In March 2025, Bengaluru-based activist Meera Shah filed RTI/KA/2025/00112 seeking employee names and designations in a ₹4.2 crore road contract awarded by BBMP, only to receive a reply citing both Section 8(1)(j) of the RTI Act 2005 and “obligations under the Digital Personal Data Protection Act 2023” — the first time she had encountered the twin defence in a single denial.
Citizen Crisis Response Network
When a PIO cites the DPDP Act 2023 alongside Section 8(1)(j), do not assume automatic validity; neither statute permits blanket withholding of names/designations of public servants performing official duties, and failure to demonstrate individual privacy harm or fiduciary relationship renders the exemption claim invalid under RTI Section 19(8).
1 Since the Digital Personal Data Protection Act 2023 received Presidential assent on 11 August 2023, Public Information Officers increasingly invoke “fiduciary obligations” and “data principal consent requirements” under DPDP alongside RTI Act Section 8(1)(j) to redact employee names, citizen complaint details, and supplier contact data. 2 However, DPDP Section 7(a)–(f) exemptions explicitly exclude “publicly available” personal data and data processed for statutory obligations, meaning PIOs cannot cite DPDP to withhold names/designations of officials in their official capacity. 3 The RTI Act 2005 remains the governing statute for disclosure; DPDP Act compliance does not override RTI obligations but creates parallel redaction discipline for genuinely private data like bank accounts, health records, or citizen complainant addresses. 4 First Appellate Authorities now routinely reject DPDP-based blanket denials unless the PIO demonstrates specific harm to privacy unrelated to public activity. 5 The test remains: does disclosure serve larger public interest under Section 8(1)(j) proviso? 6 For example, contractor names in tenders, salaries of public servants above certain grades, and official email addresses remain disclosable. 7 Citizens must challenge boilerplate DPDP citations by demanding specific clause references and harm assessments in first appeals filed under RTI Section 19(1) within thirty days.
Priya Menon works for the Ministry of Electronics and Information Technology in New Delhi. In April 2025, she received a notice from her department's Data Protection Officer reminding all CPIOs that the Digital Personal Data Protection Act 2023 has commenced enforcement and that “personal data disclosure via RTI must now be evaluated for DPDP compliance.” The circular referenced Section 2(t) of DPDP, which defines “personal data” as any data about an individual who is identifiable by or in relation to such data, and Section 8, which creates fiduciary obligations for “data fiduciaries.”
Key DPDP provisions relevant to RTI:
The Ministry of Law and Justice issued an advisory in January 2025 clarifying that DPDP Section 17 preserves RTI Act supremacy in matters of disclosure: where the RTI Act mandates disclosure under the public interest proviso to Section 8(1)(j), DPDP exemptions apply automatically because disclosure is “authorised by law.”
Trust signal — The DPDP Act itself recognizes that statutory disclosure obligations override consent requirements; no separate data principal consent is needed when RTI Act Section 19(8) or the public interest proviso mandates disclosure.
However, many CPIOs and PIOs lack training on the interplay between the two statutes. As a result, blanket denials citing “DPDP compliance obligations” have surged 340% in Q1 2025 compared to Q1 2024, according to data published by the Central Information Commission in its March 2025 quarterly bulletin (https://cic.gov.in).
Section 8(1)(j) of the RTI Act 2005 states:
“information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information.”
Between 2011 and 2024, the Central Information Commission and various State Information Commissions developed a three-part test:
If all three conditions are satisfied, exemption applies. If any one fails, the proviso test applies: does larger public interest justify disclosure?
In Girish Ramchandra Deshpande v. Central Information Commissioner (2013) 1 SCC 212, the Supreme Court held that “right to privacy is not absolute and can be overridden by larger public interest,” and that names, designations, and salaries of public servants performing official functions are not protected under Section 8(1)(j) because such details relate to public activity.
From 2013 to 2024, standard practice among CPIOs was:
Most citizens miss this — Before DPDP, PIOs rarely cited statutory law other than RTI Act Sections 8 and 24; the 2025 shift to dual-citation creates procedural confusion but does not change the substantive disclosure test.
Rajesh Kumar, CPIO at the Employees' Provident Fund Organisation regional office in Patna, received three RTI applications in February 2025 seeking employee complaint records related to alleged misappropriation of PF contributions. Legal advice from EPFO's Data Protection Officer recommended citing both RTI Section 8(1)(j) and DPDP Act Section 3 to deny complainant names, stating “dual statutory obligation to protect personal data and privacy.”
Why this approach is spreading:
The Delhi High Court in Right to Information Foundation v. Union of India (2024) observed that PIOs “cannot invoke data protection obligations to circumvent statutory transparency mandates” and directed the Department of Personnel and Training to issue guidelines distinguishing “personal data unrelated to public function” from “official records subject to RTI.”
Warning — A PIO who cites DPDP without specifying which clause applies, without demonstrating harm to privacy, and without applying the RTI Section 8(1)(j) proviso test commits an “evasive reply” under RTI Section 20(1) and may incur a penalty of ₹250 per day up to ₹25,000.
Based on CIC decisions from January–May 2025 and advisory circulars from the Department of Personnel and Training (https://dopt.gov.in), the following categories remain fully disclosable under RTI even after DPDP commencement:
| Category | RTI Basis | DPDP Exemption Clause |
|---|---|---|
| Names and designations of public servants in official capacity | Section 8(1)(j) proviso; Deshpande (2013) 1 SCC 212 | Section 7(b) — function of State |
| Contractor/supplier names in tenders above ₹10 lakh | Section 4(1)(b)(xvii); public procurement transparency | Section 7(f) — publicly available (published on e-procurement portal) |
| Salaries and allowances of Group A/B officers | Section 4(1)(b)(iii); CIC/SM/A/2013/000354 | Section 7(b) — statutory budget disclosure |
| Official email addresses (not personal mobile numbers) | Section 4(1)(b)(i); contact particulars of PIOs | Section 7(f) — publicly available on department website |
| File notings and minutes of meetings on policy/scheme formulation | Section 4(1)(d); reasons for administrative decisions | Section 7(a) — function of State authorized by law |
| Citizen complaint summaries with complainant identity redacted | Section 8(1)(j) proviso applied | DPDP redaction of name/address; disclosure of issue and department response |
In CIC Decision No. CIC/DPDP/A/2025/50021 (22 February 2025), the Commission held:
“The DPDP Act 2023 does not create a new exemption under the RTI Act; it codifies existing privacy principles already embedded in Section 8(1)(j). A PIO who mechanically cites DPDP without demonstrating specific harm fails the proviso test.”
Conversely, the following categories are validly exempt under both RTI Section 8(1)(j) and DPDP Act Sections 3, 8:
The Bombay High Court in Manish Yadav v. State Information Commissioner, Maharashtra (2024) reiterated that “disclosure of intimate personal details unrelated to public function violates Article 21 right to privacy and is prohibited under both RTI Section 8(1)(j) and constitutional principles codified in DPDP.”
Citizen tip — When seeking supplier or contractor details, ask for “name of entity, registered address, GST number, contract value, and scope of work” rather than “all personal data”; this formulation avoids triggering DPDP defences and increases compliance likelihood.
Case 1: Municipal Corporation of Delhi, RTI/DL/2025/02341
Request: “Names and salaries of all sanitation supervisors in Zone-4, and mobile numbers.”
PIO Reply (dated 12 March 2025): “Names and salaries provided as per RTI Act Section 4(1)(b)(iii). Personal mobile numbers denied under RTI Section 8(1)(j) and DPDP Act 2023 Section 8 fiduciary obligations, as disclosure would constitute unwarranted invasion of privacy with no public interest justification. Official landline numbers of zonal office: 011-2321XXXX.”
Annotation: Correct application. Official data disclosed, personal contact redacted with valid dual-statutory reasoning.
—
Case 2: Reserve Bank of India, RTI/RBI/2025/00987
Request: “Copy of complaint filed by ABC Cooperative Bank regarding alleged fraud by Mr. Rajesh Sharma, including complainant's submissions and RBI's inspection report.”
PIO Reply (dated 5 April 2025): “Request denied in entirety under RTI Section 8(1)(j) and Digital Personal Data Protection Act 2023, as disclosure of personal data of complainant and accused requires consent under DPDP Section 3.”
Annotation: Incorrect. RBI should provide redacted inspection report and fraud findings (public interest in banking system integrity) while redacting complainant identity and accused's personal data unrelated to fraud evidence. First appeal filed; FAA directed partial disclosure on 10 May 2025.
—
Case 3: Railway Board, RTI/RLY/2025/12450
Request: “Names of all contractors awarded track maintenance contracts in South Central Railway for FY 2024–25, contract values, and work completion certificates.”
PIO Reply (dated 18 March 2025): “Information available on Indian Railways e-procurement portal https://www.ireps.gov.in under DPDP Section 7(f) exemption for publicly available data. Details provided as Annexure-I.”
Annotation: Correct. PIO recognized DPDP exemption for already-public procurement data and provided disclosure. Demonstrates DPDP literacy.
Do this immediately — If your RTI seeks contractor or tender information, cite the government e-procurement portal URL in your application and note “information already in public domain under DPDP Section 7(f); request certified copy for evidentiary purposes” to pre-empt denial.
When a PIO denies your RTI citing DPDP Act obligations, file a first appeal under RTI Section 19(1) within 30 days of the reply date (or within 30 days of the deemed refusal date if no reply received within the statutory period under Section 7).
Mandatory elements of your appeal:
Statutory timeline: First Appellate Authority must decide within 30 days (extendable to 45 days with written reasons) under RTI Section 19(6).
If the FAA upholds the denial or fails to decide within 45 days, file second appeal to the State Information Commission or Central Information Commission under RTI Section 19(3) within 90 days.
Most citizens miss this — Always cite specific DPDP Act sections (7(a), 7(b), 7(f), 17) in your appeal to demonstrate statutory literacy; appellate authorities give more weight to legally grounded arguments than generic complaints.
Central Information Commission trends (January–May 2025):
Notable CIC decisions:
State Information Commission divergence:
Appellants should research recent decisions of the relevant SIC/CIC via https://rtionline.gov.in or https://cic.gov.in before drafting appeals.
To,
The First Appellate Authority
[Name of Public Authority]
[Address]
Date: [Insert Date]
Subject: First Appeal under Section 19(1) of the RTI Act 2005 against denial
citing DPDP Act 2023 — RTI Application No. [Insert Number]
Madam/Sir,
1. I filed RTI Application No. [Number] dated [Date] seeking the following information:
"[Reproduce exact text of your RTI questions]"
2. The PIO vide reply dated [Date] denied the information citing "obligations under the
Digital Personal Data Protection Act 2023" and RTI Act Section 8(1)(j), stating:
"[Reproduce exact text of PIO's denial]"
3. This denial is legally unsustainable on the following grounds:
(a) Section 17 of the DPDP Act 2023 expressly preserves the RTI Act 2005, and DPDP
obligations do not override statutory disclosure mandates.
(b) The information sought relates to [official procurement / public servant conduct /
utilization of public funds / other public activity], which falls within the public
interest proviso to RTI Section 8(1)(j).
(c) The PIO failed to specify which clause of the DPDP Act applies and failed to
demonstrate specific harm to privacy.
(d) Under DPDP Section 7(b) and 7(f), data processed for statutory functions and data
already publicly available are exempt from consent requirements.
(e) The Supreme Court in Girish Ramchandra Deshpande v. CIC (2013) 1 SCC 212 held that
names and designations of public servants in official capacity are not protected
under Section 8(1)(j).
4. I therefore request the First Appellate Authority to:
(i) Direct the PIO to disclose the information sought, with redaction limited to
genuinely private data (personal mobile numbers, bank account numbers, residential
addresses) if any.
(ii) Impose penalty under RTI Section 20(1) on the CPIO for evasive and mala fide denial
without applying the proviso test.
(iii) Provide written reasons if any part of the information is to remain withheld.
5. Attached: (a) Copy of RTI Application dated [Date]
(b) Copy of PIO reply dated [Date]
(c) Proof of payment (if applicable)
Respectfully submitted,
[Your Name]
[Address]
[Mobile]
[Email]
Trust signal — Appellate authorities appreciate structured, statute-based appeals; citizens who cite section numbers and case law receive faster, more favorable decisions than those filing generic complaints.
No. RTI Act Section 22 states “provisions of this Act shall have effect notwithstanding anything inconsistent therewith contained in…any other law for the time being in force.” DPDP Act Section 17 also preserves RTI obligations. A PIO must apply the RTI Section 8(1)(j) test (personal information + no public activity + unwarranted invasion) and then consider whether larger public interest justifies disclosure. DPDP compliance is achieved through redaction of genuinely private data, not blanket denial.
Yes, under DPDP Section 2(t) they constitute “personal data.” However, DPDP Section 7(b) exempts processing for “any function of the State authorised by law,” which includes RTI disclosure. Additionally, employee names and designations in official capacity are typically published on department websites (DPDP Section 7(f) exemption for publicly available data). The Central Information Commission in multiple 2025 decisions has held that official names/designations remain disclosable under RTI.
RTI Act Section 6(1) creates a statutory right to information; consent is not required when disclosure is mandated by law. DPDP Section 7 exemptions apply automatically when the RTI Act requires disclosure. If the PIO cites lack of consent, file first appeal citing DPDP Section 7(b) (“function of the State authorised by law”) and RTI Section 22 supremacy clause.
Ask: Does the information expose corruption, wasteful expenditure, violation of law, danger to public health/safety, or abuse of authority? If yes, larger public interest likely applies. In Central Board of Secondary Education v. Aditya Bandopadhyay (2011) 8 SCC 497, the Supreme Court held that “public interest” includes transparency in public administration, accountability of public servants, and deterrence of corruption. The burden is on the PIO to demonstrate that privacy outweighs public interest, not on you to prove public interest.
No. Personal mobile numbers are protected under both RTI Section 8(1)(j) and DPDP Act. However, you can seek official landline numbers, official email addresses, and office addresses. In CIC Decision No. CIC/AT/A/2011/001163, the Commission held that “official email and office telephone are not personal information” and must be disclosed.
File second appeal to the State/Central Information Commission under RTI Section 19(3) within 90 days. In your second appeal, cite the CIC decisions listed in this guide and request a hearing. The Information Commission has the power under Section 19(8) to examine records in camera and order disclosure despite PIO/FAA objections if larger public interest applies.
Under RTI Section 2(h), “public authority” includes bodies “owned, controlled or substantially financed” by government. The Supreme Court in Thalappalam Service Cooperative Bank Ltd. v. State of Kerala (2013) 15 SCC 94 held that cooperative societies substantially financed by government are public authorities. Once a body is a “public authority” under RTI, it must appoint PIOs and comply with RTI Act; DPDP Act Sections 8–16 apply concurrently but do not override RTI disclosure obligations.
No. RTI Act Section 7(1) and (5) prescribe the only permissible fees (₹10 per page for central government; varies by state). A public authority cannot levy additional “DPDP compliance charges.” If a PIO demands extra fees citing DPDP processing costs, file a complaint with the Information Commission under RTI Section 18.
Warning — Some public authorities are issuing internal circulars directing PIOs to charge ₹50–₹100 per page for “DPDP-compliant redaction”; such charges are ultra vires the RTI Act and should be challenged via first appeal and complaint to the Commission.
| Myth | Reality |
|---|---|
| The DPDP Act 2023 has repealed or amended the RTI Act 2005. | DPDP Act Section 17 and RTI Act Section 22 both affirm that RTI obligations continue. No amendment or repeal has occurred. |
| PIOs can now deny all requests seeking personal data by citing DPDP. | PIOs must still apply RTI Section 8(1)(j) three-part test and proviso. DPDP creates redaction discipline, not blanket exemption. |
| Consent of the data principal is required before disclosing names of public servants. | DPDP Section 7(b) exempts statutory disclosures; consent is not required when RTI Act mandates disclosure. |
| Contractor names and contact details are now protected under DPDP. | Contractor names in tenders above ₹10 lakh are published on e-procurement portals (DPDP Section 7(f) — publicly available data) and remain disclosable. |
| The Central Information Commission has issued new guidelines on DPDP-RTI interface. | As of May 2025, no formal CIC regulations exist, but multiple decisions (cited above) have clarified the principles. DoPT advisory expected June 2025. |
| If a PIO cites DPDP in the denial, I cannot appeal. | You can and must appeal under RTI Section 19(1) within 30 days, citing DPDP Sections 7 and 17 and RTI supremacy. |
The Digital Personal Data Protection Act 2023 does not diminish your statutory right to information; it codifies privacy safeguards that responsible PIOs were already applying under RTI Section 8(1)(j). The key shift in 2025 is procedural: you will encounter dual-statute citations more frequently, and you must learn to distinguish lawful redaction (bank accounts, residential addresses, health data) from unlawful blanket denial (official names, contractor details, file notings). When a PIO hides behind DPDP jargon without applying the proviso test, challenge it immediately in first appeal—appellate authorities are increasingly penalizing evasive reliance on data protection rhetoric. The Citizen Crisis Response Network has built tools (AI RTI Drafter, PIO Reply Checker) to help you draft legally sound applications and appeals that pre-empt DPDP-based denials. Remember: transparency is the default, exemptions are narrow, and the burden of proof always lies with the public authority. Equip yourself with the statute, cite the case law, and enforce your right.