On 12 August 2023, the Digital Personal Data Protection Act received the assent of the President of India, clearing the way for the act to come into force when notified by the central government.
It is the first law made for data processing in India and makes several amendments to the Right to Information Act and the Information Technology Act. According to the preamble of the law, the aim is to provide for the processing of digital personal data in a way that “recognizes both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes” and for other related matters. There is no doubt that this act will have a profound impact on how data generated by Internet users will be collected and used, among other things.
But despite being the first of its kind, the act is not without its concerns. In conversation with Law live, advocate and digital rights activist Appar Gupta said the law was an emergency when compared to contemporary legislation in other jurisdictions, and not in a good way. According to Gupta, the bill – which has already been passed and signed into law but remains to be implemented – was intended by the government to implement the 2017 Supreme Court ruling. K Puttaswamy a decision that states the right to privacy in Article 21 of the Constitution. However, the government’s efforts have largely failed.
The interview was conducted two days before the Digital Privacy Act received the President’s assent, and the full interaction can be viewed on YouTube. Here are the highlights of the interview:
Exceptions for data processors according to the law
While explaining the framework of the law, Gupta highlighted what he said were extremely broad exemptions in the act that essentially make data principal consent completely meaningless. The law defines as the data principal the natural person to whom the personal data refer, as well as the legal guardian of a minor and the legal guardian of a person with a disability acting on their behalf. This is the basis on which ordinary people are placed, according to the new law. Although the data principal is intended to be the primary beneficiary of a data protection law, Gupta raised concerns about consent requirements.
As an example of the “broad exceptions” under the law, Gupta pointed to section 7(g), which states that government consent will not be required to process data to take measures to provide medical treatment or health services during an epidemic, outbreak of disease or other threat to public health.
Likewise, it highlighted the broad exemptions under Section 7(i) for using the data for employment purposes. This was particularly worrying because India is a country where the government is the largest employer of people.
“The exemption for certain legitimate uses where consent is presumed runs afoul of several international data protection statutes,” Gupta said after using these illustrations.
Obligations, positive obligations and sanctions for citizens
Gupta pointed out that data protection laws do not impose criminal liability obligations for breaches by ordinary people. Section 15 of the Act creates obligations on data principals to comply with all provisions of this Act. These obligations, particularly in section 15(b) of the Act, also create a broad obligation not to impersonate another person while providing your personal data, which may create scope for unfairly penalizing individuals who may not have a digital identity. literacy, such as senior citizens who depend on their relatives to operate their electronic devices.
Gupta then spoke about Section 15(c), which creates an affirmative duty on citizens not to suppress any material information while providing personal data for government documents. He explained that many people often provide incomplete information related to their home addresses and intentionally leave out other personal information to protect themselves from stalking or harassment. And this law creates a field for sanctioning these unscrupulous citizens. Fine up to Rs. 10,000 can be imposed on an ordinary citizen for failure to comply with any of the obligations under Section 15 of the Act.
A ‘total aberration’ in modern data protection laws
Because of the multiple affirmative duties of the data principal, the act is a complete departure from data protection legislation in other countries, Gupta said.
Another reason why the DPDP Act is a departure, Gupta explained, is because of section 17 (3), which gives the central government the power to exempt certain data trustees or a class of data trustees from certain obligations under that act such as processing data because of “extent and nature” of personal data processed.
For more context, the law identifies “data trustee” and “data processor” as entities or interested parties that will collect or use the data from the data principal. Structurally, the data principal entrusts the data trustee with the data, and the data processor then processes personal data on behalf of the data trustee.
On the exception that some data trustees or class of data trustees can be notified, Gupta said there is no metric as to what volume or nature of personal data processing would give the central government discretion to grant those exceptions.
In this context, Gupta recommended the work done by Australian academic Graham Greenleaf, who, among other things, carried out a comparative analysis of all data protection legislation. In this regard, Gupta explained that these features – positive data principal obligations, central government power to grant exemptions to data trustees based on the “volume and nature” of personal data processed, to name a few – cannot to be found in data protection laws around the world that made the Digital Privacy Act and beyond.
Amendments and additions to the Law on IRT
The Right to Information Act, as it existed before the enactment of the DPDP Act, maintained a “balancing act” between an individual’s right to access public information and the protection of individuals from unnecessary intrusions into their privacy.
Section 8(1)(j) of the RTI Act excludes personal information which has no connection with any “public activity or interest” or which may lead to an “unwarranted invasion of the privacy of an individual” from the purview of information , which can be sought in accordance with the law. But an exception was made for personal information, the disclosure of which a public information officer or appeals authority considered was justified by the “broader public interest”. The proviso to this clause states that personal information which cannot be denied to Parliament or any State Legislature cannot also be denied to an RTI applicant.
The applicability of this provision and the exemption it creates have been challenged several times all the way to the Supreme Court. And now the section has been amended to exclude the ‘wider public interest’ parameter altogether. In other words, an RTI applicant cannot seek any information related to ‘personal information’ even if the larger public interest dictates its disclosure. The amendment also removes the proviso.
Gupta said section 8(1)(j), as amended by the legislation, no longer struck a balance between invasion of privacy and the wider public interest. He said it could be used in an “oppressive way” to limit the flow of public information and could cause tangible harm to many people.
Data Protection Board ‘Lacks Independence’
Another concern raised by Gupta is over the power of the central government to request information from the data protection board, which is to be set up when this law comes into effect, and to refer suo moto complaints to it about alleged data breaches.
The Data Protection Board will be the authority under the Act to register and appoint consent managers to resolve issues relating to any unauthorized processing, sharing or use of data without the consent of the data subject. A consent manager is someone who will liaise between the data principal and the data trustee, and in turn the data processor, and will serve as a single point of contact to allow the data principal to grant, manage, review and withdraw their consent through a platform.
Gupta argued that the central government’s power to require information and make recommendations suo motu complaints to the board were alarming. He explained this with a hypothesis: when a public document is accessed by a journalist or transparency activist, the central government can file a complaint with the board, leading to a conflict of interest. This is because the central government will appoint this board and determine the terms of service of its members. This raised concerns about the fairness and independence of the data protection board.
In closing, Gupta said the government’s new data protection law needs “significant improvements.” “Several injuries have been caused by the Data Protection Act; not only for privacy but also for transparency,” he said. But he also expressed hope that over a period of time, lawyers through their analysis, criticism and activism can help refine the law in the future.
(Editing by Awstika Das)
Advocate Apar Gupta is a lawyer and writer on democracy and technology. He has been involved in several landmark constitutional cases at the intersection of technology and democratic rights, such as Shreya Singhal (Section 66A case), Gaurav Vyas (Internet shutdown case) and most notably KS Puttaswamy, in which the Supreme Court held that the right to privacy is an aspect of the right to life under Article 21 of the Constitution. He is also the co-founder of the Internet Freedom Foundation, a non-governmental organization that protects digital privacy, free speech and innovation.