
Serious flaws in the Digital Personal Data Protection Act

The hurriedly passed Digital Personal Data Protection (DPDP) Act violates all accepted norms of privacy and data protection while also bestowing unchecked powers on the Union of India

It is popular knowledge that Right to Privacy is a fundamental right under Article 21 of the Constitution after the Supreme Court’s judgement in the case of Justice KS Puttuswamy vs. Union of India (2017). Now, following the Court’s direction to pass a law regarding Data Protection, the Parliament has passed the Digital Personal Data Protection (DPDP) Act, 2023 and the President has even given her assent to the act. The act is to be enforced in stages as may be necessary.

What does the law say with respect to Data Rights?

The law recognises a Data Principal: the individual to whom the personal data relates, i.e., the person whose personal data is being engaged with. In the case of children and persons with disabilities, their lawful guardians act on their behalf as the Data Principals. For example, if someone is collecting your personal data, you are the Data Principal.

The law also recognises the Data Fiduciary: the entity which determines the purpose and means of processing such data after being entrusted with it by the Data Principal. Essentially, those who collect the data for a purpose and process it are the Data Fiduciaries. The Act gives the Data Principal certain rights and, additionally, imposes certain duties on her.

The pillars of data protection legislation in countries worldwide revolve around consent, purpose limitation and storage limitation. Consent means the permission of the person who is giving the data; purpose limitation means the restriction on the person who is collecting the data to use it only for the purpose for which it is being collected. Storage limitation means a limit on storage: the data will be stored only until it has served the particular purpose for which it was collected in the first place.

Let us understand what the new act does with respect to these principal, non-negotiable, internationally recognised pillars.

Purpose Limitation and Consent:

Section 7 of the Act deals with processing of the data by the Data Fiduciary. Section 7(a) of the Act says that the Data Fiduciary can process the personal data of the Data Principal for a purpose for which the latter has voluntarily provided the data. The rest of the uses raise the question of whether the Data Fiduciary can process the personal data of the Data Principal for the State or any of its instrumentalities to provide to the Data Principal such subsidy, benefit, service, certificate, licence or permit etc., if she has previously consented or if the data has already been available with the government.

This processing could also be done in the interest of Sovereignty, Integrity of India, or Security of the State, for responding to a medical emergency involving a threat to the life or immediate threat to the health of the Data Principal, for taking measures to provide medical treatment or health services to any individual during an epidemic, outbreak of disease, or any other threat to public health, for taking measures to ensure safety of or provide assistance or services to any individual during any disaster, or any breakdown of public order and finally, for the purpose of employment.

This means that for all these purposes the Data Fiduciary can process the data without the consent of the data principal.

Apart from the all-encompassing power granted under processing for the security of the State, there is also the additional purpose granted under the Act, “for public order”. Another important use for which the data can be processed is for employment purposes. Many data protection legislations place the processing of some employee data, such as sensitive data like gender and social media data, under restrictions and regulations.

The DPDP Act, 2023, however, gives the employer a free hand for the processing of employee-related data, without any safeguards. If an employee’s personal data is allowed to be processed by the employer without the consent of the former, it could lead to discrimination at the workplace, and the new law has no safeguards against this.

For example, if a woman employee has stated that she is pregnant, processing of that data could lead to the company firing her. Study after study reveals that companies are already apprehensive about hiring women due to the potential maternity benefits that they might have to pay. Employee monitoring restrictions are completely absent in the Act.

Storage Limitation: Here too, there is a generic rule that the data should not be stored once the purpose for which it was collected has been served. However, under the (Indian) Act, the Union Government can notify such Data Fiduciaries or classes of Data Fiduciaries to whom this generic rule will not apply. The Central Government can do this on consideration of the volume and nature of the personal data processed. There are no directions as to whether this volume has to be high or low for the fiduciaries to be so exempted, or what kinds of data will allow an exemption. Essentially, this means that it is the Union Government who can choose who can store the data and who cannot, under vague criteria which have not been specified or mentioned in the Act.

There are two more important features of this Act: the exemptions the Act gives the Union Government, and the Act’s de facto amendment to the Right to Information Act, 2005.

Exemptions to the Government

Section 17(2) of the Act gives exemption to the government with respect to the processing of the data. The Act does not apply to the processing of personal data by such instrumentality of the State as the Central Government may notify, in the interests of “sovereignty and integrity of India,” “security of the State,” “friendly relations with foreign States,” “maintenance of public order” or “preventing incitement to any cognisable offence” relating to any of these, nor to the processing by the Central Government of any personal data that such instrumentality may furnish to it.

This essentially means that the government can process the data for these purposes, or process such data as an instrumentality of the State furnishes to the Union Government, without the consent of the Data Principal.

Section 17(2)(b) also exempts the Central Government and enables it to process such data as is necessary for research, archiving or statistical purposes, provided the personal data is not used to take any decision specific to a Data Principal and such processing is carried on in accordance with such standards as may be prescribed.

The Amendment to RTI Act

The Right to Information Act, 2005 empowers the Central Public Information Officer, the State Public Information Officer or the appellate authority to give out personal information if such disclosure is in the larger public interest.

Essentially, the RTI Act says that personal information cannot be disclosed unless the Information Officer is satisfied that the larger public interest justifies the disclosure of such information. The pre-amended RTI Act places a check on the way the Act could be used to invade the privacy of people, but also creates a balance in which the larger public interest overrides the right to privacy.

Section 44 of the DPDP Act 2023 amends the RTI Act and states that there shall be no obligation to give any citizen information which relates to personal information. The DPDP Act removes the balance that was achieved by the RTI Act, thereby diluting the progressive nature of the RTI Act.

Conclusion

The Act only has data protection in its title (!!!), whereas its provisions read like an empowering act for the government to collect, use and process data without any hassle or safeguards.

In essence, the Act divides data protection into two different realities: one where Data Fiduciaries and Data Principals are responsible to each other, and another where the government is not responsible for anything at all.

Additionally, the Act also imposes punitive duties on Data Principals, upon breach of which the Data Principal will be required to pay a fine of Ten Thousand Rupees. This creates both an unnecessary and unjustified burden on the Data Principal while letting the government act with impunity. In a way, much of the Act stands as an example of how not to draft and enact a Data Protection Act.

(The author is a legal researcher with the organisation)
