Abstract
In today’s era of digital transformation, data holds a very important position, and a violation of its confidentiality may pose a significant risk to an individual and to the nation as a whole. Our indulgence in various social media platforms like Facebook, X, Instagram etc. has grown to such a level that they have become a predominant part of our daily life. Often unable to foresee what becomes of the personal information we hand to various online platforms, we end up sharing it with third parties who share it further. The best example of such a situation is when we start receiving multiple calls from various unknown numbers.
In order to keep a check on such stored data, the Government of India, on August 11, 2023, passed “The Digital Personal Data Protection Act 2023” to protect the rights of individuals pertaining to their data and to ensure the safe transfer of data.
Keywords
Data Protection, Digital Personal Data, Data Fiduciary, Data Principal, Data Protection Board, Cross-border transfer of data.
Research Methodology
This paper is based upon research from various secondary sources like newspaper articles, magazines, journals and websites, and cites various provisions of The Digital Personal Data Protection Act, 2023. It is descriptive in nature.
Review of Literature
In the Justice K.S. Puttaswamy v. Union of India case, the Supreme Court bench held the Right to Privacy to be a fundamental right under Article 21 of the Constitution.
In this judgement on the Right to Privacy, Chief Justice DY Chandrachud stressed the importance of the privacy of individuals and called it one of the foundational pillars of the Indian Constitution.
Introduction
The Facebook-Cambridge Analytica data scandal drew the attention of governments around the world in 2010 and made them realise that the priority of a 21st-century state should not only be to protect its citizens from external and internal violence but also to protect the data that their citizens possess, in order to ensure the safety of the country and its citizens. The personal data of millions of Facebook users was collected without their consent by Cambridge Analytica (a British consultancy firm), which used this data for political advertising. This illegal acquisition of data affected the privacy of almost 87 million users globally and 5.62 lakh Indians in particular.
In 2022, AIIMS, New Delhi witnessed another major breach of data privacy when five of its servers were attacked (and later recovered); almost 1.3 terabytes of data were encrypted and the data of millions of patients was compromised.
With everything moving towards digitalisation that requires access to personal data, the protection of data becomes an even more pressing issue. The Digital Personal Data Protection Act, 2023 came into effect after being passed by both Houses and receiving the assent of the President on August 11, 2023.
The Act focuses on processing digital personal data in such a manner that the rights of individuals pertaining to their personal data are protected while the requirement of such data for lawful purposes can also be met.
In the 2017 Justice K.S. Puttaswamy (Retd.) case (also known as the Aadhaar case)[1], the honourable Supreme Court overturned its prior judgements (MP Sharma[2] and Kharak Singh[3]) and held that the Right to Privacy is part of the fundamental Right to Life (Article 21) and hence cannot be infringed. The judgement further observed that state surveillance over the privacy of citizens is a much-debated issue in the current era.
This judgement was followed by the formation of the B.N. Srikrishna Committee in 2017, which submitted its report in 2018. The committee identified the loopholes in the data protection laws then in force, and its work laid the groundwork for what we today call The Digital Personal Data Protection Act.
Personal Data vs Digital Personal Data
Any data about an individual who is identifiable by or in relation to that data is called Personal Data, for example name, address, email ID, location, IP address etc. When this data is stored in digital form it is referred to as Digital Personal Data.
Data, according to Section 2(h) of the Digital Personal Data Protection Act of 2023, is a representation of information, facts, concepts, views, or instructions in a format appropriate for transmission, interpretation, or processing.
Data Principal, Data Fiduciary, Data Protection Board
According to this act, a Data Principal is the individual whose data is being collected; where he/she is under 18 years of age, their parents/guardian act as the Data Principal.
The entity (firm, corporation, individual, or state) that determines the goal and means of collecting and processing data has been referred to as a data fiduciary.
For instance, when one books a cab through any app, the user becomes a Data Principal as they are providing their information like their name, contact number, location etc. and the cab booking company becomes a Data Fiduciary as they are processing this data to provide the individual with the desired services.
Through this act, a Data Protection Board has been established as a supervisory authority to investigate complaints and issues relating to data protection. It does not have any power to issue guidelines or regulations.
Principles of the Act
The act takes into consideration all the parameters of data protection and security and lists out the rights and obligations of the Data Principal and Data Fiduciary.
1. Right to Consent
2. Restricting the purposes for processing of data
3. Data Minimisation: collection of data only to the extent it is required
4. Accuracy of the Data
5. Storing a limited amount of data
6. Reasonable security precautions
7. Accountability for any breach of privacy, with penalties imposed in case of breach.
The cornerstone of this legislation is founded on the idea of “purpose” for the Data Fiduciaries in collecting data. Section 4 of the Digital Personal Data Protection Act of 2023 stipulates that data must be gathered, processed, and kept solely for the reason agreed upon by the Data Principal, unless the purpose falls under one of the law’s exceptions.
Furthermore, the Act also draws attention to the “Right to be forgotten”. Although it is not explicitly mentioned in the Act, in its recent judgement in Sri Vasunathan vs. The Registrar-General[4] the Karnataka High Court stated that the Right to Erasure, or Right to be Forgotten, entitles an individual to request the removal of his/her personal data from the Internet. So where the Data Principal withdraws his/her consent, the Data Fiduciary is bound to erase the data given by the principal and no longer has any legal right to process it. The Data Fiduciary has to remove any links, copies or duplicates of the data relating to the principal from all internet platforms.
Obligations of Data Fiduciary
Section 4 of the Digital Personal Data Protection Regulations specifies the purposes for which data may be acquired:
1) Where the Data Principal has voluntarily provided personal information
2) The Data Principal has not indicated that he or she “does not agree” to the processing of personal data.
3) By the state and any of its instrumentalities for any function under any legislation in force in India at the time
4) For reasons of public interest
5) For the purpose of employment or to protect the employer from loss or responsibility.
Suppose an individual opens a bank account using the mobile app or website of that bank. Under government norms, Know Your Customer (KYC) is a compulsory process for opening a bank account. The individual chooses to have their personal data processed by the bank through a live, video-based customer identification process. Here the bank acts as a Data Fiduciary, and it is the duty of the bank to provide the customer with a notice stating the purpose of processing the customer’s personal data.
It is also the duty of the Data Fiduciary, where the principal shared the data before the commencement of this act, to inform the principal of the terms and conditions and to seek the principal’s consent for the sharing of their personal data.
For example, if a person registers with an e-shopping app or any other online platform and shares their personal data with the app or website before the commencement of this act, then upon the commencement of this act the Data Fiduciary is supposed to inform the principal of the purpose for processing the personal data, whether through e-mail, in-app notification or any other communication mode.
The Data Fiduciary also bears the responsibility to present the provisions for obtaining the consent of the principal in unambiguous and lucid language in order to avoid any confusion. Also, the principal has the right to obtain these provisions in any language specified in the Eighth Schedule of the Constitution of India.
The act remains silent as to the extent to which disclosure by the fiduciary may be made, and regarding any third-party disclosures.
Significant Data Fiduciaries
The Central Government has the authority to assign a class of Data Fiduciaries as “Significant Data Fiduciary” based on certain criteria like the quantity of data, the kind of personal data and its impact on the sovereignty and security of the country.
The best examples of Significant Data Fiduciaries are companies like Facebook, X, Instagram and even the Central Government as they all hold huge volumes of data stored with them.
The entities designated as Significant Data Fiduciaries by the Central Government will have to appoint a “Data Protection Officer”, who will be based in India and act as the point of contact for grievance redressal. The act also provides for the appointment of an independent “Data Auditor” who will be responsible for carrying out data audits.
The Digital Personal Data Protection Act borrows some provisions from Europe’s General Data Protection Regulation (GDPR), which defines “Sensitive Personal Data” as a distinct category of personal information that is more sensitive than ordinary personal data and includes details about individuals such as their health records, sexual orientation, genetics, biometrics, and so on. The Act defines a set of processing grounds that take into account the legitimate interests of the Data Principal and the Data Fiduciary. It makes no specific reference to a definition of Legitimate Interest, but based on the general drafting of the act it can be assumed that legitimate interest here refers to activities that allow businesses to handle particular data while guaranteeing that no undue influence is exerted on the principal.
Similarly, the “Personal Information Protection Law” (PIPL), which came into effect in 2021, focuses on giving Data Principals rights to prevent misuse of their personal data.
Withdrawal of Consent
Section 6(4) states the right of the Data Principal to withdraw their consent for processing the data.
For example, a delivery app may hold our personal data like our name, locations, preferences, order history etc.; all of this data is lost to the fiduciary once the principal withdraws their consent.
The entire purpose of putting so much emphasis on consent is to make organisations (fiduciaries) acknowledge that Data Principals are the sole owners of their personal data and that it cannot be used for purposes they have not agreed upon. This act makes Data Fiduciaries custodians of the data for the agreed-upon purposes, not its rightful owners.
Data Principal: Rights
Chapter III of the Digital Personal Data Protection Act recognises the rights of the Data Principal to correct, update and erase their personal data from the records of the fiduciary.
Section 14 of the act also includes the rights of the principal to nominate an individual who can exercise their rights regarding the personal data shared in case of death or incapacity.
Furthermore, it is also the duty of the Data Principal to comply with the provisions of all the applicable laws for the time being in force while exercising the rights under the provisions of this act (Section 15).
Under Section 15 (e) the Data Principal is bound to share all verifiably authentic information with the Data Fiduciary.
Data Protection Board
The Data Protection Board of India is discussed in Chapter V of the Act. It is an independent organisation established by the Central Government that will serve as a civil court and will have the authority to conduct investigations, administer penalties, and enforce the requirements of this act.
The Board will consist of a chairperson and such number of members as the Central Government decides. The chairperson holds general superintendence powers and gives directions on all administrative matters. He/She may further authorise any officer of the Board to investigate any complaint or reference addressed to the Board.
The act also makes special provision in Section 16, which gives the Central Government the authority to restrict the transfer of personal data by a Data Fiduciary for processing to any other country unless that nation has been recognised by the Central Government as possessing a suitable data security landscape and the government can access the data so provided whenever required; such nations are referred to as “notified countries and territories”.
For example, suppose a company named “X” holds an individual’s data and wants to take it across the border. The act does not stop it from doing so, but the data can only be taken to those countries that fall under the Central Government’s list of notified countries.
A lot of countries have decided to put restrictions on websites and applications that carry the risk of illegal transfer of data across borders and thereby hamper the privacy of the data shared by the Data Principal.
Countries like the USA, India, Europe and Canada have banned the use of apps like TikTok due to concerns arising from its sharing of content that tends to put public safety in jeopardy (posting content showing illegal activities, sharing violent and sexually explicit content, content that glorifies self-harm etc.).
The Indian government found that the data shared by the Indian citizens on the app was widely accessible to the employees at the Beijing-based parent company. This posed a potential threat to the safety of the individuals and the country as a whole. Hence in 2020, the Indian government decided to ban TikTok.
A recent Forbes article drew attention to the fact that even after 3 years of banning the social media app TikTok by the government, it continues to hold and use the data shared by Indian citizens.
In August 2023, the Ministry of Electronics and Information Technology banned 232 online betting and loan apps in India claiming that these apps had third-party links with China. The ministry also observed that many of these loan apps were debt-trapping the users by increasing the interest rate to up to 3000%.
Exceptions
The act provides the Central Government or its instrumentalities with exceptions whereby the personal data of Data Principals can be processed by the State for the purpose of enforcing legal rights, for research, or for gathering information regarding mergers and amalgamations etc.
Individuals are also exempted from data processing for personal or domestic purposes under the Act. For example, a blogger who posts information on a website makes his or her information consensually public, and so the terms of the act do not apply to them[5].
Moreover, data like the name of the plaintiff and defendant in a judgement that are available in the public purview cannot be considered personal data and hence they cannot be asked to be removed.
Penalties
The Act sets heavy fines ranging from ₹10,000/- to ₹250 crore for failure to comply with a Data Fiduciary’s responsibility to adopt appropriate security controls to avoid personal data leaks. For example, a Data Fiduciary such as a bank or financial institution may hold Data Principals’ personal data in physical form and fail to safeguard it even after it has been digitised. Papers holding sensitive personal information in the custody of Data Fiduciaries may be misplaced, resulting in financial fraud and in the Data Fiduciary’s failure to follow the security procedures meant to prevent a data breach.
Conclusion
In an era where a major part of our day-to-day life is influenced by various social media apps and is broadly dependent upon the Internet for even the smallest of conversations, it is important that the privacy of the data we share is maintained. With ever-changing geo-political dynamics between countries across the globe, almost all countries have realised the importance of codifying data protection and security laws in order to protect their citizens as well as the security of the nation.
Through the Digital Personal Data Protection Act, 2023, every individual is given the right to control his/her personal data and has also been given the authority to control his/her existence on the Internet.
This law caters to an arena which until now was left in the dark. Even though it still has its shortcomings and loopholes, the fact that it attempts to create an environment for safer data sharing, personal data protection and prevention of the misuse of personal data by Data Fiduciaries cannot be ignored.
References
1. Anuradha Gandhi, Rachita Thakur, The Digital Personal Data Protection Act, 2023: A Scenario of Arising Liabilities, Bar and Bench
2. Prashant Mali, Privacy Law: Right to be Forgotten in India, NLUI Law Review
3. Forbes, India Banned TikTok in 2020. TikTok Still Has Access to Years of Indians’ Data
4. Press Information Bureau of India, Salient Features of Digital Personal Data Protection Bill, 2023
5. Ministry of Electronics and Information Technology, Digital Personal Data Protection Act, 2023
6. New York Times, Cambridge Analytica and Facebook: The Scandal and the Fallout So Far
7. Abhishek Mitra, The Digital Personal Data Protection Act, 2023: The Inconspicuous Absence of Legitimate Interest, Bar and Bench
Gurdeep Kaur
Faculty of Law, University of Delhi
[1] Justice K.S. Puttaswamy & Ors. v. Union of India, Writ Petition (Civil) No. 494 of 2012, (2017) 10 SCC 1
[2] M.P. Sharma v. Satish Chandra, AIR 1954 SC 300
[3] Kharak Singh v. State of Uttar Pradesh, 1964 SCR (1) 332
[4] Sri Vasunathan v. The Registrar-General, (2017) W.P. No. 62038/2016
[5] Section 3(c), illustration, The Digital Personal Data Protection Act, 2023
