Privacy at Stake: Evaluating Data Principal Rights in the DPDP Act 2023

MARCH 19, 2024

By Mr M G Kodandaram, IRS. Assistant Director (Retd) ADVOCATE and CONSULTANT

THE Digital Personal Data Protection Act, 2023 (DPDP Act) purports to establish a comprehensive legal framework for safeguarding individuals' privacy rights in their personal data held in digital form. An analysis of the law as enacted, however, shows that it neither adequately protects individual privacy nor provides recourse for damage resulting from personal data breaches by data fiduciaries. Instead, it appears to serve primarily as a legal mechanism enabling fiduciaries to manage digital personal data, while discouraging individuals (data principals) from lodging complaints against breaches by fiduciaries.

Not only does the law fail to uphold the privacy rights of principals and to protect their sensitive personal data, it also seems designed to dissuade principals from seeking restitution for harm caused by breaches by fiduciaries. (Please read DPDP Act 2023 Falls Short on Addressing 'Harm' by the author.) The present article examines the shortcomings of the legal framework, emphasising how it tilts in favour of fiduciaries who neglect privacy safeguards, at the expense of privacy itself, a fundamental right guaranteed to citizens under Article 21 of the Constitution of India.

Genesis of DPDP Act

The genesis of the DPDP Act lies in the widespread use of digital technologies to clandestinely harvest individuals' personal data for commercial ends, which fostered a climate of unease among the public. In 2012, Justice K.S. Puttaswamy (Retd.) petitioned the Supreme Court of India, challenging the constitutionality of the 'Aadhaar Project' on grounds of privacy infringement. That landmark case, Justice K.S. Puttaswamy v. Union of India (2017-TIOL-311-SC-MISC-CB), concluded on August 24, 2017 with the Supreme Court affirming privacy as an intrinsic part of the right to life and personal liberty under Article 21, and therefore a fundamental right under the Constitution. By recognising privacy as fundamental, the Apex Court shielded citizens (principals) against entities collecting and processing their data (fiduciaries) without proper consent. After extensive deliberation, delay and negotiation, the DPDP Act was finally published in the Official Gazette on Friday, August 11, 2023.

The implementation of the DPDP Act in India comes six years after the Supreme Court acknowledged the fundamental right to privacy, inclusive of informational privacy, within the "right to life" provision of India's Constitution. In this landmark verdict, the nine-judge bench of the Apex Court urged the Indian Government to institute "a meticulously structured regime" to safeguard personal data. The DPDP Act of 2023 is presented as a comprehensive legislative framework crafted to safeguard the rights and privacy of individuals concerning their personal data.

Significance of Data Privacy

'Data Privacy' encompasses regulations governing the acquisition and management of data, contingent upon its 'sensitivity'. It chiefly concerns personal health data and personally identifiable information, including financial records, medical histories, social security or ID numbers, names, birthdates, and contact information. This focus on data privacy extends to all sensitive information handled by organizations, encompassing that of customers, shareholders, and employees. Often integral to business operations, development, and financial management, this data requires protection to ensure it remains accessible only to authorized individuals. Upholding data privacy not only thwarts malicious exploitation by criminals but also aids in compliance with regulatory standards.

Data protection comprises the strategic and procedural measures implemented to safeguard the confidentiality, integrity and availability of sensitive data. These measures are crucial for any organisation that collects, processes or stores sensitive information, and they aim to prevent data corruption, loss or unauthorised access. Although data protection and data privacy are closely linked and both vital, they have distinct meanings. Data privacy is about deciding who may access data and for what purpose; data protection is about enforcing those decisions through access restrictions and other controls. Data privacy policy thus sets the requirements that data protection tools and processes implement. Privacy guidelines alone do not prevent unauthorised access, and protection controls alone do not tell an organisation which data it may legitimately hold or use; both are needed to maintain data security.

No Protection for Personal Data

The purpose of the DPDP Act is explicitly articulated as: "An Act to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto." This statement emphasizes the dual objective of respecting individuals' right to safeguard their personal data while acknowledging the necessity of processing such data for legitimate purposes and related matters.

The Act defines "digital personal data" as personal data in digital form (Section 2(n)), and "data" as any representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means (Section 2(h)). Notably, the terms "privacy" and "sensitive personal data" appear nowhere in its provisions.

In essence, while the Act acknowledges the importance of processing digital personal data with due regard for individuals' rights, it lacks explicit provisions regarding privacy or the protection of "sensitive personal data". Moreover, the absence of references to personal identifiers of data subjects underscores potential limitations in addressing individual privacy concerns within the legislative framework.

The definition provided for personal data is not only abstract but also subject to ambiguous interpretations. There is a noticeable absence of any mention of 'personal identifiers' of the data subject (principal) throughout the legislation. Questions arise regarding whether images, audio, metadata, analytics, video transcripts, and other sensitive data fall within the scope of personal data. Is there a mechanism in place to distinctly categorize sensitive, confidential, personally identifiable information, and public data, and subsequently formulate separate governing rules for each category? These questions are seemingly left for data fiduciaries to contemplate. This creates a significant gap in the Act, as organizations can argue during a breach that the leaked data is not of a personal nature. Moreover, it diminishes the severity of data breaches involving information other than personal data, which could encompass company assets, copyright information, and various other types of data.

Ability to Protect Privacy

Section 3(c)(ii) of the Act leaves publicly shared personal data open to scraping, by stipulating that the law does not apply to personal data made publicly available by the Data Principal herself. The Act illustrates this: if an individual, while blogging her views, shares personal data on social media, the processing of that data falls outside the Act. Consequently, companies may process publicly available personal data without obtaining consent or complying with the Act's other provisions. This lets AI services harvest publicly accessible personal data from the internet to train their models, and lets facial recognition systems use publicly available profile photos to refine their matching.

No separate consent is required for sharing personal data with third parties, and when consent is sought, fiduciaries are not required to disclose who will receive the data or for what purposes. The notice given to users when consent is obtained offers minimal insight into how their personal data will be handled, since it need only describe the data collected and its intended use. Earlier versions of the bill, by contrast, required disclosure of retention periods, sharing with third parties, the source of the data and cross-border transfers, among other things. Nor are fiduciaries obliged to publish privacy policies on their websites, as earlier iterations of the bill had mandated.

The DPDP Act grants data principals a specific but limited set of rights, narrower than those under the EU General Data Protection Regulation (GDPR). These include the right of access, the right to correction and erasure, and the right to receive notice before consent is requested, akin to the GDPR's right to information. Notably absent from the DPDP Act are the right to data portability, the right to object to processing on grounds other than consent, and the right not to be subjected to solely automated decision-making. Even the right of access is narrow: a data principal may request and obtain only a summary of the personal data being processed. Nor does the Act give any heightened protection to sensitive or critical personal data. Earlier versions of the bill classified data such as health, biometric and financial information as sensitive or critical, requiring enhanced measures for its processing and storage; those classifications are absent from the Act as passed.

The DPDP Act empowers the Data Protection Board to impose penalties of up to Rs 10,000 on users (principals) who fail to fulfil the duties the legislation prescribes for them. These duties include complying with applicable laws while exercising their rights, not impersonating another person when providing personal data, not suppressing material information, not lodging false or frivolous grievances or complaints with a Data Fiduciary or the Board, and furnishing only verifiably authentic information when seeking correction or erasure. The Act, however, contains no provision enabling users to act on breaches by fiduciaries or companies, beyond the fiduciary's own obligation to report the breach. Victims have no means to independently investigate a fiduciary's conduct or to assess the harm done to their sensitive personal data. The law does not require fiduciaries to maintain records of processing activities or of data flows within their infrastructure, including where personal data is stored. Without such mandates, honouring Data Principal rights in practice poses a significant challenge. An Act meant to protect users' privacy should not penalise those users; doing so undermines the legislation's own purpose.

Fiduciaries Obligations Diluted

It is essential for the country to enact a data protection law that safeguards the privacy rights of citizens, rather than granting fiduciaries, companies and the government unrestricted freedom to collect and process personal data as they choose. There is no clarity on the security measures companies must implement to prevent data breaches. While the Act requires fiduciaries to implement "reasonable security safeguards" to prevent breaches, it nowhere specifies what "reasonable" means. Failure to implement such safeguards can attract a penalty of up to Rs 250 crore. That penalty, however, provides no compensation to the users who are the victims of the breach, as none of the amount imposed is directed to them. Moreover, the omission of Section 43A of the Information Technology Act, 2000 by the DPDP Act removes the statutory basis for such compensation.

Under what may be termed an "outsourcing exception" (Section 17(1)(d)), the Act exempts Indian companies that process the personal data of individuals outside India under a contract with a foreign entity. The exemption relieves them of core DPDP obligations, such as honouring the rights of access and erasure that data principals ordinarily hold; they remain bound, in the main, only by the data security requirements. While Section 8(6) requires data fiduciaries to intimate any personal data breach to the Board and to each affected Data Principal, in the form and manner to be prescribed, the Act itself sets no timeline for such reporting. This omission is a significant gap, as it leaves room for fiduciaries to deliberately delay or conceal a breach in order to avoid the penalties that follow from it.

Typically, a security audit is a standard assessment of whether a fiduciary has implemented effective controls to safeguard sensitive personal data. Such audits pinpoint the deficiencies and weaknesses that could lead to a data breach. Under the DPDP Act, most organisations are free to decide whether to conduct them at all. Given that the law was enacted in 2023, later than in many other countries, it ought to have mandated regular security audits for sectors such as fintech and healthcare, which handle financial and health records, with the audits carried out by certified third-party auditors and their reports submitted to a government-established board. Countries such as the USA, Singapore and the UAE, and even smaller nations like Oman, already require regular third-party security audits of companies operating in certain sectors. While the Act does require periodic audits of organisations that the Central Government notifies as Significant Data Fiduciaries, on the basis of factors such as the volume and sensitivity of the data processed and risks to national security or public order, this falls well short of a comprehensive audit mandate across the relevant sectors.

Moving Forward

Looking ahead, the DPDP Act, aimed at establishing a solid legal framework to protect individuals' privacy rights regarding personal data, falls short upon closer scrutiny. It fails to adequately safeguard individual privacy or offer recourse for damages resulting from breaches by fiduciaries, seemingly prioritizing the interests of these commercial entities and potentially dissuading individuals from pursuing complaints.

Originally conceived due to concerns about the widespread misuse of digital technologies to covertly gather personal data, the DPDP Act lacks full coverage of privacy concerns and sensitive data protection despite the Supreme Court's recognition of privacy as a fundamental right. The Act's definition of personal data lacks clarity, leaving room for interpretation and potential loopholes, while its enforcement mechanisms are insufficient to hold fiduciaries accountable or compensate breach victims. Moreover, exemptions and outsourcing clauses dilute fiduciaries' responsibilities and undermine data principals' rights, compounded by the absence of specific reporting timelines for data breaches, which could facilitate intentional concealment by fiduciaries.

Although the Act allows for security audits, their discretionary nature and sector-specific mandates leave significant gaps in data protection measures. Thus, while representing a step toward addressing privacy concerns, the DPDP Act fails to provide robust protection or enforce accountability, undermining its purpose.

Considering these shortcomings, significant amendments are necessary to ensure comprehensive protections for personal data and accountability for fiduciaries. Without such revisions, the Act may fall short of its intended goal. Given the dynamic digital landscape, there is an urgent need for a structured and comprehensive personal data protection framework to uphold citizens' privacy rights.

In the aftermath of the Puttaswamy judgment, it is imperative for the government to take proactive steps to strengthen the Act, safeguarding the fundamental right to privacy. This involves not only fortifying the legislation but also ensuring its alignment with global data protection standards, thereby positioning India as a leader in advocating for data security and privacy on the international stage.

[The views expressed are strictly personal.]

(DISCLAIMER : The views expressed are strictly of the author and Taxindiaonline.com doesn't necessarily subscribe to the same. Taxindiaonline.com Pvt. Ltd. is not responsible or liable for any loss or damage caused to anyone due to any interpretation, error, omission in the articles being hosted on the site)
