Is Privacy Becoming the New Excuse for Secrecy in India’s Digital State?

When the petitions challenging India’s Digital Personal Data Protection Act, 2023 were called out in open court this week, the courtroom was not merely witnessing another constitutional skirmish. It was watching a deeper anxiety surface—an anxiety about what kind of digital democracy India is becoming. The immediate trigger was technical and legal: whether the DPDP Act and the Rules notified in 2025 lawfully dilute the Right to Information regime by shielding “personal data” from disclosure. But the unease runs far wider. At stake is a fundamental question that India has not yet answered with confidence: in an age where data is power, how much secrecy can the state legitimately claim in the name of privacy, and how much transparency must it still tolerate in the name of accountability?

The Supreme Court’s decision to issue notices, tag multiple Public Interest Litigations, and place the matter before a larger bench signals that the Court itself senses the constitutional weight of the problem. This is not simply about statutory interpretation or delegated legislation. It is about the uneasy coexistence of two rights that have, until now, been seen as complementary rather than conflicting: the right to privacy under Article 21, affirmed with near-reverential clarity in the Puttaswamy judgment, and the right to information, flowing from Article 19(1)(a) and operationalised through the RTI Act, which for two decades has been the citizen’s most effective tool against opaque governance.

The DPDP Act arrived with an ambitious promise. India, the government said, needed a modern data protection law—one that could regulate Big Tech, protect citizens from misuse of personal data, and create trust in the digital economy. In many respects, that promise resonated. Indians are among the most prolific generators of data in the world, from Aadhaar-linked welfare systems to ubiquitous digital payments. The absence of a comprehensive privacy framework had long been an anomaly, especially after the Supreme Court declared privacy to be a fundamental right. Few serious observers deny that some form of data protection law was inevitable, even overdue.

The controversy, however, lies in how the Act chose to reconcile privacy with transparency. By amending Section 8(1)(j) of the RTI Act, the DPDP framework removes the long-standing public interest override that allowed disclosure of personal information if it served a larger public purpose. Under the new regime, “personal data” is insulated far more broadly, with fewer explicit exceptions. To activists and transparency advocates, this is not a minor tweak but a structural shift. Information that once helped uncover disproportionate assets, conflicts of interest, or administrative favouritism could now be lawfully withheld, simply because it relates to an individual—even if that individual is a public servant acting in an official capacity.

Supporters of the DPDP Act counter that this alarm is exaggerated. They argue that privacy cannot be a second-class right, constantly sacrificed at the altar of public curiosity. In an era of data leaks, digital profiling, and reputational harm, the state has a duty to protect individuals, including bureaucrats and officials, from intrusive fishing expeditions. The RTI Act, they point out, was never meant to legitimise voyeurism. From this perspective, the DPDP Act is not an attack on transparency but a long-needed correction, bringing India closer to global data protection norms.

This argument is not without force. Across jurisdictions, courts and legislatures have struggled with the same balance. The European Union’s GDPR, often cited as the gold standard of privacy regulation, also restricts disclosure of personal data. Yet the comparison is incomplete unless one also acknowledges the institutional context. In many European states, robust oversight mechanisms, independent regulators, and strong whistleblower protections coexist with privacy laws. India’s accountability ecosystem is far more fragile. RTI, for all its flaws and abuses, has functioned as a low-cost, decentralised check on power, accessible to ordinary citizens rather than only to courts or regulators.

This is where the constitutional tension sharpens. The Supreme Court has repeatedly held that rights must be harmonised, not ranked in isolation. Privacy and free speech, privacy and transparency, privacy and accountability—none of these are zero-sum conflicts. In Puttaswamy itself, the Court was careful to note that privacy is not absolute and may yield to compelling state interests, provided the restriction is lawful, necessary, and proportionate. The present challenge asks whether the DPDP Act’s blanket approach to personal data under RTI meets that test of proportionality, or whether it goes further than necessary, eroding the informational rights of citizens in the process.

Consider a familiar, almost mundane scenario. A citizen files an RTI seeking details of assets declared by a senior public official, suspecting corruption. Under the older regime, such information could be disclosed if the public interest outweighed the privacy interest. Under the new framework, the response may simply be a refusal, citing personal data protection. The citizen is then left to pursue expensive litigation or abandon the inquiry altogether. Multiply this by thousands of small, local cases—panchayat-level appointments, municipal contracts, university selections—and the cumulative effect on grassroots accountability becomes clear.

The government insists that fears of opacity are misplaced, pointing to safeguards and exemptions that still allow disclosure in certain circumstances. But critics note that these safeguards are often couched in vague language, leaving wide discretion with public information officers and ministries. Discretion, in the Indian administrative context, has rarely been a friend of transparency. The concern is not merely that information will be denied, but that denial will become routine, normalised, and difficult to challenge.

This brings us to the role of delegated legislation. Much of the operational detail of the DPDP regime lies not in the Act itself but in the Rules framed by the Ministry of Electronics and Information Technology. Rule-making is, of course, a legitimate executive function. But when rules significantly affect fundamental rights, courts have traditionally subjected them to closer scrutiny. Petitioners argue that the Rules notified in 2025 effectively redraw the contours of the RTI Act without adequate parliamentary debate, using data protection as a vehicle. If this argument finds favour, the case could become a landmark in administrative law as much as in privacy jurisprudence.

The state’s defence, predictably, invokes efficiency and uniformity. A fragmented approach, it argues, would undermine data protection by allowing RTI disclosures to punch holes in the privacy framework. From this view, privacy must be enforced consistently, even if it means some loss of transparency. Yet this framing assumes that privacy and transparency are inherently antagonistic. In reality, they often serve the same democratic end: limiting arbitrary power. Transparency exposes wrongdoing; privacy protects individuals from misuse of power. When either is weakened, it is usually citizens, not institutions, who suffer.

A useful way to understand this conflict is through a simple question: whose privacy is being protected, and from whom? The DPDP Act does little to distinguish between the privacy interests of an ordinary citizen and those of a powerful public official. Treating both identically may appear neutral, but neutrality can mask inequality. A government clerk and a cabinet minister do not stand on the same footing when it comes to public scrutiny. Democratic accountability demands a higher threshold of openness from those who wield authority.

It is telling that many of the petitions before the Court have been filed not by corporations or political rivals, but by activists who have used RTI as a tool of civic engagement. For them, the DPDP amendments feel less like a privacy shield and more like a curtain drawn over the workings of the state. This perception matters. Laws do not operate in a vacuum; they derive legitimacy from public trust. A privacy regime that is seen as primarily protecting the state from scrutiny risks losing that trust, no matter how well-intentioned its design.

There is also a practical dimension that deserves attention, particularly for lawyers, compliance officers, and public authorities. How should an information officer respond to an RTI application that involves personal data? Should they default to denial, fearing penalties under the DPDP Act, or attempt a nuanced balancing exercise, risking legal uncertainty? The Act offers limited guidance. In the absence of clear judicial interpretation, risk-averse behaviour is likely to prevail. Over time, this could hollow out the RTI mechanism not through overt repeal, but through administrative inertia.

International experience suggests that this outcome is not inevitable. Several jurisdictions have developed workable models that balance privacy with transparency through detailed guidelines and independent oversight. In the United Kingdom, for instance, the Information Commissioner’s Office issues granular guidance on when personal data can be disclosed in the public interest. The existence of a strong, independent regulator makes such balancing credible. India’s proposed Data Protection Board, by contrast, is still finding its institutional footing, and its independence remains a subject of debate.

At a deeper level, the controversy reflects a shift in how the Indian state conceives information. For much of the RTI era, information held by the government was seen as a public resource, with secrecy as the exception. The DPDP framework subtly reverses this presumption, treating data—personal or otherwise—as something to be tightly controlled, shared sparingly, and guarded by default. This shift aligns with a global trend towards data governance, but it sits uneasily with India’s democratic ethos, where information has often been the citizen’s only leverage against an unresponsive bureaucracy.

One cannot ignore the political context either. Transparency laws thrive in environments where dissent is tolerated and accountability is valued. When public debate becomes polarised, and institutions are under strain, even well-crafted privacy laws can be perceived as tools of control. The Supreme Court, aware of this context, now faces the delicate task of crafting a doctrine that protects privacy without suffocating transparency.

The Court has, in the past, risen to similar challenges. Its jurisprudence on free speech, electoral reforms, and environmental transparency shows an ability to balance competing interests with nuance. What is required here is not a blunt invalidation of the DPDP Act, nor an uncritical endorsement of its RTI amendments, but a principled reading that preserves the essence of both rights. This may involve reading back a public interest override into the RTI framework, or issuing guidelines that limit the scope of “personal data” in the context of public functions.

As Justice Louis Brandeis famously observed, “Sunlight is said to be the best of disinfectants.” The quote is often invoked in transparency debates, sometimes simplistically. Brandeis himself understood that exposure without restraint can also cause harm. The challenge is not to choose between sunlight and shade, but to decide where each is appropriate. In India’s digital age, where data can both empower and endanger, this balance becomes even more critical.

The outcome of the current hearings will likely shape this balance for years to come. A ruling that privileges privacy at the cost of transparency may be welcomed by those wary of data misuse, but it risks weakening one of India’s most effective accountability tools. Conversely, a decision that preserves RTI’s public interest core while respecting genuine privacy concerns could reaffirm the Court’s role as a constitutional mediator, capable of adapting old rights to new realities.

For practitioners, the message is clear: the era of easy answers is over. Handling information requests will require careful judgment, documented reasoning, and an awareness of constitutional principles, not just statutory checklists. For citizens, the stakes are higher still. The right to ask questions of those in power is not a technical privilege; it is a democratic habit, cultivated over time and easily lost if neglected.

Ultimately, the debate over the DPDP Act and RTI amendments is not about choosing privacy over transparency or vice versa. It is about refusing to accept a false choice. A mature constitutional order must be capable of protecting individual dignity without insulating power from scrutiny. As the Supreme Court deliberates, it has an opportunity to remind both the state and its citizens that rights are not silos, but parts of a larger democratic architecture. If that reminder is delivered with clarity and conviction, the present controversy may yet strengthen, rather than weaken, India’s digital constitutionalism.