Today's Editorial

Today's Editorial - 16 April 2024

New data law, a barrier to journalistic free speech

Relevance: GS Paper II

Why in News?

The government is currently working on establishing regulations and guidelines to implement the Digital Personal Data Protection (DPDP) Act of 2023, the country's first comprehensive data protection law. The process is expected to be completed after the general election.

Data protection law vis-a-vis Journalistic free speech:

  • The law is largely based on users giving consent for processing their personal data.
    • It provides basic rights such as access to and erasure of data, places some obligations on companies, and establishes a complaints body for grievance redress.
  • However, the law might have an invisible impact on journalistic free speech.
    • Typically, data protection laws exempt journalistic activities from privacy obligations such as notifying users and obtaining their consent before using their personal data.
    • Three previous drafts of the DPDP Act had exemptions for journalistic activities, but the final law withdrew such an exemption.
  • The Editors Guild of India also pointed to this risk and requested that journalistic activities be exempted from the DPDP Act in a letter to the government.

How do privacy considerations intersect with journalistic free speech?

  • Imagine that you are a journalist writing about a Member of Parliament (MP) and his performance. For your story, you use information from their lives, such as -
    • They held meetings, travelled where and with whom, and visited towns, villages, and cities. How often did they use a private jet or a chartered plane? What about their financial background and the investments made by their close family members?
      • Most of this information is not available in the public domain and needs a lot of research.
    • All this information about an MP is their ‘personal data’, which is data protected under the DPDP Act.
  • Consequently, any journalist who wishes to use this data will have to get their consent before publishing the story. Even after publication, the MP can exercise their right to erasure and request journalists to delete such stories.
  • Further, the DPDP Act empowers the government to call for information from any data processor in India.
    • How this provision is interpreted and applied may impact the confidentiality journalists must maintain for their sources and research documents.
  • Overall, the need for journalists to get consent before publishing their story, the potential for the subject to rely on the right to erasure to have the story deleted, and the power of the government to call for information would likely impede a journalist’s ability to discharge their role as the fourth estate—of holding the state accountable.

Why was the exemption removed?

  • Why did the government remove such an exemption from subsequent drafts? This remains unclear.
    • Three previous drafts of the DPDP Act, one released by an expert committee on data protection (2018), the other by the government (2019), and the third released by a Joint Parliamentary Committee in 2021, contained clear exemptions for journalistic activities.
    • In two subsequent drafts of the DPDP Act (2022 and 2023), the exemption given to journalistic activities was withdrawn without reasons being given.
  • This instance of the end-stage removal of the clause for journalistic exemption points to the need for adopting a more robust and transparent public consultation process around proposed laws.

Key issues in the public consultation process:

  • One of the primary ways to get feedback on a law is to institute an ‘open and transparent’ public consultation model.
    • Although the Indian government released three separate drafts of the data protection law for public consultation, none of the comments received on the drafts have ever been released in the public domain.
      • This impeded citizens' ability to understand what different stakeholders were saying and who was finally heard in the final formulation of the law.
  • The government has also conducted invite-only town halls to gather feedback on drafts of the DPDP Act.
    • The withdrawal of exemptions for journalistic activities was not discussed in such town halls, and the government did not provide any clarification.
  • Unfortunately, these consultations and town halls are often not conducive to enabling open debate and deliberation on the proposed law and its provisions.

Way forward:

  • In addition to enabling an open and transparent consultation process, the government can swiftly remedy this problem via rules under the DPDP Act.
    • Under the Act, the central government has the power to exempt any data processor or ‘classes’ of data processors from any provisions of the law.
      • These give the government wide powers to unilaterally provide and remove an exemption, but it is the quickest route available in this case.
    • Although an exemption for journalistic work should form part of the core text of the law, the government must use the above-mentioned rule to exempt journalistic entities, including citizen journalists, from any obligations under the DPDP Act.
      • This will ensure that the DPDP Act does not negatively impact journalistic free speech in India.

Beyond Editorial:

9 Principles of data privacy recommended by Justice A.P Shah's committee must be followed:

  • Principle of Notice: The data controller is to notify all individuals of its information practices before collecting information from them.
  • Principle of Choice and Consent: There are two methods of obtaining an individual's consent: the opt-in method and the opt-out method.
  • Principle of Collection Limitation: Collect only as much information as is directly necessary for the purposes identified.
  • Principle of Purpose Limitation: The collection or processing of information should be restricted to only as much information as is adequate and relevant and should be limited to the purpose notified.
  • Principle of Access and Correction: Data subjects have access to the data held about them and the ability to seek corrections, amendment, or deletion of such data in case of inaccuracy.
  • Principle of Disclosure of Information: The data subject (the person whose information is taken) has the right to privacy if their personal information is disclosed to a third party.
  • Principle of Security: Data controllers must ensure the security of the collected personal information by ‘reasonable security standards’ to protect from reasonably foreseeable risks.
  • Principle of Openness: The data controller must make public all the information it can about the practices, procedures, policies, and systems that it implements.
  • Principle of Accountability: The data controller to comply with measures that fulfil the other eight principles.


The government should give due consideration to journalistic free speech, transparency, and public participation while framing regulations and guidelines of the Digital Personal Data Protection (DPDP) Act of 2023. The act must not unfairly restrict journalistic free speech, and legal reforms must be implemented to strike a balance between privacy protection and press freedom.

Book A Free Counseling Session