In continuation of our earlier discussions on DPDPA Challenge at Supreme Court, FDPPI held a public consultation on 7th March 2023. An introduction to the discussions on 7th March is available here: Notebook LM summarizes the Introduction to the debate
A Video of the discussions are found here
FDPPI has suggestions to make DPDPA acceptable to all including the petitioners of this challenge at Supreme Court. Some of it were discussed yesterday. More will be discussed in future writings.
Some of the immediate suggestions:
- On Section 44(3):
We donot recommend any change. However, it may be clarified that
-When an information is denied under the excuse of “Privacy”, the RTI applicant should be able to invoke the status of the organization as a Data Fiduciary and initiate a Grievance Redressal as a Right under Section 13 of DPDPA 2023. This escalates to the DPB and later to Supreme Court. The internal Grievance redressal would exhaust the appeal to CPIO before the applicant moves on to DPB.
-When information about the official is part of the release, it is considered as “Already Made Public” since all Government appointments at the level of PIO are often through written orders and even gazette notifications. Even otherwise it is considered as “Governance Contact Information” similar to “Business Contact Information” in the private sector. The contact information of PIO and CPIO are already in public domain and hence are not to be denied.
-When the information sought to be revealed includes the information of members of the public, it has to be backed by the consent from the data principals. It can be released in an anonymised form with the proviso that if it is de-anonymised, the de-anonymisation would be considered as a Section 66 offence under ITA 2000. If it is insisted that the information is released in identified form, at the level of Grievance Redressal, it may be referred to DPB
-Also whenever information of personal nature is released, an indemnity may be requested from the RTI applicant declaring that the information is required in larger public interest and outweighs the harm to the individual whose information is being released and that he would indemnify any consequences under DPDPA 2023 in that respect.
2. On Section 17(2)(b)
If a Journalist wants to conduct research or Social Audit, he may seek information under the exemption provided for Research. Since this is an exception, and it is not the only or primary activity of the Journalist to conduct a research, the Data Fiduciary needs to be satisfied that the requirment is for “Research”.
If agreeable, information may be released in a pseudonmous manner at first as per the security standards. If the applicant suspects any corruption, he may prefer to invoke his rights under BNS and seek more information and investigation.
If not agrreeable, the matter reverts to the Grievance redressal system under DPDPA.
3. On Section 17(1)(c)
In as much as the section is within Article 19(2) and more limited than the Article itself, there is no need to consider any changes.
Even where the purpose is for national security etc., the instrumenality of state which is permitted to use the exemption clause needs to be notified. Hence there are more than enough checks and balances against the misuse of the provision without hindering the investigative power of national security agencies.
Any further dilution of this provision would facilitate criminals to hide and erase their criminal trace using “Privacy” as an excuse.
4. On Section 36:
In as much as the poer to seek information is a necessity of Governance there is no need for change.
The data fiduciary who fears any harm to a data principal on account of a request under Section 36 may indicate the lack of consent and seek time for obtaining a special consent. If the situation is related to security, the official designated for collection of such information may indicate that no prior consent is required to be obtained and the Governent indemnifies the data fiduciary for any consequences arising out of such release of information subject to the data fiduciary acting in good faith and not conspiring with the data principal to raise complaints under DPDPA under false pretenses.
5. On Section 33:
The penalties are “Upto” a certain amount and there is no minimum penalty prescribed. The voultary undertaking provides for concessions in built into the powers of the DPB. Any allegations against the DPB decision is also available for judicial review through TDSAT and later the Supreme Court.
Hence there is no need for any changes in this section.
6. On Exemption for Journalists
DPDPA has so far not made any specific exemptions for any category of data principals including SMEs, Educational institutions, Charitable Institutions, Religious Institutions, Professions like Advocates,Chartered Accountants or Doctors. All exemptions and Legitimate use is based on purposes. Exemptions are available for Startups (On notification), Companies for mergers and acquisitions after court approval, Financial institutions after default etc. Further exemptions are also empowered for specific purposes and an official would be designated for the purpose of granting such exemptions. Those journalists or organizations of journalists who conduct Social Audits or public interest research may be given specific conditional permissions with obligations of purpose specific use, with data minimization, retention minimisation and accountability.
For this purpose a “Register of Approved Journalists for Research” may be created by the Ministry of Information and may include all Social media bloggers as “Digital Journalists”.
7. On Conflict with Puttaswamy Judgement
The Justice Puttaswamy Judgement (Aug 24, 2017) only directed that “Privacy is a Fundamental Right”. It is considered as subject to “Reaasonable Exemptions” under Article 19(2). There is no judicial definition of “Privacy” and it is left to interpretation on a case to case basis often with Judicial intervention if required. The Puttaswamy judgement did not specify any code for protection of Privacy.
The obligation to protect Privacy is now considered as a responsibility of the Prrivate Sector also because of the Kaushal Kishor judgement and the “Fiduciary” nature of the entity processing personal data imposes the necessary duties to the Data Fiduciary to not only protect the Right to Privacy but also all other fundamental rights.
The DPDPA does not profess to “Protect Privacy” and hence cannot be challenged on the ground that it does not protect Privacy. DPDPA defines its objective to “Protect the Right of individuals to protect their personal data” and this is sought to be achieved through “Consent”. Exceptions under Section 7 (Legitimate use) is available both for Private sector and Government sector and hence is non-discriminatory and purpose based. Exemptions under Section 17 is also availbe for both the Government sector and Private sector. Such exemptions are conditional and restrictive and within the limits of Article 19(2).
Hence there is no conflict of DPDPA 2023 with the Puttaswamy Judgement.
In view of the above, all three petitions may be summarily rejected at the time of the admission itself. Costs may be imposed on the petitioners for raising unsustainable grounds based on wrong interpretation of the legislation.
This does not preclude the DPDPA Rules from being improved upon through executive action of corrections only to meet the requirements of the Act in a matter better than what has been done now.
The Government may be directed to form a suitable expert committee for this purpose.
Naavi
Previous Reference:
Venkatesh Nayak
Reporter’s Collective
Views of the NCPRI are available in the video here:
Naavi’s preliminary views have been presented in the several articles listed below.
