Naavi.org

The present proceedings in the Supreme Court on the Constitutionality of the DPDPA raise several  issues of concerning the relationship between informational privacy, transparency in governance and the regulatory framework governing digital personal data.

The most contentious provision which is being discussed is the Section 44(3) which is sought to be repealed.

The objection is that the current provision which is stated below has stood the test of time and  the proposed provision dilutes the RTI Act and consequently the “Right to Freedom of Expression” as well as the “Right to Freedom of Press”.

Pre-Amendment Section:

matters which come under the exemptions specified in this section shall not be disclosed

– information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information: 

Provided that the information which cannot be denied to the Parliament or a State Legislature shall not be denied to any person.

Amended  Section:

– information which relates to personal information

In the current provision the PIO was expected to take a view on whether the  information is of personal nature and if so whether it infringes certain rights of Privacy. In the amended section, the PIO has to only identify if the information is personal or not.

What is personal information is defined in the DPDPA 2023 which was not in existence when RTI act of 2005 was enacted.

What is “Privacy” and how it can be “Infringed”, what is the “Harm” caused, “What is the  weight of public good vs individual harm” are not defined and remain vague. Expecting the PIO to decipher this is an unfair burden on a Government servant. Even the Courts will find it difficult to provide specific answers to these questions. Hence such questions can only be resolved in a subsequent appeal in a Court of law.

Also the declaration of “Right to Privacy” as a fundamental Right is a development after the Puttaswamy judgement and till then the MP Sharma Judgement and Kharak Singh Judgements  prevailed. They did not hold that Right to Privacy included “Information Privacy” and it was a “Fundamental Right”.  Hence after 24th  August 2017, there was a need to amend Section 8(1)(j) of the RTI act and that obligation has been fulfilled by Section 44(3) of  DPDPA 2023.

Hence Section 44(3) is a direct mandate of the Supreme Court  judgement in Puttaswamy case and cannot be altered by any bench of less than 9 members.

Hence during the Supreme Court trial starting from March 23rd or later, the following questions of law arise for consideration by the Court:

1. Whether after the 9 member SC bench in the case of Justice Puttaswamy judgement (2017) declaring that “Right to Privacy is a fundamental Right”, can the provisions of RTI Act, Section 8(1)(j) was mandatorily required to be amended.
2. Whether the requirement under the old Section 8(1)(j)  of RTI Act was an onerous judicial obligation cast on the PIO to determine
   1. whether the information sought to be released has no relationship to any public activity or interest, or
   2. Whether the information sought to be released  would cause unwarranted invasion of the privacy of the individual
   3. Whether the information sought to be released is in the larger public interest justifies the disclosure of such information
   4. Whether  the information sought to be released can be or cannot be denied to the Parliament or a State Legislature

4. If the RTI disclosure is considered under Section 8(2),  Whether a public authority can take a judicially appropriate decision on the disclosure outweighing the harm to the protected interests.
5. If the PIO errs in such judgement and discloses information, whether the public authority as a “Data Fiduciary” be held accountable for  the penalties under  Section 33
6. Whether the PIO being generous in disclosure can be held “Negligent” and penalized for incompetence?
7. Whether in such cases, the RTI applicant can be expected to Provide an assurance
   1. that to the best of his belief and knowledge, the information sought to be released does not infringe the privacy of any other individual,
   2. the possible harm caused to any individual/s outweighs the larger public interest in the disclosure
   3. the applicant indemnifies the public authority and the PIO of any harmful impact of penalties under section 33 of DPDPA 2023
8. Should only a DPO be designated as the PIO since credentials required to be a PIO are less stringent than that of a DPO?

We want Constitutional pundits to answer these questions.

Naavi

To

All Data Protection Professionals in India including all the Petitioners and their representatives  in the Supreme Court.

Dear Friends

Over a series of articles in Naavi.org, I have expressed my deep feelings  against the demand for scrapping DPDPA and DPDPA Rules. 

I am aware that the Court is unlikely to concede  the prayer for scrapping of DPDPA and only consider concerns on Section 44(3) and “Exemption for Journalists” as key issues to be addressed.

In expressing my views, as a Journalist, I have been aggressive and if I have hurt any individuals in this process, I honestly express my apologies. 

However, I have presented some suggestions on how the concerns of the petitioners may be addressed by reading down of the sections and providing clarity and by the Government in introducing some minor procedural changes.

I want all including the petitioners to think of these solutions and place it before the Court in the next hearing and not press for either scrapping of the DPDPA or for scrapping of Section 44(3) or for introducing a specific exemption  for the Journalists. 

Act is acceptable as it is and the rules are always subject to being improved. We shall all work towards improving the rules once the DPB is formed.

I request all those who have specific suggestions to address the concerns  expressed to send them here  for collation. They can also send it the Government so that it can be incorporated in the counter affidavit to be filed by the Government. 

MeitY as well as the Solicitor General of India who may argue the case are deemed to be aware of all the 16 plus articles published here. It is their prerogative  to either consider it or reject it and come up with their own suggestions or counters. 

In the past we have expressed that the Government  has not defended ITA 2000 properly when required and we donot want the same mistake to  be repeated now. Hence we have published these articles and placed it in public domain.

This information is also now available to the Court and I request the Registrar of Supreme Court to place the reference to these publications before the Court. I am enclosing a summaary of the suggestions in a document here as an attachment through a link.  This could be the starting point for further refinement with suggestions that may be given by other professionals.

Looking forward to a postitive approach to adopting DPDPA by all  sections of the society including the dissenting petitioners.

Yours sincerely

Naavi

Attachment: Suggestions Made

(This is a Synthetically generated content)

Naavi

In continuation of our earlier discussions on DPDPA Challenge at Supreme Court, FDPPI held a public consultation on 7th March 2023.  An introduction to the discussions on 7th March is available here: Notebook LM summarizes the Introduction to the debate

A Video of the discussions are found here

FDPPI has suggestions to make DPDPA acceptable to all including the petitioners of this challenge at Supreme Court. Some of it were discussed yesterday. More will be discussed in future writings.

Some of the immediate suggestions:

1. On Section 44(3): 

We do not recommend any change. However, it may be clarified that

-When an information is denied under the excuse of “Privacy”, the RTI applicant should be able to invoke the status of the organization as a Data Fiduciary and initiate a Grievance Redressal as a Right under Section 13 of DPDPA 2023. This escalates to the DPB and later to Supreme Court. The internal Grievance redressal would exhaust the appeal to CPIO before the applicant moves on to DPB.

-When information about the official is part of the release, it is considered as “Already Made Public” since all Government appointments at the level of PIO are often through written orders and even gazette notifications. Even otherwise it is considered as “Governance  Contact Information” similar to “Business Contact Information” in the private sector. The contact information of  PIO and CPIO are already in public domain and hence are not to be denied.

-When the information sought to be revealed includes the information of members of the public, it has to be backed by the consent from the data principals. It can be released in an anonymized form with the proviso that if it is de-anonymised, the de-anonymisation would be considered as a Section 66 offence under ITA 2000. If it is insisted that the information is released in identified form, at the level of Grievance Redressal, it may be referred to DPB

-Also whenever information of personal nature is released, an indemnity may be requested from the RTI applicant declaring that the information is required in larger public interest and outweighs the harm to the individual whose information is being released and that  he would indemnify any consequences under DPDPA 2023 in that respect.

2. On Section 17(2)(b)

If a Journalist wants to conduct research or Social Audit, he may seek information under the exemption provided for Research. Since this is an exception, and it is not  the only or primary activity of the Journalist to conduct a research, the Data Fiduciary needs to be satisfied that the requirement is for “Research”.

If agreeable, information may be released in a pseudonymous manner at first as per the security standards. If the applicant suspects any corruption, he may prefer to invoke his rights under BNS and seek more information and investigation.

If not agreeable, the matter reverts to the Grievance redressal system under DPDPA.

3. On Section 17(1)(c)

In as much as the section is within Article 19(2) and more limited than the Article itself, there  is no need to consider any changes.

Even where the purpose is for national security etc., the instrumentality of state which is permitted to use the exemption clause needs to be notified. Hence there are more than enough  checks and balances against the misuse of the provision without hindering the investigative power of national security agencies.

Any further dilution of this provision would facilitate criminals to hide and erase their criminal trace using “Privacy” as an excuse.

4. On Section 36:

In as much as the poer to seek information is a necessity of Governance there is no need for change.

The data fiduciary who fears any harm to a data principal on account of a request under Section 36 may indicate the lack of consent and seek time for obtaining a special consent. If the situation is related to security, the official designated for collection of such information may indicate that no prior consent is required to be obtained and the Government  indemnifies the data fiduciary for any consequences arising out of such release of information subject to the data fiduciary acting in good faith and not conspiring with the data principal to raise complaints under DPDPA under  false pretenses.

5. On Section 33: 

The penalties are “Upto” a certain amount and there is no minimum penalty prescribed. The voluntary undertaking provides for concessions in built into the powers of the DPB. Any allegations against the DPB decision is also available for judicial review through TDSAT and later the Supreme Court.

Hence there is no need for any changes in this section.

6. On Exemption for Journalists

DPDPA has so far not made any specific exemptions for any category of data principals including SMEs, Educational institutions, Charitable Institutions, Religious Institutions, Professions like Advocates,Chartered Accountants or Doctors. All exemptions and Legitimate use is based on purposes. Exemptions are available for Startups  (On notification), Companies for mergers and acquisitions after court approval, Financial institutions after default etc. Further exemptions are also empowered for specific purposes  and an official would be designated for the purpose of granting such exemptions. Those journalists or organizations of journalists who conduct Social Audits or public  interest research may be given specific conditional permissions with obligations of purpose specific use, with data minimization, retention minimization and accountability.

For this purpose a “Register of Approved Journalists for Research” may be created by the Ministry of Information and may include all Social media bloggers as  “Digital Journalists”.

7. On Conflict with Puttaswamy Judgement

The Justice Puttaswamy Judgement (Aug 24,  2017) only directed that “Privacy is a Fundamental Right”. It is considered as subject to “Reasonable Exemptions” under Article 19(2). There is no judicial definition of “Privacy” and it is left to interpretation on a case to case basis often with Judicial intervention if required.  The Puttaswamy judgement did not specify any code for protection of Privacy.

The obligation to protect Privacy is now considered as a responsibility of the Private Sector also because of the Kaushal Kishor judgement and the “Fiduciary” nature of the entity processing personal data imposes the necessary duties to the Data Fiduciary to not only protect the Right to Privacy but also all other fundamental rights.

The DPDPA does not profess to “Protect Privacy” and hence cannot be challenged on the ground that it does not protect Privacy.  DPDPA defines its objective to “Protect the Right  of individuals to protect their personal data” and this is sought to be achieved through “Consent”. Exceptions under Section 7 (Legitimate use) is available both for Private sector and Government sector and hence is  non-discriminatory and purpose based. Exemptions under Section 17 is also available for both the Government  sector and Private sector. Such exemptions are  conditional and restrictive and within the limits of Article 19(2).

Hence  there is no conflict of DPDPA 2023 with the Puttaswamy Judgement.

In view of the above, all three petitions may be summarily rejected at the time of the admission itself. Costs may be  imposed on the petitioners for raising unsustainable grounds based on wrong interpretation of the legislation.

This does not preclude the  DPDPA Rules from being improved upon through executive action of corrections only to meet the requirements of the Act in a matter better than what has been  done now.

The Government may be directed to form a suitable expert committee for this purpose.

Naavi

Previous Reference:

Venkatesh Nayak
Reporter’s Collective

Views of the NCPRI are available in the  video here:

Naavi’s preliminary views have been presented in the several articles listed below.

Notebook LM crates a Video summary of naavi’s articles in a 6 minute video

Naavi

Whether you agree or not with the views of Naavi expressed in the earlier articles ending with the  “Summary of the Comments on the petitions filed at Supreme Court on DPDPA” 

Considering that only 70 persons have taken the trouble to sign the online petition “I am the Real Public in India and I donot support scrapping  of DPDPA and DPDPA Rules”  raised by Naavi, FDPPI has now opened a larger public consultation through today’s open session moderated by Naavi. We expect some legal practitioners and academicians to contribute their thoughts to this challenge before us to either agree or disagree with the petition to “Scrap DPDPA”.

We hope the meeting room will overflow and hence join well in time not to miss the opportunity.

Naavi