Digital Privacy vs. Public Access: The DPDP Act 2023 and RTI Act, 2005

The Supreme Court of India declared that both the Right to Privacy (Nijata ka Adhikaar) and the Right to Information (Soochana ka Adhikaar) are fundamental rights of every citizen of India flowing from the Constitution of India. Thus, it is imperative that the legislative authorities make sure that the data protection regulations do not violate these fundamental rights. However, many individuals and organizations have raised concerns that the Digital Personal Data Protection Act 2023 may weaken the Right to Information Act 2005. In this article, we will examine the changes that the Digital Personal Data Protection Act 2023 will make to the Right to Information Act 2005 and how these changes may weaken it.

History of Data Protection Laws

Numerous significant occurrences, such as the Computer Revolution in the 1980s, the Economic Policy of 1991, the United Nations Commission on International Trade Law in 1996, and various other influential factors, prompted the Indian government to institute legislation intended to protect its citizens’ data and confront challenges pertaining to cybercrime. This legislative initiative led to the formal implementation of the Information Technology Act of 2000, commonly known as ITA-2000 or the IT Act. Subsequently, numerous amendments have been enacted to the IT Act in response to the evolving needs and progress of society.

In 2011, the Central Government implemented the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, using its authority outlined in clause (ob) of sub-clause (2) of section 87 of the IT Act, 2000. These rules were designed to enforce a mandate that prioritises body corporate in safeguarding and managing personal data.

In 2017, the Supreme Court acknowledged the Right to Privacy as a fundamental right. As a result, the government became obligated to uphold individual privacy. This landmark ruling was delivered by a nine-judge bench of the Supreme Court in the case of Justice KS Puttaswamy vs Union of India.

In 2018, the Reserve Bank of India (RBI) introduced a directive requiring all authorised Payment System Operators (PSOs) to ensure that all data associated with payment systems is stored exclusively within the territorial limits of India. Following this, in 2019, the RBI introduced further regulations, disallowing these entities from storing card details. Nevertheless, these entities were allowed to preserve solely the last four digits of the card number, with strict instructions against retaining the complete card number.

In 2021, the Central government enforced the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, leveraging its authority as defined in sub-section (1), clauses (z) and (zg) of sub-section (2) of section 87 of the IT Act, 2000. This action entailed the supersession of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. The 2021 guidelines were designed to heighten the accountability of social media platforms, such as Facebook, Instagram, Twitter, and others.

In 2018, a committee chaired by Justice B.N. Srikrishna was convened to deliberate and devise a comprehensive data protection framework for India. Following this, the initial draft of the Personal Data Protection Bill, 2018 was publicly disclosed. After extensive deliberations, an updated version, known as the Personal Data Protection Bill, 2019, was introduced in the Lok Sabha. However, this specific bill was later withdrawn in 2022. On 18th November 2022, the Ministry of Electronics and Information Technology released a revised legislative proposal for public scrutiny concerning the data protection framework. Subsequently, this proposal was presented in the Lok Sabha on 9th August 2023 and officially enacted into law on 11th August 2023.

KEY PROVISIONS OF THE DATA PROTECTION ACT, 2023

The Digital Personal Data Protection Act, 2023 introduces two pivotal terms that are integral to its framework –

Data Principal

According to Section 2(j) of the Digital Personal Data Protection Act, 2023, any individual to whom the collected data pertains is referred to as a Data Principal.

Rights of Data Principal

  • The Data Principal holds the right to request information regarding the processing of their personal data from the Data Fiduciary, to whom they have previously granted consent for the processing of their personal information.
  • The Data Principal possesses the right to request rectification, completion, updating, and deletion of the personal data they have previously supplied to the Data Fiduciary.
  • The Data Principal holds the right to nominate another individual who will act on their behalf regarding the Data Principal’s rights in case of their death or incapacity.
  • The Data Principal also holds the right to access an easily accessible grievance redressal mechanism, which they can utilize in the event of any action or inaction by the Data Fiduciary concerning the fulfilment of their obligations.

Duties of Data Principal

  • The Data Principal should not register any false or frivolous complaint.
  • The Data Principal must refrain from providing inaccurate information or assuming the identity of another individual in particular instances.
  • The Data Principal could incur a penalty of up to Rs 10,000 for breaching any of the prescribed duties.

Data Fiduciary

According to Section 2(i) of the Digital Personal Data Protection Act, 2023, a Data Fiduciary is defined as an individual or a collective entity that, either independently or in collaboration with others, determines the purpose and methods for processing another person’s personal data.

Obligations of Data Fiduciary

  • The Data Fiduciary is required to disclose the purpose for collecting the Data Principal’s data.
  • The Data Fiduciary must obtain free and informed consent before processing the data of the Data Principal.
  • The Data Fiduciary must ensure the accuracy and completeness of the data they process concerning the Data Principal.
  • The Data Fiduciary must implement all necessary security measures to prevent data breaches.
  • If a data breach occurs, the Data Fiduciary is required to promptly notify both the Data Protection Board (DPB) and the individuals affected by the breach.
  • The Data Fiduciary must delete the Data Principal’s data once the purpose for its collection is fulfilled or upon the Data Principal’s explicit request to erase their data.
  • The Data Fiduciary could face penalties of up to Rs 200 crore for failing to meet data protection obligations, especially concerning data related to children.
  • The Data Fiduciary might face penalties of up to Rs 250 crore for failing to implement adequate security measures.

DPDP ACT, 2023 VS RTI ACT, 2005

Section 8(1)(j) of the RTI Act, 2005 stipulates that unless the Central Public Information Officer, the State Public Information Officer, or the respective appellate authority is convinced that revealing personal information serves a significant public interest, any other information associated with personal data, unrelated to public activities or public interest, and potentially leading to an unwarranted intrusion into an individual’s privacy, shall not be disclosed to the public.

Provided that the information that cannot be denied to the Parliament or a State Legislature shall not be withheld from any individual.

Through the Digital Personal Data Protection Act of 2023, the government is striving to broaden the scope of Section 8(1)(j) of the RTI Act, 2005. This amendment implies that, despite its relevance to public activities or public interest, individuals will no longer be able to access personal data from the government. Consequently, the government will possess increased authority to decline RTI applications by asserting that the information pertains to personal data, following the amendment.

Following the amendment to Section 8(1)(j) of the RTI Act, 2005, a substantial amount of information, including details concerning public servants, beneficiaries of various schemes, voter lists, and other pertinent data impacting public interest, will now be beyond the accessible scope of the general public.

Other Criticism of the DPDP Act

  • The central government will possess the authority to designate members of the Data Protection Office.
  • The central government will be granted the authority to circumvent the requirement of obtaining consent from the Data Principal when gathering data.
  • Governmental bodies will be granted immunity or exemption from facing adverse consequences in the event of a data breach.
  • The central government will have the authority to decide who falls under the category of Data Fiduciary and who can be exempted from it.

CONCLUSION

As India is undergoing a rapid transformation into a digital economy, it will face various cyber-attacks and cyber-crimes. Therefore, it is crucial to have a Data Protection Bill that makes data-collecting and data-processing institutions accountable for any data loss of citizens. But it is also very important to ensure that the Data Protection Bill does not violate the democratic rights of citizens.

Therefore, it is crucial to balance the two. However, it is undeniable that no law is passed perfectly in one go. We should wait for the Digital Personal Data Protection Act, 2023 to show its impact and see how the government implements it. If there are any issues or shortcomings, the Digital Personal Data Protection Act, 2023 can always be amended.

