Digital Personal Data Protection Act can lead to muzzling of voices within the media, civil society and Parliament
Desmond Redden was our civics teacher in middle school. It must have been him who first taught me about the chain of democratic accountability. This is what I said in the Rajya Sabha last week: “The government is responsible to Parliament. And Parliament is responsible to the people. So when Parliament does not function, the government shirks its responsibility to be accountable to the people.” That’s why it suits this government not to allow Parliament to run smoothly.
In the three-week monsoon session, the BJP sneaked through 23 bills. Many of the Bills that were passed are fundamentally flawed. Multiple speakers from the INDIA parties strongly expressed themselves during the debate on the Delhi ordinance. Sadly, the Prime Minister’s obstinacy not to speak in Parliament on Manipur forced the INDIA parties to walk out when the Digital Personal Data Protection (DPDP) Bill and other Bills were being discussed.
The DPDP Act 2023 stands out as an example of the systematic wreckage of parliamentary and democratic procedure. A law to protect data has been due for a decade. To bring you up to speed, there was the committee on privacy by Justice A P Shah in 2012, followed by the K S Puttaswamy judgment establishing privacy as a fundamental right in 2017. Then came the committee headed by Justice B N Srikrishna (2018) and a version for Parliament (2019). In 2021, a report was presented by the Joint Parliamentary Committee (of which I was a member). A year later, the Bill was withdrawn. Soon thereafter a new bill, “The Digital Personal Data Protection Bill” 2022, was put out for public consultation. This is when the Union government usurped all rules and procedures. Let me share an example. Comments under this “public consultation” could only be made in English and were kept private. The Standing Committee on Information Technology decided to discuss this bill without Parliament formally referring the Bill to it. Fishy. The committee drafted a report without consulting its own members and only shared it with them a night prior to the meeting. Parallely, the Union Cabinet approved an unknown version of the Bill in July 2023 and surreptitiously bypassed all scrutiny. When the monsoon session began, there were at least three versions of the Bill “circulating” on the streets of Lutyens. Yet again, the Union government had cocked a snook at the legislative process.
If this wasn’t enough, the Act (as passed) is rife with problems. In a swoop, the Union government has bestowed upon itself excessive and overreaching powers to determine what can be said, by who, and where. The government now holds the power to “block” “access” to any information in the “interest of the general public”. By leaving such “interests” undefined, it is free to place wide-ranging restrictions on content publishing and consumption. This shrinks the space for press freedom and will make more Siddique Kappans in the future. Joining the CBI and ED, in the roster of agencies that need to be independent but only do the Union government’s bidding, is the new Data Protection Board (DPB). While this is technically supposed to be an autonomous data governance authority, the fact that it will be constituted entirely by the Union government ensures its functioning will be remote-controlled. The Union government and its agencies can exempt themselves from any and all obligations of the Act, including those that penalise non-consensual processing of data. At a time when there already exist reports of evidence planting by state agencies in the devices of those critical of the government (think Father Stan Swamy), it is disturbing how these new powers could further increase violations. The DPDP Act of 2023 also kills one of the most powerful instruments of transparency available to us — the Right to Information Act of 2005. Used often to seek information that the government refuses to provide even in Parliament, the Bill has disproportionately empowered government Public Information Officers to reject RTI applications. Safe to say the Digital Personal Data Protection Act is barely about how data can be processed. It is yet another devious tactic to muzzle voices within the media, civil society and Parliament.
One would have assumed too that the Personal Data Protection Act would at least be technically accurate. The Act fails there as well. The decision to exclude publicly available personal data from its jurisdiction is erroneous. Technology-policy expert Nikhil Pahwa told this columnist: “The Indian government has created a massive national security risk by keeping publicly available personal data out of the ambit of the DPDP 2023. This robs citizens of any protections against wanton profiling and surveillance by third parties, and legalises profiling of the kind done by a Chinese company, Zhenhua Data Information Technology, for the Chinese government, as has been reported by The Indian Express in 2020.”
The IT Minister and the junior IT Minister have been in overdrive trying to make their (weak) case. Nothing will cut. The DPDP Act is a piece of furtive legislation that is fundamentally flawed.
[This article appeared in The Indian Express | Friday, August 18, 2023]