Harmonizing Privacy and Accountability (RTI vs DPDP) 21 Feb 2026

The recent operationalization of the Digital Personal Data Protection (DPDP) Act, 2023, presents a profound challenge to the foundational principles of transparency and accountability enshrined in the Right to Information (RTI) Act, 2005. While ostensibly aimed at safeguarding individual privacy in an increasingly digital landscape, the Act's broad exemptions for personal data, particularly its intersection with the RTI regime, risks creating a significant regulatory paradox that could dismantle years of progress in government transparency. This analytical piece argues that the DPDP Act, in its current formulation, disproportionately prioritizes privacy over accountability, thereby fostering information asymmetry and potentially undermining democratic governance. This tension between two fundamental rights – the right to information and the right to privacy, both affirmed by the Supreme Court of India in Puttaswamy v. Union of India (2017) – requires careful conceptual framing. India is currently grappling with the challenge of harmonizing these rights, where the DPDP Act, 2023, as implemented, appears to grant an overriding supremacy to individual privacy without adequate safeguards for public interest disclosures, effectively diluting the spirit of the RTI Act.

UPSC Relevance Snapshot

• GS Paper II: Governance, Constitution, Fundamental Rights, Government Policies and Interventions for Development in various sectors, Statutory, Regulatory and Quasi-judicial Bodies.
• GS Paper IV: Ethics and Human Interface, Probity in Governance, Right to Information, Codes of Ethics, Ethical Dilemmas.
• Essay Angle: The balancing act between rights; Technology and governance; Transparency vs. Privacy in the Digital Age.
• Prelims: Key provisions of RTI Act and DPDP Act, landmark Supreme Court judgments, functions of CIC/Data Protection Board.

Institutional Landscape: A Clash of Frameworks

The Right to Information Act, 2005, established a robust framework for citizens to access information held by public authorities, subject to certain exemptions. Its Section 8(1)(j) specifically deals with personal information, allowing disclosure only if it serves a larger public interest, a test that placed the onus on the public authority to justify non-disclosure. The subsequent advent of the Digital Personal Data Protection Act, 2023, while critical for data privacy, significantly alters this dynamic, creating a potential legislative overlap that demands immediate reconciliation. Key institutional and legal frameworks shaping this debate include:

• The Right to Information Act, 2005 (RTI Act):
  • Section 8(1)(j): Exempts information that relates to personal information, the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual, *unless the Central Public Information Officer or the State Public Information Officer or the appellate authority is satisfied that the larger public interest justifies the disclosure of such information.* (Emphasis added)
  • Central Information Commission (CIC) & State Information Commissions (SICs): Appellate bodies for RTI requests, responsible for interpreting and enforcing the Act.
• The Digital Personal Data Protection Act, 2023 (DPDP Act):
  • Section 17(2): States that the provisions of the RTI Act, 2005, shall not apply in respect of personal data, if such personal data is being processed by a public authority.
  • Data Protection Board of India (DPBI): Proposed independent body responsible for enforcing the DPDP Act, investigating breaches, and imposing penalties.
  • Data Fiduciary: Entity determining the means and purpose of processing personal data (includes public authorities).

The Argument: DPDP's Overreach and the Erosion of RTI

The primary concern emanating from the DPDP Act, 2023, particularly Section 17(2), is its potential to significantly curtail the scope of information accessible under the RTI Act, 2005. By stating that the RTI Act "shall not apply in respect of personal data" processed by a public authority, the DPDP Act effectively creates an absolute exemption, removing the crucial "larger public interest" test that historically allowed for the disclosure of personal information when accountability demanded it. This shift marks a concerning regression from established transparency norms. The National Campaign for People's Right to Information (NCPRI) and the Commonwealth Human Rights Initiative (CHRI) have explicitly voiced apprehensions, highlighting how Section 17(2) of the DPDP Act could be interpreted to exempt vast swathes of information that are routinely sought under RTI, including details of public officials, government expenditure on individuals, and beneficiaries of public schemes. For instance, information regarding the educational qualifications of public servants, the assets declared by elected representatives, or even details of disciplinary actions, which are often considered 'personal data,' could now be withheld without recourse to the public interest proviso. This significantly undermines the very essence of public accountability.

The legislative intent behind the RTI Act's Section 8(1)(j) was to balance privacy with transparency through a nuanced public interest test. The DPDP Act, however, appears to override this careful balance with a blanket exemption, creating a chilling effect where Public Information Officers (PIOs) may err on the side of non-disclosure to avoid potential penalties under the new data protection regime. This legislative oversight or deliberate design risks transforming public authorities into opaque entities, where critical information related to public services, tenders, and grievance redressal mechanisms could become inaccessible.

The Counter-Narrative: Protecting Individual Privacy

It is crucial to acknowledge the legitimate and pressing need for robust data protection legislation in India. The rapid digitalization of public and private services necessitates a framework to protect citizens from data breaches, identity theft, and misuse of their personal information. The Supreme Court's declaration of the right to privacy as a fundamental right underscores its constitutional importance. The DPDP Act aims to bring India in line with global standards for data protection, fostering trust in the digital economy and ensuring India's position as a responsible digital power. Furthermore, a truly robust privacy regime is essential for individual autonomy and dignity. Without adequate data protection, citizens are vulnerable to surveillance, discrimination, and manipulation. The DPDP Act, by introducing concepts like consent, data principal rights, and significant penalties for non-compliance, seeks to empower individuals over their personal data. The potential for misuse of personal information, even in the name of transparency, cannot be dismissed. Therefore, proponents argue that the DPDP Act is a necessary evolution, and any perceived reduction in RTI's scope is a justifiable trade-off for enhanced individual privacy and data security.

International Comparison: The GDPR and Public Interest

Examining international best practices, particularly the European Union's General Data Protection Regulation (GDPR), reveals a more nuanced approach to balancing privacy with public interest. While GDPR is stringent on data protection, it explicitly incorporates provisions for public interest overrides, ensuring that data protection does not become an absolute barrier to legitimate public scrutiny or research. In countries like the UK, their Data Protection Act (which implements GDPR) explicitly recognizes the symbiotic relationship with their Freedom of Information Act, allowing for disclosure of personal information when the public interest in disclosure outweighs the public interest in withholding. This provides a judicial or regulatory mechanism for balancing these competing rights, a mechanism that appears to be diluted or absent in India's DPDP Act, specifically concerning its interaction with the RTI Act.

Structured Assessment

The friction between the DPDP Act, 2023, and the RTI Act, 2005, demands a critical assessment across policy design, governance capacity, and behavioural factors. The current legislative architecture risks creating an imbalance that could prove detrimental to democratic accountability.

Policy Design Adequacy

• The DPDP Act's Section 17(2) represents a significant design flaw in its interaction with existing transparency legislation. By seemingly eliminating the "larger public interest" override for personal data disclosure under RTI, it creates an absolute exemption that is out of step with progressive data protection regimes internationally.
• The absence of clear guidelines or a robust mechanism within the DPDP Act to reconcile privacy concerns with legitimate demands for public accountability is a critical omission. This lack of clarity places Public Information Officers (PIOs) in an unenviable position, potentially leading to arbitrary decisions.

Governance Capacity

• The effectiveness of the DPDP Act, and its harmonization with RTI, hinges on the operational independence and capacity of the Data Protection Board of India (DPBI). Concerns persist regarding the appointment process of DPBI members and its potential for executive influence, which could compromise its ability to objectively balance competing interests.
• The training and sensitization of PIOs and public authorities on the nuanced interpretation of both Acts will be crucial. Without a clear framework from the Central Information Commission (CIC) or the Supreme Court, there is a high probability of conservative interpretations leading to increased information denials.

Behavioural/Structural Factors

• A broad interpretation of the DPDP Act by public authorities could lead to a 'chilling effect,' where information related to public services, beneficiary lists, or even details of government expenditures are withheld citing privacy concerns, thereby increasing opacity.
• This shift risks reducing public trust in governmental processes and creating barriers for civil society organizations and media in scrutinizing public affairs. It could lead to a rise in appeals and legal challenges, placing additional burden on the already stretched information commissions and judiciary.

Way Forward

To harmonize privacy and accountability, several policy recommendations are crucial. Firstly, the government should introduce amendments to the DPDP Act, specifically Section 17(2), to reintroduce a public interest override for personal data disclosures under the RTI Act, aligning it with international best practices like GDPR. Secondly, clear guidelines must be issued by the Department of Personnel and Training (DoPT) and the Central Information Commission (CIC) to all public authorities, detailing the precise interplay between the two Acts and providing a framework for PIOs to assess public interest. Thirdly, the Data Protection Board of India (DPBI) needs to be established with demonstrable functional and financial independence, ensuring its appointments are transparent and merit-based to build public trust. Lastly, a comprehensive capacity-building program for PIOs and Data Protection Officers (DPOs) is essential to foster a nuanced understanding of both privacy principles and transparency obligations, facilitating informed decision-making and reducing arbitrary denials.