The Digital Personal Data Protection Act (DPDPA), 2023 – which was passed in the Rajya Sabha – has now become a law. It received presidential assent on August 12.
However, the law appears to be impeded by several fundamental flaws, which are likely to prevent it from fulfilling the objectives it was meant to achieve when it was being drafted as a data protection and privacy law. More importantly, the law may ultimately be seen as a tool through which the government can circumvent the already scant mechanisms available to individuals for exercising informational autonomy and ensuring the privacy of their personal data.
The initial Digital Personal Data Protection Bill was prepared and delivered to the Ministry of Electronics and Information Technology (MeitY) by an expert committee headed by Supreme Court Justice B.N. Srikrishna in 2018. This happened after a year of deliberations and changes since the need for a privacy law was articulated in the landmark 2017 judgment of Justice K.S. Puttaswamy v. Union of India. In the ruling, the Supreme Court bench held privacy as a fundamental right protected under Article 21 of the constitution.
Both the letter and spirit of the law have seen several deviations since that time. The 2018 draft Bill, for instance, recognised the importance of appropriately classifying data, affording special consideration to the protection of personal data deemed sensitive in nature. The most recent iteration of the law, however, does not distinguish between personal data and sensitive personal data, nor does it afford any additional consideration to adequately protect such data.
There are some advantages. For instance, for the first time, personal data belonging to or identifying children will have to be classified separately, with such data carrying a greater degree of security and privacy. The law also seeks to reduce the rate and impact of data breaches targeting Indian businesses, and goes a step further by imposing penalties in cases where data is breached as a result of a failure to implement adequate security controls.
It could be said that the law isn’t balanced, because it grants the government wide exemptions for the processing of personal data. For instance, data can be processed “in the interest of prevention, detection, investigation or prosecution of any offence […] in India.” Such exemptions are dangerous, as they stand to legitimise widespread and unwarranted collection of data under the guise that the collection and processing may ultimately be useful for preventing or deterring a crime.
In theory, any data belonging to any person, at any time, may potentially be useful in the future indefinitely for the prevention or detection of a crime, retrospectively or otherwise. In that light, unchecked and surreptitious government surveillance is not only still a risk with the DPDPA, but such surveillance now has legal backing, too.
Security agencies will have significant authority to collect and retain any data whatsoever, as is typically the case with exemptions relating to the maintenance of sovereignty, integrity, security of the state, preservation of public order, prevention of offences, and incitement to commit offences.
The law also exempts the processing of personal data held outside of India. The government is further exempt from any requirement to delete data it possesses, whether at the request of an individual or under a prescribed data retention period, regardless of the purpose for which the data was collected.
The government is not bound by purpose limitations, allowing data collected for one specified purpose to be used for a new, incompatible purpose, in contrast to the restrictions imposed on businesses. However, certain types of data, particularly sensitive personal data, would legitimately warrant prescribed retention periods. It’s worth noting that the law does not prioritise one category of data over another, except in cases involving data related to or concerning children.
Further exemptions for the government relate to data deemed “necessary for research, archiving or statistical purposes […]”, as long as such data is not used to make a decision about the persons it identifies. This may seem an agreeable exemption compared to the ones described above, but exemptions for purposes such as research or archival are overly broad, and may still violate the constitutional right to privacy of individuals.
In summation, the Act conflates informational privacy with information security, substituting the latter for an individual’s ability to exercise autonomy over the privacy of their data, and leaves much to be desired. The enactment of the DPDPA in this state appears to deviate from the original vision of what the law could have been, especially since the need for such legislation was first articulated in the Right to Privacy judgment.
Karan Saini is a Delhi-based security researcher with Infosec Clinic.