The Digital Personal Data Protection Act of 2023 is the first of its kind, providing statutory protection for personal data. The origins of this bill can be traced back to the Supreme Court judgment of the Puttaswamy case, which guaranteed the Right to Privacy as a Fundamental Right under Article 21 of the Indian Constitution. However, the protection of personal data requires accessibility to it. Thus, the Act finds itself enveloped in contradictions of its true nature and intention compared to what it claims to achieve.
The objective of this article is to collate some of the important yet controversial sections of this Act and highlight the opinions of various experts about the same.
According to the Act, data published online is denied protection. However, it states that institutions wishing to use the data need prior consent from the individual, which shall be communicated through the issuance of a notice. Only an explicit "no" shall be considered a refusal of data usage. The Act also empowers entities to withdraw their consent, after which data fiduciaries must cease processing personal data.
The concern surrounding these provisions is that the demand for explicit denials could make it easier for companies to misuse the data usage clause. The form in which notices will be sent to users is unknown, and these notices could be in the form of cookies or even hidden. Experts warn that the lack of protection for published data makes it vulnerable to excessive misuse and manipulation.
Similarly, Section 17(2)(b) grants exceptions to personal data collection for research purposes. While the government claims this clause is for activities similar to a census, experts warn against its potential misuse by companies to train AI tools.
Section 8(6) states that in case of a data breach, the entity must immediately communicate it to the Data Protection Board. According to Section 19(1), the Data Protection Board must consist of a Chairperson and the number of members the Central Government may notify. Experts raise two concerns here. Firstly, the Act does not grant the board the ability to investigate and track data breaches proactively, leading to oversight. Secondly, the constitution of the Data Protection Board remains a highly executive process with no judicial members. Even the blocking of an entity for not complying with Act provisions remains a highly executive process, lacking a mechanism of checks on the adjudication process and providing no counter entity to hold the board accountable and keep the process transparent for the public.
Section 10(1) of the Act states that the government may notify significant data fiduciaries based on an assessment of the potential impact on India's sovereignty and integrity. Section 17(2)(a) exempts the state from Act obligations in the name of the country's sovereignty, integrity, and security.
Both these clauses are the most controversial, granting the state indirect surveillance ability without accountability. Such loopholes in the act have the potential to breach the Right to Privacy in the name of national security, threatening citizens' liberty by potentially conflicting with Article 21 and Article 19. These provisions have generated immense anxiety among people who express their opinions on digital platforms, through media, journalists, and the press. The government's ability to block platforms as per Act provisions also provides scope for a complete shutdown of media platforms that don't align with the party in power's ideology.
The Act also does not protect non-personal data, leaving room for companies to combine various strands of non-personal data and create portfolios of individuals, indirectly tracking their information.
While the Act makes promises and guarantees relief in terms of keeping citizens informed about data sharing, data breaches, and the importance of their consent, it equally provides exploitable loopholes that can harm citizens through misuse of their data. The Act also tends to undermine the Right to Information Act, granting Public Information Officers greater scope to delay or even prevent sharing crucial information with the public. It obstructs the flow of information to the regular citizens of the country as all data is now stored digitally and past data is being digitized.
Even Justice B.N. Srikrishna, who headed the Expert Committee on the Digital Data Protection Bill, warns against the mass surveillance proposed by the current Act.
Thus, while the Act creates history with its passing, it presents new dangers and opportunities as well. It is now important for the citizens of the country to become informed and take control of their data while remaining vigilant, more than ever.
Share This Post On
0 comments
Leave a comment
You need to login to leave a comment. Log-in
