‘Personal data bill will boost digital economy, says Nasscom.’ This industry response to the Digital Personal Data Protection (DPDP) Bill 2023 that was introduced in Parliament reveals the real purpose of the Bill — legalising data mining rather than safeguarding the right to privacy.
The right to privacy was reaffirmed by a nine-judge Constitutional bench of the Supreme Court in 2017. It set an international benchmark and illustrated the new challenges to the right to privacy posed by the digital age. The DPDP Bill 2023, which was introduced in the Lok Sabha last week, is an outcome of the debate around the right to privacy.
The right to information provides us access to government documents to ensure transparency and accountability of the government. Enacted as a law, the Right to Information Act (RTI) 2005 has played a critical role in deepening democratic practices. The much-awaited DPDP Bill 2023 ends up undermining our right to information, without doing much to protect our right to privacy.
Complementary or competing rights?
In a crucial way, the two rights complement each other. Broadly speaking, the right to information seeks to make the government transparent to us, while the right to privacy is meant to protect us from government (and increasingly, private) intrusions into our lives.
Yet, there are some tensions between the right to information and the right to privacy. For example, under the Mahatma Gandhi National Rural Employment Guarantee Act (MGNREGA), mandatory disclosure provisions are meant to ensure that workers can monitor expenditure and also facilitate public scrutiny through social audits. Everyone has access to data about individuals registered under the Act, including when and how much was paid to each worker. The flip side of this, that has become apparent in recent times, is that unscrupulous operators can monitor, even scrape data systematically to swindle workers of their hard-earned wages (for example, showing up at their doorstep with offers of lucrative ‘savings’ or ‘insurance’ or with wares to sell).
However, the recently introduced DPDP Bill 2023 makes little attempt to deal with these hard questions. Instead, it makes the government less transparent to us while making us transparent to both the government and private interests.
The Bill states that it is “A Bill to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such data for lawful purposes”. Section 4(2) defines “lawful purposes” in the broadest possible manner as “any purpose which is not expressly forbidden by the law”. Thus, as scraping information on wages/pensions paid to workers/ pensioners or mobile numbers of government scheme beneficiaries from government portals is “not expressly forbidden”, data mining can merrily continue. Section 36 allows the central government to ask the Board, data fiduciary or others to “furnish such information as it may call for”. Sections 4(2) and 36 together make our data fair game for both government and private entities.
Undermining the Right to Information
The Right to Information Act 2005 anticipated some of these tensions and the consequent need to limit its own reach. Therefore, Section 8 of the RTI 2005 listed situations where “exemption from disclosure of information” would be granted.
Section 8(1)(j) grants exemption from disclosure if the information which relates to personal information sought “has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual”, unless a public information officer feels that larger public interest justifies disclosure. It set a high benchmark for exemption – “information which cannot be denied to the Parliament or a State Legislature shall not be denied to any person.” The DPDP Bill 2023 suggests replacing Section 8(1)(j) with just “information which relates to personal information”.
This will undermine the RTI 2005. To give just one example, the current requirement for public servants (including judges, and Indian Administrative Service officers) to disclose their immovable assets will likely be off limits. This is indeed “information related to personal information”, but it serves a larger public interest (for example, to identify public servants with disproportionate assets).
Ignoring social, political and legal context
The DPDP 2023 suffers from other shortcomings. For instance, the Data Protection Board, an oversight body will be under the boot of the government as the chairperson and members are to be appointed by the central government (Section 19). The DPDP Bill 2023 attempts to pass off a lame-duck as a watchdog.
In Europe, the General Data Protection Regulation (GDPR) set a high standard for data protection. It has a strong watchdog that operates in a society with universal literacy, and high digital and financial literacy. For instance, in France, the data protection regulator was able to fine Google €50 million for violation of policies related to consent. Yet, Edward Snowden warned of the real danger of GDPR becoming a “paper tiger”, that “the problem isn’t data protection, the problem is data collection.” Restricting data collection is not even being discussed in India.
A weak board combined with the lack of universal literacy and poor digital and financial literacy, as well as an overburdened legal system, mean that the chances that citizens will be able to seek legal recourse when privacy harms are inflicted on them are slim.
Reetika Khera is a professor of economics at the Indian Institute of Technology Delhi