In an era where data has become the dominant marker of economic prowess, any promulgation of legislation in this domain warrants meticulousness and circumspection, apart from having a far-sighted perspective. When British mathematician Clive Humby declared ‘data as the new oil’ in 2006, he himself wouldn’t have foreseen the pervasive impact. Unlike oil, data is something that can be used and reused.

At the outset, we wish to raise a pertinent question and then separate the truth from the tsunami of hype created around the Digital Personal Data Protection Act, 2023 by looking closely at multiple issues of concern that have unfortunately been swept under the carpet.

Is it a balancing Act or a disquieting retreat?

In a hasty sweeping stride, the government recently secured the passage of the Digital Personal Data Protection Bill, 2023 in both houses of Parliament without any meaningful discussion. It got the assent of the president on August 11, 2023 – within two days of its passing by the Rajya Sabha. It is being touted as a landmark piece of legislation with the potential to redefine the contours of data governance in the contemporary digital landscape. Yet, beneath its professed intentions lies a labyrinth of clauses and provisions that warrant meticulous scrutiny.

This Act has ignited significant debate and concern amongst citizens, industry and experts alike. Although the legislation ostensibly seeks to safeguard individual privacy and data rights, a closer examination of its provisions unfurls pressing concerns about its efficacy, transparency, and the potential reverberations of its implementation.
This article is an earnest attempt to unravel the ramifications of this Act, primarily focusing on the pivotal aspects of ‘delegated legislation’, ‘Data Protection Board’, ‘Voluntary Undertaking’, ‘Reasonable Security Safeguards’, dilution of Data Fiduciary and Data Processor responsibilities, transgressions against the RTI Act and Information Technology Act, and an assortment of exemptions it confers, raising concerns about its commitment to safeguarding individual rights and privacy.

Excessive reliance on delegated legislation

Delegated legislation grants considerable discretion to various administrative agencies, which has the potential to lead to rampant abuse or the exercise of excessive power. Under the pretext of making the legislation lean, the Government has deliberately laid this piece of legislation at the mercy of subordinate agencies. In the dissenting judgment in the verdict of the Supreme Court on demonetisation, Justice B.V. Nagarathna reminded us that unguided and unlimited powers under delegation would be ex-facie arbitrary and suffer from the vice of unconstitutionality.

The Act’s over-reliance on the phrase “as may be prescribed” raises concerns about the lack of clarity and specificity in its provisions. There is excessive delegated legislation, as the legislation largely does not go into the specifics of the implementation. It seems as if the government’s favourite catchphrase “as may be prescribed” is the highlight of this DPDP Act. It has been used 28 times in a 21-page Act with 44 sections. The ambiguity has been kept so that the government can take arbitrary decisions. No legislation can be seen as sound if the majority of its clauses are qualified by the ‘as may be prescribed’ provision. Thus, it is the liberty of the government, that is, the executive, to take the decision at its convenience.
This not only erodes the transparency of the legislative process but also undermines the public’s ability to understand the scope and implications of the law.

Striking a discordant note

The pursuit of justice for aggrieved parties (sans compensation) requires recourse to the Data Protection Board, necessitating its independence. Yet, the DPDP Act permits the Union government to appoint the chairperson and board members, without specifying any selection procedure, undermining its independence.

This provision contradicts the recommendations of the Joint Parliamentary Committee on the 2019 Personal Data Protection Bill, which sought the nomination of board members by a Selection Committee comprising, in addition to bureaucrats, (i) the Attorney General of India, (ii) an independent expert from fields such as data protection, information technology, or cyber laws, and (iii) Directors of an IIT and an IIM.

The very nature of the independence of the Board is scuttled by this arbitrary mode of appointment. This latitude in appointment curtails the Board’s autonomy, resonating discordantly with the principle of an independent body.

Voluntary undertaking: a haven for delinquents

At the heart of the DPDP Act is Section 32, which introduces a perplexing paradigm of ‘Voluntary Undertaking’. The provision bestows on the Data Protection Board the authority to accept voluntary undertakings from those in non-compliance with the Act’s provisions and to stop further enquiry. The true import of this provision lies not in its apparently benign essence, but in the potential it holds to provide a cloak for delinquents to sidestep penalties.

This can lead to a situation where offenders can dodge fines of up to a staggering Rs 250 crore per offence by giving a mere undertaking, thus nullifying the deterrent essence of the legislation.
By enabling data fiduciaries to escape penalties for non-compliance, the legislation unwittingly forges a let-out clause that could potentially be exploited by those with unscrupulous intent. This, in turn, could dilute the accountability ethos of the Act and result in inadequate enforcement.

Evasion of compensation and accountability

A glaring lacuna is the absence of any provision for the Data Protection Board to award compensation to aggrieved data principals. While penalties can be imposed by the Board on data fiduciaries for contravening the provisions of the Act, and those penalties go to the Consolidated Fund of India as per section 34, the Board is not equipped with the power to award any compensation to the aggrieved Data Principals. This deficiency hampers the effectiveness of the legislation in redressing actual harm suffered by individuals as a result of data breaches or privacy infringements. Curiously, the Act stipulates penalties of up to Rs 10,000 for Data Principals for non-observance of certain provisions of the Act.

The absence of compensatory measures reflects a lopsided emphasis on purported punitive actions rather than restorative justice, a scenario that is particularly hard to swallow in the backdrop of the aforementioned ‘voluntary undertaking’ implications.

Uncharted waters of reasonable security safeguards and transgressions to IT Act

While sub-section (5) of section 8 of the Act purports to grant the Data Protection Board the power to proceed against a Data Fiduciary for breaches of its obligation to implement ‘reasonable security safeguards’ against personal data breaches, with the power to impose a penalty of up to Rs 250 crore, it falters in expounding the meaning of the term ‘reasonable security safeguards’.
This paucity of clarity engenders room for interpretation and potential misuse.

The Act refrains from defining the contours of reasonable security safeguards and from imposing a responsibility upon the Government to delineate them at least by way of Rules. This absence may beget a veneer of compliance, wherein entities could deploy trivial safeguards to evade liability. How can the Data Protection Board arrive at a finding that a data fiduciary failed to take reasonable security safeguards in an instance of personal data breach, when the legislation doesn’t define the same? The transformation of ‘reasonable security safeguards’ into an obscure abstraction dilutes the assurance of data protection.

Such artful manipulation is further underscored by the Act’s proposal to omit sections 43A and 87(2)(ob) of the Information Technology Act, 2000. Section 44(2)(a) of the DPDP Act is for obliterating section 43A of the IT Act, 2000. Section 43A of the IT Act, 2000 enabled an affected person (Data Principal) to demand damages by way of compensation from a body corporate for any negligence in implementing and maintaining reasonable security practices and procedures while processing, dealing or handling any sensitive personal data or information in a computer resource which the said body corporate owns, controls or operates.
Likewise, section 44(2)(c) of the DPDP Act is for abrogating section 87(2)(ob) of the IT Act, supposed to be the only provision which cast a duty upon the central government to prescribe by Rules what constitutes “sensitive personal data or information” and what are the “reasonable security practices and procedures” to be followed by a body corporate while processing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates – against the breach of which an affected party (Data Principal) can demand compensation from a body corporate under section 43A of the IT Act.

So not only does the government prevent a data principal from seeking compensation for a data breach under this DPDP Act, but it has also clandestinely succeeded in removing the two enabling provisions from the Information Technology Act, 2000 – killing three birds with one stone! By quashing the provisions in the IT Act, the Act curbs the avenues for affected parties to seek compensation for data breaches and accentuates their precarious situation, setting a trajectory that contrasts with the European Union’s General Data Protection Regulation (GDPR), which robustly provides for a right to compensation for breach of personal data.

Symphony of exemptions and accountability erosion

A conspicuous vulnerability looms in the mosaic of exemptions strewn across the Act. Section 17 grants the Union government carte blanche to exempt government agencies and data fiduciaries, including start-ups, from various provisions.
The blanket dispensation to government agencies, ostensibly anchored in the interests of the sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these, poses queries about the unbridled exercise of executive power and can result in undue infringement of privacy rights.

Disproportionate exemptions for government entities might inadvertently facilitate the sidestepping of data protection mandates, eroding the legislation’s core intent. Besides, the wide-ranging powers of the Union government to exempt data fiduciaries or classes of data fiduciaries from various provisions of the Act have the potential for misuse and will jeopardise the effectiveness of the legislative edifice, allowing select entities to evade their responsibilities. Likewise, there is no bar on the government operating on the available data, whether digital or non-digital, which has been converted into digital format and stored for any period of time. The data principals have no ‘right to be forgotten’ in so far as the government and its instrumentalities are concerned.

Torpedoing the Right to Information Act

The Act’s impending effect on the Right to Information Act, 2005 also merits close attention. Section 44(3) of the DPDP Act abrogates the essence of Section 8(1)(j) of the RTI Act, effectively rendering the lion’s share of information exempt from the RTI’s purview. Erstwhile section 8(1)(j) of the RTI Act allowed even personal information to be disclosed if the larger public interest justifies the disclosure of such information or it is related to any public activity or interest, even if the disclosure causes an unwarranted invasion of the privacy of the individual, and further insisted that all personal information shall be provided if it is such information as cannot be denied to the Parliament or a State Legislature.
This has been obliterated in the Digital Personal Data Protection Act, 2023, thereby making all personal information exempt from disclosure.

The result would be that Public Information Officers can reject a substantial number of RTI applications, under the guise of personal information, if they so desire. This ominous change would fundamentally weaken the RTI Act and threaten transparency and accountability in governance, curtailing public access to information and eroding the very bedrock of democracy.

Erosion of data processor accountability

The Act’s propensity to dilute data processor accountability is conspicuous. In its previous iteration as the 2022 Bill, data processors were equally responsible for safeguarding personal data and notifying data breaches to the Board and Data Principals. However, the 2023 Act eschews this obligation, potentially enabling data processors, often foreign conglomerates, to elude direct legal repercussions for data breaches. This shift towards appeasing favouritism compromises the accountability of data processors in safeguarding personal data and undermines the principle of shared responsibility.

Dilution of liability for data sharing

Likewise, as per the 2022 Bill, a data fiduciary was responsible for the lapses or wrong actions of another data fiduciary with whom it shared data. This has been dropped in the 2023 Act. This change attenuates the accountability framework and reduces the incentive for data fiduciaries to ensure proper handling and watchful sharing of personal data.

Data principal rights

The 2023 Act also does not make it obligatory for data fiduciaries to obtain consent from data principals before sharing data with other data fiduciaries or data processors. This compromises data principals’ authority over their personal data and raises concerns about the uninformed and uncontrolled sharing of personal data.

Likewise, the 2023 Act no longer requires local storage of data.
Businesses can transfer data to those foreign countries which are not on the negative list to be notified by the Indian government – what would be the criteria for such a negative listing? Can it be used as leverage to exhort foreign countries to toe the line of the Union government? Furthermore, the exclusion of the stipulation for local data storage unfurls the spectre of data transference to foreign jurisdictions without well-defined criteria, necessitating introspection into diplomatic dynamics and the preservation of national interests.

A spectrum of ambiguities, omissions

The DPDP Act introduces ambiguity in critical areas such as data portability, data storage requirements and the processing of non-digital personal data. This inherent ambiguity opens the gateway to divergent interpretations and potential misuses of the legislation.

Exemption for processing children’s data

Though the Act proposes to introduce some protection for children’s data in section 9, it dilutes those objectives in the same breath by introducing exemptions thereon.
Section 9(4) of the Act allows the government to declare any classes of Data Fiduciaries to be exempted from the general restrictions on processing children’s personal data, such as obtaining verifiable consent from the parent or guardian of the child and not undertaking tracking or behavioural monitoring of children or targeted advertising directed at children, subject to such conditions as may be prescribed by Rules.

Equally alarming is section 9(5), which permits the government to exempt any Data Fiduciary from the need to seek parental consent for processing personal data of specific age groups of children, or to empower a data fiduciary to undertake tracking or behavioural monitoring of children or targeted advertising directed at children, if the government is satisfied that the history of data processing by that Data Fiduciary is verifiably safe. This raises concerns of potential tracking, behavioural monitoring, and targeted advertising directed at children without the knowledge or consent of their parents.

An unending exercise

An intricate web of exemptions casts a shadow over the Act’s integrity. Sections 7(b), 7(c), 7(e), and 7(i) provide data fiduciaries broad leeway to process personal data for diverse purposes, often without explicit consent. This may inadvertently facilitate unwarranted surveillance, discrimination or coercion.

Exploitative use of Data by the State: Sections 7(b) and 7(c) grant broad permissions to Data Fiduciaries to process personal data for the State and its instrumentalities. While section 7(b) allows for the use of personal data for any government purpose without explicit consent, even by converting non-digital data to digital form without the permission of the data principal, section 7(c) gives blanket permission for a Data Fiduciary to process any personal data for the State or any of its instrumentalities in the name of the sovereignty, integrity or security of the state.
These clauses can potentially be exploited for surveillance and manipulation under the pretext of governmental functions.

Bypassing Legal Procedures: Section 7(e) enables Data Fiduciaries to process personal data for the purpose of complying with foreign judgments or orders relating to contractual or civil claims, without the permission of Indian courts. This provision essentially circumvents the established legal framework in India for complying with foreign judgments through courts of competent jurisdiction in India, raising questions about the Act’s commitment to due process. It provides for direct execution of foreign judgments without the permission of Indian courts – bypassing the Code of Civil Procedure, 1908 – by circumventing the relevant provisions regarding compliance with foreign judgments through courts of competent jurisdiction in India, as laid down in sections 13, 14 and 44A r/w 2(5) and 2(6) of the Code of Civil Procedure, 1908.

Employer’s power over employee data: Section 7(i) provides employers with the authority to process personal data for employment-related purposes, potentially compromising the privacy and rights of employees.

Absence of data profiling protection

As per clause 4(2) of the 2022 Bill, the foreign processing of data of Indian persons in connection with ‘data profiling’ was also envisaged to be brought under the ambit of the legislation. Now this ‘profiling’ has been dropped from section 3(b) of the 2023 DPDP Act, thereby making the Act apply only to foreign data processing relating to the activity of offering goods or services to data principals in India. Data processing relating to profiling is also a crucial area, and the omission raises concerns about the potential misuse of personal data for profiling and targeted marketing.
This omission contradicts international trends and overlooks the significance of profiling in the modern digital landscape.

Exclusion of non-digital and anonymised data

The Act’s failure to include non-digital personal data, anonymised data, and non-personal data within its ambit raises questions about the comprehensiveness of the legislation. Such exclusions contradict the recommendations of the Joint Parliamentary Committee on the previous Personal Data Protection Bill, 2019 and overlook potential privacy risks associated with these data categories.

Absence of right to data portability

The Act’s failure to include the right to data portability is a significant shortcoming, considering that the 2019 version of the bill, the Joint Parliamentary Committee Report and international regulations such as the GDPR recognise this right. The absence of this provision limits users’ authority over their own data.

Removal of sensitive and critical data distinction

The government’s decision to remove the distinction between sensitive and critical personal data in the 2023 Act eliminates the need for enhanced protection for specific categories of personal data. This move dilutes the protection offered to sensitive information. The distinction between different categories of personal data was recommended by Justice B. N. Srikrishna and was included in the Personal Data Protection Bill, 2019 and the Joint Parliamentary Committee recommendations as well – all are now ‘digital personal data’ and none have any proper protection or right to compensation.

Absence of provisions for compensation for harm

The concept of “harm to data principal” has been removed from the Act, and instead it focuses on protecting the “rights of data principals”; albeit the Act does not include provisions that enable data principals to seek compensation for infringements of their deemed rights. The 2019 Bill, the JPC Report on the 2019 Bill and the 2022 Bill had all defined ‘harm’.
The DPDP Act ought to have included provisions delineating the types of “harm” to data principals on breach of personal data, the occurrence of which would provide locus standi to a data principal to raise a claim for compensation by approaching the Data Protection Board or Appellate Tribunal.

The conundrum of individual rights

From the potential misuse of children’s data to the granting of excessive power to the State, the Digital Personal Data Protection Act, 2023 falls short of ensuring comprehensive data protection. Furthermore, the omission of critical elements such as a definition of reasonable security safeguards, the lack of provisions for compensation, and the unfettered power of the government to grant a deluge of exemptions indicate a missed opportunity to create a robust framework for safeguarding individuals’ digital rights. It brings forth a labyrinthine journey, one fraught with uncertainties and ambiguities. Its lack of specificity, clarity and accountability leaves a trail of apprehensions impacting data principals and the broader data protection landscape in India. Striking a harmonious balance between individual rights and emerging digital exigencies remains an enduring challenge. The ambiguities, omissions, and exemptions within the Act may lead to inadequate enforcement, reduced accountability, and diminished transparency.

The Right to Privacy has been held to be sacrosanct to human existence and an inalienable facet of human dignity and autonomy. Recently, in the context of the ‘Pegasus’ surveillance software, the Supreme Court observed, “The right to privacy is directly infringed when there is surveillance or spying done on an individual, either by the State or by any external agency”. The widespread storage and collection of personal data of individuals, taken without consent, violates the principles of “personal informational privacy”.

It has been unequivocally declared by the constitution bench of the Supreme Court in Justice K.S. Puttaswamy (Retd.) v. Union of India and Ors. that “the right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution”. Thus, the onus lies on the Indian legal system to ensure that the DPDP Act 2023 withstands the scrutiny of judicial review and charts a course toward data sovereignty, rather than being marred by half-measures and veiled compromises.

John Brittas is a Rajya Sabha member and Aneesh Babu is a researcher.