Article 21 Trust and Rethink Aadhaar analysed the Digital Personal Data Protection Bill (DPDP) 2023 (now Act) and raised several concerns surrounding issues such as missing rights from the Bill, excessive exemptions to government and its instrumentalities, weak Data Protection Board, amendment to the Right to Information Act etc.
The critique outlined that the Act has failed to recognise the right to privacy as a fundamental right-the right that was held to be an intrinsic part of Part III of the Constitution by the Supreme Court of India in K S Puttaswamy (privacy) judgment and equally recognised by the earlier drafts of the Act. The Act has created a framework where data protection and privacy have been pushed back and data processing has been given primacy thus diluting the very purpose of the Act.
The other concern that the submission highlighted was in relation to the definition of personal data (Section 2 (t)) that has now obliterated the difference between personal data, biometric data and sensitive data and the state is empowered to process any data under section 7 of the Act without the explicit consent of the data principal. While the law mandates that the data fiduciary shall obtain consent (under Section 6) before processing the data of the data principal, the law is silent on the transfer of data to third parties and it makes no provision of notice under Section 5 for such transfer.
The DPDP Act in its present form has omitted some of the important rights such as the right to be forgotten and the right to data portability which featured in the previous iterations and diluted the right to erasure in Section 12. Enjoyment of rights, as per the new Act, has been made contingent upon the performance of the duties. The Section related to the duties appeared for the first time in a data protection law, cannot be found in other jurisdictions around the globe and disincentivises the citizens from exercising their rights. While the Act is silent on the compensation aspect in cases of harm or injury caused to the data principal in cases of breach, it makes a provision of penalty under Section 33 of the Act in cases of non-fulfilment of duties.
The Act exempts State instrumentalities from the rigours of the law under Section 17 permits the processing of data without the consent of the data principal in certain situations. Section 17(2) gives blanket powers to the Central Government to exempt any of its instrumentality from the application of the Act on grounds undefined and vague grounds such as maintenance of public order, security of state etc. It also violates the principles of purpose limitation and storage.
The Data Protection Board is a toothless tiger and has been tailored in a manner that all the provisions related to it give exclusive power to the Central Government pertaining to the selection, removal, and salaries of the board chairperson and members making the board an ineffective authority. Section 36 and 37 further empowers the Government to order the blocking of any information from the public, empowering it to curb free speech and information.
The attack on RTI through an amendment to Section 8(1)(j) was another grave concern that needs to be resisted. The government has empowered itself to deny any information to citizens even if it involves public interest.
Please read our detailed critique here