27 Sep 2023 7:30 AM GMT
The much-awaited Digital Personal Data Protection Act, 2023 (DPDP Act, 2023) is reflective of the indispensable mechanism required to ensure the digital autonomy of the users at a time when India becomes the second country with the highest number of internet users (692 million). However, whether digital autonomy is available to everyone equally is the question to...
The much-awaited Digital Personal Data Protection Act, 2023 (DPDP Act, 2023) is reflective of the indispensable mechanism required to ensure the digital autonomy of the users at a time when India becomes the second country with the highest number of internet users (692 million). However, whether digital autonomy is available to everyone equally is the question to reckon with.
Digital accessibility has become one of the primal issues while discussing the digital autonomy of the citizens. This becomes pertinent, especially in the case of persons with disabilities (PWD), where accessibility is not just limited to availing support to access digital channels but also enables them to make decisions at par with any user. Now, with the passage of the DPDP Act 2023, it is vital to analyse how it confers digital autonomy to the PWD.
What does the Act observe?
While it is commendable that the Act incorporated the special needs of the PWD, unlike most foreign legislations, we need to analyse this with a pinch of salt. The definition clause under Section 2(j) defines data principal as the individual to whom the personal data relates and where such individual is—
(i) a child, includes the parents or lawful guardian of such a child;
(ii) a person with disability, includes her lawful guardian, acting on her behalf;
The problem here is two folds:
Reading the definition, it uses the term “includes” while denoting a lawful guardian on behalf of the child and disabled users. Now, as far as the former is concerned, it is evident that the data principal would “mean and include” her lawful guardian or parents as she, in no case, is qualified to give valid consent.
However, the difficulty arises in the second case as to whether “includes” will subsume the same meaning here as well. Reading within the context, the word is restrictive in the sense that a lawful guardian has to compulsorily act on behalf of the disabled data principal. Moreover, Just. GP Singh, in his seminal work “Principles of Statutory Interpretation,” has observed that the word “include” can sometimes be considered equivalent to “mean and include.” In such instances, it provides a comprehensive explanation of the meaning that must always be associated with those words or expressions for the legislation’s purposes. So if a data principal is disabled, then does a lawful guardian have to compulsorily act on her behalf or she has the choice to make autonomous decisions? Here arises the second issue.
How Valid Consent to be Obtained?
Section 9(1) of the Act states that: “The Data Fiduciary shall, before processing any personal data of a child or a person with disability who has a lawful guardian, obtain verifiable consent of the parent of such child or the lawful guardian, as the case may be, in such manner as may be prescribed.”
Now, if the definition mandates that a lawful guardian shall act on behalf of the PWD, then the Data Fiduciary has to obtain verifiable consent from the guardian only. The name of the section (“Processing of personal data of children”) itself reflects that it seeks to cover valid consent pertaining to the child. So besides straitjacketing valid consent of PWD with the child, the section imposes mandatory conditions on the data fiduciary to take valid consent of the lawful guardian of the PWD. It reflects that they are not capable of giving valid consent independently without the support of a lawful guardian. However, this inference does not hold water as it affects the autonomy and freedom of the disabled person in making autonomous decisions. Thus, it violates the general principles enshrined under Article 3 of the Convention on the Rights of Persons with Disabilities, which were also reiterated in the Rights of Persons with Disabilities Act, 2016 (RPwD).
Now, although section 6 clearly states that the consent of the Data Principal shall be “free, specific, informed, unconditional and unambiguous with a clear affirmative action”, it will cause severe difficulties in the practical application of the law where the verifiable consent of the PWD will be in question. Moreover, by not making reasonable classification between those who might need a lawful guardian and those who might not, it is highly probable a lawful guardian might exert undue influence over them, especially in the case of women, while giving substituted consent and thus violating Section 13(5) of the RPwD Act, 2016.
Furthermore, as it would dissuade a substantial segment of the population from exercising their digital autonomy, it will also be in violation of the principle of reasonable accommodation as set by several judicial precedents, the most prominent being Vikash Kumar v. UPSC & Ors. This one-size-fits-all all formula is also not in consonance with the landmark judgement of KS Puttaswamy v. Union of India, where the Supreme Court invariably asserted that every individual shall have autonomy over their data and be able to give valid consent while declaring the right to privacy as a fundamental right under Article 21.
Reading Vikash Kumar and Puttaswamy judgement together, it is evident that the present Act, in its current format, assumes a one-size-fits-all formula which adversely affects the principle of reasonable accommodation and the autonomy of the individual to give valid consent over her data. Therefore, if the government does not make necessary changes in the forthcoming rules or by amending the DPDP Act, it is highly probable that the judiciary will read down both sections and broaden the literal view of the definition to give way to the rights of disabled data principals.
Nevertheless, it is noteworthy that the Act has intelligently dealt with the issue of inclusivity of persons with disabilities in an ever-rising digital world. Even the model legislation of the European Union’s General Data Protection Regulation and similar laws of New Zealand, Brazil, Canada and Japan does not define a person with disability while defining a Data Subject (parallel to data principal). Therefore, the Government must relook at these provisions to further bolster the digital autonomy of all internet users and fulfil what the Act aims to achieve: “the right of individuals to protect their personal data”.
The author is a Research Volunteer at Mission Accessibility, an initiative to foster Digital accessibility for PWDs.Views are personal.
Views are personal.