A note from the author:

As a data privacy practitioner with over 10 years of experience advising NGOs, ed-tech platforms, AI providers, and government entities on compliance with emerging digital rights frameworks, I offer this critical analysis of two contemporary developments that spotlight the delicate interplay between privacy legislations, transparency imperatives, and responsible innovation under the Digital Personal Data Protection Act, 2023 (“DPDP Act”) read with the Digital Personal Data Protection Rules, 2025 (“DPDP Rules”).

The DPDP Act remains yet to be fully enforced (with phased implementation of core obligations continuing until approximately May 2027). Yet, key elements, including the RTI amendment and certain immediate provisions, are operational. These cases illustrate both the data privacy regime’s strengths in protecting vulnerable data principals and its structural vulnerabilities around proportionality, enforcement readiness, and sectoral exemptions.

Supreme Court's Review of DPDP Act amendments to the RTI Act, 2005

Factual Context and Constitutional Challenge

On 16 February 2026, a three-Judge Bench led by the Chief Justice of India issued notice in multiple writ petitions (including The Reporters Collective Trust v. Union of India, W.P.(C) No. 211/2026 and petitions by RTI activists such as Venkatesh Nayak) challenging core provisions of the DPDP Act and Rules, with particular emphasis on Section 44(3) of the DPDP Act.

The matter has been referred to a Constitution Bench for hearing in March 2026. No interim stay was granted, but the Court acknowledged the issues as “complex, sensitive yet interesting” requiring authoritative balancing of privacy (Art. 21) and freedom of speech/expression (Art. 19(1)(a)).

Relevant DPDP Provision and Its Effect on RTI

Section 44(3) of the DPDP Act directly amends Section 8(1)(j) of the RTI Act by substituting the earlier calibrated exemption with a near-blanket bar on disclosure of “any information which relates to personal information.”

Before the amendment:

• Information was exempt only if it had “no relationship to any public activity or interest” or would cause “unwarranted invasion of the privacy of the individual,” subject to the overriding proviso that disclosure could still occur where “larger public interest justifies the disclosure.”

After the amendment:

The public-interest override and relational test are effectively removed, creating an absolute shield for any data classifiable as “personal information” under the DPDP Act’s broad definition (Section 2(t): “any data about an individual who is identifiable by or in relation to such data”).

Critical Assessment of the subject matter

From a privacy advocate’s standpoint, the amendment is a welcome legislative recognition of the fundamental right to privacy articulated in K.S. Puttaswamy (2017).

It prevents RTI from becoming a tool for doxxing or harassment and aligns disclosure norms with DPDP’s core architecture:

• Processing is lawful only under consent (Section 6: free, specific, informed, unconditional, unambiguous) or

• The narrowly enumerated “legitimate uses” in Section 7 (e.g., State functions under law, medical emergencies, employment safeguards)

However, the blanket ban on disclosure of personal data is apparently disproportionate and risks violating the three-pronged Puttaswamy test (legality, necessity, proportionality).

By removing the statutory balancing mechanism that Parliament itself had enacted in 2005, the amendment tilts excessively toward privacy at the expense of democratic accountability.

The public officials’ asset details, performance metrics, or conflict-of-interest data, while undeniably “personal”, often bear direct relation to public duty. Denying access without any public-interest gateway could shield maladministration, contrary to the RTI Act’s transformative object.

Compounding concerns are DPDP’s own expansive State powers:

• Section 7(b)–(d) permits processing without fresh consent for subsidies, benefits, or sovereign functions;

• Section 36 (challenged in the petitions) empowers the Central Government to call for information from any Data Fiduciary; and

• Section 8(1) imposes strict accountability on Data Fiduciaries (including government instrumentalities) but does not cabin governmental access rights.

The DPDP Rules, 2025 (notified 13 November 2025), notifying a phased enforcement (Rules 1–2, 17–21 immediate; core consent/security rules in 18 months) means the amendment is already biting while full safeguards lag.

Outlook

The decision of the Supreme Court to refer this issue to a 5-member Constitution Bench is laudable. I expect the bench to read down the blanket ban on disclosure and restore a proportionality overlay consistent with both statutes.

Until then, public authorities should voluntarily apply the pre-amendment test as a matter of good governance.

Uncomplicate DPDP Act Compliance.

Request for a free 1-1 meeting with our expert DPDP Act Consultants