Data Protection Bill: NCPRI Flags Regressive Amendments to RTI Act, Lack of Autonomy for Oversight Body
Image for representational purpose. Credit: The Wire
New Delhi: The National Campaign for Peoples’ Right to Information (NCPRI) has expressed disappointment over the Digital Personal Data Protection Bill, 2023 (DPDP Bill) introduced in the Lok Sabha on August 3. In a statement released on Thursday, the NCPRI highlighted that this new version of the Bill still retains several issues that have been raised before. In their previous analysis, endorsed by privacy-focused groups and campaigns, the NCPRI had outlined concerns about regressive amendments to the RTI Act and the lack of independence and autonomy of the oversight body, the Data Protection Board. However, the government has not addressed them adequately, it said.
The statement read: “It is well established that access to granular information, including personal information, is critical to empower people to undertake collective monitoring and ensure they are able to access their rights and entitlements. This principle is well recognised and has been adopted in various welfare programs and schemes. The proposed Bill will potentially place impediments and restrictions on such public disclosures.”
The NCPRI also emphasised the need for an extensive and inclusive pre-legislative consultation process for the DPDP Bill, which seems to have primarily catered to industry concerns. The current version of the DPDP Bill continues to raise concerns, particularly regarding amendments to the RTI Act that could restrict citizens' access to information and the excessive powers vested in the Central government along with the lack of independence of the Data Protection Board.
“Section 19 of the bill vests in the Central Government wide powers, including appointing the Chairperson and members and deciding the strength of the Board. This lack of independence of the oversight mechanism is extremely worrying and it is imperative that such a board function without the interference of the Central Government to enable the protection of rights of people,” it added.
Please read the full text of the statement below:
Statement on the Digital Personal Data Protection Bill, 2023 introduced in Lok Sabha
The National Campaign for Peoples’ Right to Information (NCPRI) is disappointed to note that the Digital Personal Data Protection Bill, 2023 (DPDP Bill) introduced in the Lok Sabha today (3/8/2023) continues to suffer from the problems pointed out by NCPRI in the previous draft. The NCPRI had sent a detailed analysis, which was also endorsed by groups/campaigns working on privacy, on the bill put out for public consultation by MEITY in November 2022. The submission had highlighted key issues including the regressive amendments being made to the RTI Act and the lack of independence and autonomy of the oversight body- the Data Protection Board.
We are disappointed to note that on both counts, the government has failed to address the concerns. The submission had also highlighted the need to adopt an extensive and rigorous pre-legislative consultation process for the proposed DPDP Bill, including ensuring dissemination of the draft bill through various modes and in multiple languages. The consultative process continued to be extremely narrow and seems to have largely focused on the concerns of industry. The NCPRI was not invited for any consultation following the submission.
Our key concerns with the DPDP Bill, 2023 introduced in Lok Sabha today are:
Amendments to the RTI Act (Section 44(3))
The amendments proposed to the RTI Act, 2005 through the DPDP Bill will severely restrict the scope of the RTI Act and adversely impact the ability of people to access information. Section 8(1)(j) of the RTI Act, 2005 states:
“8. (1) Notwithstanding anything contained in this Act, there shall be no obligation to give any citizen,- xxx (j) information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information:”
The exemption is not absolute and information has to be disclosed if it is such that cannot be denied to the Parliament or a State Legislature (proviso to 8(1)), if public interest in disclosure outweighs the harm to the protected interests (section 8(2)) or if the information relates to any event or matter which has taken place twenty years ago (section 8(3)).
The draft DPDP Bill proposes the following amendments to the RTI Act-
“44(3) In section 8 of the Right to Information Act, 2005, in sub-section (1), for clause (j), the following clause shall be substituted, namely:— “(j) information which relates to personal information;”.”
The proposed amendment to section 8(1)(j) of RTI Act therefore seeks to exempt all personal information. It does away with the exceptions carved out within the section based on which personal information could have been disclosed. Currently, in order to deny personal information, at least one of the following grounds has to be proven- information sought has no relationship to any public activity; or information sought has no relationship to any public interest; or information sought would cause unwarranted invasion of privacy and PIO/appellate authority is satisfied that there is no larger public interest that justifies disclosure. The proposed blanket exemption is especially problematic since it does not limit the exemption from disclosure to only sensitive personal information.
Further, the proposal to amend the RTI Act through the Data Protection Bill appears to have been drafted based on an incorrect understanding of the RTI law. The draft Bill errs in interpreting the proviso to section 8(1), which states that “information which cannot be denied to the Parliament or a State Legislature shall not be denied to any person.”, as being only applicable to section 8(1)(j) and not to the whole of section 8(1). A perusal of the original gazette notification of the RTI Act shows that by virtue of its placement and indentation, it is applicable to all of section 8(1) and not merely section 8(1)(j). There are several judicial pronouncements to this effect.
It is well established that access to granular information, including personal information, is critical to empower people to undertake collective monitoring and ensure they are able to access their rights and entitlements. This principle is well recognised and has been adopted in various welfare programs and schemes. The proposed Bill will potentially place impediments and restrictions on such public disclosures.
The amendments proposed to the Right to Information Act, 2005 through the Data Protection Bill, will fundamentally weaken the RTI Act for the reasons highlighted above. We believe that the legal framework for privacy and data protection should complement the RTI Act and in no way undermine or dilute the existing statutory framework that empowers citizens to hold power structures to account. The provisions of the Draft Data Protection Bill need to be suitably amended and harmonized with the provisions and objectives of the RTI Act. This would be in line with the recommendation of the Justice A.P. Shah Report on Privacy (2012) that, “The Privacy Act should clarify that publication of personal data … in public interest, use of personal information for household purposes, and disclosure of information as required by the Right to Information Act should not constitute an infringement of Privacy.” Neither the recognition of the Right to Privacy, nor the enactment of a data protection law, requires any amendment to the existing RTI law. Therefore, there should be no amendments to the RTI Act.
Excessive powers vested in Central government & lack of independence of the Data Protection Board
Given that the government is the biggest data repository, the law should not give wide discretionary powers to the executive. The DPDP Bill, 2023, however, empowers the government to draft rules and notifications on a vast range of issues (S. 40). The Union government can exempt any government or even private sector entity from the application of provisions of the law by merely issuing a notification, potentially resulting in immense violations of citizens’ privacy (S. 17(2) and 17(3)).
It is concerning to note the lack of autonomy of the Data Protection Board, the principal authority under the draft Bill to enforce compliance with the provisions of legislation. Section 19 of the bill vests in the Central Government wide powers, including appointing the Chairperson and members and deciding the strength of the Board. This lack of independence of the oversight mechanism is extremely worrying and it is imperative that such a board function without the interference of the Central Government to enable the protection of rights of people.
The creation of a Data Protection Board not adequately independent of the government, with powers to impose fines of up to Rs 250 crore (the central government can raise the maximum penalty imposable under the law to Rs. 500 crore by amending the schedule), raises apprehensions of potential misuse by the executive. (S. 28, S. 33 & S. 42)
The proposal that the Board will be ‘digital by design’, including in the receipt of complaints, pronouncement of decision and other functions, will make it exclusionary and outside the reach of millions of Indians.
Get the latest reports & analysis with people's perspective on Protests, movements & deep analytical videos, discussions of the current affairs in your Telegram app. Subscribe to NewsClick's Telegram channel & get Real-Time updates on stories, as they get published on our website.