The Digital Personal Data Protection (DPDP) Act was passed in August 2023, but is still not yet active two years on. The draft Rules were released for public consultation in January 2025. These Rules are expected to be finalised and notified soon, as per media reports. While the legislative gap in data protection in India has long been glaring, especially in the context of increasing digitisation across sectors, whether this particular law genuinely protects an individual’s right to privacy – without simultaneously undermining the Right to Information (RTI) – remains deeply contested.

In particular, Section 44(3) of the DPDP Act has sparked concern. This provision effectively overrides Section 8(1)(j) of the RTI Act, which previously allowed for the disclosure of personal information if it served a larger public interest or was related to public activity. With the passage of the DPDP Act, such exceptions have been struck down. Now, the blanket bar on sharing any personal data – even where larger public interest or its connection to public activity is evident – has been widely seen as diluting the core of the RTI framework. What was once a carefully crafted exception to allow for transparency and accountability is now entirely curtailed under the rubric of privacy.

It is important to examine the kind of “personal information” that may fall under public interest, which citizens, activists, journalists and civil society organisations will now be unable to access once the Act and Rules come into full force. Numerous cases of corruption, particularly in public works such as infrastructure, roads and drains, have been unearthed through RTI applications revealing tender details, contract documents and the identities of individuals involved on both sides of the transaction. Such disclosures often expose conflicts of interest and political-business nexuses that underpin policy-making even in the social sector.

Also read: Full Text | Justice A.P Shah's Open Letter Seeking Repeal of Recent Amendments to RTI Act

For instance, in late 2007, around 30 Members of Parliament, across party lines, wrote to the Ministry of Human Resource Development at the behest of the Biscuit Manufacturers Welfare Association, proposing that mid‑day meals in schools be replaced with packaged biscuits. There was public outcry including demands for these MPs to clarify their associations with the companies concerned. In another instance, Commissioners (on Right to Food) appointed by the Supreme Court were able to show that contracts for supplying take-home rations to anganwadi centres in Maharashtra were awarded to entities labelled as Mahila Mandals but functioning as fronts for large corporate firms – based on information about the ownership and membership of Mahila Mandals. The Supreme Court subsequently directed that the tender process be redone. Under the DPDP Act, access to such information – on the grounds that it constitutes personal data – may now be blocked altogether. There is a very real danger that such efforts to capture public policy by private interests will be shielded under the pretext of privacy protection.

Beyond exposing large-scale scams, civil society organisations and activists routinely seek personal data to assist individuals in securing entitlements. For example, when an elderly widow suddenly stops receiving her pension without any notification, or when a household has waited for years to be added to the priority list under the National Food Security Act (NFSA) to obtain a ration card, the route to resolution often begins with checking the status of applications and beneficiary lists. This involves accessing details such as names, reasons for rejection and dates of application – all of which qualify as personal information. Based on this data, citizens can file appeals or complaints, and often secure the benefits they are entitled to.

Similarly, social audits conducted in partnership with local communities rely on cross-verifying official records with ground-level testimonies. These audits draw on publicly available lists of beneficiaries, wages paid, ration entitlements, pension disbursements and so on. The new DPDP regime, however, prohibits the sharing of such data unless explicit consent is obtained from each individual – something nearly impossible to operationalise in large-scale audits involving thousands of beneficiaries.

To be clear, there is no denying that a robust legal framework for protecting privacy is essential. In the absence of such protections, both rich and poor citizens face exposure to fraud, data theft and misuse. Personal data leakages – ranging from banking details to mobile numbers and identity documents – are rampant, and individuals are routinely subjected to financial scams, unsolicited marketing and phishing attacks. Often, data collected for one purpose – such as KYC verification or government scheme registration – finds its way into other hands without consent. There is also no institutional grievance redressal mechanism to address such misuse.

Also read: What Lies Beneath the PR Blitz on the New Data Protection Act?

Even state agencies collect data with minimal safeguards or informed consent. The use of facial recognition for accessing supplementary nutrition under the Integrated Child Development Services Scheme, or mandatory e-KYC for schemes such as old-age pensions and the public distribution system, involve the mass collection of biometric and demographic data without any clear accountability. In some instances, access to entitlements is denied simply because individuals refuse or fail to comply with these invasive requirements.

The DPDP Act, in theory, establishes strong penalties for violations. However, the enforcement mechanisms under the Act are opaque. The composition and functioning of the Data Protection Board – a body tasked with adjudicating complaints and imposing penalties – are entirely controlled by the Union government. There is no independent appointments process, no safeguards against arbitrary decision-making, and no clear procedure for appeals.

Moreover, there is a genuine worry that smaller civil society initiatives – such as grassroots surveys, independent research and community-based documentation efforts – will be priced out of existence. The compliance costs associated with data processing under the new framework, including consent management, data security audits and liability for breaches, are likely to be prohibitive for most non-profit and community-led groups. This will further tilt the balance in favour of large corporations and well-funded entities that can afford to navigate the legal complexities of the DPDP regime.

The fundamental question, then, is whether the DPDP Act manages to balance two equally important constitutional rights: the right to privacy and the right to information. These are not merely procedural or technical issues, but core questions of democratic accountability and citizen empowerment. Often, these two rights come into conflict. The critical test for any legal framework is to determine which right prevails when they do – and for whose benefit.

In its current form, the DPDP Act appears to lean heavily in favour of protecting the interests of the powerful – whether in the corporate sector or the government. It grants the government sweeping discretionary powers, including the ability to exempt entire categories of data processing from the provisions of the Act (under Section 17), without any obligation to lay out the principles guiding such exemptions. It allows the government to appoint members to the Data Protection Board without parliamentary oversight or public transparency. And most crucially, it alters the functioning of the RTI Act without debate by amendments to the original law, effectively bypassing the very spirit of participatory democracy that the RTI Act was meant to protect.

The debate around the DPDP Act is not merely about technical definitions of data fiduciaries or consent notices. It is a deeper political and constitutional question: does the law empower citizens, or does it shield the powerful?

Dipa Sinha is a development economist.

The Wire is now on WhatsApp. Follow our channel for sharp analysis and opinions on the latest developments.