IT is a contentious law. Contentious in that it has been debated, debated and redebated. The law in question- -the Digital Personal Data Protection Act (DPDPA), 2023, which was passed by Parliament in the truncated and noisy monsoon session -has since been gazetted and notified after the President put her signature on it. The final step will be to craft the necessary rules under the Act. IT Minister Ashwani Vaishnav told the media that the rules are likely to be published “in a few months”.
Right to privacy
The first draft of this Act was released in 2018 and led to plenty of fireworks with RTI activists and strong advocates of the right to privacy raising a string of objections to the Bill as it was drafted. It never went to Parliament and saw four more iterations– 2019, 2021 and 2022 and finally 2023. But it would be fair to say that it is still a work in progress like the Right to Information Act which has been amended since its original avatar was gazetted in 2005.
While the Government in one case amended it in 2019, multiple cases in the Supreme Court and elsewhere have given more teeth to the law. For example, the SC in November 2019, upheld the decision of the Delhi High Court bringing the office of Chief Justice of India under the purview of the Right to Information (RTI) Act.
One of the most debated points about the law is the provision giving exemptions to the Government to access this data. The Internet Freedom Foundation believes that the law is a violation of the original intent which was to protect the rights of individuals.
The opposition has been vociferous that the exemptions to the Government will only be `misused` by the powers that be, including agencies to access data from companies and the personal data of individuals with no one being the wiser. Journalists believe that protecting sources could be even more arduous with big brother watching. They also feel using RTI to ferret information will be that much harder.
Specific exemptions
Answering this question, Vaishnav told The Print in an interview, “I would like to address both these points head-on. The exemptions given in this Act for the State are very specific and very limited in number. For example, the European GDPR [General Data Protection Regulation] provides 16 exemptions to the government, which include national security, foreign policy, crime investigation, crime detection, and even things as subjective as ethics for professional organisations and budgetary policy.
“Whereas in our case, the exemptions are only for national security, for foreign relations, for public order… all of which is something that is already defined in the Constitution. Do you think somebody should expect the Constitution to be not followed? I think it’s a very unfair criticism. These are very limited and specific exemptions. The entire criticism is totally unworthy of even mentioning because somebody who reads the law will not make this criticism first,”he said.
Despite the vociferous public defence and assurances to protect the rights of individuals, there is still anxiety about how the law will finally be used. But the Government, especially Vaishnav, in multiple statements on the subject is categorical that the aim is to protect the citizen. Infact, one of the most important aims, states the Minister, is to make big tech companies more accountable. “Some of the major social media companies that operate in the country have huge data of users. For those companies, the law is very clear about their responsibilities and there are punitive consequences if they violate the law,” the Minister said. Data breach fines could be as high as Rs 250 crores.
This column does not have the luxury of space to debate the law and its multiple provisions in detail at this point. There are many provisions that will only be open to dissection once the rules are framed. Already the big tech companies and activists are asking for a consulting process to take place before the rules are firmed up and frozen. But there is much to learn from the RTI Act. In spite of its many flaws, the Act has been transformational in more ways than one.
It has empowered the Indian citizen like nothing else. It has democratised right down to the grassroots the process of scrutiny and accountability. Individuals, institutions and officials are all accountable. It has undoubtedly helped in bringing forth greater transparency and efficiency into the system. The data protection Act, after five iterations, is a beginning. It is a work in progress. A real assessment will require the rules to be framed and the Act to get going before one can give a fair opinion.