Privacy vs. Transparency: The Constitutional Dilemma of India’s DPDP Act

India’s DPDP Act was introduced as a modern shield for an individual’s data in the digital age. The act spells out how businesses, companies and government bodies must handle personal data of individuals. The DPDP Act further gives regulators teeth to penalise misuse of such personal data for any non-compliance with the DPDP Act. But soon, the law has been challenged before the Supreme Court in the form of public interest petitions that raise a simple but profound question: Can privacy protection accidentally become a tool for secrecy?

At the heart of the challenge is the Right to Information Act, 2005 (“RTI Act”) which has been a cornerstone of Indian democracy. The RTI Act allows any Indian citizen to request information from a public authority regarding records and documents, data and statistics, official memo/ communications, certified copies of documents, samples and models, right to inspect files, rationale behind various decisions of a department, and other information to be published suo motu. The RTI Act also allows citizens of India to hold authorities accountable for breach of their duty to produce the documents or information requested by the applicant. 

The petitioners of the case argue that the DPDP Act, especially section 44(3), quietly changes how the RTI Act treats “personal information.” Under the original framework of the RTI Act, personal information was protected but not untouchable. Section 8(1)(j) of the RTI Act exempted personal information from disclosure, unless the applicant could prove a larger public interest. Further, information which could not be denied to the Parliament or a State Legislature was also not to be denied to any person. Public Information Officers (PIOs) and Courts often performed a balancing test, weighing the "privacy of the individual" against the "right of the citizen to know." In many cases, details of government officials' assets or educational qualifications were disclosed because they were deemed relevant to public accountability.

In the current framework, section 44(3) of the DPDPA 2023 directly amends the RTI Act, fundamentally changing section 8(1)(j). The amendment removes the "public interest" exception. Now, any information that relates to personal data is strictly exempt from disclosure. Further, the proviso that linked disclosure to what Parliament could see has also been deleted. Accordingly, if a document contains "personal data" (as defined broadly by the DPDPA), the PIO now has a statutory obligation to deny the request, regardless of how important the information might be for social audits or transparency. 

Legal luminaries and RTI activists also raise concerns that the law may affect press freedom and could be leveraged to deny access to information that exposes corruption, policy failures, or misuse of public funds. In other words, the law may let “privacy” become a blanket justification to withhold information that otherwise should be available under the RTI Act. If authorities can routinely turn down information access requests on “privacy” grounds, it becomes harder to track how public money is spent, how officials accumulate assets, or how policies actually work on the ground. The petitioners argue that the change to the RTI Act is too broad and risk becoming arbitrary, which may potentially violate Articles 14 (equality), 19(1)(a) (free speech and information) and 21 (life and liberty) of the Constitution of India.

Beyond the RTI issue, the case also touches on how the state itself can access data. Section 36 of the DPDP Act allows the Union government to require intermediaries and data fiduciaries to furnish information when needed, while Rule 23(2) lets them keep it secret from the individual if disclosure might affect “sovereignty and integrity of India” or “security of the State.” The petitioners argue that this lacks clear statutory guidance and could be used to collect data without sufficient checks. The petitioners also flag the appointment of the Chairperson and other members of the Data Protection Board of India (“DPBI”), arguing that the executive dominated search cum selection committee set up for the appointment may disrupt the separation of powers by weakening the DPBI ‘s independence.

Practically, for businesses, banks, and public bodies, this means the DPDP Act is not just a “tick box” compliance issue. Depending on how the Supreme Court decides to balance DPDP and RTI, businesses might need to:

The key takeaway is that while the Supreme Court has refused to stay the implementation of the DPDP Act at this stage, it has recognized the gravity of the constitutional questions challenged by the PIL and has referred the matter to a larger bench. The case is currently part of a cluster of petitions being heard in March 2026. When the final judgment is pronounced, it could provide clearer guidance on how privacy and transparency should coexist within the same ecosystem, lead to adjustments in how government departments and companies handle information requests and data based disclosures, and send a stronger signal that any restriction on the right to know must be narrow, necessary, and proportionate.