India’s Digital Personal Data Protection Law Undermines Democracy
It Poses Significant Challenges to Investigative Journalism
Newsreel Asia Insight #7
Oct. 8, 2023
A law, purportedly aimed at safeguarding the personal data of Indian citizens, passed recently. However, critics argue that the legislation could serve as a tool to stifle investigative reporting and limit public access to information.
The Digital Personal Data Protection Act (DPDP), 2023, was notified in the gazette after being cleared in both houses of Parliament without much opposition. The Act, which allows the government to exempt itself and private entities from obligations, has raised concerns over unchecked powers granted to the central government, as reported by The Print.
While the Act fulfills a long-standing demand for regulation of personal information, privacy experts have pointed out that it does not protect citizens from surveillance and gives excessive power to the central government. One major criticism is the change the legislation makes to the landmark Right to Information (RTI) law, which has been used by millions of Indians to demand information from government departments and officials since 2005.
The new legislation changes a provision of the RTI law to exempt “personal information” from being disclosed. “Everything that people have been using the RTI law for – to hold governments accountable, to fight corruption [etc.] – has somewhere an element of personal information,” Anjali Bhardwaj, co-convenor of the National Campaign for People’s Right to Information, told the BBC.
The data protection law also imposes hefty fines, going up to 2.5 billion rupees, for non-compliance. This could discourage officers from disclosing answers related to personal information.
Among the criticisms of the Act is its potential to undermine journalism in India.
An op-ed published by Scroll said that the Bill could force journalists to reveal their sources and enables the government to censor news stories.
Clause 36 of the newly passed bill has become a particular point of contention, as it grants the Union government the authority to request any “information as it may call for” from a “data fiduciary.” Defined by the bill, a data fiduciary is any entity that processes personal data and is subject to most of the bill’s obligations.
For journalists and news organisations, this clause raises significant concerns. It could potentially encompass sensitive information accessed by media professionals, including details about journalistic sources and whistleblowers, the op-ed argued, adding that the clause might also extend to data about donors and subscribers to media outlets. Critics argue that such provisions could jeopardise the confidentiality integral to investigative journalism and could be used to intimidate or silence reporters and their sources.
The Editors Guild of India and Digipub have highlighted concerns over such clauses that could be used to target news media organisations.
The absence of any exemption for journalists, unlike previous versions of personal data protection bills, has also raised alarms.
When measured against the European Union’s General Data Protection Regulation (GDPR), though not perfect but widely regarded as the gold standard for digital privacy and protection, the Indian legislation falls markedly short.
The GDPR aims to give control to individuals over their personal data and to simplify the regulatory environment for international business. It applies uniformly across all EU member states. It requires clear consent for data processing and mandates transparency about how data is used. Individuals have the right to know why their data is being processed, where and for what purpose.
The European law includes exemptions for journalistic purposes, recognising the importance of freedom of expression and information. But it includes strict enforcement mechanisms with fines up to €20 million or 4% of the company’s annual global turnover for non-compliance.
The GDPR is also designed to minimise government interference, focusing on individual rights and corporate responsibility. And it emphasises strong privacy protections, including the “right to be forgotten,” allowing individuals to request the deletion of personal data.