Advocate Balachander Reddy
RTI Reply On Digital Personal Data Protection Law Exposes Serious Legal, Administrative & Constitutional Lapses; Ministry of Information and Technology (MeitY) failed to disclose any Gazette Notification enforcing Digital Personal Data Protection Act, 2023 (DPDP Act 2023)
The case highlights serious transparency and legality concerns arising from an RTI reply on the Digital Personal Data Protection Act, 2023, which admitted that the Act has not yet been enforced while simultaneously claiming that the Digital Personal Data Protection Rules, 2025 have been notified to operationalize it. This contradiction strikes at the core principle that subordinate legislation cannot exist without an operative parent statute. The CPIO’s response was found to be cryptic and evasive, as it failed to provide certified Gazette notifications, law ministry vetting records, file notings, or inter-departmental correspondence, despite no statutory exemption being invoked. Reliance on website links was held insufficient under the RTI Act. Drawing from the mandate of maximum disclosure laid down by the Supreme Court of India, the matter raises issues of violation of the right to information, legal certainty, and citizens’ right to privacy. The applicant has therefore sought appellate intervention to secure full, reasoned, and certified disclosure in public interest.
Brief Factual Matrix:
In a significant development affecting the fundamental right to privacy of over 140 crore Indian citizens, an RTI application filed in good faith by Advocate Yennam Balachander Reddy has exposed serious inconsistencies, opacity, and procedural infirmities in the Government’s handling of the Digital Personal Data Protection Act, 2023 (DPDP Act) and the purported Digital Personal Data Protection Rules, 2025.
The RTI application, dated 14 November 2025 and submitted vide Reg. No. DITEC/R/T/25/00877 to the Ministry of Electronics and Information Technology (MeitY), sought detailed statutory, administrative, and legal information regarding:
- Enforcement and operationalization timelines of the DPDP Act,
- Authority and process for rule-making,
- Vetting by the Ministry of Law & Justice,
- File notings, legal opinions, and inter-ministerial correspondence.
The reply issued by the Central Public Information Officer (CPIO) on 12 December 2025 is cryptic, mechanical, evasive, and non-speaking, thus defeating the object and purpose of the RTI Act, 2005 and undermining Article 19(1)(a) of the Constitution. The reply compels the applicant to invoke Section 19 of the RTI Act, 2005 and file a First Appeal.
Key Admissions in the CPIO Reply:
The CPIO stated:
“The Digital Personal Data Protection Act, 2023 (DPDP) has been enacted which provides the legal framework for data protection and mandates Data Fiduciaries to implement security safeguards as well as robust technical and organisational measures while processing the digital personal data. The DPDP Act is not yet enforced. Enforcement timelines of the DPDP Act are available on the Ministry website at the following URL: https://www.meity.gov.in/documents/act-and-policies. Digital Personal Data Protection Rules, 2025 (DPDP Rules, 2025) have been notified to operationalize the provisions of the Digital Personal Data Protection Act, 2023. Copy of DPDP Rules, 2025 may be downloaded from the following link: https://www.meity.gov.in/static/uploads/2025/11/53450e6e5dc0bfa85ebd78686cadad39.pdf.”

A bare reading of this reply reveals:
1. The DPDP Act has not yet been enforced.
2. No Gazette notification bringing the Act or its provisions into force has been provided.
3. Despite this, the Ministry claims the DPDP Rules, 2025 have been notified and operationalize the Act.
This response raises grave legal and constitutional concerns.
Fundamental Legal Contradiction: Rules Without an Enforced Act
It is settled law that subordinate legislation cannot operate independently of its parent statute. If the DPDP Act itself has not been brought into force through a Gazette notification under Section 1(2), then:
- The notification of Rules is legally meaningless, and
- Any claim that the Rules “operationalize” the Act is ultra vires the Constitution and the parent statute.
This contradiction creates an absurd situation:
- Citizens are told their data protection law is not yet in force,
- Yet regulated entities are expected to comply with Rules that are said to operationalize an unenforced Act.
Such ambiguity undermines legal certainty, rule of law, and legitimate expectations of citizens and fiduciaries alike.
Failure to Disclose Certified Documents
Despite clear RTI queries, the CPIO has failed to provide certified copies of:
- Gazette notifications enforcing the DPDP Act (if any),
- Gazette notification of DPDP Rules, 2025,
- Final Rules vetted by the Ministry of Law & Justice,
- Draft Rules, amendments, or explanatory notes.
Directing the applicant to a website link cannot satisfy statutory obligations under Sections 2(j) and 7(1), particularly when certified copies are explicitly requested.
Silence on Law Ministry Vetting and File Notings
The CPIO has completely ignored RTI queries seeking:
- File notings related to the DPDP Act and Rules,
- Inter-departmental correspondence between MeitY and the Ministry of Law & Justice,
- Legal opinions, comments, and objections during vetting,
- Committees, working groups, and their Terms of Reference.
No exemption under Sections 8, 9, or 11 of the RTI Act has been invoked. This silence amounts to deemed refusal, denying citizens access to essential governance information.
CBSE v. Aditya Bandopadhyay and the Mandate of Maximum Disclosure
In CBSE v. Aditya Bandopadhyay (2011) 8 SCC 497, the Hon’ble Supreme Court laid down:
“The RTI Act should be interpreted in a manner that fosters transparency and accountability in the working of public authorities.”
The Court further warned against piecemeal, evasive, or technical replies, observing:
“Indiscriminate and incomplete responses defeat the purpose of the Act.”
The present CPIO reply, avoiding disclosure of file notings, legal opinions, and statutory notifications, reflects a restrictive and defensive approach, directly contrary to the Supreme Court’s mandate.
Public Interest
The information sought is of immense public significance:
- It concerns the personal data of all Indian citizens,
- Imposes compliance obligations on startups, MSMEs, corporations, and government bodies,
- Determines potential civil and criminal liabilities, and
- Impacts India’s global commitments on digital trade and data protection.
Opaque governance of such a transformative law:
- Violates Article 21 (Right to Privacy),
- Erodes parliamentary intent,
- Creates scope for arbitrary enforcement,
- Undermines Ease of Doing Business.
Democratic Accountability at Stake
The DPDP law governs the digital lives of an entire nation. Citizens are constitutionally entitled to know:
- When the law comes into force,
- Who vetted it,
- On what legal advice,
- Through what institutional process.
The CPIO reply, instead of clarifying, has deepened uncertainty and raised more questions than answers.
Apparent Violations of RTI Act
The reply prima facie violates:
- Section 7(1) – incomplete and misleading information,
- Section 2(f) – non-disclosure of records held,
- Section 2(j) – denial of certified copies,
- Spirit of Section 4 – proactive disclosure obligations.
Conclusion
The CPIO reply, marked by contradictions, non-disclosure, and absence of reasoned response, is in clear violation of Sections 2(f), 2(j), 7(1), and the spirit of Section 4 of the RTI Act, 2005 and is contrary to the Supreme Court’s mandate in CBSE v. Aditya Bandopadhyay (2011) 8 SCC 497, which mandates maximum disclosure, institutional transparency, and accountability. By failing to provide certified statutory documents, suppressing file notings and legal vetting records, and issuing a cryptic, mechanical, and evasive reply, the CPIO has defeated the purpose of the RTI Act and undermined citizens’ constitutional right to know in a matter of immense public importance, affecting privacy, governance, and rule of law.
In these circumstances, Advocate Yennam Balachander Reddy intends to file a First Appeal under Section 19(1) of the RTI Act, 2005, challenging the impugned reply and seeking complete, certified, and reasoned disclosure in the larger public interest.
Read reply issued by the Central Public Information Officer (CPIO) on 12 December 2025

