Over the past half a decade or more, India has been on the course of formulating a robust data privacy law. The journey commenced when the Ministry of Electronics and Information Technology established an expert committee headed by Justice BN Srikrishna to study the pressing issues in data privacy. Significant developments have transpired since 2017, with the issuance and subsequent withdrawal of several drafts of the proposed law. However, until recently, there were no signs of the enactment of a dedicated data privacy law. The lack of a dedicated law for data privacy prompted concerns from various public policy experts as India’s internet user base rose three-fold during the same timeline, with 61 per cent of the households having internet access, making protection of sensitive data all the more critical.
In what appears to be a conclusive effort, the Digital Personal Data Protection Bill, 2023 (DPDP Bill) was introduced before Parliament and came to be passed by both Lok Sabha and Rajya Sabha on August 9, 2023. The Bill seeks to provide for the processing of digital personal data in a manner that recognises the rights of individuals by protecting their personal data while also permitting the need to process such personal data for lawful purposes.
A quick look at the DPDP Bill would make the intent of the lawmakers clear. The legislature is batting for a simple law with a thematic approach to deal with data privacy issues. The DPDP Bill outlines the broader principles to be adopted, leaving more profound regulation to be introduced through delegated legislation.
In terms of applicability, the DPDP Bill has an intra-and extra-territorial application, and applies to the processing of data outside India, so long as the data principle (individual to whom the data relates) is located within the Indian territory. Further, data collected in digital form and those collected in non-digital form but subsequently digitised would also be covered by the DPDP Bill.
Public Interest to the fore
The DPDP Bill has introduced significant changes to the proposed data privacy law regime. First, the DPDP Bill transitions from deemed consent to specific legitimate uses. While retaining the substance of the old draft, the DPDP Bill outlines circumstances in which personal data may be processed without obtaining proper or explicit consent from the data principle. The 2022 draft faced severe criticism from public policy experts for permitting the non-consented processing of personal data in “public interest” — a term that was held to be vague and a potential foot-in-the-door for abuse. The DPDP Bill has taken a better route by eliminating the public interest clause and defining a handful of cases where personal data may be processed without consent.
The DPDP Bill carves out of its scope all personal data that has been made or caused to be made publicly either by the data principles themselves or any other person who is obligated by applicable law to make such personal data publicly available. By allowing personal data that has been made public to fall outside the DPDP Bill’s protection, the potential for misuse and unregulated personal data processing is left unchecked. This could undermine individuals’ control over their own personal information and may create a loophole that could be exploited by data processors and companies, particularly those engaged in data scraping and profiling activities.
The DPDP Bill has also enhanced the regulation of international data transfer. Unlike its predecessor, which discussed about countries to which data transfer would be permitted or allowed, the latest version of the Bill provides for a restrictive approach where the transfer of personal data would be blocked to a country or territory as may be notified by the central government.
In what continues to remain a heavily debated subject, the DPDP Bill expands the scope of exemptions granted to government instrumentalities. This includes State instrumentalities notified by the central government in the interests of sovereignty and integrity of India, security of state, friendly relations with foreign states, maintaining public order or preventing incitement to cognisable offences.
Data Protection Watchdog
Further, personal data necessary for research, archiving or statistical purposes would also be exempted so long as they adhere to standards that may be prescribed in future. The DPDP Bill, like its predecessors, seeks to establish a Data Protection Board of India to act as a watchdog for compliance of the new data privacy law. But, the members of the Data Protection Board would be appointed by the central government in a manner that may be prescribed by delegated legislation as per the terms of clause 19(2) of the Bill. This provision has been hotly debated as experts suggest that the appointment of officials, to the Data Protection Board, by the central government may potentially undermine their independence in matters concerning data processing by the state or its instrumentalities.
The DPDP Bill has come a long way from its predecessors, which were considered more onerous to business and complicated. The Bill also accounts for the diversity of the Indian population by requiring data fiduciaries to frame their request seeking consent to process personal data in simple language while also giving the option to switch between multiple languages.
The two-decade-old Information Technology Act of 2002 has struggled to match the swift pace of technological advancements, particularly in the context of the post-pandemic landscape. As global awareness regarding the significance of data and data processing platforms grows, it was imperative for India to usher in the long-anticipated data privacy legislation. The DPDP Bill presents itself as a straightforward yet encouraging initial step toward establishing comprehensive data privacy regulations. As India stands on the cusp of introducing a dedicated data privacy law, it becomes intriguing to observe the unfolding trajectory of the country’s journey into the realm of data privacy regulation.
(The writer is the founder and head of Trinity Chambers, Delhi)