In a move that underscores the monumental shift in India’s digital governance landscape, the Supreme Court of India has formally referred the batch of petitions challenging the constitutional validity of the Digital Personal Data Protection (DPDP) Act, 2023, to a five-judge Constitution Bench. As a legal practitioner who has observed the evolution of privacy laws from the Kharak Singh era to the landmark Puttaswamy judgment, I view this development not merely as a procedural step, but as a critical juncture in our democratic narrative. The core of the dispute lies in the delicate, often precarious, balance between the individual’s Right to Privacy and the collective Right to Information—two pillars that define the modern Indian citizen’s engagement with the State.
The decision to refer the matter to a larger bench stems from Article 145(3) of the Constitution, which mandates that any case involving a “substantial question of law as to the interpretation of this Constitution” must be heard by a minimum of five judges. The challenges against the DPDP Act are not merely technical; they are existential to the framework of transparency that has been painstakingly built over the last two decades. While the Court has declined to grant an interim stay on the Act’s enforcement for the time being, the judicial scrutiny it will now undergo will determine the future of data sovereignty and administrative accountability in India.
The Crux of the Controversy: Privacy vs. Transparency
The primary grievance raised by the petitioners—a group comprising transparency activists, legal scholars, and civil society organizations—revolves around the perceived dilution of the Right to Information (RTI) Act, 2005. For nearly twenty years, the RTI Act has been the “sunlight” that serves as the best disinfectant for administrative opacity. However, the DPDP Act, through Section 44(3), introduces significant amendments to Section 8(1)(j) of the RTI Act.
Under the original RTI framework, personal information could be withheld only if it had no relationship to any public activity or interest, or if it would cause an unwarranted invasion of privacy. Crucially, even then, the information could be disclosed if the Public Information Officer (PIO) was satisfied that the larger public interest justified the disclosure. The DPDP Act effectively removes this “public interest” override by creating a blanket prohibition on the disclosure of personal information. Petitioners argue that this creates a shield for corrupt officials and hampers social audits, as almost any data held by the government can now be categorized as “personal data.”
Understanding the Constitutional Stakes
As a Senior Advocate, I must emphasize that the Supreme Court is now tasked with reconciling two fundamental rights that are often in competition. In Justice K.S. Puttaswamy (Retd.) v. Union of India (2017), a nine-judge bench declared privacy to be a fundamental right under Article 21. Conversely, the Right to Information has long been held to be an integral part of the Right to Freedom of Speech and Expression under Article 19(1)(a).
The Constitution Bench will have to apply the “Doctrine of Proportionality” to determine if the restrictions imposed by the DPDP Act on the Right to Information are “necessary” and “proportionate” to the goal of protecting data privacy. The question is: Can the State use the shield of privacy to extinguish the sword of transparency? If the DPDP Act is allowed to supersede the RTI Act in its current form, there is a legitimate fear that the “Right to Know” will be reduced to a secondary concern, subordinate to an overly broad definition of data protection.
The Implications of Section 44 and the RTI Amendment
The specific legal friction point is the amendment that replaces the existing proviso in Section 8(1)(j) of the RTI Act. Historically, the law stated that information which cannot be denied to the Parliament or a State Legislature shall not be denied to any person. By omitting the nuances of the original section and replacing it with a strict non-disclosure clause for personal data, the DPDP Act potentially creates a “dark zone” in governance. From the perspective of administrative law, this could lead to a significant increase in the rejection of RTI applications, as “personal data” is defined so broadly in the new Act that it encompasses any data about or relating to an individual who is identifiable.
The Preservation of the Status Quo: Why No Interim Stay?
The Supreme Court’s refusal to stay the enforcement of the Act is consistent with the settled principle of presumption of constitutionality. Courts are generally hesitant to stay a primary legislation enacted by the Parliament unless there is a glaring, ex-facie unconstitutionality. However, the lack of a stay puts “Data Fiduciaries”—including government bodies and private corporations—in a position where they must begin compliance measures. For the legal fraternity and corporate entities, this means navigating an environment where the law is “active but under clouds.”
The Role of the Data Protection Board
Another significant area of concern that the Constitution Bench will likely examine is the independence of the Data Protection Board of India (DPB). The DPB is the adjudicatory body tasked with enforcing the Act and imposing penalties that can go up to five hundred crore rupees. Critics argue that the central government exercises excessive control over the appointment, salary, and removal of the Board members. This raises questions about the “Separation of Powers.”
If the executive is the largest data collector (the biggest Data Fiduciary) and also the authority that appoints the “judge” (the DPB) to oversee data breaches, the principle of Nemo judex in causa sua (no one should be a judge in their own cause) is potentially compromised. A Constitution Bench is the appropriate forum to decide whether the DPB satisfies the requirements of an independent judicial or quasi-judicial body as envisioned by the Constitution.
Arguments Regarding “Vagueness” and “Excessive Delegation”
In our submissions before high courts in similar matters, we often highlight the “Doctrine of Vagueness.” The DPDP Act leaves much to be determined by “rules to be notified later.” This excessive delegation of power to the executive allows the government to define critical aspects of the law—such as the rights of children, the transfer of data outside India, and the exemptions for state agencies—without further parliamentary oversight. The petitioners argue that such wide-ranging powers given to the executive through subordinate legislation could lead to arbitrary enforcement, violating Article 14 of the Constitution (Right to Equality).
State Exemptions and National Security
Section 17 of the DPDP Act grants the central government the power to exempt any “instrumentality of the State” from the provisions of the Act in the interest of sovereignty, integrity of India, and public order. While national security is a legitimate ground for restriction, the lack of a “sunset clause” or a robust judicial oversight mechanism for these exemptions is a point of contention. The Constitution Bench will have to decide if these exemptions are a “reasonable restriction” or if they provide a “blanket immunity” that renders the Right to Privacy illusory when the State is the violator.
Impact on the Digital Economy and Compliance
From a commercial law perspective, the industry is watching this case with bated breath. India is a global hub for data processing. Any uncertainty regarding the constitutional validity of the DPDP Act creates a volatile environment for foreign direct investment (FDI). While the industry largely welcomes a structured data protection regime, the “balancing act” performed by the Supreme Court will determine the compliance costs and the legal risks associated with data handling in India.
Data fiduciaries are currently advised to adopt a “privacy by design” approach. However, if the Constitution Bench eventually strikes down or reads down certain provisions—especially those related to RTI or state exemptions—it will necessitate a massive recalibration of digital infrastructure. The legal community is advising clients to maintain flexibility in their data processing agreements to account for the potential judicial outcome.
Conclusion: A Landmark in Indian Constitutionalism
The referral of the DPDP Act challenges to a 5-judge bench is a testament to the vibrancy of Indian democracy. It signifies that the Supreme Court recognizes the “digital citizen” as a constitutional entity whose rights cannot be bartered away for administrative convenience. This case is not just about data; it is about the “Power of the State” versus the “Liberty of the Individual.”
As the bench prepares to hear these arguments, the focus will remain on whether the DPDP Act serves as a protective shield for the citizen or a cloak for the State. We must remember that in the digital age, data is not just information—it is an extension of the self. Any law that seeks to regulate this data must be tested on the anvil of constitutional morality. The upcoming proceedings will undoubtedly result in a judgment that will be cited globally, as countries everywhere struggle with the same dilemma: how to protect privacy without sacrificing the transparency that is essential for a functioning democracy.
For now, the Act remains the law of the land. But its ultimate legacy—whether it will be remembered as a milestone for privacy or a millstone for transparency—rests in the hands of the Constitution Bench. As lawyers, we look forward to a rigorous intellectual debate that will further refine our understanding of fundamental rights in the 21st century.
