By Tejaswi Ravinder Battala
Hyderabad, July 18, 2023: About five years after the nine-judge bench of the Supreme Court declared the Right to Privacy a fundamental right in K.S. Puttaswamy v. Union of India, the Union Cabinet has formally approved the Digital Personal Data Protection Bill.
Speaking unequivocally of the importance of privacy, the apex court bench held that privacy is a limit on the power of the government as well as on the power of private sector entities. The bench identified three facets of privacy, among others: physical privacy, informational privacy, and decisional privacy.
Briefly, physical privacy deals with physical spaces and surroundings; informational privacy concerns the digital world, where data protection and regulation are necessary; and decisional privacy confers on an individual the right to make choices privately, such as the right to marry the person they love and the right to conceive.
In the current scenario, where 46.5% of the national population, roughly 660 million people, use smartphones, the digital footprints they leave behind are liable to be invaded by governments, capitalists, and various other data fiduciaries, thereby violating their right to privacy. On the other hand, big data can also be used to further the public interest. But the collection and processing of data must be fair, legitimate, and proportionate, leaving room for individuals to consent or not to consent to the use of their personal data.
The present Chief Justice of the Supreme Court, Justice D.Y. Chandrachud, observed in the Puttaswamy judgment that with the increasing ubiquity of electronic devices, information can be accessed, stored, and disseminated without the consent or notice of an individual. The judges expressed the indisputable view that metadata and data mining expose an individual's personal information to private companies and the State. Hence, there is an imminent need for a data protection regime to safeguard privacy and protect the autonomy of the individual. The Justice Sri Krishna Committee was formed to look into the matter.
The committee chaired by Justice BN Sri Krishna submitted its report and draft bill on Data Protection Framework for India to the Ministry of Electronics and Information Technology on July 27, 2018. Based on the report, the ministry released a draft of the Digital Personal Data Protection Bill and an explanatory note calling for stakeholder consultations on November 18, 2022. The Union Cabinet formally approved the revised version of the Digital Personal Data Protection Bill on July 5.
While the specific changes made to the bill are yet to come to light, reports suggest that the bill has only been fine-tuned in some areas and that no major changes have taken place. Taking this into account, I have tried to pen down an analysis of the draft bill.
Section 4 sets out the applicability and scope of the Bill. It states that the provisions of this Act shall apply to the processing of digital personal data within the territory of India. Further, in sub-clauses (1) and (2), the applicability is extended to data processing outside India in connection with profiling, or the offering of goods and services to businesses in India. It covers digital personal data collected from Data Principals online as well as offline data that has subsequently been digitized.
Section 4(3) states that the Act shall not apply to non-automated processing of personal data.
However, the Bill is silent on digitized records of personal information on which automated data processing has not been carried out. Likewise, digitized records on which automated data processing cannot be carried out have not been brought within the purview of this Act.
Similar to the exemption granted to body corporates under the SPDI Rules, 2011, with respect to the processing of sensitive personal data, this Act also expressly exempts from its application the processing of personal data of Data Principals not within the territory of India, where such processing is carried out by a person based in India as part of a contractual obligation with a party outside India (Section 18(1)(d)).
Section 2(12) defines "Person" to include: (a) an individual; (b) a Hindu Undivided Family; (c) a company; (d) a firm; (e) an association of persons or a body of individuals, whether incorporated or not; (f) the State; and (g) every artificial juristic person not falling within any of the preceding sub-clauses.
Section 6(1) prescribes that before obtaining the consent of a Data Principal, the Data Fiduciary must give an itemized notice, in clear and plain language, describing the personal data being sought. Such a notice can be a separate document or part of the same document. For example, a bank should give notice stating that the purpose of obtaining photocopies of proof of address and identity is the completion of KYC formalities. This notice need not be a separate document; it can be printed on the same form used for opening a savings bank account.
Merely making a privacy notice mandatory does not allow one to assume that the Data Principal has read the notice and understood its contents. Similarly, the fact that a website displays a pop-up page or hyperlink, which must be ticked before one can navigate the website, cannot by itself be treated as consent freely obtained.
In parallel, Section 7(1) states that consent means any freely given, specific, informed, and unambiguous indication of the Data Principal's wishes, by which she signifies agreement to the processing of her personal data for a specified purpose. Any part of the consent that falls outside the scope of the specified purpose, or that constitutes an infringement of the provisions of this Act, shall be invalid to the extent of such infringement.
For example, where A enters into a contract with B to provide some service, B consents to the processing of her personal data by A, and the contract also contains a condition that B waives her right to file a complaint with the Board, that condition shall be considered invalid.
Further, Section 9(6) imposes an obligation on Data Fiduciaries to cease retaining personal data, or to remove the means by which the personal data can be associated with particular Data Principals, as soon as it is reasonable to assume that: (a) the purpose for which such personal data was collected is no longer being served by its retention, and (b) retention is no longer necessary for legal or business purposes.
For example, A opens an account on a social media platform X. After a while, A deletes the account. X must stop retaining A's personal data and must remove the means by which that personal data can be associated with A.
Section 7(6) grants the Data Principal the right to give, manage, review, or withdraw consent to the Data Fiduciary through a Consent Manager. The Consent Manager is itself a Data Fiduciary, acting on behalf of the Data Principal, in an arrangement resembling a B2B transaction. Much like the licensed Account Aggregators regulated by the RBI, businesses are yet to launch Consent Managers and consent management tools that can give effect to the rights and duties of Data Principals laid down in this Act.
Obtaining verifiable parental consent has been made mandatory (under Section 10(1)) before processing any personal data of a child. Data Fiduciaries are forbidden from processing personal data in a manner that is likely to cause harm to a child. The Act also bars them from tracking or behaviorally monitoring children and from targeted advertising directed at children. But the procedure for obtaining verifiable parental consent has not been discussed in detail.
Section 11(2)(a) calls for the appointment of a Data Protection Officer by a Significant Data Fiduciary, who shall be the point of contact for the grievance redressal mechanism laid out in this Act. An independent Data Auditor must also be appointed to evaluate the Significant Data Fiduciary's compliance with the provisions of this Act.
The compliance framework provides for the establishment of the Data Protection Board of India, comprising a chairperson, members, officers, and employees, all of whom are deemed to be public servants within the meaning of Section 21 of the Indian Penal Code. An appeal against any order of the Board shall lie to the High Court (Section 22(2)). The Board may also direct the parties to resolve disputes through alternate dispute resolution.
For every instance of non-compliance by a Data Fiduciary, the Board shall determine a financial penalty having regard to factors such as the nature, gravity, and duration of the non-compliance; the penalty may run up to hundreds of crores per instance.
This Act also has an overriding effect in case of inconsistency or conflict between its provisions and any other law: Section 29(2) states that this Act shall prevail to the extent of such conflict. We have to wait and see how the Constitutional Courts deal with repugnancy once the Act comes into force and is found to conflict with laws already in force.
(Tejaswi Ravinder Battala is an Associate with Versus Law Associates. She holds a Master of Law Degree in Constitutional Law from Osmania University, Hyderabad.)