Published On: June 4th 2026
Authored By: Varshini R
The Tamil Nadu Dr. Ambedkar Law University, Chennai
Abstract
In recent years, the use of personal data has increased rapidly, especially as more services move online. This shift made the need for a proper data protection law quite obvious. The Digital Personal Data Protection Act, 2023 was introduced with the aim of regulating how personal data is handled and of giving individuals greater control over their information. While this is an important step, the law has also highlighted certain issues, particularly in relation to the Right to Information Act, 2005.
One of the main concerns arises from a recent change to the RTI framework, where the earlier provision allowing disclosure of personal information in the public interest has been removed. At first, this may seem like a reasonable move to protect privacy. But on closer examination, it creates a situation where access to information can be denied more easily, even in cases where disclosure might be important for accountability.
This paper examines how this shift affects the balance between privacy and transparency. It suggests that the current approach may be somewhat one-sided. Protecting personal data is necessary, but it should not come at the cost of broadly reducing access to information.
Keywords: DPDP Act, Right to Information, Privacy, Transparency, Constitutional Law, Data Protection.
Introduction
In a functioning democracy, citizens are not expected to simply accept what the government does. They are meant to question it, scrutinise it, and where necessary, challenge it. This is where transparency plays an important role. At the same time, individuals also expect that their personal information will not be unnecessarily exposed. Privacy, in that sense, is equally important. The difficulty, however, lies in balancing these two values. They often overlap, and sometimes they clash.
This tension has become particularly visible with the enactment of the Digital Personal Data Protection Act, 2023. While the law is aimed at protecting personal data in an increasingly digital world, certain provisions (especially those affecting the Right to Information Act, 2005) have pointed to a serious concern. These concerns are now being examined by the Supreme Court in Venkatesh Nayak v. Union of India.[2] The case does not merely deal with data protection in a technical sense. It raises a deeper constitutional question: whether the law, in trying to protect privacy, has gone too far and weakened the right to access information.
This article attempts to examine that question. It argues that although the objective of the DPDP Act is valid, the way it interacts with the RTI framework is problematic. In particular, the removal of the public interest safeguard risks shifting the balance too heavily in favour of secrecy. Article 19(2) of the International Covenant on Civil and Political Rights, adopted by the United Nations General Assembly on 16 December 1966, affirms that everyone has the right to freedom of expression, including the freedom to seek, receive, and impart information of all kinds.[3] This international standard reinforces the importance of preserving meaningful access to information even as domestic privacy frameworks are strengthened.
The Constitutional Background: Two Rights, One Tension
The right to information and the right to privacy did not develop simultaneously in India, but today they are closely connected.
The right to know has long been recognised as part of freedom of speech. In State of Uttar Pradesh v. Raj Narain,[4] the Supreme Court made clear that citizens have a right to know how public power is exercised. This idea was expanded in S.P. Gupta v. Union of India,[5] known as the “First Judge case,” where the Court emphasised that openness in government is essential in a democracy. These decisions eventually led to the RTI Act, 2005, which created a formal mechanism for citizens to access information. For many years, this law has been one of the most effective tools for accountability.
Privacy, on the other hand, received clear constitutional recognition much later. It was only in Justice K.S. Puttaswamy v. Union of India[6] that the Supreme Court explicitly held that privacy is a fundamental right. But even in that judgment, the Court did not treat privacy as absolute. Instead, it introduced the idea of balancing it against other competing interests. Section 8(1)(j) of the RTI Act dealt with “personal information,” prohibiting disclosure unless a larger public interest justified it.[7] So, from the outset, the constitutional position has not been about choosing one right over the other. It has been about maintaining a balance.
The Journey of the Bill
The path to the DPDP Act, 2023 was long and iterative. In August 2017, the Supreme Court reaffirmed privacy as a fundamental right in Justice K.S. Puttaswamy v. Union of India, following which the Justice Srikrishna Committee was constituted to examine data protection issues. In July 2018, the Committee released a draft Personal Data Protection Bill along with its report.
In December 2019, a revised draft bill was sent to a Joint Parliamentary Committee (JPC) covering both Houses of Parliament for review. In December 2021, the JPC released its report and a revised version of the legislation as the Data Protection Bill. In August 2022, this draft was withdrawn, and in November 2022, the Ministry of Electronics and Information Technology released a fresh draft Digital Personal Data Protection Bill for public consultation. On 11 August 2023, the DPDP Bill, 2023 was assented to by the President of India after receiving clearance from both the Rajya Sabha and the Lok Sabha.
What the DPDP Act Actually Does
The DPDP Act was introduced to address a real and growing problem: the misuse of personal data. As more services move online, individuals are constantly sharing information, often without knowing how it will be used.
The Act tries to address this by creating a framework based on consent and accountability. It introduces concepts such as “data fiduciaries” and grants individuals certain rights over their data. It also provides for penalties in case of violations.
All of this seems reasonable in principle. However, the concern is not with data protection as such. The issue arises when the Act begins to affect other legal frameworks, particularly the RTI Act. In a 2024 proceeding before the Delhi High Court, the Court remarked orally that “the very essence of RTI is public interest; if that is excluded, the law risks being hollowed out.” This observation underscores the judiciary’s recognition that broad exemptions under Section 44(3) of the DPDP Act could undermine the core purpose of the RTI regime, which is to promote transparency and accountability in governance.[8]
Citizens’ Rights under the DPDP Act
The Act empowers citizens as “Data Principals,” granting them the following rights:
Right to Information: Individuals have the right to seek information on how their data is being processed, and data fiduciaries are required to make this information available in a clear and understandable manner.
Right to Correction and Erasure: Individuals may correct inaccurate or incomplete data and request erasure of data that is no longer required for the purpose it was collected.
Right to Grievance Redressal: Individuals have the right to use readily available means to register a grievance with a data fiduciary.
Right to Nominate: Individuals may nominate another person to exercise these rights in the event of their death or incapacity.
While these rights represent a meaningful step toward individual empowerment, they operate within a framework that, as discussed below, may simultaneously weaken access to information in the public sphere.
The RTI Amendment: A Quiet but Significant Change
One of the most debated aspects of the DPDP Act is its amendment to Section 8(1)(j) of the RTI Act. The Act’s broad privacy exemptions, combined with the absence of clear guidelines on balancing RTI disclosures, create legal uncertainties.[9]
Earlier, authorities could deny access to personal information, but only under certain conditions. Crucially, even if the information was personal in nature, it could still be disclosed if there was a larger public interest involved. The amendment removes this safeguard entirely.
Now, information can be denied simply because it is “personal,” without any requirement to examine whether its disclosure might serve a public purpose. At first, this might appear to strengthen privacy protection. But the more carefully one examines it, the more concerns begin to emerge.
For instance, much of the information about public officials, government decisions, or the allocation of resources may be linked to individuals. If all such information is treated as exempt, it becomes considerably harder to access details that are necessary for accountability. This is not merely a theoretical concern. In practice, it could affect journalists, researchers, and ordinary citizens trying to understand how decisions are made.
Does This Affect the Right to Know?
It probably does. The right to information is not explicitly mentioned in the Constitution, but it has been read into Article 19(1)(a) by the courts. Without access to information, freedom of speech loses much of its meaning. People cannot form opinions or engage in public debate if they do not know what is happening.
The amendment, by making it easier to deny information, indirectly restricts this right. Restrictions are, of course, permissible under Article 19(2). But they must be reasonable. A broad and undefined restriction, without any mechanism to consider public interest, does not easily satisfy that requirement. This legislative development raises a profound constitutional question: can privacy be so broadly protected that it undermines transparency and the citizen’s right to know?[10]
In S.P. Gupta v. Union of India,[11] Justice Bhagwati described open government as the new democratic culture of the day, which paved the way for the right to know to be formally recognised by law. These cases created the constitutional foundation for the RTI Act and made transparency a part of India’s democratic fabric.
Privacy Matters, But How Much?
It would be incorrect to argue that privacy should not be protected. In fact, the recognition of privacy as a fundamental right in Puttaswamy was a significant step forward.
But the judgment also made something else clear: privacy cannot be treated as absolute. It must be balanced against other rights. In S. Muthumalai v. CPIO,[12] the Central Information Commission clarified that Section 8(1)(j) of the RTI Act, which protects third-party personal information from disclosure, can only be applied if the information is genuinely private, has no public interest relevance, and would cause an unwarranted invasion of privacy.[13]
The current framework of the DPDP Act, at least in relation to RTI, does not appear to fully reflect this idea of balance. By removing the public interest test, it leans strongly in one direction.
The Proportionality Problem
The proportionality test, as laid down in Puttaswamy, requires that restrictions on rights should not be excessive. They must be necessary, and less restrictive alternatives must not be available.
In this case, it is difficult to see why the public interest safeguard had to be removed entirely. It could have been retained, perhaps with clearer guidelines to prevent misuse. Instead, the amendment takes a more rigid approach. And that is where the problem lies.
The issue is not that privacy is being protected. The issue is that it is being protected in a way that may unnecessarily weaken transparency.
Concerns about State Power
Another aspect that deserves attention is the extent of the powers granted to the State under the DPDP Act. The law allows data to be processed for purposes such as national security and law enforcement. This is not unusual; most countries have similar provisions.
However, the safeguards here appear somewhat limited. There is insufficient clarity on how these powers will be exercised or what checks will be in place. This creates a possibility (not immediate, but certainly real) of misuse. In a digital environment, where data can reveal a great deal about individuals, this concern becomes especially important.
Institutional Concerns
The Data Protection Board is intended to function as a regulatory authority under the Act, and as such a body should function independently. However, concerns have been raised about the appointment process and the level of control exercised by the executive. If the Board is not sufficiently independent, its ability to act as an effective regulator may be limited.
This is not merely a technical issue. It goes to the heart of how accountability mechanisms function.
Conclusion
The Digital Personal Data Protection Act, 2023 is an important piece of legislation, and its objective is not in question. Protecting personal data is necessary, especially in a digital age.
However, the way the law has been structured raises legitimate concerns. The amendment to the RTI Act appears to shift the balance away from transparency, and the limited safeguards around state power and institutional independence compound this concern.
The ongoing case of Venkatesh Nayak v. Union of India[14] provides an opportunity for the Supreme Court to examine these issues more closely. The challenge, ultimately, is not to choose between the two rights, but to find a way to protect both. That is not easy, but it is essential for a functioning democracy.
References
[1] R. Varshini, Government Law College, Vellore, Tamil Nadu (Affiliated to DLS-TNDALU, Chennai).
[2] Venkatesh Nayak v. Union of India, W.P.(C) No. 177/2026 (India).Â
[3] International Covenant on Civil and Political Rights, art. 19(2), opened for signature Dec. 16, 1966, 999 U.N.T.S. 171 (entered into force Mar. 23, 1976).
[4] State of Uttar Pradesh v. Raj Narain, 1975 AIR 865 (India).
[5] S.P. Gupta v. Union of India, 1982 AIR 149 (India).
[6] K.S. Puttaswamy v. Union of India, AIR 2018 SC (Supp) 1841 (India).
[7] The Right to Information Act, 2005, s. 8(1)(j): “information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information.”
[8] Oral observations of the Delhi High Court in a 2024 hearing regarding Section 44(3), Digital Personal Data Protection Act, 2023, as cited in: The Transparency-Privacy Paradox in India: A Critical Examination of the Digital Personal Data Protection Act, 2023 and Its Impact on the Right to Information Act, 2005, IJIRL (2025), available at https://ijirl.com/wp-content/uploads/2025/10/THE-TRANSPARENCY-PRIVACY-PARADOX-IN-INDIA-A-CRITICAL-EXAMINATION-OF-THE-DIGITAL-PERSONAL-DATA-PROTECTION-ACT-2023-AND-ITS-IMPACT-ON-THE-RIGHT-TO-INFORMATION-ACT-2005.pdf
[9] Dr. Pradip Kumar Kashyap, “Digital Personal Data Protection Act, 2023: A New Light into the Data Protection and Privacy Law in India,” 2 ICREP Journal of Interdisciplinary Studies (2023).
[10] Tal Z. Zarsky, “Thinking Outside the Box: Considering Transparency, Anonymity, and Pseudonymity as Overall Solutions to the Problems of Information Privacy in the Internet Society,” 58 U. Miami L. Rev. 991 (2003).
[11] S.P. Gupta v. Union of India, (1981) 1 SCC 87 (India).
[12] S. Muthumalai v. CPIO, CIC/SH/A/2016/000934 (India).
[13] Revisiting Right to Information in India: Is the DPDP Act Counterproductive to the RTI Act?, available at https://pure.jgu.edu.in/id/eprint/9882/1/ohrh.law.ox.ac.uk-Revisiting%20Right%20to%20Information%20in
[14] Venkatesh Nayak v. Union of India, W.P.(C) No. 177/2026 (India).
