The Ministry of Electronics and Information Technology has drafted a Digital Personal Data Protection (DPDP) Bill with the stated purpose of providing “for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process personal data for lawful purposes...” A data protection law must safeguard and balance peoples’ right to privacy and their right to information, which are fundamental rights flowing from the Constitution. Unfortunately, this Bill fails on both counts. There are at least four reasons why the Bill must be put through a process of rigorous pre-legislative consultation and redrafted before it makes its way to Parliament.
Diluting the RTI Act
First, the Bill seeks to dilute the provisions of the Right to Information (RTI) Act, which has empowered citizens to access information and hold governments accountable. Experience has shown that if people, especially the poor and marginalised, are to have any hope of obtaining the benefits of welfare programmes, they must have access to relevant, granular information. For instance, the National Food Security Act recognises the need for placing the details of ration card holders and records of ration shops, including sale and stock registers, in the public domain to enable social audits of the public distribution system. In the absence of publicly accessible information, it is impossible for intended beneficiaries to access their rightful entitlement of food grains. This is equally true for delivery of other social security programmes such as old age pensions and scholarships. It is behind the cloak of secrecy that the rights of individuals are most frequently abrogated and corruption thrives. In recognition of this principle, democracies ensure public disclosure of voters’ lists with names, addresses and other details to enable scrutiny and prevent electoral fraud.
The RTI Act includes a provision to protect privacy through Section 8(1)(j). In order to invoke this Section to deny personal information, at least one of the following grounds has to be proven: the information sought has no relationship to any public activity or public interest or is such that it would cause unwarranted invasion of privacy and the Public Information Officer is satisfied that there is no larger public interest that justifies disclosure. The proposed Bill seeks to amend this Section to expand its purview and exempt all personal information from the ambit of the RTI Act.
Further, under the RTI Act, exemptions are not absolute. A key provision for limiting the exemptions is the proviso to Section 8(1) which states that “information which cannot be denied to the Parliament or a State Legislature shall not be denied to any person.” The government has erred in interpreting this proviso as being applicable only to the privacy exemption of the RTI law. There are several judicial pronouncements stating that it is applicable to all exemptions. Based on an incorrect understanding of the RTI Act, this provision is sought to be deleted.
The DPDP Bill needs to be suitably amended and harmonised with the provisions and objectives of the RTI Act. This would be in line with the recommendation of the Justice A.P. Shah Report on privacy that the “Privacy Act should clarify that publication of personal data for public interest… and disclosure of information as required by the Right to Information Act should not constitute an infringement of Privacy.” Neither the recognition of the right to privacy, nor the enactment of a data protection law requires any amendment to the existing RTI law.
Second, by empowering the executive to draft rules on a range of issues, the proposed Bill creates wide discretionary powers for the Central government and thus fails to safeguard people’s right to privacy. For instance, under Section 18, it empowers the Central government to exempt any government, or even private sector entities, from the provisions of the Bill by merely issuing a notification.
Third, given that the government is the biggest data repository, it was imperative that the oversight body set up under the law be adequately independent to act on violations of the law by government entities. The Bill does not ensure autonomy of the Data Protection Board, the institution responsible for enforcement of provisions of the law. The Central government is empowered to determine the strength and composition of the Board and the process of selection and removal of its chairperson and other members. Further, the chief executive responsible for managing the Board is to be appointed by the government, which gives the government direct control over the institution. The Central government is also empowered to assign the Board any functions “under the provisions of this Act or under any other law.” The creation of a totally government-controlled Data Protection Board, vested with the powers of a civil court and empowered to impose fines up to ₹500 crore, is bound to raise serious apprehensions of its misuse by the executive.
Finally, the Bill stipulates that the Data Protection Board shall be ‘digital by design’, including receipt and disposal of complaints. As per the latest National Family Health Survey, only 33% of women in India have ever used the Internet. The DPDP Bill, therefore, effectively fails millions of people who do not have meaningful access to the Internet.