Overview of the Impact on Data Fiduciaries

Introduction

With Parliament finally passing the Digital Personal Data Protection Act, 2023[1] (hereinafter “the Act”), the digital space in India will see a significant shift. The Act has finally introduced some much awaited and needed legislative regulation of functions such as the use, collection, processing, transfer and storage of personal data, all the while attempting to balance data privacy interests with those of data fiduciaries whose business functions depend extensively upon their ability to collect, process, use and transfer personal data. Data fiduciaries have been defined under Section 2(i)[2] as any person, natural or artificial, who determines the purposes and methods of personal data collection. This would end up including e-commerce platforms, social media platforms and the like. However, if an entity is only providing the goods and services but is not really accessing any personal data, then such an entity would only be a data processor as defined under Section 2(k) of the Act. The roles thus vary depending upon the degree of involvement in the collecting and processing of data.

As data has become central to consumerism, businesses will be significantly impacted by the regulations introduced by this new Act. With increased breaches and security concerns accompanying the rapidly increasing trend of large-scale data collection, the Act is certainly a welcome introduction despite the fact that it will pose certain initial challenges to data fiduciaries and processors as they would have to adapt and accommodate the rights of the data principal as provided for under the Act.

Some critical drawbacks vis-à-vis enforceability

The Act certainly does leave some things to be desired and does not fully realise its purpose of safeguarding data privacy and protecting individuals from breaches. The fatal flaw arguably remains that it has oversimplified how “data” itself is classified. “Data” in the Act is broadly defined as a representation of information, facts, concepts, opinions, or instructions in a manner suitable for communication, interpretation and/or processing either by human beings or automated means. “Personal data” is further defined as any data about an individual who is identifiable by or in relation to such data. While the 2022 Bill created a distinction between “sensitive personal data” and “personal data”, the new Act has neglected to do so. While it remains unclear what brought on this change, not only is it a missed opportunity but it may also result in multiple challenges going forward. Firstly, the marginalised continue to be vulnerable and the need for an added layer of protection, fine-tuned specifically to certain types of breaches, remains unaddressed.[3] “Sensitive personal data” would have been any data relating to sex, religion, etc. which makes a data principal more vulnerable to discrimination and abuse. A separate classification and added protection for factors against which discrimination is even constitutionally protected would certainly have been an opportunity to safeguard the marginalised. A wide classification of all kinds of information as just “personal data” oversimplifies something which is increasingly dynamic and complex in nature. The extent and variety of data which is collected, mined, and processed has become increasingly unfathomable.

From an economic perspective too, classifying everything as just “personal data” may create increased workload and difficulties for data processors and fiduciaries. Rather, a classification of the said “data” into smaller categories such as “economic data”, “personal data”, “sensitive personal data” and so on, would have made it much easier to comply with regulatory norms. The degree of compliance required, protection expected on the part of data fiduciaries and regulatory framework as put in place including how the data could be processed, shared, stored and so forth, would have helped create a more comprehensive system of both regulation and penalisation. Both the data fiduciaries and the data principals would in the long run be better off in such a case.

The other fatal flaw which remains is the fact that the Act for the most part only provides a rough outline/structure, meaning that much of it remains contingent upon delegated legislation and further notifications, rules and regulations being framed by the Central Government. Compliance hence may become difficult as the full extent and nature of these requirements remain unclear. This also means that the Act gives the Government extensive powers and rein over the application of the Act, blurring the separation between the legislature and the executive. The trend of vague definitions is common elsewhere in the Act too. For example, the term “lawful purpose” remains undefined, whereas some other countries in their data protection legislation have opted to provide a list of purposes which may classify as “lawful” to reduce the scope for ambiguity. The more detailed and well-set-out an Act, the easier it is to comply with. It appears that in its bid to ease business operations while still providing some sort of protection, the Act may have become too bare and hence may prove to be counterproductive.

A summary of the obligations placed on data fiduciaries under the Act

The Act, as an obvious consequence, certainly has increased the administrative burden on the data fiduciaries as it increases the obligations placed upon them and calls upon them to foster principles of transparency and accountability. The Act aims to empower and protect the data principals, granting them greater control over what data they are consenting to being collected and processed, for what purposes and to what extent, and enables them to withdraw/alter the consent even after it has been given.

Multiple other jurisdictions such as the European Union, Singapore, and the United States of America already have data protection legislation in place, with varying degrees of success, which after some initial difficulties and challenges has been streamlined; data fiduciaries have learned to comply with it and have evolved systems to aid with it. The same adjustment curve will also be required once the Act is enacted in India, albeit a longer one given the fact that it remains vague. However, since the onus of ensuring protection, safety and precaution remains on the data fiduciaries, it would be prudent for them to start the process at the earliest opportunity. The Act tasks the data fiduciaries with certain compliance requirements which at the onset would be taxing to achieve.

Consent requirement

Purpose limitation and bare minimum information

A salient feature of the Act is the “consent” requirement. Business entities, or rather data fiduciaries, would now need to obtain express, free, informed, specific and unambiguous consent from the users before collecting, processing, sharing, or using their personal data for any purpose. At the time of collection of such personal data, per Section 5(1) of the Act,[4] the fiduciary ought to inform the data principal of the personal data which is being collected and the purpose for which it is being collected, the manner in which he/she may exercise their rights as provided for under this Act, and the manner in which he/she may raise a complaint to the Board. The manner of the same is yet to be prescribed, however.

What may also be dubbed the purpose limitation, Section 7(a) of the Act[5] restricts the usage and collection of personal data only to the specified purpose for which consent was obtained while collecting it. Apart from this, the section does provide for other scenarios under which personal data may be processed by the data principal; these relate to State instrumentalities and certain other objectives in cases of extremity. Data fiduciaries would now have to be better prepared with clarity on the purpose of obtaining the data, the ways they will use it and so forth, as all these details would necessarily have to be shared with the data principal. Additionally, there is also the obligation to collect the bare minimum data as may be required for the said purpose, and nothing beyond that. These features allude to attempts at incorporating the principles set out in the landmark privacy judgment of 2017 in K.S. Puttaswamy (Privacy-9J.) v. Union of India.[6]

Interestingly, the informed consent requirement has not been limited to just data which is proposed to be collected after the enactment of this Act. Where the consent from the data principal has been collected prior to the commencement of the Act, Section 5(2) places upon the fiduciaries the responsibility to give the data principal a notice informing them of the details previously mentioned. After providing such a notice, the fiduciary may continue to process the personal data until the data principal withdraws their consent. This certainly complicates things for the data fiduciaries and creates a humongous administrative burden, only made worse whenever the data principal exercises their right to withdraw the consent.

Right of the data principal to withdraw consent and demand erasure, corrections, etc.

Section 6(4) of the Act[7] provides for the right to withdraw consent when the consent given by the data principal is the basis of the processing of personal data. The data principal may withdraw their consent at any time, and it is the duty of the fiduciary to ensure that the data principal can do so with as much ease as they gave the consent with, to begin with. While the withdrawal of such consent will not impact the legality of the data processed up until that point, the fiduciary within a “reasonable time” ought to cease, on its own or through its data processors, any further processing of the personal data. The data so collected would thus have to be erased from their servers. The data principal also has the right to demand correction, completion, updating and erasure of the personal data for which they had previously given consent. Compliance with the same is compulsory for the fiduciary unless retention of such data is necessary for the specified purpose under the Act or for compliance with any law in force at the time.

This certainly poses trouble and increased workload for the fiduciaries who have been put to strict compliance with these provisions under the Act. The need to invest in systems suited to navigate such processes is pertinent.

Right to obtain information and grievance redressal

Additionally, the data fiduciary has been tasked with the duty to make available to the data principal grievance redressal mechanisms regarding the performance of its obligations under the Act. They may also appoint a Consent Manager to whom a data principal may reach out for any information vis-à-vis their data and its usage. The data principal now retains the right to call upon the fiduciary to provide a summary of the personal data, the identities of all other processors and fiduciaries with whom it has been shared and what has been shared, and any other relevant information, unless the data has been shared upon a request made in writing for the purpose of prevention, detection or investigation of offences or cyber incidents, or for prosecution/punishment. Thus, the data fiduciaries would now have to invest in and devise such systems as enable them to readily maintain such complex and streamlined records. The data principal may manage, review, give or withdraw their consent through these managers, who will be accountable to them under the Act.

Responsibility of the data fiduciary to protect and secure the data so collected

Section 8 of the Act[8] has placed the complete responsibility for ensuring compliance with the provisions of the Act and for protection of the personal data so collected upon the data fiduciaries. They ought now to take all appropriate/reasonable measures so as to ensure that the personal data is protected from any kind of “breach”. The responsibility for protection of any data being processed on their behalf by a data processor would also be upon the data fiduciaries. The data fiduciaries would now have to invest in data masking and encryption technologies to strengthen their measures, as the penalties set for such breaches could be as much as INR 250 crores depending on the nature and scale of the breach, as provided for in the Schedule annexed to the Act. The fiduciaries would also have to inform the data principal of any such breaches within a “reasonable time-frame”. While the same is yet to be defined, mechanisms to ensure compliance would have to be put in place, else the fiduciaries risk facing serious penalties. The positive obligation to ensure compliance and protection has been placed singularly upon the fiduciaries and fosters greater accountability and responsibility, which had previously been missing.

Processing and collecting data of children or certain persons with disabilities

The data fiduciary after the implementation of this Act would have to compulsorily obtain verifiable consent of the parent or lawful guardian of children or certain persons with disabilities, before processing any personal data of said persons. It further restricts targeted advertising and behavioural monitoring or tracking vis-à-vis children. It also restricts the processing of any personal data which may be detrimental to the well-being of a child.

With the onset of increased social media activity across different mediums, children have become increasingly vulnerable. The same is without a doubt. What is also an often-concerning pattern is how often parents are completely unaware of just how exposed the child is to the digital world. That being said, the age cut-off for the consent requirement from parents would have to be substantially altered and reduced in this specific context. In a culture like India’s, where the parents are already heavily involved in the lives of their children and monitoring the same, teenagers face increased risk of alienation, control, and monitoring. The age cut-off here need not be the same as the age of attaining majority. Persons with disabilities also face the same risk of alienation and control. The approach may be described as patronising at best, as it takes away from the “protected classes” herein their autonomy and right to privacy. A better mechanism ought to be developed.

The worst affected by this would potentially be those at the helm of social media platforms. The data fiduciaries should expect a significant decline in the percentage of children who would consequently be registered on these social media, gaming, and OTT sites, as well as in the extent of usage. A 2023 survey in fact showed that approximately 73% of the Indian parents in the sample surveyed want parental consent to be required before children can access/register on such platforms.[9] This would also create an additional compliance requirement, increased administrative costs and decreased ease of registration for such platforms, which has often been an important factor in their marketability. However, to some extent, this is a regulation certainly welcomed by parents, as children may very well be among the most vulnerable groups caught in the new digital wave.

Cross-border transactions

With the increase in trade of digital services across borders, “data” now travels beyond countries and boundaries and has almost become a commodity of sorts. Much like is the case in the trade of more common commodities, the international trade of data too is interdependent and increasingly vital to the global economy. It thus follows that an effective and efficient legal framework for cross-border data transfer is a necessity for every country.

There exists a conflict between two approaches adopted by different nations, at opposite ends of the spectrum from each other. On one side is the “single market” approach, as adopted by the European Union, intended to enable data trade and transfer across borders freely and with ease.[10] On the other end is the approach rooted in data sovereignty, which essentially refers to the idea that a country has the authority to govern and control the data generated within its borders.[11] Where India would stand on the spectrum remains to be seen. While Section 16 of the Act[12] gives the Central Government the power to issue notifications restricting the transfer of personal data by a fiduciary to certain countries and territories outside India, no specific list has been provided as to what these restrictions would be, to which countries they would apply and to what extent.

However, much like the trade of other commodities, such an approach renders the trade of data and cross-border transfers of the same extremely vulnerable to global politics and political relations between countries. Such ambiguity creates an environment of increased volatility for the data fiduciaries, especially those based out of India.

Conclusion

Many of the obligations which will be placed on data fiduciaries remain to be culled out and specifically laid down, as significant portions of the Act are dependent upon delegated legislation and subsequent enactment of further rules by the Central Government. On account of this, there certainly seems to be some cause for concern, as there is increased volatility and uncertainty for the data fiduciaries. The scope and application of this Act is likely to be heavily impacted by external factors such as politics, domestic and global, ruling party ideologies and so forth. That being said, the intention of the legislation shines through as being to provide some framework of protection and regulation in the interests of the data principal while, at the same time, giving the data fiduciaries wide enough scope and freedom to adapt, evolve and thrive in the Indian market.


†Principal Associate at Karanjawala & Co., New Delhi. Author can be reached at varunkrgoel@gmail.com.

††Associate at Karanjawala & Co., New Delhi. Author can be reached at ishikaamittal2000@gmail.com.

1. Digital Personal Data Protection Act, 2023.

2. Digital Personal Data Protection Act, 2023, S. 2.

3. Indranath Gupta and Paarth Naithani, “Separating Personal Data Protection from Non-Personal Data Governance”, (2023) 58(36) Economic and Political Weekly (epw.in, 9-9-2023).

4. Digital Personal Data Protection Act, 2023, S. 5.

5. Digital Personal Data Protection Act, 2023, S. 7.

6. (2017) 10 SCC 1.

7. Digital Personal Data Protection Act, 2023, S. 6.

8. Digital Personal Data Protection Act, 2023, S. 8.

9. Samidha Jain, “73% Indian Parents Want Parental Consent for Children to Access Social Media, OTT” (forbesindia.com, 22-9-2023).

10. Carsten Schmidt and Robert Krimmer, “How to Implement the European Digital Single Market: Identifying the Catalyst for Digital Transformation”, (2022) 44(1) Journal of European Integration 59-80, https://doi.org/10.1080/07036337.2021.2011267.

11. Cindy Tian, “Classification of Indigenous Data Sovereignty and Data Privacy: Indigenous and Common Law Patterns”, (2022) 47(1) NDLScholarship 1 (scholarship.law).

12. Digital Personal Data Protection Act, 2023, S. 16.
