Introduction
The Right to Information (“RTI”) Act, 2005, born out of grassroots struggles, remains a cornerstone of transparency and accountability in India. It gave citizens a powerful statutory tool to hold public authorities answerable. The Digital Personal Data Protection Act, 2023, however, threatens to weaken this achievement by broadening privacy-based exemptions that can obstruct legitimate disclosures. While privacy is vital, privileging it over transparency risks shielding public authorities from scrutiny. In a democracy, the presumption must favour openness, with privacy carved as an exception, not the rule. Strengthening RTI is essential to preserve public discourse and democratic accountability.
What is RTI Act, 2005?
The origins of the RTI Act lie in the grassroots struggles of the Mazdoor Kisan Shakti Sangathan (MKSS) in rural Rajasthan during the 1990s. Villagers and civil society groups demanded fair wages and access to employment records, using Jan Sunwais (public hearings) as a tool of accountability. This movement, led by activists such as Aruna Roy and Nikhil Dey, transformed transparency into a people’s demand. Several states, including Tamil Nadu, Goa, and Rajasthan, responded by enacting their own RTI laws.[1] India began the process of institutionalising the right to information with the Freedom of Information Act, 2002, based on the recommendations of the H.D. Shourie Committee. Although the Freedom of Inforcriticized was criticized as being defective, it was later replaced by the Right to Information Act, 2005, when the UPA government and the National Advisory Council (NAC), through civil society inputs, sought to develop a better law. Enforced from October 12, 2005, the RTI Act became a landmark in Indian democratic governance, institutionalising transparency, enhancing public accountability, and empowering citizens across all levels of government.
Before the formal enactment of the Right to Information Act, 2005, the conceptual foundations of citizens’ right to know were laid through significant constitutional adjudication in India. The Supreme Court progressively articulated the Right to Information as intrinsic to the freedom of speech and expression under article 19(1)(a). In State of U.P. v. Raj Narain, the Court underscored that governmental secrecy is an antithesis to democracy, affirming citizens’ entitlement to know about matters of public importance. This reasoning was further advanced in S.P. Gupta v. Union of India, where the Court declared disclosure of government documents as the rule and secrecy as an exception, justified only by national security or overriding public interest. The jurisprudential trajectory reached a turning point in Union of India v. Association for Democratic Reforms, wherein the Court mandated disclosure of electoral candidates’ backgrounds, recognising the right to information as essential to participatory democracy. Similarly, in People’s Union for Civil Liberties (PUCL) v. Union of India, the Court explicitly linked information access to freedom of speech, reasoning that an informed citizenry is indispensable for democratic governance. Collectively, these precedents crystallised the jurisprudential ethos that culminated in the statutory recognition of transparency and accountability through the RTI Act, 2005.
Since its enactment, the contours of the Right to Information Act, 2005 have been significantly shaped by judicial interpretation. In Reserve Bank of India v. Jayantilal N. Mistry, the Supreme Court found that the RBI must disclose financial information of banks, and rejected the argument of an exception based on fiduciary relationship in section 8 of the RTI Act in order to enhance accountability as a regulator. In Central Public Information Officer, Supreme Court of India v. Subhash Chandra Agarwal, the Court found that the office of the CJI is subject to the RTI Act and emphasised that transparency and judicial independence can co-exist if the disclosure is guarded by constitutional provisions and public interest. The courts have set the limits of the term ‘public authority.’ For example, in Thalappalam Service Coop. Bank Ltd. v. State of Kerala, the Supreme Court found that only entities which are substantially financed or controlled by the government are “public authorities” under section 2(h) of the RTI Act. The Court also developed a fine-grained position related to RTI and privacy. In Girish Ramchandra Deshpande v. CIC, in which it held that personal information of public servants could be denied under section 8(1)(j) of the RTI Act, unless the appellant could establish a larger public interest. The judgment was a judicial balancing act of transparency and privacy and foreshadowed arguments that would come to a head with the recognition of the right to privacy as a fundamental right in K.S. Puttaswamy v. Union of India. In Union Public Service Commission v. Angesh Kumar, the Supreme Court denied access to raw marks and processes for evaluation due to protections afforded private and sensitive data under section 8(1)(j). The ruling in Angesh Kumar was a marked departure from the doctrine of transparency and accountability. The reason given was logistical and allied issues with anonymising the evaluator of UPSC CSE Mains examination answer scripts.
Courts in all jurisdictions have reaffirmed the essential nature of transparency in democratic governments, yet also acknowledged the emergence of data protection and privacy. In the United States, the Supreme Court case New York Times Co. v. The United States, upholding freedom of press and the public’s right to know, made clear the rejection of government secrecy purportedly supporting national security. The Canadian case Dagg v. Canada established the balance between access to government information with individual privacy and introduced the first mention of privacy in connection with freedom of information regimes. The South African Constitutional Court case of President of the Republic of South Africa v. M & G Media Ltd. stated unequivocally that access to information from the state is a right in the Constitution, bounded only by exceptions that are legitimate. The UK Supreme Court in Kennedy v. The Charity Commission reiterated that transparency is a constitutional value even beyond any statutory provisions in the Freedom of Information Act, 2000, and is one facet of ensuring accountability for public decisions. Meanwhile, the European Court of Justice did a great job of navigating the tensions between personal data protection and freedom of expression in Tietosuojavaltuutettu v. Satakunnan Markkinapörssi Oy. This case while affirming privacy rights akin to the GDPR, it stressed balancing them with public interest and freedom of expression, particularly the right to know, while rejecting excessive government secrecy under the pretext of national security.
The Digital Personal Data Protection (“DPDP”) Act, 2023 is India’s first comprehensive data protection legislation, to protect an individual’s personal data in the digital sphere. In July 2018, the B.N. Srikrishna Committee released its report titled, “A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians”, along with a draft Personal Data Protection Bill, 2018. This was in response to the Supreme Court’s landmark ruling in Justice K.S. Puttaswamy v. Union of India, it proposed safeguards against data misuse. It also brought to the fore the concepts of Data Fiduciaries, Data Principals, informed consent, purpose limitation, and data minimisation. The draft bill addressed rising concerns of data misuse and privacy violations by regulating the collection, processing, storage, and transfer of personal data by government and private entities.
The DPDP Act empowers individuals to access, rectify, and erase personal data, and establishes a Data Protection Board for oversight. However, broad state exemptions and its amendment to section 8(1)(j) of the RTI Act raise concerns over diluted transparency and weakened accountability. Ultimately while the DPDP Act is an important step with respect to data governance, its effectiveness depends on how it will be implemented on the ground and the oversight of the judiciary. However, the complex intersectionality with the DPDP Act, and concerns particularly related to the proposed amendment of section 8(1)(j) of the RTI Act through the section 44(3) of the DPDP Act is less addressed formally. The above discussed precedents, Indian and foreign, reflect global consensus and judicial efforts to uphold the right to information while safeguarding privacy, institutional autonomy, and national security through carefully crafted limitations.
Conflict between RTI, 2005 and DPDP, 2023
Currently, section 8(1)(j) of the RTI Act exempts the disclosure of personal information unless it has a relationship to public activity or interest, or if a larger public interest justifies its disclosure which is also as mentioned in the proviso that “Provided that the information which cannot be denied to the Parliament or a State Legislature shall not be denied to any person”.
The DPDP Act aims to shorten this clause, broadening the scope for exempting information that ‘relates to personal information’. Critics argue the change may limit government disclosure, undermining the RTI Act’s role in ensuring transparency and accountability. Opponents of this amendment contend that this blanket exemption for personal information could simply be used to deny public access to critical information concerning public servants, such as their assets and liabilities, presently considered to serve a public purpose, and possibly result in arbitrary actions of public officials in disposing of RTI Applications at an initial stage. As such, there is a risk of diminishing the public’s right to know and bolstering bureaucratic control over information at the expense of transparency, which the RTI Act seeks to promote more broadly within government.
Section 44(3) of the DPDP Act, read with section 8(1)(j) RTI, creates tension between privacy and transparency. While protecting privacy is legitimate under Puttaswamy, a blanket bar fails proportionality; anonymisation on the other hand offers a less restrictive means to balance accountability with individual privacy. The DPDP Act aims to protect individuals’ digital personal data. However, the potential impact of the proposed amendments on the RTI Act has raised fears that it could be used to undermine access to information in the public domain by invoking privacy rights.
Does section 44(3) of the DPDP Act make section 8(1)(j) of the RTI Act weak?
Section 44 of the DPDP Act, 2023 is an important move for India to reform its statutory regime to safeguard and prioritise data across various domains. Section 44 allows Parliament to make consequential amendments to existing laws to ensure that there is consistency with the DPDP framework. A significant change under section 44(3) is to the RTI Act, 2005, by way of an amendment to obtain a drafting amendment to section 8(1)(j) of the RTI Act. The amended language provides that all public authorities in India can deny access to “information which relates to personal information,” just being the public authority whose information is being preserved does not have to weigh public interest against privacy obligations.
Without a public interest test, the principles of the RTI Act may be diluted as an act that has for years been heralded as a way to bring transparency and public oversight to government and allow citizens participation in the political process. Activists, journalists, and opposition leaders have called for a repeal of section 44(3) and have suggested that privacy should not impede democratic transparency. And while there are many issues at play in this debate, the significance of section 44 must also have a two-part meaning; that the relations between preserving personal data and the principles of open and accountable government, as laid out in the article 19(1)(a) of the Constitution of India.
Harmonising the two Acts
The Right to Information Act, 2005 (RTI) and the Digital Personal Data Protection Act, 2023 (DPDP) reflect two necessary but different spheres of legislation. The RTI Act is an important piece of legislation that helps create transparency and accountability in governance, while the DPDP Act, on the other hand, emphasizes an individual’s right to privacy in a world of data. Clearly, both values are important in a democratic society, but balancing them is difficult, especially when one value may be seen as detracting from the other. The DPDP Act has multiple provisions in it that directly override some of the transparency obligations contained in the RTI Act, thereby introducing potential issues regarding the mechanisms for accountability to citizens. The prioritization of privacy in the DPDP Act potentially contrasts starkly with the very purpose of the RTI Act, meaning that the DPDP Act may actually impair (or at least limit) our access to essential information that comprise the openness of governance.
Epilogue
In today’s highly digitised and connected society, the value of personal data privacy has never been more pronounced. However, modern democratic government must continue to ensure elements of transparency and accountability. The existence of the RTI Act and DPDP Act accentuates the heavier burden of finding the balance between protecting individual privacy rights with protecting the people’s ability to hold government accountable through their right of access. Finding this balance will take mindful consideration from policy makers; however, there must be a defined line on what constitutes appropriate privacy protections versus improper use of the law to cloak government actions as appropriate government activities in the name of personal privacy. Defining this line will honor both personal privacy and institutional transparency, thereby reinforcing the fragile balance that is taking shape in developing democracies online. While India considers this constitutional dilemma between the Right to Information Act, 2005 and the Digital Personal Data Protection Act, 2023, lessons from previous decisions in India and internationally can help find a constitutional balance between transparency and privacy. Current decisions celebrate the role of the judiciary in promoting democratic accountability while drawing a line at evolving individual concepts of data protection. However, the web of global experience corroborates a shared commitment to openness in governance; but not at the expense of other equally important rights to protect personal data privacy. Therefore, India’s laws must contemporise to balance these competing rights in such a way that privacy is sought without compromising public transparency and vice-versa.
(This post has been authored by Devansh Malhotra, an Advocate in the Punjab and Haryana High Court, and, Rohit Kumar Shrivastava, a final-year MCLIS student at NLIU, Bhopal)
CITE AS: Devansh Malhotra and Rohit Kumar Shrivastava, ‘The Right to ‘Know’ v. The Right to say ‘No’: Who Wins This Privacy Face-off?’ (The Contemporary Law Forum, 13 September 2025) <https://tclf.in/2025/09/13/the-right-to-‘know’-v.-the-right-to-say-‘no’:-who-wins-this-privacy-face-off?> date of access.