Frontline: New Delhi: Saturday, 28 February 2026.
The DPDP Act tightens privacy rules, limiting RTI disclosures and raising questions about transparency, press freedom, and citizens’ ability to hold power to account.
Two decades ago, India
took a transformative step towards deepening its democratic foundations with
the enactment of the Right to Information (RTI) law, a piece of legislation
that empowered citizens to question authority, scrutinise decision-making, and
demand accountability from those in power. In 2025, as the nation marked 20
years of the landmark sunshine law, the government operationalised the Digital
Personal Data Protection (DPDP) Act, which made regressive amendments to the
RTI Act with the ostensible aim of protecting personal data and upholding
people’s right to privacy.
Both the right to information and the right to privacy have been upheld by the Supreme Court to be fundamental rights flowing from the Constitution under Article 19(1)(a) and Article 21, which guarantee the people the freedom of speech and expression and the right to life with dignity. The RTI Act, passed in 2005, included an explicit provision to balance people’s right to information with the right to privacy through an exemption clause under Section 8(1)(j). Personal information was exempt from disclosure if it had no relationship to any public activity or interest, or if information sought was such that it would cause an unwarranted invasion of privacy of an individual, unless the information officer was satisfied that there was a larger public interest that justified disclosure. The provision was the most often invoked exemption clause to deny information under the RTI Act.
The data protection law was similarly expected to harmonise both rights in a manner that preserved democratic accountability while protecting personal data from misuse. Instead, it amended Section 8(1)(j) of the RTI Act to exempt from disclosure all personal information, a move that has severely impaired people’s ability to access information needed to hold the powerful to account.
To effectively participate in a democracy and ensure accountability, citizens require access to personal information that identifies the individuals responsible for the exercise of power and the disbursal of public funds. This includes names of public officials involved in decision-making, information about their functioning, names, and particulars of contractors involved in public works, and names of officers who grant statutory clearances, licences, or environmental approvals.
Correspondence between various authorities and public officials, including the RBI Governor, the Election Commission of India (ECI), and the Finance Ministry, regarding the proposal to introduce the electoral bonds scheme was accessed under the RTI Act. The documents were instrumental in highlighting the objections expressed by the public authorities and officials regarding the proposed scheme and were relied upon by the Supreme Court in its landmark judgment striking down the anonymous electoral bonds.
Similarly, the Supreme Court has held that citizens have a right to know the names of wilful defaulters and details of the Non-Performing Assets of public sector banks. Democracies routinely ensure public disclosure of voters’ lists with names, addresses, and other personal data to enable public scrutiny and prevent electoral fraud. The ECI permits objections raised by people to voter list inclusions. Experience of the use of the RTI Act in India has shown that if people, especially the poor and marginalised, are to have any hope of obtaining the benefits of government schemes and welfare programmes, they must have access to relevant personal information. For instance, the Public Distribution System Control Order recognises the need for putting out the details of ration card holders and records of ration shops in the public domain to enable public scrutiny and monitoring. Beneficiary lists are published, read before Gram Sabhas and opened to objections. Social audits are also a statutory requirement under the National Food Security Act, the VB-G RAM G Act, and other legislations—each premised on the public availability of personal information.
In each of these contexts, the disclosure of personal information is not incidental but integral to ensuring transparency and accountability in the functioning of public authorities.
Though some disclosures of personal information that are explicitly mandated by statute will be protected under the DPDP Act, most transparency frameworks operate through executive guidelines and administrative practice rather than specific legislative prescription. The amendments, therefore, effectively impose a blanket prohibition on sharing personal data, without carving out space for public-interest disclosures that fall outside an explicit statutory mandate. Given the DPDP Act’s expansive definitional scope, onerous compliance obligations, and substantial monetary penalties—upto Rs.250 crore, which can be doubled—public authorities are likely to err heavily towards denial of information even where sharing information serves demonstrable public interest. This threatens a systemic rollback of proactive disclosure and social audit mechanisms that underpin participatory governance.
The amendment made by the data protection law to the RTI Act has also done away with an important proviso to Section 8(1) of the RTI Act, which stated that “information which cannot be denied to the Parliament or a State Legislature shall not be denied to any person”. This proviso acted as a built-in proportionality test within the RTI Act and served as a powerful democratic equaliser, recognising the need for ensuring accountability of public authorities towards citizens and not just elected representatives.
Threat to press freedom and whistleblowing
The DPDP Act will have a chilling impact on the freedom of the press as it does not provide any exemptions for accessing and processing of personal information by journalists, reporters, and media organisations. While the DPDP Act does not address journalists or their activities directly, under the law, any person or organisation who collects, processes, or publishes personal data will be classified as a data fiduciary and will be subject to various obligations, including providing notice and obtaining consent requirements that are undeniably onerous. Further, the law allows the Union government to call for information from any data fiduciary without adequate safeguards. Such arbitrary powers without adequate checks and balances pose a grave threat to peoples’ right to privacy and could be used to compromise journalistic confidentiality.
Media bodies, including the Editor’s Guild of India, the Press Club of India, and other press clubs, have flagged these dangers in the law, seeking a clear carve-out for personal information processed for journalistic purposes, as is the practice in other data protection regimes, including the European Union’s General Data Protection Regulation. However, the government has refused to make any changes to the law.
The DPDP also fails to provide any protection to whistleblowers, who in exposing corruption necessarily process personal data—names, financial transactions, correspondence, details of official conduct. With exposure to the full liability and penalty regime of the DPDP Act, the omission of protection creates a direct and unresolved conflict between the State’s stated commitment to combating corruption and the chilling effect now imposed on those who come forward with evidence of it.
Unchecked executive control
The DPDP Act not only curtails peoples’ right to information and press freedom, but also fails to provide a robust framework for preventing the misuse of personal data, including for financial fraud. Given that the government is the biggest data repository, an effective data protection law must not give wide discretionary powers to the government. The DPDP Act, unfortunately, empowers the executive to draft rules and notifications on a vast range of issues.
The Union government can exempt any government, or even a private sector entity, from the application of provisions of the law by merely issuing a notification. This potentially allows the government to arbitrarily exempt its cronies and government bodies, resulting in immense potential for violations of citizens’ privacy. The creation of a government-controlled Data Protection Board, empowered to impose fines up to Rs 250 crore—causes serious apprehensions of opening the law to potential misuse by the executive to target dissenting voices and political opposition.
Constitutional challenge
Several petitions have been filed in the Supreme Court challenging the constitutional validity of the DPDP Act. The National Campaign for People’s Right to Information, media outlet Reporter’s Collective, and RTI activists have challenged the amendments made to the RTI Act. The petitioners have also flagged the detrimental impact that the DPDP Act will have on press freedoms and the ability of journalists and whistleblowers to expose corruption and wrongdoing.
The bench led by the Chief Justice of India noted that the petitions raise significant constitutional questions and issued notice to the Union government. At its core, the challenge before the court is whether data protection can be used as a shield to insulate the exercise of power from public scrutiny. The verdict will determine not just the fate of the RTI Act, but the architecture of accountability in Indian democracy for years to come.
(Anjali Bhardwaj and Amrita Johri are transparency activists associated with the National Campaign for People’s Right to Information and Satark Nagrik Sangathan, and have also filed a petition in the Supreme Court challenging the provisions of the DPDP Act.)
The DPDP Act tightens privacy rules, limiting RTI disclosures and raising questions about transparency, press freedom, and citizens’ ability to hold power to account.
 |
| RTI activists and NGOs protesting against the RTI Amendment Bill in Thane, Maharashtra, on July 25, 2019. Photo Credit: VIBHAV BIRWATKAR |
Both the right to information and the right to privacy have been upheld by the Supreme Court to be fundamental rights flowing from the Constitution under Article 19(1)(a) and Article 21, which guarantee the people the freedom of speech and expression and the right to life with dignity. The RTI Act, passed in 2005, included an explicit provision to balance people’s right to information with the right to privacy through an exemption clause under Section 8(1)(j). Personal information was exempt from disclosure if it had no relationship to any public activity or interest, or if information sought was such that it would cause an unwarranted invasion of privacy of an individual, unless the information officer was satisfied that there was a larger public interest that justified disclosure. The provision was the most often invoked exemption clause to deny information under the RTI Act.
The data protection law was similarly expected to harmonise both rights in a manner that preserved democratic accountability while protecting personal data from misuse. Instead, it amended Section 8(1)(j) of the RTI Act to exempt from disclosure all personal information, a move that has severely impaired people’s ability to access information needed to hold the powerful to account.
To effectively participate in a democracy and ensure accountability, citizens require access to personal information that identifies the individuals responsible for the exercise of power and the disbursal of public funds. This includes names of public officials involved in decision-making, information about their functioning, names, and particulars of contractors involved in public works, and names of officers who grant statutory clearances, licences, or environmental approvals.
Correspondence between various authorities and public officials, including the RBI Governor, the Election Commission of India (ECI), and the Finance Ministry, regarding the proposal to introduce the electoral bonds scheme was accessed under the RTI Act. The documents were instrumental in highlighting the objections expressed by the public authorities and officials regarding the proposed scheme and were relied upon by the Supreme Court in its landmark judgment striking down the anonymous electoral bonds.
Similarly, the Supreme Court has held that citizens have a right to know the names of wilful defaulters and details of the Non-Performing Assets of public sector banks. Democracies routinely ensure public disclosure of voters’ lists with names, addresses, and other personal data to enable public scrutiny and prevent electoral fraud. The ECI permits objections raised by people to voter list inclusions. Experience of the use of the RTI Act in India has shown that if people, especially the poor and marginalised, are to have any hope of obtaining the benefits of government schemes and welfare programmes, they must have access to relevant personal information. For instance, the Public Distribution System Control Order recognises the need for putting out the details of ration card holders and records of ration shops in the public domain to enable public scrutiny and monitoring. Beneficiary lists are published, read before Gram Sabhas and opened to objections. Social audits are also a statutory requirement under the National Food Security Act, the VB-G RAM G Act, and other legislations—each premised on the public availability of personal information.
In each of these contexts, the disclosure of personal information is not incidental but integral to ensuring transparency and accountability in the functioning of public authorities.
Though some disclosures of personal information that are explicitly mandated by statute will be protected under the DPDP Act, most transparency frameworks operate through executive guidelines and administrative practice rather than specific legislative prescription. The amendments, therefore, effectively impose a blanket prohibition on sharing personal data, without carving out space for public-interest disclosures that fall outside an explicit statutory mandate. Given the DPDP Act’s expansive definitional scope, onerous compliance obligations, and substantial monetary penalties—upto Rs.250 crore, which can be doubled—public authorities are likely to err heavily towards denial of information even where sharing information serves demonstrable public interest. This threatens a systemic rollback of proactive disclosure and social audit mechanisms that underpin participatory governance.
The amendment made by the data protection law to the RTI Act has also done away with an important proviso to Section 8(1) of the RTI Act, which stated that “information which cannot be denied to the Parliament or a State Legislature shall not be denied to any person”. This proviso acted as a built-in proportionality test within the RTI Act and served as a powerful democratic equaliser, recognising the need for ensuring accountability of public authorities towards citizens and not just elected representatives.
Threat to press freedom and whistleblowing
The DPDP Act will have a chilling impact on the freedom of the press as it does not provide any exemptions for accessing and processing of personal information by journalists, reporters, and media organisations. While the DPDP Act does not address journalists or their activities directly, under the law, any person or organisation who collects, processes, or publishes personal data will be classified as a data fiduciary and will be subject to various obligations, including providing notice and obtaining consent requirements that are undeniably onerous. Further, the law allows the Union government to call for information from any data fiduciary without adequate safeguards. Such arbitrary powers without adequate checks and balances pose a grave threat to peoples’ right to privacy and could be used to compromise journalistic confidentiality.
Media bodies, including the Editor’s Guild of India, the Press Club of India, and other press clubs, have flagged these dangers in the law, seeking a clear carve-out for personal information processed for journalistic purposes, as is the practice in other data protection regimes, including the European Union’s General Data Protection Regulation. However, the government has refused to make any changes to the law.
The DPDP also fails to provide any protection to whistleblowers, who in exposing corruption necessarily process personal data—names, financial transactions, correspondence, details of official conduct. With exposure to the full liability and penalty regime of the DPDP Act, the omission of protection creates a direct and unresolved conflict between the State’s stated commitment to combating corruption and the chilling effect now imposed on those who come forward with evidence of it.
Unchecked executive control
The DPDP Act not only curtails peoples’ right to information and press freedom, but also fails to provide a robust framework for preventing the misuse of personal data, including for financial fraud. Given that the government is the biggest data repository, an effective data protection law must not give wide discretionary powers to the government. The DPDP Act, unfortunately, empowers the executive to draft rules and notifications on a vast range of issues.
The Union government can exempt any government, or even a private sector entity, from the application of provisions of the law by merely issuing a notification. This potentially allows the government to arbitrarily exempt its cronies and government bodies, resulting in immense potential for violations of citizens’ privacy. The creation of a government-controlled Data Protection Board, empowered to impose fines up to Rs 250 crore—causes serious apprehensions of opening the law to potential misuse by the executive to target dissenting voices and political opposition.
Constitutional challenge
Several petitions have been filed in the Supreme Court challenging the constitutional validity of the DPDP Act. The National Campaign for People’s Right to Information, media outlet Reporter’s Collective, and RTI activists have challenged the amendments made to the RTI Act. The petitioners have also flagged the detrimental impact that the DPDP Act will have on press freedoms and the ability of journalists and whistleblowers to expose corruption and wrongdoing.
The bench led by the Chief Justice of India noted that the petitions raise significant constitutional questions and issued notice to the Union government. At its core, the challenge before the court is whether data protection can be used as a shield to insulate the exercise of power from public scrutiny. The verdict will determine not just the fate of the RTI Act, but the architecture of accountability in Indian democracy for years to come.
(Anjali Bhardwaj and Amrita Johri are transparency activists associated with the National Campaign for People’s Right to Information and Satark Nagrik Sangathan, and have also filed a petition in the Supreme Court challenging the provisions of the DPDP Act.)
.JPG)
.JPG)
