India’s Data Protection Act Is More About the Processing of Personal Data Than It Is About Privacy
Edited by: JURIST Staff

Six years after the Indian Supreme Court recognised a fundamental right to privacy, the country finally has comprehensive data protection legislation in the form of the Digital Personal Data Protection Act, 2023 (DPDP Act). The draft Digital Personal Data Protection Bill 2023 (DPDP Bill 2023) was introduced in the lower house of the Indian Parliament, the Lok Sabha, on August 3, 2023, and was passed by both houses of Parliament in just a week’s time. The law has been in the making for over 6 years and was passed by Parliament after a combined total of only 2 hours of debate and discussion amidst uproar over ethnic tensions in Manipur. The DPDP Bill 2023 sprinted through its final stages and was published as an Act of Parliament in the Official Gazette on August 11, 2023. Notably, this is the first Act of Parliament in India’s legislative history that addresses individuals by the pronoun “she” irrespective of gender, instead of the traditionally used “he”.

The law is transformational as it finally provides a framework for the protection of the personal data of over 1.4 billion people in the world’s largest democracy. However, what started with the Srikrishna Committee proposing the Personal Data Protection Bill, 2018 and several other drafts over the years, with rounds of debate, discussions, consultations and negotiations, can best be described as a lost opportunity to strengthen the individual’s right to privacy. The law, as it stands today, gives sweeping powers to the state, and is likely to facilitate surveillance. It is more about the processing of personal data than about data protection or the right to privacy.

The DPDP Act, like any other comprehensive data protection legislation, is based on several underlying fair information principles that are reflected throughout, though not expressly listed. It borrows several of its underlying principles from the likes of the EU’s GDPR. These include an individual’s right to notice, access and erasure, purpose limitation, and breach notification, among many others. The Act applies to the processing of “personal data” within India, where such data is collected digitally or is digitised at a later stage, and to such processing outside India, where it is in relation to offering any goods or services in India. Processing has been defined as automated operations such as collection, storage, organisation, sharing or erasure of personal data. This means that data collected and processed non-digitally has been kept outside the ambit of the Act, which excludes volumes of personal data that continue to be collected physically or offline. The Act further excludes personal data made publicly available from its applicability. This prevents individuals from protecting their publicly available personal data from scraping by search engines or social media platforms.

The Act defines “data principal” as the individual that the personal data relates to (similar to “data subject” in GDPR), and “data fiduciary” as the entity determining the purpose or means of processing personal data (similar to “data controller” under GDPR). The Act prescribes several rights and duties of the data principals as well as creates certain obligations for the data fiduciaries. It defines narrow grounds for the processing of digital personal data. The law also provides for the constitution of a supervisory authority, the “Data Protection Board of India” (Board), which will have the power to inquire into complaints of non-compliance, and impose penalties.

The Act applies to all entities involved in the processing of digital personal data irrespective of their size of operation or ownership status (private or public). It provides for the processing of the personal data of individuals only for certain lawful purposes that the data principals have consented to. In principle, the Act seems to be based on the idea that the consent of the individual is a prerequisite for the processing of personal data. However, Section 7 of the Act specifies certain “legitimate uses” for which a data fiduciary may process the personal data of an individual, without his or her express consent, as suggested by Section 4(1)(b). In an earlier version of the law, the draft Digital Personal Data Protection Bill, 2022 (DPDP Bill 2022), which was released for public consultation in November 2022, the data fiduciary was allowed to assume consent if the processing was considered necessary. Despite criticism, this “deemed consent” clause of the DPDP Bill 2022 has been retained by merely changing the nomenclature to “certain legitimate uses”. Only the public interest sub-clause has been removed from the list of legitimate uses. Notably, the public consultation process announced with the release of the DPDP Bill 2022 lacked transparency, and the comments received were never made public.

Section 5 of the DPDP Act imposes an obligation on the data fiduciary to give notice to the data principal informing her of the personal data and purpose for which the same is to be processed, the manner in which she may exercise her rights as a data principal and how she can make a complaint to the Board. The Notice provision is much weaker than the ones in the previous drafts of 2019 and 2021. Under the present Act, data fiduciaries do not have to inform data principals about the third parties with whom their data may be shared, if their data will be transferred to a foreign nation, and for how long their data will be retained. The draft bills of 2019 and 2021 proposed certain restrictions on the transfer of data to other countries and provided for data localisation. The DPDP Bill of 2022 relaxed these restrictions and allowed the transfer of personal data outside India to countries that are notified by the Central Government. The DPDP Act goes a step further and allows transfer to any country or territory outside India unless blacklisted by the Central Government. Consequently, in the absence of strong data protection laws in the transferee country, the data principal is prevented from protecting her personal data stored there.

One of the major concerns with the DPDP Act of 2023 is the provision for exemptions. Section 17(3) of the Act empowers the Central Government to notify certain data fiduciaries or classes of data fiduciaries, including startups, as data fiduciaries exempted from the application of certain provisions of the Act, including the need to give notice for consent to the data principals. Exempting private actors dilutes individuals’ right to data protection and privacy. This may also give an undue advantage to certain private actors over others. The DPDP Act also provides sweeping exemptions to state actors or instrumentalities. The processing of personal data by notified state instrumentalities will be exempted from the application of the provisions of the Act. The grounds defined for such exemptions are vague, including “maintenance of public order”, and “security of the state”, among others. This raises concerns about unchecked surveillance by the State. The Supreme Court of India in its judgement in Justice K.S. Puttaswamy v Union of India has held that any infringement of the right to privacy should be proportionate to the need for such interference. Unchecked data processing by the state goes against this proportionality test and may lead to a violation of the fundamental right to privacy under Article 21 of the Indian Constitution. Additionally, the Act does not require state instrumentalities to delete the personal data of data principals after fulfilment of the purpose for which it was collected. Further, the Act dilutes purpose limitation as it allows data collected for a specific purpose to be used for another by state instrumentalities for the purpose of granting benefits, subsidies, licenses, etc. The Act exempts the processing of data by the Central Government if the data is provided by an exempted instrumentality of the state.
Using the above exemptions, the government may collect data about citizens without any purpose limitation, store it for as long as it wants in the absence of a right of erasure, and engage in profiling of citizens for surveillance purposes. The Srikrishna Committee’s Draft Bill in 2018 did allow exemptions to be granted to state institutions; however, it called for a law to provide for parliamentary oversight and judicial approval of non-consensual access to personal data. For interception of communication on grounds such as national security, the Supreme Court in its judgement in People’s Union for Civil Liberties (PUCL) vs Union of India had mandated several safeguards such as establishing necessity, purpose limitation, and storage limitation. The exemptions given to the government and its agencies under the DPDP Act may have far-reaching consequences undermining an individual’s right to privacy.

The Data Protection Board of India will only have adjudicatory powers and no regulatory functions. The members of the Board will be appointed by the Union Government for a short term of two years and will be eligible for re-appointment. Appointment of members by the Union Government and short tenure with the scope for re-appointment may affect the independent functioning of the Board.

The DPDP Act leaves room for a lot to be legislated on by the executive. Time and again the provisions of the Act provide for specific situations for which the Union Government will notify rules at a later stage, leaving stakeholders with uncertainty as to applicability and compliance with the law. The Act will not come into effect until the government notifies an effective date. The government may implement the Act in a phase-wise manner with different dates on which different sections of the Act will come into force.

The DPDP Act is a major milestone in an age of data supremacy; however, the Act leaves much to be desired. The wide scope of exemptions for both private actors and state agencies undermines the basic fair information principles. The Act fails to put into place any meaningful safeguards against overbroad surveillance by the state. In effect, the Act seems to facilitate the processing of personal data, instead of focusing on strengthening the right to privacy of an individual. All in all, it is a welcome development which fell short of expectations.

Soumyabrata Chakraborty is a student at Gujarat National Law University.


Opinions expressed in JURIST Commentary are the sole responsibility of the author and do not necessarily reflect the views of JURIST's editors, staff, donors or the University of Pittsburgh.