SC to study what constitutes ‘personal data’ in DPDP laws

Here is the complete UPSC study note on the topic:

SC to Study What Constitutes 'Personal Data' Under DPDP Laws

1. At a Glance

The Supreme Court of India (three-judge Bench, headed by CJI Surya Kant) agreed in March 2026 to examine the definition of "personal data" and "public data" under the Digital Personal Data Protection (DPDP) Act, 2023 and DPDP Rules, 2025. [S1]
The petition alleges the DPDP framework effectively dilutes the Right to Information (RTI) Act, 2005 by creating a "blanket ban" on RTI applications seeking personal information, without a public-interest override. [S1]
This is a GS-II topic at the intersection of Fundamental Rights (Article 21 – right to privacy), information rights, and data governance; also relevant to GS-III (digital economy, data regulation).
The case tests a critical constitutional tension: privacy vs. transparency in a democratic polity.

2. Why in the News

On 13 March 2026, the Supreme Court issued formal notice to the Union Government on a petition filed by journalist Geeta Seshu and the Software Freedom Law Center (SFLC), represented by senior advocates Indira Jaising and Paras Nath Singh. [S1]
The trigger: DPDP Rules, 2025 were notified on 14 November 2025 by the Ministry of Electronics and Information Technology (MeitY), bringing the DPDP Act, 2023 into full operational effect — prompting civil-society concerns about RTI erosion. [S2][S3]
The petition argues Section 44(3) of the DPDP Act imposes a blanket bar on RTI disclosures of "personal information," while the Act deleted the "public interest" exception that previously existed in Section 8(1)(j) of the RTI Act, 2005. [S1]

3. Background & Evolution

Year	Milestone
2005	RTI Act enacted; Section 8(1)(j) allowed disclosure of personal info if public interest outweighs privacy harm
2017	SC's K.S. Puttaswamy v. Union of India declared Right to Privacy a Fundamental Right under Article 21
2018	Justice B.N. Srikrishna Committee submitted report proposing India's first comprehensive data protection law
2019	Personal Data Protection Bill, 2019 introduced; referred to Joint Parliamentary Committee (JPC)
2022	JPC report submitted; original Bill withdrawn by government; replaced by revised draft
Aug 2023	Digital Personal Data Protection Act, 2023 enacted — India's first dedicated data protection legislation [S4]
Jan 2025	Draft DPDP Rules, 2025 released for public consultation; 6,915 inputs received from citizens and stakeholders [S5]
Nov 2025	DPDP Rules, 2025 notified (14 November 2025); 18-month phased compliance period begins [S2][S3]
Mar 2026	SC agrees to define "personal data" vs. "public data"; notice issued to Union Government [S1]

4. Core Static Facts

The Legislation - Full name: Digital Personal Data Protection Act, 2023 - Enacted: August 2023 (received Presidential assent) - Administering Ministry: Ministry of Electronics and Information Technology (MeitY) - Rules: DPDP Rules, 2025 — notified 14 November 2025 [S2] - Compliance window: 18 months from notification of Rules for organisations [S3]

Key Definitions & Concepts - "Personal data": Any data about an identifiable individual (natural person); the Act does not exhaustively enumerate what qualifies — the SC case arises precisely from this ambiguity [S1] - "Data Principal": The individual to whom personal data relates - "Data Fiduciary": Entity that determines purpose and means of processing personal data - "Consent Manager": Registered entity enabling Data Principals to give/manage consent - "Data Protection Board of India": Adjudicatory body established under the Act; structurally under the Executive (a key criticism) [S1]

Key Sections in Dispute - Section 44(3) DPDP Act: Amends Section 8(1)(j) of RTI Act — creates a categorical bar on disclosure of "personal information" via RTI - Section 8(1)(j) RTI Act (amended): Earlier allowed disclosure if public interest outweighs privacy; the "public interest" override has been deleted by the DPDP Act [S1] - Section 44(3) is the provision challenged as imposing a "blanket ban"

Petition Details - Petitioners: Geeta Seshu (journalist) + Software Freedom Law Center (SFLC) - Senior Advocate: Indira Jaising; Advocate: Paras Nath Singh - Bench: Three-judge Bench headed by CJI Surya Kant - Court action: Issued formal notice to Union Government [S1]

5. Multi-Dimensional Analysis

Legal / Constitutional

Article 21 (Right to Life & Personal Liberty) encompasses the Right to Privacy (Puttaswamy, 2017) — the DPDP Act is the statutory expression of this right.
Article 19(1)(a) (Freedom of Speech & Expression) includes the right to receive information — journalists argue the DPDP framework unconstitutionally curtails this.
Tension between two statutory regimes: RTI Act, 2005 (transparency) vs. DPDP Act, 2023 (privacy); SC asked to reconcile.
Petition also challenges the Data Protection Board's structural dependence on the Executive, raising separation-of-powers concerns. [S1]

Ethical / Governance

"Public interest" deletion: Removal of the public interest exception from Section 8(1)(j) RTI Act enables public officials to shield information under privacy cover — undermining accountability of power-holders. [S1]
Asymmetric surveillance: Petition claims the Act "legalises disproportionate state surveillance" while creating a "compensation vacuum" for aggrieved citizens. [S1]
Regulator independence: A data protection regulator structurally dependent on the Executive cannot be expected to rule against state surveillance — governance design flaw. [S1]
Government position: DPDP Act "upholds privacy while preserving transparency under RTI" — the amendment merely requires care in assessing personal data disclosures, not blanket prohibition. [S4]

Social

Journalists, civil society, and researchers rely on RTI to access data about public figures, government expenditure, and policy outcomes — DPDP laws threaten investigative journalism's toolkit.
Marginalised communities depend on journalists and activists to expose rights violations; restricting data access under privacy norms could silence accountability reporting.
The "personal data" vs. "public data" binary is critical: data of elected representatives, public servants, and corporations should arguably be in the "public" domain.

Scientific / Technological

DPDP Rules, 2025 introduce concepts like "significant data fiduciaries" (entities with high data-processing volumes subject to stricter obligations) — relevant to Big Tech regulation.
The Rules frame a consent-based model: personal data may be processed only with consent or on certain "legitimate uses" (e.g., state subsidies, national security).
An 18-month phased compliance window is provided to allow Indian data processors to re-engineer systems. [S3]

Administrative

MeitY is the nodal ministry; Data Protection Board of India is the quasi-judicial adjudicatory body — but it is constituted by and answerable to the Central Government.
Draft Rules consultation (Jan 2025): Received 6,915 public inputs — showing civil society engagement before final notification. [S5]
Ambiguity in defining "personal data" creates implementation uncertainty: what data can public authorities withhold under DPDP vs. disclose under RTI?

6. Recent Developments (Last 12–18 Months)

January 2025: MeitY released Draft DPDP Rules, 2025 for public consultation; deadline set at 18 February 2025. [S6]
6,915 inputs received from citizens and stakeholders during the draft consultation phase. [S5]
14 November 2025: DPDP Rules, 2025 officially notified by the Central Government; 18-month phased compliance window commences. [S2][S3]
13 March 2026: Supreme Court (CJI Surya Kant Bench) agreed to examine definitions of "personal data" and "public data" under DPDP laws; notice issued to Union Government on petition by Geeta Seshu and SFLC. [S1]
The petition specifically challenges the deletion of the "public interest" clause from RTI Act Section 8(1)(j) via Section 44(3) of the DPDP Act. [S1]

7. Prelims Hooks

DPDP Act, 2023 is India's first dedicated digital personal data protection legislation.
The Act is administered by the Ministry of Electronics and Information Technology (MeitY).
DPDP Rules, 2025 were notified on 14 November 2025.
The Rules provide an 18-month phased compliance period for organisations.
Section 44(3) of the DPDP Act amends Section 8(1)(j) of the RTI Act, 2005.
The DPDP Act deleted the "public interest" override that previously allowed RTI disclosure of personal information.
The adjudicatory body under the DPDP Act is the Data Protection Board of India.
The Right to Privacy was declared a Fundamental Right under Article 21 by the Supreme Court in K.S. Puttaswamy v. Union of India (2017) — the constitutional anchor for the DPDP Act.
The petition before the SC in March 2026 was filed by journalist Geeta Seshu and the Software Freedom Law Center (SFLC).
The SC bench examining the DPDP personal-data question is headed by Chief Justice of India Surya Kant.
Senior advocate Indira Jaising represents the petitioners in the SC case.
The SC case seeks to define and distinguish "personal data" from "public data" — a distinction the DPDP Act itself does not make explicit.
6,915 inputs were received during the Draft DPDP Rules, 2025 public consultation.
The Justice B.N. Srikrishna Committee (2018) was the foundational expert body that recommended India's data protection framework.
The Data Fiduciary (not the Data Principal) determines the purpose and means of processing under the DPDP Act.

8. Mains Relevance

GS Papers: Primarily GS-II (Polity, Governance, Rights); also GS-III (Digital Economy, Technology)

Syllabus Headings: - GS-II: Government policies and interventions for development; Statutory bodies; Fundamental Rights; Issues relating to Right to Information - GS-III: Awareness in the fields of IT, Space, Computers; Challenges and issues in data governance

Plausible Mains Questions: 1. "The Digital Personal Data Protection Act, 2023 protects privacy at the cost of transparency." Critically evaluate this assertion in light of recent judicial scrutiny of the DPDP framework. 2. Discuss the constitutional tension between the Right to Privacy (Article 21) and the Right to Information (Article 19). How does the DPDP Act, 2023 attempt to balance these rights, and where does it fall short? 3. "An independent data protection regulator is essential for meaningful data governance in India." Examine the structural design of the Data Protection Board of India under the DPDP Act, 2023 in this context.

9. Related Topics to Study Next

Topic	Connection
Right to Information Act, 2005	DPDP Act directly amends Section 8(1)(j); essential to understand the original exemption regime
K.S. Puttaswamy v. Union of India (2017)	Constitutional bedrock for DPDP Act; established Right to Privacy under Article 21
Justice Srikrishna Committee Report (2018)	Origin document of India's data protection framework; compare recommendations with enacted law
General Data Protection Regulation (GDPR), EU	Global benchmark; DPDP Act is compared/contrasted with GDPR in debates
Surveillance and National Security Exceptions	DPDP Act's national-security carve-outs affect civil liberties; Section 17 exemptions
Data Protection Board of India	Adjudicatory architecture, appointment process, independence concerns
Digital India Mission / IndiaStack	DPDP operates within this digital infrastructure ecosystem
Freedom of the Press and Article 19(1)(a)	Journalistic freedom dimensions raised directly in the SC petition

10. Common Errors / Trap Areas

Confusing DPDP Act (2023) with the earlier PDP Bill (2019): The Personal Data Protection Bill, 2019 was withdrawn in 2022; the current law is the DPDP Act, 2023 — a substantially rewritten legislation.
Wrong ministry: Data protection is under MeitY, not the Ministry of Law & Justice or the Ministry of Home Affairs.
"Public interest" still exists in RTI — wrong: Section 44(3) DPDP Act deleted the public-interest exception from Section 8(1)(j) RTI Act; aspirants often assume it still applies.
Data Protection Board ≠ independent regulator: Unlike SEBI or TRAI, the Data Protection Board is constituted by and functionally under the Central Government — a key distinction tested in analytical questions.
DPDP Rules notified in 2025, NOT 2023: The Act was enacted in August 2023, but the implementing Rules were notified only in November 2025 — over two years later; confusing these dates is a common error.

11. Sources

[S1] "SC to study what constitutes 'personal data' in DPDP laws" — The Hindu (13 March 2026) — (tier: 4) — [Article content as provided in the user excerpt]
[S2] "Government notifies DPDP Rules to empower citizens and protect privacy" — PIB Press Release — https://www.pib.gov.in/PressReleasePage.aspx?PRID=2190014 — (tier: 1)
[S3] "Digital Personal Data Protection (DPDP) Rules, 2025" — PIB — https://www.pib.gov.in/PressReleasePage.aspx?PRID=2190655 — (tier: 1)
[S4] "DPDP Act, 2023 Upholds Privacy While Preserving Transparency Under RTI" — PIB — https://www.pib.gov.in/PressReleasePage.aspx?PRID=2158506 — (tier: 1)
[S5] "Draft DPDP Rules, 2025 Receive 6,915 Inputs from Citizens and Stakeholders" — PIB — https://www.pib.gov.in/PressReleasePage.aspx?PRID=2148944 — (tier: 1)
[S6] "MeitY releases Draft Digital Personal Data Protection Rules, 2025 for public consultation" — PIB — https://www.pib.gov.in/PressReleasePage.aspx?PRID=2090048 — (tier: 1)

Note: WebFetch was disabled per retrieval budget; all facts are grounded in the article excerpt [S1] and PIB search-result snippets [S2–S6]. No speculation has been used.