Harmonising Privacy, Accountability, And Inclusion In India's DPDP Act

Update: 2025-11-27 07:11 GMT

Recently, the apex court in Anjali Bhardwaj[2] sharply criticized the Government for its unexplained delays in appointing Information Commissioners, noting that such administrative indifference has created massive backlogs and has already weakened the enforcement of the Right to Information Act. The Petitioner argued that systemic failures, coupled with a history of official bias in appointments, where positions meant for individuals from diverse fields have been repeatedly filled by former government officials, raise serious doubts about the institutional independence of transparency bodies. Against this backdrop, the newly established Data Protection Board under the Digital Personal Data Protection Act, 2023 faces the risk of inheriting the same structural shortcomings. If the Government continues with delayed appointments, opaque selection procedures, and concentrated bureaucratic control, the DPDP framework may become yet another institution that fails to serve citizens meaningfully, undermining both accountability and the very data protection rights it promises to safeguard.

The historic and remarkable judgment of the apex court in the K.S. Puttaswamy[3] case led to the establishment of comprehensive data protection guidelines and a new legal framework in India. Following this landmark verdict, a committee chaired by Justice B.N. Srikrishna was constituted to examine issues relating to privacy and the personal data of individuals. The committee's recommendations, combined with subsequent legislative efforts, resulted in the enactment of the Digital Personal Data Protection Act, 2023, and the later notification of the DPDP Rules, 2025.

The Act is umbrella legislation for the protection of digital personal data. It is also important to note that the Act of 2023 supersedes several earlier, less comprehensive pieces of legislation, such as the Information Technology Act, 2000 and the SPDI Rules, 2011[4]. The IT Act, 2000[5] was India's first comprehensive Act regulating electronic transactions, digital signatures and e-governance; together with the SPDI Rules, 2011, it focused only on providing a legal basis for electronic data, cyber crimes and digital signatures, whereas a robust protective framework arrived only with the introduction of the DPDP Act, 2023.

The SPDI Rules, 2011 were implemented with the aim of imposing liability on “body corporates”, that is, the legal responsibility of a business entity for a data breach under Section 43A[6] of the IT Act, 2000. Under Section 43A of the IT Act, a "body corporate" is broadly defined to include any company, firm, sole proprietorship, or association of individuals engaged in commercial or professional activities.

The DPDP Act mainly governs the processing of digital personal data in India, as this personal data strongly affects the privacy of individuals, and this adaptable framework aims to foster trust and safety within India's growing digital ecosystem. The Act takes a systematic approach to data protection. The individual whose data is being processed is the “Data Principal”, often referred to as the data owner. The “Data Fiduciary” is the entity (company, government body, etc.) that determines why and how the data will be processed. A “Data Processor” handles the data on behalf of the Data Fiduciary. The Act also introduces a “Consent Manager”, a neutral third party registered with the DPBI, who helps the Data Principal manage and withdraw their data consent through a single digital platform, making it easier for individuals to exercise control over their information.

The Government recently notified the DPDP Rules, 2025. After an 18-month rollout of the DPDP Act, 2023, the law is facing many questions regarding its various provisions and their impact on privacy.

Terminological ambiguity

The DPDP Act defines a "person" broadly to include individuals, Hindu Undivided Families (HUFs), companies, firms, and the State itself. However, "personal data" is defined only in relation to an "individual who is identifiable" by that data. This creates an ambiguity: does the Act primarily protect only natural persons, or can companies also claim data protection under this law? Many interpret the law as focused on individuals, but the broad definition of "person" leads to broad denial of information on the pretext of personal information, as almost every detail pertains to an individual, whether directly or indirectly, since the owner of such data is invariably a natural person.

Overshadowing the constitutional Right to Information

Obtaining outcomes like the Raj Narain case[7], where Raj Narain challenged Indira Gandhi's 1971 election on the grounds of corrupt practices, misuse of government machinery, and violation of election laws, ultimately leading the Allahabad High Court to set aside her election, would be significantly harder today due to the amendments introduced by the DPDP Act. The earlier RTI framework allowed courts and information officers to order disclosure of personal data when a larger public interest was involved, a principle that proved essential in cases exposing electoral misconduct. Section 8(1)(j) of the RTI Act previously allowed public authorities to refuse a request for personal information only if no “larger public interest” justified disclosure. It is crucial to note that the DPDP Act seeks to amend this section of the RTI Act, and the broad denial powers under the amendment brought by the DPDP Act, 2023 fundamentally damage the constitutional spirit of transparency. The DPDP Act removes the explicit “larger public interest” override in Section 8(1)(j), introduces a broader exemption for any “personal information,” and imposes steep penalties that make officials more likely to deny disclosures. Although Section 8(2) of the RTI Act technically remains, the shift in legal balance toward privacy and secrecy could make it far more difficult to access information that once enabled the judiciary to uncover abuses of power such as those revealed in the Raj Narain litigation.

The effective elimination of the "public interest" test makes it harder to expose corruption, potentially weakening public accountability, which is considered essential for a functioning democracy and for the right to information itself. The right to information, guaranteed as a constitutional right under Article 19(1)(a)[8], is significantly weakened by the more general provision in the DPDP Act: removing the specific, well-established public interest test for personal information from Section 8(1)(j) of the RTI Act[9] creates an easy loophole for officials to deny information simply by labelling it “personal”.

Hence, the DPDP Act effectively turns RTI into a “Right to deny information”, jeopardizing citizens' right to uncover corruption or scrutinize government spending. Therefore, prioritizing privacy over the vital need for administrative accountability calls for a more responsible approach, one that requires both sensitivity towards personal data and accountability in the government's actions.

Jurisdictional Overlap

The co-existence of the strict six-hour incident reporting window required by the Indian Computer Emergency Response Team (CERT-In), established under the IT Act, 2000, and the Data Protection Board's "as soon as possible" notification requirement under the Digital Personal Data Protection (DPDP) Act creates a complex regulatory environment that necessitates harmonization.[10] The differing timelines and reporting mechanisms can lead to operational confusion for entities dealing with data breaches, who must balance the immediate need to satisfy national cybersecurity mandates with the comprehensive requirements for protecting individual privacy. A unified framework or explicit guidance clarifying the primacy of one authority over the other for specific incident types could streamline the reporting process, avoid potential duplication of effort, and ensure that both national security concerns and individual data rights are addressed efficiently and without conflicting regulatory burdens.

Disabled Persons' Rights and Blanket Consent Rule

The Act groups persons with disabilities (PwDs) under the same consent rules as children (under 18), requiring a lawful guardian's consent for all data processing. This violates the principles of "supported decision-making" promoted by the Rights of Persons with Disabilities Act, 2016, and removes the autonomy of many PwDs to manage their own digital lives.

For organizations handling data, the government has announced a phased implementation, with an 18-month grace period for compliance. Large data handlers are required to appoint a Data Protection Officer based in India. Apart from the provisions that are already in effect, some key rules, such as the appointment of designated Data Principal Officers and Consent Managers, will become mandatory only by November 2026, to ensure proper compliance by firms handling large volumes of personal data, particularly those operating critical information and computer systems, so that data processing remains secure, accountable, and privacy-centric.

Lack of Independent oversight

The Data Protection Board includes a Chairperson and several members, all of whom are appointed by the Central Government based on recommendations from a Search-cum-Selection Committee composed largely of government officials. This appointment process, along with the Board operating under the Ministry of Electronics and Information Technology (MeitY), creates a conflict of interest and compromises its autonomy, especially when adjudicating cases against the government itself. This has led to concerns that the body will not be able to function as a truly impartial, independent authority.

Although the DPDP Act, 2023 is presented as a consent-based data protection law, in reality it gives very wide powers to the Central Government through the Data Protection Board. The Board is not an independent body; it is fully appointed, controlled, and influenced by the government. This means the government can decide how investigations happen, which cases are taken up, and what penalties are imposed, and can even issue exemptions to itself and government agencies. As a result, instead of strengthening individual rights, the Act risks expanding State control over personal data while limiting accountability, making the “consent-based protection” more symbolic than effective.

Way forward

While the DPDP Act introduces a modern framework for data protection, its broad exemptions, especially for national security and government functions, must be balanced with constitutional mandates. Reasonable restrictions are necessary, but they should not dilute fundamental rights under Article 19, particularly freedom of speech and expression. At the same time, the rights of minorities and vulnerable groups, including persons with disabilities, must be protected to ensure that data protection remains accessible and inclusive. Further, the right to information should not be undermined by an overly broad interpretation of “personal data,” as transparency is essential to maintaining checks and balances in a socialist, democratic country like India. A stronger alignment between privacy, accountability, and constitutional values is therefore crucial for the Act to truly serve the public interest.

The author is a 5th year law student at Aligarh Muslim University.

Views Are Personal. 

2. Anjali Bhardwaj vs Union Of India W.P.(C) No. 436/2018.

3. K.S. Puttaswamy v. Union of India (2017) 10 SCC 1.

4. Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, Gazette of India, Apr. 11, 2011.

5. Information Technology Act 2000, Act No. 21 of 2000.

6. Id. § 43A.

7. Raj Narain v. Union of India (2019) 5 SCC 809.

8. The Constitution of India 1950, art. 19(1)(a).

9. Right to Information Act 2005, Act No. 22 of 2005, § 8 (1)(j).

10. Davis Kanjamala, Obligations under CERT-In and DPDP – Not a zero-sum game (Bar & Bench, 13 October 2025) accessed on 19th November 2025 <https://share.google/htiKYjhxeN9ptZIEU>.
