New Delhi: Terming criticism that the Digital Personal Data Protection (DPDP) Act gives “unchecked powers” to the government as “unfair”, the Union Minister of Railways, Communications, Electronics, Information Technology, Ashwini Vaishnaw, told ThePrint in an interview Saturday that it is a myth that the government is the biggest repository of data.
Data with social media platforms and big tech companies “is 1,000x more than what is there with the government”, said the minister, adding that contrary to what people believe, the DPDP Act does not dilute the Right to Information (RTI) Act.
The Digital Personal Data Protection Act (DPDP), 2023, was passed in Parliament in the monsoon session that concluded last week, and was notified in the gazette Saturday, after receiving the President’s accent. The next step of creating the required rules under the law will be published “in a few months”, the minister further said.
Also read: Six years in the making, data protection bill gets through Lok Sabha in less than an hour
Edited excerpts from the interview:
Experts have raised concerns over the DPDP Act giving unchecked powers to the government by way of exemptions as well as powers to block content.
I would like to address both these points head-on. The exemptions given in this Act for the State are very specific, and very limited in number. For example, the European GDPR [General Data Protection Regulation] provides 16 exemptions to the government, which include national security, foreign policy, crime investigation, crime detection, and even things as subjective as ethics for professional organisations and budgetary policy.
Whereas in our case, the exemptions are only for national security, for foreign relations, for public order… all of which is something that is already defined in the Constitution of India. Do you think somebody should expect the Constitution to be not followed? I think it’s a very unfair criticism. These are very limited and specific exemptions. The entire criticism is totally unworthy of even mentioning because somebody who reads the law will not make this criticism first.
Second, about Section 37 [which provides for blocking of content], if any platform or any app or any company repeatedly violates the citizens privacy, they pay the penalty but still continue to violate repeatedly… Shouldn’t the government have some extra provisions to deal with such repeated offenders? Isn’t that logical?
So, Section 37 is meant to deter those people who are repeatedly violating the privacy of citizens. And there are lots of checks and balances that have been kept. All the principles of natural justice are clearly written in the law itself, a reasonable opportunity of being heard is being given. But we cannot compromise with the privacy of citizens.
How will the law impact the government, given that it’s the biggest repository of citizen data. How will that work?
Firstly, we must come out of the myth that the government is the biggest repository of data. The data with social media platforms, and big tech is 1,000x more than what is there with the government. That is where the primary protection for the citizens privacy has to be provided. Big tech knows everything that you have because of the digital tools, because of the history, because of the variety of data that is getting collected. That’s why privacy is very, very important vis-a-vis the big tech.
Second, the exemptions to the government are very, very specific. And all the principles are there, including the principle of legality that personal data has to be collected only for legal purposes, the principle of purpose limitation, that the data will be used only for the purpose for which it is collected, the principle of data minimisation, that only that much data will be taken that is required, the principle of accuracy, that if there is any change, the person giving data has the right to make sure that the change is properly reflected, the principle of storage limitation, that an entity will store data only for the period for which the purpose is there.
Then, there is the principle of reasonable safeguards to make sure that all the steps are taken to protect personal data and, seventh and last, is the principle of accountability, that anybody who takes data from the citizens shall be accountable. All these principles have been followed. So these are very well thought through. Very well laid out globally accepted principles.
What about criticism that the new law dilutes the RTI Act?
Section 8 of the RTI Act is basically exemptions from the Right to Information… as soon as the Puttaswamy judgment [in 2018, on the Right to Privacy] was pronounced by the Supreme Court, immediately the right to privacy came into the picture.
From that day onwards, section 8(J) had become infructuous already. After the Puttaswamy judgment, only that personal data can be made public or used which is provided by law. So let’s say in the case of a public servant, if the data about educational qualification, asset statement and date of birth, address, etc, has to be made public by laws that are there in the country, it will be made public.
But now if somebody is asking that, here is an officer, I would like to know what kind of shirts he likes. That is personal information. Why should that be required to be given? But the assets statement that is required to be published by law will be published.
There is also criticism about the lack of independence of the Data Protection Board that is to be set up under the new law.
People really need to read the law properly. Where does independence come from? Independence comes from the law. The law clearly provides that the Data Protection Board [DPB] shall be independent. Independence comes when the term, the tenure, the terms and conditions, the remuneration, all those things are defined by law. And when the appointment process is defined by law.
I’ll give one example. SEBI [Securities and Exchange Board of India] is one of the most independent organisations in the country. Who appoints the chairperson and members of SEBI? The government. Who gives the salary to the members of SEBI and the chairperson of SEBI? The government. Who sets the terms and conditions of appointment? The government. Does that make them less independent? No. Independence comes from how you structure it in the law. Not from who appoints somebody. This [DPB] will be one of the most independent organisations like TDSAT [Telecommunications Dispute Settlement and Appellate Tribunal], RBI [Reserve Bank of India], SEBI… This will be a very important institution that will become critical to our digital economy.
Can you explain the reasoning for the graded approach being taken for processing of children’s personal data?
Children’s data is very, very important because that can have a significant impact on the way they grow up, and how they participate in society. So, very special, very important, significantly bigger obligations have been set on the fiduciaries who collect children’s data.
We understand that today’s generation is very tech-savvy. And there are so many sectors or so many segments where children are using technology for their betterment, for example education. So we have clearly created a graded way of treating children’s personal data. For example, in education, you don’t require that kind of a strict thing, but for let’s say, games, where we would like to prevent violence being shown to children, then it will be very strict.
For the children, it will be clearly defined which are the classes of data fiduciaries or apps and service providers who can process data at a lower age than 18, and for others we will require verifiable parental consent. Now we have so many digital public infrastructure elements like digiLocker [cloud-based platform for storage, sharing and verification of documents & certificates], like aadhaar verification. So we have that structure in place today. So that we can have verifiable parental consent.
Do you think this parental consent will work given our digital divide and the fact that a lot of people are still coming online for the first time?
It won’t be complicated because we have seen how rapidly public digital infrastructure has rolled out in the country. We have seen how even for MNREGA [Mahatma Gandhi National Rural Employment Guarantee Act], for Ayushman Bharat [health scheme], for CoWIN [portal for Covid vaccination], for practically every service that we have rolled out in the country, people have used digital means. And the reason why we have the digital-by-design implementation is that our prime minister has made it very clear that access to justice, access to grievance redressal and access to your rights being heard should be equal to the people living in larger cities and people living in smaller, far-flung villages.
Now that the Bill has become an Act. What will be the implementation process for it?
The President has given approval and the Bill is now a law. It’s the Digital Personal Data Protection Act. The second step for implementation is to create the digital platform… [for] design implementation process that we have proposed in this Act. We will be creating that digital platform.
The third will be setting up the Data Protection Board and fourth will be notifying the rules. A lot of work is going on in preparing the rules. The rule book will be as simple and as legible and as easy to understand as the Act is. The rule book should be published in a few months and step by step we move forward in implementing and putting the entire structure together. The application of this law will happen when the rules come in.
(Edited by Poulomi Banerjee)
Also read: India’s 1st Data Protection Act — what it could have been had proposed amendments been debated