You are currently viewing DPDP Act Back in Focus: Why the Supreme Court Is Reviewing “Personal Data” in India

DPDP Act Back in Focus: Why the Supreme Court Is Reviewing “Personal Data” in India

Why DPDP Act, 2023 is Back in Focus?

The (Digital Personal Data Protection) DPDP Act, 2023 has once again come into the spotlight, but this time not because of compliance deadlines or penalties. Instead, it is being closely examined by the Supreme Court of India, raising important questions about how data privacy is defined in India.

The issue began when concerns were raised that the law could be used to classify even information of public importance as “personal data.” This could potentially restrict access to such information, especially for journalists and citizens who rely on transparency through the Right to Information Act, 2005. The argument is that if too much information is labelled as personal, it may weaken the Right to Information (RTI), which is a key part of a democratic system, where transparency, accountability, and citizens’ right to access government information are essential.

During the hearing, the court acknowledged that there is a need to clearly define what constitutes “personal data” and what should remain accessible as public data. The Chief Justice of India, Justice Surya Kant emphasized that a balance must be maintained between an individual’s right to privacy and the public’s right to access information. The court also raised an important question—at what point should information related to a public figure or public office be treated as private rather than public?

Another concern highlighted was that the term “public interest,” which traditionally allowed access to certain types of information, is not explicitly emphasized in the current framework in the same way as before. Experts, including Indira Jaising, have argued that this could limit the ability of journalists to access information that is necessary for public awareness and accountability.

Because of these concerns, the Supreme Court of India has decided to examine the matter in detail, with the next hearing scheduled for March 23, 2026. The outcome of this case could play a significant role in shaping how data privacy and transparency coexist in India going forward.

Read more about this in detail here.

Why the DPDP Act 2023 / DPDP Rules 2025 Have Been Challenged

The Digital Personal Data Protection Act, 2023 has been challenged due to concerns that it could restrict public access to information, expand regulatory control, and impose significant penalties of up to ₹250 crore, while still leaving room for interpretation around what qualifies as personal versus public data.

“The term ‘public interest’ has been deleted from the DPDP Act. Journalists cannot access data which is in public interest.”
— Indira Jaising

There is a growing concern that labeling large amounts of data as “personal” may restrict access to information that should otherwise be available in the public domain. The lack of clearly defined boundaries between personal and public data adds to this confusion, especially when it comes to information related to public officials.

At the same time, experts have pointed out that reduced clarity around “public interest” may impact journalism and accountability. There are also concerns that broadly worded provisions could lead to overreach if not interpreted carefully. Another point being discussed is that while penalties are significant, they are directed toward the state, and there is limited direct compensation mechanism for affected individuals.

Overall, the situation highlights a deeper issue—the ongoing tension between privacy and transparency, and how both can be balanced without weakening either.

Newspaper clipping style showing headline “DPDP Act 2023 in Spotlight” with Supreme Court and digital personal data icons

What is DPDP Act, 2023?

To understand why this matters, it is important to look at why the law was introduced in the first place. The DPDP Act was enacted in 2023, was designed to create a structured framework for handling personal data in India.

With the rapid growth of digital platforms, businesses, and online services, large volumes of personal data—ranging from contact details to financial and behavioral information—were being collected, often without clear accountability or standardized safeguards.

The Act was introduced to address these challenges by ensuring that organizations collect and use data responsibly, obtain user consent, and implement safeguards against misuse. It also gives individuals greater control over their personal data, including the ability to access, correct, or delete their information.

The law was passed in 2023, and what is now being discussed are the DPDP Rules, 2025, which define how the law will be implemented in practice—covering compliance procedures, timelines, and enforcement.

Why DPDP Rule, 2025 is Important & What Relevance it Has for Organizations that Deal with Huge Data Daily ?

India today generates massive amounts of data across sectors like fintech, e-commerce, and digital services. Ensuring compliance under the DPDP framework is not an overnight task. Organizations need time to assess their current systems, identify gaps, and implement the required controls.

This is especially important because non-compliance can lead to significant financial penalties, going up to ₹250 crore depending on the nature of the violation.

What Businesses Must Do to Stay DPDP Compliant in 2026, read here.

Penalty for Non Compliance of DPDP Rule

The Act outlines several tiers of penalties, each tied to specific obligations:

Violation CategoryMaximum PenaltyTrigger / Explanation
Failure to implement reasonable security safeguards (Section 8(5))Up to ₹250 croreWhen a data fiduciary fails to implement basic safeguards leading to a breach or risk
Failure to notify breach (Section 8(6))Up to ₹200 croreDelay or failure in informing authorities or affected individuals
Children’s data violations (Section 9)Up to ₹200 croreProcessing children’s data without required safeguards
Significant Data Fiduciary violations (Section 10)Up to ₹150 croreNon-compliance by entities with higher regulatory obligations
Other violationsUp to ₹50 croreCovers general non-compliance
Duties of individualsUp to ₹10,000Misuse of rights or providing false information

Understand the Difference Between Data Privacy and Data Protection , read here.

Conclusion

The DPDP framework is built on three principles—consent, purpose limitation, and responsibility. Organizations must take clear permission before collecting data, use it only for the intended purpose, and ensure it is properly protected.

As the law continues to be interpreted and implemented, one thing remains clear—data privacy is no longer just a technical or legal issue. It sits at the intersection of individual rights, business responsibility, and public transparency, and how this balance is achieved will define India’s digital future.

Get Started with DPDP Compliance

If you’re still figuring out where to begin, now is the right time to take action on your DPDP compliance journey.

At Prime Infoserv, we offer reliable DPDP compliance services designed to help businesses understand, implement, and manage requirements with ease. As an affordable DPDP service provider in India, we focus on making compliance simple, effective, and accessible for organizations of all sizes. Start Preparing Early. Call: +91 9147712576 | Email: mail@primeinfoserv.com

Leave a Reply