The Digital Personal Data Protection Act 2023: Weakening of the Right to Information Act?

The Indian Parliament represents the predominant theatre of democratic deliberation and participation in the country and serves as the orienting source of nation-building strategy and legislative outlook. As a result, the quality of discussion of key bills in the Parliament represents a complex system of public consultation, standing committee reports, political concerns and federal cooperation. Drawing from this context, the passing of the final Digital Personal Data Protection Bill 2023 (DPDPB 2023, now an act) highlights a case of hasty deliberation, which stands in stark contrast to the Bill’s journey. Since 2018, versions of the Bill have been heavily debated, with concerns regarding its clauses being present till the very end. However, the final bill, which claimed to have incorporated years of concern and discussion, was passed in the Monsoon Session of Parliament in less than an hour and amidst an opposition walkout. The DPDPB was mired in an opaque consultation process in the months preceding the session, with the final version of the Bill coming as a surprise to all concerned stakeholders, in and outside Parliament. 

Notably, the criticism of the Bill lies not just in its clauses and spirit but also in the way in which the extensive deliberations of the past year were undermined by the manner in which the Bill was passed. The Bill was not sent to be examined by the Parliamentary Standing Committee on Communications and Information Technology and was adopted by the panel without seeing the final version. John Brittas, a Rajya Sabha member from the CPIM, gave a dissent note and questioned how the Standing Committee could endorse the Bill without seeing the original copy. Brittas was part of the Standing Committee that was seeking to examine the final version of the bill. Additionally, Brittas pointed out the potential threats the bill would pose to the Right to Information Act 2005 (RTI), which the DPDPB has amended.  

The DPDPB dilutes clause 8(i), which is the personal information clause of the RTI Act. According to the RTI Act, personal information is liable to be disclosed when it is relevant to the public interest or good. This includes details about the salaries of public servants, scheme beneficiaries, scheme performance and coverage, and other relevant information that affects the public interest. With the amendment brought by the DPDPB, all personal information is exempt from the RTI- effectively making the act redundant. 

The DPDPB also sets up the role of a “Data Fiduciary”, which is any person or entity who manages, processes or interacts with the data of other persons. While such a clause allows for a more systematic manner of tracking data flows, the particular clause raises concerns for the RTI Act. Generally, RTI applications are filed by community-level workers, activists and any persons on behalf of stakeholder groups who may not have the ability or access to file applications. This ensures that government schemes that affect the poor, student data and other publicly impactful data can be accessed for the purposes of research, political communication, advocacy and activism. However, with the passing of the DPDPB, any such person filing an RTI on behalf of others has to apply as a data fiduciary and receive government approval. Furthermore, there are guidelines for maintaining data by the data fiduciary, which may be difficult for certain RTI activists and community-level workers to maintain, leaving them open to risks of high financial penalties. 

The conflict between meaningful data protection and the transparency of public data systems must strike a balance. It is imperative that the latter is not used to manipulate and exploit personal data. In this context, the amendment of the RTI act is questionable, as there have been no significant instances of data manipulation or exploitation using information obtained through RTIs. In this context, the spirit of the DPDPB blurs the distinction between data for profit and data for advocacy. 

The personal information of individuals that do not impact the collective public life largely operates in the domain of personal consumer preferences, location data, telecommunication data and other data that the individual chooses to share with the platforms they interact with. Most of such data (except for when explicitly gathered for government schemes or by the government), occur in the domain of the private lives of individuals. Public information, on the other hand, constitutes any data about the individual, which, when aggregated, has an impact on the public interest. For example, the gender and number of working hours of MGNREGA workers, phone ownership, public servant information relevant to government schemes, etc. The RTI  has historically operated in the latter domain. 

Notably, the erstwhile RTI exemption clause under Section 8 accounted for privacy and data concerns and was orientated in a manner that necessitates an interpretation of public interest and activity. Additionally, the clause also mentions that there can be prevailing conditions under which personal information can be justifiably disclosed, and the State Public Information Officer or the Central Public Information Officer must carry out this decision. Finally, the clause mentions that any data that is available to Parliament or state legislatures cannot be denied to the public. This aspect of the RTI notably ensures that one, privacy needs are kept in mind when interpreting personal information disclosure, and two, practically ensures that the authorities must interpret the public interest aspect of the information and weigh it against the prevailing need. However, the DPDPB amendment causes this clause to simply collapse, reading it as “information which relates to personal information;”. 

This blanket exemption essentially does away with the need for interpretation of public interest and nullifies the three conditions that have to be met, using which personal information could be denied. These conditions are: if the information is not related to the public interest; if the information is not related to public activity; and if the disclosure of such information causes breach of privacy. The new exemption renders the denial clauses unnecessary, as any arbitrary interpretation may be used to deny information. This move has raised concerns regarding administrative transparency, and whether it signifies a disregard for accountability. The new amendments operate under an assumption of administrative goodwill, rather than explicitly codifying the spirit of public interest into the law itself.