This article has been written by Prasenjeet Sudhakar Kirtikar and edited by Shashwat Kaushik pursuing a Diploma in Corporate Litigation from LawSikho. In this article, we will discuss the measures taken by some countries to handle data protection and how India made a provision to protect the digital personal data of its people by enacting the Digital Personal Data Protection Act 2023. We will discuss the scope, nature, salient features, and drawbacks of the Act, along with its effect on Indian society, administration, and e-commerce.
It has been published by Rachit Garg.
Every human being living in a society has personal information such as his name, age, address, profession, income, marital status, educational qualification, his likes and dislikes, where he goes, and what he does, as well as information about his family, like the number of family members and their individual personal information. This set of personal information about an individual can also be termed personal data about that individual. In a modern society, every citizen has the expectation that his or her personal data should not be made public without his or her consent. On the other hand, state agencies and business entities require the personal data of individuals to understand the needs and interests of individuals and society in order to achieve socioeconomic growth.
The inception of the revolution in information technology at the beginning of the 21st century has brought the world closer together to form a big, giant global village where information of all kinds is exchanged. With the rise of social networking, digital marketing, and other similar concepts, information about people has also been shared and controlled by both government agencies and business entities.
In this era of digital socio-economic growth, the need for statutory control over such digital data transactions, to protect the privacy of people and to prevent the use of their personal data without their consent, has been voiced even at the international level.
The impact of globalisation and the emergence of the information technology revolution gave rise to complexity in business transactions across the world beyond imagination. Along with this, online business sectors like digital marketing and digital advertising expanded like never before.
Nowadays, this business growth in digital form also demands marketing and advertising to amass the vast personal information of individuals to synthesise and understand the trends pertaining to their likes and dislikes. This disclosure of digital personal information on various online business platforms gives rise to a universal concern to safeguard the privacy of individuals. Even state agencies can misuse this digital data for their own good, giving a blow to the process of democratisation.
The issue of protecting the personal information of individuals in digital form has alerted various international organisations as well as countries across the globe. Therefore, in order to create a perfect shield to protect the digital personal data of citizens, various countries enacted laws and made stringent provisions to punish the wrongdoer for non-compliance.
As per the report of the United Nations Conference on Trade and Development (UNCTAD), 137 out of 194 countries (71%) have enacted legislation in some form to protect digital data and the privacy of their people. In Europe, 44 out of 45 countries; in the Asia Pacific region, 34 out of 60 countries; in Africa, 33 out of 54 countries; and in America, 26 out of 35 countries have enacted laws to protect the data privacy of their citizens.
In 2018, the European Union (EU) enacted and implemented the General Data Protection Regulation, which proved to be a significant guideline for other organisations and countries. Another important framework for data privacy was framed by the United States in the form of the California Consumer Privacy Act (CCPA) in 2018, which came into force in 2020 after a few amendments. The Asia Pacific Economic Cooperation (APEC) also developed data privacy principles known as the APEC Privacy Framework in December 2005. Moreover, some of the significant global organisations, like the Organisation for Economic Cooperation and Development (OECD), also developed Guidelines for Personal Data Protection in 1980, which were later updated in 2013 and proved to be a benchmark for other international entities, like the International Energy Agency (IEA).
The Singapore government enacted the Personal Data Protection Act (PDPA) in 2012, which came into operation in 2021, addressing the need for the protection of digital personal data of its citizens. The Act regulates the collection, use and disclosure of personal data by organisations and has a very special provision for the Do-Not-Call (DNC) registry, in which information is registered for customers/citizens who do not want to be called by a business agency for marketing. The Personal Information Protection Law (PIPL) passed by the People’s Republic of China is its first comprehensive law enacted to protect personal digital data. The PIPL is mostly inspired by the guidelines showcased in the GDPR of the EU. In the case of Canada, Bill C-27 is an act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts. Also, the United Kingdom has enacted the Data Protection Act 2018 by simply following the directions of GDPR. The Act also provides for the transfer of personal data to third countries and defines six different data protection principles. It is important to mention here that enactments like CCPA, GDPR, PIPL and others proclaim anonymized data as non-personal data. The anonymization of data means “the process by which personal data is modified in such a way that the person to whom it belongs can no longer be identified directly or indirectly, either by the data controller alone or in collaboration with any other party”. In other words, the privacy of the person is completely protected.
In coordination with international policy and business affairs, India has realised the need to enact a data protection act for its people.
Also, being an emerging superpower, our country is attracting various kinds of global businesses trying to get established in the vast Indian market. In the process of conducting online business, the personal data of Indian citizens remains at stake. To safeguard the privacy of the Indian masses and to understand the scope of privacy law, the Government of India appointed a committee of experts under the chairmanship of Justice B.N. Srikrishna. In December 2010, the committee submitted its report, “A Free and Fair Digital Economy Protecting Privacy, Empowering Indians,” which eventually paved the way for the enactment of the Digital Personal Data Protection Act, 2023 (the Act) in India.
Now let us discuss the commencement, scope, important definitions and salient features of the Digital Personal Data Protection Act 2023.
Digital Personal Data Protection Act, 2023
As per Section 1(2) of the Act, the Central Government of India is vested with the power to decide on what date the provisions of the Act will take effect. It is the discretion of the Central Government to notify the implementation of different provisions on any date it deems fit by publishing the same in the official gazette. Since the Act has retrospective effect, such provisions will help the responsible stakeholders set up a mechanism to adhere to the rules and regulations as per the Act. Also, as per Section 17(5), the Central Government has the power to declare non-application of any provision of this Act to any data fiduciaries for a specific time. This power can be exercised within five years of the commencement of the Act, not after that.
On September 28, 2023, Rajiv Chandrasekhar, India’s Minister of State for Electronics and IT, gave big giants like Google and Meta a period of around one year to set up a framework for compliance with the Act and also announced that the process of setting up the Data Protection Board would start within a month.
The Act ensures the synthesis of digital personal data in such a way that it protects the right to privacy of the citizens of India. Once consent is given, it can be withdrawn anytime by exercising the right to withdraw consent under Section 6(4); the person can exercise the right to access information about his personal data under Section 11(1); the right to correction, completion, updating and erasure of such data can be exercised under Section 12(1); the right to grievance redressal is provided as per Section 13(1); and the Act also offers a unique feature of the right to nominate under Section 14(1).
All the above rights are guaranteed by the Act and form part and parcel of the right to privacy, which further falls under the right to life and personal liberty enshrined in Article 21 of the Constitution of India.
In Justice K.S. Puttaswamy (Retd.) and Anr. vs. Union of India and Ors. (2017), the Supreme Court held that the right to life and liberty also includes the right to privacy. Therefore, the Act very well safeguards the right to life and personal liberty by prohibiting the leakage of digital personal information.
As per Section 9 of the Act, it is applicable to children and persons with disabilities, and their right to privacy can be protected through their guardians. The section also prohibits child behavioural monitoring and targeted advertising.
As per Section 3(a), only personal data that is in digital form and personal data taken in non-digital form but digitised later fall within the ambit of the Act. However, it is difficult to find out whether non-digital data has been digitised later or not.
As per Section 3(b), the digital personal data of the citizens living in India, though shared outside India, also falls under the purview of this Act.
It is also important to understand that, as per Section 3(c) of the Act, if any citizen discloses his own data voluntarily, then the Act does not apply. For example, while commenting on any post on Facebook or Twitter, the name and profile of the person can be seen by others. Such disclosure of identity will be the sole responsibility of the person.
This law is applicable to all kinds of digital business entities (data fiduciaries), all kinds of agents (data processors) and the state synthesising the digital personal data of Indian citizens.
Some important definitions
The Act has introduced a few new concepts to engulf the roles of different stakeholders related to the transaction of digital personal data. Below are some of the concepts as defined in the Act.
Data principal: As per Section 2(j), a data principal is a person whose personal data is at stake. It includes children and people with disabilities.
Data fiduciary: As per Section 2(i), all kinds of business entities that have custody of the digital personal data of other individuals for a specific purpose.
Data processor: As per Section 2(k), a person acting on behalf of the data fiduciary and playing an important role in synthesising digital personal data.
As per Section 2(l) of the Act, a data protection officer is a person appointed by a significant data fiduciary. The Act has also defined the Data Protection Board under Section 2(c) and its consent manager under Section 2(g), who will help the data principal manage, review and withdraw his consent. The Act also has the unique feature of addressing a person as “she” instead of “he” as per Section 2(y), irrespective of their gender. According to Section 2(t), personal data can be any data with the help of which the person can be identified and as per Section 2(n), digital personal data can be any personal data available in digital form.
Salient features of the Act
In coordination with other major international statutes like GDPR, the Act provides for special features to protect the right to privacy of the Indian masses. Let us discuss and understand some of the essential features of the Act.
- Data security: It helps to strengthen India’s digital economy and its ecosystem by trying to achieve balance between ease of doing business and protection of people’s privacy.
- For the first time in the Indian parliamentary law making process, “she” is used instead of “he,” recognising the addressee as a woman.
- Definitions: The Act provides different names for different stakeholders in the transaction of digital data, for example, “data fiduciary” for business entities, “data principal” for a person to whom the personal data relates, “data processor” for an agent of a data fiduciary who is processing the personal data of other people, etc.
- Application: As per Section 3, the provisions of the Act are applied to personal data only if it is in digital form, or in non-digital form if digitised later, within India or outside India for a person living in India. However, any provision of this Act will not apply when the data principal himself discloses his personal data on any digital platform, e.g., disclosing your name and profile by commenting on any post on Facebook, Twitter or any similar social networking platform.
- Notice: As per Section 5, a notice must be served to the data principal to inform about the manner and purpose for which her digital personal data is going to be used.
- Consent: As per Section 6(1), a consent provided by the data principal must be free, unconditional and clear to agree on using her personal data for any specific purpose. It is also important to note that if any consent taken from the data principal violates any provision of the Act, then such consent will be invalid. E.g., if any consent is taken saying that the data principal will not approach any authority to file any complaint against the data fiduciary, such consent will be invalid. Moreover, the data principal will have the right to manage, review and withdraw her consent with the help of a consent manager registered with the Data Protection Board established as per the Act.
- State's powers: As per Section 1(2), the Central Government will decide the dates for the implementation of different provisions of the Act. The state and its agencies have been given rights under Section 7(b) to process digital personal data for the purpose of subsidy, benefit and other similar services as per government policies. The state also has the power to use the personal digital information of citizens in the interest of the sovereignty and integrity of India. As per Section 7, digital personal data can be used for some legitimate purposes, such as responding to medical emergencies like pandemics and epidemics, ensuring the safety of people during social disturbances, etc.
A very significant provision of the Act lies under Section 16(1), which grants the Central Government the power to restrict the transfer of personal data to any country outside India. Similarly, Section 40 provides power to the central government to make rules pertaining to various provisions of the Act and Sections 42 and 43 give the Central Government the power to amend the schedule and remove difficulties in the practical implementation of the Act respectively.
- Obligations on data fiduciaries: The Act imposes huge responsibility on data fiduciaries and data processors working on behalf of data fiduciaries in terms of serving notice, taking consent, and ethical use of digital personal data. It also mandates the data fiduciary to report to the Data Protection Board about leakage of personal information.
As per Section 10(2), it is an obligation of the significant data fiduciary to appoint a data protection officer and to conduct a Data Protection Impact Assessment and other relevant audits from time to time.
- Rights and duties of data principal: Chapter 3 of the Act provides for various rights of the data principal, such as right to access his digital information, right to correct and erase his data, right to file a complaint with an appropriate authority, right to nominate and also provides for duties of the data principal, such as not to commit any kind of fraud or legal mistake pertaining to the provisions of this Act or any other law.
- Exceptions: However, it is also important to understand that the rights provided under this act for the protection of digital data of Indian citizens are not absolute and, as per Section 17, certainly bear some exceptions, such as:
- processing of personal data by any court or tribunal is valid.
- processing of personal data of an insolvent to decide his assets and liabilities.
The Central Government has been almost exempted from any obligation with regard to the synthesis of digital personal data of citizens under the Act and is free to use such data in the name of research and development. It is also empowered to decide on the application of any provision of this Act to any class of data fiduciaries within the five years of implementation of the Act.
- Data Protection Board of India and Appellate Tribunal: The board will have perpetual succession and members can be reappointed; they are also protected for any action taken in good faith. The board is empowered to inquire into any breach of information security, can direct any remedial action, impose a fine on the wrongdoer and also has powers similar to those of a civil court to conduct proceedings. And also, there is a provision for an appeal to the Tribunal against any order passed by the Data Protection Board.
- Punishments: The task of protecting the digital personal information of citizens has been taken very seriously by the Indian parliament, which has enacted stringent punishments for infringements of the right to privacy. For example, if a data fiduciary violates his obligations as per the Act, he will be liable for a fine of Rs. 250 crore (Rs. two hundred and fifty crore).
A few more important features:
- The Act prohibits child behavioural monitoring and targeted advertising.
- The complaints can be resolved with the help of the Alternative Dispute Resolution (ADR) system.
- All sectors and business segments functioning digitally are under the purview of this Act.
The conscience behind enacting the Act was to address issues related to the protection of the privacy of people for healthy socio-economic growth. However, the present Digital Personal Data Protection Act, 2023, showcases some concerns that need to be addressed in the near future. Let us try to understand some major concerns pertaining to the provisions of the Act.
- Unlimited power and zero liability of the state: The Central Government has the power to decide the dates for the implementation of different provisions of the Act. The state also has the power to use the personal digital information of citizens in the interest of the sovereignty and integrity of India, which can be misused by government agencies in the name of national security. Similarly, Sections 40, 42 and 43 give the Central Government the power to make rules related to various provisions, the power to amend the schedule and the power to remove difficulties in the practical implementation of the Act, respectively, which can be misused for political gains by controlling large public information.
Also, the Central Government has been given the power to regulate and exempt significant data fiduciaries without any liability to provide a reason for the same. In the same way, the Central Government can appoint and reappoint members of the Data Protection Board as per its will.
- Definition of child: A person below the age of 18 years is considered a child as per the Act. But it is necessary to see if someone of that age really needs to be taken care of when it comes to the protection of private information.
- Application: The Act is applicable to digital data and non-digital data if digitised later. But how will a person know whether the information he has provided by filling out a form as a hard copy is digitised or not digitised by the data fiduciary? If he is not aware of that, how will he subsequently exercise his other rights as per the Act? Also, there is no provision for any data submitted in non-digital form.
- International guidelines: the Act failed to follow the international guidelines and even the provisions of previous drafts to include the provisions related to “sensitive personal data” and “anonymisation of data.”
- Data Protection Board of India: The Data Protection Board of India is expected to be one of the most independent and powerful institutions as it protects privacy of the entire nation. Unfortunately, it is completely controlled by the Central Government.
Also, it has a perpetual nature and reappointment of members is allowed, which will result in corruption and unethical practices.
- Classification of offences: The Act failed to classify different types of online offences and extent of offences. For example, a data fiduciary steals digital personal data for financial gain and another data fiduciary steals to commit a more serious crime. Will they be punished in a similar way?
Impact of the act on Indian society, business and government administration
Impact on Indian society:
- Need to spread awareness: Just like other statutes, for effective implementation of the Act, the active participation of people is very important.
- More safety: Upon implementation of the Act, the individuals will feel more secure as they will not receive any unwanted calls or unexpected flashing advertisements while watching their favourite programme on any online platforms.
- Exercising rights as per the Act: They can question any private business entity about their personal data and can complain to the Data Protection Board to ask for details.
The major obligations under the Act lie with business entities. It is going to be a challenging task for online businesses to adhere to the provisions of the Act. They will have to develop mechanisms for consent management, to fulfil data principals' rights and for data breach notification. They will also have to conduct data privacy impact assessments and audits. They will need to prepare for a data inventory, plan to limit third party access to digital data, and implement a few more technical safeguards and training programmes. This entire process will add additional one-time and recurring costs to the business.
Impact on government administration:
- Role of protector: The state enters into the role of protector of data with increased responsibility towards data privacy. After the implementation of the Act, the state will be accountable for breaches of information, among other responsibilities. It will have to monitor information transactions even outside of India.
- Credibility: As the Act provides the Central Government with vast powers and exempts its officials from any kind of punishment, it becomes the duty of the State to prove its credibility by avoiding any unethical practices.
- Efficiency: The state will have to set up a strong digital infrastructure to check online data leakages and frauds. Since data protection is going to be a new area of adjudication, the Data Protection Board and related offices must respond to complaints from the public more efficiently.
Heads up for the common man:
Though the implementation of the Act will take some time, it is important for a common man to understand his rights and duties as per the Act. Let’s discuss a hypothetical situation:
As a customer, when you visit a showroom to purchase a car, you will be asked to fill out a form as a visitor. It is your right to reject it if you don’t want to fill it. That will make clear whether or not you have consented to the sharing of your information. Further, if you are filling out that form, it is your right to know for what purpose and until what time in the future it is going to be used. Also, make sure that you receive all the information about the use of your personal data and about your rights under the Act from the business entity, i.e., the data fiduciary.
This is applicable wherever and whenever you provide your personal information to any person, representative or business group in the name of a survey, data collection, providing facilities, giving attractive offers or any other activity.
India has now joined the club of countries that show concern for the protection of the privacy of their citizens. By following significant guidelines provided by the majority of the acts at the international level, India also expressed its progressive view by enacting the law on data privacy. However, the Act showcases some concerns pertaining to the role of the Central Government. Though private entities are well monitored by the provisions of the Act, the Central Government remains almost outside its purview. There is no provision in the Act to curb the wrongful action committed by government authorities. On the contrary, they are exempt from any kind of punishment in the name of “action taken in good faith”. Thus, it can be clearly observed that the Act mostly focuses on private entities and gives a free hand to the state to handle the personal data of individuals at its will.
Though there are many loopholes at present, the lawmakers also made a provision in the Act to amend any provision to fulfil the ultimate purpose of digital personal data protection of citizens of India.
In what possible way and within how much time will the state implement the Act? How will the business entities set up an efficient framework in response to the Act? And most importantly, how will the Indian masses exercise their rights and duties to protect their own personal data on all kinds of digital platforms? Time will answer.