The Right to (Pry)-vacy: Understanding India’s Dystopian Data Protection Legislation
Bharat Manwani, 3rd Year Student – BBA LLB, Gujarat National Law University
Abhiraj Rana, 3rd Year Student – BA LLB, Gujarat National Law University
On 24th August 2017, the Supreme Court of India recognized the Right to Privacy as a fundamental right enshrined within the Indian Constitution. This was a watershed for the evolution of the nation’s data protection laws. The judicial pronouncement was followed by several iterations of legislative proposals, until the Parliament eventually settled for the Digital Personal Data Protection Act, 2023 (DPDP Act). The Indian Government has championed the DPDP Act as a robust framework, aimed towards safeguarding the individual’s personal data and upholding their Right to Privacy. A wide latitude for executive discretion, however, forms a large part of the statute. Within the 44 Sections of the Act, the phrase “as may be prescribed” makes a staggering total of 26 appearances, facilitating blanket exemptions for consent and the lack of an oversight mechanism. The enactment thus discreetly deviates from the very objectives that have underpinned its creation. In legislative or judicial frameworks where such unfettered discretionary powers are unchecked, the Right to Privacy often turns into a casualty.
Key Features and Obligations within the DPDP Act
The DPDP Act is an attempt at balancing the right of individuals to protect their personal data with the need to process their data. The framework identifies duties and obligations of 2 key parties to the regime: Data Principals and Data Fiduciaries. The former is the individual to whom the personal data belongs, whereas the latter collects and processes that data. Echoing the tenets of the General Data Protection Regulation (GDPR), the DPDP Act requires data fiduciaries to either obtain consent or identify a legitimate cause before collecting or processing such data. By limiting data processing with separate consent requirements specific to each purpose, the DPDP Act ensures that fiduciaries no longer rely upon “bundled consent” and use that consent to exploit data principals. The framework further obligates fiduciaries to ensure accuracy of data, along with having security safeguards in the event of a data breach. On its face then, the DPDP Act appears to effectively fulfil its proposed objectives. Nevertheless, it cannot possibly fulfil its intended objective when simultaneously bestowing excessive discretionary powers in the hands of the executive. The DPDP Act instead raises concerns about the potential misuse of the statute and the erosion of individual freedoms, conflicting with principles of equality and the rule of law.
‘Exempting’ the Right to Privacy
Although a laudable step, the DPDP Act is nevertheless filled with exemptions and waivers, leaving ample scope for the government to engage in arbitrary conduct. Section 7 of the DPDP Act, for example, allows data fiduciaries to process personal data in specific instances, such as when required by law, in order to comply with a court’s decree, or when data principals voluntarily provide their personal data. Section 7(b) of the Act, however, enables government entities to sidestep consent requirements, exempting them from purpose limitations upon personal data. This in turn could be exceedingly detrimental as it allows state instrumentalities to aggregate databases in the garb of administrative convenience. Regrettably, Section 7(b) is only a minor concern when compared to broader exemptions further laid down within the statute.
India’s data protection law does not merely exempt government agencies from the application of certain provisions but exempts them from complying with the whole of the DPDP Act itself. Section 17(2) of the Act provides the Central Government with the above immunity for the sake of maintaining the nation’s sovereignty, integrity, public order, etc. Scholars responsible for the early drafts of India’s data protection laws have already raised concerns about this newly added provision, remarking, “These are just broad words. What is the sovereignty of the nation?” Section 17(2) brings along severe and far-reaching consequences, offering government agencies the freedom to dispense with obtaining consent, ensuring data security and other such prescribed safeguards within the DPDP Act. The lack of oversight upon state instrumentalities allows the interests of the government to surpass the right to privacy, gradually establishing a modern-day Orwellian state.
Moreover, Section 17(2) of the DPDP Act is superfluous in view of exemptions already laid out within the previous subsection of the statute. Section 17(1)(c) already waives requirements of notice and consent, among others, for the purposes of processing data for the “prevention, detection, investigation or prosecution of any offence or contravention of any law.” In view of Section 17(1)(c) permitting sufficient latitude, the redundant inclusion of Section 17(2) of the Act only signals the government’s desire to ensure a complete non-application of the DPDP Act. Section 17(2) moreover facilitates the establishment of a segregated sphere of activities positioned outside the jurisdiction of data privacy norms, subverting democratic principles and civil liberties. In essence, the DPDP Act is far from “balancing” rights of individuals, and instead shifts the balance towards surveillance and the interests of the government.
The Oversight Vacuum
The Supreme Court of India has historically mandated safeguards for intercepting communication on the grounds of national security, with safeguards including establishing necessity, purpose limitation and storage limitation of said data. The DPDP Act, however, flagrantly undermines these safeguards, leaving absolutely no oversight upon the government’s use of personal data. The United Kingdom’s Data Protection Act of 2018 (UK’s Data Protection Act) is a noteworthy exemplar in this regard. Chapter 3 of the UK Act mandates warrants to be issued by judicial officers before government agencies can process any personal datasets in the interest of national security. Furthermore, such administrative actions require establishing their necessity and proportionality, along with adequate parliamentary oversight upon the agency’s conduct. The contrast between the UK and the Indian approach underscores the significance of incorporating effective restraints in order to actually “balance” security imperatives and individual liberties.
In an earnest legal regime upholding the Right to Privacy, compensation should exist to address instances where such a right has been infringed. The UK’s Data Protection Act as well as the GDPR expressly provide for compensation, awarding data principals as much as $20,000 in the event of damages.
Within the Indian context, Section 43A of the Information Technology Act 2000 (IT Act) earlier reflected such expectations and consequently provided the right to be compensated in the event of a failure to protect data. The DPDP Act, as opposed to existing frameworks, omits any such mechanism for compensating data principals. The legislation, in fact, goes a step further in curtailing the data principal’s right to be compensated by revoking the application of Section 43A of the IT Act. Data principals under the new regime are, in effect, bereft of the ability to be compensated. By solely imposing liabilities upon organizations responsible for breaches, the DPDP Act disincentivizes data principals from filing complaints altogether. This warrants a careful evaluation of whether the DPDP Act sincerely upholds the right to privacy, while it discards the fundamental legitimate expectations of data protection frameworks.
“…Where discretion is absolute, man has always suffered. Absolute discretion is more destructive of freedom than any of man’s other inventions. Absolute discretion, like corruption, marks the beginning of the end of liberty…” J. Douglas in New York v. United States (1951).
On 11th August 2023, the Digital Personal Data Protection Act received presidential assent, thereby being enacted as India’s first ever data protection legislation. The Indian Parliament, while passing the legislation, debated the provisions of the DPDP Act for only a span of two hours. Blanket exemptions and the lack of oversight mechanisms hold potential for significant debate, yet the Parliament has overlooked the opportunity. The DPDP Act, while undoubtedly essential in addressing contemporary privacy challenges, strays into the realm of excessive discretion. These powers are further amplified by the lack of effective checks and balances upon the government’s conduct. Last but not least, revoking a data principal’s right to be compensated is far from upholding the individual’s right to privacy. An unfettered discretion, as stipulated within the DPDP Act, may just be the silent architect of a digital totalitarian regime.