FDPPI has raised some issues against the Challenge filed in Supreme Court on the constitutional validity of DPDPA which is coming up for hearing on 13th May 2026.
Introduction: The Post-Puttaswamy Era
For decades, India’s transparency landscape operated on a relatively simple axis: the citizen’s right to know versus the state’s duty to disclose.
That era ended in 2017.
With the landmark Puttaswamy judgment, the Supreme Court elevated privacy to a fundamental right, sparking a high-stakes tension between the Right to Information (RTI) Act and the new Digital Personal Data Protection (DPDP) Act, 2023.
In the ongoing legal challenge before the Supreme Court, the Foundation of Data Protection Professionals in India (FDPPI) has stepped in as a crucial “middle-ground” expert.
Moving beyond the binary narrative of “Government vs. Petitioners,” this body of scholars and technologists argues that the DPDP Act isn’t an attack on transparency, but a necessary recalibration for a digital-first society.
Takeaway 1: Stop Calling it a Blanket Bar—Privacy Decisions Just Got a Promotion
Critics have been quick to label the amendment to Section 8(1)(j) of the RTI Act as a “blanket bar” on the disclosure of personal info.
But a closer look at the FDPPI’s argument suggests a “relocation of decisional responsibility” rather than a shutdown.
The core of the issue is “institutional suitability.
” After Puttaswamy , weighing privacy against transparency requires a complex “proportionality test”—a task for which a mid-level bureaucrat was never equipped.
By moving this decision to higher public authorities under Section 8(2), the law recognizes that balancing two fundamental rights is no longer a routine administrative checkbox .”The unamended Section 8(1)(j) required a Public Information Officer—typically a mid-level administrative functionary… to determine, at first instance, whether disclosure of personal information would cause ‘unwarranted invasion’ of privacy…
After Puttaswamy Juggement, this is constitutional adjudication of the highest order.”
Takeaway 2: Protecting the “Collateral” Citizen
The debate often focuses on the “right to know” about public officials, but it overlooks the “Collateral Third-Party Data Problem.”
When an RTI request targets welfare scheme records, it often inadvertently exposes the sensitive data of thousands of innocent citizens who never consented to being in the spotlight.
FDPPI argues that exposing this data is “constitutionally untenable” under the principle of informational self-determination. These citizens aren’t wrongdoers; they are simply beneficiaries whose data is caught in the crossfire.
The data at risk includes:
-
- Full names and home addresses
- Aadhaar references
- Bank account numbers
- Specific health conditions used for eligibility
- Detailed family records
Takeaway 3: Public Officials Aren’t “Private” (The Governance Distinction)
One of the most persistent fears is that the DPDP Act will serve as a shield for corrupt officials.
However, the FDPPI’s “interpretive suggestion” draws a sharp line between “personal info” and “functional info.
“The law is designed to protect the private lives of individuals, not the “Governance Contact Information” of public functionaries.
Official identities—names, designations, and work emails—are functional, not personal.
Under Section 3(c)(ii), the DPDP Act does not apply to personal data that is made or required to be made publicly available by the individual themselves or under any other law. Since official identities of public servants are already public via gazettes and appointment orders, they remain disclosable.
Takeaway 4: The Journalist’s Purpose-Based Protection
Is the DPDP Act a muzzle for the press?
Not necessarily.
While the Act lacks a categorical “journalist” identity exemption, the FDPPI points out that Section 17(2)(b) creates a “purpose-based” framework.
Processing data for “research, archival, and statistical purposes” is permitted, provided it doesn’t lead to a specific decision about the individual. This covers the “research loop” of investigative and data-driven journalism.
Furthermore, the FDPPI notes that journalists remain accountable through existing safeguards: the law of defamation and professional standards of accuracy and fair comment.
“The Intervener respectfully suggests… the development… of a framework for the registration of accredited journalists—including digital journalists, bloggers and online publishers—with conditional permissions for purpose-specific processing.”
Takeaway 5: “Significant” is a Guardrail, Not a Weapon
The threat of a ₹250 crore penalty has sent shivers through many organizations, but the phrasing of Section 33(1) contains a built-in constraint.
The Data Protection Board can only impose penalties if a breach is “significant.” This term acts as a legal shield, preventing the Board from weaponizing the Act over trivial or technical errors.
Interestingly, despite the headlines, India’s penalty cap is actually more conservative than global benchmarks. For instance, the GDPR allows for fines up to 4% of a company’s global turnover, which can dwarf a fixed ₹250 crore limit.
To ensure fairness, the Board must legally consider these four factors before setting a price tag:
-
- The nature, gravity, and duration of the breach.
-
- The type of personal data affected.
-
- Whether the breach is repetitive.
-
- Mitigation measures taken by the organization.
Conclusion: The Five-Year Evolution
As we look toward full operationalization by May 2027, the DPDP Act provides a “safety valve” in Section 17(5).
This five-year transitional flexibility allows the government to course-correct based on real-world friction.
However, one nuance remains: the controversial deletion of the “proviso” to Section 8(1)(j)—the rule that information shouldn’t be denied to a citizen if it can’t be denied to Parliament.
While the FDPPI defends the privacy recalibration, they notably do not defend the loss of this “informational symmetry” between the electorate and their representatives, suggesting it could be restored without compromising the core privacy framework.
Final Thought: As we move into a future where our digital identities are our primary identities, we cannot afford a transparency regime that doesn’t respect the right to be left alone?
Naavi
