The dangers in the Digital Personal Data Protection Bill

The government is set to introduce the Digital Personal Data Protection (DPDP) Bill in Parliament.

The Bill includes a provision to amend the Right to Information (RTI) Act, which has empowered millions of Indian citizens since its enactment in 2005.
To effectively hold the governments accountable in a democracy, people need access to information, including various categories of personal data.
For example, the Supreme Court of India has held that citizens have a right to know the names of wilful defaulters and details of the Non Performing Assets (NPAs) of public sector banks.
Experience of the use of the RTI Act in India has shown that if people, especially the poor and marginalised, are to have any hope of obtaining the benefits of government schemes and welfare programmes, they must have access to relevant, granular information.
For instance, the Public Distribution System (PDS) Control Order recognises the need for putting out the details of ration card holders and records of ration shops in the public domain to enable public scrutiny and social audits of the PDS.

The RTI Act includes a provision to harmonise peoples’ right to information with their right to privacy through an exemption clause under Section 8(1)(j).
The DPDP Bill 2022, however, proposes amendments to Section 8(1)(j) to expand its purview and exempt all personal information from disclosure.
This threatens the very foundations of the transparency and accountability regime in the country.
The DPDP Bill, 2022, unfortunately, empowers the executive to draft rules and notifications on a vast range of issues.
For instance, the central government can exempt any government or even private sector entity from the application of provisions of the law by merely issuing a notification.
This would potentially allow the government to arbitrarily exempt its cronies and government bodies such as the Unique Identification Authority of India (UIDAI), resulting in immense violations of citizens’ privacy.

Further, to meet its objective of protecting personal data, it is critical that the oversight body set up under the legislation be adequately independent to act on violations of the law by government entities.
The draft Bill does not even make a pretence of ensuring autonomy of the Data Protection Board — the institution responsible for enforcement of provisions of the law.
The central government is empowered to determine the strength and composition of the board, as well as the process of selection and removal of its chairperson and other members.
The chief executive responsible for managing the board is to be appointed by the government, giving it direct control over the institution.
The creation of a totally government-controlled Data Protection Board, empowered to impose fines upto ₹500 crore, is bound to raise serious apprehensions of it becoming another caged parrot — open to misuse by the executive to target the political opposition and those critical of its policies.

These concerns need to be urgently addressed before the DPDP Bill is enacted.
Else, the citizens might end up with a law that empowers the central government while taking away peoples’ democratic right to seek information.