The Digital Personal Data Protection Bill 2023 (DPDP-2023) has been notified by the government after advancing through the routine legislative process. The Bill has been iterated on since the year 2017. With the passing of this Bill, India has embarked upon a journey in the world arena, addressing the essential concerns of digital personal data with enforceable privacy controls for organisations, individuals and government under the ambit of a clear-cut law. All stakeholders will now have to engage with and identify the nuances to ensure a seamless integration of these principles into the corporate and personal data landscape.
The Government of India is looking at a period of 9 months for the implementation of this landmark legislation.
What it holds for corporates, organisations and individuals is now a matter of contemplation and clarification. The nitty-gritty of the implementation process will have to be looked at by different stakeholders, especially the Government. This will have to be done through frameworks, guidelines, rules, regulations, compliances, jurisprudence, etc. The relevant rules for the enforcement of the Bill are still on the drawing board and will be notified in the year 2024.
The Data Protection Board (DPB), a Board mandated in the Bill, is a constitutional entity with powers of adjudication and verification of compliances and verdicts dealing with privacy-related disputes and issues. The DPB will comprise members drawn from the Centre. This team and its office will be digital in nature, and the proficiency and management of this Board are also being keenly watched by the stakeholders, with many questioning especially its independence with respect to the receipt of complaints, verification, adjudication, legal/judicial management, investigation, and penal imposition and enforcement.
The concept of consent for ‘legitimate use’ and strengthened consent withdrawal rights not only offer opportunities for streamlined procedures and enhanced transparency but also mandate a profound commitment to upholding data protection standards. The Bill, in its raw form, envisages the regulation of digital personal data to safeguard individuals’ rights and allows lawful processing of personal data. The Bill applies to online and offline personal data collected in India and to processing both inside and outside India. The law will also take into consideration goods or services and the related personal and non-personal data in India.
What is the Significance of the Bill in the Indian Scenario and its Salient Points:
- The DPDP Bill defines “Personal Data” broadly to include any data about an individual who is identifiable by or in relation to such data. The DPDP Bill also introduces a definition of ‘digital personal data,’ defined to mean personal data in digital form.
- The Act, once in force, will provide for the rights and duties of the citizen/resident (Digital Nagrik) on the one hand and, on the other, the obligation of the “Data Fiduciary” to use collected data lawfully. (A Data Fiduciary is defined as any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.)
- It introduces the key rights and duties of Data Principals. (A “Data Principal” is defined as the individual to whom the personal data relates.)
- How to handle data relating to a child (below 18 years of age), where the rights and privacy of the child are concerned in the data protection and usage ecosystem, has also been spelt out in the Bill. Where such an individual is a child, the term includes the parent or lawful guardian of the child. Where the individual is a person with disability, it includes their lawful guardian acting on behalf of such individual. Also, the DPDP Bill stipulates coverage of the data of natural individuals only.
- The Bill distinguishes the “Data Processor”, a natural or legal person, public authority, agency or other body that will/may, in the management of services/goods, process data/personal data on behalf of a data fiduciary.
- The Bill designates a “Consent Manager”, who will be accountable to the data principal and will be required to act on behalf of the data principal in such manner and subject to such obligations as may be prescribed in the provisions of the Bill. (A consent manager is defined as a person registered with the Board who acts as a single point of contact to enable a data principal to give, manage, review and withdraw their consent through an accessible, transparent and interoperable platform.)
- The Bill will keep the personal data of a user safe, and gives the personal data subject more liberty over how to port their personal data and how it is used.
- The Bill proposes a team called ‘The Data Protection Board of India’ (“Board”), to be appointed by the government, as the adjudicatory body for enforcement of the DPDP Bill. The Board may also, in its duties, impose penalties on Consent Managers in certain instances.
- The Bill aims to make entities like internet companies, mobile apps and business houses more accountable and answerable about the collection, storage and processing of the data of citizens as part of the “Right to Privacy”.
- Exemptions provided in the Bill – The rights of the data principal and the obligations of data fiduciaries (except data security) that the Act provides for will not be applicable in specified cases. These include:
- prevention and investigation of offences, and
- enforcement of legal rights or claims.
- The Bill has also given the Central Government the right to exempt certain activities from the application of the Bill through formal notification. These include:
- processing by government entities in the interest of the security of the state and public order, and
- research, archiving, or statistical purposes.
- The DPDP Bill permits cross-border transfers of personal data to non-restricted territories. The Act also covers the transfer and storage of data across borders: the Central Government has kept the right to restrict, by notification, the transfer of personal data by a Data Fiduciary for processing to such country or territory outside India as may be so notified. (Probable whitelist or blacklist of countries or enterprises/organisations.)
The concerns in this Bill/Act that should bother corporates, organisations and individuals:
A search of the text of the Bill/Act returns the words “by Notification” six times and “Notification” ten times. This reveals that the Bill needs more ‘looks’ and ‘re-looks’. The level of uncertainty will also be a concern to the entities to which the law is going to apply. The colossal fine, amounting to a maximum of ₹250 Cr (for a maximum of up to ₹500 Cr), is also a matter of concern as to its judiciousness and whether it is commensurate with the offence. A few grave concerns are enumerated below:
- The concern that the Act/Bill may enable the State to become a “Surveillance State”.
- The status of entities that may be penalised and blacklisted, leading to consumer inconvenience and leaving the final redressal or resolution murky for those consumers whose data is held by the defaulter.
- The provisions of the law being non-judicious, leading to litigation and matters being sub judice, and ultimately to inconvenience to the consumer.
- The compliance and verification of deletion by data fiduciaries, when requested.
- The factor of bias, incompetence or wrongful pro-government action on the part of the Data Protection Board (DPB).
- Independence of the DPB, and interference by the government machinery.
- Non-compliance with “Consent”.
- When the government decides to block an entity, how will customers who are still subscribers ensure their continued services or subscriptions?
- Concerns over how to protect the provisions of the RTI Act 2005 in light of the implementation of DPDP 2023.
- The upholding of the Supreme Court mandate of the three principles entailed in the Puttaswamy Judgement: legal aim (purpose), proportionality, and legality.
- Cutting the clutter around the ‘thin line’ regarding the powers vested in the government for “National Security”.
- Violation by entities and misuse by foreign state and non-state stakeholders.
- Inter-state prejudice in the whitelisting/blacklisting of countries, leading to jeopardy for consumers who intend to draw continued services from the entities involved.
Conclusion:
The journey of the DPDP in India dates back, in simmering form, to the year 2008. (The introduction of the new Section 43A under the Information Technology (Amendment) Act, 2008 (“Amendment”) inter alia put an obligation on companies to protect all sensitive personal data and information that they possessed, dealt with or handled using a computer resource, by implementing and maintaining reasonable security practices and procedures.) The aspect has been highlighted in many forms in various judgements and orders of the Constitutional Courts across the country.
The challenge to the Aadhaar Project in India in the year 2017, in the much-celebrated Supreme Court judgment in K.S. Puttaswamy v. Union of India (“Puttaswamy Judgement”), brought out and recognised ‘privacy’ as intrinsic to the right to life and liberty guaranteed by Article 21 of the Constitution of India, thus reiterating ‘the right to privacy’ as a fundamental right. While chiefly dealing with the scope of the rights of a citizen as against the State, the Puttaswamy Judgement also touches upon protections to be accorded to individuals in the private sphere. The Supreme Court linked the value of privacy to individual dignity and used long-standing precedent to hold that the State has a positive burden of maintaining and preserving this dignity. As a result, the Puttaswamy Judgement is not only the basis for establishing a prohibition against privacy-violative State action, but also forms a basis for the State’s mandate to regulate private contracts and private data sharing in the interest of individual privacy. This in turn highlighted the topic of data protection. This Judgement also saw the re-enactment and redefining of the Aadhaar Act in India.
Nevertheless, following this ruling, the Indian government took steps to enhance data protection in the country. In August 2017, it constituted a committee of experts, led by Justice BN Srikrishna, to address privacy concerns and propose measures to bolster privacy laws. The committee’s recommendations included measures such as imposing restrictions on data processing and collection, establishing a Data Protection Authority, implementing the right to be forgotten, advocating data localization, and other pertinent measures to safeguard individuals’ privacy rights in India. (Srikrishna Committee recommendation that followed)
Though the DPDP 2023 suffers from certain shortcomings, the bare Act tries to bring in illustrations to amplify its statements. The large number of ‘adds’ through different means to enable the Act will surely form part of the iteration that facilitates the complete fructification of the Act in India. Notwithstanding, we now have a law that will enable interaction among stakeholders and countries across the globe, to enable partnership and also to carry out business with them.
India, poised to be the most populous and one of the largest growing economies of the world, is also positioned to be one of the largest data markets in the world. A comprehensive data protection and governance regulation will certainly influence and greatly contribute to the evolution of the global data governance landscape, and also to the participation of India in the global arena.