This article is written by Anshika Sah and Isha Aggarwal, 2nd Year Students at Dr. Ram Manohar Lohiya National Law University.
The 2017 ruling in the case of Justice K. S. Puttaswamy v. Union of India played a pivotal role in shaping India’s privacy landscape. Given the rapid evolution of the digital sphere and the escalating concerns surrounding data privacy and individual rights, the Indian parliament responded by introducing the Digital Personal Data Protection (DPDP) Act, 2023. This Act is a part of the larger scheme of the ‘Digital India Vision’ of the Government of India.
At its core, the legislation regulates the processing of digital personal data while seeking to balance individuals' right to safeguard their personal information against the legitimate need to process such data. To that end, the Act imposes specific obligations on data fiduciaries, sets out the rights and duties of data principals, and introduces provisions governing the cross-border transfer of personal data.
While the Act certainly has its merits, it is not devoid of shortcomings. Some of these are:
- The Act grants extensive discretionary authority to the government:
A plain reading of the Act shows that broad and largely unchecked discretionary powers have been conferred on the government. Firstly, the Act contains several provisions exempting the government and its instrumentalities, certain classes of data fiduciaries, and startups from its obligations. Spread throughout the Act, these exemptions could facilitate unchecked mass surveillance, which is violative of the right to privacy. For instance, the exemption in Section 17(1)(c) covers processing of personal data for the prevention, detection, investigation or prosecution of offences, potentially opening the door to practices such as predictive policing and mass surveillance.
Secondly, the compromised autonomy of the Data Protection Board is a noteworthy concern, because the appointment of the Chairperson and Members of the Board, the specification of their terms of service, and other such matters are vested in the Central Government. The Board's independence is paramount to the impartial enforcement of data protection obligations. Consider a scenario in which the Board is tasked with investigating the misuse of personal data by a government entity: a conflict of interest emerges, since the government appoints the Board, regulates it, and determines its members' terms. This effectively places the government in the roles of judge and enforcer in matters involving its own compliance, and could lead to leniency in cases involving penalties, privacy violations or government misconduct. It is therefore crucial that the Board operates as an autonomous regulator rather than an instrument of the government.
Thirdly, Section 37 empowers the Central Government, on the Board's advice and after the Board has imposed monetary penalties on a Data Fiduciary in two or more instances, to direct the blocking of public access to information generated or hosted by that fiduciary. This provision is arguably redundant, given that the government already holds such power under Section 69A of the IT Act, 2000. It also lacks essential procedural safeguards, which raises the risk of bureaucratic overreach capable of disrupting online businesses. Furthermore, a power to block access to content stretches beyond the stated intent and objectives of a data protection statute.
Fourthly, under Section 16(1), the Central Government may by notification restrict the transfer of personal data by Data Fiduciaries to any country or territory outside India. The Act lays down no standard for deciding which countries are to be so 'blacklisted'. By contrast, the GDPR (one of the model comprehensive data protection laws in this respect) permits transfers only to countries that ensure an adequate level of data protection, or where appropriate safeguards are in place.
Fifthly, the Act widens the grounds on which the government may withhold personal information sought under the RTI Act, 2005. Section 44(3) of the Act substitutes Section 8(1)(j) of the RTI Act with a blanket exemption for 'information which relates to personal information'. The earlier Section 8(1)(j) allowed such information to be disclosed where the larger public interest justified it; that public-interest override is now gone. This poses a risk to public access to vital information and has profound implications for transparency and accountability, potentially fostering secrecy and undermining citizens' ability to hold authorities responsible.
- The language of the Act is ambiguous and vague:
Several sections of the Act use ambiguous language, creating room for companies, the government and other stakeholders to exploit these ambiguities. For instance, Section 36 empowers the Central Government to require the Board, any Data Fiduciary or any intermediary to furnish such information as it may call for, "for the purposes of this Act." This phrase is vague and unelaborated, and needlessly expands the scope of the legislation. Clarity must be introduced into the language of the Act to keep its scope focused.
Similarly, the phrase "as may be prescribed" appears repeatedly throughout the Act. This leaves room for excessive delegated legislation, placing over-reliance on rules and notifications framed later by the executive. Rules framed in the future will not undergo the same Parliamentary scrutiny as the Act itself, and in the absence of clear legislative standards they risk becoming arbitrary or exceeding the intent and scope of the parent legislation.
- Challenges and ambiguities in Children’s Data Protection:
An additional concern arises from the Act's definition of a child as any individual below the age of 18. Under Section 9(1), a Data Fiduciary must obtain verifiable parental consent before processing a child's personal data, which in practice requires age verification. This is difficult to implement given the extensive digital footprint of individuals in this age group, and it raises issues of feasibility as well as of teenagers' autonomy. A strict age-based definition might also impose unnecessary compliance burdens. To address these concerns, a more flexible approach is advisable, with differentiated criteria for data processing and consent based on maturity, so as to balance protection against teenagers' rights to digital access and autonomy.
- Provides a free pass for scraping of publicly shared personal data:
There is also concern about the exclusion of voluntarily shared personal data from the purview of the DPDP Act, 2023. Under Section 3(c)(ii), personal data that the Data Principal has made publicly available, or that any other person has made publicly available under a legal obligation, falls outside the Act. For instance, if someone shares personal information on social media, that information is outside the scope of the Act. Since no consent is required for its further processing, this raises concerns about the potential misuse of such data by companies for purposes like AI training. Furthermore, the language of Section 3(c)(i), which excludes processing by an individual for "any personal or domestic purpose", is ambiguous, creating uncertainty about its scope.
The Act has thus deviated from its stated objective of balancing data protection and data processing, and now clearly favours the latter. These exclusions ought to take into account the low level of digital literacy in India, particularly the limited awareness of the consequences of making data public. The Act should therefore lay down clear guidelines on when and how such data may be processed, so that companies cannot exploit the absence of a consent requirement. Terms such as 'any other person' should be defined precisely to avoid overreach, and a consent mechanism for the processing of such data should eventually be introduced.
- Compensation to the victim:
Another significant concern is the absence of any provision to compensate the victims of personal data breaches. Under the Schedule to the Act, the Data Protection Board may impose penalties of up to Rs. 250 crore on entities that fail to take reasonable security safeguards to prevent a breach, but these penalties are credited to the Consolidated Fund of India. This runs contrary to the principle of restorative justice, which focuses on repairing the harm caused to individuals and communities rather than solely punishing offenders. The omission removes an essential avenue for users to seek compensation, leaving them without a means of restitution for their losses.
- No categorisation of personal data:
The sensitivity of digital personal data varies significantly: health records, biometrics and financial data, for example, are sensitive personal data and require heightened protection when processed and stored. Earlier drafts of the legislation distinguished between personal data and sensitive personal data, but the enacted version lacks this crucial distinction. This departure from the earlier drafts, and from the existing regulatory framework under the SPDI Rules, 2011, gives rise to legitimate concerns about the efficacy of the Act's protections, particularly for sensitive data.
The Way Forward
Considering the rapidly evolving digital sphere, there is a pressing need for a robust and systematic data protection framework. The Act in its current form, however, raises certain red flags that undermine its intended purpose. What is needed is legislation drafted in precise and unambiguous language, leaving no room for vague phrases like 'as may be prescribed' or 'for the purposes of this Act.' It is also essential to rein in the overarching powers that the Act reserves to the government through rules to be notified later, as these can foster unchecked surveillance and encroach upon the fundamental right to privacy.
Although the Act establishes a body to oversee its implementation, that body's independence is not as absolute as the Act suggests: the wide-ranging powers conferred on the government call its autonomy into question. To address these issues, clear standards must be laid down for the composition of the Board, the exemptions granted to entities, the protection of publicly available data, and similar matters, so as to leave no scope for uncertainty. The Act must also incorporate a compensation mechanism that gives victims of data breaches restitution for their losses.
Thus, the consequence of the Puttaswamy judgement is that the onus lies on the government to preserve the fundamental right to privacy by making the Act self-sufficient. The Act must align with global data protection standards if India is to be positioned prominently on the international stage in matters of data security and privacy.