DATA
PROTECTION BILL AND RTI - POLITY
News:
Personal Data Protection
Bill Will 'Severely Restrict Scope of RTI Act': Activists Write to MPs
What's
in the news?
● Recently,
the National Campaign for Peoples’ Right to Information wrote to Members of
Parliament raising alarm on the change that the Digital Personal Data
Protection Bill seeks to amend in the sections of Right to Information (RTI)
Act, 2005.
What
are the key provisions of the Data protection bill?
1. Applicability:
The Bill will apply to the processing of digital personal data within India
where such data is collected online, or collected offline and is
digitized. It will also apply to such
processing outside India.
● Personal data is defined as any data
about an individual who is identifiable by or in relation to such data.
2. Individual
consent: Personal data may be processed only for a lawful purpose for which
an individual has given consent and consent may be deemed in certain cases.
● For
individuals below 18 years of age, consent will be provided by the legal
guardian.
3. Role of data
fiduciary: Data fiduciaries will be obligated to maintain the accuracy of
data, keep data secure, and delete data once its purpose has been met.
● Data fiduciaries are who are
maintaining, processing, and storing any personal data.
4. Rights to
data principals: The Bill grants
certain rights to individuals including the right to obtain information, seek
correction and erasure, and grievance redressal.
5. Duties of
data principals: They must not: (i) register a false or frivolous
complaint, (ii) furnish any false particulars, suppress information, or
impersonate another person in specified cases.
Violation of duties will be punishable with a penalty of up to Rs
10,000.
6. Transfer of
personal data outside India: The
central government will notify countries where a data fiduciary may transfer
personal data. Transfers will be subject
to prescribed terms and conditions.
7. Exemptions:
The central government may exempt government agencies from the application of
provisions of the Bill in the interest of specified grounds such as security of
the state, public order, and prevention of offenses.
8.Data
protection board: The central government will establish the Data Protection
Board of India to adjudicate non-compliance with the provisions of the Bill;
● The central government will
prescribe:
○ Composition
of the Board,
○ Selection
process,
○ Terms
and conditions of appointment and service,
○ Manner
of removal.
● Key functions of the Board include:
○ Monitoring
compliance and imposing penalties,
○ Directing
data fiduciaries to take necessary measures in the event of a data breach,
○ Hearing
grievances made by affected persons.
9. Penalties:
The schedule to the Bill specifies penalties for various offenses such as: (i)
up to Rs 150 crore for non-fulfilment of obligations for children and (ii) up
to Rs 250 crore for failure to take security measures to prevent data
breaches. Penalties will be imposed by
the Board after conducting an inquiry.
10. Prevailing
of the bill: According to Section 29 (2) says that in case of a conflict
between the proposed Digital Personal Data Protection law and any other law,
the data protection law will prevail.
How
does it restrict the scope of accessing information under RTI act 2005?
1. Widening the
exceptions of the RTI Act: According to the RTI Act, citizens can access
all information, however, there are only 10 types of information which are
exempted under Section 8 (1) of the Act. If these exemptions are expanded, the
access to information under RTI gets constricted.
● Of
these 10 exemptions, “the most commonly misused exemption is Section 8(1)(j)
and accounts for 35% of refusals.
2. Legal
denial: What constituted illegal denial of information earlier, will be
converted to legal denial through the amendment in the RTI Act.
3. Restriction
to access basic information: The law will restrict the access to all
personal information of bureaucrats, politicians and judges contained in
election affidavits or asset disclosure forms which is necessary for a citizen
to evaluate the suitability of the candidate.
● They
can easily argue that the forced disclosure of their assets and income is in
violation of their fundamental right to informational privacy.
4. Broad
definition of personal information: Poor definition in the bill for
personal information will be used to deny the citizens access to information
even for normal public activity.
How
to bring a robust data protection law without affecting reasonable provisions
of RTI?
1. Clear
definition of personal information: To ensure that the RTI Act is not
undermined, the definition of personal information should be defined to only
include information that is truly sensitive or private.
2. Data
protection authority: The government should create a separate authority to
evaluate the information accessed through RTI Act, whether it is personal
information or not.
3. Enforcement
mechanism: Create a strong enforcement mechanism for the data protection
law. The RTI Act has a strong enforcement mechanism, with the right to appeal
to the courts. A robust data protection law should have a similarly strong
enforcement mechanism, with the right to appeal to the courts.
4. Clear
distinction of information: Government should clearly distinguish the
public and private information under the data protection law.
● Eg. Amendment of section 2(f) of the
RTI Act to define "public information".