What About Accountability?

Unfulfilled Expectations from the DPDP Act, 2023

Swapna Jha*

On August 24, 2017 the Supreme Court of India gave a ruling that laid the foundation for ‘Right to Privacy’ jurisprudence in the country. In KS Puttaswamy v Union of India the court held that the right to privacy is a fundamental right under Article 21 of the Constitution of India, thus recognising privacy as intrinsic to the right to life and liberty. The ruling of the nine-judge bench set the stage for the government to enact a dedicated statute for the protection and regulation of personal data.

A Timeline from PDPB to DPB to DPDP

A month before the judgment, the Ministry of Electronics and Information Technology (MeitY) had constituted an expert committee under the chairmanship of Justice B.N. Srikrishna to examine issues related to data protection. In July 2018, the committee released a 176-page report which, among other things, contained the first draft of a data protection law. The Personal Data Protection Bill, 2018 (PDPB, 2018) proposed compliance obligations covering all forms of personal data. While broadening the rights given to individuals and proposing data localisation for certain forms of sensitive data, it also imposed substantial financial penalties for non-compliance. Further, the Bill proposed the creation of an independent regulator, the Data Protection Authority, to enforce the legal framework.

The government revised the Srikrishna draft and introduced it in the Lok Sabha as the Personal Data Protection Bill, 2019 (PDPB, 2019). In December of that year the Bill was sent to a Joint Parliamentary Committee (JPC) for review by members of both houses.

The JPC submitted its report in December 2021, along with a new iteration of the Bill, the Data Protection Bill, 2021 (DPB, 2021). However, in August 2022 the government withdrew the Bill, citing the “extensive changes” that the JPC had made to the 2019 Bill. In November 2022 MeitY released yet another version, the Digital Personal Data Protection Bill, 2022 (DPDP, 2022), and sought comments from the public.

In 2023, after years of iterations and an alphabet soup of shorthand, India finally has its data protection law, the Digital Personal Data Protection Act, 2023 (henceforth the Act), which received the assent of the President on August 11, 2023.


Oh, those Exemptions

The wide powers given to data fiduciaries, however, need to be critically analysed. Section 7 of the Act allows a fiduciary to process personal data for “certain legitimate uses” without consent. This is the second lawful route for processing, in addition to consent voluntarily given by the data principal. A close reading suggests that the section narrows the consent requirement by carving out “certain legitimate uses”, which include the use of personal data for specified purposes by the state and any of its agencies, as well as the processing that Section 17 exempts from the Act’s requirements.

Section 17, however, exempts the state and its agencies from some of the Act’s provisions when they process personal data. Some of these exemptions are vague and arbitrary. For instance, processing “in the interests of sovereignty and integrity of India, security of the state, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognisable offence relating to any of these, and the processing by the central government of any personal data that such instrumentality may furnish to it”. Further, “The central government may, before expiry of five years from the date of commencement of this Act, by notification, declare that any provision of this Act shall not apply to such Data Fiduciary or classes of Data Fiduciaries for such period as may be specified in the notification.”


The Act also exempts from its scope the processing, by an entity in India, of the personal data of principals located outside the territory of India, where that processing is carried out under a contract with a person outside India.

Moreover, the government has been given the power to exempt some fiduciaries, including startups, from certain provisions of the Act, based on the volume and nature of the personal data they process. Most arbitrary is the power given to the government to exempt notified state entities from the Act entirely in the interests of the sovereignty and integrity of India, security of the state, friendly relations with foreign states, and maintenance of public order.

The union and state governments will be among the largest data fiduciaries, since they hold the personal data of 1.4 billion citizens. The loopholes that grant exemptions to government agencies give the state unfettered power over data without the necessary safeguards in place [1]. Moreover, the legal text outlining the exceptions is vague and broadly framed.

Blanket exemptions should instead have been replaced with purpose-specific exemptions, which would avoid arbitrariness. A blanket exemption gives unregulated powers to the government, which may adversely affect the privacy of citizens and lead to the creation of a “mass surveillance state”. While the Act allows the state to process personal data without the data principal’s consent for the purpose of providing subsidies and benefits, it does not impose purpose limitation, that is, the requirement that data be used only for the specified purpose. This provision is open to misuse by the state or its agencies. The Act has also, unfortunately, removed the public interest exception to the disclosure of personal information under the Right to Information Act, thereby diluting accountability and transparency in the functioning of government officials.

Section 9 of the Act provides protection for children’s data, but sub-section 9(4) allows the government to exempt fiduciaries from the general restrictions on processing children’s personal data, subject to some conditions. Similarly, sub-section 9(5) allows the government to dispense with the requirement of parental consent for processing the personal data of specific age groups of children.

Section 37 of the Act allows the government, on a reference from the Data Protection Board, to block public access to certain fiduciaries. This could potentially enable the government to completely shut down a service provider in India. The Board can recommend blocking if a fiduciary has been penalised in two or more instances and the Board considers blocking necessary in the “interests of the general public”. A moot point, however, is that content blocking, which is becoming almost the norm in India, may not necessarily be in the public interest.

While the basic structure of the law is similar to the European Union’s General Data Protection Regulation (GDPR), India’s approach has the distinction of shielding the biggest fiduciary, i.e. the state, from data transparency and accountability. The DPDP Act, 2023 regulates a narrower range of data processing because it grants wide exemptions to government agencies, and it hands regulatory powers to the government. Furthermore, there are no special provisions for processing or protecting sensitive personal data, and the government has the power to call for information from fiduciaries, the Board and intermediaries.

The omission of critical elements, such as a definition of “reasonable security safeguards” (which the Act requires fiduciaries to implement but never defines) and any provision for compensation to affected data principals, indicates the failure of the legislature to create a comprehensive law that makes citizens’ privacy its cornerstone.

The right to privacy imposes on the state a duty to protect the privacy of the individual. Failure to do so should incur a corresponding liability on the state. The right to life and individual liberty are inalienable to human existence and not a matter of largesse granted by the state. That is why it is imperative to acknowledge that the right to privacy is a fundamental right. Any violation of this right by the state must pass the test of being fair, just and reasonable under Article 21 and, equally, must satisfy the test laid down in the Puttaswamy judgment. It is here that India’s DPDP Act, 2023 may fall short of its stated purpose and may also fail to ensure that the state does not infringe the right to privacy guaranteed by the Constitution.

European Union’s GDPR vis-à-vis DPDPA

The GDPR is a comprehensive data privacy law that sets out rules for the collection, processing, storage, and transfer of personal data. It is one of the most significant data protection laws in the world and has set the tone for other countries to follow. The GDPR applies to organisations established in the EU and, regardless of where they are located, to organisations that offer goods or services to, or monitor the behaviour of, individuals in the EU. It seeks to protect the privacy rights of individuals and to ensure that their personal data is processed in a transparent and secure manner. It has applied since May 25, 2018.

Unlike the DPDPA, the GDPR grants no standalone entitlement to process personal data for “legitimate uses”: every processing operation must rest on one of its enumerated lawful bases, and the “legitimate interests” basis is itself subject to a balancing test against the rights and freedoms of the natural persons concerned.

The GDPR classifies personal data into two categories :

  • regular personal data and
  • special categories of personal data.

The latter category includes personal data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, genetic or biometric data processed for the purpose of identification, sex life, and sexual orientation. Special categories of personal data are subject to distinct compliance requirements, especially the legal basis that can be adopted for the processing of such personal data.

On the other hand, the DPDPA applies uniformly to all digital personal data without further categorising it as sensitive or critical. Given that there is no such classification, there is no statutory requirement to implement separate compliance standards for different kinds of personal data collected.

The GDPR does not distinguish between classes of data controllers while prescribing compliances and obligations. However, the DPDPA intends to classify certain data fiduciaries as ‘significant data fiduciaries’ with increased compliance obligations, such as the appointment of a data protection officer responsible for grievance redressal, the appointment of an independent data auditor, conducting Data Protection Impact Assessments and such other compliances as may be prescribed. The classification will be based on factors like the volume and sensitivity of personal data collected, the risk of harm to data principals, the potential impact on India’s sovereignty and integrity, etc. Further, the DPDPA empowers the government to notify certain data fiduciaries or class of data fiduciaries to whom compliances will not apply regarding consent obligations, the obligation to ensure accuracy of personal data collected, data retention obligations, enhanced compliances while collecting children’s personal data, and the obligation to give effect to data principal’s requests in relation to their personal data.

Both the GDPR and the DPDPA recognise consent of individuals as one of the legal bases for processing personal data. However, the DPDPA has introduced the novel concept of ‘consent managers’. Consent managers are data fiduciaries who may, on behalf of the data principals, collect and manage consent provided by them. Consent managers will enable data principals to give, manage, review, and withdraw their consent through an accessible, transparent, and interoperable platform. Every consent manager will be required to be registered with the Data Protection Board (‘the Board’) in such manner and subject to such technical, operational, financial, and other conditions as may be prescribed.

Unlike the GDPR, the DPDPA does not provide the right of data portability in favour of data principals. While such a right was incorporated in the Personal Data Protection Bill, 2019, it has not been incorporated in the final DPDPA.

The DPDPA sets out certain duties for data principals. Pursuant to the same, data principals have been directed to refrain from instituting any false or frivolous complaints or grievances against data fiduciaries. They have also been directed to submit verifiably authentic information. Any non-compliance with these duties will attract imposition of financial penalties. On the other hand, there is no such corresponding provision under the GDPR.

While the GDPR and the DPDPA have a lot in common, the approach and means taken by both legislations are different, as outlined above. The GDPR is, comparatively, more prescriptive whereas the DPDPA appears to tilt the balance in favour of the state and its agencies as it lays down certain fundamental ideas and leaves many implementation-related aspects to subordinate legislations, rules, and regulations to follow.

Endnotes

  1. Chandran, R. (2022, January 19). In India’s surveillance hotspot, facial recognition taken to court. Context News. Retrieved September 12, 2023, from https://bit.ly/3RVtMrd


July-September, 2023