Stormy skies as Indian personal data protection weakens landmark law

18 August 2023

Vidhana Soudha, state legislature building in India. Source: Shutterstock.

Getting your Trinity Audio player ready...
  • Landmark legislation in India threatens to weaken the hard-won Right to Information law.

A new personal data law passed in India last week has met lashback from civil rights’ activists as it threatens to weaken what was dubbed the ‘sunshine law.’

The Right to Information (RTI) law allows people to access data from the government. Since it was passed in 2005, as a result of years of campaigning, millions of Indians have used the RTI law to ask questions and demand information from government departments and officials.

It wasn’t until last week, however, that India gained a law to regulate how the personal information of individuals is collected, stored and processed. The Digital Personal Data Protection Bill passed in parliament, fulfilling that long-standing demand.

Ashwini Vaishnaw, India’s minister of railways, electronics and information technology, said the bill would balance protecting user data with keeping the internet open.

Ashwini Vaishnaw, via Facebook.

With almost 1bn people connected to the internet, India’s digitization drive has been one of the world’s largest, building out an extensive network of digital infrastructure known as the India Stack, and collecting citizens’ personal information through its Aadhaar ID system.

There was no law governing how this data was shared by companies, government agencies and others, leaving the information open to misuse.

The law encompasses the “well-established principles” of data protection, Vaishnaw said, including limits on the purpose for which data can be collected and how long it can be stored while taking a more “flexible” approach than in the EU, he said.

It’s been pointed out that the law doesn’t protect citizens from surveillance and gives excessive power to the federal government in terms of application.

The new legislation also changes a provision of the RTI law to exempt “personal information” from being disclosed. That would include more or less all of the information currently sought under it.

Personal data law undermines RTI in India

“Everything that people have been using the RTI law for – to hold governments accountable, to fight corruption […] – has somewhere an element of personal information,” says Anjali Bhardwaj, co-convenor of the National Campaign for People’s Right to Information, which was central to getting the RTI law passed in 2005.

Activists have protested changes to the RTI law over the years. Source: Getty images via BBC.

The RTI law covers a wide range of organizations, including all departments formed under the Constitution or any government law or notification. Groups largely funded by the government, even indirectly, are also covered.

Implementation of the RTI law was imperfect. When the law functioned at its peak, information was still often denied on flimsy grounds, and successive governments have attempted to dilute it.

That’s why activists fear that the latest changes will make it even harder to get the answers that citizens should be able to access.

The RTI’s default position is that all information should be available to citizens (barring exceptions like national security).

In 2012, a public committee on privacy law headed by Justice AP Shaw had recommended that disclosures under the RTI Act shouldn’t be considered an infringement of privacy.

One of the clauses, currently under contention, says that if the information is of a personal nature and doesn’t relate to “public activity” or would cause an “unwarranted invasion” of an individual’s privacy, then the officer can deny the request – unless they find that it should be made available on the grounds of “larger public interest.”

The data protection law overrides this clause, merely stating that any information that “relates to personal information” can be denied – including any answer that identifies an individual.

“Earlier there was a filter that personal information should not have a relationship with any public activity or unwarranted invasion of privacy,” says Shailesh Gandhi, a former Central Information Commissioner who was responsible for deciding on complaints under the RTI Act.

The blanket ban on personal information is troubling because, as Mr. Gandhi pointed out, “you could relate any information to a person one way or another.”

In terms of impact, activists worry that the change will affect their ability to seek information to investigate corruption and ensure the delivery of basic rights.

For example, the Times of India heard from Rajsamand resident Chattar Singh, who helps people access government schemes, open bank accounts, create identity documents and get information about other digital services. When senior citizens raised the issue of low pensions with Mr. Singh, he said that “through RTI, I was able to check that they hadn’t submitted their annual verification and help restore their pension.”

The Digital Personal Data Protection Bill doesn’t allow third party data to be collected or accessed without consent, for example an NGO verifying names on an electoral list. There’s a huge penalty imposed for noncompliance: up to 2.5bn rupees ($30.1m).

So, although data protection is much needed in India, the new legislation seems to have missed the mark. It bars support from activists and muddies the supposed transparency of information that the Indian population are entitled to access.

It also has loopholes that are a green light for state surveillance.

Vaishnaw, the IT minister, defended the bill. “All the experts are very clear that there is no exception given which is outside the constitution,” he said, adding that the law had only four exemptions, compared with 16 under the EU’s GDPR.