How Does India’s New Data Protection Law Affect our Right to Information

On 11th August, 2023 the Digital Personal Data Protection Act (“DPDP”) came into force. This is India’s first legislation to regulate the use, control and collection of the citizens’ personal data across different digital media. One of the focal points of this Act is that it prohibits any digital stakeholder, including e-commerce platforms, social networking sites and even government entities, from processing citizens’ personal data without their expressed consent. There are some exceptions to this prohibition like one voluntarily sharing their personal data or the State processing the data for the purposes of government licences, schemes etc.. 

This Act is likely to have strong bearings on various existing civil and digital laws. One such law is the Right to Information Act, 2005 (RTI). In this Weekly, we’ll delve into how the new DPDP Act will change the scope of the RTI Act and what impact it will have on the citizens. 

What is the Right to Information Act ?

The Right to Information Act was enacted in 2005 to promote transparency and accountability of the government and its agencies by empowering citizens to seek any information related to the government’s work. In a democracy, government officials are essentially public servants and accordingly answerable to the citizens. With this ethos, the RTI Act enabled access to information held by any public authority. 

The Act defines a ‘public authority’ as any body of government constituted by: 

• the Constitution, 
• or through a law made by either the Parliament or the State Legislatures,
• or through any notification or order of the Central or State Government. 

Public Authorities can also mean non-governmental bodies which are financed by or affiliated to the government. For e.g., the Ministry of Information and Broadcasting, the All India Institute of Medical Sciences, Wrestling Federation of India etc. 

The Act grants citizens the right to obtain information from such public authorities through a simple application, made either online or in writing. A citizen can seek information about any written records, documents, certified copies, public correspondences, official orders, digital records and even samples of materials used for a specific purpose. Any information which is in public interest can be sought under the RTI Act. If any information is gathered by any public authority from a private institution for a lawful purpose, citizens can also have access to such information. 

The public authorities are obligated to respond to RTI requests within 30 days of receipt of such requests. However, Section 8 of the Act permits the public authorities to refuse access to certain categories of information to the public on necessary and reasonable grounds. Although,even if a public authority refuses to provide the information sought, the citizens have the right to appeal against the decision to higher authorities. 

According to numerous judgements, the Right to Information has been deemed a fundamental right within the scope of Article 19(1)(a) of the Indian Constitution which givets the Right to Freedom of Speech and Expression to every citizen. 

What does the DPDP Act say about the Right to Information?

According to the DPDP Act, 2023, any individual whose personal data is being collected, used or processed by any entity, has the right to acquire information about the nature and the purpose of processing the said information. No entity, defined as ‘data fiduciary’ in the act can collect or process personal data without the expressed consent of the individual, defined as the ‘data principal’ in the Act. The person can also ask for the personal data to be corrected or modified. 

According to section 11(1) of the Act, the person can obtain the following information from the data fiduciary:

• The summary of all the personal data being collected by the data fiduciary and details of all activities to be done using such data. This includes knowledge about the purpose of the said data, duration of recording the data etc.
• The details and identities of every entity with whom the data fiduciary has shared their personal data, as well as an accurate description of all the data shared.

While this is in sync with the RTI Act, section 11(2) of the DPDP Act imposes certain restrictions on the person’s right to information regarding their personal data. According to this provision, no information regarding the details of entities with whom one’s personal data has been shared can be obtained from a data fiduciary if :

• the entity with whom the information was shared was authorised by law
• or, the information was shared in response to a written request from an authorised entity to prevent or detect or investigate cyber crimes or for prosecution or punishment of any legal offences. 

This exemption can potentially exclude a broad scope of information related to digital personal data from a citizen’s access. However, the process of application for information and the due procedure under the RTI Act remains unchanged.