Ajay Banerjee
On August 3, a crucial Bill on digital data protection was introduced, amid din, in the Lok Sabha. A week later, the Bill, which will impact everyone, was passed in the two Houses. There was hardly a debate. With the President’s nod on August 11, it has been made into law — Digital Personal Data Protection Act 2023.
The legislation is the outcome of five refinements over six years. In all, 48 organisations and 39 ministries have discussed the matter. The Ministry of Electronics and Information Technology had received nearly 24,000 inputs.
Growing digital footprint
- Between 2015 and 2021, broadband connections and Internet subscriptions have grown 200 per cent in rural areas and 158 per cent in urban areas. More people are accessing the Net for services and the basic data of these individuals is with service providers.
- Since 2014, broadband connections (wireless and wireline) have grown substantially. These are up from 6.1 crore to 83.22 crore as on December 31, 2022. Of these, 79.98 crore are mobile connections whereas 3.23 crore are fixed line. Within 10 months of the launch of 5G services, telecom operators have installed more than three lakh 5G mobile towers across 714 districts.
A six to 10-month timeframe is estimated to have the rules ready and get companies on board. “We might do it faster than that,” says Ashwini Vaishnaw, Union Minister for Electronics and Information Technology.
The big question here is, can India secure personal data of its citizens in a digital economy which thrives on collecting and collating data of users for providing services? Aadhaar numbers, income-tax payments, banking, insurance, credit card details, vaccination information, taxi rides, airline tickets, train tickets and apps supplying groceries, food, medicine, etc, are among the few data-collating services.
Salient points of legislation
- Makes collection and usage of personal data legal but protects it from breaches with fines on entities.
- Limits the scope of data collection. Only relevant data will be collected and collated.
- Provides data protection and accountability of the data-processing entity.
- Ensures accuracy of data.
- Lays down rules regarding reporting a data breach and its process.
A report of the Telecom Regulatory Authority of India, in February, mentioned that as on December 31, 2022, India had 83.22 crore Internet broadband connections. Of these, 79.98 crore were wireless mobile connections. The growing numbers indicate a shift towards a digital economy.
The provisions of the Act have, however, raised questions over data security; blanket exemption to government agencies; issues of privacy; dilution, if any, of the Right to Information Act, besides lowered quantum of fine for data breach.
Red flags over monitoring
- Though the Centre has assured that the Act does not enable surveillance, unbridled exemptions to government entities in collecting, collating and processing data have raised fears of monitoring of individuals.
- This could be as simple as location data gleaned from mobile phones or surveillance enabled by high-end software, as happened in the case of an Israeli firm’s Pegasus spyware.
- The rules that are to follow the Act will need to specify interpretations of security and public order, lest the legislation, argue critics, could be misused to curb dissent.
After getting past Parliament, Vaishnaw assured, “The Act doesn’t take away the rights or exemptions granted to individuals under any other law. This is only about data protection of individuals and does not entail surveillance of a person.”
How will the law apply
The Act looks to secure and protect digitised personal data whose processing is linked to offering goods and services to individuals within the country. It will also apply to foreign nationals residing in India. Personal data that an individual intentionally makes public will not be covered under this. Data shared by individuals on social media platforms or data made public by law cannot be protected. If a person posts a picture or his or her own location on Facebook, he or she cannot claim any protection for data that the person has made public.
Consent and safeguards
The Act has specific categories to define users:
Data principal: The individual whose personal data is collected, stored, or processed.
State: Refers to government bodies or public authorities that can process personal data for specific purposes.
The ‘data fiduciary’ needs to obtain explicit and informed consent from the individual. The consent must be specific to the intended purpose. The individual will be informed about the use of data. The consent has to be unconditional and unambiguous, and it will be expressed through clear affirmative action, such as clicking a checkbox or signing a form.
The legal aspects
- A nine-judge Constitutional Bench of the Supreme Court, in the Justice KS Puttaswamy vs Union of India case, established benchmarks for legality, necessity and proportionality when defining the Fundamental Right to Privacy.
- So, does the country have procedural guarantees against abuse of interference in privacy? The Joint Parliamentary Committee, in its report, noted that exemptions should be just, fair, reasonable and proportionate.
- “It is in complete contradiction to the Fundamental Right of Privacy upheld by the Supreme Court in the Puttaswamy judgment,” says Congress MP and lawyer Manish Tewari.
- According to Union Minister Ashwini Vaishnaw, “Provisions are not in violation of the Puttaswamy judgment. All three principles of the judgment — legality, legitimacy, and proportionality — have been well taken care of.”
- Does it merit clarification? S Niranjan Reddy of YSR Congress Party suggested in the Rajya Sabha “to address misconceptions around the limitation on privacy rights”.
- The government must issue some directions or guidelines to address concerns, Reddy said.
Vaishnaw assured the Lok Sabha that the consent form for data will be in 22 languages so that more and more people can understand the implications.
However, in case of the State, the framework allows for certain situations to process data without obtaining explicit consent from an individual. These are provisions of subsidies, services, certificates, licences, permits, law, medical emergency, disaster, or tackling breakdown of public order.
Vaishnaw argued, “Exemptions for the government are exactly within the framework of the Constitution.” He cited the General Data Protection Rules of the European Union (GDPR), which have 16 exemptions whereas the Indian law has four exemptions. “There is no question of excessive exemptions,” he added.
When there’s data breach
Penalties to the tune of Rs 250 crore are payable against the misuse of data. The Act lays down obligations on entities handling and processing data to protect the rights of individuals. A Data Protection Board will be set up to ‘investigate complaints, and impose penalties’.
The maximum threshold of penalties was proposed at Rs 500 crore in 2022, but it was reduced to Rs 250 crore. This may come as a relief to small businesses and start-ups, which will face a compliance burden. But is a fine of Rs 250 crore enough for such data breaches? NCP leader Supriya Sule questioned in the Lok Sabha. “What is Rs 250 crore for a big industrial house? It is ridiculous.”
How it impacts RTI
The legislation looks to amend the Right to Information (RTI) Act. The right to access information will allow only personal data which is processed on the basis of consent. This implies that the RTI Act can exempt all personal data about individuals.
“This would mean government officials and ministers can choose not to make disclosures in answers to RTI applications,” said senior Congress leader M Veerappa Moily.
The government has said the Right to Privacy is a fundamental right as per the Supreme Court in the Puttaswamy judgment. Hence, there has to be a ‘consonance’ between privacy and Right to Information.
An amendment will be made to Section 8(G) of the RTI Act. This amendment does not allow any public official or representative to hide any information which is required to be produced by law.
Vaishnaw said, “We have given four rights to the citizens — right to access information, right to correction and erasure, right to grievance redressal, right to nominate in case of death.”