Delhi HC seeks Centre’s reply on plea against new data law

I have sufficient facts from PIB (Tier 1) and the article itself (Tier 4) to write a complete note. Proceeding.

UPSC Study Note: Delhi HC Seeks Centre's Reply on Plea Against DPDP Act, 2023

1. At a Glance

• The Digital Personal Data Protection (DPDP) Act, 2023 is India's first standalone comprehensive data protection legislation, enacted on 11 August 2023. [S1]
• The Delhi High Court issued notice to the Union Government on 18 February 2026 on a petition challenging specific sections of the Act for allegedly enabling surveillance, unchecked Executive access, and undermining judicial independence. [S3]
• Relevance: Intersects GS-II (governance, rights, judiciary) and GS-III (technology, cybersecurity); tests knowledge of the Act's architecture, constitutional rights, and institutional design of data regulation in India.
• The case signals the first significant constitutional challenge to the DPDP Act, making it a high-priority current-affairs topic for 2026 Prelims/Mains.

2. Why in the News

• 18 February 2026: A two-judge Bench of the Delhi High Court issued notice to the Centre on a writ petition challenging multiple provisions of the DPDP Act, 2023. [S3]
• The Bench posted the matter for hearing in April 2026. [S3]
• The petition targeted Sections 17, 18, 19, 20, 21, 23, 29, 30, 36, 37, 39, 40, and 44 of the Act. [S3]
• 13 November 2025: MeitY had notified the DPDP Rules, 2025 and operationalised the Act with an 18-month phased compliance period — immediately preceding the HC challenge. [S1]

3. Background & Evolution

• 2017: Justice K.S. Puttaswamy v. Union of India — Supreme Court unanimously declared privacy a Fundamental Right under Article 21; directed the government to frame a data protection law.
• 2018: Justice B.N. Srikrishna Committee submitted its report with a draft Personal Data Protection Bill.
• 2019: Personal Data Protection Bill, 2019 introduced in Lok Sabha; referred to a Joint Parliamentary Committee (JPC).
• 2021: JPC submitted its report recommending extensive amendments; renamed bill as Data Protection Bill, 2021.
• August 2022: The government withdrew the 2019 Bill, citing the need for a comprehensive legal framework aligned with the digital economy.
• August 2023: The Digital Personal Data Protection Act, 2023 passed by Parliament and received Presidential assent on 11 August 2023. [S1]
• November 2025: DPDP Rules, 2025 notified by MeitY; 18-month phased compliance rollout begins. [S1]
• February 2026: First constitutional challenge filed in Delhi HC. [S3]

4. Core Static Facts

Challenged Sections (per petition): - Sec. 17 — Exemptions to government processing; basis for alleged surveillance enablement - Sec. 18 — Establishes Data Protection Board (Executive-controlled; no judicial member mandated) - Sec. 19–21 — Appointment, terms, removal of Board Chairperson/Members - Sec. 23 — Powers of the Board - Sec. 29–30 — Blocking of content/access without hearing - Sec. 36–37 — Central Government's power to call for information; broad directions - Sec. 39–40 — Penalties; liability - Sec. 44 — Amendment to the Right to Information (RTI) Act, 2005 — dilutes RTI by exempting personal data from disclosure [S3]

5. Multi-Dimensional Analysis

Legal / Constitutional

• The petition invokes Article 21 (privacy) and Article 14 (non-arbitrariness) to challenge the Act's provisions on Executive-controlled blocking and data access. [S3]
• Section 44 amends the RTI Act, 2005 to restrict disclosure of personal information — critics argue this expands the exemption under Section 8(1)(j) of RTI and reduces government accountability.
• The absence of a judicial review mechanism within the Board structure raises separation-of-powers concerns; the appellate tribunal under the Act is also Executive-appointed.
• Parallels drawn with Shreya Singhal v. UoI (2015) where the Supreme Court struck down Section 66A of the IT Act for vagueness and overbreadth.

Ethical / Governance

• The Act's consent framework has been criticised: deemed consent (Section 7) and government exemptions (Section 17) may allow data processing without meaningful consent from Data Principals. [S3]
• The Data Protection Board is staffed by government nominees — not an independent quasi-judicial body — raising questions of institutional capture.
• Absence of a Data Protection Authority akin to the EU's independent supervisory authority (under GDPR) is a governance gap flagged by civil society.
• The RTI amendment is seen as weakening transparency precisely as digital governance expands.

Economic

• DPDP Rules impose compliance obligations on Data Fiduciaries (companies processing data); the 18-month phased period aims to reduce compliance shock on industry. [S1]
• Significant Data Fiduciaries (SDFs) — large platforms — face enhanced obligations; classification criteria set by MeitY.
• Legal uncertainty from the HC challenge may delay investment in India's data economy and cloud infrastructure.

Geopolitical / Strategic

• The Act's cross-border data transfer provisions (Section 16) allow transfer to countries on a government-approved whitelist — contrasted with GDPR's adequacy framework.
• India's data localisation stance affects negotiations in India-EU FTA and India-US trade frameworks.
• India seeks GDPR adequacy recognition from the EU; the DPDP Act's weaker protections and Executive control may hinder this goal.

Scientific / Technological

• The Act regulates automated decision-making and processing of children's data (parental consent mandatory under Section 9) — relevant to AI governance debates.
• DPDP Rules, 2025 specify data breach notification timelines and formats — a significant operational tech-compliance requirement.
• The Act's silence on non-digital/offline data (unless digitised) leaves a regulatory gap in an era of IoT and embedded systems.

Administrative

• Implementation rests with MeitY; but enforcement via the Board involves Executive appointments — creating overlap with judicial functions.
• The 18-month phased compliance period ends approximately May 2027; entities must restructure consent mechanisms, breach protocols, and data inventories.
• No dedicated cadre or technical regulator (like TRAI for telecom) established — implementation depends on the Board's capacity.

6. Recent Developments (Last 12–18 Months)

• November 2025: MeitY notified DPDP Rules, 2025, triggering the 18-month compliance clock. [S1]
• November 2025: Rules specify requirements for Consent Managers, breach notification to the Board, special protections for children and persons with disabilities. [S1]
• February 2026 (18th): Delhi HC two-judge Bench issues notice to the Centre on constitutional challenge to 13 sections of the DPDP Act; next hearing April 2026. [S3]
• February 2026: Petition specifically flags that the RTI Act amendment (via Section 44 of DPDP Act) dilutes citizens' right to information. [S3]

7. Prelims Hooks (High-Density Factual Bullets)

1. The DPDP Act, 2023 received Presidential assent on 11 August 2023.
2. The implementing ministry is MeitY (Ministry of Electronics and Information Technology), not the Ministry of Law.
3. The Data Protection Board of India is established under Section 18 of the DPDP Act, 2023.
4. The DPDP Act does not classify data into sensitive/critical subcategories — a departure from earlier draft bills.
5. Section 44 of the DPDP Act amends the Right to Information (RTI) Act, 2005 — restricting disclosure of personal data.
6. The DPDP Rules, 2025 were notified on 13 November 2025 by MeitY.
7. The DPDP Rules introduce an 18-month phased compliance period for Data Fiduciaries.
8. The right to privacy was declared a Fundamental Right by the Supreme Court in K.S. Puttaswamy v. Union of India (2017), which mandated a data protection law.
9. The Delhi HC issued notice to the Centre on 18 February 2026 on the DPDP challenge; hearing posted for April 2026.
10. The petition challenged 13 sections of the DPDP Act: Sections 17, 18, 19, 20, 21, 23, 29, 30, 36, 37, 39, 40, and 44.
11. The Personal Data Protection Bill, 2019 was withdrawn in August 2022 before the DPDP Act was introduced.
12. The B.N. Srikrishna Committee (2018) produced the first draft data protection bill in India.
13. Cross-border data transfers under the DPDP Act are governed by a government-approved whitelist of countries (Section 16).
14. Children's data under the DPDP Act requires verifiable parental consent (Section 9).
15. India's DPDP Act has been compared unfavourably with the EU's GDPR for lacking an independent supervisory authority.

8. Mains Relevance

GS Paper Mapping: - GS-II: Governance, transparency, RTI, judiciary, fundamental rights, statutory bodies - GS-III: Data protection, cybersecurity, technology policy, digital economy

Specific Syllabus Headings: - GS-II: Government policies and interventions; important aspects of governance; transparency and accountability; statutory bodies - GS-III: Awareness in the fields of IT; challenges to internal security through communication networks

Plausible Mains Question Stems:

1. "The Digital Personal Data Protection Act, 2023 has been criticised for privileging Executive control over individual rights. Examine the provisions of the Act that raise concerns about surveillance and erosion of the right to privacy." (GS-II, 15 marks)

2. "Critically evaluate the Data Protection Board of India as an institutional mechanism for privacy adjudication. How does it compare with independent data protection authorities in democracies such as the EU?" (GS-II, 10 marks)

3. "Assess the implications of Section 44 of the DPDP Act, 2023 on the Right to Information Act, 2005. Does data protection necessarily conflict with transparency in governance?" (GS-II, 15 marks)

9. Related Topics to Study Next

10. Common Errors / Trap Areas

1. Wrong Ministry: DPDP is implemented by MeitY, not the Ministry of Law and Justice or the Ministry of Home Affairs — a common mix-up.
2. Wrong Year of Assent: The Act received Presidential assent in August 2023, not 2022 or 2024. The Rules were notified in November 2025 — do not conflate these two dates.
3. Confusing the Board with a Court: The Data Protection Board of India is an Executive-appointed adjudicating body, not a statutory tribunal with judicial independence — the absence of this independence is the very ground of the HC challenge.
4. RTI Connection Overlooked: Aspirants often miss that Section 44 of the DPDP Act amends the RTI Act — examiners frequently test this cross-statutory linkage.
5. Conflating DPDP with earlier Bills: The Personal Data Protection Bill (2019) was withdrawn in 2022 and replaced, not amended, by the DPDP Act, 2023. The earlier bills had "sensitive personal data" categories; the 2023 Act does not.

11. Sources

• [S1] Draft Digital Personal Data Protection Rules — Press Information Bureau, MeitY — https://www.pib.gov.in/PressReleasePage.aspx?PRID=2090271&reg=3&lang=2 — (Tier 1)
• [S2] Decoding the Digital Personal Data Protection Act, 2023 — EY India — https://www.ey.com/en_in/insights/cybersecurity/decoding-the-digital-personal-data-protection-act-2023 — (background reference; non-whitelisted)
• [S3] Delhi HC seeks Centre's reply on plea against new data law — The Hindu, 19 February 2026 — https://www.thehindu.com/todays-paper/2026-02-19/th_international/articleGE7FJVFQR-13571860.ece — (Tier 4 — Article Content / Primary Source)