Neither the right to privacy nor the right to information: The  Digital Personal Data Protection (DPDP) Bill

• Posted on August 8, 2023
• Editorials,GS-2,GS-3

Neither the right to privacy nor the right to information: The  Digital Personal Data Protection (DPDP) Bill

Context:

The Digital Personal Data Protection (DPDP) Bill 2023 for the digital economy, inadvertently exposes a deeper motive behind the bill. Contrary to its aim of safeguarding privacy rights, this legislation seems to be paving the way for legalized data mining.

 

Relevance:

GS-02 (Government Policies, Fundamental Rights)

GS – 03 (Cyber Security) (IT & Computers)

 

Prelims:

• Digital Personal Data Protection Bill
• Right to Privacy

 

Mains Question:

• Discuss the interplay between the right to information and the right to privacy in the context of the DPDP Bill 2023. (150 words)

 

Digital Personal Data Protection (DPDP) Bill 2023

• The Bill aims to process digital personal data that considers both the right of individuals to protect their personal data and the need to process personal data for lawful purposes. It also provides a set of rules and best practice methods for Government to use the Personal Data.

Features of the Bill:

1. Scope and Applicability: The Bill applies to the handling of digital personal data within India. It also extends to the processing of personal data outside India if it involves offering goods or services to, or profiling individuals in, India.
2. Consent Guidelines: Processing personal data must have a lawful purpose and an individual’s consent. Prior to seeking consent, a notice must be provided containing specifics about the data to be collected and its purpose. Consent can be withdrawn at any time. For those under 18 years old, the legal guardian provides consent.
3. Rights and Responsibilities of Data Owners: Individuals whose data is being processed (data principals) have rights, including the right to access information about processing, request correction or erasure of data, and designate a representative in case of incapacity or death.
4. Cross-Border Data Transfer: The central government will identify countries where data fiduciaries can transfer personal data. Such transfers will be subject to specified terms and conditions.
5. Exemptions and Data Protection Board: Certain cases are exempt from the rights of data principals and duties of data fiduciaries, except data security. The Data Protection Board of India, established by the central government, will oversee compliance, impose penalties, manage data breaches, and address grievances. Penalties, as defined in the Bill, range from up to Rs 200 crore for children’s rights violations to Rs 250 crore for inadequate data security measures.

 

Dimensions of the Article:

• Complementary or Competing Rights?
• Contours of Data Control: The DPDP Bill
• Undermining the Right to Information
• Neglected Context and Oversight

 

Complementary or Competing Rights?

• The dynamics of the right to information and the right to privacy are complementary to each other.
• Where the former seeks to keep governments transparent and accountable, the latter stands as a bulwark against governmental and private intrusions.
• A poignant illustration of this can be found in the Mahatma Gandhi National Rural Employment Guarantee Act (MGNREGA), where mandatory disclosure provisions foster public scrutiny but can inadvertently expose vulnerable individuals to manipulation.

 

Contours of Data Control: The DPDP Bill

• The DPDP Bill 2023, framed to process digital personal data, steers into ambiguity.
• By defining “lawful purposes” expansively as anything “not expressly forbidden by the law,” the bill allows for unrestrained data mining, even from government portals.
• This broad mandate for data collection is further underscored by Section 36, which empowers the central government to requisition data from a multitude of sources.
• Consequently, the bill places the personal data within the crosshairs of both governmental and private entities, blurring the lines of personal and public domains.

Undermining the Right to Information

• Section 8(1)(j) of the RTI Act offers exemptions if the requested personal information lacks a connection to public activity or interest, or if its revelation would infringe upon individual privacy.
• The DPDP Bill 2023 seeks to supplant this comprehensive clause with a narrower interpretation.
• This shift could potentially exclude pertinent disclosures, such as the disclosure of assets by public servants.
• While ostensibly aligned with data protection, this alteration compromises transparency and public interest.

 

Neglected Context and Oversight

• The proposed Data Protection Board, a supposed guardian of data privacy, succumbs to governmental influence as the chairperson and members appointed to the board is by the central government.
• This weakens its independence and hampers its efficacy.
• This portrays a nominal guardian in contrast to robust counterparts like the European General Data Protection Regulation (GDPR) watchdog.
• Moreover, concerns voiced by Edward Snowden about data protection versus data collection highlight a broader concern: the bill’s inability to address data collection in a meaningful manner.

Way forward:

• A balance between data protection and transparency is paramount, demanding amendments that uphold both rights. Establishing an empowered, independent Data Protection Board, coupled with a more nuanced understanding of the interplay between data collection and data protection, can pave the way for a robust regulatory framework.
• To chart a course forward, India must seek to strengthen its regulatory mechanisms, fostering a climate where both transparency and personal privacy flourish in the digital age.