
Right to privacy under the PDP Bill and RTI Act

Notwithstanding the different purposes[1] that the Personal Data Protection Bill, 2019 (“PDP Bill”) and the Right to Information Act, 2005 (“RTI Act”) serve, both unequivocally recognise the need to protect the personal information/data of an individual. While the RTI Act allows the Central Public Information Officer (“CPIO”) to exempt personal information that may cause unwarranted invasion of the privacy of any individual[2], the PDP Bill provides that its aim is to, inter alia, “provide for protection of the privacy of individuals relating to their personal data”[3]. This write-up discusses the treatment of the right to privacy under both the RTI Act and the PDP Bill.

Definition of personal information/data under the PDP Bill and the RTI Act:

The RTI Act does not define personal information and leaves it to the wisdom of the CPIO to determine whether a piece of information is personal and whether its disclosure would cause unwarranted invasion of the privacy of an individual.

The PDP Bill, on the other hand, defines not only “personal data”[4] but also “sensitive personal data”[5] and “critical personal data”[6].

Personal data in the PDP Bill is “data about or relating to a natural person…. having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person”[7]. Sensitive personal data is such personal data which may reveal, be related to, or constitute (i) financial data; (ii) health data; (iii) official identifier; (iv) sex life; (v) sexual orientation; (vi) biometric data; (vii) genetic data; (viii) transgender status; (ix) intersex status; (x) caste or tribe; (xi) religious or political belief or affiliation, etc.[8]. The categories of financial data, biometric data, official identifiers, and religious or political beliefs have been defined further. As regards critical personal data, the PDP Bill provides that critical personal data will be such personal data as may be notified by the Central Government[9].

It can be seen that the PDP Bill defines personal data in very broad terms, as the words used are ‘any characteristic, trait, attribute or any other feature of identity’. This is probably to ensure that every kind of data which can be identified or claimed to be personal is covered by the definition, so that the data principal[10] is assured of protection of all kinds of his/her personal data. Such a wide definition would require the data fiduciary[11] to exercise caution while processing any kind of personal data, be it ‘personal data’, ‘sensitive personal data’ or ‘critical personal data’.

Requirement of notice/obtaining consent under the PDP Bill and the RTI Act:

Under Section 11 of the RTI Act, the CPIO has to give notice to and obtain the consent of the concerned individual in case the CPIO intends to disclose his/her personal information. The PDP Bill too requires that consent be obtained from the data principal at the commencement of data processing and that without such consent no personal data will be processed[12]. Sensitive personal data, too, can be processed by a data fiduciary only with the consent of the data principal[13]. In fact, the data fiduciary has to inform the data principal through a notice about the individuals or entities, including other data fiduciaries or data processors, with whom the data principal’s personal data can be shared[14].

Withdrawal of consent:

Under the RTI Act, there is no provision with respect to withdrawal of an individual’s consent. This is probably because the CPIO would have already disclosed the data and the data would have become public. The individual, however, can appeal/complain to the Central Information Commission (“CIC”) that his personal information has been shared without obtaining his consent.

Under the PDP Bill, an individual can withdraw his consent, and consent will be valid only if it is capable of being withdrawn[15]. However, if consent is withdrawn without valid reasons, the data principal has to bear all legal consequences for the effect of such withdrawal[16]. A question arises: if the data has already been processed and made public, what purpose would a withdrawal of consent by the data principal serve?

Public interest under the RTI Act and the PDP Bill:

Under Section 8(1) (j) of the RTI Act, the CPIO may disclose personal information in case he/she is satisfied that the larger public interest justifies disclosure of such information. In certain cases[17], the data fiduciary too can process personal data without the consent of the data principal, and public interest is one of the grounds for such processing.

Right to access one’s own personal data:

Under Section 17(1) of the PDP Bill, the data principal has the right to obtain his/her own personal data being processed or already processed by the data fiduciary, or any summary thereof. The RTI Act does not explicitly provide such a right, but the courts have, in various judgments, laid down that an individual can seek his own personal information.

Personal data in public domain:

Under Section 14(1) of the PDP Bill, personal data can be processed without the consent of the data principal for certain reasonable purposes specified therein. Processing of publicly available personal data is one of the reasonable purposes[18]. Under the RTI Act there is no mention of publicly available personal information, but courts have held that personal information available in the public domain will not be considered personal.

The right of erasure and the right to be forgotten under the PDP Bill:

Under the PDP Bill, the data principal has the right of erasure of his personal data which he feels is no longer necessary for the purpose for which it was processed[19]. He also has the right to restrict or prevent the continuing disclosure of his personal data by a data fiduciary, i.e. he has the right to be forgotten[20]. Such rights are not available under the RTI Act.

Conclusion:

Thus, the RTI Act and the PDP Bill are similar in their approach towards upholding the privacy rights of an individual. Both require giving notice to and obtaining the consent of the concerned individual before or at the time of the disclosure/processing of personal information/data. Both allow disclosure/processing of information in the public interest without consent. Personal data/information available in the public domain can be processed/disclosed without the consent of the individual, and an individual can access his or her own personal information under both. The major differences are that under the PDP Bill an individual can withdraw his or her consent but under the RTI Act he or she cannot, and that the PDP Bill also provides the extra rights of erasure and the right to be forgotten to an individual.


[1] The aim of the RTI Act is to promote accountability and transparency in the government and its instrumentalities. The aim of the PDP Bill is, inter alia, to create a framework for organisational and technical measures in processing of data, laying down norms for social media intermediary, cross-border transfer, accountability of entities processing personal data, remedies for unauthorised and harmful processing, and to establish a Data Protection Authority of India for the said purposes and for matters connected therewith or incidental thereto.

[2] Section 8(1) (j) of the RTI Act

[3] Preamble of the PDP Bill

[4] Section 3 (28) of the PDP Bill

[5] Section 3 (30) of the PDP Bill

[6] Explanation to Section 33(2) of the PDP Bill

[7] “data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling”

[8] Section 3 (30) of the PDP Bill

[9] Explanation to Section 33(2) of the PDP Bill

[10] Section 3 (14) of the PDP Bill: “data principal” means the natural person to whom the personal data relates;

[11] Section 3 (13) of the PDP Bill: “data fiduciary” means any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data;

[12] Section 11(1) of the PDP Bill

[13] Section 11 (3) of the PDP Bill

[14] Section 7(1) (g) of the PDP Bill

[15] Sections 7(1) (d) and 11 (2) (e) of the PDP Bill

[16] Sections 7(1) (d) and 11 (6) of the PDP Bill

[17] Sections 12, 13, 14 of the PDP Bill

[18] Section 14 (2) (g) of the PDP Bill

[19] Section 18 (1) (d) of the PDP Bill

[20] Section 20 (1) (d) of the PDP Bill