DPDP Act, 2023 Controversy with RTI Act

By /

Background

  • The Digital Personal Data Protection (DPDP) Act, 2023 was enacted following the Supreme Court’s landmark Puttaswamy judgment (2017), which declared the right to privacy a fundamental right under Article 21. 
  • The court had directed the government to establish a data protection regime, leading to the Justice B.N. Sri Krishna Committee (2018) and eventually the DPDP Act, 2023.
  • The RTI Act and Original Provision
    • The RTI Act, 2005 empowered citizens to seek information from public authorities. 
    • Section 8(1)(j) originally provided a balanced exemption i.e personal information need not be disclosed unless larger public interest justified it. 
    • This provision struck a proportionate balance between privacy and transparency.

What is the controversy?

  • Section 44(3) of the DPDP Act amends Section 8(1)(j) of the RTI Act, replacing the earlier balanced provision with a blanket exemption for all personal information with no exceptions, even in cases of larger public interest.
  • Earlier, assets and liabilities of public servants could be disclosed under RTI to probe corruption allegations. This is now blocked under the blanket exemption.
  • Even procurement records, audit reports, and public spending details can now be rejected on the premise of being ‘personal information.’
  • The amendment effectively shields public officials from accountability under the garb of privacy protection.
  • The statement of objects and reasons of the DPDP Bill is silent about the intent behind this amendment thus raising concerns about legislative transparency.

Constitutional Challenge

  • The amendment has been challenged in the Supreme Court as ultra vires the Constitution. 
  • The matter has been referred to a Constitution Bench given the constitutional sensitivity of the questions involved primarily the tension between Article 19 (freedom of speech and information) and Article 21 (right to privacy).

Digital Personal Data Protection Act, 2023

  • Objective and Scope
    • The Act establishes a legal framework for protection and lawful processing of digital personal data.
    • It applies to personal data collected in digital form within India.
    • It also covers non-digital data that is later digitised.
    • The Act applies to foreign entities offering goods or services in India.
    • It excludes personal data processed for purely personal purposes or publicly available data.
  • Consent and Rights of Data Principals
    • Personal data may be processed only for lawful purposes after obtaining valid consent.
    • Data principals retain the right to withdraw consent at any time.
      • Consent is not required for specified legitimate uses, including government benefits and emergencies.
    • Data principals have rights to access, correction, erasure, and grievance redressal.
      • They must not file false or frivolous complaints under the Act.
  • Obligations of Data Fiduciaries and Regulatory Framework
    • Data fiduciaries determine the purpose and means of data processing.
    • They must ensure accuracy, reasonable security safeguards, and breach notification.
    • Personal data must be erased once the purpose of processing is fulfilled.
    • The Act establishes the Data Protection Board of India to ensure compliance.
    • Appeals against Board decisions lie before the Telecom Disputes Settlement and Appellate Tribunal.

Related Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

This will close in 0 seconds

Scroll to Top