INTRODUCTION
Over the years, Indian laws have tended to become more and more organized, with a special emphasis on accessibility. This trend is not recent, however: the consolidation of benefits scattered across a patchwork of different laws, each catering to one part of society or a single administrative issue, into a single document has been taking place since the start of the decade. As liberalization, privatization and globalization became the national policy of a post-license era government of 1994, new laws were required to provide centralized legislation organizing regulatory bodies, replacing variously emanated sources of authority otherwise exclusively vested in different broader administrative issues and finances. Hence sector-specific legislations like the Competition Act, TRAI Act, etc. were born to regulate the different facets of a neoliberal economy. The Maintenance of Parents and Senior Citizens Act, 2007 (Maintenance Act) can serve as a good example of such a law; it guarantees the legal right of maintenance of Senior Citizens by their children, and caters to a vulnerable section of society that has been affected negatively by this rapid modernization. Before the formation of the law, Senior Citizens were protected by a patchwork of laws like the Hindu Adoption and Maintenance Act, Protection of Women from Domestic Violence Act, §125-128 of the Code of Criminal Procedure, etc., but none as exclusively as the Maintenance Act. This brought simplicity and accessibility of litigation both to lawyers and Senior Citizens.
In a similar fashion, data privacy protection law originated from a number of sources rather than a single comprehensive piece of legislation. Data privacy is constitutionally protected by the interpretation of Article 21 by the Supreme Court in K.S. Puttaswamy v. Union of India; by the Information Technology Act (“IT Act”), which specifically intends to protect electronic data; the Privacy Rules, which provide a regulating procedure to handle sensitive personal data; some sections of the Indian Contract Act, 1872 and the Indian Penal Code, 1860; and the Copyright Act, 1957 along with the Credit Information Companies Regulation Act, 2005. These laws, however, touched upon various facets of the issue, and there was no comprehensive legislation. In fact, the IT Act, which expressly wished to be a pioneer legislation on data protection in India, failed to address the subject in an exhaustive manner, thus becoming insufficient for the protection of data, and hence the need for a separate legislation was felt.
HOW THE ACT PASSES AND SURPASSES
Thus, the Digital Personal Data Protection Act 2023 (“the DPDP Act”) was born. The DPDP Act “provides for the processing of digital personal data in a manner that recognizes both the rights of the individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto.” The official stance in the press release goes on to laud a number of added achievements of the DPDP Act, along with its being the first of its kind to use the pronoun “she” in place of “he” to address the actors in the Act, and hence it “acknowledges women in Parliamentary law-making.” It was passed on 7th August, 2023 by a voice vote, amid chaos in the Assembly over the Manipur issue. The Opposition repeatedly stressed their fears of a build-up to a “surveillance state” through the passage of the said Act, due to the exemptions provided to the State and a contentious clause giving broad exemptions for some companies, while the Government maintained and defended the Centre’s access to the citizens’ data as “lawful and legitimate in national security and emergencies”. A top journalists’ body too has shared concerns similar to those of the Opposition.
Evidently, the law is marred by various issues other than the one mentioned above. One of the major issues with this law is the fact that it impairs the Right to Information Act, 2005 (“RTI Act”) by amending §8(1)(j), effectively substituting “information which relates to personal information”, thus making it possible for any kind of data even remotely personal to be exempted from the application of the RTI Act. The DPDP Act, by §35, basically bars any legal action against the Central Government, the Board, its Chairperson and any Member, officer or employee working under the Act; §37 empowers the Centre, on the advice of the Board, to block access to information to the public about a Data Fiduciary related to any activity offering goods or services, thus hampering a person’s Right to Trade; §39 puts a bar on the jurisdiction of the Court, and hence, there is effectively no way to perform legal action against the decisions of the Board. The authority to recognize a Data Fiduciary lies with the Government, while one of the biggest repositories of data is possessed by the Government itself. Hence, the Government can legally exempt itself from the application of the Act as well.
The object of this article, however, is not to dwell upon the various shortcomings and potential misuse of the Act. The main objective here is to find whether the Act has any exclusive benefit for the masses of Indians who are continuously and unintentionally trading with their data daily with no understanding or care of its consequences. The answer to that is grim.
WHERE THE ACT FALTERS
The Act has set up a very accessible redressal system for Data Principals to withdraw their consent to the access of their data by Data Fiduciaries. §5(2) makes it compulsory for the Data Fiduciary to give notice of the:
- Use of the requested data
- Mechanism to withdraw consent
- Complaint mechanism to the Board.
§6(1) of the DPDP Act defines consent as free, specific, informed, unconditional and unambiguous, with clear affirmative action, with the limitation put on such personal data as is necessary for such specified purpose. Therefore, if personal data is requested that has no connection with the purpose for which the Data Fiduciary requests it, even with the active consent of the Data Principal, the collection of the same will be a violation of the Act. The consent in this case can easily be taken in the form of Click-Wrap contracts, but §6 goes on to say in §4 that the withdrawal of the consent must be as easily facilitated as when the consent was taken from the Principal.
Nevertheless, all that glitters is not gold. The DPDP Act provides a mandated layout of a consent withdrawal mechanism to be undertaken by the Data Fiduciary, but does not compel them to delete the Principal’s personal data once the requirement that necessitated the collection of the same is fulfilled. In fact, although §8 deals with the responsibility of the Data Fiduciary to delete such data, and under §7 such deletion is required after consent withdrawal, §8(8) dilutes this duty in case of the inaction of the Data Principal. Thus, the duty of securing the right to be forgotten, as observed by the Srikrishna Committee (2018), from the Data Fiduciary lies on the Data Principal. It is thus rightly observed that “the success of the law hinges on the citizens of the country being aware of their rights and pursuing their rights through the grievance redressal mechanism under the DPDP Act”.
Unlike the Maintenance Act (as discussed above), which under §21 mandates the Government to take measures towards the publicity and awareness of that Act amongst the people and specifically the Senior Citizens, the DPDP Act places no obligation on the Data Protection Board to sensitize people to their rights under the Act, and thus the large mass of people remain outside the cover of the benefits of the Act. The entire point of such a comprehensive legislation was to secure the personal data of the citizens from the clutches of various Data Processors and Fiduciaries, which turns out to be its greatest shortcoming. The Act coming into effect only on the active request of withdrawal on the part of the Data Principal renders the Act meaningless, since it was meant to ensure the safety of the citizens’ personal and private information without them needing to participate in the web of bureaucracy.
ROLE OF THE STATE AND THE DIGITAL PANOPTICON
On the other hand, the law does serve one purpose: to facilitate State control over the people’s data and to sever its liabilities from the consequences of such control. As discussed above, the State has been given various exceptions as a Data Fiduciary itself, while limiting the scope of public scrutiny. §7 of the DPDP Act exempts the State from the deletion of the personal data of the people for various purposes ranging from the facilitation of access to State benefits to the addressing of National Security and other concerns, which are vague and ambiguous at best. The DPDP Act removes purpose limitation and overrides the consent of an individual where the State processes the personal data. It directly contravenes the Privacy Report, which recommended the formulation of a Privacy Act which directed that various sectors of industry be regulated by Self-Regulated Organizations (SROs). §15 of the Act effectively detaches its liability towards the Data Principal and instead restricts them from taking legal action against the State.
Thus, with the passage of this law, the State has evidently been turned into a “panopticon”, a concept first introduced by political philosopher Jeremy Bentham, which has now been further extended and can be applied to the new-age digital world. The State has access to digital surveillance, with the citizens under its watch, while an iron curtain separates the State from the people by limiting their space for imposing accountability. The amendment of the RTI Act further leads to the unilateral concentration of such power. The law further serves no purpose as long as the right that it provides to the people needs constant reassertion, rather than having an automated mechanism to delete such data so that all people can enjoy the same. The prospect of people applying for the deletion of their personal data every time they consent to the processing of their data, say on a website, is impractical to think of, and most would not even be aware of the technical procedure, or even of their right to be forgotten in the first place, to put some substance in the Act.
CONCLUDING REMARKS
Therefore, the Act in its current state is not workable. Even if it is deemed workable, it requires necessary reforms: amending §8(8) and mandating the deletion of personal data after the requirement is fulfilled or within a reasonable time; placing more accountability on the shoulders of the Government; removing the bar on the judiciary and reconsidering the amendment to the RTI Act; balancing privacy and national security in a more harmonious manner by taking a consequentialist stance rather than functioning on apprehension; allowing the public to know what data the Government holds; mandating sensitization programs; making provisions to regulate the purpose of the data collection; and creating a Self-Regulated Organization with the functions of the Board, which can recognize the State as a Data Fiduciary and which would leave no scope for self-exemption from the extension of the Act to the functioning of the State organs processing personal data of citizens. Until then, the balance of the power of possession of personal data tips favorably towards the State, and there exists no mechanism to correct it.
The Author is a first-year law student at National Law University Odisha.
This article was the 2nd Runners Up in the 1st CLS-NLUO Essay Writing Competition 2023-24