Introduction
The Digital Personal Data Protection Bill, 2023[1], which was presented in the Lok Sabha on August 3, 2023, by the Minister of Electronics and Information Technology, has been approved by Parliament: it was passed by the Lok Sabha on August 7, 2023, unanimously endorsed by the Rajya Sabha on August 9, 2023, and received Presidential assent on August 11, 2023.[2]
The preceding Personal Data Protection Bills from 2019 and 2022, which were subjected to numerous amendments and were fraught with various concerns pertaining to data localization, transparency, and compliance burdens[3], were ultimately retracted by the Central Government. The aforementioned Bill was formulated following the Supreme Court ruling in Justice K.S. Puttaswamy vs. Union of India (2017),[4] wherein the Court affirmed the ‘Right to Privacy’ as an integral component of the fundamental ‘Right to Life’ enshrined in Article 21[5] of the Indian Constitution, and recommended that the Central Government establish a legislative framework for the safeguarding of Personal Data.
Under the DPDP Act, we explore various dimensions of the fundamental right to privacy as framed under the GDPR. Thorough research and drafting, following a critical analysis of several judgements and precedents, underscore the specific principles of the DPDP Act under Indian law. Different aspects of the Act have been investigated, scrutinizing their impacts and regulations within the judicial framework that safeguards the digital identity of an individual against adverse effects.
Right To Privacy
The entitlement to privacy constitutes a fundamental human right acknowledged in numerous international human rights frameworks. Within the realm of data protection, this entitlement is predominantly interpreted as the prerogative of individuals to regulate the manner in which their personal data is acquired, utilized, preserved, and disseminated. The idea of privacy is not new. Polis and Oikos, the public or political sphere and the private or familial sphere, respectively, were the divisions of ancient Greece. The ‘right’ to privacy, on the other hand, is a relatively contemporary concept. With the emergence of newspapers, television, and the internet, the concept of privacy has changed to focus more on privacy of data, even if the right to privacy can include both physical privacy and privacy connected to information. The attack on privacy takes the form of overreaching intrusion on private conversations, as seen in the recent Pegasus incident and the Edward Snowden exposé. We must remember, nevertheless, that the right to privacy encompasses much more than merely the freedom to communicate in confidence.[6]
Under General Data Protection Regulation (GDPR)[7]:
- Right to be Informed: Individuals possess the entitlement to receive comprehensive information regarding the collection and utilization of their personal data.
- Right of Access: Individuals are afforded the privilege to obtain access to their personal data along with ancillary information.
- Right to Rectification: Individuals hold the right to solicit amendments to any inaccurate or incomplete personal data.
- Right to be Forgotten: Individuals are permitted to request the removal of their personal data under specific conditions.
- Right to Restrict Processing: Individuals may demand the limitation or suppression of the processing of their personal data.
- Right to Data Portability: Individuals are entitled to acquire and reutilize their personal data across various services.
- Right to Object: Individuals may raise objections to the processing of their data under certain conditions, particularly in relation to direct marketing.
Under Indian Law
The Republic of India is in the process of developing an extensive data protection bill referred to as the Digital Personal Data Protection Bill (DPDP Bill), which is anticipated to encompass privacy rights analogous to those enshrined in the General Data Protection Regulation (GDPR). The proposed legislation aims to confer substantial authority to individuals over their personal data, incorporating rights such as access, rectification, and the capacity to revoke consent.[8]
Data Fiduciaries
A distinctive aspect of the DPDP Act is the categorization of data fiduciaries into various classifications based on the magnitude and sensitivity of the personal data, alongside other designated criteria. Organizations that routinely manage extensive volumes of individual personal data will be designated as significant data fiduciaries, thereby incurring supplementary responsibilities such as the appointment of a data protection officer, the engagement of an independent data auditor, and the execution of data protection impact assessments[9].
Conversely, smaller data fiduciaries, which encompass start-up enterprises, may be granted exemptions by the Indian Government from specific obligations, including the provision of notice, the assurance of accuracy, completeness, and deletion of personal data, as well as the safeguarding of data principals’ rights to access information.[10]
Cross Border Data Transfer
The DPDP Act facilitates the transference of personal data across international boundaries to all nations, barring any explicit prohibitions imposed by the Government of India. This framework presents a significantly streamlined methodology for international data transfers in contrast to the intricate framework of adequacy, Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), and Transfer Impact Assessments (TIAs) currently established under the General Data Protection Regulation (GDPR). While this makes data transfer across the globe easy and anonymous, it also increases the threat of malicious data being processed, which could lay the groundwork for acts of terrorism, serve as a mode of communication for crimes, and support business run within the organized criminal world.
Section 16 of the DPDP Act delineates the regulatory framework governing the transnational transfer of personal data. The following is an overview of the principal stipulations:
- Territorial Limitations: The legislation permits Data Fiduciaries to transmit personal data to any jurisdiction, contingent upon compliance with the territories specified by the Indian Government. Certain nations may be identified as exempt from data transfer restrictions as communicated by the government.
- Adherence to Prevailing Legislation: The provisions of the Act are required to be in harmony with other Indian statutes that impose more stringent data protection protocols for cross-border data transfers, thereby ensuring the avoidance of discrepancies with elevated protection benchmarks.
The DPDP Act embraces a more lenient framework concerning international data transfers, diverging from earlier prohibitive versions. It delineates a foundational standard of protection whilst granting authority to sector-specific regulatory bodies to enforce more stringent measures if deemed necessary.[11]
Children’s Personal Data
Data controllers are permitted to process the data of minors (i.e., any individual under the age of 18) solely after acquiring verifiable consent from a parent or guardian. Furthermore, any form of tracking and behavioural monitoring of minors or targeted advertising directed towards minors is expressly forbidden[12]. It is important to note that this prohibition is applicable to all data controllers and is not limited to those entities that specialize in the processing of children’s data or that are otherwise cognizant of their collection and processing of such data. As a result, controllers that do not explicitly target minors are not afforded any reasonable deniability and must, therefore, operate under the assumption that it is probable they will collect and process the data of minors unless they possess a substantial degree of certainty that this will not occur. The legislation does not delineate the method by which a data controller is expected to secure “verifiable consent,” and it is anticipated that such guidance will be subsequently provided by governmental authorities through the establishment of implementing regulations.
Notably, the governmental authority may grant exemptions to specific data controllers from these supplementary obligations, contingent upon the nature of the processing or the type of controller involved. For example, in instances where an Ed-Tech platform is designed to facilitate children’s education, the procurement of parental consent may be rendered obligatory for data subjects who are under the age of 15 (as opposed to 18) years. Nevertheless, to invoke this exemption, a controller must provide evidence to the governmental authority that its processing practices are demonstrably secure.[13]
Conclusion
The Digital Personal Data Protection Act, 2023 signifies a pivotal advancement in India’s initiatives to protect personal data whilst simultaneously stimulating the digital economy. It presents a judicious framework, integrating essential privacy safeguards with provisions conducive to business interests, thereby rendering it more responsive to the exigencies of global data flow in comparison to its predecessors and other international regulations such as the General Data Protection Regulation (GDPR).[14]
Through the introduction of adaptable mechanisms for cross-border data transfers and the acknowledgment of the distinctive challenges encountered by various categories of data fiduciaries, the DPDP Act not only fortifies data protection but also alleviates compliance burdens, particularly for nascent enterprises and smaller organizations. Furthermore, the Act’s stringent stipulations regarding the processing of minors’ data and the mandate for verifiable parental consent accentuate the government’s dedication to safeguarding vulnerable populations.[15]
In summary, the Digital Personal Data Protection Act embodies a thorough and forward-thinking legal framework that is congruent with global benchmarks while being specifically attuned to India’s unique requirements, thereby promoting a secure and flourishing digital ecosystem.[16]
[1] The Digital Personal Data Protection Bill 2023
[2] https://carnegieendowment.org/research/2023/10/understanding-indias-new-data-protection-law?lang=en
[3] Explained: Why the Govt has withdrawn the Personal Data Protection Bill, and what happens now | Explained News – The Indian Express
[4] K.S. Puttaswamy and Anr. Vs. Union of India (2017) 10 SCC 1
[5] India Const. Art. 21
[6] The World Bank, Data Protection and Privacy Laws, https://id4d.worldbank.org/guide/data-protection-and-privacy-laws
[7] Chapter 3 – Rights of the data subject – General Data Protection Regulation (GDPR) (gdpr-info.eu)
[8] The Information Technology Act, 2000
[10] Mayuri Taware, “Obligations of Data Fiduciary and Protection of Data: An Analysis”, 5 INDIAN J.L. & LEGAL Rsch., vol. 5 (1), 5Issue2IndianJLLegalRsch1.pdf.
[11] digital-personal-data-protection-act-indias-new-data-protection-framework.pdf (cliffordchance.com)
[12] advisory-guidelines-on-the-pdpa-for-children’s-personal-data-in-the-digital-environment_mar24.pdf (pdpc.gov.sg)
[13] https://corporate.cyrilamarchandblogs.com/2023/08/children-and-consent-under-the-data-protection-act-a-study-in-evolution/
[14] THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023, § 2(i), available at <https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf>.
[15] Lalit Kalra, “Decoding the Digital protection Act, 2023”, https://www.ey.com/en_in/cybersecurity/decoding-the-digital-personal-data-protection-act-2023.
[16] [The Viewpoint] Digital Personal Data Protection Act, 2023 – A Brief Analysis (barandbench.com)
Authored by: Abhigyan Choudhary
Student, DSNLU Vishakhapatnam