Imagine filing an RTI to understand why your local authority denied you a benefit, only to be told that the relevant file is now “personal data” and cannot be shared. That is the quiet shift India woke up to, the following month. On 14 November 2025, the Government of India notified the Digital Personal Data Protection (“DPDP”) Rules, 2025, thereby operationalising significant portions of the Digital Personal Data Protection Act, 2023 (“DPDP Act”). Concomitantly, by virtue of a consequential amendment, a critical phrase in the Right to Information Act, 2005 (“RTI Act”) was aligned with DPDP’s definition of “personal data.” While the Government frames this development as part of its SARAL (simplicity, accountability, responsibility, authenticity, and lawfulness) agenda, the legal and policy implications for institutional transparency are far from trivial.

What seems like a minor change in the RTI Act, inserting a new data-protection definition, could potentially lead to a significant loss of transparency. This piece argues that the amendment, while seemingly insignificant, could undermine the robust culture of transparency that India has built over the decades. Without a deliberate harmonisation framework, the SARAL promise risks becoming a cover for greater secrecy, raising concerns about the potential loss of transparency.

II. What Exactly Changed? Tracing the Textual Amendment to Section 8(1)(j)

To fully grasp the significance of the amendment, one must first understand its precise legal mechanics. The DPDP Rules notification gives effect to a statutory provision that modifies Section 8(1)(j) of the RTI Act to substitute its previous reference of “personal information” with a definition that is in line with the DPDP Act’s definition of “personal data.” 

Under the DPDP Act, “personal data” is a broadly defined expression. It covers not only the traditional defining traits of name, address, phone number, and email, but also online identifiers, metadata, and behavioural data. Despite this extensive definition, the Rules impose rigorous obligations on fiduciaries (data holders) relating to consent management, data minimisation, security, verification of minors, and breach reporting, not to mention the potential for regulatory remediation, penalties, and the establishment of a Digital Data Protection Board.

Retrospectively, before the amendment, however, jurisprudence under the RTI Act considered “personal information” in an extraordinarily narrow interpretation. Matters that would be deemed not “operationally relevant” to the public interest or governance, such as notes in a personal diary, internal deliberations, or, for example, issues concerning certain aspects of employment belonging to a corporation, are often shielded by Section 8(1)(j). The judicial pronouncements in Girish Deshpande v. Information Commission and in Cen. Pub. Information Officer, Sci. v. Subhash Chandra Agarwal drew a fine line between the confidentiality of private citizen matters and the public accountability of the Government, usually forcing disclosure where the existence of a compelling public necessity was established. 

The significance of the amendment lies in the fact that Central Public Information Officers (“CPIOs”) and Information Commissions are now required to interpret RTI requests through the DPDP lens. Information that once fell outside the “personal information” exclusion may now squarely fall within the DPDP definition of “personal data.” This could potentially lead to the misuse of the new definition, resulting in a significant expansion of what may be denied under Section 8(1)(j). 

III. Doctrinal Consequences: A New Privacy-Heavy Presumption?

The shift in definition carries not just semantic weight but doctrinal and interpretive implications. Three interlocking consequences merit particular scrutiny: (a) the expansion of the “personal data” category; (b) the effective weakening of the RTI public-interest override; and (c) the interplay with constitutional privacy jurisprudence under Puttaswamy.

A. Expansion of the “Personal Data” Category

Now that the definition of “personal data” under the DPDP Act is operational, information that may not have been classified as capable of being refused disclosure under the RTI Act may fall within the ambit of non-disclosure. Thus, metadata, such as login timing, IP addresses, devices used, etc., can now be treated as personal data. Additionally, inter-departmental administrative information (for example, logs of inter-departmental discussions, emails, and draft policy papers) that contain personal identifiers may now be more legitimately refused if part of the information falls within the meaning of “personal data” and its disclosure would result in a contravention of DPDP obligations.

This is likely to cover information about decision-making processes, communications related to decision-making, papers regarding governance, and other relevant topics. This extension creates vast ramifications. A request for information covered by principles of governance might have been hitherto considered valid even though it might, incidentally, have contained personal identifiers. Now, if such identifiers contain DPDP-protected information, CPIOs could deny information on the basis that the entire information, including any details of governance, was “personal data” unless it could be separated or “sanitised.”

B. Collapse of the Public-Interest Override Standard

One of the bedrock principles of RTI jurisprudence is the public-interest override. Under the RTI Act, even if information contains personal or sensitive data, disclosure may be warranted when the public interest in transparency outweighs the privacy stake. Courts and the Central Information Commission (“CIC”) have repeatedly upheld that accountability and transparency in governance must not be sacrificed merely for the sake of protecting personal privacy.

With the DPDP amendment, however, the contours of this balancing act are ambiguous. The DPDP Act does not clearly provide for a public-interest override in the same manner; its structure is primarily geared toward protecting data subjects and regulating fiduciaries. The lack of an explicit, statutory balancing test in DPDP raises the risk that CPIOs will treat “personal data” as a categorical refusal ground, sidelining or significantly weakening the public-interest argument. This potential weakening of the public-interest argument should be a cause for concern and an urgent need for action. 

In the absence of statutory clarifications, there is little to prevent an overly cautious or literalistic application of the DPDP definition, which may compromise transparency. Unless interpretive guidance or institutional norms are established, the amendment could render the public-interest override in RTI largely illusory. This lack of clarity and potential for misuse could lead to a significant reduction in the public’s ability to access information about governance and decision-making processes.

C. Interaction with Puttaswamy

The Supreme Court’s landmark Puttaswamy judgment provides a constitutional framework for privacy in India. It articulates a tripartite test: legality (a legal basis for restriction), necessity (a legitimate aim), and proportionality (the restriction must not be excessive).

Under the amended RTI regime, DPDP provides a strong legal basis for non-disclosure (legality) and arguably a legitimate aim (protection of personal data). However, whether the proportionality requirement is being satisfied is less clear. There is a risk that the broad privacy protections under DPDP might be treated as intrinsically proportionate, without a demand for granular public-interest justification or a commitment to the least-restrictive alternative.

IV. Administrative Impact: How CPIOs and Commissions Will Actually Behave

Beyond doctrinal concerns, the practical implications of the amendment merit immediate attention. The following factors are likely to shape how the RTI regime operates in practice.

1. Risk Aversion of Bureaucracy: CPIOs are already risk-averse. When faced with a new definition that seems more restrictive and legally mandated, bureaucrats are more likely to refuse outright rather than risk partial disclosure.
2. Lack of Official Standard Operating Procedures (“SOPs”): There is currently little publicly available detailed guidance on how CPIOs should apply the DPDP definition in RTI contexts. Without SOPs, decisions may vary wildly across ministries, resulting in inconsistency and confusion.
3. Training Vacuum: Many CPIOs and Information Commission staff may lack sufficient knowledge of data-protection law. Understanding obligations under DPDP (consent, breach, data minimisation) is far removed from standard RTI training.
4. Appeal & Backlog Pressure: With broader refusal grounds, more decisions are likely to be appealed. This could significantly increase the workload for the State and CICs, which are already grappling with backlogs.
5. Institutional Conflict: The Digital Data Protection Board, once constituted, may interpret DPDP definitions in a way that conflicts with how Information Commissions adjudicate RTI appeals. Without clarity on the hierarchies of authority and precedential weight, appeal decisions may become unpredictable.

These administrative realities are not speculative; they are grounded in how transparency regimes typically function, especially when new statutory regimes interact with existing ones. The risk of drift toward secrecy, under the guise of data protection, is therefore non-trivial.

V. The Systemic Problem: India now has two parallel Access-to-Information Logics

At its core, the amendment reveals a systemic tension in India’s regulatory architecture: there are now two parallel, and potentially conflicting, logics of access to information.

1. Privacy-First Regime (DPDP) – The DPDP Act and its Rules place significant emphasis on the protection of personal data. Fiduciaries are required to obtain consent (where applicable), restrict use, implement security measures, and offer redress through a regulatory board.
2. Transparency-First Regime (RTI) – The RTI Act is animated by democratic accountability. Its founding logic is that public authorities should not withhold information unless a carefully defined exception applies. Information Commissions were established precisely to uphold the public’s right to know.

The amendment imposes DPDP’s privacy-first logic onto RTI adjudication without offering a harmonisation mechanism. This raises critical risks, such as statutory asymmetry (what has primacy: data protection or transparency?), contradictory institutional mandates (Data Protection Board v. CICs), and a lack of an interpretive hierarchy to guide CPIOs and Commissioners. In the absence of structured cross-institutional coordination and interpretive norms, decisions are likely to diverge, thereby undermining legal certainty and public trust.

VI. Towards Harmonisation: A Legal and Institutional Framework for Coherence

The interaction between the DPDP regime and the RTI framework cannot be left to ad hoc interpretation by individual Public Information Officers or Information Commissions. If India wishes to preserve the democratic value of transparency while strengthening privacy protections, a principled harmonisation framework is imperative. This framework must operate across three planes: doctrinal calibration, statutory and regulatory clarification, and administrative capacity.

A calibrated doctrinal test is the first pillar of harmonisation. CPIOs should be guided through a structured inquiry that begins by identifying whether the requested record contains “personal data” within the meaning of the DPDP Act. This determination must not be conflated with the broader question of refusal; it serves merely to acknowledge the applicability of data-protection considerations. The second step must require an assessment of the likely harm arising from disclosure, not privacy harm in the abstract, but concrete, material risks such as profiling, reputational damage, or undue intrusion. The third step should institutionalise the balancing exercise already familiar to RTI jurisprudence: where public interest in transparency is compelling, it should outweigh moderate privacy concerns. CPIOs should be required to record reasons for each stage of this inquiry, enabling appellate scrutiny and promoting consistency.

At the statutory and regulatory level, targeted reforms can support this doctrinal realignment. Amendments to the RTI Rules may introduce an explicit “balancing factors” clause that guides officers on when public interest justifies disclosure. Equally important is the codification of a mandatory redaction duty, that is, refusal of an entire document should be a measure of last resort, invoked only where redaction is genuinely impossible or would defeat the purpose of disclosure. Furthermore, the Government should clarify, through an advisory issued jointly by the Department of Personnel and Training and the Ministry of Electronics and Information Technology (“MeiTY”), that Information Commissions retain interpretive primacy in matters of transparency. This is vital to prevent jurisdictional friction between the Commissions and the Digital Data Protection Board, whose mandates could otherwise be placed in inadvertent tension.

The third axis of harmonisation lies in institutional capacity building. The amendment effectively introduces a new layer of technical and legal complexity into RTI processing. Yet, CPIOs, First Appellate Authorities, and even Information Commissioners remain largely untrained in data protection concepts. A national training programme, delivered in partnership with MeitY and state administrative training institutes, is necessary to develop a common interpretive vocabulary. Standard operating procedures issued by the CIC and SICs can further stabilise decision-making by providing model reasoning templates, for both disclosure and refusal, that incorporate the harmonised doctrinal test. Because the amendment represents a significant shift in administrative practice, a transitional period, during which data-protection-based refusals must contain heightened reasoning requirements, would serve both pedagogic and accountability functions.

Taken together, these doctrinal, regulatory, and administrative interventions construct a coherent framework for balancing privacy and transparency. Without such harmonisation, the DPDP-aligned amendment risks becoming a blunt instrument of secrecy; with it, India can move toward a model where privacy protections and the right to information coexist in a principled and democratically robust manner.

VII. Conclusion

The 2025 DPDP Rules represent a crucial step in establishing a robust data-protection regime in India, and the Government’s public framing underscores a commitment to responsible, rights-respecting governance. However, the consequential amendment to the RTI Act, if left unaccompanied by interpretive and institutional safeguards, risks undercutting the very transparency that underlies democratic accountability.

By inserting a strong data-protection definition into RTI without establishing a harmonisation mechanism, the amendment opens the door to systematic refusals under the guise of “personal data.” In doing so, it threatens to tilt the balance decisively in favour of privacy at the expense of openness.

To preserve the spirit of SARAL while guarding against secrecy, India needs a deliberate, principled recalibration: one that embeds a clear doctrinal test, robust administrative SOPs, institutional coordination, and capacity building. Only then can we ensure that privacy protections reinforce, rather than erode, the promise of RTI in India’s democracy.