Data Privacy and Protection in India: Analysing the Digital Personal Data Protection Act, 2023

ABSTRACT

 In contemporary times, protection of personal data has emerged as one of the most fundamental legal, economic, and human rights concerns. Data privacy refers to the protection of personal data from unauthorised access to it, including its collection, processing and dissemination. India has grappled with serious data protection challenges as until recently a strong legal framework to tackle the issue was absent from the scene. The Digital Personal Data Protection Act, 2023 (DPDPA) constitutes India’s first comprehensive data protection legislation.

This paper critically evaluates the evolution and structure of the Act, its purpose and scope, as well as its application. It also examines the key principles and obligations as given under DPDPA (2023), who it exempts, the criticism it has garnered, and the way forward for India in the arena of privacy laws.

INTRODUCTION

 The Right to Privacy was elevated to the status of a fundamental right under Articles 14, 19, and 21 of the Indian Constitution in the landmark judgement in Justice K.S. Puttaswamy v. Union of India¹. Prior to that, the Supreme Court of India dismissed the essentiality of the right to privacy in decisions such as M.P. Sharma v. Satish Chandra², and Kharak Singh v. State of UP³. DPDPA came into effect from 11 August, 2023, and comprises India’s first data protection statute dedicated to safeguarding the right to keep private, in matters of personal data. This Act replaces the protection provided earlier under the Information Technology (IT) Act, 2000. The IT Act (2000) provided reasonable security to “sensitive personal data”⁴ only, whereas the ambit of DPDPA (2023) covers all digital personal data. The Act of 2023 puts forth a modern privacy code, compatible with the current ever-evolving digital scenario of the twenty-first century.

PURPOSE, SCOPE, AND APPLICABILITY OF THE ACT

The Ministry of Law and Justice states that the Act seeks “to provide for the processing of digital personal data”⁵ in such a way that both the right of an individual to protect his or her personal data as well as the processing of such data for lawful purposes is acknowledged. It

defines “personal data”⁶ as any such data that renders an individual identifiable by virtue of it or in relation to it. Nevertheless, protection is not extended to such personal data which is processed by an individual for domestic or personal purposes, or made public by relevant persons.

The scope of DPDPA (2023) includes:

• Data Fiduciaries – person(s) determining the means and purpose of processing of such data⁷.
• Data Processors – person(s) processing data on behalf of the Data Fiduciaries⁸.
• Data Principal – individual(a) to whom the personal data is related⁹.

However, government agencies are exempted from liabilities which would normally be levied in case of a data breach for reasons such as maintenance of public order, national security, or in the prevention of offences. The provisions of this Act are applicable within the territory of India, as well as beyond the territory of India provided that the processing of such data is related to the offering of goods and services within India¹⁰.

GROUNDS FOR PROCESSING DATA

 DPDPA (2023) states that the processing of personal data should only be done for a “lawful purpose”¹¹, meaning that the law does not expressly bar from achieving such a purpose. This includes State functions, employment purposes and medical emergencies. The Act highlights “consent”¹² as the central ground for processing personal data, which must be “free, specific,

informed, unconditional and unambiguous with a clear affirmative action”¹³. The consent thus obtained should also indicate that the individual agrees to the processing of his or her personal data. The processing of his or her data should be restricted only for the purpose that he or she has consented to. Overstepping the set boundary would constitute a data breach.

RIGHTS OF DATA PRINCIPALS

The Act grants Data Principals the following rights:

• Right to obtain data for the purpose of processing it¹⁴.
• Right to correction, completion, updating and erasure of an individual’s personal data¹⁵.
• Right to redressal of grievances¹⁶.
• Right to nominate an individual to act in his or her place post the death or “incapacity”¹⁷ of the Data Principal¹⁸.

However, the DPDPA (2023) overleaps several globally notable rights such as the right to be forgotten, the right to data portability, and the right against automated decision-making.

ESTABLISHMENT OF DATA PROTECTION BOARD (DPB)

 This Act establishes a corporate body¹⁹ by the name of the Data Protection Board of India²⁰, with powers to acquire, hold and dispose movable as well as immovable property. It consists of a Chairperson and other members, appointed by the Central Government. Powers of the Board are

• Conducting inquires
• Imposing penalties
• Issuing directions
• Modifying, suspending, withdrawing or cancelling

EXEMPTIONS

Government agencies are exempted from major obligations including consent requirements, limitations on purpose and storage of personal data vis a vis

• For the performance of State functions, or in the interest of sovereignty and integrity of India, or for the security of the State²¹.
• When responding to medical emergencies²²
• In the interest of public health²³
• For the purpose of maintaining public order²⁴
• For the purpose of employment²⁵.

CRITICISM

• Use of wide terminology for lawful use of personal data may give way to loopholes which results in undermining the autonomy of an individual.
• Contrary to the provisions in the General Data Protection Regulation (GDPR)²⁶, the Act excludes the “right to be forgotten”, which undertakes the erasure of an individual’s digital footprint. Critics believe that such an omission weakens the overall framework.
• The dilution of fiduciary obligations are somewhat insufficiently regular, compared to the earlier drafts.
• The exemptions under DPDPA (2023) lead critics to be apprehensive that such exemptions might enable unchecked State access to personal data, and therefore mass surveillance, violating individual autonomy and liberty.

THE WAY FORWARD

To ensure a strong presence in the domain of privacy law, India must strengthen the chassis of DPDPA by fostering its self-dependency and autonomy. Exemptions present in the Act currently should be minimised, so as to restore the confidence of

the individuals it vows to protect. By cutting down on State surveillance, individuals will be able to regain autonomy over themselves. Restoration of the rights of individuals, for instance, by including the right of erasure will improve the current standing of India, pertaining to the stage of data protection. Furthermore, the future

calls for regulated and disclosed use of AI (Artificial Intelligence) in data processing, of which India’s legal system should take due cognizance while there is still time.

CONCLUSION

 The Digital Personal Data Protection Act, 2023 represents a decisive step by the Indian legal system towards the establishment of a rights-based data protection apparatus. The framework is built on consent, accountability, transparency and limitation of purpose for which personal data of an individual can be employed. The Act strives to balance the rights of individuals to whom the detail is related and a growing economy. While it ensures individuals that their personal data is immune to unwarranted examination, it also lets the reins loose on the subject of State agencies desiring to make use of such data. This creates a sense of angst among

critics as well as ordinary citizens who fear that the State might consider itself licensed to encroach upon the personal liberty of the citizens. That being the reason, the Digital Personal Data Protection Act requires amendments that ensure transparency and individual autonomy, in order for India to be able to build an able-bodied digital society, the framework of which

aligns with the values prescribed in the Constitution of India.