The Digital Personal Data Protection Act, 2023: Assessing And Navigating The Impact Of The Recent Legislation
On August 3rd 2023, when the Bill was passed it was intended to cover the
processing of digital personal data that is collected in India, whether it is
done so online or off. If the processing is being done to offer goods or
services in India, it also applies to processing done outside of India. This
legislation has the intention to give importance to one's consent as it states
that only with the subject's consent and for legitimate purposes may personal
data be handled.
But this legislation also creates certain exceptions for certain lawful
purposes, such as the processing by the State in order to process applications
for permits, licenses, benefits, and services, or the voluntary data sharing by
the individual, consent may not be required. The bill also stated how data
fiduciaries are required to keep data accurate, safe, and deleted once its
purpose has been served.
Individuals are granted a number of rights under the Bill, including the right
to information, the ability to request correction and erasure, and the right to
access grievance procedures. In the interest of specific reasons, such as the
security of the state, public order, and the prevention of crimes, the central
government has the power to exclude government agencies from the application of
the Bill's requirements.
The Data Protection Board of India is created by the national government to make
decisions regarding Bill requirements that are not being followed. On 11th
August 2023, the Digital Personal Data Protection was passed and it became
Digital Personal Data Protection Act, 2023.
Imperative of Data Fiduciary under the Act
"Data Fiduciary" is a body which is already mentioned or named by the current
Indian law. Under the DPDP Act, the term "Data Fiduciary" has been introduced to
describe a person who, individually or jointly with others, "determines the
purpose and means of processing" personal data in accordance with Data
Principles.
This definition includes both natural persons (such as any individual) and
artificial or juristic persons (such as a company, firm, or other organization).
In addition, the DPDP Act establishes a distinction between a "Data Fiduciary"
and a "Significant Data Fiduciary" and sets forth the necessary responsibilities
and obligations for each.
In order to ensure compliance with the DPDP Act, Data Fiduciaries must, among
other things, put in place the necessary technical, legal, and security
safeguards and set up grievance processes. In addition to their own compliance,
Data Fiduciaries are accountable for any Data Processors (i.e., anyone hired to
process data on behalf of the relevant Data Fiduciary) as well. In terms of
additional responsibilities, a Data Fiduciary is specifically held accountable
for the personal information of Data Principals who are minors.
In order to ensure compliance with the DPDP Act, Data Fiduciaries must, among
other things, put in place the necessary technical, legal, and security
safeguards and set up grievance processes. In addition to their own compliance,
Data Fiduciaries are accountable for any Data Processors (i.e., anyone hired to
process data on behalf of the relevant Data Fiduciary) as well.
In terms of additional responsibilities, a Data Fiduciary is specifically held
accountable for the personal information of Data Principals who are minors. As
mentioned before the act draws a distinction between "Data Fiduciary" and
"Significant Data Fiduciary", the differentiation is mainly based on various
components like "value" and "sensitivity" of the private data that is being
dealt by "Data Fiduciary" versus the threat present to a data principal.
Elucidation of the term "consent"
The DPDP Act states up front that Data Fiduciaries may only use any personal
data of an individual for legitimate purposes only with the consent (or "deemed"
consent") of such individual; and in a way that complies with the DPDP Act and
other applicable laws. It states unequivocally that "consent" (with relation to
a Data Principal) refers to consent that is freely given, explicit, and
informed.
Such consent must be unequivocal and can take the shape of any affirmation or
action that amply demonstrates that a Data Principal has consented to the
processing of his or her personal information. In order to obtain this consent,
Data Fiduciaries are required to send relevant Data Principals (including even
those whose consent was obtained prior to the issuance of the act) a notice
that, among other things, specifies the data that is intended to be collected.
Additionally, in response to such notice, an explicit request must be made to
the pertinent person in order to obtain their consent (in the format required).
In order to accomplish this, Data Fiduciaries must first appoint a "Data
Protection Officer" (whose information must be communicated with the Data
Principal when requesting consent) and a "Consent Manager" (i.e., a particular
class/category of Data Fiduciary under the DPDP Act).
Importantly, a Data Principal has the choice to not only provide consent to a
Data Fiduciary but also to revoke that consent through the Consent Manager, a
recognised organization that acts on a Data Fiduciary's behalf and is answerable
to the Data Principal. A Consent Manager must offer a Data Principal a clear
platform or method to "give, manage, review, or withdraw" their consent in order
to fulfill this obligation. When a Data Principal's consent is revoked, Data
Fiduciaries are responsible for making sure that their personal data is no
longer processed (within a "reasonable time").
Requiring consent for data collection and sharing, stiff fines for data
breaches, and requirements for data fiduciaries (companies that collect and
retain data) are the positive facets included in this act. "However, if you look
more closely, you'll see that there are no specifics. There is no map available.
The regulation must be as explicit as possible in order to be effective"
according to Prateek Waghre, policy director of the Internet Freedom Foundation.
Use of the phrase "As May Be Prescribed"
Delegated legislation provides several administrative authorities a great deal
of discretion, which could result in widespread misuse or the use of excessive
power. The Government purposefully left this piece of law up to the whims of
subordinate agencies under the guise of making the legislation lean. Justice B.V.
Nagarathna reminded us that unrestricted and unfettered powers under delegation
would be ex-facie arbitrary and suffer from the vice of unconstitutionality in
his dissenting opinion in the Supreme Court's decision on demonetisation.
The overuse of the phrase "as may be prescribed" in the Act raises questions
about the lack of precision and detail in its provisions. Due to the fact that
the legislation does not extensively cover the details of execution, there is an
excessive amount of delegated power. The DPDP Act's main feature appears to be
the government's go-to phrase, "as may be prescribed." It appears 28 times in
44-sections in a 21-page Act.
To allow the government to make arbitrary decisions, the ambiguity has been
maintained. If most of the phrases are referred to as "as may be prescribed,"
then no law can be said to be insulated. Therefore, the executive branch of the
government is free to make the choice whenever it sees fit. This not only
reduces the openness of the legislative process but also makes it more difficult
for the general people to comprehend the reach and ramifications of the law.
Section 32: The integral part of the Act
The DPDP Act's central portion, Section 32, introduces the perplexing paradigm
of "Voluntary Undertaking." The clause gives the Data Protection Board the power
to accept voluntary commitments from those who are not abiding by the Act's
rules and to halt further investigations. The fundamental significance of this
clause lies not in its seemingly innocuous nature but rather in the potential it
possesses to act as a shield for offenders to avoid punishment.
This could result in a scenario where criminals can avoid fines up to an
astounding Rs 250 crore per crime by providing a simple assurance, negating the
law's deterrent intent. The law unintentionally creates a let-out clause that
might potentially be used by persons with dishonest intentions by allowing data
fiduciaries to avoid fines for non-compliance. In turn, this might weaken the
Act's emphasis on responsibility and lead to ineffective enforcement.
Implied Exemptions under DPDPA
The Act's patchwork of exemptions conceals a glaring weakness. The Union
government is free to exempt government entities and data fiduciaries, including
start-ups, from a number of rules under Section 17. A question about the
unrestrained use of executive power is raised by the broad permission granted to
government agencies, which is ostensibly anchored in the interests of India's
sovereignty and integrity, the security of the State, friendly relations with
foreign States, the maintenance of public order, or preventing incitement to any
cognizable offense related to any of these. This can lead to an excessive
invasion of privacy rights.
Section 9(5) is also concerning because it gives the government the authority to
waive the requirement that Data Fiduciaries obtain parental consent before
processing the personal data of certain age groups of children or to give them
the go-ahead to track or monitor the behavior of children or to use their data
to target advertisements to children if it determines that their track record of
data processing is demonstrably secure. The possibility of surveillance,
behavioral analysis, and targeted advertising for children without their
parents' knowledge or consent raises concerns.
Data Fiduciaries are given extensive permissions under Sections 7(b) and 7(c) to
treat personal data on behalf of the State and its agencies. Section 7(c) grants
a Data Fiduciary broad permission to process any personal data for the State or
any of its instrumentalities in the name of sovereignty, integrity, or security
of the state, whereas Section 7(b) permits the use of personal data for any
government purpose without explicit consent, even by converting the non-digital
data to digital form without the permission of the data principal. These clauses
may be used for monitoring and manipulation while ostensibly serving official
purposes.
Conclusion:
The Supreme Court has stated, in reference to the monitoring operation
"Pegasus," that "the right to privacy is directly violated when there is
surveillance or spying done on an individual, whether by the State or by any
external agency." The ideals of "personal informational privacy" are violated by
the widespread storing and gathering of individuals' personal data taken without
their consent under this current legislation.
India's dedication to enhancing data privacy in a world that is increasingly
going digital is reflected in the Digital Personal Data Protection Act, 2023.
The Act includes significant safeguards, but it also poses significant queries
about how to strike a balance between individual privacy, legal use, and
governmental control. Although the Act has a noble purpose, there are a number
of obstacles and potential problems in its execution, particularly in relation
to ambiguous criteria, government interference, and repurposing current
institutions to handle complicated data governance issues.
References:
PRS Legislative Research, https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023
Ashneet Hanspal , Aditi Mendiratta and Gaurav Bhalla, Analysis of Digital
Personal Data Protection Bill, 2019, January 04, 2023, https://www.mondaq.com/india/data-protection/1267190/analysis-of-the-digital-personal-data-protection-bill-2022
Section 8, Digital Personal Data Protection Act, 2023
John Brittas and Aneesh Babu, What Lies Beneath the PR Blitz on the new Data
Protection Act,August 27, 2023 https://thewire.in/government/what-lies-beneath-the-pr-blitz-on-the-new-data-protection-act
Section 32, Digital Personal Data Protection Act, 2023
Rashmi Rajagopal, 16 August 2023, 'New data protection law draws criticism',
https://www.deccanherald.com/india/karnataka/bengaluru/new-data-protection-law-draws-criticism-2648820
Section 17, Digital Personal Data Protection Act, 2023
Section 9(5), Digital Personal Data Protection Act, 2023
Section 7, Digital Personal Data Protection Act, 2023
Law Article in India
You May Like
Please Drop Your Comments