
The Great Data Heist: The Digital Personal Data Protection Act Incentivises Building Of A Surveillance State

During the recently concluded monsoon session of Parliament, the Government rammed through several key pieces of legislation amid repeated disruptions due to the opposition’s demand for a debate on the ethnic violence in Manipur that broke out on May 3. Crucial among these was the Digital Personal Data Protection (DPDP) Bill, 2023.

The government has called it path-breaking legislation in favour of the people, but unfortunately the Bill itself was passed rather surreptitiously, within four days of introduction and without any debate, by a voice vote amidst the din in both Houses.

The warnings given by several opposition members that it would crush citizens’ privacy rights, leading to a surveillance state, and must be forwarded to a joint parliamentary panel for scrutiny failed to elicit a response from both the government and the Speaker in the Lok Sabha and the Chairman of the Rajya Sabha. The government did not waste any time in securing presidential assent on August 11, making it an Act.

The details of this important Act that defines the parameters of personal data protection remained shrouded in mystery till the very last day. According to members of the department-related Parliamentary Standing Committee on Communications and Information Technology from the opposition benches, the Bill’s final draft was not even shown to them.

Adding flavour to the design was the fact that the committee had adopted a report titled “Citizen’s Data Security and Privacy” supposedly containing the committee’s recommendations as late as July 26 but the opposition members in the committee claimed that they did not approve of the report as it was prepared bypassing parliamentary procedure. The procedure requires a Bill to be first introduced in either House before referral to a standing committee. They also alleged that they had little time to review the report.


In presenting the DPDP Bill, 2023, the government overrode the Justice B.N. Srikrishna Committee’s recommendations that were incorporated in the older Personal Data Protection Bill, 2019 and the recommendations of the joint parliamentary committee that had scrutinised the older Bill. The government even took back the draft bill that was released for public consultation in November 2022.

Now that the DPDP Bill has become an Act and is available for scrutiny, the extent to which it will prevent people from accessing information in the public interest is becoming apparent. Digital rights activists have pointed out that the Act gives the government sweeping powers to collect any type and amount of private or personal data by exercising the exemptions that have now been codified. Such expansive powers in the hands of the state invariably lead to grave misuse of power and incentivise the creation of a surveillance state.

According to several people’s rights organisations, the DPDP Act sounds the death knell for the two basic rights of individuals—the right to seek information or ask questions and the right to privacy. These rights were unambiguously upheld by the nine-judge bench of the Supreme Court in its judgment on Justice K.S. Puttaswamy (Retd.) versus the Union of India in 2017.

On the face of it, the controversial law seems to provide relief from data breaches like pesky calls, spam emails, and targeted text messages by imposing hefty penalties of up to ₹250 crore on digital platforms or data fiduciaries that neglect and compromise data security, but that is not the entirety of the story.

Attack on the Right to Information Act

The co-convener of the National Campaign for People’s Right to Information (NCPRI), Anjali Bhardwaj, says that the Act is a direct onslaught on the right to information. Put simply, it denies the people the right to ask questions and expose corruption in the name of protection of the right to privacy.

“The DPDP Act effectively kills Section 8 (1) (j) of the RTI Act which is very nuanced and strikes a balance between privacy and information. It allows people to gather any such government information, including personal information unless the information has no relationship to any public activity or interest, or would cause an unwarranted invasion of the privacy of the individual. Such personal information can be given only if it is in the larger public interest. In the name of expanding the scope of Section 8 (1) (j), the government through the DPDP Act is saying that now no information related to a person shall be shared,” says Bhardwaj.

Since its inception in 2005, people have used the RTI Act to demand their rights and expose corruption, she says, and illustrates her argument through an example. Suppose an old woman is not getting a pension or rations. To get her due she seeks records of pension or rations under the RTI Act so that she can ascertain why she is not getting it and whether benefits due to her are being usurped by someone else. Armed with information, she appeals to the government and gets her dues by fixing accountability.

“If the DPDP Act stops disseminating granular personal information, then the RTI Act will lose its relevance. Put the same argument on a bigger scale. The DPDP Act’s provisions won’t allow you to seek information on big corporates who have taken loans from public sector banks, the custodians of public money, have swindled it, and escaped to other countries,” added Bhardwaj.

The scope of the DPDP Act seems very expansive and is almost all-pervasive. It can be applied even to the voter list, the basic tool in the hands of political parties and people to know if all citizens above 18 years residing in an area are accounted for or not.

No rules for the government

Questioning the intent of the Act, PRS Legislative Research, India’s top parliamentary research organisation, says it empowers the Central government to exempt the processing of personal data by government agencies from any or all provisions, in the interest of aims such as the security of the state and maintenance of public order. None of the rights of data principals and obligations of data fiduciaries (except data security) will apply in certain cases such as processing for prevention, investigation, and prosecution of offences.

Clause 17(2)(a) of the Act allows the Central government to issue a notification exempting any “instrumentality of the State” from the provisions of this Act, thereby keeping it out of the ambit of data protection restrictions, including internal sharing and processing of data. Section 17(4) allows the government and its instrumentalities to retain personal data for an unlimited period. There is no escape even for journalists, who customarily protect their sources, as under Section 36, the government can ask any public or private entity (data fiduciary) to furnish personal information of citizens.

Moreover, the Act does not require government agencies to delete personal data, even after the purpose for processing has been met. This may allow the government agency to collect data about citizens to create a 360-degree profile for surveillance. It may utilise data retained by various government agencies for this purpose, PRS said in its release.

Describing the DPDP Act as even harsher than the colonial government’s Official Secrets Act, 1923, RTI activist Nikhil Dey said, “Here is an Act where the government has all the powers and there is no escape but the people have no power. Every provision of the Act has been drafted very carefully to end all kinds of dissent.”

Explaining the nuances of the Act, Dey said, “About ‘personal data’ it says any data about an individual who is identifiable by or in relation to such data. This means you can name anything but cannot pinpoint any person. It defines ‘personal data breach’ as any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data, that compromises the confidentiality, integrity, or availability of personal data. It means, even if you have pinpointed a person for corruption, you cannot take the person’s name without his consent. And even the consent shall have to be free, specific, informed, unconditional, and unambiguous with clear affirmative action, and shall signify an agreement to the processing of personal data for the specified purpose.”

Question mark on independence of Ombudsman

The Act does provide for a Data Protection Board of India and says that it will function as an independent body. But how independent its members will be is anybody’s guess as Section 19 (1) of the Act says, “The Board shall consist of a Chairperson and such number of other Members as the Central Government may notify” and its subclause (2) says “the Chairperson and other Members shall be appointed by the Central Government in such manner as may be prescribed”.

Moreover, unlike other regulatory authorities with adjudicatory roles such as the Central Electricity Regulatory Commission, Competition Commission of India, and the Securities and Exchange Board of India which have five-year terms, the tenure of the chairperson and members of the Data Protection Board of India has been kept at two years. “A short term with the scope for re-appointment may affect the independent functioning of the Board,” pointed out PRS.

The Way Out  

Many affected parties, especially the opposition, are actively thinking of knocking at the door of the Supreme Court, as most provisions of the Act are in direct contravention of the 2017 judgment of the nine-judge constitutional bench, which had specifically defined privacy.

According to Bhardwaj, Dey, and scores of other rights activists, as recourse to the Supreme Court may take time, the only possible way forward is to increase pressure on the government through mass movements to take back this black act.

The post The Great Data Heist: The Digital Personal Data Protection Act Incentivises Building Of A Surveillance State appeared first on Tatsat Chronicle Magazine.



This post first appeared on Shaken To The Core, please read the original post: here
