Author- Ayush Shukla, a student at Savitribai Phule Pune University
ABSTRACT- In August 2023, the Indian Parliament passed the Digital Personal Data Protection Act, 2023 (DPDP Act), finally giving India its first broad-based, cross-sectoral law on personal data protection. The law came after more than five years of protracted deliberation. The question this paper seeks to answer is whether such a long period of debate has produced an efficient law: more precisely, whether the DPDP Act protects personal data sufficiently while maintaining the balance, laid down in the preamble of the Act, between the right of individuals to protect their personal data and the need to process such data for legitimate purposes.
To that end, the paper first outlines the key features of the DPDP Act and contrasts it with previous drafts, particularly the official bill introduced in Parliament in 2019. The second part of the paper examines the DPDP Act from two viewpoints: it identifies certain problem areas in the law and considers their implications for consumers, businesses, and the Indian state, and it places the Act within the developments and debates of the last five years. Finally, the paper speculates on the factors most likely to shape the evolution of data protection regulation in India over the next few years. The central intent of the Act is to regulate the collection of digital personal data and to respect individuals’ right to secure their data, while acknowledging the necessity of processing and using such data for lawful purposes. The language of the Act is straightforward, making it easy for all to understand. Moreover, the Act aims to establish a comprehensive legal framework to govern digital personal data protection in India.
Introduction- With the Digital Personal Data Protection Act, 2023, India has entered a new epoch of data protection. Hitherto, data-related issues in India were governed solely by the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “SPDI Rules”). These laws have well-recognized limitations, and in an age when personal data is a matter of increasing concern, the DPDP Act brings much-needed relief.
The Digital Personal Data Protection Act, 2023 is the second version of the Bill presented to Parliament and the fourth version overall. It follows a draft prepared by an expert committee and floated for public comment in 2018. That was followed by the government’s own draft, the Personal Data Protection Bill, 2019, which was introduced in Parliament in 2019. A parliamentary committee reviewed that version and released its report in December 2021. The government then withdrew the bill and, in November 2022, floated a fresh draft for public consultation, the draft Digital Personal Data Protection Bill, 2022, which differed greatly from its predecessor. The 2023 Act takes the 2022 draft as its basis in the main, but incorporates new provisions relevant to the questions dealt with in this paper.
These drafts were all preceded by the landmark Supreme Court ruling in Justice K.S. Puttaswamy v. Union of India (2017), which recognized the right to privacy as part of the fundamental right to life and brought informational privacy within its purview. The judgment, however, neither defined informational privacy nor provided any mechanism for its protection.
The first government draft of the law, the Personal Data Protection Bill, 2019, introduced in December 2019, was comprehensive: it sought to establish a broad, economy-wide data protection framework overseen by a powerful regulator, the Data Protection Authority (DPA). This version put in place a preventive framework with many obligations for entities processing personal data. These requirements began with notice to and consent of individuals, secure and accurate storage of data, and use only for stated purposes. It also set conditions for deletion once the purpose of the data had been achieved, and gave consumers rights of access, erasure, and portability of data. Businesses would have had to implement security measures and transparency and apply “privacy by design.” The bill was also to establish mechanisms for redressal of grievances, and it proposed “consent managers”: intermediaries to obtain and manage consent on behalf of individuals.
The 2019 Bill presented a regime in which personal data was divided into different categories, with greater protection for “sensitive” and “critical” personal data. It classified certain businesses as “significant data fiduciaries” and imposed additional burdens on them, such as registration in India, data audits, and data impact assessments. It restricted cross-border flows for certain categories of data and gave the DPA powers to impose penalties for non-compliance. The bill went further and criminalized, among other acts, the de-anonymization of anonymized datasets.
The 2019 bill made some exceptions, freeing certain entities and businesses from notice and consent requirements under specific conditions. These exceptions covered the lawful functions of the state; medical and health emergencies; breakdown of public order; processing of data relating to an entity’s employees; prevention and detection of unlawful acts; whistle-blowing; and credit recovery, among others.
The bill also included a provision enabling the government to regulate non-personal data. It allowed the government to request certain non-personal data from private entities, with the government setting the terms and conditions for such requests. In sum, the 2019 Bill proposed a comprehensive, cross-sectoral data protection regime that imposed preventive obligations on businesses, termed “data fiduciaries,” and conferred rights on individuals, termed “data principals.”
The 2019 framework was largely in line with the 2018 draft bill prepared by the Srikrishna Committee. That committee, headed by retired Supreme Court Justice B.N. Srikrishna, was formed in July 2017 by the Ministry of Electronics & Information Technology to develop data protection norms. Its recommendations were influenced by major regulatory trends, especially the European Union’s GDPR. Although the preventive scheme of the bill was generally welcomed, its scope was a source of concern: it created heavy compliance demands that would fall on both large and small businesses, with a DPA possessing wide regulatory and supervisory powers. The novelty of such legislation and the absence of any lead time for its implementation carried the risk of over-regulation or under-regulation.
The DPDP Act, which came into being in 2023, draws from the Government of India’s November 2022 draft, which took a fundamentally different approach toward regulating data protection. The subsequent section will outline key provisions of the DPDP Act.
Data Protection Obligations
The PDPB requires that a data fiduciary process personal data in accordance with recognized principles of processing. More specifically, the Bill requires a data fiduciary to satisfy the following conditions:
- Process Data with Purpose: Process personal data only for a lawful and specific purpose, which is explicit and unambiguous.
- Principle of Fair and Private Processing: Personal data must be processed fairly, reasonably, and in a manner that ensures privacy, having regard to the purpose or purposes of processing and to the expectations of the data subject.
- Principle of Limitation of Collection: The collection of personal data shall be limited to what is necessary for the purpose for which it is processed.
- Provide Notice: The data fiduciary shall provide data principals notice about the collection and processing of their personal data, and other information such as the purpose of the processing, the identity of the data fiduciary, the period of retention, the rights of the data principals, and other ancillary information.
- Data Quality: The personal data should be complete, accurate, up-to-date, and not misleading.
- Limit Retention: Personal data shall not be retained for longer than the purpose of the processing and shall be deleted once the said processing is complete.
- Accountability: Accountability shall be ensured in respect of the requirements of the PDPB.
- Consent: Consent from the Data Principal regarding processing their personal data shall be obtained, which shall be free, informed, specific to the purpose, indicated unambiguously by affirmative action, and revocable at any time.
Analyzing the DPDP Act, 2023
This section analyses the Digital Personal Data Protection (DPDP) Act, 2023 from two standpoints. First, it describes the broad architecture of the law, its salient features, and the concerns it raises. Second, it situates the Act within the evolution of its previous drafts and the process of debate that led to its present form.
How Well Does the DPDP Act, 2023, Safeguard Privacy?
The DPDP Act is India’s first all-inclusive data privacy law. It makes consent from individuals compulsory before processing can take place, with only a few limited exceptions. The Act introduces the consumer’s rights to access, rectification, updating, and erasure of data, and the right of nomination. It also provides extra protection for any processing involving children’s data. The Act limits the uses a business may make of data, requires notice for the collection and processing of data, and requires the implementation of security measures. A business also has to establish mechanisms for grievance redressal, while complaints are disposed of and penalties imposed by the Data Protection Board of India (DPB).
Setting a statutory framework for data protection in India is considered a milestone, and the Act will set baseline standards for data handling practices in businesses for years to come. How well its protections work will vary considerably with how the government chooses to implement and enforce the Act, for instance whether enforcement falls mainly on data-intensive industries or is applied more broadly. However, a number of provisions in the Act raise concern that it may fall short in safeguarding privacy.
The first is that the Act’s exceptions to consent are heavily weighted in favour of the state and can easily place state interests above those of private persons. That may be justified, especially in emergencies, but the broad application of such exceptions undermines privacy protection. An example is Section 7(b), which allows the government to dispense with consent because a beneficiary has previously consented to another state benefit. This could lead to database aggregation, since it relieves government agencies of the obligation to erase personal data once its purpose has been served.
Similarly, Section 17(1)(c) exempts data processing related to law enforcement and national security, while Section 17(2)(a) gives government agencies dealing with matters of sovereignty, security, and public order a blanket exemption from the entire law. This creates a sphere of activity that no longer falls within the ambit of data privacy requirements, which is worrisome in light of the wide discretionary power afforded to the state.
Secondly, the government’s rule-making powers under the Act might also undermine the protection the Act confers. For example, Section 17 allows the government, within five years of the commencement of the Act, to exempt any undertaking or class of undertakings from all or any provisions of the Act, without indicating when this should be done or under what conditions. Although Section 17(3) already provides an exemption for startups and nascent industries, the broad exemptions under Section 17(5) can be used to sidetrack the aims of the Act.
This is similar to how Section 9(4) enables the government to exempt a business from obligations in respect of processing children’s data without laying out clear criteria or conditions on when such exemption may be allowed. This opens up doors to abuse and erodes the potential effectiveness of the law.
Third, there are a number of concerns regarding the design and functioning of the DPB. While the Board is an independent body with a narrow mandate and its members must possess specific qualifications, the Act neither specifies the number of members nor requires more than one legal expert. This is highly problematic given that the Board’s main tasks include imposing penalties and deciding on compliance.
In addition, the chairperson may assign functions and proceedings to the other Board members. Circumstances may arise in which the legal expert does not take part in significant proceedings, which may compromise the impartiality of decision-making. Another worrying issue is the ambiguous division between the role of the chairperson and that of the inquiring members.
It follows that, although the DPDP Act establishes data privacy protection in India for the first time, the Act cannot be truly effective until all its provisions are complied with and the discretionary powers in certain areas are properly checked. In essence, the effectiveness of the Act rests on its prudent implementation and on the government’s conformity to its letter and spirit.
Concerns
While the DPDP Act is hailed as a strong data protection law, the reality is quite different. It is flawed in that most of its provisions are still at the mercy of the Central Government. There are very genuine apprehensions about the possibility of unchecked and unwarranted rule-making, which could lead to uncertainty and gaps in the regulatory framework. It is also ironic that the same law that protects the rights of the individual places some responsibilities upon the individual.
Like the 2022 Bill, the DPDP Act gives exemption powers to the Central Government. The 2023 version, however, goes much further in granting blanket exemptions and offers no criterion to block unreasonable surveillance. It provides exemptions for a data fiduciary or class of data fiduciaries, including startups. For clarity, a startup is defined as “a private limited company, partnership firm, or limited liability partnership incorporated in India, recognized as such according to the criteria and process notified by the relevant department within the Central Government.” In the same vein, the 2022 Bill had provided that a data principal would be deemed to have given consent in certain cases and subject to certain requirements, with no ability to opt out. This has been retained in the DPDP Act under the new name “certain legitimate uses.”
Transition period: The Act would need to grant a transition period to make the changeover seamless for businesses. The new and strict requirements laid down by the DPDP Act may require far-reaching changes on the part of data fiduciaries.
Without transitional time, widespread non-compliance is bound to occur. A suitable transition period would give businesses sufficient time to bring their operations in line with the requirements of the Act, minimising possible disruptions and paving the way for a smooth transition into the new data protection regime.
Conclusion-
The DPDP Act is the culmination of at least five years of constant, heated debate and negotiation; it brings statutory personal data protection into Indian law for the very first time. It provides the essential architecture, but this framework will have to be redeveloped and rethought many times in practice over the next few years: on the brilliant groundwork the Act lays, much more will have to be built if there is to be real personal data protection. Whether the previous drafts of the bill would have provided much better privacy protection is not clear. However, the changes in the bill’s content do reflect a change in the government’s outlook on privacy. Compared with the earlier drafts, the present Act has a lesser impact on Indian businesses and is pragmatic and balanced.
For that matter, the Act itself is relatively modest and pragmatic, which in many ways is not a bad thing. In some instances, however, such pragmatism may come at the cost of strong privacy protection. Owing to the large amount of discretion accorded to the Central Government, much depends on how seriously the government takes the safeguarding of privacy. The DPDP Act is a symbol of India’s comprehensive approach to personal data protection, backed by intense debate and consultation. It addresses the urgent needs of a landscape characterized by burgeoning internet use, data generation, and international data flows. The DPDP Act represents India’s own take on data protection. It brings important changes to how Indian businesses handle privacy and personal data, but its provisions are not as wide-ranging as standards like the General Data Protection Regulation.
Criticism remains: some consider that the Act will stifle innovation because it is perceived as stringent, while others feel it may not do enough to protect individual privacy, particularly given the discretionary powers it grants to the Central Government. The much-anticipated rules and regulations, to be developed through further delegated legislation, will be critical in shaping how these challenges are addressed. As with the stakeholder consultation carried out for the recent amendments to the Information Technology Rules relating to online gaming, transparency and a defined process would go a long way in the release of these rules. This may yet result in a robust and effective data protection framework for India’s technology sector.
Footnotes-
- Justice K. S. Puttaswamy v. Union of India, (2017) 10 SCC 1.
- Section 2(1)(w), Information Technology Act, 2000.
- Section 37, Digital Personal Data Protection Act, 2023.
- Section 37(2), Digital Personal Data Protection Act, 2023.
- Section 2(n), Digital Personal Data Protection Act, 2023.
- Schedule 2, Digital Personal Data Protection Act, 2023.
- Section 16(1), Digital Personal Data Protection Act, 2023.
- Section 13, Digital Personal Data Protection Act, 2023.
- Section 6(1), Digital Personal Data Protection Act, 2023.
- Section 6(3), Digital Personal Data Protection Act, 2023.
- Section 6(7), Digital Personal Data Protection Act, 2023.
- Section 8(7), Digital Personal Data Protection Act, 2023.
- Clause 25(1), Digital Personal Data Protection Bill, 2022.
- Section 29(2), Digital Personal Data Protection Act, 2023.
- Schedule 5, Digital Personal Data Protection Act, 2023.