Neither The Right to Privacy nor The Right to Information
26-08-2023
11:46 AM
Why in News?
- Recently passed by Lok Sabha, the Digital Personal Data Protection Bill 2023 has retained the contents of the original version of the legislation proposed in November 2022, such as exemptions for the Centre.
- Moreover, the bill makes the government less transparent to the citizens while making citizens transparent to both the government and private interests.
Key Features of the Digital Personal Data Protection Bill 2023
- Applicability
- The Bill will apply to the processing of digital personal data within India where such data is: (i) collected online, or (ii) collected offline and is digitised.
- Personal data is defined as any data about an individual who is identifiable by or in relation to such data.
- It will also apply to the processing of personal data outside India, if it is for offering goods or services or profiling individuals in India.
- Consent
- Personal data may be processed only for a lawful purpose for which an individual has given consent.
- A notice must be given before seeking consent. Consent may be withdrawn at any point of time.
- Rights and Duties of Data Principal (An individual whose data is being processed)
- The Bill grants certain rights to individuals including the right to obtain information, seek correction and erasure, and grievance redressal.
- They will have certain duties. They must not:
- Register a false or frivolous complaint,
- Furnish any false particulars, suppress information, or impersonate another person in specified cases.
- Obligations of Data Fiduciaries (the entity determining the purpose and means of processing)
- Data fiduciaries must:
- make reasonable efforts to ensure the accuracy and completeness of data,
- build reasonable security safeguards to prevent a data breach and inform the Data Protection Board of India and affected persons in the event of a breach,
- cease to retain personal data as soon as the purpose has been met and retention is not necessary for legal or business purposes (storage limitation).
- The storage limitation requirement will not apply in case of processing by government entities.
- Data Protection Board of India
- The central government will establish the Data Protection Board of India to adjudicate non-compliance with the provisions of the Bill.
- The Central government has control in appointing members of the Data Protection Board.
- Transfer of personal data outside India
- The central government will notify countries where a data fiduciary may transfer personal data.
- Transfers will be subject to prescribed terms and conditions.
- Exemptions: The central government may exempt government agencies from the application of provisions of the Bill in the interest of specified grounds such as security of the state, public order, and prevention of offences.
- Penalties
- The schedule to the Bill specifies penalties for various offences such as:
- up to Rs 150 crore for non-fulfilment of obligations for children and
- up to Rs 250 crore for failure to take security measures to prevent data breaches.
- Penalties will be imposed by the Board after conducting an inquiry.
Concerns Around the Bill
- Exemption Powers to Centre: According to the Bill, the central government will have the right to exempt “any instrumentality of the state” from adverse consequences citing national security, relations with foreign governments, and maintenance of public order, etc.
- Fear of Online Censorship
- The Bill also states that if an entity is penalised on more than two instances, the central government, after hearing the entity, can decide to block their platform in the country.
- This is a new addition to the measure, which was not present in the 2022 draft.
- The proposal could add to the pre-existing online censorship regime already administered under Section 69 (A) of the Information Technology Act, 2000.
- The highest prescribed penalty has been capped at Rs 250 crore for not having enough safeguards against data breaches.
- The Control of Central Government in Appointments
- The Chief Executive of the Data Protection Board will be appointed by the central government, which will also determine the terms and conditions of their service.
- This means the Board, an oversight body, will be under the boot of the government as the chairperson and members are to be appointed by the central government, making the watchdog less effective.
- No Discussion Around Restricting Data Collection
- In Europe, the General Data Protection Regulation (GDPR) set a high standard for data protection.
- For instance, in France, the data protection regulator was able to fine Google €50 million for violation of policies related to consent.
- Still, there is a real danger of GDPR becoming a “paper tiger”, because the problem isn’t data protection, but data collection.
- Restricting data collection is not even being discussed in the new Bill.
How does DPDP Bill 2023 Undermine the Right to Information and Right to Privacy?
- Section 8(1)(j) of the RTI Act 2005 grants exemption from disclosure if the information sought relates to personal information, unless a public information officer feels that larger public interest justifies disclosure.
- The DPDP Bill 2023 suggests replacing Section 8(1)(j) with just “information which relates to personal information”. It will undermine the RTI Act 2005.
- For example, the current requirement for public servants (including judges and IAS) to disclose their immovable assets will no longer apply.
- This is indeed “information related to personal information”, but it serves a larger public interest (for example, to identify public servants with disproportionate assets).
- Tensions between RTI and Right to Privacy
- Broadly, the two rights complement each other as the RTI seeks to make the government transparent to citizens, while the right to privacy is meant to protect them from government (and increasingly, private) intrusions into their lives.
- Yet, there are some tensions between the RTI and the right to privacy. For example, under the MGNREGA, mandatory disclosure provisions are meant to ensure that workers can monitor expenditure and also facilitate public scrutiny through social audits.
- Everyone has access to data about individuals registered under the Act, including when and how much was paid to each worker.
- The flip side of this, which has become apparent in recent times, is that unscrupulous operators can monitor, even scrape data systematically, depriving workers of their hard-earned wages.
- For example, showing up at their doorstep with offers of lucrative ‘savings’ or ‘insurance’.
- Government and private entities can still access data citing ‘lawful purposes’
- The Bill provides for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such data for lawful purposes.
- The Bill defines “lawful purposes” in the broadest possible manner as “any purpose which is not expressly forbidden by the law”.
Conclusion
- The constitutionally protected right to privacy of individuals and their right to autonomy are vulnerable when their personal/non-personal data is not protected.
- The DPDP Bill 2023 is an outcome of the debate around the right to privacy.
- However, with a weak board combined with the lack of universal literacy and poor digital and financial literacy and an overburdened legal system, the chances are slim that citizens will be able to seek legal recourse when their privacy is breached.
Q1) What are some changes made to the Data Protection Bill?
One important change in the final version of the Bill relates to how it handles the transfer of data across different countries. It has moved away from a whitelisting approach to a blacklisting mechanism. The Bill allows global data flows by default to all jurisdictions other than a specified negative list of countries where such transfers would be restricted. The draft, released in November, said the Central government will notify countries or territories where personal data of Indian citizens can be transferred. A provision on “deemed consent” in the previous draft has been reworded to make it stricter for private entities.
Q2) How will the new law on data protection affect the RTI Act?
In the version of the Digital Personal Data Protection Bill cleared for introduction in Parliament, there exists a section that would eliminate the majority of Section 8(1)(j) of the 2005 law. According to that section, personal information cannot be disclosed under the RTI Act “which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the larger public interest justifies the disclosure of such information”. The data Bill would remove all these caveats, prohibiting government agencies from sharing private information of any kind, regardless of the public interest it may entail.
Source: The Hindu