ABSTRACT
This research paper analyzes the recent Personal Data Protection Act 2023 and its pros and cons, how it was formulated, and why such legislation was needed in the first place. Data is the new currency, and as India is a growing technological economy, data protection law is the need of the hour. India not only stores data but also transfers it to other businesses and MNCs. This can lead to massive data breaches and leaks, which call for a strong security and protection system. The legislation not only increases users’ awareness of data breaches and privacy but also informs them of their rights and duties. The Act provides various rights and duties to data principals (those who give data) and data fiduciaries (those who collect data). Other legislation on data protection is analyzed. The paper gives a brief history of how the current Act came about and which committees were involved in drafting it and reporting on it. Various features and challenges of the Act are examined. The researcher attempts to give a holistic overview of the whole Act.
KEYWORDS
Data, PDP ACT, Data protection, Data breach, Data principal
INTRODUCTION
“DATA” is defined as a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means.[1] India has the world’s second largest population and a continuously developing economy; therefore large amounts of data are required, collected and processed from India. In this new age of technology, data is the new currency. Adequate measures are therefore required to protect “data”, as it contains crucial and private information about individuals such as names, emails, addresses, bank details, mobile numbers and health information. India has 700 million internet users and 400 million smartphone users generating a large amount of data on a daily basis. India is producing 150 exabytes of data annually and is among the fastest data-generating nations in the world.[2] Data helps organizations and companies to improve their services, technologies, products and resources. But this collection and processing of data by large MNCs, businesses and corporations has often led to data breaches. As India up till 2017 did not have any proper law or concept regarding the regulation and processing of personal data, firms and companies have gone scot-free, without consequences, for massive data breaches affecting their customers and users. “Personal Data breach” means any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.[3] A few of the biggest data breaches of the 21st century:
ADOBE: 150 million accounts were impacted. Credit card details and account information were stolen.
EBAY: 145 million accounts were impacted. Personal data of users was leaked. Users’ financial information was compromised.
LinkedIn: 165 million accounts were impacted. Stolen user account information and passwords were being sold on Russian forums for 5 bitcoins.[4]
FACEBOOK: 530 million plus accounts were affected. The account information of 530 million Facebook users was publicly posted on hacking forums.[5]
SBI: The data of over 1200 State Bank of India employees was leaked on Telegram. Sensitive and critical information about the employees, such as passbook, Aadhar card and voter card, was made public.[6]
AADHAR CARD: In early 2018, the Indian government’s identification database Aadhar (similar to SSN) was reported to be leaking information on every registered Indian citizen, including names, bank details and other private information like biometric data.[7]
Due to these continuous breaches, developing a legal framework for the protection of data was seen as the need of the hour. Different countries already have legislation in place regarding data safety.
The European Union has the GDPR (General Data Protection Regulation). The GDPR came into effect on May 25th 2018. The intent of this legislation was to protect the data of the common populace of the EU (European Union). It deals with all kinds of processing of personal data and has stringent procedures in place for the protection of data within and outside the European Union. A few significant features of the GDPR are that 1) consent forms are made easier to understand and follow. For example, most users click “I AGREE” without even reading the terms and conditions, due to their verbosity and complexity. The GDPR ensures that informed consent is collected. 2) In the event of a breach of users’ data, a supervisory authority sends a breach notification to help them protect their information. 3) It creates awareness among citizens. Essentially, this legislation of the European Union puts citizens at the core of the regulatory framework.
In the United States a laissez-faire approach is followed, and there is no separate legislative framework for data protection. Rather, US courts have recognized a right to privacy by piecing together limited privacy protections reflected in the First, Fourth and Fourteenth Amendments to the US Constitution.
The genesis of the Indian legislation on data protection is the nine-judge bench Supreme Court case Justice KS Puttaswamy vs Union of India (2017). In that case, the court declared “privacy” a fundamental right under Article 21 of the Constitution. The case also put forth the doctrine of proportionality, which states that infringement of the right to privacy should be proportional to the need for such infringement.[8] Thus, it is the duty of the state to put forth legal frameworks protecting the data privacy of individuals. This set in motion the formation of a committee by the central government in 2017. Justice BN Srikrishna chaired the committee. In 2018 the committee submitted its report “A Free and Fair Digital Economy”. In December 2019 this report was introduced in the Lok Sabha and it was referred to a joint parliamentary committee. Later the joint parliamentary committee submitted its report and released it for public consultation. On 3rd August the Digital Personal Data Protection bill was introduced in the Lok Sabha. On 7th August it was passed by the Lok Sabha and Rajya Sabha. 9th August marked the completion of the parliamentary approval process. On 11th August “The Digital Personal Data Protection Act” was formed.
RESEARCH METHODOLOGY
This paper is descriptive in nature, and the research is based on secondary sources for a deep analysis of the recent data protection act of India. Secondary sources of information such as newspapers, journals, committee reports and websites are used for the research.
REVIEW OF LITERATURE
The main purpose of “The Digital Personal Data Protection Act” is to provide a legal framework for the processing and protection of personal data.[9] Processing of data is the collection, storage, recording, retrieval and transmission of personal data through wholly or partly automated means. The Act therefore establishes “Data Principals” and “Data Fiduciaries” by linking the private data given by individuals with the way this data is collected and stored, thereby also providing each with their own set of rights and duties.
Protection of data protects an organization, firm or business (data fiduciary) from fraudulent activities such as hacking, phishing and identity theft. It helps users by protecting their identities. The Act puts forth a legal framework that aids in this protection of data. As this legislation is relatively new, there are various grey areas that need to be addressed and amended. But it is a great step, as it addresses new issues faced by people and nations in the current developing technological age.
KEY FEATURES OF THE ACT[10]
1) Applicability: The Act applies to the processing of digital data within India, where data is collected in digital form or in non-digital form and digitized subsequently. It also applies outside India, if goods and services are being offered to Indian citizens. This ensures protection of the private data of citizens of India when it is given to foreign and national firms and businesses. But there are some exclusions to the applicability: when processing of data is done by an individual for personal or domestic use, and when data is made publicly available by the data principal or by any other person under a legal obligation to make such data available.
2) Consent: Consent is the primary legal ground for processing data. Consent must be “freely given”, “specific” and “informed”, and must be capable of being withdrawn. A notice is to be provided before seeking consent. The notice should contain details of the personal data and the purpose of processing that data. Consent will not be required for “legitimate uses”, some of which include a) medical emergency b) data provided voluntarily by an individual c) provision of a benefit or service by the government d) employment.
3) Various Rights and Duties of Data Principals: The Act gives various rights to data principals, such as a) the right to obtain information about processing b) erasure of data c) nominating another person in case of death or incapability. They are also given various duties, and the one which is highlighted concerns identity theft: there are severe repercussions for anyone who impersonates someone else.
4) Responsibility of Data Fiduciaries: The Act provides various obligations to be performed by data fiduciaries while they collect, store, use or process data. They are expected to build safe security systems to prevent a data breach, and to erase personal data once the purpose has been met and retention is not necessary for legal purposes. Data Fiduciaries are made more reliable and accountable for the critical information collected.
5)Data Protection Board of India: Central government establishes the data protection board in India. It will prescribe details such as number of members to be appointed to the Board and the selection process. The board will function as a court for matters relating to data breach and data protection. It will have the power to impose penalties. It will also direct data fiduciaries to take necessary steps in event of a data breach. It will also hear grievances made by affected persons. Appeals against the decisions of the board, as per Section 29 of the Digital Personal Data Protection Act, shall lie with Telecommunications Dispute Settlement and Appellate Tribunal.
These provisions give Data Fiduciaries a standard operating procedure for processing data and also help uphold the rights of Data Principals by protecting their data from breaches, hacking, phishing and any other malicious activity. The Act provides a legal framework for a longstanding issue in India. It helps increase awareness amongst citizens regarding these problems. Though this Act is a positive step towards data protection, there are still some issues and challenges in its provisions which should be addressed and amended.
CHALLENGES
1) Affects RTI (Right To Information) Act:[11] The new Digital Personal Data Protection Act removes provisions from Section 8(1)(j) that allow public interest disclosure. Due to the new amendment, information cannot now be disclosed under the RTI Act on account of it being personal data. This restricts citizens of India from obtaining personal information from the government. Personal information is nothing but name, address and number, among other things. This will also have an effect on the democracy of the country. During elections the voter list is required to be made public; the voter list contains personal information, and according to the Act personal information cannot be disclosed. This can hamper the democratic process of free and fair elections, as there can be vote tampering and electoral fraud. Political parties could easily add and delete names of voters from communities that may or may not have voted for the party.
2) Violative of Article 21 Right to Privacy:[12] There are many exemptions offered to the state for personal data processing which may have an adverse impact on the right to privacy. Under Article 12 of the Constitution, the state includes a) central government b) state government c) local bodies d) authorities and companies set up by the government. According to the Act, the central government is empowered to exempt any instrumentality of the state from adverse consequences, citing reasons such as national security of the state and maintenance of public order. IT minister Ashwini Vaishnaw has said that the exemptions have been carved out specifically as per the constitutional mandates. He also stated that during an emergency the state cannot go around seeking consent for processing of data, because the state will have to act quickly to ensure safety.[13] The Supreme Court in Justice K.S Puttaswamy (Retd.) v. Union of India and Ors (2017) had held that any infringement of the right to privacy should be proportionate to the need for such interference. Under these exemptions the government has been given a lot of power to collect, store and process any data without consent under the garb of national security and maintenance of public order.
3) Cross Border Transfer:[14] The Act permits transfer of data from India to other countries without restrictions, unless the government bans transfer to a particular country through a notification. Due to this provision there would be no protection available against personal data breaches affecting Indian citizens in foreign states. In the absence of strong data protection laws in a foreign country, data stored and processed there may be more vulnerable to breaches or to unauthorized sharing with government as well as private entities. The solution to this problem is data localization, the practice of storing and processing data within the geographical boundaries of the state. This reduces cross-border transfer of data and the risk of it being breached in foreign states. The most important aspect of data localisation is having control over our own data, which makes the country more resistant to issues around privacy, information leaks, identity thefts, security etc.[15]
4) Issue of Surveillance:[16] The Act states that the Central government can ask any data fiduciary to “furnish any such information as it may call for”. A data fiduciary, according to the Act, is anyone who processes data. This will have a massive impact on media and journalism, especially investigative journalism and reporting. As the central government has received several exemptions for processing personal data on grounds of security and maintenance of public order, the government can easily misuse this power to silence its opposition or media critical of it. It becomes a threat to whistle-blowers and other confidential media sources. There are no safeguards on what information it can ask for.
5) Harm arising from processing of personal data not regulated:[17] When personal data is processed, various harms such as identity theft, profiling, discrimination and unreasonable surveillance can occur, which are not regulated under the current Act. This has a major impact on an individual’s privacy rights. The 2019 bill required measures to prevent such harms from being caused, and methods of regulation were put forth by the Srikrishna committee. But as the bill evolved through the years into an Act, this regulation was not taken into consideration.
The Central Government has been given a lot of exemptions in the provisions of the Act. This causes nothing but suspicion regarding the intent behind these exemptions. Is the primary objective of the Act to protect the private data of citizens, or is it just another means of making the central government more powerful by giving it censorship and surveillance power? Another issue is the formation of the data protection board. The central government has been given complete authority over it. Lawyers, scholars and even judgements of the Supreme Court state that tribunals (here, the data protection board) must remain independent of control by the executive to uphold and safeguard the constitutional rights of citizens. These are a few of the challenges in the current legislation which need to be addressed, as they can be misused and can even hamper the democracy of the country.
SUGGESTIONS
Though this Act is a great step forward for personal data protection, many suggestions were put forth by the Srikrishna committee and the Joint Parliamentary Committee. The government should create efficient data fiduciaries for the storage, protection and collection of data, because it is a universally acknowledged fact that data collected by authorized government agencies for e-commerce or e-governance is not properly protected and can be misused. The situation may improve if the government ensures proper auditing, storage and retention of the documents.
Data localization should be the goal, because it not only ensures the safety and security of data within the country’s boundaries but will also help generate employment. There should be a check on the exemptions provided to the government, as it can censor and process data of its own accord by using provisions like maintenance of public order and security. This can be a great hindrance to journalists and to parties in opposition to the government. They can be surveilled and censored at the will of the government. There should be some checks and balances in place so that the central government does not end up misusing its powers. The government has the power to exempt any instrumentality of the state from adverse consequences citing a) national security reasons b) relations with foreign governments and c) maintenance of public order. The government can use any of these reasons to get hold of a lot of personal data on its political opponents, dissenting parties/groups, media outlets and independent journalists speaking against government policies, among other things. It can be used as a surveillance system and a tool to crush dissenting voices.
The data protection board should be separated from the executive. Under the current Act the central government has been given the authority to appoint the board members. This defeats the purpose of having a tribunal, as it can be easily influenced by the central government and just becomes another puppet of the state. And as the appointment of members is short-term, only 2 years with eligibility for reappointment, it increases the control and influence of the executive.
CONCLUSION
The act helps in finally addressing the longstanding issue of processing and protection of Personal Data of citizens of India. However, various details regarding the implementation of the stipulated provisions of the Act and their necessary clarifications are required and that can only take place with the setting up of the Data Protection Board and the promulgation of rules under the act. It helps in providing a legal framework and a guideline for the protection of personal data. It provides various legal rights and duties to Data principals and Data fiduciaries. It provides a path to Indian businesses and firms regarding how they should approach processing of data and new privacy norms. It also helps in creating awareness among users regarding their data protection rights and harms that can be caused with data breaches. While the notification of the Sections of the Act for their implementation is still awaited, one has to wait and watch how the Courts interpret wide empowering provisions and in what manner the Act evolves.
MALHAR JOSHI
ILS LAW COLLEGE, PUNE
[1] THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023,NO.22, ACTS OF PARLIAMENT, 2023(INDIA) SECTION 2(h)
[2] REPORT OF THE JOINT COMMITTEE ON THE PERSONAL DATA PROTECTION BILL,2019 (PARA 1.2)
[3] THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023,NO.22, ACTS OF PARLIAMENT, 2023(INDIA) SECTION 2(u)
[4] CSOonline, https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html (last visited on Sep.11 2023)
[5] Firewall Times, https://firewalltimes.com/facebook-data-breach-timeline/ (last visited on Sep.11 2023)
[6] India Today, https://www.indiatoday.in/india/story/telegram-channels-leak-data-of-12-thousand-sbi-employees-ignored-some-red-flag-2405024-2023-07-11 (last visited on Sep.12 2023)
[7] Wikipedia, https://en.wikipedia.org/wiki/Data_breaches_in_India (last visited on Sep.11 2023)
[8] Justice K.S. Puttaswamy (Retd.) & Anr. vs. Union of India & Ors. (2017) 10 SCC 1, AIR 2017 SC 4161
[9] THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023,NO.22, ACTS OF PARLIAMENT, 2023(INDIA) PREAMBLE
[10] PRS India, https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023 (THINK TANK) (last visited on Sep.13 2023)
[11] Hindustan Times, https://www.hindustantimes.com/india-news/ncpri-disappointed-over-dpdp-bill-calls-proposed-amendments-regressive-raises-concerns-over-privacy-and-rti-101691136173655.html (last visited on Sep.12 2023)
[12] PRS India, https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023 (THINK TANK) (last visited on Sep.11 2023)
[13] Hindubusinessline, https://www.thehindubusinessline.com/news/data-protection-law-to-be-in-force-soon-vaishnaw/article67179401.ece (last visited on Sep.11 2023)
[14] PRS India, https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023 (THINK TANK) (last visited on Sep.11 2023)
[15] Drishti IAS, https://www.drishtiias.com/to-the-points/paper3/Data-Localisation (last visited on Sep.13 2023)
[16] Scroll.in, https://scroll.in/article/1054094/a-censorship-tool-in-disguise-how-the-data-protection-bill-will-hurt-journalists (last visited on Sep.13 2023)
[17] PRS India, https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023 (THINK TANK) (last visited on Sep.13 2023)
