Shrouded in Secrecy

Dangers in the DPDP Act

Amrita Johri & Anjali Bhardwaj*

The Digital Personal Data Protection (DPDP) Act, 2023 was passed in Parliament in the Monsoon session. The deliberative process around the legislation remained shrouded in secrecy and seemed largely focussed on the concerns of industry. Just prior to the bill being brought to Parliament, opposition members walked out of a meeting of the Parliamentary Standing Committee and submitted dissent notes, objecting to the adoption of a report on the issue of Data Protection — claiming that the proposed bill was neither shown to the members nor formally referred to the committee.

The DPDP Act continues to suffer from the problems that civil society, including the National Campaign for Peoples’ Right to Information (NCPRI), pointed out in the earlier drafts, including the weakening of the RTI Act through amendments and the lack of independence and autonomy of the oversight body, the Data Protection Board.

Blow To Right To Know And Accountability

The Data Protection Act includes a provision to amend the Right to Information (RTI) Act, which has empowered millions of Indian citizens since its enactment in 2005. To effectively hold their governments accountable in a democracy, people need access to information, including various categories of personal data. For example, the Supreme Court of India has held that citizens have a right to know the names of wilful defaulters and details of the Non-Performing Assets (NPAs) of public sector banks. Democracies routinely ensure public disclosure of voters’ lists with names, addresses and other personal data to enable public scrutiny and prevent electoral fraud.

Experience of the use of the RTI Act in India has shown that if people, especially the poor and marginalised, are to have any hope of obtaining the benefits of government schemes and welfare programmes, they must have access to relevant, granular information. For instance, the Public Distribution System (PDS) Control Order recognises the need for putting out the details of ration card holders and records of ration shops in the public domain to enable public scrutiny and social audits of the PDS.

The RTI Act includes a provision to harmonise peoples’ right to information with their right to privacy through an exemption clause under Section 8(1)(j). Personal information is exempt from disclosure if it has no relationship to any public activity; or has no relationship to any public interest; or if information sought is such that it would cause unwarranted invasion of privacy and the information officer is satisfied that there is no larger public interest that justifies disclosure.

The enactment of a data protection law, therefore, should not require any amendment to the existing RTI law — this is also noted by the Justice AP Shah Report on Privacy. The DPDP Act, however, makes amendments to Section 8(1)(j) to expand its purview and exempt all personal information from disclosure. This threatens the very foundations of the transparency and accountability regime in the country.

Wide Discretion to Government

A primary objective of any data protection law is to curtail the misuse of personal data, including for financial fraud. Given that the government is the biggest data repository, a robust data protection law must not give wide discretionary powers to the government. The DPDP Act, unfortunately, empowers the executive to draft rules and notifications on a vast range of issues. For instance, the central government can exempt any government or even private sector entity from the application of provisions of the law by merely issuing a notification. This potentially allows the government to arbitrarily exempt its cronies and government bodies such as the Unique Identification Authority of India (UIDAI), resulting in immense violations of citizens’ privacy. On the other hand, small non-governmental organisations, research organisations, associations of persons and opposition parties that the government chooses not to include in the notification would have to set up systems to comply with the stringent obligations of a data fiduciary.

Caged Parrot by Design

Further, to meet its objective of protecting personal data, it is critical that the oversight body set up under a good legislation be adequately independent to act on violations of the law by government entities. The Act does not even make a pretence of ensuring autonomy of the Data Protection Board — the institution responsible for enforcement of provisions of the law. The central government has several powers including appointing the Chairperson and members and deciding the strength of the Board.

The creation of a totally government-controlled Data Protection Board, empowered to impose fines up to Rs. 500 crore, is bound to raise serious apprehensions of it becoming another caged parrot — open to misuse by the executive to target the political opposition and those critical of its policies.

The failure to address these concerns in the DPDP Act means the citizens of the country have ended up with a law that empowers the central government while taking away peoples’ democratic right to seek information and use it to hold the powerful to account.



July-September, 2023