Media not wrong in dreading the all-powerful DATA body
With too many definitions as regards the DATA Act implementation of rules under it is creating problems, one too many. Journalists have reason to fear that the Digital Personal Data Privacy (DPDP) Act may soon evolve into a monster. Worried over the impeding devilish garb, members from the Press Club of India (PCI) and the Indian Women Press Corps (IWPC) have shot 35 questions to the Ministry of Electronics and Information Technology (MeiTy) for urgent clarification.
This stems from the questions raised by the ministry’s secretary S. Krishnan during a July 28 meeting he had with representatives of PCI, IWPC, DIGIPUB, and the Editors Guild of India. The media professionals wanted an exemption to the DPDP law, which they perceived was a threat to their democratic functioning. Over 1, 000 journalists drawn from 23 elected media bodies sought the MeiTy Minister Ashwini Vaishnaw’s intervention, while pointing out that the Act did not provide journalistic exemption.
A ‘chilling effect’:
The provisions regarding data fiduciaries in the DPDP Act 2023, particularly Sections 28 and 36, could seriously affect journalists. By classifying reporters and media organisations as “data fiduciaries,” the Act can potentially threaten source confidentiality and impose impractical consent requirements for newsgathering.
The Board and the Government will ‘request’ information from any “data fiduciary,” a definition critics say could include the media personnel.
There are concerns that the Data Protection Board (DPB), whose members and chairperson are appointed by the Central government, could lack autonomy, making it more likely to acquiesce to government demands. Beyond these specific sections, the DPDP Act creates several other serious issues for the press.
No newspaper or website can bear the killing penalties, because non-compliance with the Act can result in fines of up to ₹250 crore. This high financial risk has a “chilling effect” on investigative journalism and accountability reporting, where a single misstep could bankrupt a media outlet.
In addition, the DPDP Act amended the RTI Act by removing a key public interest override. This allows public officials to withhold information by claiming it is “personal data,” weakening a critical tool journalists use to expose corruption and hold the government accountable.
Stifling a critical source:
Many whistleblowers were killed by vested interested leaders, mafia etc. The threat of their identities being exposed could discourage informants and whistleblowers from coming forward, stifling a critical source for investigative journalism.
All in the name of ‘consent’:
Do individuals involved in journalistic work and organisations need to seek prior consent from the person about whom they are doing a story, or whose “personal data” such as identification details are contained in a press report?
For a story involving personal data (such as names or photos), a journalist would need to get “informed, clear, and unambiguous” consent from every person mentioned. This is not practical for breaking news, crowd reporting, or investigative stories, potentially making such reporting illegal.
Reporting will be a horrible experience:
Reporting whether for print, broadcast or online media requires several details such as name, age, gender, location, profession, caste, class, income are required to authenticate a story. Without these details, the story will be incomplete, vague, and likely to be rejected. Much of this information is set to fall within the definition of “personal data”. Blanking out this type of data will lead to a hollowing out of stories, particularly field reportage and will adversely affect the media, per se. What are the specific clauses in the act that provide exemption for publishing such details as part of regular journalistic work?
A ‘developing news story’ can be crime:
In the case of a developing news story such as coverage of a riot, a terror attack, or a natural disaster, spontaneous street interviews, etc., is the person involved in journalistic activity (data fiduciary) required to go through the elaborate process of obtaining consent from the subjects (data principal) according to the provisions and clauses mentioned under Section 5 and Section 6 before reporting the story?
Prior nod for an interview?
Draft Rule 3 demands that the data fiduciary’s notice be “in clear and plain language” and given before processing. How can live spot reporting, spontaneous street interviews, undercover reporting, etc., comply, and will MEITY clarify that journalistic collection in the public interest need not issue advance notices?
Potential threats:
There are 35 questions that are not explained, and each could become a threat. Journalists are seeking suggestions to democratise the process that may likely violate the journalists’ right to work granted under Article 19 of the Constitution. They do not have any legal validity, and any number of clarifications may not satisfy the problems of the journalistic profession.
The PCI, along with IWPC, needs to discuss with the principal DG, PIB, and senior officials of the MeiTy ministry to meet the original demand of the scribes-amending the Act to include the line, ‘journalistic work is exempted’.
Definitions and their consequences:
Though they are penal provisions or exceptions, most problems take root in the very definitions. Journalists should understand the implications of the definitions of “automated”, “data fiduciary”, “data principal” and “data processor” provided in Section 2 of the Digital Personal Data Protection Act 2023.
Fiduciary is a complex principle:
It will make news gathering a near impossible thing for print, electronic media and social media journalists. Unlike previous drafts of the bill and data protection laws in other countries, the final DPDP Act does not exempt newsgathering from its provisions. This forces journalists to operate like any other data fiduciary. A fiduciary is a person or organization acting with a high degree of trust on behalf of another, managing their assets and putting their interests first. A data fiduciary is a specific type of fiduciary under India’s DPDP Act. Examples include trustees, financial advisors, and executors of wills. They are primarily responsible for ensuring data is processed lawfully, fairly, and transparently, according to the Digital Personal Data Protection Act 2023.
(The writer is a former Central Information Commissioner, and presently Professor, School of Law, Mahindra University, Hyderabad)