You may have heard the famous statement from Google’s CEO in 2010: “There was 5 Exabytes of information created between the dawn of civilization through 2003,” he said, “but that much information is now created every 2 days, and the pace is increasing.” It is often said that “Data is the new Oil.” This should be enough to show the importance of data.
While the Right to Access the Internet is protected by the Indian Constitution as a fundamental right, the data you generate while being on the Internet also needs to be protected, and thus come the Data Protection Laws.
Introduction
In early August 2023, the Indian Parliament passed an important Act, the Digital Personal Data Protection (DPDP) Act, 2023. This law marks India's first complete legislation on personal data protection, drafted after five years of detailed discussions and planning. The central question to explore is whether the long discussion led to the creation of an effective law—one that not only sufficiently protects personal data but also achieves a balance between an individual's right to data privacy and the necessity for lawful data processing, as outlined in the Act’s introduction.
The journey to the 2023 Act involved several versions. Initially, a draft was created by a panel of experts and shared for public input in 2018. This was followed by the government's 2019 bill, the Personal Data Protection Bill, which was extensively reviewed and later withdrawn by a parliamentary committee in December 2021. In response, a fresh draft titled the Digital Personal Data Protection Bill, 2022 was released for public consultation in November 2022, laying the groundwork for the 2023 legislation.
A landmark 2017 Supreme Court ruling in Justice K.S. Puttaswamy and Anr. v. The Union of India played a crucial role in shaping the right to privacy as a fundamental aspect of the right to life in India. This decision highlighted the necessity for protecting informational privacy, although it didn't specify exact methods for enforcement.
The government's 2019 version proposed a complete data protection framework guided by a strong Data Protection Authority (DPA). It introduced a preventive model that required data collectors to inform and obtain consent from individuals, ensure data accuracy and security, and restrict data usage to stated purposes. The bill also introduced "consent managers" to facilitate consent transactions on behalf of individuals and categorized data to impose stricter protections on sensitive information.
Businesses were designated as "data fiduciaries" with strict obligations such as data localization, audits, and impact assessments. The bill also allowed exceptions to consent under specific conditions like state functions, emergencies, and certain business operations.
While the 2019 bill's complete approach was seen as a step forward, its broad scope raised concerns about high compliance costs for both large and small businesses and the creation of a powerful DPA with extensive regulatory authority. These factors introduced the risk of either excessive or insufficient regulation, particularly given the novelty of such a comprehensive data protection framework in India.
Key Features of the DPDP Act, 2023
-
Simplifies data protection compared to its 2019 predecessor, easing business obligations while enhancing government powers without clear guidelines.
-
Applies to both residents and non-residents in India, covering data processing related to goods or services provided to individuals within India, regardless of the provider's location.
-
Data processing is permissible for any lawful purpose with free, specific, informed, and clear consent, defining legitimate uses like state-provided services and critical state functions.
-
Individuals have better rights, including access to their data, requesting corrections and erasure, and withdrawing consent, with specific protections for minors against harmful data processing.
-
Data fiduciaries must ensure data security, accuracy, prompt breach notifications, and data erasure upon consent withdrawal or fulfilment of purpose, with special obligations for significant data fiduciaries.
-
The 2023 Act scales back strict data localization requirements, allowing the government to restrict data transfers to certain countries if necessary, primarily for national security purposes.
-
Certain data processing activities are exempt for legal enforcement, research, and public order, with the government retaining broad powers to exempt entities, impacting uniform data protection measures.
-
The 2023 Act establishes the Data Protection Board of India (DPB) with a limited scope, focusing on data breach prevention and compliance, unlike the powerful Data Protection Authority proposed in 2019.
-
The DPB can impose substantial penalties for non-compliance, and data fiduciaries can settle complaints through voluntary agreements, with appeals directed to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
-
Allows the government to block public access to services provided by penalized data fiduciaries based on DPB recommendations, adding significant governmental control over data fiduciaries.
The DPDP Act, 2023 represents a major shift in India’s approach to data protection, aiming to balance regulatory oversight with the flexibility needed for diverse business practices and technological advancements. However, the broad powers granted to the government and the simplified regulatory body may raise concerns about effective oversight and uniform application of the law.
Analyzing the DPDP Act, 2023
How well does the DPDP Act of 2023 protect privacy?
For the first time, the 2023 Act establishes a law in India that governs data privacy. It sets rules requiring consent before personal data can be processed and outlines specific exceptions within the law. The Act gives individuals rights to access, correct, update, and delete their data and to nominate someone to manage their data after their death. It introduces added protections for children’s data and outlines clear responsibilities for businesses, including the need to inform consumers about data collection and ensure data security. The Act also sets up a system for consumers to address grievances through the Data Protection Board (DPB), which also holds the power to impose penalties for non-compliance.
This new legal framework aims to establish basic standards of behaviour and compliance for data-collecting businesses over time. The effectiveness of the law will largely depend on how it's implemented and enforced, such as whether the focus will be on data-heavy industries or applied more broadly across the economy.
Potential Issues with the Act:
Despite the establishment of a framework, there are concerns regarding certain provisions of the Act that could potentially weaken the protections it intends to offer:
-
State Exemptions: The Act allows significant exceptions for state functions, which could potentially over-empower the government compared to private entities. For instance, the law might let the government bypass consent requirements under certain broad circumstances like government service provisions, which could lead to extensive data pooling by government agencies without strict purpose limitations.
-
Discretionary Powers: The government has discretionary powers that could potentially weaken the protections, such as declaring certain businesses or industries exempt from the law’s provisions for up to five years without clear guidelines on how these exceptions are applied or how long they last.
-
Data Protection Board Design Issues: The structure of the Data Protection Board (DPB) raises concerns about its ability to function impartially and effectively. The board has limited regulatory powers and is highly dependent on the chairperson’s discretion in its operational functions, which could impact its ability to enforce the law impartially.
Implementation of the Data Protection Law
The DPDP Act, now law, will develop through three main regulatory inputs:
-
Central Government Rules:
-
The government will create rules on consumer notices, consent managers, data breach reporting, parental consent for children's data, and consumer rights.
-
It will also define roles for Data Protection Board (DPB) members, significant data fiduciaries, and appellate tribunal procedures.
-
These rules are less intense than those proposed for the Data Protection Authority (DPA), suggesting a lighter regulatory touch to foster innovation and flexibility.
-
DPB Decisions:
-
The DPB's decisions will guide businesses on compliance and help develop data protection jurisprudence.
-
The effectiveness of the DPB will hinge on the quality and clarity of its decision-making, shaping market behavior and future regulations.
-
DPB Directives:
-
The DPB's directives will influence regulatory practices despite the Act's lack of detailed guidance on issuing directives.
-
Internal checks, such as allowing entities to respond to draft directives, are essential to avoid unbalanced regulatory actions.
Conclusion
The overall regulatory trajectory will impact India’s tech markets and data handling policies. Challenges include centralized rule-making powers, particularly the authority to grant exemptions, which depends on the competence and autonomy of government departments. This setup might develop regulatory expertise within government departments before potentially transitioning to an independent regulatory framework, but it could also lead to overreach if not managed carefully.
Data sovereignty and security concerns, reflected in provisions like the government’s power to block access to certain information, will continue to shape data protection regulations. Interactions between the DPDP Act and other laws governing social media and IT services will further influence the data protection landscape as India's digital infrastructure and regulatory frameworks evolve.
While the DPDP Act sets the stage for comprehensive data protection, its successful implementation will depend on balanced and transparent regulatory practices, thoughtful government oversight, and a flexible approach to adapting to technological advancements and market dynamics.