Asthaba Jadeja
Abstract
On August 3, 2023, the Central Government presented the Digital Personal Data Protection Bill (DPDP), 2023, before the Lok Sabha. This legislative proposal delineates stipulations applicable to enterprises engaged in data management and processing, along with safeguarding individual entitlements. The principal objective of this bill is to disallow the transfer of data across international borders, impose penalties on corporations for breaches of data security, and furnish a structured groundwork for the establishment of a data protection authority, entrusted with the oversight of adherence to these regulations.
Since it was introduced in the Lok Sabha on 3 August, it took less than two hours for the Bill to be cleared in both houses without much opposition, and 10 days to be notified. The Bill became an Act without any amendments, except for a correction in a section referenced by Information Technology minister Ashwini Vaishnaw himself. Unlike the previous iterations, the DPDPB appears to have been framed in an urgency and does not adhere to its own foundational principles in the explanatory note: “openness, safety and trust, and accountability.”
Background
Enacted in 2018, the General Data Protection Regulation (GDPR) stands as a seminal data privacy regulation pioneered by the European Union (EU), designed to fortify the security and privacy of personal data for EU citizens. This framework meticulously outlines protocols for the acquisition, handling, and retention of personal information by organizations, affording individuals augmented authority over their own data. Concomitantly, the Indian Digital Data Protection Bill of 2023 derives inspiration from the GDPR’s foundational tenets, albeit with adaptations tailored to India’s unique digital landscape.
India lacked an independent legislation dedicated to data protection. The usage of personal data was governed under the Information Technology (IT) Act of 2000. In 2017, the national government established a panel of experts on Data Protection, chaired by Justice B. N. Srikrishna, with the mandate to assess data protection concerns in the nation. The panel finalised its findings in July 2018. Guided by these recommendations, the Personal Data Protection Bill of 2019 was presented before the Lok Sabha in December 2019.
The bill was subsequently referred to a Joint Parliamentary Committee, which issued its report in December 2021. In August 2022, the bill was retracted from the parliamentary proceedings. Subsequently, a preliminary version of the bill was made available for public consultation in November 2022. This led to the introduction of the Digital Personal Data Protection Bill of 2023 in Parliament in August 2023. The DPDP Bill 2023 is the fifth iteration of the Bill since 2018.
The Bill
The DPDP Bill provides certain rights to data principals, which include right to access information about personal data including a summary of personal data being processed, the underlying processing activities and any other information as prescribed, and identities of all data fiduciaries and data principals with whom such data was shared; right to correction and erasure of personal data; right to nominate an individual to exercise rights on their behalf in the event of their death or incapacitation etc.
The DPDP Bill contemplates the establishment of a Data Protection Board (“DPB”), as an enforcement body, which will have powers, inter alia, to direct any urgent remedial or mitigation measures on receipt of intimation regarding a personal data breach, inquire into such breach, impose penalties for non-compliances, inspect any document, summon and enforce attendance of any person etc. An appeal may be preferred against an order of the DPB before the Telecom Disputes Settlement and Appellate Tribunal (“TDSAT”) established under the Telecom Regulatory Authority of India Act, 1997 within specified timelines, and in the prescribed manner. An appeal against the order of the TDSAT may be preferred before the Supreme Court of India.
Exemptions
The exemptions provided in the Bill are as follows:
- For notified agencies, in the interest of security, sovereignty, public order, etc.;
- For research, archiving or statistical purposes;
- For startups or other notified categories of Data Fiduciaries;
- To enforce legal rights and claims;
- To perform judicial or regulatory functions;
- To prevent, detect, investigate or prosecute offences;
- To process in India personal data of non-residents under foreign contract;
- For approved merger, demerger etc.; and
- To locate defaulters and their financial assets etc.
Penalties
- Monetary penalties for breach – Depending on the nature of contravention, monetary penalties up to INR 250 crores may be levied by the DPB on the conclusion of an inquiry. Several factors may be taken into account to determine the quantum of penalties including – nature, gravity and duration of breach, type of personal data affected, repetitive nature of breach, etc.
No Compensation – The DPDP Bill does not provide for payment of compensation to data principals whose personal data has been compromised. This is a deviation from the IT Act which allows affected data principals to claim compensation from a data fiduciary who failed to implement reasonable security safeguards and as a consequence, have caused wrongful loss or gain. That said, the DPDP Bill casts certain duties on the data principals, amongst others, to furnish only verifiably authentic information, not to impersonate another person while providing personal data for a specified purpose, not to register a false or frivolous grievance or complaint with a data fiduciary or the DPB, etc. For any breach in observance of such duties, the data principals may be penalised up to INR 10,000.
Concerns
The introduced bill raises apprehensions regarding the potential for State influence over the appointment of data protection board members, thereby potentially undermining the efficacy of the Data Protection Authority of India. The bill grants the central government the capacity to circumvent requisites for explicit citizen consent and exempts ‘instrumentalities of the state’ from adverse repercussions, citing grounds such as national security, diplomatic relations, and public order maintenance.
Noteworthy exemptions for personal data processing by the State are outlined in the bill, aligning with Article 12 of the Constitution, encompassing the central government, state government, local bodies, and government-established authorities and entities. The implications of these exemptions warrant scrutiny, particularly considering their potential impact on the Right to Information Act of 2005. Proposed amendments to Section 8(1)j of the aforementioned Act could potentially erode the Act’s safeguards for sharing personal information only when absolutely necessary in the broader public interest.
The bill’s provisions could lead to a centralisation of data, potentially conflicting with the right to privacy as emphasised in the 2017 Puttaswamy judgement. While safeguarding digital data is paramount, given the multi-faceted derivation of the fundamental right to privacy, as articulated in the 2017 Puttaswamy judgement, the contemporary landscape underscores the necessity for sizeable data availability to train artificial intelligence (AI) algorithms, crucial for the competitiveness of economies and the preservation of national strategic autonomy. However, the introduced right to data erasure, as stipulated in the bill, could impede this imperative, and its implications warrant careful consideration.
Notice and consent are the core elements of any data protection law around the world. Consent gives the data principal control over its use. In the DPDPB, consent means permission which is “freely given, specific, informed, and unambiguous indication.” Before requesting consent, a notice shall be given to the data principal in clear and plain language, which contains details about the nature of the data collected and its use. More importantly, consent is withdrawable at any moment.
The penultimate iteration, of November 2022, was discussed by the Parliamentary Standing Committee on Communications and Information Technology headed by Prataprao Jadhav (Shiv Sena). The committee adopted a report related to it on 26 July this year and tabled in the Lok Sabha on 1st August. However, opposition ministers on the committee alleged that their concerns had not been addressed in the report.
Way Forward
The path ahead entails a meticulous reevaluation and refinement of the Digital Personal Data Protection Bill (DPDP) of 2023, taking into meticulous consideration the highlighted concerns within the aforementioned article. Recognizing the pivotal significance of data safeguarding in the contemporary digital landscape, a collaborative approach involving a spectrum of stakeholders including legal experts, technologists, and civil society is of paramount importance.
This collective endeavour has the potential to yield amendments that effectively strike a harmonious balance between the preservation of individual privacy, while also fostering innovation and serving national security interests. Ensuring the establishment of transparent and unequivocal mechanisms for the selection of members to the data protection board is imperative, thereby assuring their autonomy from any undue influences.
Additionally, a comprehensive and thorough review of exemptions, particularly those related to state entities, and their potential repercussions on existing legislative frameworks such as the Right to Information Act, stands as a prudent measure to avert any unforeseen consequences. Given the evolving landscape of data utilisation, the formulation of intricate solutions that artfully harmonise the requirement of data accessibility for the progression of artificial intelligence with the sacrosanct nature of individual data sovereignty and privacy rights is imperative.
An ideal data protection law must balance between people making a meaningful and informed choice and should not compel or deny people from making their privacy choices. This could be accomplished with the government formulating a robust data protection law that safeguards people from unintended privacy harms, by actively protecting their rights and respecting their freedom and autonomy.
A holistic strategy must be embarked upon to fortify data protection norms, seamlessly amalgamating legal frameworks with robust technological paradigms for enhancing data security and governance. Throughout the iterative process of deliberations and amendments, it remains quintessential to uphold the core tenets of democratic principles, ensuring that the voices and apprehensions of citizens are duly regarded, thereby fostering a regulatory milieu that espouses both the tenets of data protection and the pursuit of societal progress.
Acknowledgement: Author would like to thank Chaitanya, Aaswash, Nikita and Tripti for their kind comments and suggestions to improve the article.
References
Ministry of Electronics and IT. 2018. https://www.meity.gov.in/writereaddata/files/Personal_Data_Protection_Bill,2018.pdf
Ministry of Electronics and IT. 2022. https://www.meity.gov.in/writereaddata/files/The%20Digital%20Personal%20Data%20Potection%20Bill%2C%202022_0.pdf
Ministry of Electronics and IT. 2023. Salient Features of the Digital Personal Data Protection Bill, 2023
https://pib.gov.in/PressReleasePage.aspx?PRID=1947264
https://main.sci.gov.in/supremecourt/2012/35071/35071_2012_Judgement_24-Aug-2017.pdf
PRS Legislative Research. 2023. Legislative Brief Digital Data Protection Bill, 2023. https://prsindia.org/files/bills_acts/bills_parliament/2023/Legislative_Brief_Digital_Personal_Data_Protection_Bill_2023.pdf
PRS Legislative Research. 2023. Digital Data Protection Bill, 2023. https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023
Arun,T. 2022. Digital Data Protection Bill: An Eye on Whom?
https://www.impriindia.com/insights/data-protection-bill-eye-on-whom/
Agrawal, Aditi. 2023. India’s 1st Data Protection Act — what it could have been had proposed amendments been debated. The Print. https://theprint.in/india/governance/indias-1st-data-protection-act-what-it-could-have-been-had-proposed-amendments-been-debated/1711991/
P, Arun. 2023. A Soft Tone with a Tiger Claw: A Critical Commentary on the Digital Personal Data Protection Bill, 2022. Economic and Political Weekly 58 (6).
https://www.epw.in/journal/2023/6/commentary/soft-tone-tiger-claw.html
He Li, Lu Yu & Wu He (2019) The Impact of GDPR on Global Technology Development, Journal of Global Information Technology Management, 22:1, 1-6, DOI: 10.1080/1097198X.2019.1569186
About the Author
Asthaba Jadeja, is a third year student (Sociology Honours) in Kishinchand Chellaram College.
