Naavi.org

I refer to the earlier article on this forum “Measure your data, Treasure your data” A movement for the year 2026.

This was followed by many articles on Data Valuation. (Data Valuation methods 1, Data Valuation Methods-2 and Data Valuation Methods 3). We also discussed Business Model Maturity Index Model and Data Valuation as a Service.

These highlighted  the need for PSUs to adopt a Data Valuation model since CAG has  given a direction  to the Auditors to answer the query “whether the Company has identified its data assets and whether it has been valued appropriately”.

This meant that PSUs needed to identify their data assets and also give a fair valuation thereof. This left most PSUs intrigued on how to value data assets and had to turn to the  discussions we have made since a long time on this issue.

To add to this  intrigue, now the petition in the Supreme Court on Section 44(3) has raised an issue whether the Public Information officers (PIO) of public authorities who have an obligation to disclose information under the RTI act are able to make an assessment of whether the requested release of information infringes privacy of any individual and if so whether the harm caused thereof outweighs the public benefit or not.

Assuming that most requested release would involve personal information disclosure, all PIOs therefore need to be proficient on DPDPA  and be capable of creating a judicially sustainable internal note on whether the disclosure is or is not violative of the DPDPA.

If the PIO makes any error, the organization will be exposed to the risk of a data principal raising a claim for damages and the DPB considering a penalty on the organization.

The twin challenges of data valuation and DPDPA impact on RTI disclosures will require  all PSUs to quickly start evaluating the “DPDPA Risk on their RTI obligation”.

FDPPI would like to advise all PSUs to start taking measures to assess their risks on the above two aspects and how to mitigate them.

Naavi

Synthetically generated with Content from Naavi.

When FDPPI was formed in 2018, three main objectives were set for the Section 8 Company.

First was to build an empowered Community of professionals who were “Knowledgeable”, “Efficient” and “Ethical”

Second was  to Enhance the intrinsic value and worth of the Profession of Data Protection Professionals.

Both these objectives are served firstly by the Awareness building initiatives, Secondly by the Certification and  thirdly by the development of Compliance framework.

It was interesting that FDPPI had added the third main objects of its constitution as

“To bring harmony in the pursuance of Civil Rights of individuals such as Privacy and Freedom of Expression along with the Right to Information and Right to Cyber Security without any profit motive”.

The time has now come to activate action to meet this third objective  in the light of the threat posed to the DPDPA by the three petitions filed in the honourable Supreme Court by Mr Venkatsh Nayak, Reporter’s Collective Trust and National Campaign for People’s Right to Information, represented by Ms Vrinda Grover, Mr Abhishek Manu Singhvi and Mr Prashant Bhushan.

These petitioners are approaching the Court as “Civil Liberty Activists” and claiming that the DPDPA 2023 and the Rules are damaging  the basic structure of Freedom of Speech ingrained under Article 19 of the Constitution and therefore should be scrapped wholly or partly.

FDPPI had anticipated that the “Right to Privacy” would come into conflict with “Right to Freedom of Expression” even before the current conflict arose. Hence it had the vision to add this third objective to its objective clause.

We are therefore now opposing  the petitions with the following argument.

1. Objective of DPDPA 2023 was to protect Personal Data and not “Right to Privacy”.
2. “Puttaswamy Judgement” neither defined “Privacy”  nor mandated the law to protect Privacy.
3. Government passed a  refined “Personal Data Protection Act” in the form of DPDPA 2023 after considering the different iterations presented and collecting public views and debating  at length in the JPC.
4. DPDPA 2023 recognizes Data Processors as “Data Fiduciaries” if they decide  the purpose and means of processing and mandates “Consent”, while providing some exemptions and recognition of legitimate use
5. Legitimate use as well as Exemption is determined on the basis of purpose of processing not on the nature of the data fiduciary.
6. Supreme Court holds both Right to Information and Right to Privacy as derivative Rights associated with Article 19 or Article 21. Both  need to be looked at as a shade lower right than the Right to Freedom of Expression and Right to Life and Liberty.
7. Government has defined a “Public Right to information” and “Public Right to protection of personal data” in the two acts namely RTI 2005 and DPDPA 2023.
8. When RTI 2005 was enacted, Puttaswamy judgement was not there and Privacy was not even considered a “Fundamental right”. Hence RTI had a free reign of interpretation which the petitioners are claiming now as inalienable fundamental Right.
9. With the Puttaswamy Judgement the fundamental condition under which RTI and Section 8(1)(j) existed has irrevocably changed. Now the Government and the Court cannot ignore the presence of the Puttaswamy Judgement and has to make Right to Information co-exist with Right to Privacy.(RTP)
10. It is therefore  imperative that  the activists of RTI and activists of RTP find a middle ground and cannot claim primacy of one right over the other.
11. Since RTP is a complicated concept which even the Supreme Court bench found it hard to define, it is not possible to expect a Government servant who is an administrative manager to take a judicious decision about what outweighs what.  Hence changes made to Section 8(1)(j) should be considered as a mandate on the Government by the Puttaswamy judgement.
12. Any disagreements between an RTI applicant and the PIO refusing information on RTP grounds  should be handled as a “Grievance” and redressed through appropriate appeals to DPB (Instead  of the Information Commissioner) which can go upto Supreme Court.
13. If “Journalists” claim to  be a category meant to protect Right to Information as a means to Right to freedom of expression, then there is a need to define “Journalist” in a manner that is relevant to the Digital world not restricting to those who  hold a “Press  Pass” that gives them entry into the Press Club or Press enclosure in the legislature. It should include every Blogger, Youtuber, Instagram account holder and even Telegram or WhatsApp Channel owner.
14. DPDPA 2023 has also not recognized any other profession including educationists or doctors or advocates or chartered accountants, SMEs, etc as exempted category and left the application of the Act only on the  basis of purposes
15. Government  has the right to declare and notify specific classes of data fiduciaries eligible for different exemptions for which a system in the form of designated officers is being set up.

These are the Fifteen Sutras which we would like the Supreme Court to take into account when it hears out the petitioners.

In view of the above,  DPDPA 2023 and the Rules cannot be questioned on the basis of it not being able to meet the “Exaggerated expectations of the petitioners”.

Let us learn  to co-exist and live in a world where RTI and RTP co-exists.

Naavi

The present proceedings in the Supreme Court on the Constitutionality of the DPDPA raise several  issues of concerning the relationship between informational privacy, transparency in governance and the regulatory framework governing digital personal data.

The most contentious provision which is being discussed is the Section 44(3) which is sought to be repealed.

The objection is that the current provision which is stated below has stood the test of time and  the proposed provision dilutes the RTI Act and consequently the “Right to Freedom of Expression” as well as the “Right to Freedom of Press”.

Pre-Amendment Section:

matters which come under the exemptions specified in this section shall not be disclosed

– information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information: 

Provided that the information which cannot be denied to the Parliament or a State Legislature shall not be denied to any person.

Amended  Section:

– information which relates to personal information

In the current provision the PIO was expected to take a view on whether the  information is of personal nature and if so whether it infringes certain rights of Privacy. In the amended section, the PIO has to only identify if the information is personal or not.

What is personal information is defined in the DPDPA 2023 which was not in existence when RTI act of 2005 was enacted.

What is “Privacy” and how it can be “Infringed”, what is the “Harm” caused, “What is the  weight of public good vs individual harm” are not defined and remain vague. Expecting the PIO to decipher this is an unfair burden on a Government servant. Even the Courts will find it difficult to provide specific answers to these questions. Hence such questions can only be resolved in a subsequent appeal in a Court of law.

Also the declaration of “Right to Privacy” as a fundamental Right is a development after the Puttaswamy judgement and till then the MP Sharma Judgement and Kharak Singh Judgements  prevailed. They did not hold that Right to Privacy included “Information Privacy” and it was a “Fundamental Right”.  Hence after 24th  August 2017, there was a need to amend Section 8(1)(j) of the RTI act and that obligation has been fulfilled by Section 44(3) of  DPDPA 2023.

Hence Section 44(3) is a direct mandate of the Supreme Court  judgement in Puttaswamy case and cannot be altered by any bench of less than 9 members.

Hence during the Supreme Court trial starting from March 23rd or later, the following questions of law arise for consideration by the Court:

1. Whether after the 9 member SC bench in the case of Justice Puttaswamy judgement (2017) declaring that “Right to Privacy is a fundamental Right”, can the provisions of RTI Act, Section 8(1)(j) was mandatorily required to be amended.
2. Whether the requirement under the old Section 8(1)(j)  of RTI Act was an onerous judicial obligation cast on the PIO to determine
   1. whether the information sought to be released has no relationship to any public activity or interest, or
   2. Whether the information sought to be released  would cause unwarranted invasion of the privacy of the individual
   3. Whether the information sought to be released is in the larger public interest justifies the disclosure of such information
   4. Whether  the information sought to be released can be or cannot be denied to the Parliament or a State Legislature

4. If the RTI disclosure is considered under Section 8(2),  Whether a public authority can take a judicially appropriate decision on the disclosure outweighing the harm to the protected interests.
5. If the PIO errs in such judgement and discloses information, whether the public authority as a “Data Fiduciary” be held accountable for  the penalties under  Section 33
6. Whether the PIO being generous in disclosure can be held “Negligent” and penalized for incompetence?
7. Whether in such cases, the RTI applicant can be expected to Provide an assurance
   1. that to the best of his belief and knowledge, the information sought to be released does not infringe the privacy of any other individual,
   2. the possible harm caused to any individual/s outweighs the larger public interest in the disclosure
   3. the applicant indemnifies the public authority and the PIO of any harmful impact of penalties under section 33 of DPDPA 2023
8. Should only a DPO be designated as the PIO since credentials required to be a PIO are less stringent than that of a DPO?

We want Constitutional pundits to answer these questions.

Naavi

To

All Data Protection Professionals in India including all the Petitioners and their representatives  in the Supreme Court.

Dear Friends

Over a series of articles in Naavi.org, I have expressed my deep feelings  against the demand for scrapping DPDPA and DPDPA Rules. 

I am aware that the Court is unlikely to concede  the prayer for scrapping of DPDPA and only consider concerns on Section 44(3) and “Exemption for Journalists” as key issues to be addressed.

In expressing my views, as a Journalist, I have been aggressive and if I have hurt any individuals in this process, I honestly express my apologies. 

However, I have presented some suggestions on how the concerns of the petitioners may be addressed by reading down of the sections and providing clarity and by the Government in introducing some minor procedural changes.

I want all including the petitioners to think of these solutions and place it before the Court in the next hearing and not press for either scrapping of the DPDPA or for scrapping of Section 44(3) or for introducing a specific exemption  for the Journalists. 

Act is acceptable as it is and the rules are always subject to being improved. We shall all work towards improving the rules once the DPB is formed.

I request all those who have specific suggestions to address the concerns  expressed to send them here  for collation. They can also send it the Government so that it can be incorporated in the counter affidavit to be filed by the Government. 

MeitY as well as the Solicitor General of India who may argue the case are deemed to be aware of all the 16 plus articles published here. It is their prerogative  to either consider it or reject it and come up with their own suggestions or counters. 

In the past we have expressed that the Government  has not defended ITA 2000 properly when required and we donot want the same mistake to  be repeated now. Hence we have published these articles and placed it in public domain.

This information is also now available to the Court and I request the Registrar of Supreme Court to place the reference to these publications before the Court. I am enclosing a summaary of the suggestions in a document here as an attachment through a link.  This could be the starting point for further refinement with suggestions that may be given by other professionals.

Looking forward to a postitive approach to adopting DPDPA by all  sections of the society including the dissenting petitioners.

Yours sincerely

Naavi

Attachment: Suggestions Made