Opinion Nikhil Dey and Aruna Roy write: Data Protection Bill does not protect us — it attacks our rights

“The question is,” said Humpty Dumpty, “which is to be master — that’s all.”

This central government certainly seems to have absorbed the basic lesson from Lewis Carroll’s Through the Looking Glass — all that matters is who is the master, controller and arbiter. Humpty Dumpty’s logic and the Digital Personal Data Protection Bill (DPBP) Bill 2023 tabled in the Lok Sabha for “discussion and passage” are synonymous examples of brazen, self-proclaimed re-crafting of words.

The DPDP Bill threatens to establish a legal information regime that will be under the enormous control of the central government. It is vast in scope, unworkable in scale, authoritarian in control, and arbitrary in practice and applicability. Not only does it deliberately and brazenly sound the death knell for the RTI Act through a lethal amendment, but it also makes anyone and everyone who deals with someone else’s information a “data fiduciary”, liable for prosecution for any breach of its provisions.

The reality is that if this Bill is passed, millions of us are, and will be, in continual breach of its provisions. As the master of the law, the central government will decide how to steer it, when and whom to target, and even possess the ability to influence the extent of penalties through its control over the regulatory body. The Bill is a serious and worrying potential threat to journalists, politicians, researchers, activists, academics and, of course, the constant irritant — the RTI user. This is no alarmist view, as it becomes apparent when we examine certain provisions of this Bill. Who does the Bill protect? What constitutes a breach? How will that breach be acted upon? By whom will action be taken? What will the eventual outcome be and who will it benefit? To address this, let us scrutinise some important provisions of the Bill that Parliament is being enjoined to enact.

Also Read | Lok Sabha clears Data Protection Bill amid disruptions by Oppn over Manipur issue

Under Section 2(t), “‘personal data’ means any data about an individual who is identifiable by, or in relation to such data”. In one sense, this means the entire universe of information that helps us interact with each other as human beings. “Personal data breach” under section 2(u) in the law means “any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data that compromises the confidentiality, integrity or availability of personal data”. To put this simply, unless you have the express “consent” of the other person, you cannot process any personal information that has been digitised in any way. The person responsible for any potential breach is called a “data fiduciary” under section 2(i) and means “any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data”. The person to be protected is the “data principal” defined under 2(j) of the Act as “the individual to whom the personal data relates.”

In sum, just these four provisions imply that all of us who use and process information and data are liable for prosecution unless we have obtained the “consent” of the data principal. The “consent” outlined in section 6(1) says “The consent given by the data principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data, for the specified purpose, and be limited to such personal data as is necessary for such specified purpose.”

The agency responsible for protecting the data principal against violations of the law is the Data Protection Board of India, established under Chapter V. This board is tasked with receiving, investigating, and taking action on breach complaints. The appointment of the Board rests with the government and serves under terms and conditions determined by the executive. Notably, the Board possesses the adjudicating authority equivalent to that of a civil court, as stipulated in Chapter VI. Within this framework, the Board has the capacity to request the assistance of police officers or officers from the central government or a state government. The Board is also vested with the power to levy penalties on those found to have breached the provisions of the Act, with the potential fine amount extending up to Rs 250 crores.

There are two major implications of this regulatory framework. First, this law grants privacy “rights” to all Indian citizens. However, it establishes a single centralised Data Protection Board responsible for dealing with all complaints, issuing orders, and levying penalties. This approach is obviously unworkable, as the Board will ultimately end up arbitrarily selecting whom to investigate and penalise. And it is highly likely that this choice will be guided and influenced by its “masters”. The power to impose huge penalties on the few the board chooses to act against will be totally arbitrary, just like the bulldozers and JCBs, this will become yet another legal instrument used by the central government today, to persecute and prosecute political opponents — this will have a chilling effect on many others who are using information (without “consent”) that is inconvenient for the government.

While the law should ideally protect individuals from both the surveillance state and big data companies, who have been commercially mining data, it instead grants the government sweeping immunity from the applicability of this Act and carves out a special space for the commercial use of data. Under Section 37 (1) (b), there is a provision for the central government to block content on the internet, so the larger technology and information companies will be brought in line to make sure that such “data fiduciaries” will remain subservient to the priorities of the government. The few exemptions outlined in Sections 7 and 17 of the Bill come with qualifications and conditions that are to be defined by the government, thereby effectively ensuring that the government becomes the “master” and ultimate authority within the entire information framework.

One obvious potential legal obstacle to this entire framework is the celebrated RTI Act, which mandates that data and information associated with public use and purpose must be retained in the public domain. The RTI Act creates a harmony between the RTI and the Right to Privacy within the exemption clause under section 8(1)(j), a balance that will be demolished through this new Act. Instead of fostering a similar balance, this current Bill supersedes the Right to Information Act and exploits the fundamental Right to Privacy as a justification and legal sanction to hide the use or misuse of public resources by any identifiable person including public officials. The Bill could also potentially result in significant consequences for legally mandated information disclosures under Section 4 (2) of the RTI Act and other information that the government may choose not to disclose. With this single alteration to Section 8 (1)(j) of the RTI Act, its potential use for curbing corruption and curbing the arbitrary exercise of power stands not just amended, but repealed — effectively transforming the RTI Act into a “Right to Deny Information Act”.

This Bill if enacted and implemented will destroy transparency and fail to meet its goal of protecting data privacy. There is a need to have personal data protected from surveillance by the state and from commercial exploitation by big data companies. In fact, this law actually makes the large tribe of people who keep our democracy and our economy healthy and alive by using information and data for public purposes, “violators” of the law, subject to fines that could be in crores. The mandate of a minuscule board to deal with all complaints across this vast and populous country makes this implementation machinery naturally arbitrary, and inefficient.

With the vast power to frame subordinate legislation, grant exemptions and control many aspects of the Board, the government is the real “master” in interpreting and implementing this draconian law. That is something all parliamentarians should understand when they take up the Bill for “deliberation and enactment”. Even the ruling party should understand that one day they might also be at the receiving end, and someone else might be the master.

To protect the right to make informed choices, this Bill needs to go back to the drawing board. The Editors Guild of India has understood its potential implications and just issued a statement that it should be sent to a Parliamentary committee for serious re-examination, and redrafting. Other stakeholders, including parliamentarians, also need to take a serious look at the Bill and join the debate. It can undermine the future of their work, and the health of our democracy.

The writers are social activists with the Mazdoor Kisan Shakti Sangathan (MKSS) and National Campaign for Peoples’ Right to Information