GS2 Accountable Governance

Supreme Court to examine ‘personal data’ definition under the DPDP Act
Supreme Court to examine ‘personal data’ definition under the DPDP Act

Supreme Court's Inquiry into Personal Data Definitions in DPDP Laws

The Supreme Court examines how DPDP laws may compromise citizens' rights and journalists' access to public data.
Gopi
4 mins read

Digital Personal Data Protection (DPDP) Act, 2023: Privacy vs Right to Information

In the digital age, data has become one of the most valuable resources in the world. Governments, corporations, and digital platforms collect vast amounts of personal information, making data protection a major public policy concern. Recognising this, India enacted the Digital Personal Data Protection (DPDP) Act, 2023 to regulate the collection, storage, and processing of personal data.

However, the implementation of the law has triggered a major constitutional debate. Critics argue that certain provisions may weaken transparency mechanisms such as the Right to Information (RTI) and restrict access to information about public officials. The **Supreme Court of India is currently examining whether the Act strikes the right balance between privacy rights and democratic accountability.

As Justice D.Y. Chandrachud observed in the landmark Justice K.S. Puttaswamy v. Union of India:

“Privacy is the constitutional core of human dignity.”

The challenge today lies in ensuring that privacy protection does not undermine transparency in governance.


Background: Emergence of Data Protection Laws in India

India’s data protection framework evolved gradually in response to rapid digitalisation.

YearDevelopment
2017Supreme Court recognises Right to Privacy as a fundamental right
2023Parliament passes Digital Personal Data Protection Act
2025Digital Personal Data Protection Rules notified

These developments reflect India's effort to create a comprehensive data governance framework.


Key Concepts Under the DPDP Act

The Act introduces several concepts to regulate personal data.

TermMeaning
Data PrincipalIndividual whose data is collected
Data FiduciaryEntity processing the data
Personal DataInformation identifying an individual
Data Protection BoardRegulatory authority under the Act

The law primarily aims to protect individuals from misuse of their personal information.


The Current Constitutional Debate

The Supreme Court is examining a key question:

What constitutes “personal data” and what should be treated as “public information”?

This question is particularly important when information concerns public officials and government functioning.

The petition challenging the law argues that the DPDP framework may restrict journalists and citizens from accessing data that is necessary for public accountability.


Concern: Impact on the Right to Information

One controversial provision is Section 44(3) of the Act, which limits disclosure of personal information through the RTI mechanism.

Comparison: RTI Framework vs DPDP Framework

AspectRight to Information ActDPDP Act
PurposeTransparency and accountabilityPrivacy protection
Public interest testAllowed disclosure in public interestPublic interest reference removed
Access to personal informationPossible under certain conditionsRestricted

The removal of the “public interest” test raises concerns about reduced transparency.


Journalism and Public Accountability

Journalists often require access to personal information about public officials to investigate corruption or misuse of power.

Examples of Public Interest Data

Information TypeImportance
Asset declarations of politiciansDetect corruption
Public office appointmentsEnsure accountability
Conflict of interest disclosuresPrevent misuse of authority

Restricting access to such information could potentially weaken investigative journalism.


Concerns About State Surveillance

Critics also argue that the law gives broad powers to the government.

IssueExplanation
Government exemptionsState agencies may bypass certain restrictions
Public order justificationBroad categories for data access
Executive influenceData regulator linked to government

These provisions have raised questions about whether the Act adequately protects citizens from state surveillance.


Compensation and Accountability Issues

The DPDP Act adopts a penalty-based framework for violations.

ProvisionOutcome
Monetary penaltiesPaid to government treasury
Compensation to victimsNot explicitly provided

This creates a situation where individuals whose privacy is violated may not receive direct compensation.


Global Comparison: Data Protection Frameworks

India’s data protection law can be compared with international models.

RegionLawKey Feature
European UnionGDPRStrong user rights and compensation
United StatesSectoral data lawsLimited federal framework
IndiaDPDP ActCentralised regulatory model

The European Union’s GDPR is often seen as the most comprehensive data protection framework.


Concept of Data Sovereignty

The debate around the DPDP Act also touches upon data sovereignty, which refers to a nation’s authority over data generated within its territory.

DimensionSignificance
National securityControl over sensitive data
Economic valueData as a strategic resource
Digital governanceRegulation of global technology firms

In the digital economy, data is increasingly described as “the new oil” due to its immense economic and strategic value.


Balancing Privacy and Transparency

The Supreme Court has emphasised the need to strike a balance between two important democratic values:

RightImportance
Right to PrivacyProtects individual dignity and personal autonomy
Right to InformationEnsures transparency and accountability in governance

Both rights are crucial in a constitutional democracy.


Way Forward

India’s data protection regime must evolve in a manner that safeguards individual privacy while preserving the transparency necessary for democratic governance. Clear definitions of “personal data” and “public data,” independent regulatory oversight, and safeguards for journalistic access to information in public interest will be essential.


Conclusion

The debate over the Digital Personal Data Protection Act reflects the broader challenge of governing the digital age. While protecting personal data is essential in an era of widespread digital surveillance, excessive restrictions could undermine transparency and democratic accountability.

As former UN Secretary-General Kofi Annan observed:

“Knowledge is power. Information is liberating.”

India’s challenge will be to ensure that data protection strengthens citizens’ rights without weakening the democratic flow of information.

Attribution

Original content sources and authors

Author Krishnadas Rajagopal Source The Hindu

Syllabus classification

How this article maps to GS papers

Main syllabus

GS2Accountable Governance

Quick Q&A

What is the Digital Personal Data Protection (DPDP) Act, 2023, and what are its key objectives in India’s data governance framework?
The Digital Personal Data Protection (DPDP) Act, 2023 is India’s primary legislation governing the collection, processing, storage, and protection of personal data in the digital environment. The Act aims to create a legal framework that safeguards individuals’ personal data while enabling lawful data processing for legitimate purposes such as governance, innovation, and digital commerce.

The DPDP Act is built on the principle that individuals, referred to as “data principals”, should have control over how their personal data is used. Entities that collect or process such data, known as “data fiduciaries”, must adhere to certain obligations such as obtaining consent, ensuring data security, and limiting the use of personal data to specified purposes. The law also establishes a Data Protection Board of India to regulate compliance and impose penalties in cases of violations.

Key objectives of the DPDP Act include:
  • Protecting the privacy rights of individuals in the digital ecosystem.
  • Regulating data processing activities by companies and government entities.
  • Ensuring accountability and transparency in data handling.
  • Facilitating digital innovation while maintaining safeguards.

However, the Act has also generated debate regarding its potential impact on transparency, freedom of the press, and the Right to Information (RTI). Critics argue that certain provisions—particularly restrictions on disclosure of personal information—may limit access to data that is necessary for public accountability. As a result, the Supreme Court is currently examining how to balance privacy protection with democratic transparency under the law.
Why has the Supreme Court decided to examine the distinction between ‘personal data’ and ‘public data’ under the DPDP Act?
The Supreme Court has decided to examine the distinction between ‘personal data’ and ‘public data’ because ambiguities in the Digital Personal Data Protection (DPDP) Act, 2023 may have serious implications for transparency, journalism, and the Right to Information (RTI). Petitioners have argued that vague definitions in the law allow authorities to classify large amounts of information as personal data, thereby preventing its disclosure even when it is in the public interest.

One specific concern relates to Section 44(3) of the DPDP Act, which imposes restrictions on the disclosure of personal information through RTI requests. Critics argue that the removal of the term “public interest” from certain provisions may effectively block journalists, researchers, and civil society groups from accessing information about individuals who hold public office. Such restrictions could undermine democratic accountability and limit investigative journalism.

The Supreme Court’s intervention seeks to clarify several key issues:
  • What types of information should be classified as personal data.
  • When data relating to public officials should be considered public information.
  • How to balance privacy rights with transparency obligations.

The Court has emphasised that neither privacy nor the right to information should completely override the other. In a democratic society, citizens have both the right to protect their personal data and the right to access information about governance and public institutions. The outcome of this case is therefore likely to shape the future relationship between data protection laws and transparency mechanisms in India.
How might the DPDP Act affect the functioning of the Right to Information (RTI) regime in India?
The Digital Personal Data Protection (DPDP) Act could significantly influence the functioning of India’s Right to Information (RTI) regime because it introduces new restrictions on the disclosure of personal data. The RTI Act, enacted in 2005, has been a key instrument for promoting transparency and accountability in governance by enabling citizens to access information held by public authorities.

Under the DPDP framework, however, certain categories of personal information may be exempt from disclosure even if they are held by public institutions. Critics argue that the Act may allow authorities to reject RTI requests more easily by invoking privacy concerns. This could potentially reduce the ability of journalists and activists to obtain information about public officials or government decision-making processes.

Potential impacts on the RTI regime include:
  • Increased rejection of RTI applications citing data privacy provisions.
  • Reduced transparency regarding public officials’ activities.
  • Constraints on investigative journalism and public interest reporting.

At the same time, supporters of the DPDP Act argue that personal data protection is essential in an era where large volumes of digital information are collected and processed. They contend that stronger privacy safeguards are necessary to prevent misuse of personal information.

The challenge, therefore, lies in designing a framework that ensures privacy protection without weakening transparency mechanisms. The Supreme Court’s ongoing examination of the DPDP Act may help clarify how these two important democratic rights—privacy and access to information—can coexist in India’s legal system.
Critically analyse the concerns that the DPDP Act may enable excessive state surveillance and weaken democratic accountability.
Critics of the Digital Personal Data Protection (DPDP) Act argue that certain provisions of the law may inadvertently strengthen state surveillance and weaken democratic accountability. While the Act is designed to protect citizens’ personal data, some observers believe that the exemptions granted to government agencies could allow authorities to collect and process data without sufficient safeguards.

One major concern is that the Act allows the government to exempt itself from certain restrictions on data processing under broad categories such as “public order,” “national security,” or “sovereignty of India.” Because these terms are not narrowly defined, there is a risk that they could be interpreted expansively, enabling extensive monitoring of individuals’ digital activities. This could potentially undermine the right to privacy, which was recognised as a fundamental right by the Supreme Court in the Puttaswamy judgment (2017).

Key criticisms raised by civil society groups include:
  • Structural dependence of the Data Protection Board on the executive branch.
  • Limited judicial oversight over government data collection.
  • Broad exemptions for state surveillance activities.

However, supporters argue that governments require certain data access powers to ensure national security, maintain public order, and deliver public services effectively. The challenge lies in establishing adequate checks and balances so that such powers are not misused.

In this context, the Supreme Court’s review of the DPDP Act could play a crucial role in ensuring that India’s data protection framework remains consistent with constitutional principles of privacy, transparency, and accountability.
Why is the issue of compensation for data breaches a significant concern under the DPDP Act?
One of the major criticisms of the Digital Personal Data Protection (DPDP) Act relates to the absence of direct compensation mechanisms for individuals whose personal data has been misused or illegally accessed. While the Act establishes a system of penalties for organisations that violate data protection rules, these penalties are typically paid to the Consolidated Fund of India rather than to the affected individuals.

This approach has raised concerns because data breaches can cause significant harm to individuals, including identity theft, financial fraud, reputational damage, and emotional distress. Without a clear provision for compensation, victims may have limited avenues for seeking redress or restitution for these harms.

Key issues highlighted by critics include:
  • The absence of a direct compensation mechanism for affected individuals.
  • The possibility that penalties may not translate into meaningful relief for victims.
  • The need for stronger consumer protection mechanisms in the digital economy.

International data protection frameworks, such as the European Union’s General Data Protection Regulation (GDPR), provide individuals with the right to seek compensation for damages resulting from data breaches. Many experts argue that India’s data protection law should incorporate similar provisions to strengthen accountability.

Ensuring effective compensation mechanisms is important not only for protecting individual rights but also for incentivising organisations to adopt stronger cybersecurity practices. Addressing this issue could help enhance public trust in India’s evolving digital governance framework.
How does the debate around the DPDP Act illustrate the broader challenge of balancing privacy, transparency, and data sovereignty in the digital age?
The debate surrounding the Digital Personal Data Protection (DPDP) Act highlights the complex challenge of balancing three critical objectives in the digital era: individual privacy, democratic transparency, and national data sovereignty. Each of these goals is essential, yet prioritising one can sometimes conflict with the others.

Privacy advocates argue that strong data protection laws are necessary to safeguard individuals from misuse of their personal information by corporations and governments. In a digital economy where vast amounts of personal data are collected through social media platforms, financial systems, and online services, robust privacy protections are crucial to preserving citizens’ rights.

At the same time, transparency advocates stress that democratic accountability requires access to information about government actions and public officials. Journalists often rely on such information to investigate corruption, policy failures, or conflicts of interest. Restricting access to data under the guise of privacy could weaken the role of the media as the “fourth pillar of democracy.”

The issue is further complicated by the concept of data sovereignty:
  • Countries seek to ensure that sensitive data is governed by domestic laws.
  • Governments aim to regulate the activities of global technology companies.
  • Citizens demand strong protections against surveillance and misuse of data.

The DPDP Act represents India’s attempt to navigate these competing priorities. The Supreme Court’s review of the law is therefore likely to shape the evolving balance between privacy rights, freedom of information, and national data governance in the world’s largest democracy.

Practice questions

1 question for mains preparation

With the rise of digital governance, protecting personal data has become an important policy priority. However, concerns have emerged that data protection laws may restrict transparency and access to information. In the context of the Digital Personal Data Protection (DPDP) Act, 2023, examine the challenges in balancing the Right to Privacy and the Right to Information in India’s constitutional framework.

15 marks · 250 words · 8 mins