Willow Legal

Unveiling India’s Digital Data Protection Act: Safeguarding Privacy in a Digital Era

In 2017, a nine-judge bench of the Indian Supreme Court, in the historic case of Justice K.S. Puttaswamy (Retd.) & Anr. vs. Union of India & Ors[1], unanimously ruled that the right to privacy is a fundamental right under Article 21 of the Indian Constitution, i.e. the right to life and personal liberty. That apex court decision has since become a cornerstone for privacy law in India and also initiated the discussion on the imminent need to enact a data privacy law for India's young and growing digitised economy. On 11 August 2023, the Digital Personal Data Protection Act, 2023 (“Act”) received the assent of the President of India, and the country is now set to embrace a statute that will protect the digitised data of its citizens.

As per a recent report released by Cisco[2], it is anticipated that in 2023 India will have around 907.4 million internet users (approximately 64% of the country's population), a significant jump from the 398.2 million users reported in 2018. Furthermore, in May 2023 the Unified Payments Interface (“UPI”) reportedly recorded around 9.41 billion transactions, with a total value estimated at close to INR 14 trillion[3]. These figures speak for themselves about India's reliance on and regular use of digital data; legislation to protect citizens' personal data was therefore the need of the hour, and the Act could not have been approved at a more opportune time.

The following are some of the salient features of the Act:

Scope

The Act stipulates that it applies to the processing of personal data that is collected in digital form, or collected in non-digital form and digitised subsequently[4]. Interestingly, the Act also applies to digital personal data being processed outside India for the purpose of offering goods or services to owners of the personal data in India[5]. However, the Act does not apply if the personal data is processed for any personal or domestic purpose[6], or if such data has been made public by the owner of the data or by any other person under a legal obligation to make such data publicly available[7].

Obligations imposed

The Act imposes obligations on the companies processing personal data (“Data Fiduciaries”) to secure consent from the owners of that personal data (“Data Principals”) before processing it.

(a) Notice to Data Principal

The Data Fiduciary has to give prior notice to the Data Principal about the personal data that is to be processed and the exact purpose for which it will be processed[8]. The Data Fiduciary is also obliged to inform the Data Principal that they have the right to withdraw their consent at any point in time[9], and the Data Principal must be told the manner in which they may lodge a complaint with the Data Protection Board established under the Act[10]. It is pertinent to note that such notice has to be given by the Data Fiduciary in English or in any other language specified in the Eighth Schedule of the Constitution[11]. Where the Data Principal had consented to the Data Fiduciary's access to the personal data prior to the commencement of the Act, the Data Fiduciary is under an obligation to inform them of the purpose for processing the data, the manner in which the Data Principal may exercise their rights and the manner in which they may make a complaint to the Board[12]. It is also pertinent to note that consent from the Data Principal should be “free, specific, informed, unconditional and unambiguous with clear affirmative action and shall signify processing of the data for the specified purpose”[13]. Therefore, the Data Fiduciary is under an obligation to ensure that the purpose is clearly specified to the Data Principal while obtaining their consent. If at any juncture the Data Principal wishes to withdraw their consent, they shall be allowed to do so, and withdrawing consent shall be as easy for the Data Principal as giving it[14]. The Data Principal also has the right to seek correction or updating of their data held by the Data Fiduciary[15].

This is very progressive language in the legislation: giving consent to the use of private data is often easy while withdrawing it is an arduous task, and now that the statute clearly stipulates that it is the duty of the Data Fiduciary to ensure the ease of withdrawing consent, it creates a more trustworthy environment for the Data Principal to share their data. The Act also grants Data Principals the right to obtain from the Data Fiduciary information such as the personal data being processed, the other Data Processors or Data Fiduciaries with whom the data has been shared, and any other information pertaining to the processing of their personal data[16].

(b) Certain Legitimate Uses

An intriguing phrase introduced in the Act is ‘certain legitimate uses’. Clause 7 of the Act delves into this concept, encompassing activities such as using data for the initially consented purpose, allowing the State to provide services based on consent or digital availability of the data, enabling State functions in the national interest, complying with laws and legal judgments, and responding to medical emergencies. While the language is comprehensive, its scope can be quite sweeping, and only with the efflux of time can its use by Data Fiduciaries and the State be ascertained.

(c) Onus on the Data Fiduciary

It is pertinent to note that the Act places the responsibility for complying with its provisions solely on the Data Fiduciary: even if it appoints a Data Processor to process the data or engages another Data Fiduciary, the Data Fiduciary remains liable to ensure the protection of the data and to undertake measures to protect it[17]. However, the Central Government retains the right to restrict the transfer of personal data by a Data Fiduciary to countries or territories outside India[18]. This is a blacklisting approach, i.e. only the territories explicitly identified are subject to restrictions on the transfer of personal data. Therefore, in the times to come, Data Fiduciaries will have to keep an eye out for any territory specifically restricted by the Central Government for data transfer.

In the event of a data breach, the Data Fiduciary has to inform the Data Protection Board of India (“Board”) and each affected Data Principal of the breach[19]. It is also pertinent to note that, based on the nature, gravity, duration and type of breach, the Board will impose a monetary penalty on the Data Fiduciary (after conducting an inquiry as per the Act)[20]. This onus on the Data Fiduciary was much needed, given the recent surge of reported data breaches at e-commerce platforms such as Bigbasket[21] and Cleartrip[22]. This provision offers significant reassurance to Data Principals that, once the Act is enforced, such a breach of their data will not leave them without a remedy. The Data Fiduciary is also responsible for establishing an appropriate forum for the redressal of Data Principals' grievances[23].

(d) Significant Data Fiduciary

If a Data Fiduciary has access to a considerable volume of sensitive data, or data that can pose a risk to the rights of the Data Principal, impact the sovereignty and integrity of India, or pose a risk to electoral democracy, the security of the State or public order, then the Central Government may classify it as a “Significant Data Fiduciary” (“SDF”), and such a fiduciary will bear a greater onus for the protection of the important data it may possess. The SDF will be responsible for appointing a Data Protection Officer to address the grievances of Data Principals and to represent the SDF before the Board. Furthermore, the SDF will also be under an obligation to appoint an auditor to carry out a data audit and evaluate the SDF's compliance with the provisions of the Act. The SDF will also have to undertake a significant data impact assessment among various other steps. This distinction between Data Fiduciaries and Significant Data Fiduciaries appears critical in the wake of incidents such as the Cambridge Analytica scandal that surfaced in the United States of America in 2015–16, in which Cambridge Analytica claimed to have used the personal data of Facebook users on behalf of its clients to target political messages at people who could be influenced. Therefore, in a world where information is power, it is necessary to ensure that SDFs bear a certain amount of responsibility towards Data Principals.

(e) Obligations of Data Principal

Needless to say, a Data Principal is granted rights under the Act contingent upon certain compliance on its part as well. These include: complying with the laws in force in India; not impersonating another person while providing personal data; not suppressing material information while providing information; not registering any false or frivolous grievance under the Act; and furnishing only authentic information[24].

(f) Exemptions

Easily one of the most discussed aspects of the Act are the exemptions it grants. The Act carves out the following uses of personal data as exempt from the applicability of certain provisions of the Act[25]:

i. To enforce legal rights;

ii. By courts and similar bodies for performance of their function;

iii. For preventing, detecting or solving crimes;

iv. Use of personal data of individuals outside India, processed pursuant to a contract entered into outside India by an India-based person;

v. For scheme of arrangement or amalgamation approved by a court or tribunal;

vi. For ascertaining financial information, assets and liabilities of individuals who have defaulted in the payment of loans or advance taken from a financial institution.

Whilst the above exemptions are acceptable, the non-applicability of the provisions of the Act to the following actors has raised some concern[26]:

(a) Central or State government or their instrumentalities acting in public interest or for protecting the sovereignty of the country or for research, archival or statistical purposes in a manner that does not directly pertain to the Data Principal;

(b) Certain classes of Data Fiduciaries, which may include start-ups, as the Central Government may notify; this will depend on the volume and nature of the personal data being processed.

In response to the objections raised by members of the Hon’ble Rajya Sabha, Minister Ashwini Vaishnaw (Minister for Railways, Communications and Electronics & Information Technology) clarified specifically on the concern of start-ups being exempt, stating that the carve-out under clause 17 is given to a class of data fiduciaries, including start-ups, only with respect to certain compliances under the Act, and that this was done with the intent of providing them the flexibility to create a “regulatory sandbox”; once it has been used for proving the product, the Act will apply. Therefore, as per the interpretation of clause 17(2) provided before the Rajya Sabha, it appears that start-ups can avail the benefit of an exemption under clause 17(2) only while they are in the process of testing a new product that may require the collection and processing of personal data, and once such a product is launched in the market, the provisions of the Act will be applicable. However, as per my limited understanding, upon reading clause 17(2), the purpose of the provision being a regulatory sandbox is not very clear. We may get further clarity on this once the Board rules on issues pertaining to this provision.

(g) Board

The Act stipulates the establishment of a Board headed by a Chairperson appointed by the Central Government, along with a few other members[27]. The exact constitution of the Board has not been laid out in the Act and will probably be dealt with in the rules that follow. It is pertinent to note that the Act itself stipulates that the Board will function as a digital office, i.e. complaints will be filed, heard and decided digitally[28]. This is indeed a forward-looking aspect of the legislation, more so when several courts, such as the Supreme Court and the Hon’ble Delhi High Court, have also shown an inclination towards adopting a digital and more accessible approach for all.

Any appeal from an order or direction of the Board will lie before an Appellate Tribunal within a period of 60 days from the receipt of the order or direction appealed against[29]. Interestingly, the statute mandates that any appeal has to be disposed of within 6 months from the date the appeal is presented[30], and upon failure to do so, the Appellate Tribunal will have to record its reasons for being unable to do so[31]. This too is a positive move towards reducing the backlog of cases and ensuring the speedy disposal of matters. Another positive provision in this statute is that the Board itself may recommend that the parties resolve a complaint by mediation, if that seems possible to the Board and the parties mutually consent[32].

(h) Penalties

The Act stipulates that the Board may, upon hearing the parties, impose a monetary penalty on the party acting in breach of the provisions of the Act[33]. The Board will quantify the monetary penalty upon considering factors such as the nature, gravity and duration of the breach; the nature of the personal data affected by the breach; whether the breach was repetitive or whether the breaching party gained or avoided any loss as a result; whether the breaching party undertook any measures to avoid such breach, etc. Monetary penalties received by the Board will be credited to the Consolidated Fund of India.

It is interesting to note that one of the members of the Rajya Sabha argued that whilst the Act contemplates the nature of the personal data affected by a breach, it fails to distinguish between causal damage suffered by a Data Principal as a result of the data breach and reputational damage that a Data Principal may suffer due to such breach. The latter damage, being of a more serious nature, should in fact attract a punitive penalty, as per the member's recommendation. This is an interesting recommendation, and it will be worth noting whether the Board in future also treats reputational damage as distinct from any other harm or damage suffered by a Data Principal due to a data breach. The maximum penalty for breach of the provisions of the Act is INR 250 crores[34].

(i) No Prosecution against the Central Government

Whilst the Act is quite forward-looking, in a rather surprising provision it stipulates that no suit, prosecution or other legal proceeding shall lie against the Central Government, the Board, or the Chairperson, members or employees of the Board for anything done or “intended to be done” in good faith under the Act or the rules that are yet to be framed.

The Act is indeed a welcome step towards protecting the privacy of citizens; however, its implications and effectiveness will only be tested once it is enforced.

Endnotes:

[1] (2017) 10 SCC 1, AIR 2017 SC 4161.

[2] Cisco (2022) Cisco Annual Internet Report (2018–2023) White Paper. Available at: https://www.cisco.com/c/en/us/solutions/collateral/executive-perspectives/annual-internet-report/white-paper-c11-741490.html (Accessed: 14 August 2023).

[3] ETBFSI (2023) UPI transactions at record high, clocks 9.4 bln in May’23, ETBFSI.com. Available at: https://bfsi.economictimes.indiatimes.com/news/fintech/upi-transactions-at-record-high-clocks-9-4-bln-in-may23/100671966 (Accessed: 14 August 2023).

[4] Clause 3(1)(a) of the Act.

[5] Clause 3(1)(b) of the Act.

[6] Clause 3(1)(c)(i) of the Act.

[7] Clause 3(1)(c)(ii) of the Act.

[8] Clause 5(1)(a) of the Act.

[9] Clause 5(1)(b) of the Act.

[10] Clause 5(1)(c) of the Act.

[11] Clause 5(3) of the Act.

[12] Clause 5(2) of the Act.

[13] Clause 6 of the Act.

[14] Clause 6(4) of the Act.

[15] Clause 12 of the Act.

[16] Clause 11 of the Act.

[17] Clause 8 of the Act.

[18] Clause 16 of the Act.

[19] Clause 8(6) of the Act.

[20] Clause 33 of the Act.

[21] Abrams, L. (2021) Hacker leaks 20 million alleged BigBasket user records for free, Bleeping Computer. Available at: https://www.bleepingcomputer.com/news/security/hacker-leaks-20-million-alleged-bigbasket-user-records-for-free/ (Accessed: 21 August 2023).

[22] Singh, J. (2022) Flipkart’s Cleartrip confirms data breach, TechCrunch. Available at: https://techcrunch.com/2022/07/18/cleartrip-data-breach-dark-web/ (Accessed: 21 August 2023).

[23] Clause 8(10) of the Act read with Clause 13 of the Act.

[24] Clause 15 of the Act.

[25] Clause 17(1) of the Act.

[26] Clause 17(2) of the Act.

[27] Clause 27 of the Act.

[28] Clause 28 of the Act.

[29] Clause 29(2) of the Act.

[30] Clause 29(6) of the Act.

[31] Clause 29(7) of the Act.

[32] Clause 31 of the Act.

[33] Clause 33 of the Act.

[34] Schedule (Clause 33(1)).
