OCTOBER 25, 2023

By M G Kodandaram, IRS, Assistant Director (Retd), Advocate & Consultant

Personal Data Protection- a Fundamental Right

THE unanimous decision in the Justice K.S. Puttaswamy (Retd.) and Anr. vs Union of India and Ors., (2017-TIOL-311-SC-MISC-CB), pronounced by a nine-judge bench of the Supreme Court of India in August 2017 is a march forward that was expected to usher a new and fair regime in privacy protection of the citizens of the country. Before the Puttaswamy judgment, the status of privacy as a fundamental right in India was unclear. This judgment marked a crucial turning point in India's privacy protection journey, recognizing privacy as a fundamental right, setting the stage for a comprehensive privacy legislation. The judgment unequivocally recognized the right to privacy as an inherent and essential part of individual liberty, dignity, and personal autonomy, protected under Article 21 of the Indian Constitution. This groundbreaking decision solidified the constitutional basis for privacy protection in India and paved the way for a more comprehensive approach to privacy laws.

Justice Srikrishna Commission, officially known as the "Committee of Experts on Data Protection Framework for India", was set up with a primary objective to draft a data protection law for India that would align with global privacy standards and provide individuals with robust rights and protections for their personal data. As of 2017, India did not have a standalone law on personal data protection.  Use of personal data was regulated under section 43A of the Information Technology (IT) Act, 2000 as amended read with the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 .

Journey of PDP Bill

The Commission authored a draft of the Personal Data Protection Bill (PDP for brevity) in 2018 that was formally introduced as the PDPB 2019 in the Indian Parliament. This bill had the objective of overseeing the management of personal data, establishing a protection framework for privacy and personal data in India that aligned with international data protection standards, notably the European Union's General Data Protection Regulation (GDPR). Among its provisions for safeguarding individual privacy, the draft legislation aimed to empower individuals with more control over the collection and utilization of their personal data and enabled them a claim for damages for the harm caused due to data breaches by fiduciaries.The cited judgment was instrumental in the drafting of the PDP Bill, which aimed to regulate the processing of personal data and enhance the rights of individuals regarding their personal data.

The PDP Bill 2019, which underwent review by a Joint Parliamentary Committee, eagerly anticipated by citizens as a pivotal piece of legislation to mitigate the adverse effects of digital fiduciaries on individual rights, surprisingly was withdrawn from Parliament during August 2022. Subsequently, in November 2022, a Draft Digital Personal Data Protection (DPDP) Bill was released for public consultation. Regrettably, this process did not accommodate public input on restoring privacy rights as vouched in the Constitution. In August 2023, the Digital Personal Data Protection Bill, 2023 was presented in Parliament and subsequently enacted as the DPDP Act, 2023 on August 8, 2023.

Apex court's Decision Derailed

The DPDP Act demonstrates a notable lack of oversight compared to the commitments made to the Apex court by the Central Government during the proceedings of the stated case. The court has regarded privacy law as being equivalent to fundamental rights, but the current Act significantly diminishes this legal stance. (Please read- Inadequacies in the Digital Personal Data Protection Act, 2023 TIOL- AUGUST 21, 2023 by the author).Furthermore, the Act eliminates the right to claim damages for potential harm resulting from the handling of personal data, as previously established under Section 43A of the former law, as discussed in further part of this article. Despite the 2018 Srikrishna Committee's recognition of risks, encompassing financial loss, identity theft, and discrimination, the present DPD Act does not address these issues. The 2019 Bill offered a clear definition of harm and enforced preventive measures, alongside granting individual the power to seek compensation. Similar mechanisms for addressing harm can be found in many privacy protection laws across globe, including the European Union's GDPR. The current Indian law lacks provisions for compensating victims, leading the author to assert that this law is regressive in its application when it comes to safeguarding the privacy rights of individuals.

The allusion to a "two steps forward and three steps backward" scenario in the title implies that despite the presence of the DPDP Act, privacy protection has encountered many setbacks. While the Puttaswamy judgment and the PDP Bill represented significant advancements, from the existed IT 2000 as amended, concerns persist regarding deficiencies, among others, in safeguarding the rights of privacy breach victims and the enforcement of privacy rights within the nation after the enactment of DPDP Act, 2023.

Personal Data Protection under IT laws

The erstwhile Section 43A of the ITA 2000, introduced through the 2008 amendments (effective from 27-10-2009), tackled the issue of data breaches and made it mandatory for entities handling ‘ sensitive personal data' to implement reasonable security practices and procedures, which marked the initial stride towards establishing a legal framework for data protection in India. The section stipulated that any corporate entity handling sensitive personal data in a computer resource would be liable to pay damages if it failed to adhere to reasonable security practices, resulting in wrongful loss or gain to any individual. Concurrently, the government introduced the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules in 2011. These rules outlined precise guidelines and measures that entities were obligated to follow to ensure the protection of sensitive personal data. The introduction of Section 43A and the associated rules marked a better moment in India's approach to data privacy. For the first time, the legal framework acknowledged the significance of safeguarding sensitive personal data and placed responsibilities on entities handling such data and on breach, safeguarding the interest of the victim. This development not only empowered individuals to seek remedies in the event of data breaches but also compelled businesses to adopt improved data protection practices.

Regrettably, the inadequate execution and performance of adjudication officers have rendered this provision ineffectual, reducing it to a symbolic measure with no real impact. (Please read- In Quest of 'Person'- Challenge Caused by Cyber Law - NOVEMBER 20, 2015 by the Author) Despite appeals from citizens, the Central government did not take any proactive measures for proper adjudication of the cases by the designated officials,leaving the victims to bear the brunt of the harm.

Unfortunately, the DPDP Act of 2023 does not encompass even the expectations and relief mechanisms provided in Section 43A of the IT Act, as it has omitted this mechanism in the legislation (see subsection (2) of section 44 of the PDPD Act 2023). Consequently, the remedies that were previously available to victims under Section 43A and the associated regulations within the Information Technology Act of 2000 have been negated. Sensitive personal data, as covered and protected in the earlier law, which meant personal information relating to “(i) password; (ii) financial information such as Bank account or credit card or debit card or other payment instrument details; (iii) physical, physiological and mental health condition; (iv) sexual orientation; (v) medical records and history; (vi) bio-metric information; (vii) any detail relating to the above clauses as provided to body corporate for providing service; and (viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise” have not found any place in the present law. Further the DPDP Act takes precedence in matters pertaining to personal data protection, leaving individuals without the means to seek compensation for harm resulting from the mishandling of their personal data by data fiduciaries.

No Relief to victims

In 2018, the Srikrishna Committee and the PDP Bill of 2019, when presented in Parliament, acknowledged the potential harm to the personal data in the digital age and recommended that the law should encompass provisions to prevent such harm breaches. (Please read - Proposed Indian privacy law – TIOL DECEMBER 21, 2020 by the Author). Now, with the DPDP Act of 2023, these risks and harms to individuals resulting from the mismanagement of personal data processing are not comprehensively regulated. The personal data harms can range from tangible losses like financial loss to intangible consequences such as identity theft, damage to one's reputation, discrimination, and unwarranted surveillance or profiling. Unfortunately, victims are now left without adequate protection under this ostensibly progressive law.

Furthermore, if a report of personal data breach by the individual cannot be substantiated during adjudication proceedings (as outlined in section 15 read with serial number 5 of the penalty schedule od DPDPA 2023), the principalis imposed with a penalty of ? 10,000, essentially undermining the sanctity of privacy as a fundamental right. This situation renders the ideals and hopes of the highest court's decision in the Puttaswamy case, and the assurances enshrined in Article 21 of the Constitution as unattainable for the Indian citizen.

The Way Forward

The Central government, along with state governments, is actively promoting the adoption of digital technology in their administrative processes and encouraging citizens, businesses, and other entities to integrate digital technology as an essential aspect of development. However, there has been a notable deficiency in providing adequate and timely cybersecurity measures in the form of legislation and enforcement. This gap has created an environment conducive to cybercriminals, leading to a surge in cybercrimes, including personal data thefts and crimes thereon, as recent data indicates. The policing and prevention of digital crimes have not received the necessary reinforcement, resulting in favorable conditions for fraudsters. The law enforcing authorities are complacent in acting on prosecuting cybercrimes, especially digital personal data, and privacy breaches with respect to individuals. The digital citizen lacks robust legal protection, as avenues for redress are limited and futile. Furthermore, as previously explained, the regulation regarding personal data and privacy protection has taken a step backward due to the weakened legal framework. The digital Nagarik eagerly anticipates an appropriate amendment to this new law to restore their rights, at the very least, to the level assured by the Apex court.

[The views expressed are strictly personal.]