The Digital Personal Data Protection Act: India’s Shaky First Step in Writing the Right to Information and Data Privacy into Law
In 2023, the Parliament of India created India’s first comprehensive data privacy act: The Digital Personal Data Protection Act (‘the Act’). The Act created rules for lawful data processing in a manner that protects an individual’s right to privacy pursuant to Article 21 of the Indian Constitution (“No person shall be deprived of his life or personal liberty except according to a procedure established by law.”)[1] The Act also established the Data Protection Board (‘DPB’), an independent agency tasked with monitoring compliance.[2] Additionally, the Act outlined notice and consent requirements for a private entity to collect data, the rights of a person whose data is being collected (‘data principal’), obligations of entities collecting data (‘data fiduciaries’), and exemptions to the above requirements.[3]
While the Act assists in limiting private data fiduciaries’ power to access an individual’s personal data without notice or consent, there are three main issues raised by its exemptions. As shown below, these issues together grant the Indian State extreme discretionary power to collect and access personal data when compared to private entities.[4] This post argues that the Act's broad grant of power to the State to sidestep notice and consent requirements effectively undermines the goals of the Act itself.
The first issue is that the Act eliminates any consent requirement to use data for a State-sponsored purpose other than the original service for which a data principal provided his information.[5] Section 7(b) of the Act provides a mechanism for the Government to circumvent consent requirements to use a principal’s data where that principal previously received another benefit from the State.[6] For example, if an individual has given his data to the government to receive medical benefits, the State and any other government agency may access and repurpose that data without the individual’s consent.[7] This provision exempts the Government from purpose limitations and eradicates a data principal’s ability to choose where he submits his data and, more importantly, how it is used.[8] Proponents of the Act argue that this provision allows for the Government to provide more efficient and expeditious services and benefits.[9] Critics of the Act, however, are more skeptical of that argument in light of a central goal of the Act, which is to provide protection for specific uses and purposes of data.[10]
The second issue is that the Act undermines itself by opening up the potential for the State itself to violate a data principal’s right to privacy.[11] Section 17(1)(c) of the Act removes the requirement for consent and notice for processing data related to the “prevention…or prosecution of any offen[s]e or contravention of any law.”[12] Section 17(2)(a) extends the application of the above to any “instrumentality of the State as the Central Government may notify,” which allows any entity connected to the State, as long as it is notified by the Government, to access one’s data without consent or notice to serve State interests.[13] Furthermore, the Act does not require the State to delete the data after it has been used, as it does for private data fiduciaries.[14] These provisions open the possibility of unnecessary and unjustified surveillance of data principals, which is in opposition to the purpose of the Act.[15]
The third issue is that the Act increases the influence of the Executive branch and provides little guidance for the DPB to effectively carry out its legal compliance-monitoring duties.[16] It does so by requiring only one member of the DPB to be a legal expert, creating a two-year appointment for members (with scope for re-appointment), and not vesting the DPB with rule-making authority.[17] Section 27 of the Act outlines the parameters of the DPB’s authority, and Section 20 provides the terms of appointment.[18] In writing, the DPB appears to be independent because of 1) lax requirements for legal expertise on the DPB, 2) a limited mandate that vests the DPB with only remedial and investigative authority, and 3) a short-term reappointment process. In practice, however, these very factors may allow the Executive to unduly influence the DPB’s compliance and monitoring activities.
Though the Act constitutes an important first step in addressing the legal issues raised by information and data privacy law, it also creates an imbalance between the power of private and State data fiduciaries.[19] In doing so, it undermines the very protection it purports to provide, eliminates an individual’s ability to consent to the specific use of his data, and expands the State’s influence in shaping the landscape of data privacy law in India.[20]
Sravya Rallapalli is a staff member of Fordham International Law Journal Volume XLVII.
[1] See The Digital Personal Data Protection Act, 2023, §4(1); India Const. art 21.
[2] See The Digital Personal Data Protection Act, 2023, at §27, 28.
[3] Id. at §4(1).
[4] See Anirudh Burman, Understanding India’s New Data Protection Law, Carnegie India (October 13, 2023), https://carnegieindia.org/2023/10/03/understanding-india-s-new-data-protection-law-pub-90624.
[5] Supra note 2 at §7(b)(i); The Digital Personal Data Protection Bill, 2023, PRS Legislative Research (2023), https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023.
[6] The Digital Personal Data Protection Bill, 2023, PRS Legislative Research (2023), https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023.
[7] See Burman, supra note 4.
[8] See id.
[9] See supra note 6.
[10] See Burman, supra note 4.
[11] See id.
[12] See supra note 2 at §17(1)(c).
[13] See supra note 2 at §17(2)(a).
[14] See supra note 6.
[15] See id.
[16] See id.
[17] See id.
[18] Supra note 2 at §27, 20.
[19] See Burman, supra note 4.
[20] See id.
This is a student blog post and in no way represents the views of the Fordham International Law Journal.