The government is set to introduce the Digital Personal Data Protection (DPDP) Bill in Parliament.
The final draft is shrouded in secrecy.
Last week, Opposition members walked out of a meeting of the Parliamentary Standing Committee and submitted dissent notes
Objecting to the adoption of a report on the DPDP Bill — they claimed that the Bill was neither shown to the members nor formally referred to the committee.
Story so far
In November 2022, the Ministry of Electronics and Information Technology (MeitY) publicly circulated a draft of the Bill for consultation.
It was fraught with problems.
While campaigns and concerned citizens shared their suggestions, MeitY focused primarily on consulting industry and big tech companies on a law that will have vast ramifications for the information regime in India, and will impact every citizen of the country.
Do not repeat the errors
It is imperative that the data protection law does not suffer from the infirmities that the previous draft had and safeguards peoples’ fundamental rights, i.e., both the right to information and the right to privacy.
The Data Protection Bill of 2022 includes a provision to amend the Right to Information (RTI) Act, which has empowered millions of Indian citizens since its enactment in 2005.
To effectively hold their governments accountable in a democracy, people need access to information, including various categories of personal data.
For example, the Supreme Court of India has held that citizens have a right to know the names of wilful defaulters and details of the Non Performing Assets (NPAs) of public sector banks.
Democracies routinely ensure public disclosure of voters’ lists with names, addresses and other personal data to enable public scrutiny and prevent electoral fraud.
Experience of the use of the RTI Act in India has shown that if people, especially the poor and marginalised, are to have any hope of obtaining the benefits of government schemes and welfare programmes, they must have access to relevant, granular information.
For instance, the Public Distribution System (PDS) Control Order recognises the need for putting out the details of ration card holders and records of ration shops in the public domain to enable public scrutiny and social audits of the PDS.
Threat to transparency, accountability
The RTI Act includes a provision to harmonise peoples’ right to information with their right to privacy through an exemption clause under Section 8(1)(j).
Personal information is exempt from disclosure if it has no relationship to any public activity; or has no relationship to any public interest; or if information sought is such that it would cause unwarranted invasion of privacy and the information officer is satisfied that there is no larger public interest that justifies disclosure.
The enactment of a data protection law, therefore, does not require any amendment to the existing RTI law — this is also noted by the Justice A.P. Shah Report on Privacy.
The DPDP Bill 2022, however, proposes amendments to Section 8(1)(j) to expand its purview and exempt all personal information from disclosure. This threatens the very foundations of the transparency and accountability regime in the country.
A primary objective of any data protection law is to curtail the misuse of personal data, including for financial fraud.
Given that the government is the biggest data repository, an effective data protection law must not give wide discretionary powers to the government.
The DPDP Bill, 2022, unfortunately, empowers the executive to draft rules and notifications on a vast range of issues.
For instance, the central government can exempt any government or even private sector entity from the application of provisions of the law by merely issuing a notification.
This would potentially allow the government to arbitrarily exempt its cronies and government bodies such as the Unique Identification Authority of India (UIDAI), resulting in immense violations of citizens’ privacy.
On the other hand, small non-governmental organisations, research organisations, associations of persons and Opposition parties, that the government chooses not to include in the notification, would have to set up systems to comply with the stringent obligations of a data fiduciary.
Further, to meet its objective of protecting personal data, it is critical that the oversight body set up under the legislation be adequately independent to act on violations of the law by government entities.
The draft Bill does not even make a pretence of ensuring autonomy of the Data Protection Board — the institution responsible for enforcement of provisions of the law.
The central government is empowered to determine the strength and composition of the board, as well as the process of selection and removal of its chairperson and other members.
The chief executive responsible for managing the board is to be appointed by the government, giving it direct control over the institution.
The creation of a totally government-controlled Data Protection Board, empowered to impose fines upto ₹500 crore, is bound to raise serious apprehensions of it becoming another caged parrot — open to misuse by the executive to target the political opposition and those critical of its policies.
These concerns need to be urgently addressed before the DPDP Bill is enacted.
Unfortunately, given the manner in which Bills are being passed in the Parliament, without any debate or discussion, the citizens of the country might end up with a law that empowers the central government while taking away peoples’ democratic right to seek information and use it to hold the powerful to account.