(This is a Synthteitcally generated content)
Naavi
In continuation of our earlier discussions on DPDPA Challenge at Supreme Court, FDPPI held a public consultation on 7th March 2023. An introduction to the discussions on 7th March is available here: Notebook LM summarizes the Introduction to the debate
A Video of the discussions are found here
FDPPI has suggestions to make DPDPA acceptable to all including the petitioners of this challenge at Supreme Court. Some of it were discussed yesterday. More will be discussed in future writings.
Some of the immediate suggestions:
We donot recommend any change. However, it may be clarified that
-When an information is denied under the excuse of “Privacy”, the RTI applicant should be able to invoke the status of the organization as a Data Fiduciary and initiate a Grievance Redressal as a Right under Section 13 of DPDPA 2023. This escalates to the DPB and later to Supreme Court. The internal Grievance redressal would exhaust the appeal to CPIO before the applicant moves on to DPB.
-When information about the official is part of the release, it is considered as “Already Made Public” since all Government appointments at the level of PIO are often through written orders and even gazette notifications. Even otherwise it is considered as “Governance Contact Information” similar to “Business Contact Information” in the private sector. The contact information of PIO and CPIO are already in public domain and hence are not to be denied.
-When the information sought to be revealed includes the information of members of the public, it has to be backed by the consent from the data principals. It can be released in an anonymised form with the proviso that if it is de-anonymised, the de-anonymisation would be considered as a Section 66 offence under ITA 2000. If it is insisted that the information is released in identified form, at the level of Grievance Redressal, it may be referred to DPB
-Also whenever information of personal nature is released, an indemnity may be requested from the RTI applicant declaring that the information is required in larger public interest and outweighs the harm to the individual whose information is being released and that he would indemnify any consequences under DPDPA 2023 in that respect.
2. On Section 17(2)(b)
If a Journalist wants to conduct research or Social Audit, he may seek information under the exemption provided for Research. Since this is an exception, and it is not the only or primary activity of the Journalist to conduct a research, the Data Fiduciary needs to be satisfied that the requirment is for “Research”.
If agreeable, information may be released in a pseudonmous manner at first as per the security standards. If the applicant suspects any corruption, he may prefer to invoke his rights under BNS and seek more information and investigation.
If not agrreeable, the matter reverts to the Grievance redressal system under DPDPA.
3. On Section 17(1)(c)
In as much as the section is within Article 19(2) and more limited than the Article itself, there is no need to consider any changes.
Even where the purpose is for national security etc., the instrumenality of state which is permitted to use the exemption clause needs to be notified. Hence there are more than enough checks and balances against the misuse of the provision without hindering the investigative power of national security agencies.
Any further dilution of this provision would facilitate criminals to hide and erase their criminal trace using “Privacy” as an excuse.
4. On Section 36:
In as much as the poer to seek information is a necessity of Governance there is no need for change.
The data fiduciary who fears any harm to a data principal on account of a request under Section 36 may indicate the lack of consent and seek time for obtaining a special consent. If the situation is related to security, the official designated for collection of such information may indicate that no prior consent is required to be obtained and the Governent indemnifies the data fiduciary for any consequences arising out of such release of information subject to the data fiduciary acting in good faith and not conspiring with the data principal to raise complaints under DPDPA under false pretenses.
5. On Section 33:
The penalties are “Upto” a certain amount and there is no minimum penalty prescribed. The voultary undertaking provides for concessions in built into the powers of the DPB. Any allegations against the DPB decision is also available for judicial review through TDSAT and later the Supreme Court.
Hence there is no need for any changes in this section.
6. On Exemption for Journalists
DPDPA has so far not made any specific exemptions for any category of data principals including SMEs, Educational institutions, Charitable Institutions, Religious Institutions, Professions like Advocates,Chartered Accountants or Doctors. All exemptions and Legitimate use is based on purposes. Exemptions are available for Startups (On notification), Companies for mergers and acquisitions after court approval, Financial institutions after default etc. Further exemptions are also empowered for specific purposes and an official would be designated for the purpose of granting such exemptions. Those journalists or organizations of journalists who conduct Social Audits or public interest research may be given specific conditional permissions with obligations of purpose specific use, with data minimization, retention minimisation and accountability.
For this purpose a “Register of Approved Journalists for Research” may be created by the Ministry of Information and may include all Social media bloggers as “Digital Journalists”.
7. On Conflict with Puttaswamy Judgement
The Justice Puttaswamy Judgement (Aug 24, 2017) only directed that “Privacy is a Fundamental Right”. It is considered as subject to “Reaasonable Exemptions” under Article 19(2). There is no judicial definition of “Privacy” and it is left to interpretation on a case to case basis often with Judicial intervention if required. The Puttaswamy judgement did not specify any code for protection of Privacy.
The obligation to protect Privacy is now considered as a responsibility of the Prrivate Sector also because of the Kaushal Kishor judgement and the “Fiduciary” nature of the entity processing personal data imposes the necessary duties to the Data Fiduciary to not only protect the Right to Privacy but also all other fundamental rights.
The DPDPA does not profess to “Protect Privacy” and hence cannot be challenged on the ground that it does not protect Privacy. DPDPA defines its objective to “Protect the Right of individuals to protect their personal data” and this is sought to be achieved through “Consent”. Exceptions under Section 7 (Legitimate use) is available both for Private sector and Government sector and hence is non-discriminatory and purpose based. Exemptions under Section 17 is also availbe for both the Government sector and Private sector. Such exemptions are conditional and restrictive and within the limits of Article 19(2).
Hence there is no conflict of DPDPA 2023 with the Puttaswamy Judgement.
In view of the above, all three petitions may be summarily rejected at the time of the admission itself. Costs may be imposed on the petitioners for raising unsustainable grounds based on wrong interpretation of the legislation.
This does not preclude the DPDPA Rules from being improved upon through executive action of corrections only to meet the requirements of the Act in a matter better than what has been done now.
The Government may be directed to form a suitable expert committee for this purpose.
Naavi
Previous Reference:
Venkatesh Nayak
Reporter’s Collective
Views of the NCPRI are available in the video here:
Naavi’s preliminary views have been presented in the several articles listed below.
Notebook LM crates a Video summary of naavi’s articles in a 6 minute video
Naavi
Whether you agree or not with the views of Naavi expressed in the earlier articles ending with the “Summary of the Comments on the petitions filed at Supreme Court on DPDPA”
Considering that only 70 persons have taken the trouble to sign the online petition “I am the Real Public in India and I donot support scrapping of DPDPA and DPDPA Rules” raised by Naavi, FDPPI has now opened a larger public consultation through today’s open session moderated by Naavi. We expect some legal practitioners and academicians to contribute their thoughts to this challenge before us to either agree or disagree with the petition to “Scrap DPDPA”.
We hope the meeting room will overflow and hence join well in time not to miss the opportunity.
Naavi
The entire set of articles that we have discussed in the last fortnight on the DPDPA Challenge petitions in the Suprmene Court are available here.
Copies of the petitions
Venkatesh Nayak
Reporter’s Collective
These discussions cover the two petitions of Venkatesh Nayak and Reporters Collective Trust. We did not have a copy of the third petition filed by NCPI. The points raised in that petition may not be different and if we get the copy of the petition, we will study that also and present the details.
The objective of these articles is not to criticise learned cousels who are representing the case though we may be using some aggressive statements as part of the presentation.
We however make a specific request to the Supreme Court that in all PIL petitions of this nature an opportunity should be given to the general public to submit their views like what the Supreme Court recently did in the case of Digital Arrest related petitions where an Amicus was appointed to collect the information from the public. This should be a standard practice.
We are specially irked by the fact that instead of restricting the prayers to resolve specific concerns the petitioners were asking for “Stay” and “Scrapping of the Act”. This was unwarranted and lacked responsibility.
India has been waiting for a legislation of this type for a long time and when finally it was in place, trying to scuttle it was not considered a good idea. Hence we had to strongly intervene and put across our views.
We now have placed these views in the public and feel that the Court is obliged to consider this opinion besides what the Government may present. Court should atleast ask the Attorney General whether they have gone through these views.
We have directly kept the Ministry of Information Technology informed about these views and hence it is their responsiblity to bring them to the attention of the Court. In the past (eg: Section 66A case) MeitY did not present their case properly and let the section be scrapped. It should not happen this time.
There is no reason to make any changes including in Section 44(3). We have given some suggestions on how the concerns can be addressed and are ready to share more details of how the Data Fiduciaries need to address these issues.
The MeitY, the Attroney General and the Supreme Court should have an open mind to receive these suggestions and not stand on formalities.
Naavi and FDPPI will continue to take actions required to protect DPDPA and will present more analysis as and when required.
On March 7, FDPPI will conduct a virtual Round Table on the topic, All are welcome. The link to the session is Link to the virtual session is available below
Meeting Id: Zoom: 857 9546 4234
Passcode:dpdpa1
One more objection raised by Reporter’s Collective which is bizarre and sinister is the interpretation that while the Search Committee may recommend some candidates either for the Chairman’s position or the members of Data Protection Board, The Government may appoint some body other than the recommended persons.
It is not clear where from they got this creative idea which is unsubstantiated and completely ridiculous.
The petition goes further and states that sincethe DPB may act through a “Digital office” it is “exclusionary” forgetting that the law is meant only for “Digital Personal Data” and the related disputes and further that the disputes with Data Principals if any for personal remedy may be handled not by DPB but by the Adjudicating officer of ITA 2000. When the suject matter of the dispute itself is “Digital”, it is difficult to understand how the dispute can be settled without touching a “Digital Office”. The petitioner has just invented a reason to raise the dispute.
To support its view it has referred to several judicial decisions which have no relation to the formation of DPB through a process involving selection by a search committee consisting of three secreatries and two exernal persons.
Finally the petitioner thinks that the penalty of Rs 50 crores to Rs 250 crores are exaggerated forgetting that the recommendation is “Upto” Rs 50 crores or “Upto” Rs 250 crores. The law does not mandate specifically that the minimum penalty should be Rs 50 crores. The law also provides an option for Volunatary undertaking which could mean that in some instances, no finacial penalty may be impsoed at all and only certain remedial directions may be issued.
Petitioners also need to reflect that under GDPR penalties are at levels of 1 billion US dollars in some cases and comparitively the maximum penalties under the DPDPA are much lower.
The petitioners assume that though the Act provides that Government may exempt specific classes of fiduciaries or specific classes of data from parts of the act, and such selective exemptions may be for SMEs, or even for Religious institutions such as Temples or even for the Journalists, the Government is not empowered to grant such powers. This sort of statements are malicious and meant only to make the Court believe what is not true.
The petitioners need to be asked to justify some of these assetions or admit that they are committing “perjery”.
Thus on several grounds the petition from Reporter’s collective is considered as based on false premises meant to mislead the Court. It should ideally be rejected with a penalty.
We would have appreciated if the Reporter’s Collecive had restricted itself to express its concerns and seem specific remedies rather than asking for scrapping of the entire Act. This demand betrays that the petitioners have come with a pre-conceived conspiracy to get the act scrapped and prevent the Indian public rom getting whatever benefits they would have expeted from the “Right to Protect Personal Data” which the Act tries to provide.
We have our prescriptions on how the act and the rules may be inerpreted to the effect that none of the concerns expressed can be considered as not addressable with a suitable interpretation.
Naavi
