By Amit Upadhyay and Abhinav Mehrotra
India’s digital transition in recent decades has led to a blurring of boundaries between the public and private, with calls for increased privacy protection amidst the need for transparency and accountability.
As digital governance continues to expand, personal data is becoming central to state and corporate functions. This has given rise to various legal and constitutional questions that have arisen around preserving individual privacy without weakening public accountability.
To ensure the integrity and protection of personal data, the government is required to frame laws allowing individuals to protect their rights while allowing them access to various services such as healthcare, banking, education and digital platforms offered by the public and private sectors.
However, in April, Indian opposition parties cried foul over the 2023 Digital Personal Data Protection Act (DPDP), seeking the repeal of a particular provision – Section 44(3) – claiming that it infringed on the Right to Information Act.
The opposition’s contention was that the “surreptitious” passing of the Act in 2023 could potentially adversely impact press freedom and citizens’ right to information.
Personal data protection in India has been shaped by recent legislative developments.
The enactment of the DPDP Act was an essential step in this direction as it established a comprehensive framework for data privacy. The law provides individuals the right to protect their personal data, with the necessity of using such data for lawful purposes such as governance, business operations, or for public interest including issuance of Aadhaar, subsidies, pensions etc.
The DPDP Act introduced several rights for individuals, which empowers them in the digital age. By exercising these rights, people can request access to personal data held by data fiduciaries such as banks, telecom companies, e-commerce platforms, healthcare providers, educational institutions and government departments.
People can seek correction or erasure of data no longer necessary for the purpose it was collected. For example, customers can request correction or deletion of old data when mobile service providers continue to retain outdated address information.
They also have the right to grievance redressal related to their personal data processing. In the event an e-commerce platform shares a user’s personal data with third-party advertisers without consent, the customer can raise a grievance with the platform’s data protection officer or escalate it to the data protection board.
Additionally, the Act mandates that consent by the individual, known as the Data Principal, for data processing must be freely given, and must be specific, informed and unambiguous. It also establishes the Data Protection Board of India to oversee compliance and adjudicate disputes.
The DPDP Act, India’s first comprehensive law exclusively focused on personal data protection, is in line with global privacy frameworks such as the European Union’s General Data Protection Regulation (GDPR) which governs how personal data of individuals in the EU can be processed and transferred.
It aims to protect individuals’ fundamental rights in the digital age and create a unified framework for data protection. The GDPR applies to organisations that process personal data of individuals, irrespective of where the organisations are located. The DPDP Act applies to all entities – public and private – processing digital personal data within and outside India while offering goods and services.
Draft rules
Even though the DPDP Act received presidential assent in August 2023, it is yet to be fully executed. The Ministry of Electronics and Information Technology (MeitY) released draft rules under the Act in January 2025, inviting public comments until February 18, 2025.
These rules aim to explain the Act’s operational aspects, including data fiduciary obligations such as ensuring lawful processing, obtaining valid consent, maintaining data security and providing grievance redressal mechanism. Similarly, data principal rights such as the right to access, correction, erasure of personal data, withdrawal of consent and seeking redressal for grievances are stated in the Act.
Consequently, the issue that triggered concerns was the DPDP Act’s emphasis on personal data protection in matters of public concern, such as government transparency, public accountability, and access to information, and its potential impact on the RTI Act.
Since the RTI Act promotes transparency by allowing citizens to access information under the control of public authorities, it is the cornerstone of Indian democracy.
However, the DPDP Act’s provisions could limit access to personal data held by public bodies, potentially hindering transparency and accountability under RTI Act’s Section 8(1) (j). This exempts sharing personal information if it unfairly invades someone’s privacy, unless the officer-in-charge decides that the public’s right to know is more important.
It is being argued by opposition parties that the DPDP Act may override the RTI Act in cases where personal data is involved, even when public interest is at stake, thereby restricting information that was previously accessible.
This tension highlights the need for a nuanced approach that balances individual privacy rights with the public’s right to information.
Both privacy and transparency are fundamental rights under the Indian Constitution – privacy under Article 21 (Right to Life and Personal Liberty) and transparency under Article 19(1)(a) (Freedom of Speech and Expression). In a landmark case in 2017, the Supreme Court affirmed privacy as a constitutional right but balanced it against legitimate public interest.
The judgement declared that the right to privacy is part of the fundamental right to life, with the right to informational privacy being an integral part.
However, it did not describe the specific elements of the right to informational privacy or lay down particular mechanisms through which this right was to be protected in India.
Dilution of transparency?
After the Supreme Court’s 2017 judgement, public authorities and the judiciary have leaned heavily on privacy to deny information, sometimes even about public servants, raising concerns about the dilution of transparency.
In 2019, the Supreme Court upheld that RTI would be applied to constitutional functionaries such as the president, vice-president, prime minister and governors, but emphasised proportionality and necessity in determining disclosure.
As people discuss how the DPDP Act and the RTI Act work together, there are worries that the former weakens the latter. This is because Section 44 (3) of the DPDP Act dilutes Section 8(1)(j) of the RTI Act, which lets personal information be shared when public interest is strong enough to justify it.
As the DPDP Act’s rules stand finalised, it will be crucial to observe how these concerns are addressed to ensure both privacy and right to information are upheld. The state must carry out legal literacy campaigns educating citizens about their dual rights to access public information while protecting their personal data.
In a fast-changing technological landscape, there is a need to create user-friendly grievance portals and clear guidelines. Civil society organisations can help bridge the access gap posed by the digital divide.
The Supreme Court should also lay down a clear doctrine on when one right must yield to another, especially in the digital age, given the growing conflict between data privacy and transparency. Privacy and transparency are not mutually exclusive but mutually reinforcing pillars of a democratic society.
The challenge lies in building a legal architecture where citizens can safeguard their personal data and also hold power to account. This will shape the contours of public trust, digital rights and constitutional governance for decades.
The DPDP Act was shaped to protect personal privacy in India. However, its rigid approach may erode the RTI Act’s transparency mechanisms.
As India implements the DPDP Act, it must ensure a balanced legislative or judicial clarification to uphold both the right to privacy and citizen’s right to information.
Amit Upadhyay is an Associate Professor, Jindal Global Law School, O.P. Jindal Global University, Sonipat, Haryana.
Abhinav Mehrotra is an Associate Professor, Jindal Global Law School, O.P. Jindal Global University, Sonipat, Haryana.
Originally published under Creative Commons by 360info™.
