DPDP Act Under Supreme Court Review: Key Constitutional Questions Explained

The Supreme Court review of the DPDP Act raises key constitutional questions on privacy, data protection, state surveillance powers, and the balance between individual rights and national security in India.

Table of Contents

Context

The Supreme Court of India has agreed to refer a batch of petitions to a Constitution Bench examining whether India’s digital data protection law weakens citizens’ right to information.
The petitions challenge Section 44(3) of the Digital Personal Data Protection Act, 2023, arguing that it undermines transparency guaranteed under the Right to Information Act, 2005.

Issue Before the Court

Petitioners contend that Section 44(3) creates a blanket prohibition on disclosure of “personal information” under RTI.
Arguing that the provision uses the right to privacy to effectively dismantle citizens’ right to know.
The concern raised is constitutional in nature, involving the balance between privacy, transparency, and democratic accountability.

Constitutional Arguments Raised

Section 44(3) of the DPDP Act, 2023 allegedly:
- Grants unguided discretion to the State to deny information.
- Extends the fundamental right to privacy to the government itself, which is constitutionally impermissible.
Alleged violations include:
- Article 19(1)(a): Unreasonable restriction on the right to free speech and expression, which includes the right to information.
- Article 14: Violation of equality by equating the privacy of public officials with that of private citizens.

Significance of the Constitution Bench Reference

The reference indicates that the issue goes beyond statutory interpretation.
The Constitution Bench is expected to clarify:
- The meaning of “personal information” in public law.
- The constitutional relationship between privacy and transparency.
- The permissible limits of data protection in a democratic state.
The outcome is likely to shape the future of RTI, data protection law, and standards of governmental accountability in India.

DPDP Act, 2023

Key features

● Consent-Based Processing Regime: Personal data can be processed only on the basis of explicit, informed, and withdrawable consent of the data principal.

● Rights of Data Principals: Recognises individual rights such as access to personal data, correction and erasure, and the right to grievance redressal.

● Enhanced Protection for Children: Mandates parental consent and prohibits data-processing practices that may cause harm to children.

● Significant Data Fiduciaries (SDFs): Empowers the government to classify certain entities as SDFs, subjecting them to stricter obligations like data audits and impact assessments.

● Government Exemptions: Allows limited exemptions for the State in the interests of national security, public order, research, and similar public purposes.

● Cross-Border Data Flow: Permits international transfer of personal data to notified countries while maintaining prescribed safeguards.

● SARAL Principle: Emphasises simplicity, clarity, and ease of compliance for both individuals and organisations.

Justice BN Srikrishna Committee

● Constituted to examine global data protection standards and recommend a comprehensive legal framework for India, forming the foundation of India’s data protection regime.