How an amendment to the Data Protection Act puts the Right to Information at risk (2025)

The abovementioned dilution is the amendment to Section 8(1)(j) of the RTI Act through Section 44(3) of the DPDPA. Section 8(1)(j) of the RTI Act, as it stands now, exempts disclosure of information if it causes “an unwarranted invasion of privacy”. A disclosure of personal information that may infringe one’s privacy can only be made if “a larger public interest justifies the disclosure of such information”. Section 44(3) proposes to change this provision to only say “any information which relates to personal information”.

This means there will be a blanket restriction on disclosure of “any personal information” through the RTI Act. This is a significant departure from jurisprudence on transparency in other jurisdictions that have robust data privacy laws such as the European Union and the UK. The amendment also flies in the face of the Supreme Court’s settled principle on the necessity of balancing the right to transparency that flows from Article 19(1)(a) of the Constitution and the right to privacy which has been held to be an inherent part of Article 21 in the case Central Public Information Officer, Supreme Court of India v Subhash Chandra Agarwal.

There are many immediate and obvious concerns about the impact of such an amendment. For example, past successes through RTI investigations to ascertain businesses that may have profited from public sector procurement or verifying beneficiaries could be impossible after the amendment is enforced.

However, there is an unusual twist to the story. While the DPDPA envisions protecting the privacy of those in power, the applicants who seek information through the process must be utterly transparent with the powers that be.

Section 6(1) of the RTI Act provides a statutory right to citizens to file RTI request applications in electronic form. In 2023, the Supreme Court held that this means that all states, Courts and Union Territories must have an RTI web portal. In 2025, the states of Sikkim, Nagaland and Manipur made their RTI web portals. However, the web portals are so designed that they seek mandatory disclosure of Aadhar card, or other identity proof. While Bihar and Odisha have had RTI web portals since before the Supreme Court’s Order; they also make Aadhaar card or identity proof disclosure mandatory on their websites.

For anyone who has visited the Wikipedia page for “Attacks on RTI Activists in India”, this is a cause for immediate concern. However, the concern becomes amplified in light of an Office Memorandum (OM) issued by the Department of Personnel and Training (DoPT) under the Ministry of Personnel, Public Grievances and Pensions on June 20, 2017, stating: “the personal information details like Aadhar no. should not be asked for while handling applications.”

To make matters worse, the Central Information Commission (“CIC”) observed in Vishwas Bhambhurkar v Public Information Officer that “denial of information for lack of Aadhaar card will be a serious breach of right, which was guaranteed by the RTI Act and amounts to the harassment of the applicant”.

In light of the CIC’s judgment and the DoPT’s OM, mandating Aadhaar cards for RTI applications is a serious breach of privacy. This has not stopped the developers of the RTI web portals of Nagaland, Manipur, Sikkim, Bihar or Odisha from indulging in this practice. Among the five, Sikkim stands out as the only website designed by the National Informatics Centre, Sikkim. A body directly affiliated with the Ministry of Electronics and Information Technology should have even less of a reason to plead ignorance of a seven-year-old OM from another central ministry in relation to this issue. One would be hard pressed to find a good reason for any of the state governments to plead ignorance on an OM specifically issued with instructions on the process of filing RTI applications, while making a web portal for filing the applications.

However, the most unusual of the privacy concerns arise from the RTI web portal for Punjab. The state of Punjab mandates that a user must share their device location in order to be able to log into the RTI web portal. This mandatory sharing of location could very well violate the fundamental right to privacy recognised by the Supreme Court in K Puttaswamy v Union of India.

In Puttaswamy, the Supreme Court has clearly stated that “any infringement on privacy of an individual must pass the three-fold test of legality, necessity and proportionality”. It is difficult to imagine that a demand for device location data passes the proportionality test, specially paired with the “take it or leave it” manner in which it is provided. It certainly is concerning that disclosure of device location is made mandatory to avail a statutory right.

The Punjab RTI web portal’s privacy policy is also a significant departure from the other RTI web portals in the country. The portal reserves the right to gather certain information about the user, such as “IP addresses, domain name, browser type, operating system, the date and time of the visit, etc.” The website does claim however, that it does not process this data unless an attempt to damage the site has been detected.

Most peculiarly, the government also states that access to this data can be provided to “regulators, law enforcement or any third party” at government’s complete discretion.

The silver lining here is that the issue of unwarranted invasions of privacy on RTI web portals is limited to Punjab, Odisha, Bihar, Nagaland, Sikkim and Manipur. However, it is worth noting that nearly every RTI web portal in the country is incomplete in its onboarding of all public authorities. Which means that certain authorities can only be contacted through physical applications, submitted in person or by post.

Hence, demands for identity proofs by PIOs (public information officers) could largely be undocumented in these cases. This demand for identity proof practice may even be entirely undetectable, unless a wide-scale inspection of the practice is addressed by State and Central Information Commissions in the annual reports. As of date, the Annual reports published by the CIC and the SICs are entirely silent on this issue. The hope is that someday governments at the centre and the state will be uniform in the applicability of transparency laws and in upholding the privacy of applicants exercising their fundamental and statutory rights.

The writer is a lawyer with experience in transparency law, and is the creator of nagrikproject.in, an RTI web portal compliance tracker for states in India