Navigating India’s Digital Personal Data Protection Act 2023

Agastya Kaushik

ILS Law College

This blog is written by Agastya Kaushik, a first-year law student of ILS Law College.

Introduction:

India is one of the biggest internet users in the world, and today the world is more connected than ever. Consequently, personal data has emerged as one of the most valuable commodities, and so there is a need to protect individual privacy and prevent misuse of personal information. In the landmark judgment Justice K.S. Puttaswamy v. Union of India (2017), the Supreme Court of India recognized the right to privacy as a fundamental right under Article 21 of the Constitution. It was a defining moment, as it laid the foundation for data protection and privacy laws in India. The Digital Personal Data Protection Act was passed in August 2023; its passing had long been awaited, with many previous data protection bills failing to make it through Parliament. The act tries to balance individual rights and the need to process data legally. Before this, India did not have comprehensive privacy laws. The DPDP follows India’s Personal Data Protection Bill (PDPB) 2022, which shared provisions with the European Union’s General Data Protection Regulation; however, after much debate and criticism, the act was withdrawn. The act brings a shift and represents both a challenge and an opportunity for organizations, particularly those involved in collecting and processing customer data. Let us take a closer look at the bill and its key principles.

Special Provisions of the Digital Personal Data Protection Act 2023:

The act strengthens the rights of individuals, or “Data Principals” as defined under Section 2, sub-clause (j), by introducing the concept of “Consent Withdrawal”, through which consent to provide access to data can be withdrawn at any time. Organizations must be prepared to carry out these changes effectively, allowing individuals to maintain control over their data. Moreover, the Act ensures that only those consents will be considered valid which are freely given, specific, well informed, and not ambiguous. It forces companies to establish well-managed consent management systems and prevents them from obtaining consent for data processing through vague terminology. Additionally, individuals, or Data Principals, have been given the right to know how their data is being processed, the ability to correct or delete their data, and certain mechanisms to address their concerns through grievance redressal.

The act introduces special provisions for the processing of children’s data under Section 9 of the Act. Organizations must ensure that the consent of parents is taken in case an individual is below the age of 18. The act also restricts data use, prohibiting tracking or behavioral monitoring of children’s data, and prevents companies from exploiting children’s online behavior and subjecting them to risks. The provision also ensures that data collected from children is safeguarded with adequate protection measures.

Another provision introduces additional obligations for entities classified as “Significant Data Fiduciaries,” as mentioned under Section 10, which includes the appointment of a data protection officer responsible for oversight and compliance, conducting data protection impact assessments, and regular data audits, among others.

Some Critical Drawbacks:

The Personal Data Protection Bill (PDPB) 2022 defined “sensitive personal data” and “personal data” separately, but this distinction is missing in the present Act, where “personal information” is used as a common term for both. Sensitive personal data could be any data that could make an individual more susceptible to discrimination and abuse, for example religion, place of birth, sex, caste, etc. Categorizing data in such a manner could have been fruitful, as such sensitive data would be given additional protection measures, which would safeguard marginalized and vulnerable groups.

Section 17 of the Digital Personal Data Protection Act 2023 has raised significant concerns about potential misuse. It grants the government the power to process data without consent in certain exceptional cases, such as national security. However, these exceptions are vaguely defined, leaving room for misuse by the government. In comparison, the General Data Protection Regulation in the European Union allows exemptions in cases of national security, but with well-defined limitations and strictness. Additionally, once the government declares that certain conditions fall under these exemptions, there is no external body that can question or review the decision. Furthermore, there is a lack of transparency, meaning vast amounts of data could be processed in the name of national security, potentially resulting in state surveillance.

Concerns about the independence of “The Data Protection Board of India” are also a matter to investigate, as the appointments to the board are made directly by the government. The Act is limited in scope, and the need to raise awareness and educate the masses about data protection is not addressed, something the government may need to focus on in the future.

Conclusion:

The Digital Personal Data Protection Act is a significant step forward in protecting personal data, introducing various safeguards. However, there are critical drawbacks in the act: Section 17, which raises concern about state surveillance, the absence of a provision for sensitive personal data, and the absence of judicial oversight are areas of concern that need to be addressed shortly. Despite these issues, the Act provides a strong foundation for data protection in India, with hopes that it will evolve shortly. Bringing in clearer definitions, judicial oversight, and a category of sensitive personal data could improve the act and bring about the right balance between privacy and state needs. Thus, both refinement and implementation of the Act are necessary for it to serve its purpose.

Reference:

[1] The Digital Personal Data Protection Act, 2023

[2] The European Union’s General Data Protection Regulations, 2016

[3] Observer Research Foundation article on The Draft Digital Personal Data Protection Bill 2022: https://www.orfonline.org/research/the-draft-digital-personal-data-protection-bill-2022-recommendations-to-the-ministry-of-electronics-and-information-technology visited on 5/7/2024

[4] Justice K.S. Puttaswamy (Retd) and Anr v Union of India and Ors (2017) 10 SCC 1 (India).

[5] Ministry of Statistics and Programme Implementation, ‘Data Privacy’ (Press Information Bureau, 24 July 2024) https://pib.gov.in/PressReleaseIframePage.aspx?PRID=2036287 visited on 5/7/2024

[6] Ministry of Electronics and IT, ‘Salient Features of the Digital Personal Data Protection Bill, 2023’ (Press Information Bureau, 9 August 2023) https://pib.gov.in/PressReleasePage.aspx?PRID=1947264 visited on 5/7/2024