DPDP Act under the scanner: what the Supreme Court challenge means for Indian businesses
The DPDP Act is under a Supreme Court challenge. The headlines are loud. The instinct is to wait. Three things are still true:
- The Act has not been stayed.
- The DPDP Rules, 2025 are moving through notification.
- Your customers are already auditing vendor DPDPA posture.
Privacy readiness work should not pause. The judgment may sharpen the edges of the law. But Indian businesses should continue preparing for DPDPA compliance now.
What Changed
The DPDP Act was enacted in August 2023 as India’s first dedicated personal data protection law.
After its enactment, writ petitions were filed before the Supreme Court by RTI activists, journalists, civil society groups and members of the legal community. These petitions challenge specific parts of the law, not the entire idea of data protection.
The most prominent challenge concerns the amendment made by the DPDP Act to Section 8(1)(j) of the Right to Information Act, 2005.
Before the amendment, RTI authorities could deny disclosure of personal information only after applying certain public-interest tests. The older provision allowed disclosure where a larger public interest justified it. It also carried an important safeguard: information that could not be denied to Parliament or a State Legislature could not be denied to a citizen.
The DPDP Act simplifies this language and creates a broader exemption for information relating to personal information.
That change is now under constitutional scrutiny.
Petitioners argue that the amendment may weaken transparency, especially around information concerning public servants, public institutions, qualifications, assets, disciplinary records and other matters of public interest.
Some petitions also raise concerns around:
- independence of the Data Protection Board;
- breadth of the Government’s rule-making powers;
- lack of explicit exemptions for journalism, research and public-interest reporting;
- possible chilling effects on transparency and accountability.
For businesses, the important point is simple:
What the Law Actually Says
The DPDP Act continues to apply unless the Supreme Court specifically stays or strikes down relevant provisions.
As of now, there is no general stay on the DPDP Act.
That means Indian businesses must continue preparing for the core obligations under the law.
The practical obligations remain broadly unchanged:
- collect personal data only with valid consent or recognised legitimate use;
- provide clear and accessible privacy notices;
- use personal data only for the purpose communicated;
- keep data only as long as necessary;
- maintain reasonable security safeguards;
- support data principal rights;
- manage grievances;
- notify personal data breaches as required;
- ensure processors and vendors handle data properly.
The Supreme Court challenge mainly tests whether certain provisions of the Act are constitutionally valid, especially where privacy intersects with RTI, public interest, press freedom and government powers.
What Businesses Should Do Now
Businesses should not pause DPDPA readiness because of the constitutional challenge.
They should use this period to close practical gaps quietly before customers, partners, regulators or auditors ask harder questions.
| Area of Focus | Action Required |
| --- | --- |
| Data Mapping | List where personal data sits across CRMs, HR systems, ATS tools, spreadsheets, WhatsApp groups, vendor portals, backups and cloud folders. Identify owners and access rights. |
| Consent Flows | Review every collection point: website forms, app screens, WhatsApp opt-ins, offline forms, candidate forms and customer onboarding journeys. Remove vague consent and pre-ticked boxes. |
| Privacy Notice | Rewrite your privacy notice in plain language. State what data is collected, why it is collected, how long it is retained, who it is shared with and how users can raise requests. |
| Retention Schedule | Define how long each category of personal data is retained. CVs, customer records, invoices, support tickets and marketing leads should not be kept forever by default. |
| Vendor Contracts | Review contracts with payroll providers, cloud tools, email platforms, payment gateways, CRMs, marketing tools and outsourced processors. Add data protection obligations where missing. |
| Rights Request Process | Create a dedicated email, owner and SLA for access, correction, erasure and grievance requests. Do not wait until the first request arrives. |
| Breach Response | Prepare a breach response runbook. Identify who acts in the first 24–72 hours, who informs leadership, who handles customer communication and who coordinates with vendors. |
| Leadership Briefing | |
What Is Still Uncertain
Some issues remain genuinely uncertain because the Supreme Court challenge and final regulatory implementation are still evolving.
Businesses should track these areas, but not use them as an excuse to pause.
- RTI and Personal Data Disclosure
The biggest open question is how the Supreme Court will interpret the amended RTI exemption for personal information.
The Court may uphold the amendment, strike it down, or read it down to preserve public-interest disclosure.
This matters most for public authorities, journalists, civil society, public-sector entities and government-linked data ecosystems.
For most private businesses, this is important to understand but does not directly change everyday DPDPA obligations.
- Press, Research and Public-Interest Exemptions
The Act does not contain a strong, standalone exemption for journalism, academic research, public-interest investigation or whistle-blowing.
The Supreme Court may influence how these areas are interpreted.
This is especially relevant for:
- media companies;
- research organisations;
- civic-tech platforms;
Top Mistakes to Avoid
Businesses should avoid these common errors while reading the Supreme Court challenge.
- Assuming the DPDP Act Has Been Stayed
It has not been stayed.
A constitutional challenge does not automatically pause a law. Unless the Court grants a stay or strikes down a provision, the law continues to operate.
Waiting on this assumption is risky.
⸻
- Treating the RTI Issue as a Private-Sector Compliance Escape Route
The RTI challenge is important, but it does not remove the privacy obligations of private businesses.
A recruitment agency, CA firm, D2C brand, SaaS company or training institute cannot use the RTI debate as a reason to delay privacy notices, consent flows, retention rules or vendor reviews.
⸻
- Waiting for Final Rules Before Doing Anything
Some details may still evolve, but the core work is already obvious.
You do not need final rules to begin:
- data mapping;
- consent cleanup;