Data Protection Act 2023 vs Right to Info Act: A Governance

The Digital Personal Data Protection Act 2023 has generated considerable attention due to its potential impact on data privacy and regulation. The act introduces several significant changes compared to previous drafts, aiming to establish a robust framework for safeguarding personal data in India.

One major shift in the act is the move from deemed consent to specific legitimate uses of personal data. Unlike the previous draft, which faced criticism for allowing non-consented processing in the "public interest," the 2023 version outlines specific circumstances where personal data can be processed without explicit consent.

The pivotal change introduced in the Digital Personal Data Protection Act 2023 involves the shift from the concept of deemed consent to the establishment of specific legitimate uses for personal data processing. This alteration represents a fundamental shift in the approach towards data privacy and consent, aiming to enhance individuals' control over their personal information while enabling legitimate data processing activities.

Under the previous drafts and norms, data processing was often presumed to be permissible unless explicitly denied by the data subject. This approach, known as "deemed consent," came under scrutiny for potentially undermining individuals' autonomy and exposing their personal data to a wide array of purposes without their explicit approval.

The Digital Personal Data Protection Act 2023 recognizes the significance of obtaining clear and informed consent from individuals before their personal data is processed. It outlines distinct circumstances under which personal data may be processed without the need for explicit consent. This transition from a default presumption of consent to the principle of specific legitimate uses signifies a more stringent and nuanced approach to data processing.

By delineating these specific legitimate uses, the act aims to strike a balance between protecting individuals' privacy rights and allowing necessary data processing for essential purposes. These legitimate uses encompass scenarios where personal data processing is crucial for matters such as the performance of a contract, compliance with legal obligations, protecting vital interests, executing public functions, and other purposes explicitly outlined in the act.

This shift addresses concerns related to privacy intrusion and data misuse by providing a clear framework for lawful data processing. It ensures that personal data is processed only when necessary and for well-defined purposes, aligning with the principles of transparency and accountability.

The move from deemed consent to specific legitimate uses is expected to bolster individuals' trust in data processors, encourage responsible data governance, and foster a culture of data privacy. However, as with any regulatory change, the effectiveness of this shift will depend on its implementation, enforcement mechanisms, and the degree to which it safeguards individuals' privacy rights while facilitating legitimate data-driven activities.

The recently passed Digital Personal Data Protection Act has ignited a fervent debate, centered around Clause 44(3) of the act, which seeks to amend Section 8(1)(j) of the Right to Information Act (RTI). This amendment has elicited diverse interpretations, with its proponents highlighting its alignment with a significant Supreme Court ruling, while critics voice apprehensions about its potential impact on transparency and accountability.

Section 44(3) introduces a fundamental change by amending Section 8(1)(j) of the RTI Act, resulting in the complete exemption of personal information from disclosure. Initially, Section 8(1)(j) permitted the withholding of personal information under specific conditions, such as when disclosure was unrelated to public activity or interest or when it invaded an individual's privacy. However, this amendment strips away the option for disclosing personal information if deemed in the larger public interest.

Supporters of the amendment argue that it is consistent with the landmark Puttaswamy judgment, where the Supreme Court acknowledged the right to privacy as a fundamental aspect of individual freedom. Advocates contend that the amendment aligns with the principles established in this ruling by upholding the balance between privacy and public access to information. They assert that the amendment mirrors pre-existing Section 8(1)(j) exemptions and aims to strike an equilibrium between individual privacy and governmental transparency.

On the other hand, critics express concerns about the amendment's potential ramifications for transparency and accountability within governance. They worry that amending Section 8(1)(j) could limit citizens' access to personal data held by public authorities, thereby curbing the public's ability to scrutinize government actions and decisions. Critics fear that the amendment may undermine the effectiveness of the RTI Act, weakening the mechanisms that hold governments accountable to the people.

This divergence of opinions surrounding the amendment reflects broader debates concerning the tension between safeguarding individual privacy and maintaining governmental transparency. As digital technologies evolve, the challenge of balancing these competing values becomes increasingly complex. While proponents prioritize protecting personal data in line with established legal precedents, critics stress the importance of preserving avenues for citizens to access information critical for upholding democratic principles.

Ultimately, the implications of Clause 44(3) will unfold through its practical application. The ongoing debates underscore the broader struggle to reconcile divergent imperatives in the digital era: preserving individual privacy rights while ensuring government accountability through transparency. As stakeholders navigate this complex landscape, the long-term impact of the amendment will shape the evolving relationship between privacy, transparency, and governance.
 

The act excludes personal data that has been publicly disclosed by data principals(Data principal has been defined as the natural person to whom the personal data relates to,essentially citizens) or made publicly available by law from its scope. This exemption raises concerns about potential misuse and unregulated data processing, which could undermine individual control over personal information.

The act introduces a more restrictive approach to international data transfer. It blocks the transfer of personal data to countries not notified by the central government, aiming to ensure that data protection standards are upheld even in cross-border scenarios.

The act expands exemptions granted to government instrumentalities, including state instrumentalities notified by the central government. While exemptions can be vital for certain purposes, the broader scope has raised debates about potential misuse and its implications for data privacy.

The act establishes the Data Protection Board of India, tasked with overseeing the implementation and enforcement of the law. However, concerns have been raised about the appointment process of board members by the central government, potentially affecting its independence.

The Digital Personal Data Protection Act 2023 presents a significant milestone in India's data privacy landscape. While it reflects extensive consultation and aims to address various concerns, debates persist around specific clauses, exemptions, and potential implications for citizens' data rights. The act's impact on the broader data ecosystem and its effectiveness in striking a balance between privacy and regulation remain subjects of ongoing discussion and analysis.