Editors Guild says DPDP Rules leave key concerns for journalists unresolved

The Editors Guild of India has warned that the newly notified DPDP Rules could burden journalists with consent obligations and risk chilling reportage without clear exemptions for the media

The Editors Guild of India (EGI) has said that the newly notified administrative rules under the Digital Personal Data Protection (DPDP) Act leave critical questions unresolved for journalists and media organisations.

 

In a statement, the Guild has said that despite the concerns around Act’s shortcomings, issues had not been addressed despite being flagged.

 

“Ambiguous obligations around consent risk exposing journalists and newsrooms to compliance burdens that may impede routine reportage. Without explicit exemptions or clarifying guidance, the possibility remains that journalistic activities could be interpreted as ‘processing’ requiring consent, thereby chilling newsgathering and hindering accountability journalism,” the EGI said in a statement posted on X (formerly Twitter).

   

Urging the Ministry of Electronics and Information Technology to issue a clear and categorical clarification exempting bonafide journalistic activity from the consent and processing requirements of the DPDP Act, the Guild said that though data protection and privacy are vital objectives, they must be balanced with constitutional guarantee of freedom of speech.

 

The government had on November 14 notified the administrative rules under the DPDP Act, marking India’s entry into a select league of countries that have a federal digital personal data privacy regime. The notification of the DPDP Rules also marks the operationalisation of India’s privacy law nearly 15 years after it was first envisioned.

 

Under the new rules, the Ministry of Electronics and Information Technology (Meity) has mandated that all data fiduciaries will have to seek specific and informed consent of all data principals in “clear and plain language”.

 

The consent sought will also have to contain a detailed and itemised description of the user's personal data to be processed, along with the specific purpose for which the data fiduciary is collecting such personal data.

 

All companies, social media platforms, and internet intermediaries that deal with the digital personal data of users will fall under the category of data fiduciaries. All users whose personal data is sought to be processed by these entities will now be referred to as data principals.

 

Such data fiduciaries must also allow users to easily withdraw their consent at any time, exercise other rights mentioned in the Act, and file a complaint with the Data Protection Board (DPB), according to the rules.