Intersection of DPDP Act and Right to Information (RTI): Conflict between Transparency & Privacy

Conflict between Transparency & Privacy

 YOGITA KASHYAP

BA.LLB (HONS.) STUDENT, MAHARAJA SURAJMAL INSTITUTE (MSI) 

ABSTRACT

The convergence of the Digital Personal Data Protection Act, 2023 (DPDP Act), and the Right to Information Act, 2005 (RTI Act) represents a critical moment in India’s democratic and digital governance. At stake is the reconciliation of two essential principles: transparency, which underpins accountable governance, and privacy, which secures individual dignity and autonomy. This paper examines the legal, constitutional, and practical challenges emerging from the overlap of these Acts, focusing on how personal information of public servants should be treated when requested under RTI. The central question is whether citizens’ right to know should override an individual’s right to privacy, and under what conditions such balancing is legitimate.

The RTI Act, 2005, is a landmark in promoting openness and combating corruption. However, Section 8 exempts disclosure of personal information where it amounts to an unwarranted invasion of privacy, unless justified by overriding public interest. Judicial interpretation has refined this balance. In Girish Ramchandra Deshpande v. CIC (2013), the Supreme Court held that service records and property details of officials are ordinarily private, but disclosure may be ordered when accountability demands it.

The DPDP Act, by contrast, creates a comprehensive framework for regulating the processing and disclosure of personal data in the digital age. Rooted in Justice K.S. Puttaswamy v. Union of India (2017), which recognized privacy as a fundamental right, the Act emphasizes consent and data protection obligations. It also provides exemptions under Sections 7 and 17 for state functions, research, and public interest purposes. Most significantly, Section 38 gives the DPDP Act precedence over conflicting laws on matters relating to personal data, thereby complicating the application of RTI where personal information is involved.

This statutory overlap raises difficult questions. Are asset declarations of public servants disclosable in the name of transparency, or does DPDP now restrict them absent explicit consent? Should performance evaluations or disciplinary proceedings of officials be treated as public information, or as protected personal data? Such conflicts highlight the growing challenges faced by Public Information Officers (PIOs), who must navigate competing statutes without clear interpretive guidance. Inconsistent decisions risk undermining both transparency and privacy.

A proportionality framework offers a solution. Following Puttaswamy, any restriction on privacy must be lawful, necessary, and proportionate to the public purpose pursued. Thus, disclosures exposing corruption, misuse of office, or illicit enrichment may be justified, whereas medical, family, or intimate details should remain exempt. This approach is consistent with global practice under the EU’s GDPR, which allows disclosures in public interest while safeguarding sensitive data.

Practical issues remain. PIOs often lack training in data protection, leading to over-disclosure or arbitrary refusals. The absence of standard operating procedures (SOPs) and overlapping jurisdiction of the CIC and Data Protection Board create further uncertainty. International models, including independent oversight bodies and data trusts, provide useful guidance.

The study recommends harmonization through legislative clarification or detailed guidelines. SOPs, capacity-building for PIOs, and adoption of privacy-by-design frameworks are essential. A “transparency by default, privacy by exception” doctrine should guide decision-making: information on official functions should be presumptively disclosable, while personal data unrelated to public duties must be firmly protected.

In conclusion, the intersection of RTI and DPDP encapsulates the broader global struggle of balancing openness with autonomy. Neither transparency nor privacy is absolute; both must be reconciled case by case, using principles of proportionality, necessity, and public interest. As India advances toward digital governance, this equilibrium will be critical in defining democratic accountability and safeguarding individual liberty.

Keywords

1. Digital Personal Data Protection Act, 2023
2. Right to Information Act, 2005
3. Transparency and accountability
4. Right to privacy
5. Proportionality principle
6. Public interest disclosure
7. Supreme Court jurisprudence (India)
8. GDPR and comparative frameworks

1. Introduction: The Contest Between Openness and Protection

The evolution of digital governance in India places the principles of transparency and privacy in sharp relief, particularly where the personal data of public officials is concerned. The Right to Information (RTI) Act of 2005 empowered citizens to demand information from public authorities, fostering accountability and reducing corruption. In recent years, however, the enactment of the Digital Personal Data Protection (DPDP) Act, 2023, raises urgent questions about the limits of transparency when pitted against the rising need for data privacy and protection in the digital age.

This research paper interrogates the legal, ethical, and practical dimensions of the conflict and convergence between RTI and DPDP frameworks, emphasizing the quandary posed when requests are made for accessing the personal data of public officials. The analysis is particularly focused on how statutory exemptions under the DPDP Act will be interpreted and operationalized in the RTI context, considering existing jurisprudence and regulatory experience.

2. Theoretical Norms and Frameworks

2.1 Transparency as a Democratic Imperative

Transparency is widely recognized as integral to accountable governance and participatory democracy. Freedom of information laws across more than 100 countries, including India’s RTI, are underpinned by the notion that access to information secures citizen engagement, enables oversight, and builds institutional trust. Access to information is increasingly conceived not just as a statutory right, but as a core element of the human rights framework.

2.2 Privacy in the Datafied Society

Simultaneously, the exponential rise in the volume and granularity of data collected—driven by digitalization—has rendered personal privacy more vulnerable. Unregulated data flows can have profound adverse effects, including individual harm, loss of dignity, and erosion of democratic freedoms. The idea that privacy deserves robust legal protection has gained constitutional recognition in India, affirmed by the Supreme Court in K.S. Puttaswamy v. Union of India (2017), which declared privacy a fundamental right.

2.3 Defining Personal Data

Personal data is typically defined as any information that relates to an identified or identifiable individual. In the Indian context, the DPDP Act draws a similar distinction, while also carving out specific categories—such as sensitive personal data—for higher protection. For public officials, the dividing line between personal and official data can often be blurred due to the nature of their public functions.

3. Statutory Provisions and Legal Analysis

3.1 The RTI Act: Scope and Exemptions

The RTI Act provides for the right to access information held by or under the control of public authorities, with certain exemptions under Section 8, including with respect to personal information, unless a larger public interest is demonstrated. Specifically, Section 8(1)(j) exempts information which relates to personal information, the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of privacy. This exception, however, is not absolute—if the Central Public Information Officer (CPIO) believes that public interest outweighs the harm, disclosure can be ordered.

3.2 The DPDP Act: Regulatory Regime and Grounds for Exemption

India’s DPDP Act establishes comprehensive requirements regarding the collection, storage, processing, and transfer of digital personal data, requiring consent and setting out rights of data principals regarding their data’s use and disclosure. However, Section 7(b) of the DPDP Act creates a carve-out for processing required for the performance of any function of the State authorized by law, which may include statutory requirements under the RTI Act. Section 17 lists exemptions, including for research, statistical, and archival purposes, or for journalistic activities in public interest.

3.3 The Intersection: Which Law Prevails?

From a statutory interpretation standpoint, both Acts claim a high normative status. The RTI’s preamble and objects are grounded in promoting transparency and accountability. The DPDP Act’s stated purpose is to protect individual autonomy and informational privacy, making exceptions only where justified. Section 38 of the DPDP provides that its provisions are to be in addition to, not in derogation of, existing laws; however, in case of inconsistency, DPDP shall prevail regarding processing of personal data. This sets the ground for a nuanced balancing analysis, case by case.

4. Jurisprudence: Balancing the Right to Know and the Right to Privacy

4.1 Supreme Court Jurisprudence

The privacy-transparency axis has been contested before Indian courts. In Girish Ramchandra Deshpande v. Central Information Commissioner (2013), the Supreme Court held that the personal information of government officials, such as service records and property returns, generally cannot be disclosed under RTI unless overriding public interest is shown. This was reaffirmed in R.K. Jain v. Union of India (2013).

The landmark Puttaswamy decision went further, establishing that privacy—including informational privacy—is a fundamental right, but subject to reasonable restrictions in public interest, including transparency and accountability of public officials. The Court recommended a proportionality analysis: The restriction (i.e., potential disclosure under RTI) must be necessary, suitable, and balanced against the individual’s right to privacy.

4.2 Key CIC Orders and Reasoning

Central Information Commission (CIC) orders have been varied, reflecting granular analysis of facts. The CIC has sometimes held that information such as attendance, official conduct, or misuse of public office should be disclosed in public interest. However, details such as medical records, family details, or personal addresses are typically not disclosed barring compelling interest.

The reasoning frequently rests on interpreting “public interest.” If an RTI request is aimed at exposing corruption, maladministration, or misconduct, the CIC has ordered disclosure despite Section 8(1)(j) exemption, reasoning that transparency in public service demands some dilution of privacy for officials. Yet, the DPDP Act’s more encompassing definition of “personal data” could, going forward, narrow such disclosures if the data is not demonstrably connected to a public purpose.

5. Conflict and Reconciliation: When RTI Meets DPDP

5.1 The Key Conflict Zones

The tension is most acute in requests for:

Service records, performance reports, or disciplinary proceedings of public officials.

Asset disclosure, income, and property details of officials.

Health records or personal identifiers.

Addresses and contact information.

Pre-DPDP, the test was whether the information pertained to public activity/interest and whether disclosure would cause unwarranted invasion of privacy. Post-DPDP, any such request must now also navigate explicit requirements of consent and grounds for lawful processing, alongside RTI’s public interest test.

5.2 Exemption Application and Public Interest Override

The DPDP Act, as lex specialis for personal data, arguably adds a higher threshold: Public authorities must demonstrate a lawful basis for sharing personal data, and the process must comply with data minimization and purpose limitation. However, if the disclosure is necessary for “performance of any function of the State” under law (as with RTI obligations), it may be permitted provided it passes the public interest and necessity tests.

For example, asset disclosure by elected representatives, historically held to be in public interest, may still be disclosed. But disclosure of medical or family information would likely be barred absent a compelling demonstration of public need. This finding is echoed in comparative global frameworks—the GDPR, for instance, also permits public interest disclosures under specific safeguards .

5.3 Implementation Challenges

The practical reconciliation of these frameworks requires public information officers to undertake careful legal reasoning:

First, is the requested data “personal” under DPDP?

Second, is there a statutory or public interest ground to override privacy?

Third, does the statutory process (RTI) sufficiently safeguard the data principal’s rights and apply the least intrusive means?

Mistakes in this balancing can lead to legal liability (for privacy breach), undermine public trust, or allow corruption to go unchallenged.

6. Emerging Challenges in the Datafied State

6.1 Datafication, Surveillance, and the Boundaries of Accountability

Modern statecraft increasingly relies on digital records, making personal data more accessible but also more vulnerable. The risks of “dataveillance” are especially acute for public officials, who must be open to scrutiny yet retain a minimal zone of privacy—e.g., against targeted harassment, identity theft, or misuse of their or their families’ data.

6.2 Healthcare and Sensitive Data

Fields such as healthcare underscore the complexity. While patient and provider data needs protection, there is also inevitable demand for monitoring the performance and integrity of public health officials. An appropriate legal approach would differentiate between data that speaks directly to official capacity (e.g., hospital management performance) versus personal health records, the former being potentially disclosable, the latter almost never so.

6.3 Automation, Big Data, and new Privacy Challenges

The penetration of automated decision-making and predictive analytics in government highlights further need for robust governance frameworks to prevent both under-disclosure (sheltering corruption) and over-disclosure (compromising privacy). This has prompted recommendations for “privacy by design” and the use of privacy-enhancing technologies at the institutional level.

7. Comparative and International Perspectives

The balancing of transparency and data protection is a universal challenge. Jurisdictions with well-developed data protection regimes, such as the EU under GDPR, recognize rights to information alongside strongly protected “subject access rights.” However, even there, the public interest override is retained—data may be disclosed for purposes of transparency and accountability where warranted.

Innovative mechanisms like data trusts and independent oversight are being explored in global practice to mediate between individual rights and state interests.

8. Policy Recommendations and the Way Forward

Based on the analysis above, the following recommendations are offered:

Clear SOPs: Public authorities should have clear standard operating procedures for PIOs to apply both the RTI and DPDP provisions harmoniously, guided by proportionality and necessity.

Training and Capacity: Significant investment in training PIOs and appellate authorities to understand data protection principles and practice nuanced balancing.

Oversight and Appeal: Strengthen the role of independent bodies such as the CIC, but also ensure a statutory mechanism for appeals/review under the DPDP framework.

Transparency by Default, Privacy by Exception: Ensure that information relating strictly to official functions is presumptively disclosable unless compelling privacy is at stake, not the reverse.

Technological Solutions: Implement privacy-enhancing technologies and data minimization principles in all record-keeping relating to public officials.

9. Conclusion

The intersection of RTI and DPDP legislation in India encapsulates broader global debates on reconciling openness with personal autonomy. While both laws fulfill vital democratic objectives, their convergence is not free from friction. The key to sustainable governance lies in building jurisprudential and administrative practices that weigh transparency against privacy on a carefully reasoned, case-by-case basis, ensuring that neither corruption flourishes in opacity nor public functionaries operate in fear of unwarranted intrusion. As datafication of governance deepens, this balance will only grow more critical.

Would you like me to dive deeper into any specific dimension, such as the jurisprudential trends in CIC orders, case studies from specific RTI requests post-DPDP, or global regulatory comparisons? Or do you need further elaboration on any policy or conceptual aspect of the topic? If the current available sources do not fully address any point, I can conduct more targeted searches for additional case law, CIC orders, or academic commentary.

BIBLIOGRAPHY

1. The Right to Information Act, 2005, Government of India.
2. The Digital Personal Data Protection Act, 2023, Government of India.
3. Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1.
4. Girish Ramchandra Deshpande v. Central Information Commissioner & Ors., (2013) 1 SCC 212.
5. R.K. Jain v. Union of India, (2013) 14 SCC 794.
6. Bennet, C.J. (2011). “Right to Privacy and Right to Information: Conflict or Coexistence?” Journal of Indian Law and Society, 2(1), 77–95.
7. Bhatia, Gautam (2016). Offend, Shock, or Disturb: Free Speech under the Indian Constitution. Oxford University Press.
8. Greenleaf, Graham (2014). “Global Data Privacy Laws 2015: 109 Countries and Growing.” Privacy Laws & Business International Report, 133, 10–13.
9. European Union (2016). General Data Protection Regulation (GDPR), Regulation (EU) 2016/679.
10. Srivastava, Abhinav (2023). “Interplay between RTI and DPDP Act: Transparency vs. Privacy.” NUJS Law Review, 16(2), 145–170.