New Delhi’s data privacy law modelled leaves loophole for state surveillance Article by Deutsche Welle

India’s new data privacy rules—requiring companies such as Amazon, Meta, and OpenAI to limit the collection of personal information—came into effect earlier this month, marking the implementation of the Digital Personal Data Protection Act (DPDP). The legislation is intended to safeguard Indian users’ data while ensuring that their consent is respected.

Under the DPDP framework, companies may gather only the data necessary for a defined purpose and must allow users to opt out. They are also required to notify people if their information has been compromised in a data breach, according to the legislation.

Although framed as a step toward responsible data governance, the DPDP has faced criticism for giving the government broad authority to access personal data without strong independent checks.

Comparisons to the European Union’s General Data Protection Regulation (GDPR) highlight key differences: the EU relies on strict consent rules, robust data-minimization standards, and oversight by well-resourced and independent regulatory bodies.

Countless of private enterprises, particularly big tech companies, have been fined for their breach of the European data privacy legislation. Amazon, Uber, TikTok, LinkedIn are just a few of the companies that found themselves in a European court over their operations within the EU, which saw the collection of over €5 billion worth in fines by January 2025. The historic €1.2 billion fine charged to Meta in 2023 by the Irish Data Protection Commission (DPC) remains a significant moment in data protection enforcement.

India, by contrast, has established a government-appointed Data Protection Board with just four members to oversee privacy for a population of about 1.4 billion—raising concerns about weakened safeguards and risks to free expression.

Experts argue that, unlike the GDPR’s global influence and its strong protections against government intrusion, India’s version may fall short.

“India's data protection act and rules are likely to remain paper milestones when it comes to genuinely protecting the privacy of its people, since it mainly formalizes various aspects of data processing,” Prateek Waghre, head of programs at Tech Global Institute, told Deutsche Welle. He added, “Though successive iterations of the act and the rules were criticized for granting the executive branch too much leeway and control without adequate accompanying safeguards, each version expanded its powers.”

Waghre also warned that the government could pressure individuals and companies into surrendering data through broad provisions and a presumption of consent.

A particularly contentious issue highlighted by German media concerns the DPDP’s effect on India’s Right to Information (RTI) Act. Previously, citizens could request personal information held by public authorities if a “larger public interest” justified its release. The DPDP alters this provision so that—even when public interest is involved—authorities may refuse disclosure.

“The amendment […] will potentially lead to a blanket denial of personal information needed by citizens to expose corruption and hold governments accountable,” said Anjali Bhardwaj, co-convenor of the National Campaign for People's Right to Information. “For example, names of contractors undertaking public works and names of wilful loan defaulters of public sector banks cannot be obtained.”

Amrita Johri, a digital transparency advocate, told the German outlet that the change removes earlier protections that allowed access to information tied to public interest or public activity. “The government has used claims of ‘no data available’ to dodge transparency on critical public matters, further undermining the spirit of the RTI Act as a tool for democratic accountability,” she said, stressing that the ability to question and speak freely “is central to democracy.”

The Indian government rejects these concerns. The Ministry of Electronics and Information Technology insists the DPDP does not weaken the RTI. Secretary S. Krishnan stated that the law only eliminates “a redundant provision” and maintains that authorities may still release information in the public interest, as permitted under the existing RTI framework.

By Nazrin Sadigova