the authority to demand personal data from any platform or company, without notifying the user whose data is being accessed. Companies are explicitly prohibited from telling you when the State comes knocking. So, while citizens may soon be forced to jump through more hoops to access information, the State gets an express lane.
This imbalance carries a heavy cost. India’s digital economy thrives because consumers trust platforms with their information. Start-ups innovate because they aren’t bogged down by compliance paperwork. Journalists investigate because they can protect their sources. RTI activists ask difficult questions because they know the law backs them. Under the new regime, these pillars wobble. Small Firms and startups now face the same stricter audits, annual impact assessments, and compliance certifications that even global tech giants follow. This is a huge blow for India’s start-up ecosystem, which is already struggling funding winters and regulatory whiplash, this is not protection; it’s a hurdle. When young companies are compelled to divert their scarce resources into paperwork instead of developing products, innovation suffocates, competition and consumers pay the ultimate price.
And for journalists, researchers, and public-interest watchdogs, the chilling effect is immediate. When the line between reporting and “processing personal data” becomes blurry, over-compliance becomes the safe, and undemocratic, choice. This isn’t about rejecting data protection. Indians deserve better privacy protection norms, transparent rules, stronger safeguards and greater accountability from platforms that handle our data. But privacy cannot come at the cost of undermining the institutions that defend our freedom. A law that claims to empower citizens while tightening its grip on press and limiting transparency neither safeguards democracy nor consumers. The world already shows us what happens when data laws go too far. Europe’s GDPR, despite its good intentions, created a compliance maze that hurt small businesses and cemented the dominance of Big Tech.
Innovation stalled, smaller players suffered and consumers lost out on competition and choice. India risks repeating the same mistakes, but this time it could lead to weaker transparency at home and a press that’s even more constrained to question the authority. A smarter path is possible. The government must introduce an explicit journalistic exemption to protect reporters, whistleblowers, and public-interest investigations, and reinstate the RTI public-interest override that has long empowered citizens to hold power accountable.
And it must ensure that privacy safeguards don’t morph into more surveillance or unchecked access to personal data. India has built bold digital public infrastructure before, UPI, CoWIN, and DigiLocker. But the success of these systems came from clarity, openness, and trust. Not opacity. Not uncertainty. Not silence in the face of democratic concerns. A fair data regime should empower the citizens, not intimidate them. It should strengthen their control over personal data, not create rules that leave them second-guessing the State. Protect consumers, not burden innovators.
Originally published here
