The Budget Session of the Indian Parliament is typically one of its busiest. In the 2025 session alone, over 30 bills were introduced and more than 20 were passed — often with little debate and less scrutiny. The rush of legislation in such sessions, particularly when one party or alliance enjoys a parliamentary majority, often escapes close public attention. But buried within this legislative churn are laws that profoundly reshape citizens’ rights and the powers of the state.
Let’s look at one particular bill that has now become the law of the land — the Digital Personal Data Protection Act, 2023. On paper, it promises to secure the privacy of Indian citizens. In reality, it introduces sweeping new powers for the government, imposes vague but punitive obligations on individuals, and threatens the work of journalists, whistleblowers, and civil society actors who hold the powerful to account.
One of the most troubling provisions of the Act lies in Section 17(2)(a), which allows the Central Government to exempt any of its agencies from the law’s provisions. The text reads: “The provisions of this Act shall not apply… to such instrumentality of the State as the Central Government may notify, in the interests of the sovereignty and integrity of India, security of the State… or preventing incitement to any cognizable offence.” This broad exemption undermines the core of data protection by allowing state institutions — including law enforcement, intelligence, and administrative departments — to operate beyond the reach of accountability. For investigative journalists, this provision is dangerous. A reporter pursuing a story about surveillance of community leaders or corruption in a religious land board could find that the implicated agency is exempt from scrutiny — while the journalist could face legal threats for “violating” the privacy of public officials.
The law also burdens citizens with duties that can easily be weaponised. Section 15 requires individuals to not impersonate others, not suppress material information, and not file frivolous complaints — all on pain of penalties up to ₹10,000. While these may seem like common-sense clauses, in practice they can be turned against whistleblowers and sources. A person using a pseudonym to expose wrongdoing may be accused of impersonation. Someone sharing leaked documents could be penalised for withholding personal identifiers. The result is a chilling effect on public interest disclosures, especially those involving religious-political trusts, corporate malpractice, or institutional corruption.
Most alarmingly, the Act does not provide any explicit exemptions for journalistic work, academic research, or disclosures made in the public interest. Unlike the EU’s General Data Protection Regulation (GDPR), which carves out space for journalism and whistleblowing, the DPDP Act is silent on these protections. This silence is deliberate. A media outlet that uncovers how a political party is using voter data to fuel targeted communal campaigns could now be accused of violating the data rights of the perpetrators — not the victims.
The Digital Personal Data Protection Act must be understood as part of a broader trend in India’s legal landscape: the use of ambiguity and unchecked executive discretion to consolidate control, suppress dissent, and redefine the relationship between state and citizen. When legislation avoids judicial oversight, lacks explicit protections for the press, and empowers the executive to carve out blanket exemptions, it ceases to be about protection and becomes a mechanism for legalised surveillance and coercion.
This is not an isolated Indian story. Across regimes — authoritarian and democratic — states have used data protection and digital laws to repress critics, criminalise dissent, and shield themselves from scrutiny. In Pakistan, the Prevention of Electronic Crimes Act (PECA), passed in 2016, was marketed as an anti-cybercrime measure but has become a powerful weapon against journalists and online dissenters. In 2022, PECA amendments made defamation of state institutions a non-bailable offence, triggering arrests and gagging media outlets like Dawn and Geo News. The law’s vagueness — mirroring India’s DPDP — enables selective enforcement.
Saudi Arabia’s Personal Data Protection Law, introduced in 2021, requires state permission for transferring data outside the kingdom and imposes severe penalties. While cloaked in the language of digital modernisation, the law facilitates surveillance and censorship, especially of dissenters and activists challenging religious or royal authority.
Even in the United States, a democracy with constitutional safeguards, surveillance laws like the PATRIOT Act and FISA have enabled widespread, warrantless monitoring of citizens. The NSA’s bulk metadata collection program — later ruled illegal — operated for years in the shadows of public knowledge. While the discourse was framed around national security, the real effect was to erode the civil liberties of millions.
India’s DPDP Act combines the worst of these models. Like Pakistan, it criminalises common behaviour through vague obligations. Like Saudi Arabia, it grants the state near-total control over what information can be shared and by whom. Like the US, it normalises expansive surveillance while avoiding meaningful oversight. But in India — with its increasingly restricted media space, politicised law enforcement, and rising majoritarian pressures — these powers are especially dangerous.
The absence of a journalism exemption, the criminalisation of anonymous or whistleblower-led disclosures, and the ability of the government to opt itself out of accountability together construct a digital regime built not on protecting citizens, but on controlling them. This is not a privacy law. It is a legal framework for data governance by authoritarian instinct — wrapped in the language of rights, but fundamentally hostile to democratic practice.
