Supreme Court's Inquiry into Personal Data Definitions in DPDP Laws
Digital Personal Data Protection (DPDP) Act, 2023: Privacy vs Right to Information
In the digital age, data has become one of the most valuable resources in the world. Governments, corporations, and digital platforms collect vast amounts of personal information, making data protection a major public policy concern. Recognising this, India enacted the Digital Personal Data Protection (DPDP) Act, 2023 to regulate the collection, storage, and processing of personal data.
However, the implementation of the law has triggered a major constitutional debate. Critics argue that certain provisions may weaken transparency mechanisms such as the Right to Information (RTI) and restrict access to information about public officials. The **Supreme Court of India is currently examining whether the Act strikes the right balance between privacy rights and democratic accountability.
As Justice D.Y. Chandrachud observed in the landmark Justice K.S. Puttaswamy v. Union of India:
“Privacy is the constitutional core of human dignity.”
The challenge today lies in ensuring that privacy protection does not undermine transparency in governance.
Background: Emergence of Data Protection Laws in India
India’s data protection framework evolved gradually in response to rapid digitalisation.
| Year | Development |
|---|---|
| 2017 | Supreme Court recognises Right to Privacy as a fundamental right |
| 2023 | Parliament passes Digital Personal Data Protection Act |
| 2025 | Digital Personal Data Protection Rules notified |
These developments reflect India's effort to create a comprehensive data governance framework.
Key Concepts Under the DPDP Act
The Act introduces several concepts to regulate personal data.
| Term | Meaning |
|---|---|
| Data Principal | Individual whose data is collected |
| Data Fiduciary | Entity processing the data |
| Personal Data | Information identifying an individual |
| Data Protection Board | Regulatory authority under the Act |
The law primarily aims to protect individuals from misuse of their personal information.
The Current Constitutional Debate
The Supreme Court is examining a key question:
What constitutes “personal data” and what should be treated as “public information”?
This question is particularly important when information concerns public officials and government functioning.
The petition challenging the law argues that the DPDP framework may restrict journalists and citizens from accessing data that is necessary for public accountability.
Concern: Impact on the Right to Information
One controversial provision is Section 44(3) of the Act, which limits disclosure of personal information through the RTI mechanism.
Comparison: RTI Framework vs DPDP Framework
| Aspect | Right to Information Act | DPDP Act |
|---|---|---|
| Purpose | Transparency and accountability | Privacy protection |
| Public interest test | Allowed disclosure in public interest | Public interest reference removed |
| Access to personal information | Possible under certain conditions | Restricted |
The removal of the “public interest” test raises concerns about reduced transparency.
Journalism and Public Accountability
Journalists often require access to personal information about public officials to investigate corruption or misuse of power.
Examples of Public Interest Data
| Information Type | Importance |
|---|---|
| Asset declarations of politicians | Detect corruption |
| Public office appointments | Ensure accountability |
| Conflict of interest disclosures | Prevent misuse of authority |
Restricting access to such information could potentially weaken investigative journalism.
Concerns About State Surveillance
Critics also argue that the law gives broad powers to the government.
| Issue | Explanation |
|---|---|
| Government exemptions | State agencies may bypass certain restrictions |
| Public order justification | Broad categories for data access |
| Executive influence | Data regulator linked to government |
These provisions have raised questions about whether the Act adequately protects citizens from state surveillance.
Compensation and Accountability Issues
The DPDP Act adopts a penalty-based framework for violations.
| Provision | Outcome |
|---|---|
| Monetary penalties | Paid to government treasury |
| Compensation to victims | Not explicitly provided |
This creates a situation where individuals whose privacy is violated may not receive direct compensation.
Global Comparison: Data Protection Frameworks
India’s data protection law can be compared with international models.
| Region | Law | Key Feature |
|---|---|---|
| European Union | GDPR | Strong user rights and compensation |
| United States | Sectoral data laws | Limited federal framework |
| India | DPDP Act | Centralised regulatory model |
The European Union’s GDPR is often seen as the most comprehensive data protection framework.
Concept of Data Sovereignty
The debate around the DPDP Act also touches upon data sovereignty, which refers to a nation’s authority over data generated within its territory.
| Dimension | Significance |
|---|---|
| National security | Control over sensitive data |
| Economic value | Data as a strategic resource |
| Digital governance | Regulation of global technology firms |
In the digital economy, data is increasingly described as “the new oil” due to its immense economic and strategic value.
Balancing Privacy and Transparency
The Supreme Court has emphasised the need to strike a balance between two important democratic values:
| Right | Importance |
|---|---|
| Right to Privacy | Protects individual dignity and personal autonomy |
| Right to Information | Ensures transparency and accountability in governance |
Both rights are crucial in a constitutional democracy.
Way Forward
India’s data protection regime must evolve in a manner that safeguards individual privacy while preserving the transparency necessary for democratic governance. Clear definitions of “personal data” and “public data,” independent regulatory oversight, and safeguards for journalistic access to information in public interest will be essential.
Conclusion
The debate over the Digital Personal Data Protection Act reflects the broader challenge of governing the digital age. While protecting personal data is essential in an era of widespread digital surveillance, excessive restrictions could undermine transparency and democratic accountability.
As former UN Secretary-General Kofi Annan observed:
“Knowledge is power. Information is liberating.”
India’s challenge will be to ensure that data protection strengthens citizens’ rights without weakening the democratic flow of information.
Attribution
Original content sources and authors
Syllabus classification
How this article maps to GS papers
Main syllabus
GS2Accountable GovernanceQuick Q&A
What is the Digital Personal Data Protection (DPDP) Act, 2023, and what are its key objectives in India’s data governance framework?
The DPDP Act is built on the principle that individuals, referred to as “data principals”, should have control over how their personal data is used. Entities that collect or process such data, known as “data fiduciaries”, must adhere to certain obligations such as obtaining consent, ensuring data security, and limiting the use of personal data to specified purposes. The law also establishes a Data Protection Board of India to regulate compliance and impose penalties in cases of violations.
Key objectives of the DPDP Act include:
- Protecting the privacy rights of individuals in the digital ecosystem.
- Regulating data processing activities by companies and government entities.
- Ensuring accountability and transparency in data handling.
- Facilitating digital innovation while maintaining safeguards.
However, the Act has also generated debate regarding its potential impact on transparency, freedom of the press, and the Right to Information (RTI). Critics argue that certain provisions—particularly restrictions on disclosure of personal information—may limit access to data that is necessary for public accountability. As a result, the Supreme Court is currently examining how to balance privacy protection with democratic transparency under the law.
Why has the Supreme Court decided to examine the distinction between ‘personal data’ and ‘public data’ under the DPDP Act?
One specific concern relates to Section 44(3) of the DPDP Act, which imposes restrictions on the disclosure of personal information through RTI requests. Critics argue that the removal of the term “public interest” from certain provisions may effectively block journalists, researchers, and civil society groups from accessing information about individuals who hold public office. Such restrictions could undermine democratic accountability and limit investigative journalism.
The Supreme Court’s intervention seeks to clarify several key issues:
- What types of information should be classified as personal data.
- When data relating to public officials should be considered public information.
- How to balance privacy rights with transparency obligations.
The Court has emphasised that neither privacy nor the right to information should completely override the other. In a democratic society, citizens have both the right to protect their personal data and the right to access information about governance and public institutions. The outcome of this case is therefore likely to shape the future relationship between data protection laws and transparency mechanisms in India.
How might the DPDP Act affect the functioning of the Right to Information (RTI) regime in India?
Under the DPDP framework, however, certain categories of personal information may be exempt from disclosure even if they are held by public institutions. Critics argue that the Act may allow authorities to reject RTI requests more easily by invoking privacy concerns. This could potentially reduce the ability of journalists and activists to obtain information about public officials or government decision-making processes.
Potential impacts on the RTI regime include:
- Increased rejection of RTI applications citing data privacy provisions.
- Reduced transparency regarding public officials’ activities.
- Constraints on investigative journalism and public interest reporting.
At the same time, supporters of the DPDP Act argue that personal data protection is essential in an era where large volumes of digital information are collected and processed. They contend that stronger privacy safeguards are necessary to prevent misuse of personal information.
The challenge, therefore, lies in designing a framework that ensures privacy protection without weakening transparency mechanisms. The Supreme Court’s ongoing examination of the DPDP Act may help clarify how these two important democratic rights—privacy and access to information—can coexist in India’s legal system.
Critically analyse the concerns that the DPDP Act may enable excessive state surveillance and weaken democratic accountability.
One major concern is that the Act allows the government to exempt itself from certain restrictions on data processing under broad categories such as “public order,” “national security,” or “sovereignty of India.” Because these terms are not narrowly defined, there is a risk that they could be interpreted expansively, enabling extensive monitoring of individuals’ digital activities. This could potentially undermine the right to privacy, which was recognised as a fundamental right by the Supreme Court in the Puttaswamy judgment (2017).
Key criticisms raised by civil society groups include:
- Structural dependence of the Data Protection Board on the executive branch.
- Limited judicial oversight over government data collection.
- Broad exemptions for state surveillance activities.
However, supporters argue that governments require certain data access powers to ensure national security, maintain public order, and deliver public services effectively. The challenge lies in establishing adequate checks and balances so that such powers are not misused.
In this context, the Supreme Court’s review of the DPDP Act could play a crucial role in ensuring that India’s data protection framework remains consistent with constitutional principles of privacy, transparency, and accountability.
Why is the issue of compensation for data breaches a significant concern under the DPDP Act?
This approach has raised concerns because data breaches can cause significant harm to individuals, including identity theft, financial fraud, reputational damage, and emotional distress. Without a clear provision for compensation, victims may have limited avenues for seeking redress or restitution for these harms.
Key issues highlighted by critics include:
- The absence of a direct compensation mechanism for affected individuals.
- The possibility that penalties may not translate into meaningful relief for victims.
- The need for stronger consumer protection mechanisms in the digital economy.
International data protection frameworks, such as the European Union’s General Data Protection Regulation (GDPR), provide individuals with the right to seek compensation for damages resulting from data breaches. Many experts argue that India’s data protection law should incorporate similar provisions to strengthen accountability.
Ensuring effective compensation mechanisms is important not only for protecting individual rights but also for incentivising organisations to adopt stronger cybersecurity practices. Addressing this issue could help enhance public trust in India’s evolving digital governance framework.
How does the debate around the DPDP Act illustrate the broader challenge of balancing privacy, transparency, and data sovereignty in the digital age?
Privacy advocates argue that strong data protection laws are necessary to safeguard individuals from misuse of their personal information by corporations and governments. In a digital economy where vast amounts of personal data are collected through social media platforms, financial systems, and online services, robust privacy protections are crucial to preserving citizens’ rights.
At the same time, transparency advocates stress that democratic accountability requires access to information about government actions and public officials. Journalists often rely on such information to investigate corruption, policy failures, or conflicts of interest. Restricting access to data under the guise of privacy could weaken the role of the media as the “fourth pillar of democracy.”
The issue is further complicated by the concept of data sovereignty:
- Countries seek to ensure that sensitive data is governed by domestic laws.
- Governments aim to regulate the activities of global technology companies.
- Citizens demand strong protections against surveillance and misuse of data.
The DPDP Act represents India’s attempt to navigate these competing priorities. The Supreme Court’s review of the law is therefore likely to shape the evolving balance between privacy rights, freedom of information, and national data governance in the world’s largest democracy.
Practice questions
1 question for mains preparation