How Does the DPDP Act Balance Privacy, Transparency, and State Power?

India’s Digital Personal Data Protection Act, 2023 (DPDP Act), is the country’s first major law governing digital personal data. The Act aims to protect people’s privacy rights while also allowing organisations and the government to process personal data for legal and valid purposes. On one hand, the law is considered an important step toward protecting privacy in the digital world. However, since its introduction, the Act has also faced criticism for creating several constitutional and legal concerns. Critics believe that although the law aims to safeguard privacy, some of its provisions may reduce transparency, give more power to the government, and weaken accountability systems.

The constitutional discussion around the DPDP Act is closely connected to the important Supreme Court judgment in the Justice K. S. Puttaswamy v. Union of India case, where privacy was recognised as a fundamental right under Article 21 of the Constitution. The Court stated that any limitation on privacy must meet the tests of legality, necessity, and proportionality. Many experts and critics now question whether the DPDP Act fully meets these constitutional requirements.

1. Conflict Between Privacy and Right to Information (RTI)

One of the major legal concerns about the DPDP Act is its effect on the Right to Information (RTI) system. Through Section 44(3), the Act changed Section 8(1)(j) of the RTI Act, which limits the sharing of “personal information” held by government authorities. Critics argue that this change may reduce transparency and make it easier for government departments to refuse information requests.

Example:
A citizen files an RTI application asking for details of travel expenses spent by a senior government official using public money. Earlier, such information could be shared if it served a larger public interest. After the amendment, authorities may refuse to provide the information by saying it is “personal data,” even when it relates to public accountability. Critics believe this may reduce transparency in governance and weaken anti-corruption efforts.

This creates a constitutional conflict between two important rights:

• Right to Privacy (Article 21)
• Right to Information under Article 19(1)(a), which is connected to freedom of speech and expression.

In the future, courts may have to decide where an individual’s privacy ends and public accountability begins.

2. Government Exemptions and Concerns About Excessive Surveillance

Another major constitutional concern about the DPDP Act is the wide exemptions given to government agencies under Section 17 of the Act. The law allows the Central Government to exempt certain government bodies from following some compliance requirements for reasons such as national sovereignty, state security, public order, or preventing crimes. Critics argue that these exemptions are too wide and do not include enough checks and safeguards.

Example:
Suppose a law enforcement agency collects location data, phone records, or online activity in the name of national security. Because of these broad exemptions, citizens may have very limited ability to question excessive data collection or ask for accountability. Critics worry that this may lead to excessive surveillance without proper judicial supervision.

This issue raises important constitutional concerns under the Puttaswamy proportionality test:

• Is the restriction really necessary?
• Is it reasonable and proportionate to the purpose?
• Are there proper safeguards to prevent misuse?

Critics believe that the Act gives too much power to the government without clearly explaining the safeguards needed to prevent misuse.

3. Concerns About the Independence of the Data Protection Board

The DPDP Act creates a regulatory body called the Data Protection Board of India. However, unlike some fully independent regulators in other countries, this Board is appointed and controlled by the Central Government. Critics question whether the Board can act independently, especially when investigating government agencies for privacy violations.

Example:
Imagine a government department faces a major data breach that exposes citizens’ Aadhaar-linked information. If the same government appoints the Board responsible for investigating the issue, critics argue that there may be concerns about independence and fair decision-making.

This raises constitutional concerns under Article 14 (Right to Equality), which requires laws to work fairly and without unfair treatment or arbitrary action. If people believe the regulator is not independent, it may reduce trust in how privacy laws are enforced.

4. Concerns Over Excessive Government Rule-Making Powers

Another legal concern about the DPDP Act is the large amount of power given to the government to make rules. Many important details of the law, such as consent requirements, data breach reporting, age verification, and responsibilities of Significant Data Fiduciaries, are not clearly explained in the Act and are left to future government rules.

Critics argue that giving too much rule-making power to the government may reduce parliamentary oversight and allow important policy changes without proper discussion in Parliament.

Example:
A startup may build its privacy systems based on the current compliance rules. However, if the government later makes major changes through notifications or new rules, businesses may face confusion, uncertainty, and additional compliance costs.

From a legal perspective, this raises concerns about whether Parliament has given too much law-making power to the executive branch of the government.

5. Limited Privacy Rights Compared to Global Standards

Some legal experts believe that the DPDP Act gives individuals fewer rights compared to global privacy laws such as the General Data Protection Regulation (GDPR). For example, rights such as data portability and a strong right to be forgotten are not as broad or detailed under the DPDP Act. Many privacy professionals also believe there is a gap between protecting user rights and giving flexibility to organisations.

Example:
A person who wants to permanently remove old personal information from an online platform may have fewer legal options in India compared to a citizen in Europe under GDPR.

Although this may not directly create a constitutional issue, critics argue that a privacy law focused on individual rights should provide stronger protections for people.

6. Impact on Journalism and Freedom of Expression

Journalists have also expressed concerns that the DPDP Act may indirectly affect investigative journalism. Unlike earlier draft versions of India’s data protection laws, the final Act does not include a separate exemption for journalistic activities. Critics believe this may create confusion for journalists who use personal data while reporting on corruption or matters of public interest.

Example:
Suppose an investigative journalist is reporting on a financial scam involving public officials. During the investigation, the journalist may need to use personal information to uncover facts. If privacy claims are given more importance than public-interest reporting, it could make investigative journalism more difficult in practice.

This issue is connected to Article 19(1)(a) of the Constitution, which protects freedom of speech and expression.

Conclusion

The DPDP Act is an important step in India’s digital governance system because it officially recognises the need to protect personal data and privacy. However, the law has also started an important constitutional and legal debate. Issues related to government exemptions, changes to the RTI Act, surveillance concerns, independence of the Data Protection Board, wide government rule-making powers, and possible effects on media freedom continue to raise questions among legal experts and privacy professionals. Recent cases challenging the law before the Supreme Court suggest that the courts may finally decide how to balance privacy, transparency, and government power under the Act. While the law improves privacy protection for individuals, its long-term success may depend on whether courts view it as a rights-based law that adheres to constitutional principles and values.

In my view, India’s DPDP Act deserves appreciation for finally bringing personal data protection into law. However, calling it a complete privacy law is difficult when concerns such as government surveillance, weakening of RTI protections, and the lack of a truly independent regulator remain unresolved.

The DPDP Act is an important starting point, not the final solution. Its long-term success will depend on whether Parliament makes the Data Protection Board more independent, whether courts place reasonable limits on government exemptions, and whether the public-interest role of RTI is properly protected. Until then, the law helps address some privacy risks, but may not fully protect individuals from the most powerful threats.