Aayushi Choudhary & Vaibhav Gupta are students at Gujarat National Law University, Gandhinagar.

Introduction

In 2011, the Department of Personnel and Pensions initiated the first endeavor towards data protection. Fast forward a decade to August 11, 2023, the Digital Personal Data Protection Bill, 2023 (hereinafter referred to as the Act) was successfully passed. Notably, the 2019 version of the bill faced criticism for its complexity, while the 2022 iteration erred on the side of simplicity, albeit at the cost of excluding vital details.

The Act itself is grounded in the principle that digital personal data should be processed in a manner that upholds both individuals’ rights to safeguard their personal information and the necessity to process such data for legitimate reasons. This legislative measure is anticipated to enhance the ease of living and business in India.

This piece shall delve into the changes introduced in the Act 2023. Additionally, it will address certain key loopholes present in the Act. One notable concern is the Act’s failure to categorize sensitive information, potentially leaving critical data insufficiently protected. Another aspect examined is the potential impact of the Act on the Right to Information (RTI) Act, assessing whether the former weakens the latter. Furthermore, the exemption provided under “legitimate interest” will be explored, shedding light on the implications of each approach for data protection and individual rights.

Evolution From The Previous Bill

The primary objective of the Act is to establish a comprehensive framework for the protection and processing of personal data. The Act applies to the processing of personal data in India, including both online and digitized offline data, and shall further extend to the processing of such data outside India relating to the offering of goods or services in India. There are a number of changes from the previous bill. First, the state will now notify nations where personal data cannot be provided for processing, as opposed to the previous requirement that it notify nations where data can be transferred for processing. Instead of a positive list, the state will now issue a negative list. Relative to the complicated suitability matrix in other countries, this offers a significantly more straightforward approach. Second, the Act simplified compliance requirements for organizations that collect data and eliminated the requirement to obtain consent before transferring personal data to a third party for processing. Additionally, the earlier draft mandated that organizations obtain parental permission before processing a child’s personal data; this has now been somewhat changed. The state may specify an age beyond which the company acquiring the data may no longer need parental consent if the personal information of minors is managed safely. Last but not least, compared to the earlier bill, which prescribed the maximum punishment, the Act specifies a penalty for each offense, which may be added together to determine the maximum punishment. When assessing the applicable punishment, the Board will take into account the following factors:

  • nature, severity, and duration of the violation;
  • type and extent of the harmed personal information;
  • amounts of benefit or loss realized; and
  • remedial acts.

Unaddressed Categorisation of Data

The vulnerable sexual minority in India often worry about being driven out. Facebook’s advertising division had previously come under fire for allowing businesses to target users using private information. For instance, businesses may advertise to Muslims, or political organizations could target individuals based on religious or political preferences. The data protection law in India presented a great opportunity to strengthen the right to privacy, particularly for the marginalized and disadvantaged, but the Act has blown it. The 2019 draft featured a distinctive subcategory of “sensitive personal data” that includes the key characteristics for safeguards: caste or tribe, sexual orientation, transgender or intersex status, sex life, and religious or political opinion or affiliation. This intensifies the disappointment.

Despite the fact that the Constitution protects the right to equality and forbids discrimination on the basis of race, religion, caste, sex, or place of birth, these rights are primarily enforced against the State. Since then, the Supreme Court has construed these fundamental rights to encompass the freedom of gender identity and sexual orientation. Many of those freedoms, however, are not yet legally applicable in India’s private sector, resulting in ongoing legal prejudice. Anti-discrimination legislation that addresses issues of inequity in the private sector is in place in South Africa and the United Kingdom. Significantly, the Act is the first national statute in India that refers to people by she/her pronouns. Yet, even as the Act’s “usage” of pronouns receives applause, a transgender person’s status in the material world remains exposed to institutional discrimination in both public and private contexts. At present, the Act doesn’t have provisions that effectively promote an inclusive perspective of privacy.

Privacy V. Transparency

Advocates of the RTI Act have argued that the Act has weakened the RTI Act’s strength. The Justice AP Shah Committee, which conducted a comprehensive investigation into data protection in 2012, recommended that any information made available to the public under the RTI Act should not be compromised by a data protection law or a personal data protection law. In 2018, the Justice B.N. Srikrishna Committee examined the situation and recommended strengthening the harm test.

The harm test is included in Section 8(1)(j) of the RTI Act. The law’s aim is not to make whole categories of data unavailable to the public; rather, it outlines data that can be exempted from disclosure if it lacks relevance to public activity or interest. However, it is important to note that this waiver is not absolute. The majority of exemption provisions in Section 8 stipulate that disclosure can be prohibited or excused only when there is a specific harm to the public interest. The Section is amended by Section 44(3) of the Act. The Act’s provision to remove the proviso under Section 8(1)(j) is another concern. The proviso specifies that citizens shall not be deprived of access to information that cannot be denied to the Legislature or State Assemblies. Its removal will have an array of impacts on citizens, particularly with regard to their fundamental rights. As active participants in a republic, citizens had the power to hold the administration, as well as public officials from the local level up to Rashtrapati Bhavan, accountable for their actions and decisions.

The Joint Parliamentary Committee that vetted the Data Protection Bill 2021 did not make any recommendations to amend the RTI Act. The Act also has a detrimental impact on press freedom. There is a lack of independence and autonomy for the oversight body, the data protection board. Section 19 of the Act empowers the government to appoint chairpersons and decide members of the board. The government is an interested party, and it is against the principles of natural justice as the government will be the responding party before the data protection authority in relation to any complaint that any person, citizen or non-citizen, may bring before the data protection authority against a government agency that violates his or her rights. This aspect raises significant concerns.

Processing, Consent, and Legal Grounds: Act 2023’s Perspective

The Act draws considerably from the European General Data Protection Regulation (GDPR), albeit with key changes. The legal justifications for processing are among these changes. In addition to “legitimate interest,” the GDPR provides an established list of bases for processing under Article 6. The Personal Data Protection Act of Singapore, Section 15, which acknowledges that there may be circumstances in which processing of data is arguably essential without informed approval, serves as the basis for the Act, 2023. According to Section 6 of the Act, private information may only be handled for the stated objective and with the Data Principal’s permission. Such permission must be clear, unequivocal, unrestricted, free, precise, notified, and have an affirmative response. Before requesting consent, the Data Fiduciary must provide notice as per Section 5 that includes information about the Personal Data to be gathered and the intended use of the processing. The person whose data is being processed has the right to revoke her permission at any stage. Organizations are responsible for ensuring that processors handling their data operate appropriately after a consent withdrawal. Notably, such consent, as per Section 7, shall not be required for ‘legitimate uses.’ In the previous bill, it was termed deemed consent under Section 8. Numerous exceptions, which apply to both the public and private sectors, significantly diminish the importance of such consent. Notably, this clause waives the requirement for consent in circumstances like pandemics or disease outbreaks. Therefore, even for private information like health records, government data collection during these circumstances eliminates the need for prior consent. Another exemption, given to employers, is very wide: it covers a wide range of subjects, such as employer protection, confidential knowledge, and services requested by the data subject, who is often an employee. This suggests employers may get a lot of information about employees without their knowledge. The provisions of consent will also not apply to data fiduciaries when processing is necessary for mergers, demergers and other schemes and for assessing financial liabilities in case of payment defaults.

Conclusion

The Supreme Court reiterated the fundamental right to privacy in the Puttaswamy decision, and Justice Chandrachud explained that this right comprises both restricting state authority in its activities and requiring the state to create legislative measures to protect these rights. This stance is consistent with the Act’s aim of protecting informational privacy, a key component of the idea of privacy as a whole, giving shape to the structure and content of a data protection Act. With regard to the growing number of internet users, data generation, and international trade, the Act represents a novel method to protect personal data. The Act’s implementation might fundamentally alter how digital personal data is managed, regulated, and protected in terms of privacy and sanctity. The Act’s loopholes and gray areas serve as a call to action for lawmakers, data protection authorities, and citizens alike, urging them to collaborate in refining and strengthening this legislative framework.
