'By extending the definition of 'personal' to include institutions and not just individuals, the State has equipped itself with a tool to block access to most kinds of information.'
The Digital Personal Data Protection (DPDP) Act, hailed by the government as landmark privacy legislation, is facing growing criticism from transparency advocates. Among the most vocal is Shailesh Gandhi, a former Central Information Commissioner and one of RTI's most tireless defenders.
In this wide-ranging interview with Rediff's Prasanna D Zore, Gandhi warns that the DPDP Act is less about protecting citizens' data and more about shielding the State and elite actors from public scrutiny.
"This is not a privacy law," he says, "it's a Right to Deny Information law in disguise."
Gandhi is particularly concerned about Section 38(2), which gives the DPDP Act overriding power over other laws, including the RTI Act. With penalties as high as Rs 250 crore, he believes public officials will simply opt for denial over disclosure, gutting the transparency regime built painstakingly over two decades.
What follows is a deep, troubling look into how a law meant to protect personal data may end up dismantling one of India's most empowering democratic tools.
How do you assess the Digital Personal Data Protection (DPDP) Act in the context of India's transparency framework?
Frankly, from a transparency and citizen empowerment perspective, the DPDP Act is extremely worrying. It appears to be framed with the stated goal of protecting personal data, but when you read the fine print, you realise that it poses a serious threat to the foundational principles of the Right to Information Act.
One of the most glaring issues is that while the Act is called the Digital Personal Data Protection Act, it never defines the word 'personal.' It only defines 'person' under Section 2(s), and that's where the problem begins.
According to this definition, a 'person' includes not only individuals but also Hindu Undivided Families, companies, firms, associations of persons, government bodies, and even artificial legal entities.
So if 'personal data' pertains to these 'persons,' it opens up the possibility of even a company or a government department classifying its data as personal and thereby denying access.
This could be used to shut off large categories of information that are currently accessible under the RTI Act. It's not just a data protection law -- it's a potential legal firewall against transparency.
What's the incentive here for the State or institutions to stretch the definition of 'personal' so far?
So that it gives them a wide legal cover to avoid accountability and transparency.
By extending the definition of 'personal' to include institutions and not just individuals, the State has equipped itself with a tool to block access to most kinds of information. It's the creation of what I call a new RDI -- Right to Deny Information.
When you create a law with such loosely defined and expandable terms, you open the door for arbitrariness and blanket denials. This goes directly against the grain of what the RTI Act aimed to achieve. And this isn't theoretical -- it will play out practically in RTI responses, in courtrooms, and in governance.
Are you saying this Act effectively builds a parallel regime that overrides RTI?
Absolutely. It creates a dual legal regime, but one that doesn't coexist peacefully. Instead, it's (the DPDP Act) designed to prevail (over the RTI Act).
The RTI Act was crafted as a tool to empower citizens with the right to ask questions and hold public institutions accountable. This (the DPDP) Act flips that.
It masquerades as a law for protecting citizens' privacy, but it's fundamentally an elite protection act. Its real use will be to shield government officials, corporations, and those in power from public scrutiny.
That's why I keep repeating: this is not a Right to Privacy law -- it's a Right to Deny Information law in disguise.
But the RTI Act already has a safeguard for privacy in Section 8(1)(j). Isn't that sufficient? Why bring in another layer?
That's precisely the point. Section 8(1)(j) of the RTI Act is a very thoughtful clause. It protects personal privacy, stating that information which relates to personal life and has no bearing on public activity or interest can be exempted from disclosure -- unless there's a larger public interest involved.
To help anyone to decide on the issue of privacy and public activity, it provides an acid test with a proviso: 'Provided that the information, which cannot be denied to the Parliament or a State Legislature shall not be denied to any person.'
Thus anyone claiming information on this count must make a determination that he would deny the information to Parliament.
It (the RTI Act) strikes a balance. It respects privacy but doesn't sacrifice transparency. The DPDP Act doesn't carry that nuance.
Worse, it includes a blanket supremacy clause -- Section 38(2) -- which says that if there's a conflict between the DPDP Act and any other law, the DPDP Act will prevail.
So, when a Public Information Officer is faced with an RTI application, she/he now has to look over her/his shoulder -- not just to check compliance with RTI but to ensure she/he doesn't fall foul of this new law that has penalties running into Rs 250 crore.
No one wants to take that kind of risk. The default response will be to deny.
That changes the whole incentive structure for disclosure. What consequences do you foresee once the DPDP Act is in full effect?
It will kill RTI slowly but surely. This Act effectively intimidates those who are responsible for disclosure. It builds a climate of fear and uncertainty around sharing information.
Public Information Officers, who are already overburdened and wary of litigation, will now have another powerful reason to refuse applications. They'll take the safe route, which is to deny rather than disclose.
What we'll see is a silent but systemic erosion of transparency -- especially in areas where it matters the most: political decision-making, corporate-government collusion, and high-level bureaucratic conduct.
Couldn't this have been mitigated through a few sensible amendments?
In 2023, I personally wrote to the government recommending just two clear safeguards.
First, they should have included a clause in Section 38 to clearly state that the DPDP Act will not override the RTI Act. That would have eliminated the ambiguity and reassured citizens and public authorities.
The Supreme Court has previously ruled that personal data must not be disclosed under RTI. Will that not make it difficult to challenge this law judicially?
The Supreme Court, particularly in the Girish Deshpande case and others since, has taken a conservative approach. It has often equated personal data with private space, even when the person is a public servant.
So yes, those judgments have already weakened RTI from within. Challenging the DPDP Act will be tough, because it aligns with that trend of over-emphasising privacy at the cost of accountability.
We may not get relief from the courts unless there's a fundamental shift in how they interpret the right to information.
In essence, then, the DDP law weaponises privacy to undermine transparency?
Yes. It takes the noble ideal of privacy -- something we all cherish -- and turns it into a shield for those who don't want to be questioned. It's a classic case of using one right to suppress another.
And let's be honest -- this won't protect the ordinary citizen. It won't stop your data from being harvested by big tech or misused by companies. What it will do is protect politicians, bureaucrats, and business interests from being exposed through RTI. That's the real game.
© 2025