
8 Intended and Unintended Consequences of India’s New Data Privacy Law

Vikram Jeet Singh and Arushi Mukherji


The Digital Personal Data Protection (“DPDP”, or the “Act”) Bill, 2023 emerged after the Indian Government’s years-long process of introducing a standalone data privacy legislation. Ever since the right to privacy was recognised as a fundamental right in 2017 (in K. S. Puttaswamy vs. Union of India AIR 2017 SC 4161), this law was an inevitability. On August 11, 2023, the DPDP Bill received Presidential assent, supplanting the 12-year reign of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.


In a rapidly changing digital economy, the Act has been postured to fill a vital gap in data protection in India. And at first glance, the Act does call for compliance in the collection and processing of personal data, towards specific lawful purposes. Data Fiduciaries, or persons who determine ‘the purpose and means of processing of personal data’, have been tasked with several obligations towards protecting individuals’ personal data, failing which would risk steep penalties. The obligations also extend towards the protection of processing of children’s data and the prevention of behavioural tracking and targeted advertising. Significantly, the Act also has extra-territorial application, and allows the Government the power to restrict cross-border transfers by way of notification.


Although much is left to be seen with the eventual introduction of rules and regulations, the Act in its present state could lead to some interesting repercussions. Some of these are very much intentional; and some of these could be said to be ‘unintended’.


The Intended Nuances

  1. A Centrally-appointed Data Board
     The DPDP Act, 2023, proposes a Data Protection Board of India (“The Board”) charged with enquiring and adjudicating complaints, overseeing intimations of breach of data, etc. This power is supplemented by steep penalties, as high as INR 250 Crores. While it performs a quasi-judicial function, it is interesting that the entire Board is appointed by the Central Government. In addition to appointing a Chairperson and the Members, one of its Members must be an expert in the field of law. The Act does not specify any qualifications. Some questions are left unanswered, likely to be dealt with in subordinate legislation. Given that the Act covers all of India, and even certain data activities sited abroad, the centralized composition of its governing Board is a matter of significance.

  2. What are “sufficient grounds” for inquiry?
     Upon receiving a complaint, intimation of data breach, or reference from the Central Government, the Data Protection Board of India is charged with first ascertaining whether there are “sufficient grounds” for proceeding with an official inquiry. If such complaint, intimation, or reference, is found to have “insufficient grounds”, the Board may close the proceedings. There is, however, no clarification yet on what would aid the determination of sufficiency. On one hand, it is right that a regulator is afforded flexibility in its investigative and enforcement powers. That said, it may be useful for certain guiding principles to be prescribed as touchstones; this may be something akin to Section 11 of the TRAI Act, 1997, that charges the telecom regulator with promoting competition and efficiency in telecom services.

  3. Consequential Rule-Making Powers
     The Act allows for the Central Government to make rules regarding some very consequential matters. This includes the restriction of transfer of data to foreign countries under Section 16. As per Section 41, rules made under Section 16 are subject to Parliamentary approval. However, the extensive rulemaking powers given to the Centre under Section 40 do not seem to be subject to the same process; Section 41 only applies to Sections 16 and 42. This is significant, since Section 40 allows the Government to (inter alia) identify classes of ‘significant’ data fiduciaries, decide exemptions under Section 17, and also decide conditions and terms of appointment of Board members. These are significant powers reserved exclusively to the Central Government, and can be exercised without much legislative fetter.

  4. Centre’s Power of Blocking Data Fiduciaries
     Under Section 37 of the Act, the Central Government can (inter alia) block public access to certain Data Fiduciaries upon reference from the Board. This could essentially enable the Government to completely shut down a service provider in India. The criteria for making a reference to the Centre are the imposition of penalty on more than 2 occasions and for protecting the “interests of the general public”. Given the severity of the sanction – blocking content – there are several open-ended interpretations of what is in the public interest. While judicial review may be possible, it is questionable to what extent Indian courts will push back against such ‘policy’ decisions.

Possible Unintended Consequences

  5. No specific rights against Data Processors
     The Act allows Data Fiduciaries to engage Data Processors to process data on their behalf, with explicit obligations only on the former to ensure the protection of data. Fiduciaries are also required to ensure that (for example) if retention of an individual’s data is no longer necessary, they erase the data and cause Data Processors to do the same. It is evident that the obligations of Data Fiduciaries extend to watching over Data Processors as well, the breach of which could lead to inquiry and penalties. However, the Act is silent on enforcing any claim or complaint against Data Processors themselves. While there may be contractual consequences, it remains to be seen if any actions of Data Processors expose them to sanctions in the first degree.

  6. Possible Consent Fatigue, and the High Cost of Consent
     Prior to processing personal data, Data Fiduciaries are required to request consent from every individual Data Principal. Every request must be accompanied with a notice informing the Data Principal of the purpose of seeking the data, the manner in which the latter can exercise their rights and the procedure for making complaints. The notice acts as a gateway for informed, specific, and clearly unambiguous consent, such that Data Principals are aware of their rights under the Act. While a welcome move, fielding multiple requests for consent for processing of their data could lead to consent fatigue. The reader will remember how GDPR’s implementation in 2018 led to a barrage of privacy notices and checkboxes on websites. In some cases, smaller EU businesses shut shop rather than deal with the rigmarole of GDPR consent mechanisms.

  7. A Shrinking Internet for Children
     Prior to processing the personal data of children, Section 9 of the Act requires Data Fiduciaries to obtain verifiable consent of their parents. Data Fiduciaries are also obligated to not undertake such processing of personal data that may have a detrimental effect on the well-being of children, and not undertake behavioural monitoring and targeted advertisements. Non-compliance can lead to heavy penalties; and given the sensitivity around child care in India, one would expect the Board to be quite stringent in regulating children’s data. While this could be helpful towards protecting the data of this vulnerable group, this could also lead to heavy-handed censorship, and outright denial. Being apprehensive of any undue consequences of children accessing their websites, Data Fiduciaries may shut themselves off from children entirely. Only ‘safe’ content like games or entertainment may be made available, with any borderline controversial content effectively censored. This may lead to a reduction in the level of information available to children online.

  8. Consent Managers between Users and Websites
     The Act introduces a completely novel concept of ‘Consent Managers’, who would be Board-registered entities for facilitating the giving, managing, reviewing and withdrawing of consent for individual Data Principals. In theory, this novel entity would streamline the process of consent management for both Data Principals and Data Fiduciaries. However, at this point, there is little clarity on how this would work in practice, in part due to the fact that this concept is a novel one. A user-driven Consent Manager will essentially need to work as a collective, and it is difficult to predict how it will handle the multiple online channels that consent is required in. At worst, this may become a bottleneck for users to access the Internet, as opposed to providing them with a better online experience.

What some of these pointers reveal about the Act is that there is ample ‘wiggle-room’ for the Government to shape policy and enforcement. Until such time that rules and regulations coalescing the contours of regulations are framed, some portions of the new law will remain frustratingly vague. Some unintended consequences, however, may remain worrisome even when such rules come into play.
