SYLLABUS
GS-2: Structure, organization and functioning of the Executive and the Judiciary; Ministries and Departments of the Government.
Context: The Supreme Court has referred a batch of petitions challenging the constitutional validity of provisions of the Digital Personal Data Protection (DPDP) Act, 2023, and its Rules, 2025, to a five-judge Constitution Bench, which is expected to hear the matter in March.
More on the News
- Core constitutional challenge: The petitions primarily challenge Section 44(3) of the DPDP Act, which amends Section 8(1)(j) of the Right to Information (RTI) Act, 2005.
  - Earlier, personal information could be withheld only if disclosure had no relation to public activity or caused an unwarranted invasion of privacy, with a public interest override.
  - The amended provision exempts disclosure of “personal information” without explicitly retaining this balancing test, which petitioners argue converts a calibrated exemption into an absolute bar.
  - Petitioners claim this weakens transparency, undermines participatory democracy, and violates proportionality principles laid down in the Puttaswamy privacy judgment.
- Privacy vs transparency debate: Petitioners argue the amendment removes the discretion of Public Information Officers to weigh privacy against the larger public interest.
  - They contend the change could block access to documents such as asset declarations, procurement records, and file notings, which often contain personal data but are crucial for exposing corruption.
  - It is also argued that the provision extends privacy protections to public officials in a manner that dilutes accountability under Article 19(1)(a).
- Concerns over press freedom: The petitions warn that journalists may be treated as “data fiduciaries” under the Act, requiring notice and consent for using personal data.
  - This could make investigative journalism difficult, especially in cases involving scams or beneficiaries of public schemes.
  - Non-compliance could attract penalties of up to ₹250 crore, potentially creating a chilling effect on public-interest reporting.
- Government access to personal data: Section 36 of the Act, which allows the Union government to seek data from fiduciaries, has been criticised as vague and overbroad.
  - Petitioners argue the provision lacks safeguards, independent oversight, or appeal mechanisms, raising fears of surveillance and threats to journalistic sources.
  - Rule 23 of the 2025 Rules is also challenged for allegedly enabling data sharing without adequate transparency.
- Independence of Data Protection Board questioned: The composition of the Data Protection Board of India has been challenged on the grounds of executive dominance.
  - The appointment process reportedly involves only government officials and nominees, raising concerns about impartiality, especially as the State is the largest data collector.
- Court’s observations and next steps: The Court declined to stay the law, stating that interim orders should not introduce a new regime contrary to Parliament’s intent.
  - It acknowledged that both privacy and transparency involve fundamental rights and will require careful balancing by the Constitution Bench.
  - The outcome is expected to shape how India reconciles the right to information under Article 19(1)(a) with privacy protections under Article 21.
About the DPDP Act 2023

- The DPDP Act is India’s first comprehensive law for safeguarding the digital personal data of its citizens.
- It establishes a legal framework that recognizes both the right of individuals to protect their data and the need for organizations to process that data for lawful purposes.
- The Act replaces Section 43A of the IT Act, 2000, and supersedes the SPDI Rules, 2011, making the DPDP Act the primary legal instrument governing digital personal data in India.
- Consent-Centric and Rights-Based Framework:
  - The Act mandates specific, informed, and clear consent for processing digital personal data.
  - Individuals (data principals) gain rights to access, correct, delete, and seek grievance redressal for their data.
- Obligations on Data Fiduciaries & Special Safeguards:
  - Data fiduciaries must ensure purpose limitation, data minimisation, security safeguards, and timely breach reporting.
  - Additional protections apply to children’s data, including a ban on profiling or targeted advertising.
- Governance, Enforcement & Cross-Border Rules:
  - Establishes the Data Protection Board of India to enforce compliance and impose monetary penalties.
  - Allows cross-border data transfer by default, with the government empowered to restrict certain jurisdictions for security or public interest.
- Penalties: The Act provides for steep financial penalties (up to ₹250 crore) for breaches related to children’s data, security failures, and non-compliance with obligations.
