Don’t destroy RTI, it's another ‘Data Protection Authority'

Shailesh Gandhi, former Central Information Commissioner commented that ‘a symbol of democracy, never to be sacked, for the people's right to know, is non-negotiable, and any attempt to change it, is highly deplorable. It can be highly abused by the state, like it was abused during 1975 Emergency in India. Mr. Shailesh Gandhi said:

Justice Srikrishna Committee, which was set up in 2017, after the Supreme Court’s Puttaswamy judgment has ignored the concerns raised by stakeholders. Earlier version of Bill has been extensive changes. It will destroy Article 19(1)(a) of the Constitution and play havoc the name of protecting privacy is destined to destroy the right to information through data changes.

They re-introduced the Personal Data Protection Bill without budging on the most contentious provision to exempt itself from the law. The Bill exercises very control over the major actors under the Bill – data principal, data fiduciaries and the Data Protection Authority of India (‘DPAI’). This authority sought to be established under the Bill that shall regulate and adjudicate upon the issues arising due to data breaches.

Strong argument will be codifying the rights and obligations of data principals and fiduciaries. In reality, it confers unchecked powers upon the executive that consequently dilutes the right to privacy. Data Protection law is supposed to be founded on the pillars of accountability and transparency. But it is not.

The danger of recommendation

The Committee had recommended the selection committee consist of the Chief Justice of India or her nominee, the Cabinet secretary and one person with expertise and repute in the data technology field. But this will prevent an important particular limb of the polity from exercising much high power over the DPAI, which will uphold its independence.

Elected political power leaders and judges will get high power through DPAI Bill. Because of this, political excessive power will totally be dependent upon the protection of fundamental right, especially Articles 19(1) and 19(2) of the Indian Constitution. Under section 42(2) of the DPAI Bill, the selection committee for appointing board members exclusively constitutes of members of the executive.

Control over the Executive

The selection committee under the Bill constitutes of Cabinet secretary of the Central government, secretary of the Government of India’s Ministry of Legal Affairs and secretary of the Government of India’s Ministry of Department dealing with Electronics and Technology.

In consequence, the members of Judiciary and an independent professional, as recommended, have been excluded from the selection process. The executive will absolutely be controlled by the Executive. Thus, the executive has absolute control over the appointment process of the board of DPAI. The six full-time members of the board shall be the representative of the executive. The rationale in the NTT case of the Supreme Court to an independent regulatory body can possibly be struck down.

Surveillances increases

Section 35 of the Bill allows the executive to exempt any state agency from obtaining consent of an individual before processing their data on specified grounds.

Despite the recommendation, the Bill permits additional grounds for such exemption. The Centre has been given excessive discretionary power. These governmental officers violates right to privacy and curbs other fundamental rights from being effectively exercised. It denies test of proportionality. Section 35 has increased the scope of the highest degree of surveillance.

This power affects the citizens. In the name of Security of State, and prevention, detection and investigation of crimes as legitimate grounds for processing personal data without the consent of the individual, subject to the tests of necessity and proportionality. With this excuse, Section 35 can use absolute exemption in the interest of sovereignty and integrity of India, public order and maintenance of friendly relations with foreign States.

Deny fundamental right of privacy

Data Protection law also subject to have the right to easily withdraw consent to process. With this law, their data without any repercussions can be withdrawn. If not, it can dilute the ‘free will’ requirement under the consent framework. The bill will be detrimental to the fundamental right of privacy.

Section 11(6) of the Bill states that if a data principal withdraws his consent without any ‘valid reason,’ then all legal consequences with respect to such withdrawal shall be borne by the data principal.

This provision has extremely diluted the consent framework envisaged within the Bill as recommended by the Committee. It has also added that element of ‘inappropriate pressure’ on the will of the individual that renders the choice/consent of the data principal invalid.

On the point of the ‘validity’ of the reason of withdrawal, the corporations have been brought under the scrutiny of the State, the fundamental right of the citizens is yet diluted. It appears to have been designed to bring all kinds of actor in the Bill under the direct or indirect control of the executive. Hence, the Bill legitimizes the use of unfettered power by the executive.

Deemed consent with Section 8 of Bill

It says under Section 2, Definitions (18) “public interest” means in the interest of any of the following: (a) sovereignty and integrity of India; (b) security of the State; (c) friendly relations with foreign States; (d) maintenance of public order; (e) preventing incitement to the commission of any cognizable offence relating to the preceding sub-clauses; and (f) preventing dissemination of false statements of fact.

Section 5 of the Bill: Grounds for processing digital personal data a person may process the personal data of a Data Principal only in accordance with the provisions of this Act and Rules made thereunder, for a lawful purpose for which the Data Principal has given or is deemed to have given her consent in accordance with the provisions of this Act. This provision besides Section 7 and 8 clauses etc, is having potential power of abuse the ‘consent’.

This means a Data Principal will get all the power to deem to have given consent to the processing of her personal data if such processing is necessary: (1) in a situation where the Data Principal voluntarily provides her personal data to the Data Fiduciary and it is reasonably expected that she would provide such personal data; and Section 11. (Additional obligations of Significant Data Fiduciary) (1) The Central Government may notify any Data Fiduciary or class of Data Fiduciaries as Significant Data Fiduciary, on the basis of an assessment of relevant factors, including: (a) the volume and sensitivity of personal data processed; (b) risk of harm to the Data Principal; (c) potential impact on the sovereignty and integrity of India; (d) risk to electoral democracy; (e) security of the State; (f) public order; and (g) such other factors as it may consider necessary; If the Bill is approved by the Parliament, increase various possibilities to consider as deem give consent for exemption. It could be a dangerous provision because it says ‘it is may’.

The Data Bill has totally ignored the ratio of Madras Bar Association v Union of India. The provision of the Selection Committee in the National Tax Tribunal Act (NTTA) was struck down by the Supreme Court as it comprised more executive members than judicial members. It was held unconstitutional because it contravened the institutional independence of the tribunal. The NTTA empowered the executive to decide transfers, the location, jurisdiction, and constitution of benches. It amounted to excessive executive interference. This principle would not, prima facie, extend to those tribunals which review the actions of independent regulators such as the Securities and Exchange Board of India, the Competition Commission of India, or the Telecom Regulatory Authority of India.

Under the DPDP authority and the selection committee or other officers will working a direct link with the executives, but will have no independence of authority. In addition, the DPAI also performs adjudicatory functions. The appellate adjudicatory officers are to be appointed by the board members of the DPAI who are solely appointed by the executive members. Such appointments could undermine the independence of the authority.