Digital Personal Data Protection Act Is An Outlier, Not In A Good Way : Apar Gupta

It is the first law made for processing data in India and it brings several amendments to the Right to Information Act and the Information Technology Act. According to the preamble of the act, the objective is to provide for the processing of digital personal data in a manner that “recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes” and for other connected matters. There is no gainsaying that this act will have a profound impact on the way data generated by internet users will be collected and used, among other things.

But, despite being the first of its kind, the act is not without its concerns. In conversation with Live Law, advocate and digital rights activist Apar Gupta said that the law is an outlier when contrasted with contemporary legislations in other jurisdictions, and not in a good way. According to Gupta, the bill – which has now been passed and signed into law but remains to be enforced – was intended by the government to give effect to the Supreme Court’s 2017 K Puttaswamy judgment which read the right to privacy into Article 21 of the Constitution. However, the endeavour by the government has largely been unsuccessful.

The interview was conducted two days before the Digital Personal Data Protection Bill received the presidential assent and the full interaction may be watched on YouTube. Here are the highlights from the interview:

Exemptions to Data Processors under the Act

While explaining the framework of the law, Gupta highlighted what he said were extremely broad exemptions in the act that essentially rendered the consent of the data principal entirely meaningless. The act defines a data principal as the individual to whom the personal data relates, as well as the lawful guardian of a minor, and the lawful guardian of a person with disability who is acting on their behalf. This is the footing on which the common people is placed, under the new law. Although the data principal is intended to be the primary beneficiary of a data protection law, Gupta expressed apprehensions over its consent requirements.

As an example of the ‘broad exemptions’ under the act, Gupta pointed to Section 7(g), which states that no consent will be required for the government to process data for taking measures to provide medical treatment, or health services during an epidemic, outbreak of disease or any other threat to public health.

Similarly, he highlighted the broad exemptions under Section 7(i) for use of the data for the purposes of employment. This was particularly alarming because India is a country where the government is the single largest employer of people.

“Exemption of certain legitimate uses where consent is presupposed is in variance with several international data protection statutes,” Gupta said, after using these illustrations.

Duties, Positive Obligations and Penalties for Citizens

Gupta pointed out that data protection statutes do not impose duties in terms of penal action for breaches by ordinary people. Section 15 of the Act creates obligations of the data principles to comply with all provisions of this law. These obligations, specifically in Section 15(b) of the Act, also create a broad obligation to not impersonate another person while providing their personal data, which may create room for penalisation in bad faith for persons who may not have digital literacy, such as senior citizens, who depend on their relatives for operating their electronic devices.

Next, Gupta spoke about Section 15(c), which creates a positive obligation on citizens to not suppress any material information while providing personal data for documents to the State. He explained that many people often provided incomplete information relating to their home addresses, and deliberately left other private details out to protect themselves against stalking or harassment. And this law creates room for penalising these citizens in bad faith. A fine of up to Rs. 10,000 can be imposed on an ordinary citizen for non-compliance of any of the duties under Section 15 of the Act.

‘Complete Outlier’ in Contemporary Data Protection Legislations

Because of the host of positive obligations of the data principal, the act is a complete outlier when compared with data protection legislations in other countries, Gupta said.

Another reason the DPDP Act is an outlier, Gupta explained, was because of Section 17(3), which gives the central government the power to exempt some data fiduciaries or class of data fiduciaries from certain obligations under this act as a data process, owing to the ‘volume and nature’ of personal data processed.

For more context, the act identifies ‘data fiduciary’ and ‘data processor’ as the entities or stakeholders that will be collecting or using the data from the data principal. Structurally, the data principal entrusts the data fiduciary with the data, and the data processor then processes personal data on behalf of the data fiduciary.

On the exemption that some data fiduciaries or class of data fiduciaries could be notified to receive, Gupta said that there was no metric of what volume or what nature of personal data processes would give the central government the discretion to grant these exemptions.

In this context, Gupta recommended the work done by Australian academic Graham Greenleaf, who has, among other things, conducted a comparative analysis of all data protection legislations. With reference to this, Gupta explained that these features – positive obligations of data principal, power of central government to grant exemptions to data fiduciaries based on the ‘volume and nature’ of personal data processed, to name a few – cannot be found in data protection statutes across the world, which made the Digital Personal Data Protection Act and outlier.

Amendments to RTI Act

The Right to Information Act, as it existed before the DPDP Act was enacted, maintained a ‘balancing act’ between the right of a person to access public information and protecting individuals from unnecessary invasions of privacy.

Section 8(1)(j) of the RTI Act excludes personal information which has no connection with any ‘public activity or interest’ or which can result in an ‘unwarranted invasion of the privacy of the individual’, from the realm of information that can be sought under the Act. But an exception was made for personal information, the disclosure of which a public information officer or the appellate authority deemed to be justified in the ‘larger public interest’. The proviso to this clause states that personal information which cannot be denied to the Parliament or any state legislature cannot be denied to an RTI applicant either.

The applicability of this provision and the exemption it created has been litigated several times right up to the Supreme Court. And now the section has been amended to exclude the parameter of the ‘larger public interest’ completely. In other words, an RTI applicant cannot seek any information related to ‘personal information’ even if the larger public interest warranted its disclosure. The amendment also takes away the proviso.

Gupta said that Section 8(1)(j) as amended by the legislation no longer maintained a balance between the invasion of privacy and the larger public interest. He said it may be used in an ‘oppressive manner’ to limit the flow of public information and might cause tangible harm to many people.

Data Protection Board ‘Lacks Independence’

Another concern voiced by Gupta is over the power of the central government to demand information from the data protection board that is to be constituted when this act comes into force, and recommend suo moto complaints to it for alleged breaches of data.

The data protection board will be the authority under the act to register and appoint consent managers to resolve issues relating to any unauthorised processing, sharing, or use of data without the consent of the data principal. A consent manager is someone will who will liaise between the data principal and the data fiduciary, and in turn, the data processor, and will serve as a single point of contact to enable the data principal to give, manage, review, and withdraw their consent through a platform.

Gupta argued that the power of a central government to demand information and recommend suo motu complaints to the board was alarming. He explained this with a hypothesis: where a public document is accessed by a journalist or a transparency activist, the central government can file a complaint to the board, leading to a conflict of interest. This is because the central government will appoint this board and determine its members’ service conditions. This gave rise to concerns over the fairness and independence of the data protection board.

In conclusion, Gupta said that the government’s new data protection law needed ‘considerable improvements’. “Several injuries have been caused by the Data Protection Act; not only to privacy but also to transparency,” he said. But he also expressed that hope that over a period of time, lawyers through their analysis, critique and activism can help refine the law in the future.

(Edited by Awstika Das)

Advocate Apar Gupta is a lawyer and writer on democracy and technology. He was involved in several notable constitutional cases in the intersection of technology and democratic rights, such as Shreya Singhal (Section 66A case), Gaurav Vyas (Internet shutdown case), and most notably, KS Puttaswamy, in which the Supreme Court held that the right to privacy was a facet of the right to life under Article 21 of the Constitution. He is also the co-founder of Internet Freedom Foundation, a non-governmental organisation that defends digital privacy, free speech, and innovation.