THE CONTEXT: In August 2023, the Parliament passed the Digital Personal Data Protection Act (DPDPA), 2023. The Act holds significance as a fundamental component of the comprehensive structure of technology regulations and protection of privacy being developed in the country. In this context, this article analyses various aspects of the Act in order to enable the students to develop the right perspective.
NEED FOR DIGITAL DATA PROTECTION LAW
- Way back in 2006, the British mathematician Clive Humby recognised the importance of data and said that ‘Data is the New Oil’. Digital data has become a precious tradable commodity that can give market players competitive leverage.
- In India, according to one estimate, the digital population has reached close to 700 million active internet users, with 467 million social media users creating mammoth amounts of digital data. As a result, India has emerged as the second-largest internet market. Now that digital data is an all-pervasive business enabler, its generation, ownership, sharing and protection, and the maintenance of mutual trust among those who transmit it, assume greater significance.
- Personal data is information that relates to an identified or identifiable individual. Businesses as well as government entities process personal data for the delivery of goods and services; processing personal data allows them to understand the preferences of individuals, which may be useful for customisation, targeted advertising and developing recommendations.
- However, unchecked processing may have adverse implications for the privacy of individuals, which has been recognised as a fundamental right. It may expose individuals to harms such as financial loss, loss of reputation and profiling.
- In August 2017, a nine-judge Bench of the Supreme Court, in its verdict in Justice K.S. Puttaswamy (Retd) vs. Union of India, held that the Right to Privacy is a fundamental right under Article 21.
- As technologies like Artificial Intelligence advance and permeate various aspects of daily life, the potential for extensive data collection, analysis and manipulation grows exponentially. Without effective data protection measures, individuals’ personal information is at risk of being exploited, leading to privacy breaches, identity theft and other malicious activities.
THE KEY FEATURES OF THE ACT
The Act applies to the processing of digital personal data within India where such data is:
- collected online, or
- collected offline and is digitised.
The provisions of the Act will also apply to the processing of personal data outside India if it intends to offer goods or services in India.
- Personal data may be processed only for a lawful purpose after obtaining the consent of the individual and a notice must be given before seeking consent.
- Consent may be withdrawn at any point in time.
- Consent will not be required for ‘legitimate uses’ defined in the Act.
- For individuals under 18 years of age, consent will be provided by the parent or the legal guardian.
Rights of data principal:
- An individual whose data is being processed (data principal) will have the right to:
  - obtain information about processing,
  - seek correction and erasure of personal data,
  - nominate another person to exercise rights in the event of death or incapacity, and
  - grievance redressal.
Duties of data principal: They must not:
- register a false or frivolous complaint, and
- furnish any false particulars or impersonate another person in specified cases.
Violation of these duties will be punishable with a penalty of up to Rs 10,000.
Obligations of data fiduciaries: The entity determining the purpose and means of processing (data fiduciary) must:
- make reasonable efforts to ensure the accuracy and completeness of data,
- build reasonable security safeguards to prevent a data breach,
- inform the Data Protection Board of India and affected persons in the event of a breach, and
- erase personal data as soon as the purpose has been met and its retention (the time limit for storing the data) is no longer necessary for legal purposes.
For government entities, storage limitation and the right of the data principal to erasure will not apply.
DATA PROTECTION BOARD OF INDIA
The central government will establish the Data Protection Board of India. Key functions of the Board include:
- monitoring compliance and imposing penalties,
- directing data fiduciaries to take necessary measures in the event of a data breach, and
- hearing grievances made by affected persons.
Board members will be appointed for two years and will be eligible for re-appointment.
Appeals against the decisions of the Board will lie with TDSAT (Telecom Disputes Settlement and Appellate Tribunal).
The rights of the data principal and obligations of data fiduciaries (except data security) will not apply in specified cases.
The central government may, by notification, exempt certain activities from the application of the Act. These include:
- processing by government entities in the interest of the security of the state and public order, and
- research, archiving, or statistical purposes.
The schedule to the Act specifies penalties for various offences, such as up to:
- Rs 200 crore for non-fulfilment of obligations for children, and
- Rs 250 crore for failure to take security measures to prevent data breaches.
Penalties will be imposed by the Board after conducting an inquiry.
THE SIGNIFICANCE OF THE DATA PROTECTION ACT
- Protects the privacy of the individual: The Data Principal (DP) has to give written consent to generate and process the data, indicating the specific purpose of its use. The DP can also withdraw the consent at any time or restrict its use. The Act also grants certain rights to individuals, including the right to obtain information, seek correction and erasure, and grievance redressal.
- Safeguards the legitimate aim of the state: Exemptions to data processing by the State on grounds such as sovereignty and integrity may lead to data collection, processing, and retention beyond what is necessary.
- Enables growth and innovation: The Act holds immense importance in the present digital landscape; it will solidify India’s position as a leading global innovation hub, support the IT industry and stimulate India’s digital thought leadership globally.
- Promotes digital economy: The Act provides a regulatory framework that balances the interests of consumers, businesses, and the government while ensuring the digital economy is secure, transparent, and trusted.
- Independent authority to implement: The Act provides for the creation of a Data Protection Board (DPB) to enforce the compliance of provisions of the legislation.
- Matches the international regime: The DPDP Act follows the global minimum standard for privacy and data protection, forming a solid foundation for building effective protection and trust for individuals and for developing common international approaches to transborder data flows.
CRITICISMS OF THE ACT
- May violate the right to privacy: The Supreme Court in Justice K.S. Puttaswamy (Retd) vs. Union of India (2017) held that any infringement of the right to privacy should be proportionate to the need for such interference. However, the Act empowers the central government to exempt processing by government agencies from any or all provisions in the name of the security of the state and the maintenance of public order. Such exemptions for the State may lead to data collection, processing and retention beyond what is necessary. This may violate the fundamental right to privacy, giving rise to the apprehension that the collected data might be used to create a 360-degree profile for surveillance.
- Curtails access to information: The RTI Act includes a provision to harmonise people’s right to information with their right to privacy through an exemption clause under Section 8(1)(j). Under it, personal information is exempt from disclosure only if it has no relationship to any public activity; the DPDPA, however, exempts all personal information from disclosure. This threatens the very foundations of the transparency and accountability regime in the country.
- Does not address the harms arising from the processing of personal data: The Act falls short of regulating harm arising from the processing of personal data. The Srikrishna Committee (2018) observed that harm is a possible consequence of personal data processing, and that it includes financial loss, loss of access to benefits or services, identity theft, loss of reputation, discrimination, and unreasonable surveillance and profiling.
- Not enough protection in case of cross-border transfer of data: The Act provides for the central government to restrict the transfer of personal data to certain countries through a notification. This implies that personal data may be transferred to all other countries without any explicit restrictions. This mechanism may not provide adequate protection: in the absence of robust data protection laws in the other country, data stored outside India may be more vulnerable to breaches or to unauthorised sharing with foreign governments as well as private entities.
- Independence of the Data Protection Board of India: The Act provides that the Data Protection Board of India will function as an independent body. However, a short-term appointment (2 years) with the scope for re-appointment may affect the independent functioning of the Board.
DOES THE DPDP ACT 2023 REALLY PROTECT PRIVACY?
The exemptions in the DPDP Act have the potential to expand data collection, processing and retention beyond what is deemed essential, which points to a possible lack of proportionality and a potential infringement of the fundamental right to privacy. The Act also does not mandate government agencies to erase personal data once the processing purpose has been fulfilled. In PUCL vs Union of India (1996), the Supreme Court imposed several safeguards that must be adhered to, including the establishment of necessity, purpose limitation and storage limitation. The obligations of data fiduciaries under the Act that resemble these safeguards are precisely the ones from which the government can be exempted, and this raises questions about privacy.
As CJI DY Chandrachud has asserted, the establishment of any robust data protection system necessitates a meticulous and delicate equilibrium between the interests of individuals and the valid apprehensions of the state. The government has maintained that it needs some exemptions and cannot be treated on par with private entities in all cases, for various reasons connected with terrorism, law and order, and public health emergencies. Although there is merit in the government’s argument, exemptions without procedural safeguards may create the fear of a surveillance state. It is commendable that the IT Minister recently indicated that procedural safeguards will be introduced as and when the Act is implemented. Although this is a welcome step, other concerns such as ‘consent dilution’, the penalty on data principals and the selective compliance regime need to be addressed.
DATA PROTECTION LAWS AROUND THE WORLD
General Data Protection Regulation (GDPR)
- GDPR is a legal framework that sets guidelines for the collection and processing of personal information of individuals in the European Union (EU). The law came into effect in May 2018 and applies to all 28 member states of the European Union.
- Its aim is to give consumers control over their own personal data by holding companies responsible for the way they handle and treat this information.
- Under the terms of GDPR, not only do organisations have to ensure that personal data is gathered legally and under strict conditions, but those who collect and manage it are obliged to protect it from misuse and exploitation.
- Companies are also required to respect the rights of data owners – or face penalties for not doing so.
Personal Data Protection Act (PDPA), Singapore
- The Personal Data Protection Act (PDPA) provides a baseline standard of protection for personal data in Singapore. It complements sector-specific legislative and regulatory frameworks such as the Banking Act and the Insurance Act.
- The PDPA recognises both the need to protect individuals’ personal data and the need for organisations to collect, use or disclose personal data for legitimate and reasonable purposes. By regulating the flow of personal data among organisations, the PDPA also aims to strengthen Singapore’s position as a trusted hub for businesses.
- Organisations are required to comply with various data protection obligations if they undertake activities relating to the collection, use or disclosure of personal data.
Privacy Act 2020, New Zealand
- The Privacy Act 2020 repealed and replaced the Privacy Act 1993 and came into effect on 1 December 2020.
- The Act strengthens privacy protections and promotes early intervention and risk management by agencies (the name used for any organisation or person that handles personal information) and enhances the role of the Privacy Commissioner.
- New Zealand agencies also ensure that personal information sent overseas is protected by comparable privacy standards.
- The Act also clarifies that when a New Zealand agency engages an overseas service provider, it will have to comply with New Zealand privacy laws.
- Misleading an agency in a way that affects someone else’s information, and destroying documents containing personal information, attract fines of up to $10,000.
United States
- There is no comprehensive set of privacy rights or principles in the US that, like the EU’s GDPR, addresses the use, collection and disclosure of data; instead, there is limited sector-specific regulation. The approach towards data protection also differs between the public and private sectors.
- The activities and powers of the government vis-a-vis personal information are well-defined and addressed by broad legislation such as the Privacy Act, the Electronic Communications Privacy Act, etc.
THE WAY FORWARD
- Given that the government is the biggest data repository, an effective data protection law must not give exemptions and wide discretionary powers to the government which could possibly result in immense violations of citizens’ privacy.
- The creation of a government-controlled Data Protection Board is bound to raise serious apprehensions of it becoming another caged parrot open to misuse by the executive to target the political opposition and those critical of its policies. The concerns need to be urgently addressed.
- The Act also provides for the executive to exempt a single company or a class of companies from compliance. This might lead to a partisan rather than a constitutionalist regime, which may not be appropriate.
- A robust data protection law is just one aspect of a broader framework for digital governance. To ensure comprehensive regulation, cyber security, competition, artificial intelligence, and other relevant areas must also be addressed. The European Union’s approach can provide valuable insights.
- The BN Srikrishna committee also pointed out that there is a conflict between two fundamental rights, transparency and privacy. This requires careful balancing, given that neither the right to privacy nor the right to information is absolute.
- The idea of a fee to prevent frivolous appeals might pose a barrier to grievance redressal. Hence it is necessary to relook at the provisions dealing with penalties so as to encourage informed, alert and proactive participation from the masses.
- The government must not only notify new data rules at the earliest but must also ensure an orderly transition to new data rules once they are notified.
THE CONCLUSION: The Digital Personal Data Protection Act will not only create an essential framework of trust between individuals and enterprises processing their data but also set explicit norms for accountability and responsible data handling. It is a promising and welcome step as it addresses concerns like cross-border data transfer and remedies for unauthorised data processing. However, concerns about the way the new law deals with the rights to information and free speech, surveillance reform, and the regulatory structure need to be addressed.
Mains Practice Questions:
Q.1 Does the Digital Personal Data Protection (DPDP) Act 2023 erode the right to information and weaken the accountability of public servants to citizens? Critically analyse.
Q.2 Discuss the salient features of the Digital Personal Data Protection (DPDP) Act 2023. Do you think that, instead of protecting the privacy of individuals, it creates a friendly regime for data processing? Argue.