This piece has been authored by Aishwarya, 4th year BBA LLB student, KIIT School of Law, Bhubaneswar
“Have you ever visited a fancy showroom where the sales executives ask for your number before e-billing?” Of course, most of us have experienced this: we are asked to provide our details before the final bill is handed over. But what if that information gets leaked? What if our numbers get circulated or misused by a third party? What legal safety mechanisms are available in these scenarios? These are some of the questions that come to mind when we think about the mechanisms available for safeguarding our personal data.
The rise of the Internet in this growing digital economy has turned consumers’ data, such as their names, ages, places of residence and Aadhaar details, into essential information, and the chances of misuse and fraud have also increased at a faster pace. The concern for privacy preservation, which emerged as a focal point in the landmark case of Justice K.S. Puttaswamy vs Union of India, ensures that individuals have full authority and control over their personal data, safeguarding their privacy rights. After this landmark judgment, several efforts have been made to introduce comprehensive legislation that can safeguard an individual’s personal information from cyber attacks, fraud, threats and misuse. One such effort was the expert committee headed by Justice B.N. Srikrishna, formed on 31st July, 2017, which recommended strengthening privacy laws by introducing the Draft Data Protection Bill. However, after deliberations and discussions for almost 5 years, Parliament finally came up with the final draft of The Digital Personal Data Protection Bill, 2023, which has recently been approved by both houses of Parliament to become an Act, “The Digital Personal Data Protection Act, 2023”.
Salient Features of the Act
Under the new Act, some important terms have been introduced. As provided under section 2(j) of the Act, “Data Principal” refers to the individual who generates the data. As per section 2(i), “Data Fiduciary” refers to an individual or entity that will store or process the data generated by the Data Principal. “Data Sovereignty”[i] means that issues about the data will be dealt with by the laws of only those jurisdictions where the data has been generated, and “Data Localization”[ii] means that international MNCs will store the data generated in India on servers that remain in India; such data cannot be stored on international servers.
Application of the Act: The Digital Personal Data Protection Act, 2023 applies to personal data collected in India in digital form, or collected offline and converted into digital form thereafter. The Act also applies to personal data collected outside India, provided that data is collected to offer goods and services within India. However, the Act does not apply to personal data where the data is processed by an individual for domestic use and where it is made, or caused to be made, publicly available by the Data Principal or by any other person under an obligation (under any law in force in India for the time being) to make such personal data available to the public.
The importance of ‘Consent’: As per section 5 of the Act, a notice has to be given to the Data Principal by the Data Fiduciary before obtaining consent. As per section 6, such consent has to be free, unambiguous, specific, informed and unconditional, with a bona fide intention, and as per section 7 of the Act, consent is not required for ‘legitimate uses’. The term ‘legitimate uses’ inter alia includes: (i) a specified purpose for which the data has been provided voluntarily by an individual who has not indicated that the consent is absent; (ii) providing benefits to the Data Principal by way of subsidy, certificate, licence or permit; (iii) the interest of the sovereignty and integrity of the state; (iv) compliance with any judgment or decree; (v) responding to any medical emergency or sudden outbreak; and (vi) employment purposes.
Obligations of the Data Fiduciary: The obligations of the Data Fiduciary are set out u/s 8, 9 and 10 of the Act. The Data Fiduciary must process the data only after obtaining due consent from the Data Principal or for certain legitimate uses. It also has to adopt safety measures to prevent a breach of personal data and, in case a breach takes place, it has to inform the Board and the concerned Data Principal in the manner prescribed. As per section 9 of the Act, the Data Fiduciary has to obtain the consent of the parents of the disabled child before processing any personal data.
Rights &amp; Duties of the Data Principal: The rights and duties of the Data Principal are dealt with u/s 12 to 14, where the Data Principal has the right to (i) correction, completion, updating and erasure of personal data; (ii) a readily available means of grievance redressal; and (iii) nominate a person who will act on his behalf in the event of death or any unavoidable circumstances. His duties include not impersonating another person while providing personal data, complying with the provisions of the applicable laws, and ensuring that he/she does not register any false or frivolous complaints, etc.
Data Protection Board of India: The Data Protection Board of India is treated as a civil court having original jurisdiction to entertain such matters, and u/s 39 any other civil court is barred from entertaining any suit or proceeding in which the Board has the power to adjudicate. The Board will consist of a Chairperson and such other members as the Central Government may notify, and it will exercise the powers and perform the functions laid down u/s 27 and 28 of the Act, which include imposing penalties, inquiring into breaches and complaints, giving urgent directions in case of a breach of personal data, and many more. If any individual is not satisfied with the decision of the Board, he may prefer an appeal u/s 29 to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) within 60 days from the date of receipt of the Board’s decision. If he is dissatisfied with the order of the TDSAT, he can further appeal before the Hon’ble Supreme Court u/s 18 of the Telecom Regulatory Authority of India (TRAI) Act.
Some Positive Aspects of the Act
The major highlight of the Act is the quantum of penalties to be imposed for various offences and breaches, where the amount of the penalty extends from 200 to 250 crore as provided in the Schedule. With this new Act, companies and businesses dealing in personal data will have to develop an SOP (Standard Operating Procedure) and adopt training procedures to comply with the provisions of the Act, ensuring the protection of their customers’ personal data. The Digital Personal Data Protection Act, 2023 aims to create a thorough national structure for handling personal data, replacing the existing limited data protection framework under the IT Act, where the current rules offer basic protections only for specific categories such as ‘sensitive’ personal data[iii] like sexual orientation and health data. Moreover, the Act can attract innovation by encouraging businesses to invest in technologies in our country that comply with the data protection standards, thereby promoting economic growth.
Major Concerns and Pitfalls
- Misuse of Power by the Superior Authority: The Central Government will be the key enforcer of the law, and the Centre’s power to appoint members of the Data Protection Board could influence the Board. The provisions of the Act also allow the Central Government to bypass the norms requiring citizen consent, which may lead to a violation of the fundamental right to privacy. The Act further empowers the Central Government u/s 17 to grant exemptions from any of its provisions in the interest of the security of the state and where necessary for maintaining public order. Using these exemptions, a government agency may collect an individual’s data to any extent in the name of surveillance.
- Threat to the Right to Privacy: The Act tends to upset the delicate balance between privacy and the right to information, through the amendment to section 8(1)(j) of the Right to Information Act, 2005 made by section 44(3) of the Act. As per the exemptions so provided, Public Information Officers (PIOs) can now reject RTI applications by claiming that the requested information pertains to personal data, potentially expanding their authority.
- Cross-Border Transfers: What about the cross-border transfer of data? Does the Act provide adequate safety mechanisms for its prevention? The Act provides u/s 16 that the Central Government may, by notification, restrict the transfer of personal data to other territories or countries, but the provision fails to provide any explicit restriction on the transfer of data. In the absence of an adequate protection mechanism, this may lead to unauthorized sharing of personal data with foreign governments.
- Processing of Children’s Personal Data: The Act requires all Data Fiduciaries u/s 9 to obtain verifiable consent from a parent before processing the personal data of a child, but the main question is how these entities will verify the age of children and obtain the consent of their parents. The provision is silent on the process or manner of doing so.
- Ambiguous Language: Another drawback of the Act is the vagueness of the language of some of its provisions, where the meaning is not clear, which can cause ambiguity and result in misinterpretation of those provisions. Moreover, the absence of grounds like “contractual necessity” and “legitimate interests” u/s 7 of the Act, unlike in General Data Protection Regulation (GDPR) style protection laws, means private entities have fewer options for processing personal data without consent, even for routine or essential purposes.
The Act presents India’s unique stance on modern data protection, addressing certain industry requirements such as cross-border data transfers, but it overlooks essential aspects such as mandatory stakeholder consultations for government-framed rules. While it introduces significant changes, the Act lacks a detailed explanation of the methods and processes by which its purpose will be achieved or its tasks executed. The extensive exemptions granted to the Centre and its agencies in utilizing personal data also raise concerns regarding violation of the right to privacy. However, we need to wait for the Courts to interpret the wider provisions of the Act before deciding whether the Act has been able to achieve its intended purpose.
[i] Deepak Thakur, ‘Data Sovereignty: Here’s How Critical it is for India’s Digital Roadmap’ (ETCIO, India, 10 October 2022)
[ii] Dan Svantesson, ‘Data Localisation Trends and Challenges: Considerations for the Review of the Privacy Guidelines’ (OECD Digital Economy Papers No. 301, OECD Publishing, Paris, 2020) https://doi.org/10.1787/7fbaed62-en
[iii] Luke Irwin, ‘The GDPR: What is Sensitive Personal Data?’ (IT Governance European Blog, 3 December 2020) <https://www.itgovernance.eu/blog/en/the-gdpr-what-is-sensitive-personal-data> accessed 3 November 2023