Not only does it sound the death knell for the RTI Act, but it also makes anyone and everyone who deals with someone else’s information liable for prosecution for any breach of its provisions
The DPDP Bill threatens to establish a legal information regime that will be under the enormous control of the central government. (File)
тАЬWhen I use a word,тАЭ Humpty Dumpty said in rather a scornful tone, тАЬit means just what I choose it to mean тАФ neither more nor less.тАЭ
тАЬThe question is,тАЭ said Alice, тАЬwhether you can make words mean so many different things.тАЭ
тАЬThe question is,тАЭ said Humpty Dumpty, тАЬwhich is to be master тАФ thatтАЩs all.тАЭ
This central government certainly seems to have absorbed the basic lesson from Lewis CarrollтАЩs Through the Looking Glass тАФ all that matters is who is the master, controller and arbiter. Humpty DumptyтАЩs logic and the Digital Personal Data Protection Bill (DPBP) Bill 2023 tabled in the┬аLok Sabha┬аfor тАЬdiscussion and passageтАЭ are synonymous examples of brazen, self-proclaimed re-crafting of words.
Also Read | Data protection Bill passed in Lok Sabha: What it says about privacy, CentreтАЩs powers, right to info
The DPDP Bill threatens to establish a legal information regime that will be under the enormous control of the central government. It is vast in scope, unworkable in scale, authoritarian in control, and arbitrary in practice and applicability. Not only does it deliberately and brazenly sound the death knell for the RTI Act through a lethal amendment, but it also makes anyone and everyone who deals with someone elseтАЩs information a тАЬdata fiduciaryтАЭ, liable for prosecution for any breach of its provisions.
The reality is that if this Bill is passed, millions of us are, and will be, in continual breach of its provisions. As the master of the law, the central government will decide how to steer it, when and whom to target, and even possess the ability to influence the extent of penalties through its control over the regulatory body. The Bill is a serious and worrying potential threat to journalists, politicians, researchers, activists, academics and, of course, the constant irritant тАФ the RTI user. This is no alarmist view, as it becomes apparent when we examine certain provisions of this Bill. Who does the Bill protect? What constitutes a breach? How will that breach be acted upon? By whom will action be taken? What will the eventual outcome be and who will it benefit? To address this, let us scrutinise some important provisions of the Bill that Parliament is being enjoined to enact.
Under Section 2(t), тАЬтАШpersonal dataтАЩ means any data about an individual who is identifiable by, or in relation to such dataтАЭ. In one sense, this means the entire universe of information that helps us interact with each other as human beings. тАЬPersonal data breachтАЭ under section 2(u) in the law means тАЬany unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data that compromises the confidentiality, integrity or availability of personal dataтАЭ. To put this simply, unless you have the express тАЬconsentтАЭ of the other person, you cannot process any personal information that has been digitised in any way. The person responsible for any potential breach is called a тАЬdata fiduciaryтАЭ under section 2(i) and means тАЬany person who alone or in conjunction with other persons determines the purpose and means of processing of personal dataтАЭ. The person to be protected is the тАЬdata principalтАЭ defined under 2(j) of the Act as тАЬthe individual to whom the personal data relates.тАЭ
Also Read┬а|┬аDigital Personal Data Protection Bill 2023, a much-needed legislation, says India Inc
In sum, just these four provisions imply that all of us who use and process information and data are liable for prosecution unless we have obtained the тАЬconsentтАЭ of the data principal. The тАЬconsentтАЭ outlined in section 6(1) says тАЬThe consent given by the data principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data, for the specified purpose, and be limited to such personal data as is necessary for such specified purpose.тАЭ
The agency responsible for protecting the data principal against violations of the law is the Data Protection Board of India, established under Chapter V. This board is tasked with receiving, investigating, and taking action on breach complaints. The appointment of the Board rests with the government and serves under terms and conditions determined by the executive. Notably, the Board possesses the adjudicating authority equivalent to that of a civil court, as stipulated in Chapter VI. Within this framework, the Board has the capacity to request the assistance of police officers or officers from the central government or a state government. The Board is also vested with the power to levy penalties on those found to have breached the provisions of the Act, with the potential fine amount extending up to Rs 250 crores.
Also Read | Data Protection Bill 2023: What the law must do for children online
There are two major implications of this regulatory framework. First, this law grants privacy тАЬrightsтАЭ to all Indian citizens. However, it establishes a single centralised Data Protection Board responsible for dealing with all complaints, issuing orders, and levying penalties. This approach is obviously unworkable, as the Board will ultimately end up arbitrarily selecting whom to investigate and penalise. And it is highly likely that this choice will be guided and influenced by its тАЬmastersтАЭ. The power to impose huge penalties on the few the board chooses to act against will be totally arbitrary, just like the bulldozers and JCBs, this will become yet another legal instrument used by the central government today, to persecute and prosecute political opponents тАФ this will have a chilling effect on many others who are using information (without тАЬconsentтАЭ) that is inconvenient for the government.
Advertisement
Also Read | Bill on table, a new worry: Could data protection Bill weaken the RTI Act?
While the law should ideally protect individuals from both the surveillance state and big data companies, who have been commercially mining data, it instead grants the government sweeping immunity from the applicability of this Act and carves out a special space for the commercial use of data. Under Section 37 (1) (b), there is a provision for the central government to block content on the internet, so the larger technology and information companies will be brought in line to make sure that such тАЬdata fiduciariesтАЭ will remain subservient to the priorities of the government. The few exemptions outlined in Sections 7 and 17 of the Bill come with qualifications and conditions that are to be defined by the government, thereby effectively ensuring that the government becomes the тАЬmasterтАЭ and ultimate authority within the entire information framework.
One obvious potential legal obstacle to this entire framework is the celebrated RTI Act, which mandates that data and information associated with public use and purpose must be retained in the public domain. The RTI Act creates a harmony between the RTI and the Right to Privacy within the exemption clause under section 8(1)(j), a balance that will be demolished through this new Act. Instead of fostering a similar balance, this current Bill supersedes the Right to Information Act and exploits the fundamental Right to Privacy as a justification and legal sanction to hide the use or misuse of public resources by any identifiable person including public officials. The Bill could also potentially result in significant consequences for legally mandated information disclosures under Section 4 (2) of the RTI Act and other information that the government may choose not to disclose. With this single alteration to Section 8 (1)(j) of the RTI Act, its potential use for curbing corruption and curbing the arbitrary exercise of power stands not just amended, but repealed тАФ effectively transforming the RTI Act into a тАЬRight to Deny Information ActтАЭ.
This Bill if enacted and implemented will destroy transparency and fail to meet its goal of protecting data privacy. There is a need to have personal data protected from surveillance by the state and from commercial exploitation by big data companies. In fact, this law actually makes the large tribe of people who keep our democracy and our economy healthy and alive by using information and data for public purposes, тАЬviolatorsтАЭ of the law, subject to fines that could be in crores. The mandate of a minuscule board to deal with all complaints across this vast and populous country makes this implementation machinery naturally arbitrary, and inefficient.
With the vast power to frame subordinate legislation, grant exemptions and control many aspects of the Board, the government is the real тАЬmasterтАЭ in interpreting and implementing this draconian law. That is something all parliamentarians should understand when they take up the Bill for тАЬdeliberation and enactmentтАЭ. Even the ruling party should understand that one day they might also be at the receiving end, and someone else might be the master.
To protect the right to make informed choices, this Bill needs to go back to the drawing board. The Editors Guild of India has understood its potential implications and just issued a statement that it should be sent to a Parliamentary committee for serious re-examination, and redrafting. Other stakeholders, including parliamentarians, also need to take a serious look at the Bill and join the debate. It can undermine the future of their work, and the health of our democracy.
Advertisement
The writers are social activists with the Mazdoor Kisan Shakti Sangathan (MKSS) and National Campaign for PeoplesтАЩ Right to Information
aniltikotekar4sme.com 