Data Protection – Overview of DPDPA, 2023 #1

Last week, the Parliament enacted and the President assented to the Digital Personal Data Protection Act, 2023 (DPDPA / Act). Once notified by the Government of India, this legislation will significantly impact your experience of the digital world. For example, your consent will be required whenever anyone wants to use any personal information related to you. This will compel any company handling personal data to materially alter how it functions, as such companies were essentially operating in the wild-west till now (for example, what you do on the internet is available for anyone to see for Rs. 490). Having said that, the Act contains unusual exceptions with respect to the government, which can continue operating in the wild-west and do whatever it deems necessary with your personal data. Previous iterations of the Act were also criticised by civil society on this ground.

Nevertheless, considering the relevance of this enactment to any undertaking collecting digital data (basically every business these days) and its implications for the right to privacy, I will analyse each chapter of the Act on this blog in the coming weeks. In my analysis, I will compare the provisions of the Act with similar provisions in Europe’s General Data Protection Regime, 2016 (GDPR). Courts across Europe have extensively interpreted provisions of GDPR and we will benefit from the study of their case law.

In this introductory post, I will highlight the Good, the Bad and the Ugly of DPDPA. Hopefully, this will provide a foundation for what is about to come on this blog in the coming weeks. 


The Union Minister for Electronics and Information Technology has waxed lyrical about the Act in the Parliament. He has claimed that the DPDPA will protect privacy even more than GDPR as it does not provide for as many exceptions. Although I do not agree with this claim, we at least now have a data protection legislation. While DPDPA leaves a lot to be desired, there is now a legislation which will impose a semblance of regulation. This is barely ‘Good’ though, as I am applauding the DPDPA for merely existing. Be that as it may, apart from its existence, the only noteworthy provision in DPDPA is Section 8(6), which requires data fiduciaries to inform each data principal in case the personal data in their custody is breached. This is important as personal data in the custody of several entities, including public authorities such as UIDAI (responsible for the Aadhaar database), has been breached recently, and many of them did not even inform affected individuals. Thus, the inclusion of Section 8(6) is encouraging.


I have a lot to say here. For one, the Minister for Electronics and Information Technology claimed that consent is at the heart of DPDPA, but Section 7 lists 8 different situations where your personal data could be processed by data fiduciaries without your consent. Section 8(g), for example, permits fiduciaries to use your personal data in any manner to provide a ‘health service’ during an ‘epidemic, outbreak of disease or any other threat to public health’ (think Aarogya Setu). Apart from this, as I flagged earlier, there are unusual exceptions for the government. Section 17(2) permits the government to exempt any number of its instrumentalities from the rigours of the Act. So, exempted entities do not need your consent while processing data. Furthermore, Section 17(4) exempts every instrumentality of the government from the obligation of erasing personal data when a Data Principal withdraws her consent or when the purpose for which data was collected is no longer being served [See Section 8(7)]. So, the government can store data for even longer than is necessary. Thus, as mentioned above, the government can basically continue functioning in the wild-west even after the Act comes into force. This is bad as the Indian Government collects vast amounts of data, including biometric data, under the Digital India project.


In a previous post, I had highlighted how a previous iteration of DPDPA does not even compensate individuals whose privacy is violated. The DPDPA has retained those provisions and effectively removed any incentive a data principal might have in pursuing expensive litigation against a corporate before the Data Protection Board. In fact, the DPDPA in Section 34 has clarified that all sums realised by way of penalties imposed by the Board shall be credited to the Consolidated Fund of India. The ugliness is that DPDPA does not stop here and omits Section 43A of the Information Technology Act, 2000, the only statutory provision which entitles data principals to seek compensation when corporates violate their right to privacy. Beyond this, there are concerns regarding how this important legislation was enacted, as most Members of the Parliament chose not to participate in the discussion. This demonstrates how important privacy concerns are for those in power and opposition. Internet Freedom Foundation has broken down the numbers from the Parliament in this post and their analysis shows that only 16 members spoke on the bill across both houses.

In the coming years, as DPDPA starts affecting every aspect of our lives, it will be important to go back to that post and remember that when it mattered the most, our elected representatives decided not to speak.

Krishnesh Bapat
