DPDP Bill 2023: Question mark on privacy, more power to govt

Do you know there are ten agencies that are authorised to breach your privacy through “interception, monitoring and decryption of any information generated, transmitted, received or stored in any computer” – without any oversight (of Parliament, independent authority or judiciary)?

This authority was given by the Ministry of Home Affairs (MHA) on December 20, 2018, under the Information Technology (IT) Act of 2000 and the IT Rules of 2009. These agencies are: Intelligence Bureau (IB), Narcotics Control Bureau (NCB), ED, CBDT, DRI, CBI, NIA, Cabinet Secretariat (RAW), Directorate of Signal Intelligence (for areas in Jammu & Kashmir, Northeast and Assam) and Delhi’s Commissioner of Police.

Do you know there are many other central agencies, which don’t need such authorisation; they have been created to run mass surveillance projects?

Here are some examples: National Technical Research Organisation (NTRO) of the DoPT (under PMO); National Intelligence Grid (NatGrid) of the MHA itself; Crime and Criminal Tracking Network and Systems (CCTNS), a joint venture of Centre and states; Central Monitoring System (CMS) of the Ministry of Communications etc. Then there are many others under the MHA and Defence Ministry about which very little is known. Some are set up to collect and share (private) information (NatGrid, CCTN) with all other intelligence, security, and police agencies.

True, such surveillance is needed to protect national security, friendly relations, public order etc., but (a) how do you know their action is lawful and (b) for the specific purposes their action is meant to be? It would be naïve to think that an act is lawful (and fair) just because a law allows it; even a lawful act is not meant to be abused or carried out with mala fide intent or violate the due processes or without accountability, transparency, and oversight.

Recall the Pegasus investigating reports of 2021 which pointed to extensive use of the Israeli military-grade spyware – allegedly targeting hundreds of academics, human rights activists, journalists, opposition leaders, even MeiTY Minister Ashwini Vaishnaw who introduced The Digital Personal Data Protection (DPDP) Bill of 2023 to protect privacy, senior CBI officers, a Supreme Court judge and an Election Commissioner. What legal recourse is then left for the breach of their privacy? The IB and RAW are not even legal entities; created as they are under executive orders and “at least one” of these is known to have bought the Pegasus in the past.

What is the point in all the above?

It is that (i) the DPDP Bill of 2023, introduced in the Lok Sabha on August 3, 2023, doesn’t mention or cover any of these government agencies and their activities, and hence, it can’t protect your privacy from the government. A government is the biggest and most powerful entity to intrude into privacy in India and elsewhere in the world. That is why all developed countries like the US, the UK, Australia, Canada, New Zealand have multiple layers of oversight (accountability) mechanisms: parliamentary accountability, judicial accountability, expert accountability, and complaint mechanisms. India has none.

The onus is on the DPDP Bill of 2023 because (a) privacy is a fundamental right since 2017 (didn’t exist earlier) and (b) it would be the first legislative attempt to protect it.

On the contrary, the DPDP Bill of 2023 (ii) gives additional and unrestraint power to the Centre and its “any instrumentality” to breach privacy with no accountability and transparency. Additional because the power under the DPDP Bill of 2023 is in addition to such powers which exist in the IT Act of 2000 and the IT Rules of 2009, IT Rules of 2021, and IT Rules of 2023. Why it is unrestrained power (to the government) will become clear soon. The DPDP Bill of 2023 does promise to protect individual privacy from breaches by a data fiduciary (a company) collecting and using personal data but (iii) allows the government to exempt certain data fiduciaries from their legal “obligations” to follow under the law.

Before explaining these points in detail, here is one critical point about the MHA’s 2018 order mentioned earlier. The order says it is issued “in exercise of the powers conferred” by the IT Act (Section 69) and its 2009 Rules (Rule 4). But Section 69 also says (a) the “reasons” need “to be recorded in writing” and also subject to (b) “the procedure and safeguards…shall be such as may be “prescribed”. The MHA’s 2018 order is silent on both. Section 69 and the Rule 4 of the IT Rules 2009 don’t prescribe any procedure or safeguard, merely repeat each other – and hence, the onus was on the MHA order to do so.

So, the first principle of the DPDP Bill of 2023 – which is “lawful usage” of personal data, “protection from the breach” and “transparent access”, as spelled out by MoS for MeiTY Rajeev Chandrasekhar the day (August 3, 2023) the DPDP Bill 2023 was introduced in the Lok Sabha – stands violated by the MHA’s 2018 order.

The other five principles the minister listed are: purpose and storage limitation, data minimisation, protection and accountability, safe storage, and mandatory reporting of breach by data platforms. Note, not one of these principles talks about protecting privacy from the government – the biggest and perennial threat to individual privacy.

Progressively regressive privacy legislation

In fact, successive drafts of the bill (iv) progressively diluted privacy right by giving more and more powers to government, its “instrumentality” and data fiduciary (businesses) to breach it through exemptions and legal immunity – as it progressed from the first privacy bill of 2018 to the fourth in 2023. Note, the bill originates from the Supreme Court’s declaration of privacy is a fundamental right in 2017. Except for the 2018 iteration, none other privacy bill recognises this “fundamental right”. The third and fourth iterations actually shifted the primacy from protection of privacy to the “need to process” personal data and put the “right of individuals” (note, the word “fundamental” is missing) at par with the need.

The DPDP Bill of 2023 (v) makes the fundamental right to privacy so vulnerable as to virtually extinct it. Here is how.

· A new insertion (Clause 7) allows “access” to personal data to the Centre and any of its “instrumentality” for “legitimate purpose” – a new coinage – which is defined to include “any function” under “any law”, in the interest of sovereignty and integrity of India, security and public order. This is in addition to a wide range of “exemptions” given in national security, friendly relations, public order etc. (Clause 17 (2a)). Both powers are without checks and balances, without prescribed processes and guidelines to be followed.

· Another new insertion (Clause 17(3)) is exemptions from compliances (checks and balances) to certain data fiduciaries “including start-ups”. These exemptions include “obligations” (a) to inform individuals about the nature of personal data to be collected and the “purpose” of its processing (b) to comply with the law (including not to share and erase data when need is over) (c) to audit and study impact assessments (d) to provide summary of personal data (recognised as an individual’s “right”), processing activities and identities of other data fiduciaries with which the data is shared.

·New power (Clause 27) to the Centre for “blocking” access by the public to “any information generated, transmitted, received, stored or hosted, in any computer resource” – which didn’t exist in the earlier iterations. This is also in addition to the existing powers to regulate online content under the IT Act of 2000 and IT Rules of 2009, 2021, and 2023.

·New immunity (Clause 35) to the Centre, the Board, Board members, officers, and employees as it provides that “no suit, prosecution or other legal proceedings shall lie against” them for acting “in good faith”.

·Civil courts are out of the adjudication process – continuation of earlier iterations – but far more reprehensible because of two new provisions: (a) immunity to the Centre against legal proceedings and (b) Centre’s total control over the appellate tribunal – the TDSAT (specified this time) – as the Centre alone appoints the TDSAT’s chairman and members.

Count four more major vulnerabilities of the privacy continued through all iterations.

·Data Protection Board, which is the adjudicating authority, remains unformed ­and executive-controlled – its composition, manner of appointments, salaries and service conditions and the processes it would follow are not specified (Centre “may notify”). Appointments of employees too will be with prior Centre’s approval. All this amounts to handing over legislative powers to the executive. For the bill to then state (Clause 28) that the Board “shall function as an independent body” is not just ironic but farcical.

·No compensation for victims of data breach is provided; worse, the right to compensation provided under the IT Act of 2000 (Sections 43A, 81 and 87) is extinguished (Clause 44).

·The RTI Act of 2005 (Section 8) has been diluted (by Clause 44) by taking away the powers of information officers (IC) and appellate authority for RTI Act to decide disclosure of personal information on merit (test of public interest).

·“Consent” remains “free, specific, informed, unconditional and unambiguous” but undermined by (a) “deemed” consent (without consent) which gets a new coat or “legitimate use” (Clause 7) – for the purpose of national security, friendly relations, public order etc. and (b) a wide range of “exemptions” to the government, data fiduciary and the Board and its members/staff.

Count another one which protected privacy in the 2018 and 2019 iterations but deleted subsequently:

·Classification of personal data as “sensitive” (financial, health data etc.) and “critical” (were to be defined by the Centre) restricting domestic “processing” and banning from sharing outside India.

Given all this, the six principles behind the DPDP Bill of 2023 are a mere lip service and a far cry from the six principles behind the European Union’s GDPR (General Data Protection Regulation)– considered to be the best in the world in protecting privacy.

The last point about the DPDP Bill of 2023 is (vi) it has gone straight to the Lok Sabha after the Union Cabinet’s approval on July 5, 2023. It has neither been put in public domain for debate nor examined by a parliamentary standing committee – and may or may not go to it either, going by the MeiTY Minister Vaishnaw’s statement of August 4, 2023 (that the government will answer all concerns about it in the Parliament).

As for businesses, the privacy iterations have been progressively more friendly (after 2018 and 2019). Unlike the restrictions put earlier, personal data transfer to outside India for “processing” is allowed – unless restricted (2023). Its 2022 iteration had allowed such data transfers only to notified countries. Since the classification of personal data as “sensitive” and “critical” (existed in 2018 and 2019) no longer exists, it is now a free flow of personal data. Domestic companies are allowed to process personal data of people residing outside India too (restricted in the 2018 and 2019 iterations).