Defining what constitutes “public data” and “private data” is crucial to determining the validity of the Digital Personal Data Protection (DPDP) Act 2023 and corresponding rules 2025, the Supreme Court said on Thursday as it agreed to examine a petition challenging the law alongside a batch of similar petitions listed later this month.
The court was dealing with a petition filed by journalist Geeta Sishu with the Software Freedom Law Center (SFLC) that raised concerns about state surveillance, exemptions given to state agencies to collect private data, compensation in cases of illicit or illegal access, lack of judicial oversight and the independence of the Data Protection Board that adjudicates complaints.
“Ultimately, the question to be determined is what is public data and what is private data,” a bench headed by Chief Justice of India Surya Kant said. The court issued notice on the petition and published it along with a batch of petitions challenging the DPDP Act on March 23.
Senior advocate Indira Jaisin, who represented the petitioners along with advocate Paras Nath Singh, said the law poses great difficulty for journalists who depend on obtaining information about public officials. The law imposes a blanket prohibition on disclosure of any personal information under Section 8(1)(j) of the Right to Information (RTI) Act.
Jaising added: “The law does not specify what is public and what is private, and this requires judicial intervention.”
“Any person, so long as he holds a public office…, can have information relating to such a person described as private data. We want you to suggest hypothetical situations in which this problem could occur,” the bench, also comprising Justices Joymalia Bagchi and Vipul M Pancholi, said.
Under RTI, information commissioners have discretion to determine what information is in the public interest, Jaising said. Under this law, that discretion has been taken away, she said.
At the same time, the state can “request any information even for reasons of maintaining public order…”
She further noted that the law also abolished the provision to compensate an individual if his or her data was illegally accessed or breached. The law repeals Section 43A of the Information Technology Act 2000 which provides for compensation to an individual whose data has been wrongfully breached.
“There is a fear of state surveillance and any complaints will be heard by the Data Protection Board (DPB) which is not independent and lacks judicial oversight,” Jaising finally added.
“We will formulate the issues to be considered. There must be a balance between the right to privacy and the right to information. Neither right should become an obstacle to the other right,” the bench said.
The court informed Jaisingh that it is looking into the privacy issue in another matter involving WhatsApp and Meta over their data sharing policy. “There, the data of the entire citizen goes into the hands of a private entity. Data has become the real wealth by now.”
Jaising told the court that the present petition represents a comprehensive challenge to the DPDP Act and Rules, which is broader than the issues raised in the petitions pending before the court.
The present petition pointed out that Sections 7(c) and 17(2)(a) of the DPDP Act give unfettered powers to the State to direct data fiduciaries to undertake processing of personal data of Indian citizens in a legal vacuum. It also empowers the Center with unrestricted discretion to override the DPDP Act and rules on principles such as lawful processing, fairness, transparency, informed consent, purpose limitation, data minimization, storage limitation and reasonable security safeguards.
“In the absence of judicial oversight and any other procedural safeguards, the DPDP laws fail the standards of necessity and proportionality by allowing the state to collect an indefinite amount (in terms of variety and quantity) of sensitive personal data through mass surveillance programmes. They not only evade well-established principles of the DPDP law, but also lack clear and enforceable standards to prevent state processing of extraneous data,” the petition said.
