The Digital Personal Data Protection Bill, 2023 (DPDP Bill), introduced in the Monsoon Session of Parliament, is a revised version of the previously considered data protection legislation. Although the earlier bill was placed in the public domain and stakeholders were given an opportunity to offer comments and suggestions, after it was reportedly modified to incorporate those suggestions, neither the members of Parliament nor the standing committee on the subject got an opportunity to know about its revised content. When the first draft of the Data Protection Bill was prepared in November 2022, there were concerns that it would nullify the intended objectives. Even then, the government was more interested in the reactions of the big tech companies and industry representatives than in those of the citizenry. In this era of all-encompassing digital communication and transactions, personal information affects every citizen of the country, but this did not seem to have bothered the government. Now, every recent move seems to be aimed at ensuring that the final draft of the bill does not reach the public domain at all. It is not only the opposition that has pointed out that Parliament is being hasty in passing a Bill without adequate discussion and without following the procedures required for introducing a Bill. The Union Cabinet approved the bill on July 5. But the MPs have not even seen the draft of the bill.

In 2017, the central government appointed a committee comprising experts in the field of information security under the chairmanship of Justice BN Srikrishna and, after passing through various stages, it has now come up as a bill in the current Parliament session. However, the opposition parties walked out of the committee meeting last Wednesday, protesting the lack of transparency and the fact that only the review report of the committee was shown instead of the draft bill. The government's primary concern was only to ensure, for optics, that the bill bore the committee's stamp of approval. Even then, members were given access to the report only 24 hours before the discussion. It is obvious that the Centre believes the Bill's content should not be substantively discussed but should be passed anyway. Citizens expect that the parties dealing with the collection and distribution of digital information will protect their privacy. According to the bill, the data protection board formed by the government is supposed to resolve complaints and implement the law. But for that, a complaint must first be placed before it. In a digital data-driven economy, individuals have limited knowledge of and control over where and when data is transferred. At this stage, it is only the board that can come to the user's rescue. But if the board has the power to intervene only after receiving a complaint, the user is helpless, since the data is transferred without the user's knowledge. For example, a user may not know if a food delivery company transfers personal data based on the customer's online transactions in violation of the mutual agreement between them. Protection can be provided only if the board actively intervenes on behalf of the user. But there is no indication that this role was envisioned for the board.
Further, and more pertinently, when it is the government itself that collects and uses the data the most, and an agency of the same government has to examine the complaints, the mechanism will be futile.

The main criticism against the Bill is that, in the guise of its main objective, it aims to undo some important provisions of the Right to Information (RTI) Act. The government is eager to withhold much of the information required to be provided under the RTI Act in the name of upholding personal privacy. Although the government has repeatedly stated that the main objective is to maintain a balance between the citizens' right to know and the protection of personal information, the effect is that the government has a loophole to deny citizens much of the information they want to know about government activities. In fact, the RTI Act itself has sections aimed at this balance. According to Section 8(1)(j) of the Act, personal data will not be shared if it violates privacy or is not essential in the public interest. This is a level of protection for personal information. However, the envisaged changes to this section will result in the denial of any type of personal information. As a matter of fact, all information related to the conduct of officials or their corruption may include some personal information, but if it is withheld under the pretext of personal privacy, the public will be denied a source of information. Overall, digital privacy and RTI are made to appear as conflicting laws. This juxtaposition eventually ends up denying citizens access to information, while maintaining the government's ability to pry into personal information in critical situations. It would not be wrong to suggest that, reading between the lines, it is perhaps such a legal scenario that the present administration aims at.
