Many government as well as private sector organisations have personal data of citizens, clients and customers such as their names, addresses and contact details. Sensitive information like medical health data is also available.
If this personal information goes into the wrong hands, people could be harmed. Depending on the situation, they could become victims of identity theft, discrimination or even physical harm. That is the reason many countries have already enacted legislations to safeguard the personal data of their citizens.
Objective of Data Protection Bill 2023
The basic aim of the Digital Personal Data Protection Bill, 2023 is to establish a legislative framework for the protection of personal data. The law allows to oversee the personal data collected within India, both online and offline data that has been subsequently digitized isn’t misused. As per the data protection bill 2023 if the data processing takes place outside India but involves offering goods or services to the people within the country, the provisions of this bill would apply automatically.
The Union Minister of Communications, Electronics and Information Technology Mr Ashwini Vaishnaw had introduced the bill in the Lok Sabha on August 3rd 2023 in spite of the criticism from the opposition.
The opposition parties had been demanding to refer the bill to the standing committee for changes and modification. The Union Minister however defended the Govt’s stand and called this bill a “normal bill” and moved it for discussion.
The proposed data protection law applies to all the business ventures, societies, groups, clubs or any other public enterprises. Even a sole trader or self-employed person working for himself or herself comes under the ambit of the new law. This means organisations or individuals having registered entities and only employ a handful of staff or not employ any staff at all, they too come under the purview of the proposed Personal Data Protection Law.
Background
In 2017, the Supreme Court of Indiadeclared the Right to Privacy a fundamental right, as this is “intrinsic” to our guarantee of “life and personal liberty” under the provisions of the Article 21 of the Constitution. To understand this in a more easy way, the citizens of the country in an age of data are supposed to be granted the complete ownership of their personal data.
Unfortunately, the proposed Personal Data Protection legislation that is being debated, discussed and drafted since 2018 by the panel headed by Justice Srikrishna submitted a proposal to Govt in 2018. Several drafts were prepared and a joint parliamentary committee (JPC) was given several extensions to examine. The JPC on Data Protection Bill advised for extending the scope of this bill to cover non-personal data as well as specific breaches that may compromise the confidentiality, integrity or availability of such data. Among other things, it also wanted social media platforms that do not act as hands-off intermediaries to be held accountable as publishers for the content they host.
Principles of Data Protection
The usage of personal data by organisations must be done in a rightful manner through a transparent process. The personal data must only be used by the companies, organisations or any other legal entity for the same purpose for which it was acquired by them from people.
The data should be as minimum as possible and should be accuracy accurate as well. The personal data that is collected cannot be “stored perpetually by default” and the storage should be limited to particular fixed time duration and the data collecting organisations must ensure that no unauthorized collection or processing of the personal data is done.
The organisations and individuals who decide the purpose and means of the processing of personal data have to be held accountable for such acts.
Right to Consent
The Individuals need to give consent before their data is processed and “every individual should know what items of personal data a Data Fiduciary wants to collect and the purpose of such collection and further processing. Individuals also have the right to withdraw consent from a Data Fiduciary. The term ‘Data Fiduciary”, referring to any entity determining how personal data is processed. This encompasses organizations collecting data for services, research, or marketing. The Digital Personal Data Protection Bill (DPDP Bill 2023) has a provision of ‘Significant Data Fiduciary’ (SDF), which carries additional obligations. SDFs are determined based on factors like data volume, sensitivity, processes, turnover, and technology use. The proposed law makes it mandatory on data fiduciaries to safeguard personal data and privacy. The makes sure the consent is sought, requiring it to be informed, specific, clear, and reversible.
Data Protection Board
The data principal means the natural person/individual to whom the personal data relates. The Data principals will have the right to demand the erasure and correction of data collected by the data fiduciary (company). Data principals will also have the right to nominate an individual who will exercise these rights in the event of their death or incapacity. Under the new Data Protection Bill there is a provision to establish a Data Protection Board (DPB) to ensure compliance with the Bill. In case of an unsatisfactory response from the Data Fiduciary, the consumers can file a complaint to the Data Protection Board.
DPDP Bill overrides RTI Act 2005
Several leading RTI activists like Aruna Roy,Nikhil Dey, Anjali Bhardwaj and many others across the country have been opposing some provisions contained in the DPDP Bill 2023. The activists had urged upon the Govt to adopt an extensive and rigorous pre-legislative consultation process for the proposed DPDP Bill, including ensuring dissemination of the draft bill through various modes and in multiple languages.
The Govt is said to have held only a handful of consultations and RTI campaigners were not invited in it.
Their main concern is the amendments made to RTI Act 2005 (section 8(1) (j) by the DPDP Bill, 2023 passed in Lok Sabha. The amendments in the the RTI Act, 2005 through the DPDP Bill will severely restrict the scope of the RTI Act and adversely impact the ability of people to access information as many people would take advantage of data protection law by not sharing public information under the garb of personal information as mentioned in section 8 (1) (J) of RTI Act 2005. The section 8(1)(j) of the RTI Act, 2005 reads:
“Notwithstanding anything contained in this Act, there shall be no obligation to give any citizen
(j) information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information:”
While speaking during the debate on the new Data Protection Bill, Congress MP Adhir Ranjan Chowdhury called it a “sinister move” to “trample” the Right to Information Act, 2005. He added that the change will introduce an “era of corruption” because personal data like assets and liabilities, and educational qualification of “corrupt government functionaries won’t be revealed.”
Civil society activists led by Aruna Roy in a letter to Govt said,“Through this amendment, all personal information can be denied, even if disclosure of that information is relevant to the larger part of public activity or in public interest as provided for in Section 8 of the RTI Act. This gives legal sanction for government entities, government functionaries and political executives to remain opaque in their functioning “
Conclusion
The enactment of Data Protection Law is a welcome step but the way section 8(1)(j) of RTI Act 2005 has been amended through this act is not a good decision at all. The Govt should have held more consultations before introducing this bill in Lok Sabha. The section 8 (1) (j) of RTI Act 2005 prevents a public authority from sharing anyone’s personal information on two main grounds – that the disclosure will have no bearing on any public activity, and that revealing such information would cause unwarranted invasion of the privacy of an individual, unless such disclosure is justified in larger public interest. The DPDP Bill 2023 passed by the Lok Sabha says that the personal information of public officials will not be disclosed under the RTI Act 2005. The two key grounds, that such information could be disclosed provided it serves a larger public interest has been recommended to do away with.