There’s a lot that has already been said about the latest edition of the data protection bill. So in today’s Finshots, we pick 3 non-obvious bits from the bill that have created a flutter.

The Story

It all began in the hallowed halls of the Supreme Court in 2017. Nine judges of the highest court in the country passed a landmark ruling and said the ‘right to privacy’ is a fundamental human right. And since we all live in the digital age with bits of data just floating around everywhere, we needed rules in place to ensure that our data remained private. That we had control over how websites, apps, platforms, and companies collected and stored our data.

So the folks in the government quickly got to work — they were going to create India's first data protection law. They published the first draft in 2019 and asked for feedback. And there was a whole lot of it. So they went back to the drawing board and reworked it. Multiple times. In fact, the bill that was passed in the Lok Sabha a couple of days ago is the fourth attempt at getting it right. And it’s actually a fairly straightforward 33-page document. There’s hardly any legal jargon that’ll make you want to tear your hair out.

They’re calling it the ‘Digital’ Personal Data Protection Bill (DPDP). And it’ll deal with two types of data — one that’s collected digitally as you browse websites and social media platforms. And also data that’s collected offline and then fed into a computer.

Now the basic rules here are simple.

When someone wants your data, they need to tell you exactly what they're using it for. And then they must seek your consent before collecting and processing such data. They can’t use the data any way they like. For instance, if a bank asks for your photograph while opening an account, they need to first seek consent on a separate personal data notice that clearly explains why they need it and how they’ll use it.

Also, if a person wants their data to be erased at some point, it should be easy to do that. No questions asked.

If the entity responsible for collecting the data doesn't do all this, they’ll have to incur heavy monetary penalties.

Now there are exemptions to this, of course. But that’s the gist of it. And there will be a Data Protection Board too. Think of it as an independent regulator that’ll make sure that disputes are handled quickly. All this sounds good and this is something that will definitely get errant businesses to be more mindful of how they handle and process personal data.

But there are some niggling issues people have been pointing out. And we want to highlight 3 interesting perspectives here.

Firstly, Reetika Khera, a professor of economics at IIT Delhi, thinks there might be a potential clash with the Right to Information (RTI) Act.

How, you ask?

See, the RTI came about in 2005. And it had one goal — if anyone wanted information related to the government, they could send a written request and the authorities were expected to furnish this information. Of course, there were exemptions such as not disclosing information which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual. But it also noted that these exemptions wouldn't apply if "the Central Public Information officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information.”

For instance, let’s say you wanted details of the real estate investments of public servants such as IAS officers. You could argue that it is personal information and an invasion of privacy. But, these are people in the public domain who serve the larger interest of the nation. And tracking their real estate investments could indicate whether they have disproportionate assets — that is, if there is a mismatch between the wealth they've amassed and their income. It could throw light on possible corruption. So the RTI takes precedence here.

But here's the thing. The DPDP clashes with the RTI since it deals with personal information. And while many people were expecting the bill to clarify that it would complement the RTI Act, there seems to have been a small amendment instead. This amendment removes a few key words that are otherwise present in the RTI Act. And this simply says exemptions are valid for 'personal information' without the ifs and buts.

So in our earlier example, data on real estate holdings could definitely be categorised as personal information. And the worry now is that the government could very easily deny this information citing the DPDP bill. In fact, government officials have previously stated that everyone should also be entitled to the "right to privacy" even if they are operating in the public forum. So it seems this was coming anyway.

Secondly, there’s the matter of ‘content’.

Now the government already has the power to block content. They just have to cite Section 69A of the Information Technology Act and can order platforms such as Twitter and YouTube to delete content. But the objectionable content first has to satisfy one of 6 criteria — and these primarily involve things like a threat to “national security” and “public order”.

But they’ve gone ahead and included a clause about blocking content in the DPDP too — a Clause 37.

Now on the face of it, the wording is quite innocent. It simply says that if the Data Fiduciary, or the folks who’re responsible for storing and processing data, flout the rules twice, then the government will step in. It’ll allow the Data Fiduciary to give its side of the story. And if the government is not satisfied, it may stop it from conducting business.

So it makes sense. After all, the Fiduciary is handling people's personal data. So if they mess up, the government can step in to enforce its content blocking provision.

But there’s a problem. See, the IT Act clearly listed out the 6 reasons why content could be blocked. But the DPDP just says it can be blocked ‘in the interest of the general public’. And some folks believe that this could suddenly give the government a free rein on censorship. That it may be unconstitutional.

Also, this new clause in the DPDP seems to have come out of the blue. It wasn’t a part of earlier drafts. And that means the public couldn’t offer any feedback on it either. The government decided. The government executed. Now technically the decision will be taken by the Data Protection Board which is seemingly an independent entity. However, considering all members of the board are appointed by the Central Government itself, you could question whether they're really independent.

And thirdly, the impact on journalism.

See, investigative journalism is hard work. Reporters often spend days poring through documents and convincing people in the know (who often prefer to remain anonymous) to blow the whistle on dubious activities — maybe a businessperson has offshore accounts managed by family members that they route money into secretly? Maybe a politician is playing favourites by handing out projects to his friends and family. These are things the public must know about.

But what if this person cries foul? What if they say that the journalist has published private or personal information about them and they didn’t consent to any of this?

Now here’s the problem. Earlier drafts of the Bill actually exempted journalists from certain obligations. They could go about their investigative work and publish stories without a problem. They just had to make sure it was factually correct. But it seems like that’s not the case anymore. There’s no exemption even if the story might be in ‘public interest’. And here’s what Newslaundry asked a few months ago:

Before the Panama Papers were published in 2016, what if the Indian Express had been hauled before a data protection board for violating the privacy of those who held accounts in tax havens?

Does that mean it’ll hurt investigative pieces from now on? Well, that’s what the journalists fear.

And finally, note that none of the provisions in the act may apply to the Central Government the way the Bill is currently worded. So yeah, you can see why a few people are worried about some aspects of this bill. But nonetheless, this should still set a precedent for businesses to be more mindful while dealing with personal data.

Until then…
