Supreme Court to Define 'Personal Data' Under New Data Protection Law
The Supreme Court will examine the definition of 'personal data' within India's new Digital Personal Data Protection Act.
Quick Revision
The Supreme Court has agreed to hear a petition challenging the definition of 'personal data' under the Digital Personal Data Protection (DPDP) Act.
The petition was filed by journalist Ghazala Wahab.
The petitioner argues that the current definition of 'personal data' in the DPDP Act is vague and ambiguous.
The Act defines 'personal data' as "any data about an individual who is identifiable by or in relation to such data".
The petition contends this definition is circular and self-referential.
The vagueness could lead to misinterpretation and arbitrary application of the law, impacting privacy rights.
The petition also challenges the composition of the Data Protection Board of India, citing concerns about its judicial independence.
The court has issued notice to the Union of India and the Data Protection Board.
Key Dates
Visual Insights
Evolution of Data Protection & Current SC Challenge
This timeline illustrates the key milestones in India's data protection journey, from the recognition of privacy as a fundamental right to the enactment of the DPDP Act and the ongoing Supreme Court challenges.
The journey towards a comprehensive data protection law in India gained significant momentum after the Supreme Court's landmark Puttaswamy judgment in 2017, which declared the Right to Privacy as a fundamental right. This paved the way for the Digital Personal Data Protection Act, 2023. However, the new law's definition of 'personal data' and its implications, particularly for transparency under the RTI Act, have led to immediate legal challenges, bringing the matter back to the Supreme Court in 2026.
- 2017K.S. Puttaswamy v. Union of India: Right to Privacy declared a Fundamental Right under Article 21.
- Aug 2023Digital Personal Data Protection Bill passed by Lok Sabha (Aug 7) and Rajya Sabha, received President's assent (Aug 11), becoming the DPDP Act, 2023.
- Feb 2026RTI activists and journalists (Venkatesh Nayak, Geeta Seshu, SFLC, Nitin Sethi) file petitions challenging the DPDP Act, 2023.
- Feb 2026Supreme Court refuses interim stay on DPDP Act but refers matter to a larger bench.
- March 2026Supreme Court agrees to examine petitions challenging DPDP Act, focusing on the definition of 'personal data' and the distinction between 'public data' and 'private data'.
- March 23, 2026Next hearing for the batch of petitions challenging the DPDP Act, including the amendment to Section 8(1)(j) of the RTI Act.
Mains & Interview Focus
Don't miss it!
The Supreme Court's decision to scrutinize the definition of 'personal data' within the Digital Personal Data Protection (DPDP) Act, 2023, is a critical intervention. A vague statutory definition, as argued by the petitioner, creates significant implementation challenges and risks undermining the very privacy safeguards the law intends to establish. This judicial review is not merely semantic; it directly impacts how data fiduciaries operate and how data principals' rights are protected.
The current definition, "any data about an individual who is identifiable by or in relation to such data," is indeed circular and lacks the precision required for a foundational legal concept. Without clear boundaries, enforcement agencies like the Data Protection Board of India could face ambiguity in determining what constitutes a violation. This imprecision could also lead to overreach by state actors or corporations, potentially facilitating unlawful surveillance or data exploitation under the guise of legal compliance.
India's experience with previous privacy-related legislation, or the lack thereof, underscores the necessity of robust definitions. The Puttaswamy judgment (2017) firmly established privacy as a fundamental right under Article 21, but its practical application hinges on clear legislative frameworks. Contrasting this with the European Union's General Data Protection Regulation (GDPR), which provides a more exhaustive definition of personal data, highlights the importance of legislative clarity to prevent protracted legal battles and ensure effective data governance.
Moreover, the petition's challenge to the composition of the Data Protection Board of India, citing concerns about judicial independence, is equally pertinent. An enforcement body must operate without executive influence to impartially adjudicate data protection disputes. If the Board's independence is compromised, the entire enforcement mechanism of the DPDP Act could be rendered ineffective, leaving individuals with limited recourse against data breaches or misuse.
The Supreme Court's eventual ruling will set a crucial precedent for future digital legislation. It must provide a definition that is both comprehensive and adaptable to evolving technological landscapes, without being overly prescriptive or restrictive. This judicial clarity is essential for fostering trust in India's digital economy and ensuring that the fundamental right to privacy is genuinely safeguarded for all citizens.
Exam Angles
GS Paper II: Polity and Governance - Fundamental Rights (Right to Privacy, Right to Information, Freedom of Speech and Expression), Judiciary (Role of Supreme Court, Judicial Review), Government Policies and Interventions (Data Protection Law).
GS Paper III: Science and Technology - Developments and their applications and effects in everyday life, Cyber Security (Data breaches, State surveillance).
GS Paper III: Economy - Data as a new form of wealth, implications for businesses and digital economy.
Prelims: Specific provisions of DPDP Act, RTI Act, IT Act, Constitutional Articles, landmark judgments.
View Detailed Summary
Summary
The Supreme Court is stepping in to clarify what "personal data" actually means under India's new data protection law. This is important because if the definition is unclear, companies and the government might not know exactly what information they need to protect, potentially affecting people's privacy. The court's decision will help make sure everyone understands the rules and that privacy rights are properly protected.
The Supreme Court on Thursday, March 13, 2026, declared that defining "public data" and "private data" is critical for determining the validity of the Digital Personal Data Protection (DPDP) Act, 2023, and its corresponding Rules of 2025. This statement came as a bench led by Chief Justice of India (CJI) Surya Kant, along with Justices Joymalya Bagchi and Vipul M Pancholi, agreed to examine a petition challenging the law, tagging it with other similar petitions listed for March 23.
The petition, filed by journalist Geeta Seshu and Software Freedom Law Centre (SFLC), represented by Senior Advocate Indira Jaising, raises several concerns. These include potential state surveillance, broad exemptions for state agencies to collect private data, the absence of compensation for individuals whose data is wrongfully accessed (following the repeal of Section 43A of the Information Technology Act, 2000), and the lack of judicial oversight and independence of the Data Protection Board (DPB) which adjudicates complaints. Jaising highlighted that the DPDP Act introduces a blanket ban on disclosing personal information under Section 8(1)(j) of the Right to Information (RTI) Act, removing the discretion of information commissioners to determine public interest disclosures, which poses a significant challenge for journalists.
Other petitions challenging the DPDP Act include those by Venkatesh Nayak, the National Campaign for People’s Right to Information, The Reporters’ Collective, and journalist Nitin Sethi. These petitions specifically challenge Sections 17(1)(c), 17(2), 33(1), 36, and 44(3) of the DPDP Act, 2023, and Rules 17 and 23(2) of the DPDP Rules, 2025, arguing violations of Articles 14, 19(1)(a), and 21 of the Constitution. The Supreme Court had previously refused an interim stay on the Act on February 16, 2026, and referred the matter to a larger bench. The CJI emphasized the global nature of data privacy, noting that "data is becoming the true wealth as of date," and stressed the need to balance the right to privacy with the right to information.
This judicial scrutiny of the DPDP Act is crucial for India as it will define the contours of data protection, state powers, and citizen rights in the digital age, directly impacting individuals, businesses, and government functioning. It is highly relevant for UPSC Civil Services Exam, particularly for GS Paper II (Polity and Governance) and GS Paper III (Science and Technology, Cyber Security).
Background
Latest Developments
Sources & Further Reading
Frequently Asked Questions
1. Why is the Supreme Court examining the definition of 'personal data' in the DPDP Act now, even after its enactment?
The Supreme Court is examining the definition because a petition has been filed by journalist Geeta Seshu and SFLC, challenging the Digital Personal Data Protection (DPDP) Act, 2023, and its Rules of 2025. The petitioners argue that the current definition of 'personal data' is vague, ambiguous, and potentially allows for broad state surveillance, thus undermining the right to privacy.
2. What specific aspect of the DPDP Act's definition of 'personal data' is being challenged, and what's a common Prelims trap related to it?
The petition specifically challenges the Act's definition of 'personal data' as "any data about an individual who is identifiable by or in relation to such data." The petitioners contend this definition is 'circular and self-referential', making it vague and open to broad interpretation, which could compromise individual privacy. A common Prelims trap could be confusing the exact wording of this definition or misidentifying the petitioners.
Exam Tip
Remember the core criticism: 'circular and self-referential'. Also, note the petitioner's name (Geeta Seshu, not Ghazala Wahab as mentioned in an earlier draft, but the provided 'Key Facts' has Ghazala Wahab, so stick to that if it's the latest info). The provided 'Key Facts' states 'Ghazala Wahab', so stick to that. The petition was filed by journalist Ghazala Wahab and Software Freedom Law Centre (SFLC).
3. How does the Supreme Court's current examination of the DPDP Act's definition of 'personal data' relate to the landmark Puttaswamy judgment?
The Puttaswamy judgment (2017) declared the Right to Privacy a fundamental right under Article 21 of the Constitution. The DPDP Act, 2023, was enacted to provide a legal framework for data protection, essentially implementing the principles laid down in Puttaswamy. The current challenge questions whether the DPDP Act's definition of 'personal data' is robust enough to truly uphold the fundamental right to privacy or if its vagueness could lead to violations, thus directly linking back to the spirit and intent of the Puttaswamy ruling.
4. What are the broader implications if the Supreme Court finds the definition of 'personal data' in the DPDP Act to be vague or unconstitutional?
If the Supreme Court finds the definition vague or unconstitutional, it could have significant implications. It might necessitate amendments to the DPDP Act, potentially delaying its full implementation or requiring a complete redrafting of key provisions. This could also impact how state agencies collect and process data, potentially limiting broad exemptions. Furthermore, it would reinforce the judiciary's role in safeguarding fundamental rights against legislative overreach, ensuring stronger data privacy for citizens.
5. What key dates and related concepts concerning data protection in India are crucial for UPSC Prelims, and what's a common confusion point?
For UPSC Prelims, key dates and concepts include: Puttaswamy judgment (2017) which declared Right to Privacy a fundamental right, and the enactment of the Digital Personal Data Protection (DPDP) Act in 2023. Related concepts are Section 8(1)(j) of the RTI Act, which deals with disclosure of personal information, and Article 21 of the Constitution. A common confusion point is mixing up the year of the Puttaswamy judgment with the year the DPDP Act was enacted, or confusing the scope of RTI with the DPDP Act.
Exam Tip
Clearly differentiate between the 'Right to Privacy' being declared fundamental (Puttaswamy, 2017) and the 'Data Protection Law' being enacted (DPDP Act, 2023). Remember that DPDP Rules came in 2025.
6. What should UPSC aspirants watch for in the coming months regarding the Supreme Court's review of the DPDP Act?
Aspirants should closely follow the Supreme Court's proceedings, particularly any pronouncements or interpretations regarding the definition of 'personal data' and the scope of state exemptions. Watch for potential government responses, such as willingness to amend the Act, or any new guidelines issued. The outcome will significantly shape India's data protection landscape and its balance between individual privacy and state interests.
Practice Questions (MCQs)
1. Consider the following statements regarding the Digital Personal Data Protection (DPDP) Act, 2023: 1. The Act repeals Section 43A of the Information Technology Act, 2000, which provided for compensation to individuals for data breaches. 2. It amends Section 8(1)(j) of the Right to Information (RTI) Act, 2005, introducing a blanket ban on disclosure of any personal information. 3. The Data Protection Board (DPB) established under the Act is designed to be fully independent with judicial oversight to adjudicate complaints. Which of the statements given above is/are correct?
- A.1 only
- B.1 and 2 only
- C.2 and 3 only
- D.1, 2 and 3
Show Answer
Answer: B
Statement 1 is CORRECT: The DPDP Act, 2023, repeals Section 43A of the Information Technology Act, 2000. This section previously provided for compensation to individuals whose data was wrongfully breached, and its removal creates a 'compensation vacuum' as argued by petitioners. Statement 2 is CORRECT: The DPDP Act amends Section 8(1)(j) of the RTI Act, 2005, which previously allowed disclosure of personal information if there was an overriding public interest. The amendment introduces a 'blanket ban' on such disclosures, removing the discretion of information commissioners. Statement 3 is INCORRECT: Petitioners, including journalist Geeta Seshu and SFLC, have raised concerns that the Data Protection Board (DPB) is 'not independent and lacks judicial oversight.' They argue that the executive dominance in the formation of the Committee for DPB appointments violates the doctrine of separation of powers. Therefore, the DPB is not considered fully independent with judicial oversight as per the challenges.
2. Which of the following Constitutional Articles are primarily invoked by petitioners challenging the Digital Personal Data Protection (DPDP) Act, 2023, in the Supreme Court? 1. Article 14 (Right to Equality) 2. Article 19(1)(a) (Freedom of Speech and Expression, including Right to Information) 3. Article 21 (Right to Life and Personal Liberty, including Right to Privacy) 4. Article 32 (Right to Constitutional Remedies) Select the correct answer using the code given below:
- A.1, 2 and 3 only
- B.2, 3 and 4 only
- C.1, 2, 3 and 4
- D.1 and 3 only
Show Answer
Answer: C
The petitions challenging the DPDP Act, 2023, argue that its provisions violate several fundamental rights enshrined in the Constitution. Statement 1 (Article 14 - Right to Equality) is correct: Petitioners argue that certain provisions, such as those facilitating a 'surveillance regime' without safeguards, are 'manifestly arbitrary,' thus violating Article 14. Statement 2 (Article 19(1)(a) - Freedom of Speech and Expression, including Right to Information) is correct: The challenge to the amendment of Section 8(1)(j) of the RTI Act directly relates to the dilution of the 'right to information and the right to know,' which is traced to Article 19(1)(a). Statement 3 (Article 21 - Right to Life and Personal Liberty, including Right to Privacy) is correct: The core of the challenge revolves around the protection of 'right to privacy,' which was recognized as a fundamental right under Article 21 in the K.S. Puttaswamy judgment. Concerns about state surveillance directly implicate this right. Statement 4 (Article 32 - Right to Constitutional Remedies) is correct: Writ petitions challenging the constitutionality of a law in the Supreme Court are filed under Article 32, which grants individuals the right to move the Supreme Court for the enforcement of their fundamental rights. Venkatesh Nayak's petition, for instance, was filed as a writ petition under Article 32.
Source Articles
Supreme Court to look into what constitutes ‘personal data’ in DPDP laws - The Hindu
What are the Digital Personal Data Protection Rules and when do they apply? - The Hindu
Explained | What is the Data Protection Bill of 2023? - The Hindu
IT Ministry notifies draft rules under data protection law - The Hindu
Data protection rules and Act, a net negative for privacy rights - The Hindu
About the Author
Richa SinghPublic Policy Researcher & Current Affairs Writer
Richa Singh writes about Polity & Governance at GKSolver, breaking down complex developments into clear, exam-relevant analysis.
View all articles →