An Act to Protect The Government

By Sujit Bhar

It has been a while since the Supreme Court declared that the right to privacy was a fundamental right. This landmark decision was delivered on August 24, 2017, in the Justice KS Puttaswamy (retd) vs Union of India case. The nine-judge top court bench, headed by the then Chief Justice of India (CJI) JS Khehar, concluded that the “right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution”.

That was not all. The icing on the judgment was an observation by CJI Khehar, who borrowed from former US Supreme Court Justice Louis Brandeis and equated privacy with the “right to be let alone”. The judge wrote: “The right to be let alone is a part of the right to enjoy life. The right to enjoy life is, in its turn, a part of the fundamental right to life of the individual.” That would lead to the right to be forgotten.

Eight years have passed since the judgment, yet the private data of Indians in general have been subject to illegal and forced scrutiny by almost all investigative and other agencies in the interim. This includes Finance Minister Nirmala Sitharaman’s recent order that the Income Tax Department would be provided enough teeth to look into even social media feeds of assessees, if required. Justice Khehar’s observation about the right to be forgotten has been forgotten.

For all practical purposes, Indians today live in glass houses, their private data being either controlled by government agencies or packaged, sold and misused by all manner of corporate entities.

At the same time the Right to Information (RTI) Act, 2005, existed as a sharp tool in the hands of the public, granting citizens the right to access information from public authorities. The law promotes transparency and accountability in government operations and empowers citizens to seek information. The Act mandates timely responses to information requests and provides a mechanism for appeals if requests are denied or inadequately addressed.

Logically, the judgment and the RTI Act, working hand in hand, could afford the common man a safe niche within an intrusive societal structure. However, with huge data also existing in the cyber domain, there arose the need for personal data protection. The Digital Personal Data Protection (DPDP) Act, 2023, was supposed to be a logical progeny of the Justice BN Srikrishna-engineered Personal Data Protection Bill of 2018. It isn’t. Intended to replace the outdated IT Act of 2000, the DPDP Act was expected to address modern challenges including platform regulation, digital competition, and critical infrastructure protection with enhanced penalties for non-compliance. It seems to have incorporated some more sinister designs within its infrastructure.

Before elaborating, one needs to realise the nature of the soil these seeds have germinated in, and for that one needs to go back to 2017, just before the right to privacy was declared a fundamental right by the top court. The entire issue emanated from legal disputes over the Aadhaar Identity Programme. At that point, the government’s position was that a constitutional right to privacy was unnecessary and that the government could instead safeguard citizens’ privacy through a data protection law. That argument was dismissed by the Court, but while the legislation process continued, the government’s position never changed.

Hence many more rewordings of the Justice Srikrishna-led committee report happened, and as per legal experts each version thereafter has been worse than the previous one. They diluted privacy rights and increased executive control. The experts point out that the final version not only fails to establish a dedicated regulator, it also lacks standard safeguards against government access to data and even grants excessive regulatory authority to the central government.

The Government Bias

The DPDP Act incorporates flexibility, which means that certain data protection statutes can be relaxed to serve certain objectives of the government. In many cases, wordings are broad and vague. There are exemptions incorporated for the central government and other government bodies. Exemptions apply to most publicly available personal data, and the excuse is that such data processing for research and statistical purposes is supposedly expedient.

There remains the scope of processing of foreigners’ personal data by Indian companies under contracts with foreign firms (such as outsourcing companies).

And there remains the bureaucracy of notification. The Act authorises the centre to gather notification from the Board to request access to any information from entities processing personal data, intermediaries (as defined by the Information Technology Act, 2000), or the Board itself and to order restrictions on public access to specific information. Such notifications would come in the garb of “security” and such other “serious” issues, but would always be targeted.

One glaring example would be Section 17(2). This (see box: The contentious section below) earns for the government a broad exemption from its own provisions for personal data processing. The exemption is broad in the sense that it applies to state entities designated by the central government, as well as to the central government when handling personal data provided by such entities. The excuse is the usual: national security.

Dilution of The RTI Act

While the DPDP Act itself looks like a double-edged sword, in effect it could also dilute another very important piece of legislation, the Right to Information (RTI) Act.

This was recently pointed out in public through a joint memorandum, presented by more than 120 leaders from various parties of the INDIA bloc, to the Union Minister for Electronics and Information Technology Ashwini Vaishnaw. The memorandum urges the government to repeal a provision in the DPDP Act that dilutes the RTI Act.

According to the memorandum, Section 8(1)(j) of the RTI Act allows personal information to be disclosed if the larger public interest justifies such disclosure. According to the Opposition, Section 44(3) of the DPDP Act alters this provision of the RTI Act. Now even if the information is related to a public activity or interest, it cannot be disclosed under RTI. The DPDP Act also removes the crucial proviso in the RTI Act that stated, “information which cannot be denied to Parliament or a State legislature shall not be denied to any person.” (See box: The disclosure conundrum below)

This has been recently announced to the media in a press conference held in New Delhi by Gaurav Gogoi, the deputy leader of the Congress in the Lok Sabha; John Brittas, CPI(M)’s Rajya Sabha MP; Priyanka Chaturvedi, Shiv Sena (UBT)’s MP; Javed Ali Khan, Samajwadi Party Rajya Sabha member; DMK’s MM Abdulla; and RJD spokesperson Nawal Kishore.

Gogoi pulled no punches when he said: “This is a surreptitious, mischievous and malicious attempt by the government to undermine the RTI Act.”

According to Brittas, who was a member of the Joint Parliamentary Committee that reviewed the Act, the Opposition had pointed out the negative effect the new law would have on RTI by way of dissent notes to the final report, but all this was ignored. “RTI was a milestone in the trajectory of our nation. It empowered citizens to directly hold the government responsible. In one stroke, the government has done away with the RTI,” he said. Chaturvedi’s claim is that this new legislation would take the country from “right to information” to “road to ignorance”.

Of course, there are some legitimate concerns of personal information leakages, but data, such as personal bank loan data to TransUnion CIBIL Limited, are already under analysis, with little or no permission received from the customer of the bank. While such blatant leakages must be stopped, it must also be guaranteed that corruption in high offices comes to light.

The Contentious Section

Section 17(2) of the DPDP Act, 2023, says:

“The provisions of this Act shall not apply in respect of the processing of personal data:

(a) by such instrumentality of the State as the Central Government may notify, in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these, and the processing by the Central Government of any personal data that such instrumentality may furnish to it; and Processing of personal data outside India.

“(b) necessary for research, archiving or statistical purposes if the personal data is not to be used to take any decision specific to a Data Principal and such processing is carried on in accordance with such standards as may be prescribed.”

The wordings have been kept suitably vague and the scope so broad that any situation can be woven into this section if and when needed. The section could, for all practical purposes, nullify much of the Act.

The Disclosure Conundrum

Section 8(1)(j) of the Right to Information Act, 2005, outlines an exemption from disclosure for information that relates to personal information, where the disclosure would have no public activity or interest, or would cause an unwarranted invasion of privacy.

The Section reads as follows:

“Section 8(1)(j) in The Right to Information Act, 2005

“(j) information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information…”

Meanwhile, the DPDP Act’s Section 44(3) amends Section 8(1)(j) of the Right to Information (RTI) Act of 2005, which exempts certain types of information from disclosure.

The Section reads as follows:

“Section 44(3) in DPDP Act, 2023

“(3) In section 8 of the Right to Information Act, 2005, in sub-section (1), for clause (j), the following clause shall be substituted, namely:

“(j) information which relates to personal information;”.

The concerns are real. According to RTI activists, this amendment could be misused to deny critical information about government officials and public servants. For example, information such as the assets and liabilities of public servants could be withheld using the new clause.

Under the original RTI Act, information on assets declared by politicians, judges, and bureaucrats was made public. Under the new amendment, such information could now be denied outright.

Details of government contracts and public expenditure: RTI applications have previously revealed instances of corruption and financial irregularities in government projects. One example is the Commonwealth Games scam (2010) [one may note that the court has acquitted Suresh Kalmadi in this case], where RTI disclosures supposedly exposed corruption in infrastructure projects. Section 44(3) has the power to block such disclosure on the grounds of personal information.

The post An Act to Protect The Government appeared first on India Legal.
