The Digital Personal Data Protection (DPDP) Bill is set to be introduced during the upcoming Monsoon Session of parliament for consideration and passage.
The draft of the Bill, circulated for consultation by the Ministry of Electronics and Information Technology (MeitY) in November 2022, was fraught with problems and was criticised both by transparency activists and those campaigning for the right to privacy.
While the version of the Bill that finally received the nod of the cabinet is not in the public domain, it is imperative to ensure that the data protection law does not suffer from the pitfalls that the previous draft had.
First, the law must not dilute the provisions of the Right to Information (RTI) Act, which has empowered millions of Indian citizens since its enactment in 2005.
To effectively hold their governments accountable in a democracy, people need access to information, including various categories of personal data. For example, the Supreme Court has held that citizens have a right to know the names of wilful defaulters and details of non-performing assets (NPAs) of public sector banks.
Democracies routinely ensure public disclosure of voters’ lists with names, addresses, and other personal data to enable public scrutiny and prevent electoral fraud. Experience of the use of the RTI Act in India has shown that if people, especially the poor and marginalised, are to have any hope of obtaining the benefits of government schemes and welfare programmes, they must have access to relevant, granular information.
For instance, the Public Distribution System (PDS) Control Order recognises the need for putting the details of ration card holders and records of ration shops in the public domain to enable public scrutiny and social audits of the PDS. In the absence of such publicly accessible personal data, it is impossible for intended beneficiaries to access their rightful entitlement of foodgrains.
To protect peoples’ right to privacy, the RTI Act includes an exemption clause under section 8(1)(j). In order to invoke this section to deny personal information, at least one of the following grounds has to be proven: the information sought has no relationship to any public activity or has no relationship to any public interest; or the information sought is such that it would cause unwarranted invasion of privacy and the information officer is satisfied that there is no larger public interest that justifies disclosure.
The Data Protection Bill of 2022 includes a provision to amend section 8(1)(j) to expand its purview and exempt all personal information from the ambit of the RTI Act! This would be a huge blow to the transparency regime in the country.
The Data Protection Bill must be harmonised with the provisions and objectives of the RTI Act. This would be in line with the recommendation of the Justice A.P. Shah report on privacy that said, “The Privacy Act should clarify that publication of personal data for public interest… and disclosure of information as required by the Right to Information Act should not constitute an infringement of privacy.”
Neither the recognition of the Right to Privacy, nor the enactment of a data protection law, requires any amendment to the existing RTI law.
Also read: Activists, Information Commissioners Fear Data Protection Bill Will Crush RTI Act Provisions
Second, given that the government is the biggest data repository, the law must not give wide discretionary powers to the executive.
The DPDP Bill, 2022, however, empowers the government to draft rules and notifications on a vast range of issues. For instance, the Union government can exempt any government or even private sector entity from the application of provisions of the law by merely issuing a notification, potentially resulting in immense violations of citizens’ privacy.
On the other hand, small NGOs, research organisations, associations of persons, and opposition parties that the government chooses not to include in the notification would have to set up systems to comply with the stringent obligations of a data fiduciary as described in the law.
Third, it is imperative that the oversight body set up under the legislation is adequately independent to act on violations of the law by government entities.
The draft Bill does not ensure autonomy of the Data Protection Board – the institution responsible for the enforcement of provisions of the law.
The Union government is empowered to determine the strength and composition of the Board, as well as the process of selection and removal of its chairperson and other members. Further, the chief executive responsible for managing the Board is to be appointed by the government, giving it direct control over the institution.
The Union government is also empowered to assign the Board any functions “under the provisions of this Act or under any other law.”
The creation of a totally government-controlled Data Protection Board, vested with powers of a civil court and empowered to impose fines of up Rs 500 crore, is bound to raise serious apprehensions of it becoming another caged parrot, open to misuse by the executive.
Fourth, the law must provide an accessible, people-friendly framework of grievance redress for affected persons to approach the oversight body. The 2022 Bill stipulates that the Data Protection Board shall be ‘digital by design,’ including receipt and disposal of complaints.
As per the latest National Family Health Survey-5, only one in three women in India (33%) ever used the internet. The DPDP Bill, therefore, effectively fails millions of people in the country who do not have meaningful access to the internet.
Finally, in the case of a data breach, the victim must be able to seek monetary compensation.
The DPDP Bill has no provision for compensation of any form. In fact, the Bill defines duties of a data principal (those whose personal data is collected) and provides for penalty imposition on them for registering frivolous complaints.
The authors are associated with the National Campaign for Peoples’ Right to Information and Satark Nagrik Sangathan.