Digital Personal Data Protection Act, 2023

Author: Atheena K

Executive Summary

The Digital Personal Data Protection (DPDP) Act, 2023, enacted on August 11, 2023, aims to regulate the processing of digital personal data, ensuring a balance between an individual’s right to privacy and the lawful use of personal data. The Act provides a framework for the protection, processing, and transfer of personal data, outlining obligations for data fiduciaries (entities managing data), as well as rights and duties for individuals (data principals). However, the Act raises concerns regarding state exemptions and the lack of provisions for data portability and the right to be forgotten.

Background

The DPDP Act was introduced to address gaps in India’s legal framework on personal data protection, previously governed under the Information Technology (IT) Act of 2000. The need for standalone legislation became critical following the Supreme Court’s recognition of privacy as a fundamental right in the Puttaswamy judgment (2017). The Act applies to the processing of digital personal data within India, as well as the processing of such data outside India, when related to Indian citizens.

Key Features

  • Applicability: The DPDP Act applies to the processing of personal data in digital form, including data collected within India and outside India if it is linked to goods or services offered to Indian citizens.
  • Consent: Data can only be processed for lawful purposes after obtaining the consent of the individual (data principal). Legitimate uses, including state functions, medical emergencies, and employment, do not require consent.
  • Obligations of Data Fiduciaries: Entities controlling data (data fiduciaries) must ensure data accuracy, provide data protection, and erase personal data when it is no longer needed. They must also report breaches and implement a grievance redressal system.
  • Exemptions for State Agencies: The central and state governments are exempt from many of the Act’s requirements under the guise of national security, public order, and related concerns. These exemptions raise significant privacy concerns.
  • Data Protection Board of India: The Act mandates the establishment of the Data Protection Board of India to oversee compliance, manage complaints, and impose penalties in case of violations.

Key Issues

  1. State Exemptions and Privacy Violations: The wide-ranging exemptions granted to government agencies could lead to unchecked data collection and surveillance, potentially undermining citizens’ privacy rights. There is little accountability built into these exemptions, which may result in misuse.
  2. Lack of Key Data Rights: Unlike global standards like the General Data Protection Regulation (GDPR), the DPDP Act does not provide individuals with the right to data portability or the right to be forgotten. This limits users’ control over their data and its movement across platforms.
  3. Cross-border Data Transfers: The Act permits data transfers to foreign jurisdictions, except those restricted by the government. This raises questions about whether adequate safeguards will be put in place to protect Indian citizens’ data from being misused in countries with weaker data protection laws.
  4. Short Tenure of Data Protection Board Members: The two-year term for members of the Data Protection Board, with the possibility of reappointment, may undermine the board’s independence and its ability to function as a truly impartial regulatory authority.
  5. Children’s Data Protection: While the Act prohibits data processing that can harm children’s well-being, it lacks clarity on what constitutes “detrimental” processing and how this will be assessed.

Recommendations

  1. Strengthen Oversight of State Exemptions:
    1. Limit and Audit Exemptions: The Act should include clear guidelines and limitations on the use of exemptions for state agencies. Any government processing of personal data should be subject to rigorous oversight to prevent misuse. This can be achieved through the appointment of independent auditors and mandatory transparency reports on how exemptions are applied.
    2. Introduce Safeguards Against Surveillance: To prevent the misuse of personal data for surveillance, the Act should adopt principles of necessity and proportionality when state agencies process data under exemptions. This includes defining strict conditions for data retention and providing mechanisms for independent review of government data processing.
  2. Establish a Robust Data Rights Framework:
    1. Right to Data Portability: The Act should introduce the right to data portability, enabling individuals to transfer their personal data between service providers seamlessly. This will empower consumers by promoting competition and giving individuals more control over their data.
    2. Right to be Forgotten: Including the right to be forgotten will give individuals the ability to request the deletion or de-indexing of outdated or irrelevant personal data. This would be particularly useful in cases where data available online negatively impacts an individual’s reputation or safety.
    3. Right to Data Minimization: Data fiduciaries should be required to collect and retain only the minimum amount of data necessary for the specific purpose. This can help reduce the risks associated with unnecessary data processing and potential breaches.
  3. Tighten Regulations for Cross-border Data Transfers:
    1. Evaluate Recipient Jurisdictions: The Act’s provisions on cross-border data transfers should be strengthened by introducing a thorough evaluation mechanism for countries receiving Indian citizens’ data. Transfers should only be allowed if the recipient country has robust data protection standards equivalent to India’s.
    2. Implement Data Localization for Sensitive Data: For highly sensitive categories of personal data, such as financial or health information, the Act should require that at least one copy be stored on servers located in India. This ensures better control and oversight of sensitive data and aligns with global best practices.
  4. Expand the Mandate and Capacity of the Data Protection Board of India:
    1. Increase Tenure and Accountability: The two-year tenure for Data Protection Board members should be extended to at least five years, with no provision for immediate reappointment, to ensure independent functioning. Further, an external advisory committee comprising data privacy experts should be established to provide strategic guidance to the Board.
    2. Data Breach Notification: The Act should mandate clear timelines and protocols for data breach notifications to affected individuals and the Data Protection Board. Delays in notifying breaches can increase the risk of harm, including financial and reputational damage.
  5. Clarify and Enhance Protections for Children’s Data:
    1. Define Harm to Children: The Act should clearly define what constitutes a “detrimental effect” on children’s well-being when their data is processed. This can include detailed guidelines on harmful data practices, such as behavioral monitoring and targeted advertising aimed at children.
    2. Parental Consent Verification: For minors under 18, the Act should provide specific methods for verifying parental consent, ensuring that children’s data is not processed without proper authorization.

References

Ministry of Electronics and Information Technology. (n.d.). The Digital Personal Data Protection Act, 2023. https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf

PRS Legislative Research. (n.d.). The Digital Personal Data Protection Bill, 2023. https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023