Inadequacies in the Digital Personal Data Protection Act, 2023

AUGUST 21, 2023

By Mr M G Kodandaram, IRS, Assistant Director (Retd.), Advocate & Consultant

Introduction

THE much-anticipated enactment of the Digital Personal Data Protection Act, 2023 (DPDPA) occurred on August 11, 2023, following approval from both houses of Parliament and Presidential assent. The DPDPA, ('the Act,' for brevity) aims to oversee the handling of digital personal data, preserving individuals' right to safeguard their personal information while accommodating lawful data usage and related matters. While prioritizing privacy, the Act also recognises the importance of nurturing innovation and economic progress. It establishes a framework allowing businesses to process personal data for legitimate purposes, promoting responsible data practices while upholding privacy rights.

Presently, India lacks a dedicated and independent law exclusively for safeguarding personal data. To address this gap, the Central government constituted a Commission on personal data protection in 2017, led by Justice B. N. Srikrishna. During this period, India's Supreme Court issued a significant ruling in the Puttaswamy case, affirming privacy as an integral component of the right to life guaranteed by Article 21 of the Constitution. In July 2018, the Commission submitted an extensive report, laying the groundwork for the privacy and data protection legislation that followed. Building upon the report's recommendations, the Personal Data Protection Bill (PDPB) of 2019 was introduced in the Lok Sabha in December of that year. After a thorough review by a Joint Parliamentary Committee, its findings were presented in December 2021. However, the bill's progress was halted in August 2022 when it was withdrawn from parliamentary proceedings. Following inputs from diverse stakeholders on the Draft Bill published for public feedback in November 2022, the Digital Personal Data Protection Bill of 2023 was ultimately introduced in Parliament in August of this year. This landmark legislation is now in effect, underscoring India's commitment to safeguarding digital personal data, respecting individual privacy rights, and aligning with contemporary data-driven priorities.

Digital Personal Data

As defined in the Act, "data" means information, facts, ideas, opinions, or instructions presented in a format suitable for human or automated interpretation, communication, or processing. "Automated" refers to any digital process capable of operating independently in response to provided instructions or for data processing purposes. Furthermore, "personal data" (section 2(t)) is defined as information relating to an identifiable individual.

The Act's applicability covers the management of digital personal data within India under two circumstances: (i) data acquired through online means, or (ii) offline data subsequently digitized. Additionally, the Act's jurisdiction extends to the processing of personal data beyond India's borders if it involves providing goods or services within the country. Nonetheless, the Act does not extend to (i) personal data managed by individuals for personal or household reasons, and (ii) personal data made publicly accessible by either the individual it pertains to or any other individual compelled by prevailing Indian laws to disclose such data.

Data Principal and Data Fiduciary

According to section 2(j), the term "Data Principal" refers to the individual to whom the personal data relates. If the individual is: (i) a child, the term includes their parents or legal guardian; and (ii) a person with a disability, it includes their appointed legal guardian. A data principal whose personal data undergoes processing has the right to: (i) access details of the processing, (ii) request rectification and erasure of data, (iii) nominate a representative in case of incapacity or death, and (iv) seek redress of grievances. The data principal's duties include refraining from: (i) submitting false complaints, and (ii) providing false information or impersonating another person; breach of these duties may attract a penalty of up to Rs 10,000.

An individual or group responsible for determining the purpose and means of processing personal data is termed a "Data Fiduciary" (section 2(i)). The data fiduciary is obligated to: (i) ensure data accuracy and completeness, (ii) implement reasonable security measures to prevent breaches, (iii) promptly inform the Data Protection Board of India and affected parties in case of breaches, and (iv) erase data when its purpose is fulfilled, and retention is not legally required (storage limitation). Government entities are exempt from the storage limitation and data erasure rights of data principals.

Consent and Data Processing

Processing encompasses any automated or manual operation performed on digital personal data, such as collection, sharing and erasure. Consent is the basis for lawful processing, and it must be an informed choice. Nine scenarios in section 7 allow processing without consent. Data fiduciaries process data for the purposes to which consent was given, while the State may do so in specific instances such as emergencies. For minors, consent must be obtained from parents or guardians. Data fiduciaries must not process data in a way that adversely affects a minor's well-being, and must not track minors or target them with advertising.

Certain circumstances exempt processing from the rights and duties under the Act, including the prevention of offences and government activities in the interest of security or public order. The government also holds the power to exempt activities from the Act by notification. Transfer of data abroad is permitted, except to countries the government has restricted.

Data Protection Authority

The Act establishes a Data Protection Authority (DPA) responsible for enforcing its provisions, investigating breaches, and imposing penalties. The formation of the Data Protection Board of India is overseen by the Central government. The Board's functions encompass: (i) ensuring compliance and imposing penalties, (ii) directing remedial action in the event of a breach, and (iii) addressing grievances. Board members serve a two-year term and are eligible for reappointment. Appeals lie with the TDSAT. The DPA is meant to ensure transparency and accountability. Penalties range from Rs. 10,000 to Rs. 250 crore depending on the extent of the violation, with breach penalties reaching Rs. 250 crore. Businesses are mandated to align with the privacy regulations, obtain consent, and safeguard data. Firms must proactively review and adjust their data practices, including encryption, access control, and breach-response protocols. Adhering to the Act's privacy standards is imperative for compliance.

Inadequacies in the Act

The Act exhibits noteworthy gaps attributed to State exemptions, potentially leading to privacy concerns. Exemptions include data processing by government entities, raising questions about unchecked surveillance infringing upon privacy rights. The Act permits government agencies to retain data even after its purpose is fulfilled, potentially enabling extensive surveillance under the pretext of national security. These exemptions might not align with proportionality principles or established safeguards. Additionally, the Act allows data repurposing without consent, challenging privacy principles. This approach could result in citizen profiling, highlighting the necessity for stronger safeguards and balanced exemptions.

The other shortcomings in the protection of the privacy rights of individuals are as follows:

1. Absence of Harm Regulation in Data Processing: The Act lacks oversight regarding potential harm stemming from the processing of personal data. Although the 2018 Srikrishna Committee acknowledged such harm, the Act does not address these risks, which encompass financial loss, identity theft, and discrimination. The 2019 Bill defined harm and mandated preventive measures; it also granted data principals a right to compensation. Comparable harm provisions exist in the European Union's GDPR. The Act makes no mention of payment of damages to victims.

2. Missing Data Portability and Right to Be Forgotten: The Act does not incorporate the right to data portability or the right to be forgotten, in contrast to earlier drafts and the 2019 Bill. These rights empower individuals to control their data and were recommended by the Srikrishna Committee (2018) and the Joint Parliamentary Committee. Data portability facilitates the transfer of data between fiduciaries, subject to concerns about trade secrets. The right to be forgotten restricts the continued dissemination of public data; balancing it against freedom of speech, relevance, and sensitivity is vital. These rights are integral to robust data protection founded on autonomy, transparency, and accountability.

3. Board Independence and Short Tenure Concerns: The relatively brief appointment term of two years, renewable, for members of the Data Protection Board raises concerns about its independence. The Act establishes the Board as an autonomous entity overseeing compliance, investigations, and penalties. Similar arrangements elsewhere have sparked concerns about Executive influence. Regulatory bodies like the Central Electricity Regulatory Commission and the Competition Commission of India serve five-year terms, SEBI follows a five-year model, and TRAI has three-year terms.

4. Reassessing Consent Exemptions: The Act empowers the Central government to exempt specific data fiduciaries, including startups, from particular obligations via notification. This must be done cautiously, considering the nature and quantity of the data involved. While voluntary and informed consent remains crucial, dispensing with notice of the nature of the data and the purpose of processing could hinder truly informed consent.

The Digital Personal Data Protection Act of 2023 (DPDPA) represents a significant stride in safeguarding digital personal data in India while honouring privacy rights and encouraging innovation. However, significant gaps within the Act warrant attention. The Act's limitations in regulating potential harm from data processing may undermine individual rights and interests. Moreover, the omission of the right to data portability and the right to be forgotten reduces individual data control and raises questions about informed consent.

Concerns also surface about the potential impact of the Board's short appointment term on its independence. Historical instances of Executive influence emphasize the necessity of establishing a robust, autonomous regulatory framework. Additionally, the authority to exempt data fiduciaries from consent notice obligations requires careful implementation to ensure transparency and informed consent.

Addressing these inadequacies is vital to bolster the Act's effectiveness and comprehensively protect individual rights. Striking a balance between privacy, innovation, and government interests is essential for crafting a resilient data protection framework grounded in autonomy, transparency, and accountability. As India progresses in the realm of digital data governance, rectifying these shortcomings will be pivotal in establishing a just, balanced, and forward-looking data protection landscape.

"Data is the pollution problem of the information age, and protecting privacy is the environmental challenge." (Bruce Schneier, Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World)

[The views expressed are strictly personal.]
