Proposed Data Protection Law Overrides RTI
As we live in a data driven world the sharing of this data indeed gives us lots of benefits but at the same time it is not safe as well. When our personal data being available with lots of people, individuals and organisations, our privacy is at risk? Many Govt or private sector organisations have personal data about their clients and customers like names, addresses, contact details. Sensitive information like medical health data is also available with people. When this personal information goes into the wrong hands people could be harmed. Depending on the situation, they could become victims of identity theft, discrimination or even physical harm. That is the reason many countries have already enacted legislations to safeguard the personal data of their citizens. The Govt of India also introduced the Digital Personal Data Protection Bill, 2023 (DPDP Bill) in parliament and this was passed by the Lok Sabha on Monday August 7th 2023 amid criticism from opposition parties and Right to Information Activists. The bill contains substantial penalties, which ranges between Rs 50 crore to a maximum of Rs 250 crore, for those found violating the provisions of this proposed law.
What is Data Protection Bill 2023
The basic aim of the Digital Personal Data Protection Bill, 2023 is to establish a legislative framework for the protection of personal data. The law allows to oversee the personal data collected within India, both online and offline data that has been subsequently digitised isn’t misused. As per the data protection bill 2023 if the data processing takes place outside India but involves offering goods or services to the people within the country, the provisions of this bill would apply automatically.
The Union Minister of Communications, Electronics and Information Technology Mr Ashwini Vaishnaw had introduced the bill in the Lok Sabha on August 3rd 2023 in spite of the criticism from the opposition. The opposition parties had been demanding to refer the bill to the standing committee for changes and modification. The Union Minister, however, defended the Govt’s stand and called this bill as a “normal bill” and moved it for discussion. The proposed data protection law applies to all the business ventures, societies, groups, clubs or any other public enterprises. Even a sole trader or self-employed person working for himself or herself also comes under the ambit of the new law. This means organisations or individuals having registered entities and only employ a handful of staff or not employ any staff at all, they too come under the purview of the proposed Personal Data Protection Law.
SCs judgement
The Supreme Court of India In 2017 declared the Right to Privacy a fundamental right, as this is “intrinsic” to our guarantee of “life and personal liberty” under the provisions of the Article 21 of the Constitution. To understand this in a more easy way , the citizens of the country in an age of data are supposed to be granted the complete ownership of their personal data. Unfortunately the proposed Personal Data Protection legislation that is being debated , discussed and drafted since 2018 by the panel headed by Justice Srikrishna submitted a proposal to Govt in 2018. Several drafts were prepared and a joint parliamentary committee (JPC) was given several extensions to examine. The JPC on Data Protection Bill advised for extending the scope of this bill to cover non-personal data as well as specific breaches that may compromise the confidentiality, integrity or availability of such data. Among other things, it also wanted social media platforms that do not act as hands-off intermediaries to be held accountable as publishers for the content they host.
Right to Consent
The Individuals need to give consent before their data is processed and “every individual should know what items of personal data a Data Fiduciary wants to collect and the purpose of such collection and further processing. Individuals also have the right to withdraw consent from a Data Fiduciary. The term ‘Data Fiduciary,’ referring to any entity determining how personal data is processed. This encompasses organisations collecting data for services, research, or marketing. The Digital Personal Data Protection Bill (DPDP Bill 2023) has a provision of ‘Significant Data Fiduciary’ (SDF), which carries additional obligations. SDFs are determined based on factors like data volume, sensitivity, processes, turnover, and technology use. The proposed law makes it mandatory on data fiduciaries to safeguard personal data and privacy. The makes sure the consent is sought, requiring it to be informed, specific, clear, and reversible.
Data Protection Board
The data principal means the natural person/individual to whom the personal data relates. The Data principals will have the right to demand the erasure and correction of data collected by the data fiduciary (company). Data principals will also have the right to nominate an individual who will exercise these rights in the event of their death or incapacity. Under the new Data Protection Bill there is a provision to establish a Data Protection Board (DPB) to ensure compliance with the Bill. In case of an unsatisfactory response from the Data Fiduciary, the consumers can file a complaint to the Data Protection Board. But the constitution of this board is sole responsibility of Govt and there can be pick and chose during this process. Like Information Commission under RTI , there is no role of opposition while constituting Data Protection Board .
DPDP v/s RTI
Several leading RTI activists like Aruna Roy , Nikhil Dey, Anjali Bhardwaj and many others across the country have been opposing some provisions contained in the DPDP Bill 2023. The activists had urged upon the Govt to adopt an extensive and rigorous pre-legislative consultation process for the proposed DPDP Bill, including ensuring dissemination of the draft bill through various modes and in multiple languages. The Govt is said to have held only a handful of consultations and RTI campaigners were not invited in it. Their main concern is the amendments made to RTI Act 2005 (section 8(1) (j) ) by the DPDP Bill, 2023 passed in Lok Sabha today. The amendments in the the RTI Act, 2005 through the DPDP Bill will severely restrict the scope of the RTI Act and adversely impact the ability of people to access information as many people would take advantage of data protection law by not sharing public information under the garb of personal information as mentioned in section 8 (1) (J) of RTI Act 2005. The section 8(1)(j) of the RTI Act, 2005 reads:
“Notwithstanding anything contained in this Act, there shall be no obligation to give any citizen
(j) information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information:”
Congress MP Adhir Ranjan Chowdhury while speaking during the debate on the new Data Protection Bill said that it was a “sinister move” to “trample” the Right to Information Act, 2005. He added that the change will introduce an “era of corruption” because personal data like assets and liabilities, and educational qualification of “corrupt government functionaries won’t be revealed
Noted RTI campaigner in India Aruna Roy in a letter to Govt said “Through this amendment, all personal information can be denied, even if disclosure of that information is relevant to the larger part of public activity or in public interest as provided for in Section 8 of the RTI Act. This gives legal sanction for government entities, government functionaries and political executives to remain opaque in their functioning.”
Conclusion
The enactment of Data Protection Law is a welcome step but the way section 8(1)(j) of RTI Act 2005 has been amended through this act is not a good decision at all. The Govt should have held more consultations before introducing this bill in Lok Sabha. The DPDP Bill 2023 passed by the Lok Sabha says that the personal information of public officials will not be disclosed. In future corrupt government officials would take refuge under this provision and sharing of information under RTI can be restricted.
Dr Raja Muzaffar Bhat is an Acumen Fellow. He is Founder and Chairman of Jammu & Kashmir RTI Movement