
Imperfect armour

The criticism that has most weight is the deleterious effect of this law on the right to information. By amending the Right to Information Act, the DPDP Act virtually paralyses it

Arghya Sengupta Published 23.08.23, 04:46 AM

Earlier this month, the president gave her assent to the Digital Personal Data Protection Act, 2023. The absence of such a law had meant that India was never taken as a serious player in the global digital economy. Six years in the making, the law lays down the rights of internet users, such as knowing what information about one is held by which company, duties of companies to secure and responsibly share such data, and a mechanism to enforce these rights and duties. This law is certainly not the finished article. But in the deluge of criticism it has faced, some of it justified, others less so, the big picture is lost — the law provides the beginnings of a framework to protect our privacy in a meaningful manner.

Before this, any company could process data belonging to children indiscriminately. It could send targeted advertisements and track children online. In an early example of the potential harm this could cause, a decade ago, the world was shocked to learn that Target, an American retail giant, knew about a teenager’s unwanted pregnancy even before her own father because she was buying unscented lotion from them. This law prevents such a situation from taking place in India. It is a testament to the fact that India now takes its responsibilities towards its citizens, particularly its children, seriously.

Critics are right, however, in pointing out that despite having enacted a laudable law, the State can potentially exempt itself from almost all important obligations under it. The Central government can grant any State entity total exemption from all obligations under the Act if doing so is in the interest of the sovereignty, integrity, and security of India and so on. While grounds as sensitive as these do justify some exemptions, entirely exempting certain entities is absurd. The Central Bureau of Investigation, which investigates several cases impinging on national security and public order, also has in its possession other kinds of data, such as personnel records of its officers, names and information of witnesses in closed cases and so on. It makes little sense to provide a blanket exemption to the CBI for these kinds of information. It is likely that this overly broad power of exemption will be duly curtailed by courts.

Second, critics have claimed that the membership of the Data Protection Board of India, a statutory body set up under this law, is such that the Board cannot be truly independent. As a matter of fact, this is accurate. It is likely to lead to another challenge in court and a tussle between the government and the judiciary over the prerogative to appoint members to important public bodies. We have been here before, with the appointment of tribunal members, judges of the high court and the Supreme Court, the CBI chief, and, most recently, the Election Commissioners. This is a pointless debate. Genuine independence cannot be secured by focusing solely on who makes appointments, as an office-bearer is likely to be beholden to the appointer, no matter who it is. True independence can be better secured through transparent processes, the need for detailed annual reports, and other such methods which foster direct accountability to the public. It is time to reorient our focus rather than continue to sing a broken tune.

Finally, the criticism that has most weight is the deleterious effect of this law on the right to information. By amending the Right to Information Act, the DPDP Act virtually paralyses it. As a result, under the RTI Act, there is no obligation to disclose any information which can be construed as ‘personal information’ — data about an individual through which the individual can be identified. If a public sector bank has to be bailed out because it gave out a massive loan which has now gone bad, there is an overwhelming public interest in knowing who took out the loan. Under the RTI Act, however, this will no longer be possible as that will pertain to the personal information of the defaulter.

This was always the likely result of a blinkered campaign for the right to privacy that did not fully grasp its implications on other, hard-won, rights. When I had argued the right to privacy matter in the Supreme Court, this is why I had cautioned against defining an overbroad right to privacy — it would lead to secrecy where public interest demanded transparency. At the time, many saw my arguments as a stand against privacy. It was nothing of the kind. By reframing the argument as the right to have autonomous control over data, I was attempting to balance the privacy of an individual citizen with the public interest in transparency. But the shrillness of those demanding privacy silenced most other voices, including those of RTI activists who are now left picking up the pieces.

This represents the problem of a lot of well-intentioned activism that is geared for X (formerly Twitter). Nuance is dead, a different point of view is cancelled, and only facile agreement, or better still, likes and reposts are encouraged. The reason why the DPDP Act today does not also protect the right to information, as the Srikrishna Committee (of which I was a member) had originally recommended, is because that attempt was unthinkingly trashed, claiming that it would affect RTI. This was the exact converse of the truth. But if government-appointed committees were to be lambasted for something they didn’t do, for wholly extraneous reasons, it isn’t surprising that someone in government decided to go ahead and actually do it. All of us outside government now need to regroup and introspect as to how to reverse this position.

Last weekend, I was part of a lively debate at the Tollygunge Club in Calcutta, arguing for the motion that protecting privacy is futile. That motion was deservedly rejected by the discerning audience, which hoped that governments would do their bit to enable citizens to take control over their own digital lives. Despite all its faults, the DPDP Act is the first step in that direction. Now it is for all of us — ordinary citizens, civil society groups, corporations, and governments — to build from here.

Arghya Sengupta is Research Director, Vidhi Centre for Legal Policy. Views are personal
