TeaThe Ministry of Electronics and Information Technology has drafted a Digital Personal Data Protection (DPDP) Bill, which aims to “provide for the processing of digital personal data in a manner that meets both the right and the need for protection of personal data of individuals”. to process personal data for legitimate purposes…” A data protection law must protect and balance people’s right to privacy and their right to information, which are fundamental rights derived from the Constitution Unfortunately, this bill has failed on both counts. There are at least four reasons why the bill should have been put through a process of rigorous pre-legislative consultation and redrafted before making its way to Parliament. should be done.
Dilution of RTI Act
First, the Bill seeks to dilute the provisions of the Right to Information (RTI) Act, which has empowered citizens to access information and hold governments accountable. Experience has shown that if people, especially the poor and marginalised, are to have any hope of reaping the benefits of welfare programmes, they must have access to relevant, detailed information. For example, the National Food Security Act recognizes the need to keep records of ration shops, including details of ration card holders and sales and stock registers, in the public domain to enable social audit of the public distribution system. In the absence of publicly accessible information, it is impossible for the intended beneficiaries to access their rightful entitlement of food grains. This is equally true for the delivery of other social security programs such as old age pensions and scholarships. It is under the cover of secrecy that the rights of individuals are most often abrogated and corruption flourishes. In recognition of this principle, democracies ensure public disclosure of voter lists with names, addresses and other details to enable scrutiny and prevent electoral fraud.
The RTI Act includes a provision to protect confidentiality through section 8(1)(j). For invoking this section for refusal of personal information, at least one of the following grounds has to be proved: The information sought has no relation to any public activity or public interest or is such that it is a matter of confidentiality and public interest. causes unwarranted attack on the information officer is satisfied that there is no overriding public interest justifying the disclosure. The proposed Bill seeks to amend this section to widen the scope of this section and to exclude all personal information from the purview of the RTI Act.
Further, the exemptions under the RTI Act are not absolute. An important provision to limit the exemption is the provision of section 8(1), which states that “information which cannot be denied to Parliament or a State Legislature shall not be denied to any person.” The government has interpreted this provision to apply only to the confidentiality exemptions of the RTI Act. There are several judicial pronouncements saying that this applies to all exemptions. The demand for deletion of this provision has been made on the basis of a misunderstanding of the RTI Act.
The DPDP Bill needs to be suitably amended and harmonized with the provisions and objectives of the RTI Act. This would be in line with the recommendation of Justice AP Shah’s report on privacy that “the Privacy Act should make it clear that the publication of personal data is in the public interest … and that disclosure of information required by the Right to Information Act should not violate privacy”. ” Neither the recognition of the right to privacy nor the enactment of a data protection law requires any amendment to the existing RTI Act.
Second, by empowering the executive to draft rules on a number of issues, the proposed Bill creates wide discretionary powers for the central government and thus fails to protect people’s right to privacy. For example, under Section 18, it empowers the Central Government to exempt any government, or even private sector entities, from the provisions of the Bill simply by issuing a notification.
government regulation
Third, given that the government is the largest data repository, it was imperative that the oversight body set up under the law is sufficiently independent to act on violations of the law by government entities. The Bill does not ensure the autonomy of the Data Protection Board, which is the body responsible for implementing the provisions of the Act. The Central Government is empowered to determine the strength and composition of the Board and the procedure for the selection and removal of its Chairman and other members. Furthermore, the chief executive responsible for managing the board has to be appointed by the government, which gives the government direct control over the institution. The Central Government is empowered to assign any functions to the Board “under the provisions of this Act or under any other law”. The creation of a fully government-controlled data protection board, vested with the powers of a civil court and empowered to impose fines of up to ₹500 crore, is bound to raise serious apprehensions of its misuse by the executive.
Finally, the Bill stipulates that the Data Protection Board will be ‘digital by design’, including for the receipt and disposal of complaints. According to the latest National Family Health Survey, only 33% of women in India have ever used the internet. Therefore, the DPDP bill effectively fails the millions of people who do not have meaningful access to the Internet.