When will India frame exclusive legislation that protect the legitimate rights of data subjects and safeguard the privacy and security of their personal data was the much deliberated issue for long. It was known to the Government and other stakeholders that the available provisions in the Information Technology Act are indeed scanty, inadequate and failing to serve any purpose. Finally, citizens’ long wait has come to an end with the Parliament passing Digital Personal Data Protection Bill, 2023 in its current session which has received Presidential assent. The Act will come into force, upon being notified by the Centre.

For the first time in the 76-year-old chequered history of parliamentary law-making and legislative jurisprudence in Independent India, the left out “she” in legislation has found acceptance. The missing “she” in legislation has been identified, expressly acknowledged and given a unique reference in law-making. The Act explicitly refers to ‘she’ instead of the routine reference to ‘he’. Section 2(y) of the Act says “she” in relation to an individual includes the reference to such individual irrespective of gender.  This novel feature of the legislation has to be generally applauded as an attempt to uphold and recognise gender equality in parliamentary law-making.

But the other side of the legislation does not present a rosy picture. Exemptions envisaged in the Act are exclusions in relation to the otherwise protected personal data and confer unqualified privilege, immunities and discretion to the Government and its functionaries while handling the digital personal data of citizens.

Digital rights are the human and legal rights that allow individuals to access, use, create, and publish digital media. It also permits individuals to access and use computers, electronic devices and telecommunications networks. Digital Rights imply the right to privacy and data protection.  It is beyond doubt that Internet access has an essential role in safeguarding freedom of expression, association, right to education, consumer rights, capacity building,  and so on.

Several countries in the world have their own domestic laws that broadly recognise the rights of data subjects. Internet has now become a global public good and as such it should be accessible to all and respectful to the rights of others. At a time when repressive regimes are restricting access to information and communications and keeping surveillance over the personal data of citizens, democratic governments are expected to work together to ensure that citizens’ personal data is well protected and guarantee access to the internet and adopt general principles to ensure that network use respects universal data rights.

Personal Data as People’s Rights

Digital personal data implies the data by which a person may be identified. Digital personal data is the central theme of the new legislation and the comprehensive legislation ensures the processing of digital personal data for lawful purposes only and in a lawful manner recognising the rights of the data subjects. The obligations of the Data Fiduciaries such as Persons, Companies and Government entities who process data of individuals by collection, storage and other means is seen determined in the Act. The legislation stresses on enhancing the ease of living and doing business and thereby enables digital economy and innovation eco-system.

Consented, lawful and transparent use of personal data alone is permitted by the new legislation, that too, for the specified purpose. Collection of personal data necessary for the purpose, data accuracy, storage limited to necessity is also seen adumbrated. The Act ensures accountability through adjudication of data breaches and imposes reasonable security safeguards in the handling of personal data.

Digital subjects have been guaranteed specific rights in relation to personal data such as right to access information about personal data processed, right to correction and erasure, right to grievance redressal and the right to nominate a person to exercise rights in case of death or incapacity. For enforcing the rights, an affected Data Principal may approach Data Fiduciary in the first instance and, if dissatisfied, can complain to the Data Protection Board against the Data Fiduciary.

Making Fiduciaries Accountable

Data Fiduciaries are obligated to provide necessary security safeguards to prevent personal data breach. They have the duty to intimate personal data breaches to the Data Principal and Data Protection Board. Fiduciaries have to erase data no longer required and also to erase data upon withdrawal of consent. They have to provide grievance redressal mechanism and in the case of Significant Data Fiduciaries, there is a need to appoint data auditors and conduct periodic data protection impact assessment to ensure higher degree of protection.

The Act envisages provisions intended to safeguard the personal data of children and such data can be processed only with parental consent. It cannot be processed if detrimental to their well-being or if it involves tracking, behavioural monitoring or targeted advertising.

Controversial Exemptions

The new legislation contemplates exemptions in the processing of personal data of digital principals.  Such exemptions have been noted in respect of notified agencies in the interest of security, sovereignty and public order; for research, archiving and statistical purposes; for start-ups and other notified categories of Data Fiduciaries; for enforcing legal rights and claims; for performing judicial and regulatory functions; for preventing, detecting, investigating and prosecuting offences; for approved mergers and demergers; for locating defaulters and their financial assets.  These broad arrays of exemptions are likely to be misused by the State and its agencies and thus may hamper the spirit and purpose of the legislation itself.

Given the exemptions, very little could be achieved towards data protection and the protected personal data of the citizens could be inappropriately dealt with. There is no periodical updating of the definition of personal data. Though there is Data Protection Board for mitigating data breaches and for enquiring into breaches and complaints and to impose penalties for breaches, most of the public acts or governmental actions may not be taken cognizance of by the Board as they may fall within the net of exemptions.

The provision for referring complaints relating to data breaches to the alternate dispute resolution mechanisms may weaken the efficacy of the remedy available against breaches and make violations viewed lightly.  The Board has also the power to advice the Government to block the website or app. of a fiduciary for repeatedly violating the provisions and this may also become a haven for the Government to act in tune with its wishes.

With individuals abusing the freedom of expression, with companies potentially exploiting computer users for financial gain and with repressive regimes blocking information from their citizens, what the world needs is a new charter of  data rights, fixing responsibilities on Individuals, Companies and the Government for abuse.

Interventions on personal data must be lawful, specifically warranted and least privacy-invasive. Regulatory measures must protect encryption, envisage independent oversight and scrutiny. Every country has some sort of data privacy and security laws regulating the collection, processing and transfer of personal information concerning its subjects. Its implications in the event of violation may vary from fines, lawsuits, prohibition of site’s use within local jurisdictions.

Will India tune up?

In the ocean of data, personal data is life itself and must be treated with care and respect. Once it has leaked, there’s no getting it back. Protecting it, is part of privacy right, an absolute pre-requisite for an individual and reaffirmed as integral to freedoms guaranteed across fundamental rights and an intrinsic aspect of dignity, autonomy and liberty  by a Nine-Judge Bench of the Supreme Court in Puttaswamy’s case(2017).

India must learn from Europe and US Federal States to mould its future in the digital landscape. The experiences of the American States like Colarado, California, Virginia, New York, and that of Brazil could provide valuable and impressive tips in the course of navigation. The supreme existence of General Data Protection Regulation, 2016 as the sanctum sanctorum of digital rights and entitlements of the data subjects in Europe could be taken into account in law-making and policy formulation.

The British Author, Adlin Sinclair, once observed, “Without faith, hope and trust, there is no promise for the future and without a promising future, life has no direction and no justification”. People of the country still share the faith, hope and trust in democracy and its Institutions and expect that their personal data would be protected from any form of invasion.

(Dr. Pauly Mathew Muricken is a prominent Lawyer, acclaimed writer and distinguished academician based in Kochi)