The Digital Personal Data Protection Act 2023 (DPDP) that got approval along with 21 other Bills in the recently concluded Monsoon session of Parliament overlooks several factors like transparency and accountability, says John Brittas, CPI-M Member of Parliament in Rajya Sabha. He is one among the 31-member standing committee and one of those opposing this Bill tooth and nail in its present form. Brittas is a journalist by profession, and has been associated with Kairali TV as its managing director, and was the former Business Head of Asianet Communications. Terming the present Government to be ‘hubris’, he reveals the lacunae in the new Law while speaking to Manoj Varghese.

Q: How does the Digital Personal Data Protection Act impact the fundamental rights of a citizen?

A: The DPDP law has been pondered upon from 2017 onwards. The legislation seeks to provide a legal framework to the right to privacy, held as a fundamental right by the Supreme Court in the Puttaswamy verdict. Later, Justice Shri Krishna report and Joint Parliamentary Committee reports in 2019 also substantiated it. The whole country had a great expectation from this Bill to protect the privacy of data. The law provides for the processing of digital personal data in a manner that recognizes both the rights of the individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto. The present Bill that has been passed by the Parliament without even a discussion is a ‘dampener’ or even ‘very dangerous’. Dangerous in the sense that the two pillars of accountability and transparency are missing. I had submitted a 12-point ‘Dissent note’ with regard to the IT standing report, which was placed in the Parliament.

Q: What are the major concerns raised in your ‘Dissent note’?

A: In the present form, the Act provides vast powers to the government. Our primary concern is with the government itself. To recollect, Pegasus Spyware exposed government invading into the privacy of a common man and Bhima Koregaon case witnessed the ‘trap’. As per the Act, the government agencies are exempted and it can exclude any private agency too as per their wishes and whimsies. The litigation chart of Supreme Court or High Courts mentions the government to be either a petitioner or respondent in majority of the court cases. As per the new law, a citizen is forbidden to file a case against the government. The government already handles a major chunk of data through the Aadhaar card, PAN card, ration card, bank transactions, and passport records among others.

Q: What is the ‘right to forget’ in the legislation?

A: For example, I am giving a particular personal data to the Facebook for a specific duration of 5 or 10 years. But after 2 years, I have the right to forget and the FB is not entitled to sell this data to any other agency. Whereas, in the case of government, there is no bar in the use of operating the available data, which is converted into the digital format and stored. It is a matter of major concern.

Q: Is ‘dictating terms’, is what is being feared?

A: There is excessive delegated legislation, as the legislation does not largely go into the specifics of the implementation. It seems as if the Government’s favourite catchphrase “as may be prescribed” is the highlight of this Act. It has been used 28 times in a 21-page Act with 44 clauses. The ambiguity has been kept so that the government can take arbitrary decisions. No legislation can be seen as sound proof if majority of the clauses are termed with ‘as may be prescribed’ provision. Thus, it is the liberty of the government that is executive to take the decision at its convenience. The essence of a legislation is completely lost.

Q: What about the powers bestowed upon the DPDP Board?

A: The law revolves around DPDP Board, which is the nucleus of the legislation. An aggrieved party who has to get justice is expected to approach this DPDP Board, which needs to be independent of executives. But here, the Government has been given the power to arbitrarily appoint the board members as per their choice. The Joint Parliamentary Committee Report on the Personal Data Protection Bill, 2019 had recommended that a Selection Committee shall nominate the Data protection Authority. Members of the Committee should include: (i) Attorney General of India, (ii) an independent expert from fields such as data protection, information technology, or cyber laws, and (iii) Directors of an IIT and an IIM.  But 2023 Act permits Central Government to appoint chairperson and members of Data Protection Board. The very nature of independence of this board is scuttled with this arbitrary nature of appointment.

Q: Does the law impart fiduciary security?

A: Fiduciary security means that if a private company is found violating with our data, they may be booked or punished. Clause 32 of the legislation talks about ‘Voluntary Undertaking’, under which the Data Protection Board has powers to accept voluntary undertaking with respect to non-compliance with any provisions of the proposed Act. Such a provision allows those delinquents who are non-compliant of the Act to avoid penalties by giving a mere undertaking. The fiduciaries can voluntarily submit an undertaking and get out of litigation without facing any punishment. They can submit an undertaking saying that inadvertently something has gone out on their part and they are not liable to it. Moreover, if you look at any model legislation elsewhere, including the European Union, the aggrieved party has the right to get a compensation. Here, there is no provision for any compensation, but only a provision for penalty up to maximum 250 crores.

Q: Has this DPDP law anything to do with the RTI Act?

A: This legislation will also scuttle the RTI Act, which had come into existence after so much of deliberations. Section 8(1)(j) of the RTI act allows even personal information to be disclosed if the larger public interest justifies the disclosure of such information, or it is related to any public activity or interest; even if the disclosure causes unwarranted invasion of the privacy of the individual, and further insists that all personal information shall be provided if it is such an information which cannot be denied to the Parliament or a State Legislature. This has been deleted vide section 44(3) of the new Digital Personal Data Protection Act 2023 thereby making all personal information exempt from RTI Act. This would fundamentally weaken the RTI Act and adversely impact the ability of people to access information and will definitely curtail transparency in the Government. Thus, the accountability and transparency have been removed by invading into the RTI act.

Q: How is it hampering the IT Act?

A: Clause 44(2) (a) of the Act proposes to omit Section 43(A) of the IT Act. Section 43(A) of the IT Act, 2000 enables an aggrieved person to demand compensation from a body corporate for any negligence in handling any sensitive personal data, thereby causing wrongful loss or wrongful gain to any person. This further accentuates the precarious situation of Data Principals. The GDPR of EU, on the other hand, specifically provides for Right to compensation to an aggrieved party under Article 82 for damage caused as a result of an infringement of the provisions of the regulation.

Q: What is the way out?

A: The DPDP legislation is vague, reasonable security and safeguards are not defined. The private companies are not accountable for any safeguards and will get away without paying any compensation. Three birds are being shot by one stone. The way out would be to approach the Supreme Court for a judicial review.