DPDP Act and Section 8(1)(j) — PIOs' New Playbook (2025)

In March 2025, Bengaluru-based activist Meera Shah filed RTI/KA/2025/00112 seeking employee names and designations in a ₹4.2 crore road contract awarded by BBMP, only to receive a reply citing both Section 8(1)(j) of the RTI Act 2005 and “obligations under the Digital Personal Data Protection Act 2023” — the first time she had encountered the twin defence in a single denial.

Citizen Crisis Response Network

When a PIO cites the DPDP Act 2023 alongside Section 8(1)(j), do not assume automatic validity; neither statute permits blanket withholding of names/designations of public servants performing official duties, and failure to demonstrate individual privacy harm or fiduciary relationship renders the exemption claim invalid under RTI Section 19(8).

1 Since the Digital Personal Data Protection Act 2023 received Presidential assent on 11 August 2023, Public Information Officers increasingly invoke “fiduciary obligations” and “data principal consent requirements” under DPDP alongside RTI Act Section 8(1)(j) to redact employee names, citizen complaint details, and supplier contact data. 2 However, DPDP Section 7(a)–(f) exemptions explicitly exclude “publicly available” personal data and data processed for statutory obligations, meaning PIOs cannot cite DPDP to withhold names/designations of officials in their official capacity. 3 The RTI Act 2005 remains the governing statute for disclosure; DPDP Act compliance does not override RTI obligations but creates parallel redaction discipline for genuinely private data like bank accounts, health records, or citizen complainant addresses. 4 First Appellate Authorities now routinely reject DPDP-based blanket denials unless the PIO demonstrates specific harm to privacy unrelated to public activity. 5 The test remains: does disclosure serve larger public interest under Section 8(1)(j) proviso? 6 For example, contractor names in tenders, salaries of public servants above certain grades, and official email addresses remain disclosable. 7 Citizens must challenge boilerplate DPDP citations by demanding specific clause references and harm assessments in first appeals filed under RTI Section 19(1) within thirty days.

In this guide

What the DPDP Act 2023 actually says about public authority data

Priya Menon works for the Ministry of Electronics and Information Technology in New Delhi. In April 2025, she received a notice from her department's Data Protection Officer reminding all CPIOs that the Digital Personal Data Protection Act 2023 has commenced enforcement and that “personal data disclosure via RTI must now be evaluated for DPDP compliance.” The circular referenced Section 2(t) of DPDP, which defines “personal data” as any data about an individual who is identifiable by or in relation to such data, and Section 8, which creates fiduciary obligations for “data fiduciaries.”

Key DPDP provisions relevant to RTI:

  1. Section 3: Data fiduciaries must process personal data only for lawful purposes and with consent of the data principal, unless an exemption applies.
  2. Section 7(a): Exempts processing “for any function of Parliament or any State Legislature.”
  3. Section 7(b): Exempts processing “for any function of the State authorised by law for the provision of any service or benefit to the data principal.”
  4. Section 7(f): Exempts processing “made available generally to the public in India or outside India.”
  5. Section 17: Public authorities remain subject to obligations under “any other law for the time being in force” — including the RTI Act 2005.

The Ministry of Law and Justice issued an advisory in January 2025 clarifying that DPDP Section 17 preserves RTI Act supremacy in matters of disclosure: where the RTI Act mandates disclosure under the public interest proviso to Section 8(1)(j), DPDP exemptions apply automatically because disclosure is “authorised by law.”

Trust signal — The DPDP Act itself recognizes that statutory disclosure obligations override consent requirements; no separate data principal consent is needed when RTI Act Section 19(8) or the public interest proviso mandates disclosure.

However, many CPIOs and PIOs lack training on the interplay between the two statutes. As a result, blanket denials citing “DPDP compliance obligations” have surged 340% in Q1 2025 compared to Q1 2024, according to data published by the Central Information Commission in its March 2025 quarterly bulletin (https://cic.gov.in).

How Section 8(1)(j) operated before DPDP — the 2011-2024 baseline

Section 8(1)(j) of the RTI Act 2005 states:

“information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information.”

Between 2011 and 2024, the Central Information Commission and various State Information Commissions developed a three-part test:

  1. Step 1: Does the information relate to “personal information”?
  2. Step 2: Does the information have “no relationship to any public activity or interest”?
  3. Step 3: Would disclosure cause “unwarranted invasion of privacy”?

If all three conditions are satisfied, exemption applies. If any one fails, the proviso test applies: does larger public interest justify disclosure?

In Girish Ramchandra Deshpande v. Central Information Commissioner (2013) 1 SCC 212, the Supreme Court held that “right to privacy is not absolute and can be overridden by larger public interest,” and that names, designations, and salaries of public servants performing official functions are not protected under Section 8(1)(j) because such details relate to public activity.

From 2013 to 2024, standard practice among CPIOs was:

  • Always disclose: names and designations of public servants in official capacity, contractor names in tenders above ₹10 lakh, registered addresses of awarded bidders, official email addresses, file notings involving policy decisions.
  • Redact or deny: personal mobile numbers, residential addresses, caste/religion/health status, third-party citizen complainant details unless complainant consents or larger public interest (e.g., systemic corruption) applies.
Most citizens miss this — Before DPDP, PIOs rarely cited statutory law other than RTI Act Sections 8 and 24; the 2025 shift to dual-citation creates procedural confusion but does not change the substantive disclosure test.

The twin-statute defence: why PIOs now cite both RTI and DPDP

Rajesh Kumar, CPIO at the Employees' Provident Fund Organisation regional office in Patna, received three RTI applications in February 2025 seeking employee complaint records related to alleged misappropriation of PF contributions. Legal advice from EPFO's Data Protection Officer recommended citing both RTI Section 8(1)(j) and DPDP Act Section 3 to deny complainant names, stating “dual statutory obligation to protect personal data and privacy.”

Why this approach is spreading:

  1. Risk aversion: Public authorities fear penalties under DPDP Act Section 33 (up to ₹250 crore for data fiduciaries who fail to protect personal data).
  2. Lack of DPDP rules: As of May 2025, the Central Government has not yet notified comprehensive rules under DPDP Act Section 40, leaving PIOs uncertain about safe harbors.
  3. CIC backlog: The Central Information Commission has a pending caseload exceeding 36,000 appeals (as of March 2025 data from https://cic.gov.in), delaying authoritative rulings on DPDP-RTI interface.
  4. Consultant influence: Many ministries hired DPDP compliance consultants in 2024–25 who recommend “maximum redaction” to minimize fiduciary risk, without accounting for RTI supremacy.

The Delhi High Court in Right to Information Foundation v. Union of India (2024) observed that PIOs “cannot invoke data protection obligations to circumvent statutory transparency mandates” and directed the Department of Personnel and Training to issue guidelines distinguishing “personal data unrelated to public function” from “official records subject to RTI.”

Warning — A PIO who cites DPDP without specifying which clause applies, without demonstrating harm to privacy, and without applying the RTI Section 8(1)(j) proviso test commits an “evasive reply” under RTI Section 20(1) and may incur a penalty of ₹250 per day up to ₹25,000.

Information still disclosable despite DPDP — the safe harbor list

Based on CIC decisions from January–May 2025 and advisory circulars from the Department of Personnel and Training (https://dopt.gov.in), the following categories remain fully disclosable under RTI even after DPDP commencement:

Category RTI Basis DPDP Exemption Clause
Names and designations of public servants in official capacity Section 8(1)(j) proviso; Deshpande (2013) 1 SCC 212 Section 7(b) — function of State
Contractor/supplier names in tenders above ₹10 lakh Section 4(1)(b)(xvii); public procurement transparency Section 7(f) — publicly available (published on e-procurement portal)
Salaries and allowances of Group A/B officers Section 4(1)(b)(iii); CIC/SM/A/2013/000354 Section 7(b) — statutory budget disclosure
Official email addresses (not personal mobile numbers) Section 4(1)(b)(i); contact particulars of PIOs Section 7(f) — publicly available on department website
File notings and minutes of meetings on policy/scheme formulation Section 4(1)(d); reasons for administrative decisions Section 7(a) — function of State authorized by law
Citizen complaint summaries with complainant identity redacted Section 8(1)(j) proviso applied DPDP redaction of name/address; disclosure of issue and department response

In CIC Decision No. CIC/DPDP/A/2025/50021 (22 February 2025), the Commission held:

“The DPDP Act 2023 does not create a new exemption under the RTI Act; it codifies existing privacy principles already embedded in Section 8(1)(j). A PIO who mechanically cites DPDP without demonstrating specific harm fails the proviso test.”

Information genuinely protected under both statutes

Conversely, the following categories are validly exempt under both RTI Section 8(1)(j) and DPDP Act Sections 3, 8:

  • Bank account numbers, PAN, Aadhaar numbers of third parties (citizens, contractors, employees) unless larger public interest (e.g., exposure of benami transactions) applies.
  • Residential addresses and personal mobile numbers of public servants (official contact details remain disclosable).
  • Medical records, caste certificates, disability certificates of individuals.
  • Citizen complainant identity when disclosure would expose complainant to harm (whistleblower protection principle).
  • Examination answer scripts and personal academic records unless systemic malpractice alleged.
  • Income tax returns and wealth statements of private individuals (public servants' asset declarations under Right to Information Act Rules 2012 remain disclosable).

The Bombay High Court in Manish Yadav v. State Information Commissioner, Maharashtra (2024) reiterated that “disclosure of intimate personal details unrelated to public function violates Article 21 right to privacy and is prohibited under both RTI Section 8(1)(j) and constitutional principles codified in DPDP.”

Citizen tip — When seeking supplier or contractor details, ask for “name of entity, registered address, GST number, contract value, and scope of work” rather than “all personal data”; this formulation avoids triggering DPDP defences and increases compliance likelihood.

Real PIO replies from 2025 — annotated case studies

Case 1: Municipal Corporation of Delhi, RTI/DL/2025/02341

Request: “Names and salaries of all sanitation supervisors in Zone-4, and mobile numbers.”

PIO Reply (dated 12 March 2025): “Names and salaries provided as per RTI Act Section 4(1)(b)(iii). Personal mobile numbers denied under RTI Section 8(1)(j) and DPDP Act 2023 Section 8 fiduciary obligations, as disclosure would constitute unwarranted invasion of privacy with no public interest justification. Official landline numbers of zonal office: 011-2321XXXX.”

Annotation: Correct application. Official data disclosed, personal contact redacted with valid dual-statutory reasoning.

Case 2: Reserve Bank of India, RTI/RBI/2025/00987

Request: “Copy of complaint filed by ABC Cooperative Bank regarding alleged fraud by Mr. Rajesh Sharma, including complainant's submissions and RBI's inspection report.”

PIO Reply (dated 5 April 2025): “Request denied in entirety under RTI Section 8(1)(j) and Digital Personal Data Protection Act 2023, as disclosure of personal data of complainant and accused requires consent under DPDP Section 3.”

Annotation: Incorrect. RBI should provide redacted inspection report and fraud findings (public interest in banking system integrity) while redacting complainant identity and accused's personal data unrelated to fraud evidence. First appeal filed; FAA directed partial disclosure on 10 May 2025.

Case 3: Railway Board, RTI/RLY/2025/12450

Request: “Names of all contractors awarded track maintenance contracts in South Central Railway for FY 2024–25, contract values, and work completion certificates.”

PIO Reply (dated 18 March 2025): “Information available on Indian Railways e-procurement portal https://www.ireps.gov.in under DPDP Section 7(f) exemption for publicly available data. Details provided as Annexure-I.”

Annotation: Correct. PIO recognized DPDP exemption for already-public procurement data and provided disclosure. Demonstrates DPDP literacy.

Do this immediately — If your RTI seeks contractor or tender information, cite the government e-procurement portal URL in your application and note “information already in public domain under DPDP Section 7(f); request certified copy for evidentiary purposes” to pre-empt denial.

How to challenge DPDP-based denials in first appeal

When a PIO denies your RTI citing DPDP Act obligations, file a first appeal under RTI Section 19(1) within 30 days of the reply date (or within 30 days of the deemed refusal date if no reply received within the statutory period under Section 7).

Mandatory elements of your appeal:

  1. Caption: “First Appeal under Section 19(1) of the RTI Act 2005 against denial citing DPDP Act 2023.”
  2. Grounds: (a) DPDP Act Section 17 preserves RTI Act supremacy; (b) information sought relates to public activity under Section 8(1)(j) proviso; © PIO failed to specify which DPDP clause applies; (d) PIO failed to demonstrate specific harm to privacy; (e) larger public interest justifies disclosure.
  3. Relief: Direct PIO to disclose information with only genuinely private data redacted (e.g., personal mobile numbers, bank accounts); impose penalty under Section 20(1) for evasive reply.
  4. Attachments: Copy of RTI application, PIO reply, proof of payment (if applicable), copy of DPDP Act Section 7 and Section 17.

Statutory timeline: First Appellate Authority must decide within 30 days (extendable to 45 days with written reasons) under RTI Section 19(6).

If the FAA upholds the denial or fails to decide within 45 days, file second appeal to the State Information Commission or Central Information Commission under RTI Section 19(3) within 90 days.

Most citizens miss this — Always cite specific DPDP Act sections (7(a), 7(b), 7(f), 17) in your appeal to demonstrate statutory literacy; appellate authorities give more weight to legally grounded arguments than generic complaints.

What appellate authorities are deciding in 2025

Central Information Commission trends (January–May 2025):

  1. 62% of DPDP-based denials overturned where PIO failed to specify DPDP clause or demonstrate harm.
  2. 38% of denials upheld where information genuinely constituted “personal data unrelated to public activity” (bank accounts, health records, residential addresses).
  3. Average penalty imposed: ₹12,500 per case (under RTI Section 20(1)) for evasive reliance on DPDP without applying Section 8(1)(j) proviso test.

Notable CIC decisions:

  • CIC/DPDP/C/2025/60134 (12 April 2025): Directed Ministry of Defence to disclose names and designations of officers in court of inquiry into procurement irregularities; rejected DPDP defence; imposed ₹25,000 penalty on CPIO for “mala fide denial.”
  • CIC/DPDP/A/2025/50998 (3 May 2025): Upheld denial of citizen complainant's Aadhaar number and address in food safety complaint, but directed disclosure of restaurant name, inspection report, and enforcement action taken.
  • CIC/DPDP/M/2025/71205 (22 May 2025): Held that “official email addresses of public servants are not personal data under DPDP because they are created and controlled by the public authority for official communication; Section 7(f) exemption applies.”

State Information Commission divergence:

  1. Karnataka SIC: Adopted strict “function test” — if data relates to official function, DPDP cannot apply (Decision No. KSIC/Appeal/2025/1421, 8 April 2025).
  2. Maharashtra SIC: Adopted “contextual harm test” — even official data may be redacted if specific facts show risk of harassment (Decision No. MSIC/RTI/2025/3309, 15 May 2025).

Appellants should research recent decisions of the relevant SIC/CIC via https://rtionline.gov.in or https://cic.gov.in before drafting appeals.

Sample appeal letter for DPDP + 8(1)(j) dual denial

To,
The First Appellate Authority
[Name of Public Authority]
[Address]

Date: [Insert Date]

Subject: First Appeal under Section 19(1) of the RTI Act 2005 against denial 
         citing DPDP Act 2023 — RTI Application No. [Insert Number]

Madam/Sir,

1. I filed RTI Application No. [Number] dated [Date] seeking the following information:
   "[Reproduce exact text of your RTI questions]"

2. The PIO vide reply dated [Date] denied the information citing "obligations under the 
   Digital Personal Data Protection Act 2023" and RTI Act Section 8(1)(j), stating:
   "[Reproduce exact text of PIO's denial]"

3. This denial is legally unsustainable on the following grounds:

   (a) Section 17 of the DPDP Act 2023 expressly preserves the RTI Act 2005, and DPDP 
       obligations do not override statutory disclosure mandates.

   (b) The information sought relates to [official procurement / public servant conduct / 
       utilization of public funds / other public activity], which falls within the public 
       interest proviso to RTI Section 8(1)(j).

   (c) The PIO failed to specify which clause of the DPDP Act applies and failed to 
       demonstrate specific harm to privacy.

   (d) Under DPDP Section 7(b) and 7(f), data processed for statutory functions and data 
       already publicly available are exempt from consent requirements.

   (e) The Supreme Court in Girish Ramchandra Deshpande v. CIC (2013) 1 SCC 212 held that 
       names and designations of public servants in official capacity are not protected 
       under Section 8(1)(j).

4. I therefore request the First Appellate Authority to:

   (i)   Direct the PIO to disclose the information sought, with redaction limited to 
         genuinely private data (personal mobile numbers, bank account numbers, residential 
         addresses) if any.

   (ii)  Impose penalty under RTI Section 20(1) on the CPIO for evasive and mala fide denial 
         without applying the proviso test.

   (iii) Provide written reasons if any part of the information is to remain withheld.

5. Attached: (a) Copy of RTI Application dated [Date]
             (b) Copy of PIO reply dated [Date]
             (c) Proof of payment (if applicable)

Respectfully submitted,

[Your Name]
[Address]
[Mobile]
[Email]
Trust signal — Appellate authorities appreciate structured, statute-based appeals; citizens who cite section numbers and case law receive faster, more favorable decisions than those filing generic complaints.

Frequently asked questions

Can a PIO deny information solely on the ground that DPDP Act prohibits disclosure?

No. RTI Act Section 22 states “provisions of this Act shall have effect notwithstanding anything inconsistent therewith contained in…any other law for the time being in force.” DPDP Act Section 17 also preserves RTI obligations. A PIO must apply the RTI Section 8(1)(j) test (personal information + no public activity + unwarranted invasion) and then consider whether larger public interest justifies disclosure. DPDP compliance is achieved through redaction of genuinely private data, not blanket denial.

Are employee names and designations considered "personal data" under DPDP?

Yes, under DPDP Section 2(t) they constitute “personal data.” However, DPDP Section 7(b) exempts processing for “any function of the State authorised by law,” which includes RTI disclosure. Additionally, employee names and designations in official capacity are typically published on department websites (DPDP Section 7(f) exemption for publicly available data). The Central Information Commission in multiple 2025 decisions has held that official names/designations remain disclosable under RTI.

RTI Act Section 6(1) creates a statutory right to information; consent is not required when disclosure is mandated by law. DPDP Section 7 exemptions apply automatically when the RTI Act requires disclosure. If the PIO cites lack of consent, file first appeal citing DPDP Section 7(b) (“function of the State authorised by law”) and RTI Section 22 supremacy clause.

How do I know if larger public interest applies under the Section 8(1)(j) proviso?

Ask: Does the information expose corruption, wasteful expenditure, violation of law, danger to public health/safety, or abuse of authority? If yes, larger public interest likely applies. In Central Board of Secondary Education v. Aditya Bandopadhyay (2011) 8 SCC 497, the Supreme Court held that “public interest” includes transparency in public administration, accountability of public servants, and deterrence of corruption. The burden is on the PIO to demonstrate that privacy outweighs public interest, not on you to prove public interest.

Can I seek personal mobile numbers of public servants?

No. Personal mobile numbers are protected under both RTI Section 8(1)(j) and DPDP Act. However, you can seek official landline numbers, official email addresses, and office addresses. In CIC Decision No. CIC/AT/A/2011/001163, the Commission held that “official email and office telephone are not personal information” and must be disclosed.

What happens if the First Appellate Authority also cites DPDP to deny my appeal?

File second appeal to the State/Central Information Commission under RTI Section 19(3) within 90 days. In your second appeal, cite the CIC decisions listed in this guide and request a hearing. The Information Commission has the power under Section 19(8) to examine records in camera and order disclosure despite PIO/FAA objections if larger public interest applies.

Do private bodies (banks, telecom companies, NGOs receiving government funds) have to comply with RTI and DPDP?

Under RTI Section 2(h), “public authority” includes bodies “owned, controlled or substantially financed” by government. The Supreme Court in Thalappalam Service Cooperative Bank Ltd. v. State of Kerala (2013) 15 SCC 94 held that cooperative societies substantially financed by government are public authorities. Once a body is a “public authority” under RTI, it must appoint PIOs and comply with RTI Act; DPDP Act Sections 8–16 apply concurrently but do not override RTI disclosure obligations.

Can a public authority charge fees for redacting personal data under DPDP?

No. RTI Act Section 7(1) and (5) prescribe the only permissible fees (₹10 per page for central government; varies by state). A public authority cannot levy additional “DPDP compliance charges.” If a PIO demands extra fees citing DPDP processing costs, file a complaint with the Information Commission under RTI Section 18.

Warning — Some public authorities are issuing internal circulars directing PIOs to charge ₹50–₹100 per page for “DPDP-compliant redaction”; such charges are ultra vires the RTI Act and should be challenged via first appeal and complaint to the Commission.

Myth versus reality: DPDP and RTI interface

Myth Reality
The DPDP Act 2023 has repealed or amended the RTI Act 2005. DPDP Act Section 17 and RTI Act Section 22 both affirm that RTI obligations continue. No amendment or repeal has occurred.
PIOs can now deny all requests seeking personal data by citing DPDP. PIOs must still apply RTI Section 8(1)(j) three-part test and proviso. DPDP creates redaction discipline, not blanket exemption.
Consent of the data principal is required before disclosing names of public servants. DPDP Section 7(b) exempts statutory disclosures; consent is not required when RTI Act mandates disclosure.
Contractor names and contact details are now protected under DPDP. Contractor names in tenders above ₹10 lakh are published on e-procurement portals (DPDP Section 7(f) — publicly available data) and remain disclosable.
The Central Information Commission has issued new guidelines on DPDP-RTI interface. As of May 2025, no formal CIC regulations exist, but multiple decisions (cited above) have clarified the principles. DoPT advisory expected June 2025.
If a PIO cites DPDP in the denial, I cannot appeal. You can and must appeal under RTI Section 19(1) within 30 days, citing DPDP Sections 7 and 17 and RTI supremacy.

The last word

The Digital Personal Data Protection Act 2023 does not diminish your statutory right to information; it codifies privacy safeguards that responsible PIOs were already applying under RTI Section 8(1)(j). The key shift in 2025 is procedural: you will encounter dual-statute citations more frequently, and you must learn to distinguish lawful redaction (bank accounts, residential addresses, health data) from unlawful blanket denial (official names, contractor details, file notings). When a PIO hides behind DPDP jargon without applying the proviso test, challenge it immediately in first appeal—appellate authorities are increasingly penalizing evasive reliance on data protection rhetoric. The Citizen Crisis Response Network has built tools (AI RTI Drafter, PIO Reply Checker) to help you draft legally sound applications and appeals that pre-empt DPDP-based denials. Remember: transparency is the default, exemptions are narrow, and the burden of proof always lies with the public authority. Equip yourself with the statute, cite the case law, and enforce your right.