
Statue of Privacy: Unveiling Impacts Of India’s DPDP Act

Certain legitimate uses allow data fiduciaries to process personal data without consent; this applies when users voluntarily provide data for a specific purpose without objecting to its use.

The Lok Sabha passed the Digital Personal Data Protection Bill (DPDP) in August 2023. This new legislation aims to define the responsibilities of entities handling and processing digital data while ensuring the protection of individuals’ right to privacy in India. The DPDP Bill seeks to create a comprehensive framework for personal data protection, covering data acquired both online and offline that has been digitised.

Background & Context

The need for a data protection law has been in the works since the Supreme Court’s landmark Puttaswamy judgment in 2017, which established privacy as a fundamental right for Indian citizens. The current DPDP Bill is the third revision of India’s draft data protection law.

Application Of The Bill

The Bill applies to the processing of personal data collected within India’s territory, whether stored digitally or digitised from a non-digital form. It also applies to data processed outside India if it relates to offering goods or services to users within India. For cross-border data flow, the Centre will create a list of approved countries where Indian citizens’ data can be stored. However, the Bill does not apply to data made publicly available by users or data required to be made public under Indian law.

Responsibilities Of Data Fiduciaries

Data fiduciaries, defined as those determining the purpose and means of processing personal data, must only process data for lawful purposes with the individual’s consent or for specific legitimate uses. They must notify users before requesting consent and ensure the notice is clear about what data will be collected and its purpose. Consent must be free, specific, informed, and unambiguous, with users having the right to withdraw consent easily. Personal data should be erased once consent is withdrawn or the data is no longer needed for its original purpose. Data fiduciaries are also required to protect personal data and notify the Data Protection Board and affected parties in case of a data breach.

Mathew Chacko, Partner, Spice Route Legal, said: “There are valid public policy reasons why the DPDPA needs to be tempered at the edges in order to ensure adequate protection for the data principals. We expect some of this to be by way of the rules – for example, rules on child protection, consent, interception, appeals, etc. In fact, we hope that the rules will temper down the over-reliance on consent as a ground for processing. We also expect guidance from the DPDPB to smooth over certain rough edges, and our increasingly active data disputes team expects constitutional challenges to also play a role in – and I fully expect that the long shadow of Puttaswamy will ensure that rights of Indian citizens are protected adequately.

Perhaps, the lived experience of the law will persuade the DPB or the central government to introduce a slightly more fleshed out ground for processing data that is similar to legitimate interest in Europe or contractual necessity in Singapore. Fingers crossed!”

Legitimate Uses Without Consent

Certain legitimate uses allow data fiduciaries to process personal data without consent. This applies when users voluntarily provide data for a specific purpose without objecting to its use. Examples include providing a mobile number to a store to receive a receipt. It also covers instances where the state needs data for legal functions, security, providing subsidies, or services, and in situations like court orders, employment, medical emergencies, epidemics, and disasters.

Processing Children’s Data

For processing personal data of children (under 18), verifiable consent must be obtained from a parent or lawful guardian. The Bill prohibits processing that may harm a child’s well-being.

Sandeep Agrawal, Director & Co-founder of Teamlease RegTech, said: “The Digital Personal Data Protection Act, 2023 (DPDP Act), introduced last year was a critical step towards addressing the regulatory arbitrage around data privacy. However, the implementation of the DPDP Act has been deferred due to the absence of subordinate rules and regulations. The oncoming release of the draft personal data protection rules marks the home stretch for the operationalisation of the new regulatory framework. The communication also aligns with the first 100 days expectations of the new government. The overarching act and its delegated legislation will reshape the regulatory framework around collecting, processing, transferring, storing, and disposing of personal and sensitive data. Increased accountability and transparency brought about by the new ecosystem will boost systemic trust by outlining all stakeholders’ duties, responsibilities, rights, and liabilities. Citizens will be able to actively manage access to their personal data either directly or through consent managers. This will bring about the desired uniformity in the compliance environment surrounding personal data. India is home to 800+ million internet users actively engaging in the digital economy. The amount of sensitive data that is being collected, stored, processed, and transmitted raises legitimate concerns about data protection. With the DPDP Act sharing the same principles that were used to develop the GDPR, it will build trust among users that the data protection regulations use the highest international standards. In a DPI-powered economy, the DPDP Act will cement India’s position as a leading digital economy.”

Exemptions Under The Bill

The Central Government can be exempted from the Bill in matters related to national security, public order, and sovereignty. The government and its instrumentalities are not required to delete personal data they have collected, even if the original purpose has been fulfilled. The Central Government can also exempt specific data fiduciaries, including startups, from the Bill’s provisions for up to five years.

Rights & Duties Of Data Principals

Individuals, termed as data principals, have the right to request a summary of their processed personal data and the identities of other entities with whom the data has been shared. They can request correction, completion, and erasure of their data, unless retention is required by law. Data principals can also access grievance redressal mechanisms provided by data fiduciaries or consent managers. They can nominate someone to exercise their rights in case of death or incapacity. Data principals must comply with applicable laws, provide accurate data, and avoid false complaints.

“The DPDPA is expected to enforce stricter data protection protocols, ensuring that personal data is safeguarded against breaches and unauthorised access, in the ever-evolving digital landscape. It is a transformative step for enhancing the privacy and data protection rights of Indian citizens. By establishing higher accountability and responsibility for entities, including internet companies and mobile apps, the Act ensures transparency and answerability in handling personal data. Emphasising the “Right to Privacy,” the Act extends its protective measures beyond India, covering data processing activities abroad related to Indian citizens. This comprehensive approach, applying to all data forms, fortifies data security and empowers individuals with better control over their information. Ultimately, the DPDP Act fosters trust in digital services, encouraging a safer and more ethical digital environment,” stated Darshil Shah, Founder and Director, TreadBinary.

Criticisms & Concerns

Critics argue that the Bill expands exemptions with each revision. Prateek Waghre, policy director at the Internet Freedom Foundation, noted, “Apart from retaining the power to exempt any government instrumentality, the Union Government now has the power to exempt certain data fiduciaries including private entities and startups.” The concept of “legitimate uses” has also been criticised for being too broad, potentially allowing data processing without informed consent in many situations.

Nikhil Pahwa, founder and editor of Medianama, highlighted concerns about publicly available data. He said, “From a privacy perspective, it means that any information being made public can be scraped and copied and used by anyone anywhere,” referencing lawsuits against Clearview AI for scraping social media photos.

The Bill also seeks to amend the Right to Information (RTI) Act, restricting its scope and giving “wide discretionary powers” to the Union government. This amendment could prevent disclosure of personal information in official records.

While the DPDP Bill aims to protect personal data and privacy, its broad exemptions and the expansive definition of legitimate uses have raised concerns about its effectiveness and potential for misuse. The inclusion of data localisation measures and narrowed duties of data principals are seen as positive steps, but critics argue that the Bill still falls short in protecting individual privacy comprehensively.
