DPDPA was enacted in August 2023, but its full enforcement and detailed rules are still pending notification by the Government. The law creates a clear framework for how data is collected, stored, and processed across diverse sectors in the country. While widely recognized as progressive, many areas where data intersects with law and regulation still require further evolution and clarification.To surface these issues, the Press Club of India (PCI) has put forward 35 important questions for MEITY, seeking clarity that is essential for the smooth and transparent enforcement of the DPDPA. These questions capture the real-world challenges individuals and organizations are grappling with today
Across sectors—finance, healthcare, journalism, research, and technology—citizens actively question how regulators and institutions will enforce their rights in practice; businesses consistently demand clear definitions of their legal and ethical responsibilities when handling sensitive data; and lawmakers work persistently to align and harmonize evolving global data protection frameworks with India’s specific regulatory, cultural, and economic context.
MeitY’s Clarifications on DPDPA 2023: Why They Matter
The Data Protection and Digital Personal Data Protection Act, 2023 (DPDPA 2023) is not only another compliance checklist — it is India’s law regarding privacy and data protection. But the language of the Act leaves a lot open to interpretation, and without clarity:
- Businesses risk penalties due to misinterpretation.
- Startups and MSMEs face uncertainty in compliance costs.
- Journalists and researchers worry about restrictions on their work.
- Citizens are unsure how to exercise their rights.
This is why MEITY’s clarifications are more than administration, they are necessary for the DPDPA to fulfill its purpose without confusion or overreach. MEITY is able to answer these 35 questions, and therefore, build bridges, and build trust to strengthen India’s path towards a responsible digital future.
Observations Before the Questions
Before revealing these 35 questions, the Press Club of India made a few important notes regarding the nature of guidance by MEITY:
- FAQs are guidance, not law – Any clarifications or FAQs issued by MEITY are administrative tools. They cannot override the law itself or carry binding authority.
- Courts follow the Act, not clarifications – Judicial bodies rely on statutory text, intent, and precedent. MEITY’s guidance may help businesses, but it won’t shape judicial interpretation.
- Clarifications as policy interpretation – At best, MEITY’s statements are policy interpretations that help stakeholders understand the law. But they lack the force of law.
- Industry still needs clarity – Even if not legally binding, FAQs and clarifications are crucial for helping organizations adopt practical compliance measures and reduce uncertainty.
With this context in mind, here are the 35 questions framed by the Press Club of India for MEITY consideration.
35 Questions Awaiting Clarifications from mEITY
The Press Club of India has formally framed the following list of 35 questions, reflecting widespread concerns that MEITY has still not answered under the DPDPA 2023 framework.
1. In the 2018, 2019 and 2021 versions of the data protection bill, exemptions were provided
for journalistic purposes. The Justice Srikrishna Committee Report on DataProtection (2018) and
the 2012 Group of Experts on Privacy headed by Justice AP Shahhad also recommended exemptions
for journalistic purposes. Why was the journalistic exemption removed from the final version of the
DPDP Bill, which was enacted in August 2023?
2. If in the opinion of the ministry, no explicit exemption for journalistic purposes is
required as the law does not to apply to journalistic work, which are the specific sections
of the DPDP Act, 2023, that safeguard rights of entities and individuals and exempt them
from obligations of data fiduciary if they are processing personal information for
journalistic purposes? Please provide a list of such sections and an explanation on how
they protect journalistic work.
3. Since the enactment of the RTI Act in 2005, information accessed under the law has
become a crucial source for journalists and media. There are innumerable examples of
important journalistic work in public interest which are based on records accessed under
the RTI Act. Why was Section 8(1)(j) of the RTI Act amended through the DPDP Act to
expand the scope of information exempt from disclosure?
4. If in the opinion of the ministry, the right to access information under the RTI Act remains
unchanged despite the changes made to Section 8(1)(j) through the DPDP Act because of
the existence of Section 8(2) of the RTI Act, why was the RTI Act amended?
5. Section 44(3) substitutes RTI Act Section 8(1)(j), making all personal data exempt from
disclosure without the earlier public-interest override (see explanatory note). How will
MEITY prevent this from hollowing out journalists’ access to corruption-related records?
6. Journalistic work at times requires sharing and storing of documents, including those
containing personal information, across national borders and jurisdictions. At times, such
documents are provided by whistleblowers and therefore require measures to ensure
confidentiality, including in the storage and processing of such information which may
entail the use of secure servers located outside Indian jurisdiction. Various sections place
restrictions on transfer of personal data including Section 16 of the DPDP Act. How will
processing and storage of information outside India for journalistic purposes be
protected?
7. Do the definitions of “Automated”, “Data Fiduciary”, “Data Principal” and “Data Processor”
provided in Section 2 of the Digital Personal Data Protection Act, 2023, apply to
individuals involved in journalistic work and media organisations for carrying out
journalism? Yes or No?
8. If no, why does the Act not spell out the exemption for individuals involved in journalistic
work and media organisations explicitly in Section 17?
9. If no (Q7), what exemptions will be applicable to individuals involved in journalistic
activity and media organisations from the definition of “data fiduciary”, “data processor”,
“personal data” and “data principal”?
10. Draft Rule 8 mandates deletion of personal data three years after the last user interaction
and even requires a 48-hour pre-erasure warning. Given the historical value of news
archives, will MEITY confirm that journalistic archives fall under the “research, archiving
and statistical purposes” exemption in Section 17?
11. Where Draft Rule 15 treats continued non-use as a trigger for deletion, people involved in
journalistic activity or media organisations obtain a categorical assurance that
sourcerelated files kept solely for public-interest follow-ups will not be forced into erasure
schedules?
12. Will MEITY invoke its rule-making power under Section 40 to recognise a limited
exception for bona-fide newsgathering, or must journalists rely solely on the narrow
“certain legitimate uses” in Section 7?
13. Do individuals involved in journalistic work and organisations need to seek prior consent
from any person they report on, or whose “personal data” such as identification details
are contained in a press report?
14. Reporting whether for print, broadcast or online media requires several details such as
name, age, gender, location, profession, caste, class, income are required to authenticate a
story. Without these details, the story will be incomplete, vague, and likely to be
rejected. Much of this information is set to fall within the definition of “personal data”.
Blanking out this type of data will lead to a hollowing out of stories, particularly field
reportage and will adversely affect the media as a whole.What are the specific clauses in the act that provide exemption for publishing such details as part of regular
journalistic work?
15. In the case of a developing news story such as coverage of a riot, a terror attack, or a
natural disaster, spontaneous street interviews, etc., is the person involved in journalistic
activity (data fiduciary) required to go through the elaborate process of obtaining consent
from the subjects (data principal) according to the provisions and clauses mentioned
under Section 5 and Section 6 before reporting the story?
16. Draft Rule 3 demands that the Data Fiduciary’s notice be “in clear and plain language” and
given before processing. How can live spot reporting, spontaneous street interviews,
undercover reporting, etc., comply, and will MEITY clarify that journalistic collection in
the public interest need not issue advance notices?
17. In a case of a scam or instance of corruption perpetuated by a minister or bureaucrat or
any public servant, is the person involved in journalistic activity, or the media
organisation, required to take “informed consent” from the accused in the form and
format laid out in the Act, specifying the purpose for which the information has been
collected, before publishing the article?
18. In a case of custodial torture or death, is a reporter, or a media organisation, required to
obtain consent in the prescribed format as defined under Section 6 of DPDPA from the
accused police official before naming her, or mentioning the place of posting or where the
incident took place, or any other information that makes the accused identifiable before
publishing the article?
19. Section 7 states that personal data of a “data principal” can be used only for the “specified
purpose”. In such a case, how do these scenarios pan out for journalists and media
organisations?
Scenario 1:
Suppose a person involved in journalistic activity is working on a story on denial of ration
cards to people of a certain region due to mismatch with Aadhaar data and collects
personal data of the affected people such as name, age, and place for identifying the
extent of the problems. It raises some questions:
i) Is the individual involved in journalistic activity required to take “informed consent”
from each individual for processing this raw data and using it in a coherent tabular format
in an article to highlight the systemic problem in the public interest?
ii.) Since, this situation involves flaws that are inbuilt and baked into the Aadhaar
architecture, does the person involved in journalistic activity needs “informed consent” of
the concerned official of UIDAI before highlighting how Aadhaar-based ration cards are
responsible for denial of food?
Scenario 2:
Suppose, a few months down the line, it emerges that starvation deaths have occurred in
the same region due to lack of access to food and the previously collected data is used to
establish a causal link between the deaths and problems with Aadhaar data, is the person
involved in journalistic activity or the media organisation required to obtain fresh
consent?
20. Draft Rule 10(1) forces outlets to obtain age-verified parental consent before processing a
child’s data. How should people involved in journalistic activity or media organisations
cover issues affecting minors (18 years and below) in real-time without breaching this rule?
21. Since Section 10 of the Act gives the Central Government discretionary power to notify
any data fiduciary as “Significant Data Fiduciary”, does this mean a person involved in
journalistic work, or a media organisation, handling a large volume of data, which
contains personal data, can be notified as a “significant data fiduciary”? Yes or no?
22. If no (Q20), under which provision of the Act the exemption will be given?
23. Section 10 allows notification of any Data Fiduciary based on “risk to electoral democracy,
public order or the security of the State”. What objective criteria will be applied to ensure
that large or critical media houses are not placed under onerous Significant Data
Fiduciary compliance merely for publishing investigative stories?
24. Draft Rule 22(1) allows the Government, after obtaining information, to direct that “the
Data Fiduciary shall not disclose to any person the fact that such a direction has been
received”. How will MEITY reconcile these secret orders with the open-justice principle
and the press’s right to report on state action?
25. Clause (c) of sub-section (7) under Section 28 and Section 36 give the Data Protection
Board and the Central Government sweeping powers to call for “any data, book, document,
register, book of account or any other document.” Now, investigative journalism, to a great
extent, relies on “source-based information” or provided by whistleblowers. Given the
wide range of powers that have been vested in the Data Protection Board, it can very well
demand a person involved in journalistic activity or media organisation to reveal the
“source”. What are the protections available to a person involved in journalistic activity
and media organisations from revealing a “source” under the Act?
26. Draft Rule 6(g) demands “appropriate technical and organisational measures to ensure
effective observance of security safeguards” and can be enforced by the Board. What limits
will be set so that inspections do not morph into newsroom searches, jeopardising
editorial independence?
27. Draft Rule 7 obliges a Data Fiduciary to alert every affected person after a leak. If a
whistle-blower leaks wrongdoing inside a company, PSU, government department, etc.,
must the person involved in journalistic activity or the newsroom notify the very officials
under investigation, thereby exposing its source?
28. The draft rules allow the Board to suspend or cancel a Consent Manager’s registration and
compel information disclosure. If a media-run consent tool is de-registered, is there an
appeal, and how will ongoing subscriptions be maintained?
29. Draft Rule 6 requires encryption, extensive logging and one-year log retention. What
financial or technical assistance will be offered to small, independent outlets that cannot
afford enterprise-grade infrastructure?
30. Section 7(b) allows data processing by the state for providing state benefits. Rule 5
explicitly lets the State reuse personal data to deliver subsidies without consent, subject
only to minimal standards. What safeguards will prevent such “lawful” data-sharing from
being repurposed to identify or retaliate against critical journalists?
31. Repeated non-compliance can ultimately attract blocking under the IT Act read with
Section 37 DPDPA (blocking for data-protection reasons). Will MEITY commit to seeking
prior judicial authorisation before any news site is disabled?
32. What is the quantifiable threshold of non-compliances before blocking action is initiated?
33. When deciding penalties, Section 33 directs the Board to consider factors such as the
“nature, gravity and duration” of the breach. Given that honest public-interest reporting
may involve leaked data, how will proportionality be guaranteed so fines do not have a
chilling effect on smaller newsrooms and individuals engaged in journalistic activity?
34. How will MEITY harmonise the DPDPA’s consent and notice requirements with statutory
privileges under the Press and Registration of Periodicals Act and the Working Journalists
(Conditions of Service) Act?
35. Given that the Central Government has been empowered to block information/content
under Section 69A of the IT Act, what is the purpose behind including Section 37(1)(b)
that creates another parallel blocking regime that further empowers the Central
Government to issue blocking directions under the DPDPA framework?
Why These Clarifications Are Crucial for DPDPA’s Future
The 35 questions raised by the Press Club of India to MEITY cut across industries, fundamental rights, and pressing practical issues. Each unresolved area, in turn, deepens uncertainty for stakeholders and, moreover, weakens the overall effectiveness of the Act. As a result, the absence of clear answers risks undermining both compliance and trust in the system.
If MEITY offers clarifying transparency, it will:
- Assist businesses in avoiding penalty and operating more smoothly.
- Enhance enforcement actions in order to protect citizens’ right to privacy.
- Allow journalists and researchers to operate without fear of misuse.
- Inspire confidence from the international audience regarding India’s data governance framework.
Thus, the Digital Personal Data Protection Act, 2023 represents not just a law but a watershed moment for India’s democratic digital future. Nevertheless, the Act’s promise could easily be lost in layers of ambiguity if MEITY does not take decisive steps to provide clear, timely, and practical answers to the 35 outstanding questions. In short, transparency is no longer optional—it is the bridge between the promise of reform and its meaningful realization.
Will MEITY Step Up in This?
As India gets closer to fully enforcing the DPDPA, the unresolved issues can no longer be ignored. In fact, each unclear rule or vague explanation not only creates confusion in the law but also leaves businesses stuck and people unsure about their rights. Therefore, it is important for MEITY to step in and give clear answers.
Moreover, only with simple, practical, and direct guidance can regulators make it easier for businesses to follow the law and, at the same time, increase public trust in India’s new data protection system. Ultimately, clear and timely instructions will not just remove doubts but also build confidence among businesses and citizens, bring India closer to global standards, and, most importantly, protect people’s rights.
Until then, even after the release of the 35 questions MeitY must address, both the industry and the public will continue waiting for the ministry’s next step.
