The Delay Dynamics
SEPTEMBER 17, 2024
By Mr M G Kodandaram, IRS. Assistant Director (Retd)
ADVOCATE and CONSULTANT
Personal Data and Privacy Protection
In today's digital era, where data is often viewed as a valuable asset, protection of personal information has gained tremendous significance. The surge in online activities, social media, e-commerce, and digital communication generates vast amounts of data on a daily basis, offering immense opportunities for both businesses and governments. However, this extensive data generation also brings considerable risks, especially concerning privacy violations. Personal information is routinely collected, processed, and shared by governmental, commercial, and non-commercial entities for various purposes, increasing the likelihood of data breaches, unauthorized access, identity theft, and misuse, thereby endangering individuals' privacy. With the rise of sophisticated cyber threats, such as phishing, ransomware, and malicious surveillance, the exposure of sensitive information can result in severe financial loss, reputational harm, and emotional distress. In an era where technology is advancing at an unprecedented pace, the slow and passive approach to developing a robust legal and regulatory framework has failed to adequately safeguard individuals' privacy, as guaranteed by the Constitution of India. Establishing robust data protection frameworks is vital for nurturing public trust, encouraging ethical data use, and creating a secure digital environment where technological progress does not compromise individual freedoms.
Journey of Personal Data Protection in India
The journey of privacy protection in India has been long and multifaceted, shaped by judicial decisions, public discourse, and legislative efforts. Until 2017, India lacked a dedicated personal data protection law, though the Information Technology (IT) Act of 2000 provided limited protection through Section 43A and the 2011 IT Rules. The execution of this law by officials from the Ministry of Electronics and Information Technology has undermined public trust in the safeguarding of personal data and privacy. The apparent shortcomings in the implementation process have eroded citizens' confidence in the effectiveness of measures designed to protect their sensitive information. (Please read- In Quest of 'Person'- Challenge Caused by Cyber Law- NOVEMBER 20, 2015 - By the Author)
The movement toward robust data protection gained momentum with the Supreme Court's landmark judgment in Justice K.S. Puttaswamy (Retd.) & Anr. vs. Union of India [(2017) 10 SCC 1, AIR 2017 SC 4161]. On August 24, 2017, the court ruled that the right to privacy is a fundamental right under Article 21 of the Indian Constitution, primarily in the context of challenges to the Aadhaar scheme, which involved the collection of biometric data. This decision stressed the need for a legal framework to safeguard personal data from misuse by both private entities and the state.
In response, the government formed a Committee of Experts on Data Protection led by Justice B.N. Srikrishna, tasked with drafting a data protection law. In 2018, the Srikrishna Committee presented its report along with a draft Personal Data Protection Bill, focusing on key principles like data minimization, purpose limitation, and transparency. The draft bill proposed a consent-based framework for data collection and processing, as well as the establishment of a regulatory body, the Data Protection Authority (DPA).
The Personal Data Protection (PDP) Bill, 2019, introduced in Parliament, incorporated many of the committee's recommendations but faced criticism for its broad government exemptions and stringent data localization requirements. Following scrutiny by a Joint Parliamentary Committee (JPC), which submitted its report in 2021, the Bill still faced significant opposition. Consequently, the government withdrew the bill in August 2022, citing the need for a more streamlined legal framework that addressed data governance complexities while focusing on commercial interests. (Please read - Proposed Indian privacy law - DECEMBER 21, 2020, and Are commercial interests interfering with the Citizens' Privacy Rights? -NOVEMBER 08, 2021- by the Author). The assurances given by the Government to the Apex Court regarding the creation of a suitable law to restore the fundamental rights guaranteed under Article 21, while imposing reasonable restrictions, have remained nothing more than an illusion.
In August 2023, the government introduced the Digital Personal Data Protection (DPDP) Bill, which narrowed its focus to personal data protection and omitted broader privacy provisions. While this marked a more concise legislative approach, concerns arose about its limited protection, particularly regarding government exemptions and the exclusion of relief for privacy violations. The DPDP Act, 2023, was passed by Parliament and received presidential assent in August 2023, marking the culmination of years of legal and legislative efforts. (Please read - Inadequacies in the Digital Personal Data Protection Act, 2023 - AUGUST 21, 2023; India's Privacy Journey - Two Steps Forward, Three Steps Back - OCTOBER 25, 2023; Waning 'Public Interest' - RTI Act, 2005 amended by DPDP Act, 2023 - OCTOBER 31, 2023; DPDP Act 2023 Falls Short on Addressing 'Harm' - NOVEMBER 28, 2023; and Privacy at Stake: Evaluating Data Principal Rights in the DPDP Act 2023 - MARCH 19, 2024 - by the Author) However, the delayed implementation of DPDP Rules and the diluted scope of the Act leave individuals vulnerable to privacy violations, raising concerns about the future of data protection in India.
Delay in Framing of DPDP Rules
The full potential of the weaker DPDP Act depends on the timely framing of the accompanying rules, which are crucial for outlining enforcement procedures and regulations. These rules are intended to establish the operational framework, detailing how personal data should be collected, processed, stored, and transferred, as well as defining individuals' rights regarding their data. However, the delay in implementing these rules has created uncertainty, leaving both individuals and businesses unclear about their obligations and protections in terms of data privacy.
This delay is particularly concerning given the rising number of privacy breaches. Data leaks, unauthorized access, misuse of sensitive information, and cyber-attacks are becoming more frequent. Major incidents involving prominent companies and institutions have exposed the personal information of millions, leading to financial fraud, identity theft, and emotional harm. In India, breaches like those involving Aadhaar and banking data have highlighted the urgent need for comprehensive data protection laws. Despite these increasing risks, the lack of finalized DPDP Rules has left even minimal safeguards for personal data elusive.
A central aspect of the DPDP Act is the establishment of the Data Protection Authority (DPA), which is intended to supervise the enforcement of data protection regulations. The DPA's role includes monitoring organizational compliance with the rules, addressing public complaints, and enforcing penalties for non-compliance. The early creation of the DPA is vital for enhancing India's data protection framework. However, the delay in finalizing the rules has postponed the formation of this crucial regulatory body, leaving a gap in oversight. Without the DPA, there is a risk that data breaches and privacy violations may occur with minimal accountability and repercussions.
Implications of the Delay in Making the Rules
The delay in implementing the DPDP Rules carries several negative implications, and foremost among them is the lack of effective management and response to personal data breaches. Accountability is a foundation of global data protection laws, but without these rules, data fiduciaries cannot be held responsible for mishandling or improper storage of personal data. This absence of legal clarity allows breaches to potentially go unnoticed or unpunished, leaving individuals exposed to risks.
In the absence of explicit guidelines, businesses and organizations operate in a largely unregulated environment, increasing the potential for data misuse, such as unauthorized sharing or selling of personal information. As India integrates further into the global digital economy, the lack of a robust data protection regime may adversely affect international business relations, particularly with countries that enforce strict privacy regulations, like those in the European Union. The delayed enforcement of DPDP Rules could also deter foreign investment in data-sensitive sectors such as technology and e-commerce.
Consumers depend on strong legal frameworks for privacy protection. Without the DPDP Rules, individuals lack clear recourse in the event of data breaches and may remain uninformed about such incidents due to ambiguous notification requirements. The ongoing delay not only jeopardizes the safety of personal data but also threatens India's global reputation in digital governance.
Conclusion
As the digital landscape evolves, safeguarding personal data has become increasingly crucial. While the DPDP Act, 2023 represents minimal progress, delays in implementing the Law and the associated rules have created significant gaps in the privacy protection framework. This delay exacerbates existing issues of privacy breaches, leaving individuals vulnerable to misuse of their personal information. For India to truly advance as a digital economy, it must prioritize the prompt implementation of these essential rules, ensuring accountability and security in data handling. As digital transformation accelerates, finalizing and implementing the DPDP Rules is essential to protecting personal data, restoring trust in the digital ecosystem, and maintaining India's leadership in the global digital economy.
[The views expressed are strictly personal.]
(DISCLAIMER: The views expressed are strictly of the author and Taxindiaonline.com doesn't necessarily subscribe to the same. Taxindiaonline.com Pvt. Ltd. is not responsible or liable for any loss or damage caused to anyone due to any interpretation, error, omission in the articles being hosted on the site)