The Lok Sabha, on Monday, passed the Digital Personal Data Protection Bill (DPDP), 2023. This legislation seeks to define the responsibilities of entities handling and processing digital data while protecting individuals' right to privacy in India.
The fundamental goal of the DPDP Bill is to develop a comprehensive framework for personal data protection. This paradigm applies to personal data acquired in India, including both online and offline data that has been digitised.
Since the Supreme Court determined in the landmark Puttaswamy judgement (2017) that privacy is a fundamental right of Indian citizens and that the government must enact legislation to protect this right, a data protection law has been in the works. The current DPDP Bill is the third revision of India’s draft data protection law.
What are the key highlights of the Bill?
Application of the Bill:
The Bill is applicable while processing of personal data collected within India's territory when it is digitally stored or digitised after being initially collected in non-digital form. It is also applicable outside of India, if the processing is in connection with any activity related to offering of goods or services to users within the territory of India.
In case of cross border data flow, the Centre will come up with a allow list of countries where data of Indian citizens are allowed to be stored.
It is not applicable to the data made publicly available by the user (on social media or via blogs), or any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available.
Responsibilities of data fiduciaries:
Data fiduciaries refers to "any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data".
Data fiduciaries can only process personal data for lawful purposes for which an individual has given consent or for "certain legitimate uses" prescribed in the Bill. They are required to give users a notice before requesting their consent. In case a user gave consent before the inception of this Act, the data fiduciary must give this notice "as soon as it is reasonably practicable".
The Bill mandates that the notice must inform users in clear and plain language what personal data will be collected and purpose of the same. Additionally, the consent must “be free, specific, informed, unconditional and unambiguous with a clear affirmative action". Users have the right to withdraw consent at any time with the same ease as they were able to give consent.
Personal data must be erased once the user withdraws their consent or as soon as it is reasonable to assume that the specified purpose is no longer being served. A data fiduciary is mandated to protect personal data in its possession and also notify both the Data Protection Board and each affected party in case of a data breach.
"Legitimate uses" do not require consent:
According to the Bill, legitimate uses are those cases where data fiduciary can do away with seeking a consent from the user. This happens if the user willingly provides the data fiduciary their personal information for a designated purpose and has not told the fiduciary that they do not consent to the use of their personal information. For instance, when a user gives a store their mobile number to receive the bill, the store may utilise that information to send a receipt.
It also refers to the cases where state or its agencies need data to "perform any function under any law or in the interest of sovereignty and integrity of India or security of the State to provide any subsidy, service, benefit, certificate, license, or permit to the user".
Apart from this, court orders, employment, medical emergency, epidemic and disasters are also cases of legitimate uses.
Processing children’s data:
Verifiable consent must be obtained from the parent of the child (defined as anyone under the age of 18) or the lawful guardian before processing any personal data of the child. Any processing of personal data should not be undertaken which is “likely to cause any detrimental effect on the well-being of a child”.
Exemptions under the Bill:
The Central Government can be exempted from the Bill in cases related to the sovereignty and integrity of India, security of state and maintaining public order. It is also exempted from the Bill while processing any personal data that an exempted entity may furnish to it.
Furthermore, users have no right to ask for the deletion of their personal data that the government or its instrumentalities have collected about them, and they are free to keep that data for as long as they want, whether or not the original purpose for collecting it has been fulfilled.
Based on the quantity and type of personal data they handle, the Central Government has the authority to exempt specific data fiduciaries or a class of data fiduciaries, "including startups".
The Central Government may issue a notification within five years of the commencement date of this Act stating that any provision of this Act shall not apply to such data fiduciary or classes of data fiduciaries for the time period that may be indicated in the notification.
Rights and duties of data principles:
According to the Bill, the individual to whom the personal data relates is called the data principle. They have the the right to request a summary of their personal data which is being processed by the data fiduciary and the processing activities undertaken by the data fiduciary with respect to such personal data.
They can also ask for the identities of any other data fiduciaries and data processors with whom the personal data has been shared, provided the secondary data fiduciary is not authorised by law to obtain such personal data “for the purpose of prevention or detection or investigation of offences or cyber incidents".
They also have the the right to request for correction of misleading or inaccurate personal data, completion of incomplete personal data and updating personal data. They can also request for the erasure of their personal data unless the retention is not necessary under compliance of any law.
They also have the right to “readily available means of grievance redressal provided by a Data Fiduciary or a Consent Manager”. A data principle can nominate any other individual, who shall, in the event of death or incapacity of the user, exercise their rights.
A data principle must comply with all applicable laws under the Bill, should not impersonate others while providing their personal data, should not suppress any important material information and lastly, should not register a false or frivolous grievance or complaint.
Is the Bill more intrusive than protective?
Speaking to BOOM, Prateek Waghre, policy director of Internet Freedom Foundation, pointed out that the Bill has been expanding its exemptions with each version. "Apart from retaining the power to exempt any government instrumentality from the application of the DPDP, the Union Government now has the the power to exempt certain data fiduciaries including private entities and start-ups", he said. The mention of "start-ups" is very unclear as of now, according to Waghre.
The "deemed consent" from the earlier versions has now been rebranded as "legitimate uses". However, the content of the clause largely remains the same, wherein, the processing of personal data may be done without obtaining the informed consent of the data principal in certain situations. "The scope of these legitimate uses is very expansive and leaves very little out of its purview," said Waghre.
Any personal information made publicly available by a data principal or another person in order to comply with the law is excluded from the DPDP Bill. According to Nikhil Pahwa, founder and editor of Medianama, a technology policy analysis website, this will help AI companies scrape all publicly available data and use it to build their large language models to build their databases.
In a conversation with The Core, Pahwa said, "From a privacy perspective, it means that any information being made public can be scraped and copied and used by anyone anywhere. And in fact, there have been lawsuits against a facial recognition company, Clearview AI in the United States and it lost those lawsuits because they were scraping social media photographs of people to train their AI and identify people.”
The DPDP Bill also seeks to amend the Right to Information (RTI) Act by restricting its scope, and giving “wide discretionary powers” to the Union government, according to Waghre. The amendment to Section 8(1)(j) of the RTI Act will lead to non disclosure of all personal information to the citizens (for example, official information, such as, minutes of a particular meeting). Earlier, this was just applied to sensitive personal information.
The RTI Act originally stated that, “information which cannot be denied to the Parliament or a State Legislature shall not be denied to any person”.
Speaking to The Core, Pahwa pointing out towards the impracticality of the provision in relation to the children consent. He said, "“In making an attempt to protect children, what's happened here with this bill is that every single website, every single app will have to verify the age of every individual using that service and it has to be verifiable consent." So, children who are growing up between 13 and 18, will be robbed of agency, as they would need parental permission to do anything on the internet, even accessing a news website.
Nevertheless, Pahwa believes that the bill has taken the right approach on data localisation. He said, “Cross-border data flows, which is that the data of Indian citizens can be stored outside of India unless there is a local regulator which mandates data localization." According to the Bill, the Centre will come up with a block list which will block data from being stored in certain jurisdictions.
Another slight improvement in the Bill, pointed out by Waghre was the "narrowed scope of duties of data principal". According to him, "The concept of duties of a data principal is itself flawed and should not exist, but the government has narrowed its scope as compared to earlier versions, which is a good thing."
Do you always want to share the authentic news with your friends?