By Abhiraj Bhatia
I. Introduction
The Digital Personal Data Protection Act, 2023 (the Act) was passed by the Lok Sabha on August 7, 2023. The Act was purportedly passed to counter the current influence and intervention of big tech firms in data collection and political and press freedoms, to regulate the digital footprint of a constantly growing number of internet users, and to prevent third-party misuse and exploitation of this enormous amount of data generated by the Indian populace. While some view it as a positive framework, being the first of its kind to regulate digital data privacy, following in the steps of Europe’s GDPR and America’s CCPA, others have termed it almost Orwellian, questioning its impact on the Indian digital landscape.
After the Puttaswamy judgement, which declared privacy a fundamental right, the first attempt to introduce a data privacy law in India came in 2018 in the form of the Draft Personal Data Protection Bill by the J. Srikrishna Committee, inspired by the EU's GDPR. The GDPR was the most comprehensive data privacy law; enacted by the EU in 2018, it set the benchmark for all future laws on data privacy across the world. The 2018 bill, following in the footsteps of the GDPR, proposed new consumer rights and business obligations, especially for large tech firms. It aimed for a data protection regime applicable to all, with some exceptions for government entities, and suggested a cross-sectoral regulator, the DPA (Data Protection Authority).
In 2019, after stakeholder consultations, the government introduced a new bill maintaining the 2018 framework but with larger government carve-outs, new ideas like governmental power to expropriate non-personal data, and new regulations for social media intermediaries. This bill was studied by a parliamentary committee, which revealed its report in 2021. The government withdrew the 2021 bill and reintroduced a new bill in 2022; this new bill was quite open-ended and put little focus on details. The 2023 Act is based, in large part, on the 2022 bill.
The Act puts great focus on ensuring that the factum of data collection is made known to the ‘data principal’ i.e. the person whose data is being collected and ensuring that proper consent is attained before the collection and utilisation of any collected data. The debate around the negatives of the Act arises primarily from the exceptions outlined for consent in the Act, which grant significant power to the state, with the state having the power to aggregate databases from information provided to various government agencies. The Act also permits the retention of said data for indefinite periods and gives powers to the government to extend such relaxations to any private entities that it deems fit. While there are legitimate situations, such as disasters or emergencies, where such exceptions are justified, the Act extends the scope of these circumstances to many unreasonable cases. In this article, the author aims to explore some of these shortcomings and their potential ramifications and effects on the Indian digital landscape.
II. The intersection of Sedition and Data Privacy laws
As mentioned before, the debate surrounding the Act arises from the exceptions that have been carved out, which bypass the requirement of consent from the data principal for data use. One such provision is Section 17(2)(a), which reads as below:
(2) The provisions of this Act shall not apply in respect of the processing of personal data— (a) by such instrumentality of the State as the Central Government may notify, in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these, and the processing by the Central Government of any personal data that such instrumentality may furnish to it;
This section provides a blanket exemption to government agencies, allowing them to use any data without consent for reasons like sovereignty, security, integrity, public order, and preventing incitement. It is pertinent to note that the wording of this provision is largely reminiscent of perhaps the most controversial law since the first amendment was made to the constitution: Section 124A of the Indian Penal Code (IPC), the provision for sedition. While the Supreme Court has now repeatedly declared that there is a need to revisit the laws on sedition, they have historically been overused. What Section 17(2)(a) potentially creates is a situation where any state agency, or any other agency authorised by the state, can collect, store, and analyse any amount of private data on an unspecified number of individuals with complete discretionary powers over its use and dissemination, in the interest of the state. The provisions create a distinct category of activity exempt from data privacy regulations, giving the Indian state freedoms not extended to private entities, especially when such exemptions are unnecessary.
The provision, if interpreted as broadly as the law on sedition has been in the past, would grant unchecked powers to the state for surveillance and monitoring of its population; it could potentially be interpreted to legalise surveillance of the kind revealed in Edward Snowden's disclosures about the NSA. In the infamous Snowden incident, it was revealed that the NSA had tapped the data lines of all of America’s biggest tech corporations and network service providers, thereby gaining access to the private data and conversations of millions of its citizens. The reason that the US government gave was that its actions were legal, justified and moral, as all of these were carried out for reasons of national security. Similar reasons have been used in the past in India when the provisions on sedition have been misused, and the wording of Section 17(2)(a) leaves open the option for similar governmental misuse. This is of course no guarantee that such misuse and misinterpretations will happen, but what does become clear is that there are improvements to be desired in the drafting.
III. Data culmination by government agencies and subsequent breaches
Section 7(b) of the Act permits the government to bypass consent requirements if an individual has previously agreed to receive any state benefits. In practical terms, this means that anyone who has previously consented to the government using their data for any purpose could potentially have their data stored, analysed, and shared among various state agencies, extending well beyond the original consented purpose. Consequently, the government could potentially compile databases containing private data of individuals who have provided any information to the government for any reason. While the creation of a database from voluntarily provided information might not seem concerning, the issue lies in its security and dissemination. This database can be shared with all state agencies, significantly increasing the risk of data breaches and theft. This situation isn’t hypothetical; it has already occurred. Recently, it was reported that the personal Aadhaar and passport data of 81.5 crore Indians had been compromised and was available for sale on the dark web for a mere sum of Rs. 66 lakhs (though no official statement was made by the Indian government). This leak resulted from an alleged attack on the Indian Council for Medical Research (ICMR) database. While the collection of voluntary data itself may not pose a problem, the critical issue arises in its distribution, especially if certain government agencies are more vulnerable to compromise.
IV. Other discretionary provisions
At the heart of the issue, Section 17(5) grants the government the authority to selectively render certain provisions of the Act inapplicable to businesses, all within the initial five years of the Act’s enactment. This provision not only raises concerns about the efficacy of the Act but also creates a worrisome avenue for increased surveillance. This loophole essentially undermines the intended purpose of the legislation, potentially allowing businesses to operate without adhering to the intended data protection standards.
Furthermore, this legal provision opens the door to a disturbing possibility: private entities operating spyware software under clandestine arrangements, shielded from scrutiny due to their exemption from specific provisions of the Act. These spyware technologies are frequently acquired through private intermediaries and operated under discreet banners, often with oversight and control by state authorities. This shadowy scenario mirrors past instances such as the notorious Pegasus scandal, where powerful spyware developed by an Israeli tech firm was allegedly misused for unauthorized surveillance of many top politicians, bureaucrats and journalists. Allegations of misuse of the spyware were levelled against the Indian government and the matter was taken to the Supreme Court where the Court ultimately appointed a committee to investigate the allegations.
V. What lies ahead?
The DPDP Act acts as a first step towards ensuring digital privacy in a world where digital presence continues to expand. It can be summed up perfectly with the now famous saying “Data is the new oil”. In such a world, where we leave behind traces of our presence in all our digital activities, it becomes necessary to ensure that the fundamental right to privacy is not breached. As I have written above, the contentions regarding the DPDP Act lie primarily in the exceptions that it has carved out for the state; as I have hopefully established above, these exceptions seem unnecessary. Further, if data can be collected by the state without the person’s consent, that would not only be a probable breach of the right to privacy but also go against the primary intent of the Act, which is to ensure an individual’s right to protect their personal data (preamble of the Act). Certainly, the state must have greater powers than any private entities to ensure security and perform other state functions, but the exceptions carved out within the Act seem too ambiguous and discretionary to be just that.
The consequences of these gaps and loopholes within the Act are far-reaching, potentially paving the way for clandestine surveillance activities that compromise individual privacy and civil liberties. This concerning trend not only challenges the fundamental principles of data protection but also erodes public trust in the government’s commitment to safeguarding citizens’ rights in the digital age. Addressing these loopholes is imperative to ensure the Act fulfils its intended purpose and protects citizens from unauthorized surveillance, maintaining the delicate balance between national security and individual privacy.
Abhiraj Bhatia is a second-year law student at Jindal Global Law School.