How the ‘strict’ Data Act is diluting RTI

The government made many provisions to insulate itself from most of the data protection, making it less transparent and accountable

By M Sridhar Acharyulu
Published: Friday 08 September 2023
Photo: iStock

The Digital Personal Data Protection Bill, 2023 recently became law in the country. However, the DPDP law, also called the Data Act, will severely affect the Right to Information Act (RTI), 2005.

The Data Act looks like a conflict between two fundamental rights, that is, the right to information, part of Article 19 (1) and Article 21 of the Constitution of India, protection of life and personal liberty.

The amendment to the Right to Information, through the DPDP law, was criticised by some as “neither the right to privacy nor the right to information”.

The RTI Act is acclaimed as the most empowering legislation for democracy. Ever since it has come into effect, it has been of great help to every segment of society to obtain relevant information capable of protecting general Constitutional rights.

It has built-in adequate safeguards through Section 8 (1) (j) while fighting against harassing bureaucracy or protecting helpful officers. For a small fee of Rs 10, one could secure individual privacy with important exemptions with exceptional impact.

When the RTI Act was enacted, it had ten critical exemptions under Section 8 (1) and the law served democracy primarily for good governance.  

On the other hand, the new law changed the text and context of RTI by reinterpreting the provisions of Section 8 (1). The provisions stated that “information which cannot be denied to the Parliament or a State Legislature shall not be denied to any person”. Now it only applicable to Section 8 (1)(j) and not to the whole of Section 8 (1).  

There is almost no instance where the release of information under RTI has caused any significant loss to any national or personal interest that deserves to be protected. Parliament should have understood the need to safeguard offices and protect the RTI Act against indirect attempts to destroy it through the DPDP bill.

Open ‘myth’ of data law

The RTI Act, 2005 came into being after fighting for a couple of decades over access. Only a close reading of the 2005 Act and the Data Act can clarify the myths surrounding them. Both Acts have a significant effect, separately and together. 

The objective of Data Act as on title is

An Act to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and matters connected therewith or incidental thereto.

It does not refer to the Right to Information Act; indirectly, it said, “the right of individuals…connected therewith or incidental thereto”.

The Statement of Objects and Reasons in the Bill in 2019, before it was amended in the 2023 form, said:

1. In the matter of Justice KS Puttaswami and another vs Union of India [WP 494 of 2012], a nine Judge Constitutional Bench of the Supreme Court, while delivering its judgment on August 24, 2017, declared “privacy” as a fundamental right under Article 21 of the Constitution. Subsequently, on September 26, 2018, a five Judge Constitutional Bench of the Supreme Court while delivering its final judgment in the above case impressed upon the Government to bring out a robust data protection regime.

3. The proposed Legislation seeks to bring a robust data protection framework for India and to set up an Authority for protecting personal data and empowering the citizens with rights relating to their personal data ensuring their fundamental right to “privacy and protection of personal data”

They directly deal with “privacy and protection of personal data”. 

An earlier form of the bill presented before Lok Sabha said: 

Whereas the right to privacy is a fundamental right and it is necessary to protect personal data as an essential facet of informational privacy

This is the most essential sentence in the second part of Objective as presented in 2019 because it impacts the constitutional fundamental law, as explained by the Supreme Court in 2017 in KS Puttaswamy vs Union of India.

Not just Section 44

No one should mistake that the Data Act 2023 amended just one provision — Section 44 — of the RTI Act and that Parliament retained the rest of the RTI. Each provision of the Data Act will have a serious impact on RTI as well. 

Unfortunately, the amendment of Section 8 (1) (j) at Section 44 (3) of the Digital Personal Data Protection Bill 113 of 2023 (DPDP) leads to a serious fear that it will convert RTI into a Right to denial of information. The authorities will refuse to part with useful information under the cover of corruption.

The Data Act and RTI Act, as the last provision in Section 44 of the Data Act, says 

(3) In section 8 of the Right to Information Act, 2005, in sub-section (1), for clause (j), the following clause shall be substituted, namely: —, …and (j) the information which relates to personal information 

This Section (1) (j) under the above through Data Act, does not say whether it applies to the complete RTI Act, 2005.

Interestingly, the government used Section 44 of the Data Act, of 2023, through 

“(1) In section 14 of the Telecom Regulatory Authority of India Act, 1997, in clause (c), for sub-clauses (i) and (ii), the following sub-clauses shall be substituted, …:..” which diluted, means, will remove the oxygen pump, from the patient of Right to Information Act 2005, “last nail in the coffin” through the “…shall be substituted, namely:— 

“(j) information which relates to personal information;” S(1)(j).

Dangerous definition of a ‘person’

The Data Act, 2023, which was recently passed by Parliament, directly gives a dangerous definition of a ‘person’ in Act Section 2(s), 

(t) “personal data” and 

(u) “personal data breach” in read with exemption amended RTI. 

The meaning of the word “data” [2(h)] under the Data Act will also restrict the wide power of the changed RTI. 

(h) “data” means a representation of information, facts, concepts, opinions, or instructions in a manner suitable for communication, interpretation, or processing by human beings or by automated means;

Hence, the following words, as defined, are very significant provisions from the point of view of RTI. 

  • (i) “data fiduciary”, 
  • (j) “data principal”, 
  • (k) “data processor, 
  • (n) “digital personal data”

Over and above, the (v) “prescribed” means prescribed by rules made under this Act. The entire power is now concentrated with the Union Ministry of Information.

Any critic suffers the impact of increasing power through the ‘application’ of Section 3 of the Data Act in the processing of ‘digital personal data’. Lucky for us, Act Section 3(c) will not apply.

The illustration said: “X, an individual, while blogging her views, has publicly made available her personal data on social media. In such case, the provisions of this Act shall not apply”.

Section 6 of the Data Act provided the consent, supported with illustrations to explain, it says “..and be limited to such personal data as is necessary for such specified purpose”.

Empowering the two Acts

Every provision, with RTI reference, is empowered by the Data Act, especially with Section 6. In Section 9 about the processing of personal data of children, the power goes on centralisation in “ the case may be, in such manner as may be prescribed”. 

We do not know whether Parliament realised the power of the Data Act. 

Every provision of the law said,“ the notification may specify.” The expression ‘may’ should be understood as giving complete power to the officers of the Union minister and the Prime Minister. Where over ‘may be prescribed’ is the dangerous power, ‘may’ indeed gives the power to the officer concerned.

The section called ‘special provisions’ gives the power in Section 16 of the Data Act. Not only here, but Section 17 enhances scope through exemption:

“…(1) The provisions of Chapter II, except sub-sections (1) and (5) of section 8, and those of Chapter III and section 16 shall not apply where —...” 

Most specifically “(c) personal data is processed in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law for the time being in force in India” leaves it to officers to decide.

Several state governments and the central government, including personal information, are needed to empower people to undertake collective monitoring and ensure access to their rights and entitlements, besides various welfare schemes.

The government made many provisions to insulate itself from most of the data protection, citing protection of national security, managing foreign relations, maintaining public order and even preventing crimes. This makes the states less transparent and accountable, affecting the liberty of the people. 

Under the Data Act, violation of the provision could invite a high penalty for a data breach of up to Rs 250 crore. It requires compliance for the collection and processing of personal data to prevent a breach. 

This means whole power resides in Section 40, in addition to many provisions specifically and gets general authority through ‘power to make rules’, “(2) In particular and without prejudice to the generality of the foregoing power, such rules may provide for all or any of the following matters, namely:—" through every (a) to literally to (z) of Section 40 of the Data Act. 

The point to be noted is that the Centre assumed more powers over and above the state governments, in violation of federal principles. 

What is ‘good faith’?

Section 35 gives more power ‘in good faith’ provision. Now who defines ‘good faith’ and ‘bad faith’? Though it is available in almost all enactments, its impact explains its power.

The Bill was passed by Parliament on August 9, 2023 and the President consented on August 12, 2023. The most important Bill was passed by both Houses of the Parliament without just discussion in a couple of days.

Nothing is left to Parliament, democracy and the rule of law. Absolute power resides in the President through the Prime Minister.

M Sridhar Acharyulu is the former Central Information Commissioner

Views expressed are the author’s own and don’t necessarily reflect those of Down To Earth

Subscribe to Daily Newsletter :

Comments are moderated and will be published only after the site moderator’s approval. Please use a genuine email ID and provide your name. Selected comments may also be used in the ‘Letters’ section of the Down To Earth print edition.