Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the webspellchecker domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/naaviorg/domains/naavi.org/public_html/wp/wp-includes/functions.php on line 6121
Naavi.org | Towards building Cyber Jurisprudence in India
All Data Protection Professionals in India including all the Petitioners and their representatives in the Supreme Court.
Dear Friends
Over a series of articles in Naavi.org, I have expressed my deep feelings against the demand for scrapping DPDPA and DPDPA Rules.
I am aware that the Court is unlikely to concede the prayer for scrapping of DPDPA and only consider concerns on Section 44(3) and “Exemption for Journalists” as key issues to be addressed.
In expressing my views, as a Journalist, I have been aggressive and if I have hurt any individuals in this process, I honestly express my apologies.
However, I have presented some suggestions on how the concerns of the petitioners may be addressed by reading down of the sections and providing clarity and by the Government in introducing some minor procedural changes.
I want all including the petitioners to think of these solutions and place it before the Court in the next hearing and not press for either scrapping of the DPDPA or for scrapping of Section 44(3) or for introducing a specific exemption for the Journalists.
Act is acceptable as it is and the rules are always subject to being improved. We shall all work towards improving the rules once the DPB is formed.
I request all those who have specific suggestions to address the concerns expressed to send them here for collation. They can also send it the Government so that it can be incorporated in the counter affidavit to be filed by the Government.
MeitY as well as the Solicitor General of India who may argue the case are deemed to be aware of all the 16 plus articles published here. It is their prerogative to either consider it or reject it and come up with their own suggestions or counters.
In the past we have expressed that the Government has not defended ITA 2000 properly when required and we donot want the same mistake to be repeated now. Hence we have published these articles and placed it in public domain.
This information is also now available to the Court and I request the Registrar of Supreme Court to place the reference to these publications before the Court. I am enclosing a summaary of the suggestions in a document here as an attachment through a link. This could be the starting point for further refinement with suggestions that may be given by other professionals.
Looking forward to a postitive approach to adopting DPDPA by all sections of the society including the dissenting petitioners.
In continuation of our earlier discussions on DPDPA Challenge at Supreme Court, FDPPI held a public consultation on 7th March 2023. An introduction to the discussions on 7th March is available here: Notebook LM summarizes the Introduction to the debate
A Video of the discussions are found here
FDPPI has suggestions to make DPDPA acceptable to all including the petitioners of this challenge at Supreme Court. Some of it were discussed yesterday. More will be discussed in future writings.
Some of the immediate suggestions:
On Section 44(3):
We do not recommend any change. However, it may be clarified that
-When an information is denied under the excuse of “Privacy”, the RTI applicant should be able to invoke the status of the organization as a Data Fiduciary and initiate a Grievance Redressal as a Right under Section 13 of DPDPA 2023. This escalates to the DPB and later to Supreme Court. The internal Grievance redressal would exhaust the appeal to CPIO before the applicant moves on to DPB.
-When information about the official is part of the release, it is considered as “Already Made Public” since all Government appointments at the level of PIO are often through written orders and even gazette notifications. Even otherwise it is considered as “Governance Contact Information” similar to “Business Contact Information” in the private sector. The contact information of PIO and CPIO are already in public domain and hence are not to be denied.
-When the information sought to be revealed includes the information of members of the public, it has to be backed by the consent from the data principals. It can be released in an anonymized form with the proviso that if it is de-anonymised, the de-anonymisation would be considered as a Section 66 offence under ITA 2000. If it is insisted that the information is released in identified form, at the level of Grievance Redressal, it may be referred to DPB
-Also whenever information of personal nature is released, an indemnity may be requested from the RTI applicant declaring that the information is required in larger public interest and outweighs the harm to the individual whose information is being released and that he would indemnify any consequences under DPDPA 2023 in that respect.
2. On Section 17(2)(b)
If a Journalist wants to conduct research or Social Audit, he may seek information under the exemption provided for Research. Since this is an exception, and it is not the only or primary activity of the Journalist to conduct a research, the Data Fiduciary needs to be satisfied that the requirement is for “Research”.
If agreeable, information may be released in a pseudonymous manner at first as per the security standards. If the applicant suspects any corruption, he may prefer to invoke his rights under BNS and seek more information and investigation.
If not agreeable, the matter reverts to the Grievance redressal system under DPDPA.
3. On Section 17(1)(c)
In as much as the section is within Article 19(2) and more limited than the Article itself, there is no need to consider any changes.
Even where the purpose is for national security etc., the instrumentality of state which is permitted to use the exemption clause needs to be notified. Hence there are more than enough checks and balances against the misuse of the provision without hindering the investigative power of national security agencies.
Any further dilution of this provision would facilitate criminals to hide and erase their criminal trace using “Privacy” as an excuse.
4. On Section 36:
In as much as the poer to seek information is a necessity of Governance there is no need for change.
The data fiduciary who fears any harm to a data principal on account of a request under Section 36 may indicate the lack of consent and seek time for obtaining a special consent. If the situation is related to security, the official designated for collection of such information may indicate that no prior consent is required to be obtained and the Government indemnifies the data fiduciary for any consequences arising out of such release of information subject to the data fiduciary acting in good faith and not conspiring with the data principal to raise complaints under DPDPA under false pretenses.
5. On Section 33:
The penalties are “Upto” a certain amount and there is no minimum penalty prescribed. The voluntary undertaking provides for concessions in built into the powers of the DPB. Any allegations against the DPB decision is also available for judicial review through TDSAT and later the Supreme Court.
Hence there is no need for any changes in this section.
6. On Exemption for Journalists
DPDPA has so far not made any specific exemptions for any category of data principals including SMEs, Educational institutions, Charitable Institutions, Religious Institutions, Professions like Advocates,Chartered Accountants or Doctors. All exemptions and Legitimate use is based on purposes. Exemptions are available for Startups (On notification), Companies for mergers and acquisitions after court approval, Financial institutions after default etc. Further exemptions are also empowered for specific purposes and an official would be designated for the purpose of granting such exemptions. Those journalists or organizations of journalists who conduct Social Audits or public interest research may be given specific conditional permissions with obligations of purpose specific use, with data minimization, retention minimization and accountability.
For this purpose a “Register of Approved Journalists for Research” may be created by the Ministry of Information and may include all Social media bloggers as “Digital Journalists”.
7. On Conflict with Puttaswamy Judgement
The Justice Puttaswamy Judgement (Aug 24, 2017) only directed that “Privacy is a Fundamental Right”. It is considered as subject to “Reasonable Exemptions” under Article 19(2). There is no judicial definition of “Privacy” and it is left to interpretation on a case to case basis often with Judicial intervention if required. The Puttaswamy judgement did not specify any code for protection of Privacy.
The obligation to protect Privacy is now considered as a responsibility of the Private Sector also because of the Kaushal Kishor judgement and the “Fiduciary” nature of the entity processing personal data imposes the necessary duties to the Data Fiduciary to not only protect the Right to Privacy but also all other fundamental rights.
The DPDPA does not profess to “Protect Privacy” and hence cannot be challenged on the ground that it does not protect Privacy. DPDPA defines its objective to “Protect the Right of individuals to protect their personal data” and this is sought to be achieved through “Consent”. Exceptions under Section 7 (Legitimate use) is available both for Private sector and Government sector and hence is non-discriminatory and purpose based. Exemptions under Section 17 is also available for both the Government sector and Private sector. Such exemptions are conditional and restrictive and within the limits of Article 19(2).
Hence there is no conflict of DPDPA 2023 with the Puttaswamy Judgement.
In view of the above, all three petitions may be summarily rejected at the time of the admission itself. Costs may be imposed on the petitioners for raising unsustainable grounds based on wrong interpretation of the legislation.
This does not preclude the DPDPA Rules from being improved upon through executive action of corrections only to meet the requirements of the Act in a matter better than what has been done now.
The Government may be directed to form a suitable expert committee for this purpose.
Considering that only 70 persons have taken the trouble to sign the online petition “I am the Real Public in India and I donot support scrapping of DPDPA and DPDPA Rules” raised by Naavi, FDPPI has now opened a larger public consultation through today’s open session moderated by Naavi. We expect some legal practitioners and academicians to contribute their thoughts to this challenge before us to either agree or disagree with the petition to “Scrap DPDPA”.
We hope the meeting room will overflow and hence join well in time not to miss the opportunity.
These discussions cover the two petitions of Venkatesh Nayak and Reporters Collective Trust. We did not have a copy of the third petition filed by NCPI. The points raised in that petition may not be different and if we get the copy of the petition, we will study that also and present the details.
The objective of these articles is not to criticize learned counsels who are representing the case though we may be using some aggressive statements as part of the presentation.
We however make a specific request to the Supreme Court that in all PIL petitions of this nature an opportunity should be given to the general public to submit their views like what the Supreme Court recently did in the case of Digital Arrest related petitions where an Amicus was appointed to collect the information from the public. This should be a standard practice.
We are specially irked by the fact that instead of restricting the prayers to resolve specific concerns the petitioners were asking for “Stay” and “Scrapping of the Act”. This was unwarranted and lacked responsibility.
India has been waiting for a legislation of this type for a long time and when finally it was in place, trying to scuttle it was not considered a good idea. Hence we had to strongly intervene and put across our views.
We now have placed these views in the public and feel that the Court is obliged to consider this opinion besides what the Government may present. Court should atleast ask the Attorney General whether they have gone through these views.
We have directly kept the Ministry of Information Technology informed about these views and hence it is their responsibility to bring them to the attention of the Court. In the past (eg: Section 66A case) MeitY did not present their case properly and let the section be scrapped. It should not happen this time.
There is no reason to make any changes including in Section 44(3). We have given some suggestions on how the concerns can be addressed and are ready to share more details of how the Data Fiduciaries need to address these issues.
The MeitY, the Attorney General/SolicitorGeneral and the Supreme Court should have an open mind to receive these suggestions and not stand on formalities.
Naavi and FDPPI will continue to take actions required to protect DPDPA and will present more analysis as and when required.
On March 7, FDPPI will conduct a virtual Round Table on the topic, All are welcome. The link to the session is Link to the virtual session is available below
