As The Digital Personal Data Protection (DPDP) Bill, 2023 is likely to be tabled in parliament this week, concerns have been raised about the content of the new legislation. Opposition MPs allege that they have not even seen a draft of the Bill, and activists have raised alarm over the Bill’s inherent dangers to the Right to Information (RTI) Act.
“The purpose of the Bill is to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process personal data for lawful purposes, and for matters connected therewith or incidental thereto,” states the description of the Bill in the legislative business list of the ongoing monsoon session.
“The Bill employs plain and simple language to facilitate ease of understanding. The Bill aims to establish the comprehensive legal framework governing digital personal data protection in India,” it adds.
While the Union cabinet gave its approval to the Bill, which has been in the works for several years, on July 5.
The Union government first constituted a Committee of Experts on Data Protection chaired by Justice B. N. Srikrishna to examine issues relating to data protection in 2017.
The Personal Data Protection Bill, 2019 was introduced in the Lok Sabha in December 2019 on the basis of the recommendations of the committee report which was submitted in July 2018.
The Bill was then referred to a Joint Parliamentary Committee which submitted its report in December 2021. The following August the Bill was withdrawn from Parliament.
In November 2022, the Ministry of Electronics and Information Technology released the Draft Digital Personal Data Protection Bill, 2022 for public feedback.
Analysts and activists have since raised concerns about the Bill, saying that it fails to adequately address the data protection concerns and instead facilitates data processing activities of state and private actors.
As the Bill is expected to be tabled in parliament this week, opposition MPs have alleged that the government is bypassing parliamentary procedure.
Parliamentary procedure entails that once a Bill is approved by the cabinet, it is tabled in parliament. Parliamentary rules also lay down that a Bill can only be sent to a standing committee after it has been introduced in either house of parliament.
Opposition MPs who are members of the Department Related Parliamentary Standing Committee on Communications and Information Technology told The Wire that the committee on Wednesday (July 26) adopted a report titled as ‘Citizen’s data security and privacy’ which contains a report on the examination and recommendations of the committee on the Digital Personal Data Protection Bill.
At least two MPs who were at the meeting said that they walked out of it, as the report was adopted in violation of parliamentary procedure, as the Bill had not been introduced in either the Lok Sabha or the Rajya Sabha.
CPI(M) MP John Brittas, a member of the committee, has written a letter to Lok Sabha Speaker Om Birla on Friday asking him to refrain from giving permission to lay the report of the Standing Committee in Parliament and send the report back to the committee.
“It is imperative to note that the said Digital Personal Data Protection Bill had neither been introduced before either of the Houses of Parliament till date, nor was it referred to the Standing Committee by the Chairman of the Rajya Sabha or the Speaker, as the case may be, for examination,” said Brittas in his letter, accessed by The Wire.
Brittas said that under Rules 331E (1) (b), 331H (a) and 331H (b) of Lok Sabha Rules and Rules 270 (b) & 273 (a) of the Rajya Sabha Rules, the Standing Committees are explicitly prohibited from examining any Bills that have not been referred to them by the chairman or the speaker after their introduction in either House.
“Hence, it is evident that the above Report of the Standing Committee on Communications and Information Technology, said to be adopted on 26th July 2023, is void ab initio and is ultra vires of the powers of the Standing Committee conferred by the Rules. The Rules proscribe the Standing Committee from examining such a yet to be introduced Bill,” the letter states.
“It can be found beyond an iota of doubt that the impetuous action of the Committee in including comments and recommendations on this Bill is far beyond its jurisdiction and as such, rendering the Report liable to be nullified.”
Opposition MPs said that the committee members were given a draft of the report 24 hours before the meeting scheduled for Wednesday, but not the Bill.
“They cannot give the Bill. Because the Bill approved by the Union cabinet has not seen the light of the day so far,” said Brittas to The Wire.
“Furthermore, how can they give the Bill if the government of India has not introduced the Bill in parliament?
“And they are talking about the data protection Bill released in November 2022. After that the government said that we have uploaded the Bill for the comments of the general public and stakeholders and all your concerns when the Bill is finalised. I presume they would have incorporated or discarded the concerns. We saw in the media that the cabinet has approved it. A Bill that has been approved but not released to the parliament, how can a standing committee adopt a report on that?”
“It could either be that they are relying on the draft bill, which is infructuous activity or they may be inferring the bill that is highly unwarranted. Either way it is not acceptable.”
Jawhar Sircar, TMC MP who is also a member of the committee, told The Wire that since the final draft of the Bill has not even been seen and the report was not shared with the committee, the opposition members decided to walk out of the meeting.
“At the Wednesday committee meeting we were supposed to endorse the report without having seen it. We walked out because at the meeting all they were seeking was our endorsement so there was no point.”
Threat to RTI Act
Meanwhile, activists have raised concerns that the Bill poses a threat to the RTI Act by severely restricting its scope.
Anjali Bharadwaj, co-convenor of the National Campaign for Peoples’ Right to Information (NCPRI), said that the RTI Act already balances right to information with the right to privacy.
“Under Section 8(1)j the law describes exemptions related to personal data. It essentially states that any personal data which would cause unwarranted invasion of the privacy of the individual or does not serve larger public interest, that information will not be shared under the RTI law.
“This is a nuanced provision which balances right to information with right to privacy. With the data protection bill, the government is expanding the scope of this exception. They have said that any information which is personal data will be exempted from being given under RTI law. If they can prove there is a larger public interest only then can information of personal data can be provided under RTI.
“This is a huge problem. Under the RTI law we don’t have to give reasons for asking for information. The onus is on the government or the information officer to say why information should not be given. But if this clause is amended as the bill seeks to then the burden will be on the seeker of the information.”
Bharadwaj said that this would deal a severe blow to those using the RTI law to hold the government accountable for the delivery of public services.
“If there is an old woman who is not getting pension or ration, the only way to prove that there is no corruption is to ask the government for lists about who is getting rations and how much and check it to make sure there is no corruption and if there is corruption, then report it. Personal data would include names, phone numbers and addresses of individuals. NPAs (Non performing assets) of public sector banks-there is great interest in knowing who wllful defaulters are. If people ask for those lists now it will be exempt. Voter lists which help show voter fraud will also become impossible to access because those also give personal data. All of this use of RTI law will stop with this bill and deal a huge blow to the RTI regime.”
Venkatesh Nayak, director of the Commonwealth Human Rights Initiative, New Delhi said that the Bill also does not clearly state how the data protection board will be harmonised with the information commissions at the Centre and state levels, which decide public interest in RTI requests.
“Under the RTI law it is the information commissions at the central or state level who will decide whether 8 (1)j is appropriately invoked. It is not clear in this new Bill what is the scope of the data protection authority because under the RTI it is the information commissions which is supreme but under the new bill the data protection authority is supreme. There is no harmonisation about how they will operate,” he said.
“It is a poorly thought out idea of protecting personal data which otherwise would be accessible under RTI Act. And that is not how other advanced countries like the UK and New Zealand function where one authority decides these matters for freedom of information and they have guaranteed autonomy from government control. But under the new bill, the data protection authority will be completely under government control.”
Fails to protect personal data
Bharadwaj said that the Bill fails in its intended purpose of ensuring that people’s privacy and people’s personal data is protected from misuse.
“There are very real concerns that corporates and public sector undertakings who hold a lot of personal data will be left out of the ambit of this law which will fail therefore from protecting personal data,” she said.
“The law is silent on surveillance which is why this law was needed. The data protection board had to be independent of the government which is the largest repository of information and personal data. But the appointment and removal of the chairperson and members of the board will be under the government and it will also control the functions of the board.
“It then means that it will be a completely government controlled board and there is a great potential of misuse by the government to not go after those who the government finds favourable and go after those who are inconvenient for the government like NGOs or political parties.
“All this makes the Bill completely ineffective and also affects people’s right to information by amending the RTI Act,” she added.
Sircar said that the Bill as seen in November 2022 fails to fulfil its purpose of protecting privacy and offers amnesty to big tech companies to use personal data.
“The government has been trying to bring big tech under its control. In this triangular war between big tech, government and common people-they are trying to tame big tech. This particular Bill is more of amnesty to big tech in the name of data fiduciaries, which allows them to get away easily and gives them a leeway.
“It’s a great disappointment for those who were waiting for five years for a bill for data protection of citizens, that the last of the bills that is finally being passed offers little protection against the outreach of the technical and corporate world. Moreover, the government itself is including public order as the last word in the matter. This endangers our position rather than offering protection.”
With the Bill expected to be introduced this week, final discussions on the Bill in parliament also seem unlikely.
The Union government has sought to pass Bills with little to no debate as opposition MPs continue to protest in the house demanding a statement from Prime Minister Narendra Modi.
A no-confidence motion moved by the Congress is also awaiting a discussion in the Lok Sabha.
“This government is trampling upon every rule as well as rules and regulations of precedence,” said Brittas.
“The established precedent is that once a no confidence motion is admitted, it needs to be discussed. They have admitted the motion but not taken it for consultation and are bringing bill after bill. They are trampling on every rule and regulations and precedents in the country. Even the standing committee’s behaviour is also a violation of the rules.” The Wire