Introduction. The technological advancements, increasing digitization of the society and the shift of nearly all economic activities and human interactions to online platforms has elevated the importance of data privacy rights. [1] In recent years, many countries have initiated measures to implement data protection requirements, or are actively considering such actions. Likewise, India is also taking initiatives in the direction of enacting a data protection framework. Recognizing the importance of a data protection legislation, six years after the Supreme Court’s recognition of privacy as a fundamental right under the Indian Constitution, the Indian government has undertaken the endeavor to draft a data protection legislation. Recently, the Union cabinet approved the Digital Personal Data Protection Bill, 2023 (“2023 Bill”), which was introduced in the Lok Sabha on August 3, 2023. [2] In the light of its potential to substantially affect the Indian economy, this article will examine the Right to Privacy and the 2023 Bill in India.
Right to Privacy as a Fundamental Right in India
The Indian Constitution stipulates that “no individual shall be deprived of their life or personal liberty except according to procedure established by law” [3]. The Supreme Court in cases like Kharak Singh v The State of U.P., interpreted this Article 21 provision to encompass the protection of privacy. [4] Although the Constitution does not explicitly recognize a right to privacy as a fundamental right, the Court in Kharak Singh case recognised it as an integral aspect of personal liberty. [5] Yet the constitutional provision remained unclear, as contradicting decisions on the status of privacy as a fundamental right had also been given. [6] The prevailing view among the majority of judges in both Kharak Singh and MP Sharma cases was that the Right to Privacy cannot be attributed the status of a Fundamental Right. [7]
However, the data privacy related debate initially surfaced in India during discussions concerning the Aadhar card, which establishes a biometric system in India. This biometric system was made mandatory for accessing specific public services and benefits, however, the system facilitated disclosure of personal data to private enterprises as well. In the light of this background, the Supreme Court of India gave its seminal ruling in 2017, [8] acknowledging privacy as a fundamental right under Article 21 of the constitution, and thus also putting the debate to rest [9]. This judgment also pronounced ‘informational privacy’ to be an important aspect of the right to privacy. [10] This led to part of the Aadhar scheme being held violative of the right, even though the overall regime was upheld.
Development of Data Protection Regulation in India
Currently, India’s existing data privacy law is embodied in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“2011 Rules”), formulated under Section 43A of the Information Technology Act, 2000 (“IT Act”). [11] In 2008, IT Act was amended to insert this section 43A which mandates that a body corporate handling any ‘sensitive personal data’ must adopt reasonable security practices, and the Act allows for compensation in cases where data is not adequately protected, also the amendment inserted section 72 dealing with penalties for intentional breaches of personal data. [12] Notably, the IT Act does not address data protection explicitly and is concerned more with cybercrime issues, and as a result, fundamental terms and concepts like personal data, processing, consent etc. remain undefined. [13] Therefore, the need for a legislation specifically dedicated to Data Protection arose when the court was confronted with the question around privacy in the Aadhar case in 2017.
Even though in 2017, the Puttaswamy judgement established right to privacy as a constitutional right, it is crucial to understand that data protection is a subset of privacy and not an identical concept. [14] Data protection law may relate to handling of data, even in cases where individual privacy may not be directly implicated. As a result, data protection legislation is often more comprehensive than privacy laws since it encompasses a broader range of data. [15]
The Supreme Court in Puttaswamy [16] judgement, mandated the Indian government to establish a committee which would develop a comprehensive data protection framework and thus in response, the Justice B.N. Srikrishna Committee was established in 2018 with the task of drafting the Personal Data Protection Bill, 2018 (“PDPB”). [17] This bill closely followed the privacy frameworks in other jurisdictions such as the GDPR and Asia-Pacific Economic Cooperation (APEC) Privacy framework. [18] The PDPB 2019 underwent scrutiny by the Joint Parliamentary Committee which was formed for this purpose. However, it appears that the bill did not adequately encompass all the raised concerns regarding certain potential drawbacks associated with it [19] and therefore, it was subsequently withdrawn on 3 August 2022 by the Ministry of Electronics and Information Technology (‘MeitY’), with the intention to come up with a more comprehensive data protection legislation. [20]
On 18 November 2022, a draft of the Digital Personal Data Protection Bill, 2022 (‘the DPDP Bill’) was released by MeitY and finally, The Digital Personal Data Protection Bill, 2023 (‘2023 Bill’) which is the fifth iteration of such bill, was recently introduced in the Parliament on 3rd August 2023. The 2023 bill draws its foundation from principles that underpins personal data protection laws in other jurisdictions such as the General Data Protection Regulation (GDPR) [21]. Some of these shared principles include lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, confidentiality and accountability. [22]
A Few Key Highlights of the 2023 Bill
Key Definitions: The bill provides comprehensive definitions for several key terms. ‘Data’ is construed as information, facts, ideas, viewpoints or instructions presented in a manner conducive for communication, interpretation or processing, either by individuals or through automated means. [23] ‘Digital Personal Data’ refers to any personal data in digital format. [24] ‘Personal Data’ encompasses information pertaining to an individual who can be identified directly or indirectly based on that data. [25] It is noteworthy that this definition is not only confined to factual details about a person but may include any data (for instance, opinions) if such data enables identification of the individual. The individual to whom the personal data pertains is referred as ‘Data Principal’, [26] and in the case of a child, their parents or lawful guardian assume the role of Data Principal. [27] The bill further designates ‘Data Fiduciary’ as any person who either independently or in conjunction with other persons, determines the purpose and means of processing of personal data. [28]
This definition is on similar lines as the definition of ‘Data Controller’ under GDPR. Similarly, ‘Data Processor’ is referred as any individual processing personal data on behalf of a Data Fiduciary. [29] Lastly, the term ‘Processing’ concerning personal data, refers to a as a wholly or partly automated procedure or set of operations performed on digital personal data [30]. It includes various activities such as collection, recording, organisation, structuring, storage, adaptation, retrieval, erasure or destruction etc. [31]
Applicability and scope of the bill: The bill applies to processing of ‘Digital Personal Data’ which means personal data in digital form, [32] i.e., personal information which is collected either in digital format or in non-digital format, but which has been subsequently converted into a digital format. [33] Bill’s scope extends to the processing of digital personal data even when carried out outside the territory of India, if such processing is related to providing goods or services to Data Principals within the territory of India. [34] The Bill does not cover non-personal data, non-digital data, data processed for personal/domestic use, and any data that is made publicly available by the Data Principal or by any individual under a legal obligation to do so. [35]
Notice and Consent requirement: Firstly, the bill states that processing of personal data of Data Principal shall only be carried out for a lawful purpose, with the explicit consent of the Data Principal and for specific legitimate purposes. Lawful purpose is further construed as any purpose that is not expressly prohibited by law. Additionally, the Data Fiduciaries are obligated to provide Data Principals with a notice while obtaining consent from them [36].
The notice shall contain description of the personal data to be processed, the specific purpose of such processing, details regarding the manner in which a Data Principals may exercise their rights to withdraw consent, seek grievance redressal, and guidance on the process for data principles to file a complaint with the Data Protection board.[37] According to Clause 6 of the bill, consent provided by the Data Principal must be voluntary and out of their free will, specific, informed, unconditional and clearly expressed without any ambiguity, and it must be a clear explicit affirmative action demonstrating their consent for the processing of their personal data solely for the designated objective, and limited to the extent necessary for that specific purpose. [38] Also, the bill gives Data Principal the entitlement to withdraw/revoke such consent at any time. [39]
General Obligations of ‘Data Fiduciary’ and the Provisions of ‘Significant Data Fiduciary’: First and foremost, the Data Fiduciary has to bear the responsibility of adhering to the provisions of the Bill, even for any processing activities carried out on their behalf by a data processor. [40] Data Fiduciary has to put in place appropriate technical and organizational measures to ensure compliance with the provisions of the Bill. [41] The entity must also ensure that it takes reasonable security measures to prevent any unauthorized access or breach of personal data. [42] In circumstances of personal data breach, it is again the responsibility of the Data Fiduciary to provide notice of such breach to the Board and every affected Data Principal. [43] The Data Fiduciary is obligated to erase data along with ensuring that their Data Processors also delete the same, in instances where the Data Principal withdraws their consent or when it is reasonably believed that the intended purpose is no longer fulfilled, provided that retention of such personal data is necessary for adhering with any law in force. [44] Among other general obligations, the Data Fiduciary is required to establish a grievance redressal mechanism for the Data Principal [45]. Additionally, the Data Fiduciary must make public the contact information of a Data Protection Officer (DPO) who can address any inquiries raised by Data Principals regarding the processing of their personal data. [46]
The bill grants the Central Government the authority to designate/notify ‘Significant Data Fiduciary’ based on an assessment of factors like the volume and sensitivity of processed personal data, the potential risk to the rights of the Data Principal, potential impact on India’s sovereignty and integrity, any risk to democracy, and considerations related to state security and public order. [47] The ‘Significant Data Fiduciaries’ are obligated to designate a DPO and an independent data auditor [48]. Moreover, they also have the responsibility to carry out regular ‘Data Protection Impact Assessments’ and periodic audits. [49]
Rights and Obligations of Data Principal: The proposed bill confers upon the Data Principal the right to request specific information from the Data Fiduciary, to whom they previously granted consent for processing their personal data. Such information comprises a summary of their personal data undergoing processing, comprehensive details of processing activities involved, and the identities of other participating entities i.e., Data Fiduciaries and Data Processors who received their data, along with a description of the shared data.[50] Furthermore, the bill endows the Data Principal with the right to rectify, complete, update and erase their personal data for which they previously gave consent [51]. The Data Fiduciary is obligated to erase personal data upon such request by Data Principals, provided that retention is necessary for the specific purpose or for compliance with any prevailing law. [52] Additionally, Data Principal has the authority to appoint/designate another person to exercise their rights in the case of death or incapacity, and the bill also includes a right to seek grievance redressal. [53]
In addition to the rights, the bill also outlines the obligations of the Data Principal. Some of these duties includes refraining from impersonating another person while providing personal data, ensuring full disclosure of essential information when submitting personal data for any official documents or identity proofs issued by the state, refraining from making false or baseless complaints to a Data Fiduciary or the board, and providing verifiably authentic information when exercising the right to correction/erasure under the bill. [54]
Cross-border data transfers allowed under the Bill: The proposed bill permits data transfers to all jurisdictions unless specifically prohibited by the government through official notification. [55] The bill does not provide the specific conditions that may lead to the barring of certain countries from data transfers. However, if there is any stringent sector-specific regulations on data transfers, such regulations will continue to operate or remain applicable. [56]
Creation of Data Protection Board: Bill provides for establishment of a Data Protection Board of India by the Central Government, which will act as the adjudicatory and enforcement body under the bill. [57] The principal responsibilities of the board would encompass overseeing compliance matters, imposing sanctions for any breaches, issuing directives to data fiduciaries in response to any data breach and adjudicating grievances lodged by affected individuals. [58]
Penalties: The bill provides Data Protection Board with the power to impose a monetary penalty if the board determines that a person has significantly breached the provisions of the bill. [59] If a Data Fiduciary or Data Processor fails to inform both the board and the individuals impacted by a personal data breach, they could face a potential penalty of Rs.200 crore. [60] Furthermore, the Data Fiduciary or Processor may face penalties of up to Rs. 250 crores for their failure to implement adequate and reasonable security measures. [61] Additionally, in the event of an inquiry, if the Board determines that a person’s failure to comply with the provisions of the bill is of substantial nature, it is empowered to levy penalties as outlined in Schedule of the Bill, with each penalty of maximum ₹500 crores for each instance of non-compliance. [62]
Conclusion:
A diverse range of responses, including both favourable and unfavourable assessments, have emerged within the legal community in response to the bill. On the positive side, the bill is generally viewed as a proactive measure to enhance data privacy protections that signifies an important advancement in India’s digital landscape. Conversely, criticisms have also been voiced concerning certain aspects of the Bill.
Notable apprehensions have emerged regarding the scope of power granted to the Union government. For instance, the appointment of members to the Data Protection Board members by the Union Government raises legitimate concerns regarding the board’s independence in decision-making. [63] Additionally, wide exemptions have been afforded to the Government, allowing them considerable scope in data processing activities. [64] Furthermore, the Bill provides the Government with the power to exempt any class of Data Fiduciaries, including start-ups, from adhering to many provisions outlined in the Bill and this power can be exercised without the procedural safeguards. [65] Another point of criticism pertains to exclusion of personal data which is made publicly available by a Data Principal from the scope of the bill, thereby undermining the Data Principal’s ability to effectively safeguard their personal data from potential online scrapping activities. [66]
[1] Sayantan Chanda, Data Privacy and Elections in India: Microtargeting The Unseen Collective 18., Indian Journal of Law and Technology, Volume 18 Issue 2. https://repository.nls.ac.in/cgi/viewcontent.cgi?article=1115&context=ijlt
[2] Digital Personal Data Protection Bill 2023 Introduced in Lok Sabha amidst Opposition https://www.businesstoday.in/technology/news/story/digital-personal-data-protection-bill-2023-introduced-in-lok-sabha-amidst-opposition-392694-2023-08-03
[3] Article 21 of the Indian Constitution.
[4] [1962] INSC 377; 1963 AIR 1295 1964 SCR (1) 332.
[5] Ibid.
[6] M.P. Sharma a v. Satish Chandra 1954 AIR 300, 1954 SCR 1077.
[7] Jayanta Boruah and Bandita Das, ‘Right to privacy and Data Protection under Indian legal regime (16 March 2021), DME Journal of Law, Volume 1, 2020, https://papers.ssrn.com/abstract=3827766
[8] Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1 [157].
[9] Nivedita Baraily, ‘An Analysis of Data Protection and Privacy Laws in India’ 4., International Journal of law Management and Humanities, Volume IV, Issue I, 2021, DOI: http://doi.one/10.1732/IJLMH.25766.
[10] Anirudh Burman, Will India’s Proposed Data Protection Law Protect Privacy and Promote Growth?
(2020), Carnegie India <https://carnegieendowment.org/files/Burman_Data_Privacy.pdf
[11] (n 7).
[12] Ibid.
[13] Graham Greenleaf, ‘Promises and Illusions of Data Protection in Indian Law’ (2011) 1 International Data Privacy Law 47. https://academic.oup.com/idpl/article/1/1/47/759660
[14] Christopher Kuner ‘The Path to Recognition of Data Protection in India: The Role of the GDPR and International Standards’, National Law Review of India, vol. 33 no. 1 (2021)
[15] Ibid. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3964672
[16] Justice Puttaswamy v. Union of India
(2017) https://main.sci.gov.in/supremecourt/2012/35071/35071_2012_Judgement_26-Sep-2018.pdf
[17] Francois Godement, Digital Privacy: How Can We Win Battle? (2019)
https://www.institutmontaigne.org/ressources/pdfs/publications/digital-privacy-how-can-we-win-battle-study.pdf
[18] (n 8).
[19] Chanda (n 1).
[20] India: Comparing the Digital Personal Data Protection Bill, 2022 and the GDPR’ (DataGuidance, 24 January 2023) https://www.dataguidance.com/opinion/india-comparing-digital-personal-data-protection-0
[21]https://www.hindustantimes.com/analysis/digital-personal-data-protection-bill-a-brief-overview-lok-sabha-monsoon-session 101690988066427.html
[22] ibid.
[23] Clause 2(h) of the Digital Data Protection Bill, 2023
[24] Clause 2(n) of the Digital Data Protection Bill, 2023.
[25] Clause 2(t) of the Digital Data Protection Bill, 2023.
[26] Clause 2(j) of the Digital Data Protection Bill, 2023.
[27] Clause 2(j) of the Digital Data Protection Bill, 2023.
[28] Clause 2(i) of the Digital Data Protection Bill, 2023.
[29] Clause 2(k) of the Digital Data Protection Bill, 2023.
[30] Clause 2(x) of the Digital Data Protection Bill, 2023.
[31] Ibid.
[32] Clause 2(n) of the Digital Data Protection Bill, 2023.
[33] Clause 3(a) of the Digital Data Protection Bill, 2023.
[34] Clause 3(b) of the Digital Data Protection Bill, 2023.
[35] Clause 3 (c) of the Digital Data Protection Bill, 2023.
[36] Clause 5 (1) of the Digital Data Protection Bill, 2023.
[37] Clause 5 (1) of the Digital Data Protection Bill, 2023.
[38] Clause 6 of the Digital Data Protection Bill, 2023.
[39] Clause 6(4) of the Digital Data Protection Bill, 2023.
[40] Clause 8(1) of the Digital Data Protection Bill, 2023.
[41] Clause 8(4) of the Digital Data Protection Bill, 2023.
[42] Clause 8(5) of the Digital Data Protection Bill, 2023.
[43] Clause 8(6) of the Digital Data Protection Bill, 2023.
[44] Clause 8 (7) of the Digital Data Protection Bill, 2023.
[45] Clause 8(10) of the Digital Data Protection Bill, 2023.
[46] Clause 8(9) of the Digital Data Protection Bill, 2023.
[47] Clause 10(1) of the Digital Data Protection Bill, 2023.
[48] Clause 10(2) (a) & (b) of the Digital Data Protection Bill, 2023.
[49] Clause 10(2) (c) of the Digital Data Protection Bill, 2023.
[50] Clause 11(1) of the Digital Data Protection Bill, 2023.
[51] Clause 12(2) of the Digital Data Protection Bill, 2023.
[52] Clause 12(3) of the Digital Data Protection Bill, 2023.
[53] Clause 13 the Digital Data Protection Bill, 2023.
[54] Clause 15 of the Digital Data Protection Bill, 2023.
[55] Clause 16 of the Digital Data Protection Bill, 2023.
[56] Clause 16 of the Digital Data Protection Bill, 2023.
[57] Clause 18 of the Digital Data Protection Bill, 2023.
[58] Clause 27 of the Digital Data Protection Bill, 2023; also see ‘The Digital Personal Data Protection Bill, 2023’ (PRS Legislative Research)
<https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023>
[59] Clause 33 of the Digital Data Protection Bill, 2023.
[60] Saurav Mukherjee, ‘Explained: Digital Personal Data Protection Bill’ (mint, 3 August 2023) https://www.livemint.com/news/india/explained-digital-personal-data-protection-bill 11691063664201.html
[61] ibid.; also see Schedule of the Digital Data Protection Bill, 2023.
[62] Ibid.; also see Schedule of the Digital Data Protection Bill, 2023.
[63] IFF’s First Read of the Draft Digital Personal Data Protection Bill, 2023 (Internet Freedom Foundation, 3 August 2023) https://internetfreedom.in/iffs-first-read-of-the-draft-digital-personal-data-protection-bill-2023/
[64] ibid.
[65] Charu Singh, Data Protection Bill: Implications Of Wide Exemptions To Government’ (BQ Prime, 4 August 2023) https://www.bqprime.com/nation/digital-personal-data-protection-bill-experts-raise-key-concerns
[66] IFF’s First Read of the Draft Digital Personal Data Protection Bill, 2023 (n 63).
Author: Anupriya Singh, Master Student at Tilburg University Law and Technology & Intern Data Privacy and Digital Law EU Digital Partners
