Why Personal Data Protection Bill Will 'Severely Restrict Scope of RTI Act' ?

The Data Protection Bill must be harmonised with the provisions and objectives of the RTI Act. This would be in line with the recommendation of the Justice A.P. Shah report on privacy that said, “The Privacy Act should clarify that publication of personal data for public interest and disclosure of information as required by the Right to Information Act should not constitute an infringement of privacy.”

Neither the recognition of the Right to Privacy, nor the enactment of a data protection law, requires any amendment to the existing RTI law.

Second, given that the government is the biggest data repository, the law must not give wide discretionary powers to the executive.

The DPDP Bill, 2022, however, empowers the government to draft rules and notifications on a vast range of issues. For instance, the Union government can exempt any government or even private sector entity from the application of provisions of the law by merely issuing a notification, potentially resulting in immense violations of citizens’ privacy.

On the other hand, small NGOs, research organisations, associations of persons, and opposition parties that the government chooses not to include in the notification would have to set up systems to comply with the stringent obligations of a data fiduciary as described in the law.

Third, it is imperative that the oversight body set up under the legislation is adequately independent to act on violations of the law by government entities.

The draft Bill does not ensure autonomy of the Data Protection Board – the institution responsible for the enforcement of provisions of the law. The Union government is empowered to determine the strength and composition of the Board, as well as the process of selection and removal of its chairperson and other members.

Further, the chief executive responsible for managing the Board is to be appointed by the government, giving it direct control over the institution.

The Union government is also empowered to assign the Board any functions “under the provisions of this Act or under any other law.” The creation of a totally government-controlled Data Protection Board, vested with powers of a civil court and empowered to impose fines of up Rs 500 crore, is bound to raise serious apprehensions of it becoming another caged parrot, open to misuse by the executive.

Fourth, the law must provide an accessible, people-friendly framework of grievance redress for affected persons to approach the oversight body.

The 2022 Bill stipulates that the Data Protection Board shall be ‘digital by design,’ including receipt and disposal of complaints.

Finally, in the case of a data breach, the victim must be able to seek monetary compensation. The DPDP Bill has no provision for compensation of any form.

In fact, the Bill defines duties of a data principal (those whose personal data is collected) and provides for penalty imposition on them for registering frivolous complaints. 

Dr. Deepak Kumar Sahu, President & CEO, VARINDIA