The dangers of the Digital Personal Data Protection Bill, 2023

The Supreme Court’s Puttuswamy judgement was crystal clear in affirming the citizen’s right to privacy as a fundamental right. Ever since the judgement, we have desperately needed a transparent and comprehensive law for the protection of personal data and a protection of this fundamental right. The Digital Data Protection Bill, 2023, however, threatens to undermine the very rights it should ideally seek to protect.

The DDP bill sadly joins the slew of laws that evidence the government’s intensifying crackdown on freedom of speech – much like the IT Rules, 2021, which had allowed greater governmental control over online content and threatened to weaken encryption, as well as freedom of expression online. I had raised an alarm on this when I was chairing the Parliamentary Committee on IT. The current bill follows suit and grants sweeping and unjustified powers to the government.

The bill establishes a Data Protection Board of India, which is designed to be at the mercy of the Central government, since all high-ranking officials of the board will be appointed by the government as per the bill. That in itself negates the idea of the autonomy imperative in a proper data protection framework. It gets worse: immunity from legal proceedings is extended to the government, the board, its chairperson, and members. The Board’s lack of independence, combined with its impunity and the absence of an independent regulatory authority, violates the stated intention of its proposed creation, and strips it of whatever little credibility it might have had. There is some relief that the appellate authority under the bill is the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), which includes a judicial member. But this may not be enough; for the appeals will often deal with the right to privacy, which will have to be directed to the High Court rather than the TDSAT, which is primarily meant to adjudicate disputes between the telecom operators and TRAI or the Department of telecommunications.

The Bill empowers the government to exempt processing by government agencies from any or all provisions, in the “interests of sovereignty and integrity of India, security of the state, friendly relations with foreign states, [or] maintenance of public order.” These are elastic terms that can be interpreted very loosely. None of the rights of data principals and obligations of data fiduciaries (except data security) will apply in certain cases such as processing for prevention, investigation, and prosecution of offences. The bill does not bother to specify limits on the definitions of these vague reasons, terms that the government can easily abuse to violate freedom of expression and due process.

Using these exemptions, a government agency may collect data about its citizens to create a 360-degree profile for surveillance, which violates the proportionality test laid down in the Puttuswamy judgement. The state may utilise data retained by various government agencies to supplement this purpose because the bill also fails to put into place any meaningful safeguards against over-broad surveillance.

As a former chair of the IT Committee, from which I was defenestrated for asking too many questions the government did not want to answer, I note ruefully that the bill makes no provision for any parliamentary oversight. Contrast this to democracies like the United Kingdom, where the data protection law provides similar exemptions for national security and defence but requires prior approval by a Judicial Commissioner.

Perhaps most far-reaching in its dangers, this bill jettisons the Right to Information Act, 2005. It was this very government that sought to hollow out the RTI framework with the 2019 amendment, by giving the government control over the salaries, allowances, and other terms and conditions of service of Information Commissioners. The amendment to section 8(1)(j) of the RTI Act further prioritises the privacy of personal information over the right to information of citizens. The new amendment simply states that anything that relates to personal information may be denied in an RTI request. Whether that personal information has public interest attached to it or whether it has to be made available to Parliament, is now irrelevant.

To effectively hold government officials accountable, people need access to information, including various categories of personal data. Experience of the RTI Act in India has shown that people, especially the marginalised, require access to granular information to obtain the benefits of government schemes and welfare programmes. For instance, the PDS System recognises the need for putting the details of ration card holders and records of ration shops in the public domain to enable public scrutiny and social audits of the PDS. In the absence of such publicly accessible personal data, it is impossible for intended beneficiaries to access their rightful entitlements and benefits.

The government is trying to justify these exemptions through the smokescreen of consent. However, clause 7 of the bill entitles the government to appropriate data for “certain legitimate uses”. Processing of personal data therefore may be done without obtaining the informed consent of the data principal whenever the government deems it appropriate. Apart from unreasonably putting the onus on unsuspecting individuals to correctly recognise all privacy risks entailed in complicated digital applications, consent is in this case presenting a false choice. A robust data protection framework will place the responsibility on data fiduciaries regardless of the consent level, rather than burdening individuals with the primary responsibility.

Look at this in context: the very idea of Digital India has been to promote a data economy where data is the foundation for all forms of economic transactions. Every digital infrastructure project from Aadhaar, UPI, and Digital Locker to CoWIN and Aarogya Setu has promoted this by providing Application Programming Interfaces to the private sector for building a data economy. Ultimately, the government is creating a database of identifiable information which can be interlinked, with no verifiable safeguard to prevent the profiling of citizens.

Even after leaving the Parliamentary Standing Committee on IT, I had spoken with the minister responsible, Ashwini Vaishnaw, a capable man for whom I have the highest respect, to urge him to attend to these concerns. He has made a conscientious effort to balance the need for provisions that will facilitate the work of digital entrepreneurs and the government’s understandable concerns over security. But he has not gone far enough in the direction of putting citizens’ interests first and allowing the government to step back a bit from its overweening power and obsessive desire for control.

I do not doubt that Mr Vaishnaw, like most of us, is convinced of the purity of his own good intentions. But what guarantees can he give for a future government? It all boils down to whether we want a law that potentially opens up the country to great dangers, if officials with malign intent are inclined to take advantage of all the vague language in the law. We must ask ourselves – is this the ‘new India’ we want to create? An India where citizens are potentially duped and stripped of their privacy by an Orwellian state that snoops on its own citizens?