Why is Data so Valuable?

The Idea of the New Data Protection Law

Tushar Dhara*

The Digital Personal Data Protection Act, 2023 was passed in August. It was preceded by several years of debates and postponements, but the final draft was passed without much deliberation in Parliament. In just over a week, the final draft Bill breezed through the lower and upper Houses of Parliament and received Presidential assent. The Act (DPDP henceforth) provides a legal framework “for the processing of digital personal data”[i]. India is the last but one country in the G20 to pass a data protection law – which it did while holding the G20 presidency.

Why has data become so valuable? In the early 2000s Clive Humby, a British mathematician, coined the phrase “Data is the new oil”[ii]. The statement has proved to be amazingly prescient. Consider the following metric: In 2006, the Financial Times estimated the top ten companies in the world based on market capitalisation (M-cap). ExxonMobil, the American oil and gas giant, was ranked number one at $446 Billion. In all, there were three other fossil fuel companies in the top ten: British Petroleum, Royal Dutch Shell and Gazprom[iii]. In 2023 the top ten list is dominated by tech firms. Apple - valued at around $3 Trillion - leads the list, followed by Microsoft, Alphabet (formerly Google) and Amazon. Meta (formerly Facebook) clocks in at number eight with a capitalisation of $735 Billion. The only energy firm in the top ten today is Saudi Aramco. Markets see more value in companies that have vast pools of data rather than vast reservoirs of oil and gas.

According to an estimate by Forbes magazine, 3.7 billion people worldwide use the internet and produce 2.5 quintillion bytes of data every single day![iv] This estimate was made five years ago. A 2021 report by the Parliamentary committee on the Personal Data Protection Bill said that the size of the internet is 44 zettabytes (one zettabyte is a billion terabytes).[v] The report further notes that India generates 150 exabytes of data annually (an exabyte is a million trillion bytes). India - with an economy of around $3.75 trillion, over 700 million internet users and 600 million active smart phones - is one of the fastest growing data nations in the world.

The increasing digitalisation of life means that every person generates a data footprint that can be collated and used by an entity to create a 360-degree profile: An individual’s opinions through her social media posts, favourite cuisine via orders on food delivery apps, places visited from trip data, purchases on e-commerce sites like Amazon or Big Basket, financial data from payment apps, personal details like age, sex, mobile numbers and email ids from online forms, and likes from Google searches.

Data has thus become a vital new resource for building the next generation of businesses. By integrating discrete datasets and applying algorithms and machine learning, new insights can be derived. India already has multiple datasets, including Aadhaar, passport seva, open data stack (data.gov.in), the MCA21 data dump containing information on Indian corporates, goods and services tax network (GSTN), water resources information system (WRIS) housed within the Department of Water Resources, the Ministry of Rural Development’s DISHA and the Indian Space Research Organization’s Bhuvan[vi]. In addition, the government is pushing for a national digital public infrastructure under the moniker ‘India Stack’[vii]. India Stack is the collective name given to a set of open APIs that operate across identity, payments and data. Application Programming Interfaces - or APIs - are software tools that developers can use to build more complex apps. The bedrock of India Stack is a set of digital products centered around Aadhaar, including Aarogya Setu, Unified Payments Interface (UPI) and FASTag.

This burgeoning information economy needed a comprehensive law to protect and regulate personal data.

What are the Main Provisions in DPDP?

The DPDP law borrows from the EU’s GDPR approach when defining “personal data” and extends coverage to all entities which process personal data. The law also has significant extraterritorial application. The DPDP has narrowly defined lawful grounds for processing personal data, while at the same time establishing purpose limitation obligations. It also creates a set of rights for individuals whose personal data is processed, including rights to receive notice, access and erasure. Further, it establishes a supervisory authority called the Data Protection Board of India.

At the same time, DPDP provides significant exceptions to government bodies, especially law enforcement agencies. Other exemptions include publicly available personal data, processing for research and statistical purposes, and processing the personal data of foreigners by companies in India pursuant to a contract with a foreign company (such as outsourcing companies). The Act also empowers the union government to request access to any piece of information from a data processing entity or an intermediary.

The DPDP Act establishes a national framework for processing personal data, replacing the more limited IT Act[viii]. Only digital personal data - or regular personal data that has been subsequently digitised - is covered by the law. Digital personal data has been defined as any data that can be used to identify an individual. However, DPDP does not contain increased protection for sensitive data like biometrics, health information, sexual orientation or religious affiliation.

Some Broad Exceptions - Public and Private

The law also includes some broad exceptions for data activities that threaten the “sovereignty and integrity” of India, the security of the state, etc. Justice Srikrishna is critical of such exemptions[xi]. Some targeted exceptions also apply to companies, and are either well defined in the law or left to the government for specification. Under what can be called an “outsourcing exception,” the Act exempts companies based in India who process the personal data of people outside of India.

Almost No Restrictions on International Data Transfers

The definition of the “data principal” does not include any conditions related to residence or citizenship, meaning that fiduciaries based in India which process the personal data of foreigners within Indian territory may be covered by the Act. The Act also applies extraterritorially to processing of digital personal data outside India, if such processing is related to data principals within India. The DPDP does not currently restrict the transfer of personal data outside of India, unless the government specifically restricts transfers to certain countries (blacklisting).

Consent - the Primary Means for Processing Personal Data

Data fiduciaries need a lawful purpose to process personal data and this can be obtained either through consent by the data principal or for “legitimate use”. Based on the wording of the Act, fiduciary obligations to give notice and respond to access, correction and erasure requests are only applicable if the processing is based on consent.

The DPDP Act requires that consent for processing of personal data be “free, specific, informed, unconditional and unambiguous.” People whose personal data is processed must freely give their consent, without tying it to other conditions. In order to meet the “informed” criterion, the Act requires that notice be given to principals before or at the time that they are asked to give consent. The notice must include information about the personal data in question, the purpose for processing, the rights of data principals, and how to register a complaint to the Board.

Data principals must be given the option of receiving the information in English or a local language. The DPDP addresses the issue of legacy data, for which companies may have received consent prior to the enactment of the law. Fiduciaries have to provide a new notice to the data principals for the reuse of legacy data as soon as “reasonably practicable,” in which case the data processing may continue until consent is withdrawn. Data fiduciaries can process personal data for the specific purpose provided to the data principal, and must obtain separate consent to process old data for a new purpose.

Data Principals - Rights and Obligations

The DPDP Act provides data principals a set of enumerated rights, which is limited compared to GDPR-style legislation passed by the European Union. The DPDP guarantees the rights of access, erasure and correction. However, rights to data portability or objecting to processing based on grounds other than consent, and the right not to be subject to automated decision-making are missing. To compensate, DPDP provides for two other rights: grievance redressal and a right to appoint a nominee on behalf of the principal.

Section 15 of DPDP imposes duties on data principals, including an obligation to not impersonate or withhold information while providing personal data for government documents. Registering a false or frivolous grievance is punishable. Non-compliance can result in a fine.

Parental Consent for Processing Personal Data of Minors

DPDP creates significant obligations for processing children’s personal data, with “children” defined as people under 18 years. Data fiduciaries are forbidden from processing children’s data that is “likely to cause any detrimental effect on the well-being of the child”. Data fiduciaries need to obtain verifiable parental consent before proceeding with such data. Similarly, consent must be obtained from a lawful guardian before processing the data of a person with disability. The Act also prohibits data fiduciaries from tracking children, or targeting them with advertisements.

The Act Creates a Data Protection Board to Enforce the Law

The DPDP Act empowers the government to establish a Data Protection Board as an independent overseer. The Board will have a chairperson and government-appointed members. The Board has been vested with the power to receive and investigate complaints, after the principal has exhausted the grievance redress mechanism set up by fiduciaries. While the Board is granted “the same powers as are vested in a civil court”, the Act specifically excludes any access to civil courts in the application of its provisions, creating a de facto limitation on effective judicial remedy.

How Does The DPDP Act Affect Civil Society and Media?

Civil society, journalism bodies, opposition MPs and privacy rights organisations have raised several objections to the Act.

An analysis by the Internet Freedom Foundation finds that the legislation fails on key parameters of what a good privacy law should strive for[x]. The key principles of privacy are purpose limitation, data minimisation, accuracy and storage limitation. However, the DPDP Act compromises purpose limitation by stating that data can be processed without consent for “certain legitimate uses”. On data minimisation and storage limitation, the right to erasure is limited by the need to retain information for “compliance with any law for the time being in force” [Clause 12(3)] - which, when combined with various sectoral and other data retention requirements, may result in heavy dilution of this right. Clause 17(3) gives the government the ability to exempt a data fiduciary, including start-ups, from the requirement on completeness, accuracy and consistency of personal data.

Moreover, several Members of Parliament have raised concerns about the removal of terms like “privacy”, “harm”, and “compensation” in the DPDP Bill, 2023[xi]. MPs have also questioned why the right to be forgotten and the right to data portability were removed in the Act when they were part of the 2019 draft, and whether the data protection board will be independent. More seriously, there seems to be an absence of surveillance reform and a slew of fresh blocking powers that the Act hands to the government under Clause 37(1). Given the Pegasus spyware issue, the absence of checks on surveillance from a law that purportedly protects personal data raises questions about intent.

Concerns have also been raised by the journalists’ fraternity. The Editors Guild of India has expressed concern that the DPDP Act doesn’t provide exemptions for journalistic activities. In a statement[xii] it said that, “We are deeply concerned about the lack of exemptions for journalists from certain obligations of the law, where the reporting on certain entities in public interest may conflict with their right to personal data protection. This will lead to a chilling effect on journalistic activity in the country”. The Guild also noted that the Act doesn’t seem to contain any provisions for surveillance reform, and in fact widened the censorship powers vested in the government.

The Digipub News India Foundation, a body of digital media organisations, has expressed similar concerns. In a statement they noted that DPDP, 2023, could “potentially impinge on citizens’ and journalists’ rights to privacy, information, and freedom of expression.” Digipub has expressed concern about potential censorship and surveillance of journalists, and the lack of exemptions for journalistic activities.

The watering down of the Right to Information by the DPDP Act is a serious concern that has been flagged. Section 44 of the Act introduces amendments to other laws, ostensibly to protect privacy. Subsection 3 inserts the following line in Section 8 of the RTI Act: “information which relates to personal information”. Former Central Information Commissioner Sailesh Gandhi explains that this amendment would allow the government to decline any RTI requesting information relating to an individual. In a public petition, Gandhi has urged the Prime Minister to ensure that the change does not override or amend the RTI Act[xiii].

Endnotes

  • [i] The Digital Personal Data Protection Act, 2023
  • [ii] Viernes, F. A. (2021, September 14). Stop Saying ‘Data is the New Oil’. Geek Culture, Medium. Retrieved August 16, 2023, from https://bit.ly/48Lg4xj
  • [iii] Wikipedia. (n.d.). List of public corporations by market capitalization. Wikipedia. Retrieved August 18, 2023, from https://bit.ly/45AralH
  • [iv] Marr, B. (2019, March 9). How Much Data Do We Create Every Day? Forbes. Retrieved August 19, 2023, from https://bit.ly/46ynySH
  • [v] Lok Sabha Secretariat. (2021, December). Report of the Joint Committee on the Personal Data Protection Bill, 2019. Seventeenth Lok Sabha. Parliament Digital Library. Retrieved August 18, 2023, from https://bit.ly/46PNCZd
  • [vi] ibid.
  • [vii] Pandey, J. (2019, March 9). India Stack: Public-Private Roads to Data Sovereignty. Internet Governance. Retrieved August 16, 2023, from https://bit.ly/3SfxcFJ
  • [viii] Supra Note i
  • [ix] Saigal, S. (2019, March 9). Data Protection Bill | Granting government exemption causes great concern, says Justice Srikrishna. The Hindu. Retrieved August 19, 2023, from https://bit.ly/3LZanSs
  • [x] Internet Freedom Foundation. (2023, August 9). DPDPB, 2023 in the Parliament: Dialogue, Drama, and Discord. Internet Freedom Foundation. Retrieved August 13, 2023, from https://bit.ly/48SymN1
  • [xi] Supra note xxii
  • [xii] Editors Guild of India. (2023, August 6). EGI statement on Digital Personal Data Protection Bill, 2023. Editors Guild of India. Retrieved September 16, 2023, from https://bit.ly/3RZzecU
  • [xiii] Gandhi, S. (2023, August 7). Save RTI : Citizen’s Empowerment. Change.org. Retrieved September 16, 2023, from https://bit.ly/3Qf0dj3

July-September, 2023