Kishalaya Pal and Kanika Verma
INTRODUCTION
Amidst all the fervency and chaos in the parliament, which has become more profound and prevalent than ever before, the Digital Personal Data Protection (DPDP) Bill (hereinafter, DPDP Act) was passed. In fact, this bill demanded nuanced discussion and debate to modulate the draft considering its technical nature and far-reaching effects on safety of citizens, viability of corporates and security of the nation. In a major shift from the erstwhile Sensitive Personal Data or Information (SPDI) Rules, 2011, this Act will create the Data Protection Board of India comprising of technical experts, a statutory body dedicated to adjudicate on non-compliance with the provisions of the act.
At the first glance, DPDP comes across as a legislature joining the ranks of SEBI Act, TRAI Act, etc., Similar to these acts, DPDP Act lays down legislative and administrative controls over terms, operations, functioning and other facets of an economic activity through dedicated institution, all supported by penalties or incentives designed to ensure compliance. However, this Act has raised serious concerns about privacy and RTI because of exemptions provided to the state in view of national security and the drastic amendment to the Right to Information Act(hereinafter, RTI Act).Both of these liberties are guaranteed as fundamental rights under Article 21 and 19 of the Constitution respectively.
While cases like Shamsher Kataria case (Competition Act) and Indian Broadcasting and Digital foundation case (TRAI Act) show that even these sector-specific regulations of the neoliberal economy are no more immune under the garb of commercial imperatives than any other law. However, the DPDP Act has an air of distinction about it, and hence is pertinent to be discussed. This is because the Act impairs one of the most important bastions of democracy, the RTI Act and sanctions untoward state surveillance.
TROUBLE SPOTS OF THE ACT AND THEIR EXTRAORDINARINESS
1. Clouds over the ‘Sunshine Law,’ RTI
Often touted to be India’s ‘Sunshine’ law, it provides expedited access to government information to the common citizenry thus fostering government transparency. Section 8(j) of the RTI Act provided for exemptions from government disclosure only of that personal information which has no public activity or interest. Section 44 of the DPDP Act amended it to all those “information which relates to personal information”. Therefore, the government can unfairly hide under the shield of this exemption just by proving that the information relates to personal information. The detriment to transparency is two-fold.
Firstly, it obviates the adjudication of the CPIO or SPIO which are statutory authorities to determine whether the larger public interest is justified by the disclosure of such information. As a result, once the information is found to be even remotely personal, the RTI applicant will no longer have an opportunity to satisfy the CPIO or SPIO of the importance of the disclosure and obtain the information.
Secondly, this is particularly awry as the RTI Act only defines “information” and therefore the phrase “relates to personal information” largely means such information which has elements of identifiable information about someone’s personal profile. However, Section 2(t) of the DPDP Act defines “personal data” as any data about an individual who is identifiable by or in relation to such data and Section 2(h) defines “data” as “representation of information”. When read together, this implies that personal information itself has a wide ambit and relates to “personal information” as Section 44(3) excesses the exemption beyond reasonability. This is also against the well-established principle that mandates strict construction of exemption clauses as was held in Subhash Chandra Agarwal case among others.
2. A step towards a ‘surveillance state’
Another major concern being flagged is that the Government is being provided a freehand for surveillance, thus compromising with the citizen’s right to privacy. Section 7(c) legitimizes, in absolute terms, the use of personal data by a data fiduciary for the performance of any function in the interest of security of the state, whereas Section 17(2) nullifies the application of the entire DPDP Act in respect of the processing of personal data. It must be noted that the ground of exemption under Section 7(c) goes beyond the bounds of ‘under any law’ and includes much more subjective notions like ‘interest of sovereignty and integrity of India or security of the State’. The dearth of clarity in the specious statute can be conveniently abused to the detriment of the citizen’s fundamental rights.
It is also in direct contravention of the Privacy report which recommended the formulation of a Privacy Act to be enforced by Privacy Commissioners. Among other proposals, it recommends that various sectors of industry be regulated by Self-Regulated Organizations (SROs) that will work under the supervision of privacy commissioners. With the establishment of the Data Protection Board of India it should assume that role and the obligation to safeguard privacy should be expressly provided for. More importantly, it argued for horizontal applicability on both the government and the private sector. In fact, the report was itself set in the backdrop of Government’s increasing collection of data through various measures.
3. The State is a significant data fiduciary, if not more
Section 10 of the DPDP Act provides for the classification of those entities which fulfil the criteria laid down under sub-clause (1) as “Significant Data Fiduciaries (SDF)” requiring higher scrutiny through independent data audit of the compliance, Periodic Data Protection Impact Assessment, etc. Independent audit and regular monitoring could have been safeguarded against government excesses. However, the Government itself is conferred with the power to determine whether an entity qualifies as an SDF or not.
In reality, however, the state is one of the largest repositories of personal data along with having state of the art technologies to analyze and process them, thus compounding the risks even further. There are various programs run by the government like the NATGRID, an integrated intelligence grid used for counterterrorism, NETRA to analyze flow of data on the internet and NCRB’s National Automated Facial Recognition System that collect and analyze personal data. The Government also collects massive volumes of data to undertake social welfare schemes efficiently. The scale and abundance of these programs clearly fulfil the criteria laid down under Sub-section (1). However, if it suits the government, it can exempt it from any such greater scrutiny. Empowering the government with such power when it itself should be the most intensely scrutinized entity is against natural fairness.
MITIGATING THE UNNECESSARY EVIL
1. Need for a consequentialist stance
State must be bestowed with certain special powers for the larger goods like ensuring security, counterterrorism, and other public interests. Even the sacred fundamental rights guaranteed by the constitution have restrictions attached to them. The judgement noted that the seamless structure put in place by the digital ecosystem can be exploited to wreak havoc and destruction on civilised societies. Various studies show that attacks cyber-attacks like phishing costs the economy more than hundreds of million rupees. Therefore, consequentialist stance of the state in its policy and legislations is completely justified and the DPDP bill is representative of that. However, the proportion of the excesses should always be at par with the need and each of those powers should be conferred with the state only when it is absolutely warranted. The gravity of the matter requires a more objective and surgical approach than to just adhere to broad, albeit indisputable notions of ‘balancing privacy and national security’.
2. Remedy with Greater objectivity: The US’s CIPA
One way to rationalize the legislature is to objectively address the legitimate concerns of the Government. The state security exemptions are based on the apprehension that adversaries of the state will use data sensitive to the investigation or other operations against counter-terrorism to their advantage like to find ways to circumvent prospective counterterrorism operations. The apprehension can be mitigated even if instead of declining to proceedings in whole, that information which is sensitive to the security of the state be severed out and let the rest of harmless information be proceeded against. The USA’s CIPA, which provides for a confidential “pretrial conference” to consider classified information that may arise in the adjudication proceedings, can serve as a touchstone for formulating a procedural law around it. Such forums held in confidentiality can be used as the platform to severe the sensitive data out and proceed with the rest of the data.
CONCLUSION
The DPDP act makes some of the most radical changes in the balancing equation of citizens’ rights and state’s imperatives. This act alters the foundation of democracy by compromising on right to information and right to privacy. Any such change can only be justified when no further moderation is possible without endangering the security and public interest. However, that is not the case and with nuanced legislation backed by democratic intent, the closest to ideal can be achieved.
The authors are 5th Year and 2nd Year students of Dr. Ram Manohar Lohiya National Law University
Image Credits: Outlook India
Constitutional Law Society 
Leave a comment