Data Protection Bill And What Issues Common Indian May Face

All you need to know about the much coveted digital personal data protect act 2023 and the issues that the indian citizenry may face in the light of the right of privacy, overriding private consent etc.

CONTEXT

The President has given assent to the new the Digital Personal Data Protect, Act 2023 on 11th August, 2023. The Act will come into force on a date that will be notified by the Central Government but the latest Act of the Modi Government has much in it to look for tout de suite.

The Bill of 2023 is likely to have multifaceted regulatory and compliance implications on businesses, private life and social security of the Indian citizenry.

The Bill provides for the processing of digital personal data in a manner that recognizes both the rights of the individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto.

The key matters and analysis on this law has been provided in the following two categories below.

PART A: HIGHLIGHTS AND KEY POINTS

1. The Bill protects digital personal data (that is, the data by which a person may be identified) by providing for the following:

• The obligations of Data Fiduciaries (that is, persons, companies and government entities who process data) for data processing (that is, collection, storage or any other operation on personal data);
• The rights and duties of Data Principals (that is, the person to whom the data relates);and
• Financial penalties for breach of rights, duties and obligations.

2. The Bill also seeks to achieve the following:

• Introduce data protection law with minimum disruption while ensuring necessary change in the way Data Fiduciaries process data;
• Enhance the Ease of Living and the Ease of Doing Business; and
• Enable India's digital economy and its innovation ecosystem.

3. The Bill is based on the following seven principles:

• The principle of consented, lawful and transparent use of personal data;
• The principle of purpose limitation (use of personal data only for the purpose specified at the time of obtaining consent of the Data Principal);
• The principle of data minimisation (collection of only as much personal data as is necessary to serve the specified purpose);
• d) The principle of data accuracy (ensuring data is correct and updated);
• e) The principle of storage limitation (storing data only till it is needed for the specified purpose);
• f) The principle of reasonable security safeguards; and
• g) The principle of accountability (through adjudication of data breaches and breaches of the provisions of the Bill and imposition of penalties for the breaches).

PART B: KEY ISSUES AND ANALYSIS

Exemptions to the State may have adverse implications for privacy

Personal data processing by the State has been given several exemptions under the Bill. As per Article 12 of the Constitution, the State includes: (i) central government, (ii) state government, (iii) local bodies, and (iv) authorities and (v) companies set up by the government. There may be certain issues with such exemptions.The Bill may enable unchecked data processing by the State, which may violate the right to privacy. The Supreme Court (2017) has held that any infringement of the right to privacy should be proportionate to the need for such interference. Exemptions for the State may lead to data collection, processing, and retention beyond what is necessary. This may not be proportionate, and may violate the fundamental right to privacy.

The Bill empowers the central government to exempt processing by government agencies from any or all provisions, in the interest of aims such as the security of the state and maintenance of public order. None of the rights of data principals and obligations of data fiduciaries (except data security) will apply in certain cases such as processing for prevention, investigation, and prosecution of offences. The Bill does not require government agencies to delete personal data, after the purpose for processing has been met. Using the above exemptions, on the ground of national security, a government agency may collect data about citizens to create a 360-degree profile for surveillance. It may utilise data retained by various government agencies for this purpose. This raises the question whether these exemptions will meet the proportionality test.

For interception of communication on grounds such as national security, the Supreme Court (1996) had mandated various safeguards including: (i) establishing necessity, (ii) purpose limitation, and (iii) storage limitation. These are similar to the obligations of data fiduciaries under the Bill, the application of which has been exempted. The Srikrishna Committee (2018) had recommended that in case of processing on grounds such as national security and prevention and prosecution of offences, obligations other than fair and reasonable processing and security safeguards should not apply. It observed that obligations such as storage limitation and purpose specification, if applicable, would be implemented through a separate law. India does not have any such legal framework.

Whether overriding consent for purposes such as benefit, subsidy, license, and certificates is appropriate

The Bill overrides consent of an individual where the State processes personal data for provision of benefit, service, license, permit, or certificate. It specifically allows use of data processed for one of these purposes for another. It also allows use of personal data already available with the State for any of these purposes. Hence, it removes purpose limitation, which is one of the key principles for protection of privacy. Purpose limitation means data should be collected for specific purposes, and should be used only for that purpose. The question is whether such exemptions are appropriate.

Since data taken for various purposes could be combined, this could allow profiling of citizens. On the other hand, if consent were required, individuals would have the autonomy and control over collection and sharing of their personal data.

The Bill does not regulate harm arising from processing of personal data

The Bill does not regulate risks of harms arising out of processing of personal data. The Srikrishna Committee (2018) had observed that harm is a possible consequence of personal data processing. Harm may include material losses such as financial loss and loss of access to benefits or services. It may also include identity theft, loss of reputation, discrimination, and unreasonable surveillance and profiling. It had recommended that harms should be regulated under a data protection law.

The Personal Data Protection Bill, 2019 had defined harm to include: (i) mental injury, (ii) identity theft, (iii) financial loss, (iv) reputational loss, (v) discriminatory treatment, and (vi) observation or surveillance not reasonably expected by the data principal. The 2019 Bill required data fiduciaries to take measures to prevent, minimise, and mitigate risks of harm. These included undertaking evaluation of these risks in impact assessments and audits. It also granted the data principal the right to seek compensation from data fiduciary or data processor, where the data principal has suffered harm. The Joint Parliamentary Committee, examining the 2019 Bill, had recommended retaining the provisions regarding harm arising from processing of personal data. General Data Protection Regulation (GDPR) of the European Union also regulates risks of harm and provides for compensation to the data principal in the event of harm.

Right to data portability and the right to be forgotten not provided

The Bill does not provide for the right to data portability and the right to be forgotten. The 2018 Draft Bill and the 2019 Bill introduced in Parliament provided for these rights. The Joint Parliamentary Committee, examining the 2019 Bill, recommended retaining these rights. GDPR also recognises these rights. The Srikrishna Committee (2018) observed that a strong set of rights of data principals is an essential component of a data protection law. These rights are based on principles of autonomy, transparency, and accountability to give individuals control over their data.

Right to data portability

The right to data portability allows data principals to obtain and transfer their data from data fiduciary for their own use, in a structured, commonly used, and machine-readable format. It gives the data principal greater control over their data. It may facilitate the migration of data from one data fiduciary to another. One possible concern has been that it may reveal trade secrets of the data fiduciary. The Srikrishna Committee (2018) had recommended that to the extent it is possible to provide the information without revealing such trade secrets, the right must be guaranteed. The Joint Parliamentary Committee had observed that trade secrets cannot be a ground to deny the right data portability, and it may only be denied on the ground of technical feasibility.

Shorter appointment term may impact independence of the Board

The Bill provides that members of the Data Protection Board of India will function as an independent body. Members will be appointed for two years and will be eligible for re-appointment. A short term with the scope for re-appointment may affect independent functioning of the Board. Key functions of the Board are monitoring compliance, carrying out investigations, and adjudging penalties. In case of Tribunals, the Supreme Court (2019) had observed that short-term along with the provisions of re-appointment increases influence and control of the Executive. Regulatory authorities with adjudicatory role such as the Central Electricity Regulatory Commission and the Competition Commission of India have a term of five years under respective Acts. In case of TRAI, the term of appointment is three years. The term of appointment to SEBI is five years, specified through Rules.

SOURCES:

1. Pib.gov.in, Meity.gov.in
2. The Indian Express, The Times Of India And The Hindu
3. The Wire, Bar And Bench And Various Commentaries Of Experts Of The Field

Author's note and disclaimer:

1. The author does not offer any legal opinion or advice through this article. Views include personal opinionand opinion of other experts of the matter. These are results of extensive research of other independent materials on DPDPB 2023 that are freely available across various platforms. The author disclaims any liability that may arise on use of the article and professional advice is warranted.
2. This article is an assimilation of various views, commentaries and discourse on data protection, data privacy and the concerned DPDPB 2023 and the author claims no responsibility of the information given.