India passed its first official enactment on data in the form of the Digital Personal Data Protection Act, 2023, and gradually the rules in its fulfilment are being evaluated. However, there have been suspicions as to how effective the Act really is
By Ashit Srivastava
India may have been a late bloomer on the front of personal data protection, but in the last six months, some giant strides seem to have been taken. India passed its first official enactment in the form of the Digital Personal Data Protection Act, 2023, however, there seems to be several drawbacks on some essential fronts, such as the exemption clause under Section 17, exempting certain governmental agencies as well as certain data fiduciaries from the provision of the enactment. Secondly, the Act does not seem to keep the data principal at the centre of the Act. The objective of personal data protection is to ensure that the digital dignity of an individual is maintained against the excess of the digital executive or even non-State actors. The idea of digital personality hood is a well-established concept across the globe after the cases of Bavarian Lager and Population Census. However, the present enactment is not able to match the standards required to be fulfilled. Thirdly, the ombudsman body under the present Act, known as the Data Protection Board of India (DPBI), to a large extent, has a role of compliance, that is assisting the government.
Though the rules have not been floated in regard to the appointment of the DPBI, the current provision gives the central government the right to appoint the chairperson and members of the Board under the rules prescribed. The role of the ombudsman has to be more independent and more autonomous, though the sections under the Act read as such, but how far there will be functional autonomy in the working of DPBI will be hard to decipher. It has to be understood that the role of the ombudsman has to be more neutral and independent, it has to be the enforcer of data protection principles against the State as well as the Non-State actor.
However, as the rules are being floated and discourse on personal data is becoming a hot button issue, it seems the emphasis of the government is shifting towards purpose-limitation. Of late, there is news that the central government may require social media, e-commerce and gaming intermediaries to permanently delete the personal data of individuals who have been “completely away” from their accounts for at least three years. This seems like a welcome move from an individual perspective. However, from the perspective of a data enthusiast, other considerations need to be balanced. There are three prime competing interests: The interest of the individual (data principal), the interest of the service provider (intermediaries) and the interest of the government. Data is the new oil and every entity mentioned has an interest in this oil. However, the interest of the data principal has to be at the centre of this discourse, because it is the data principal that we want to empower against the giant corporations and the excess of the State surveillance.
Purpose limitation is one of the essential structural elements of the personal data protection ecosystem, the bare meaning of this concept is to ensure that you store the information for a particular purpose and once that purpose is complete, you get rid of the information. It became a foundational basis of personal data along with the principle of data-minimisation. In simpler terms, use as minimal data as possible for providing the services and delete the information once the work of the data is over. The idea is to leave no leverage in the hands of the data intermediary against the data principal.
Similar to Article 5(1)(b) of the General Data Protection Regulation, which provides for purpose limitation, is the concept given under Section 4(1)(b) of the Digital Personal Data Protection Act, 2023. However, the rule that the personal data of users who have been away for three years need to be deleted is not only reflective of the fact that it limits the processing of personal data after one point in time, but it is also indicative that the intermediary cannot store the data of the user for perpetuity for consent given earlier.
However, there are certain concerns against the personal data retention of three years, as this period might be long, going to a certain extent against the hardcore philosophy of purpose-limitation. That would have demanded a deletion of data on the purpose being over. The period of three years might seem disproportionate to the objective, as it keeps the account of the user alive for a longer time, irrespective that the user has stopped using the account long back ago.
One such law was also introduced in Poland when the Ministry of Justice in Poland floated a law providing for obligatory data retention on service providers for 12 months and even making it available to law enforcement agencies (if required and on request). Comparatively, the proposed draft of India seems to retain the data for a longer period.
However, there are exceptions for cases in which the data can be stored for a longer period, under Section 17 (2)(b). The Section reads that the provisions of the Digital Personal Data Protection Act will not apply in cases where the processing of personal data is necessary for research, archiving or statistical purposes, provided the processing is following such standards as may be prescribed.
Additionally, the proposed draft rules will also provide for allied healthcare professionals, medical educational institutions, and health and mental care establishments may be allowed to use some publicly available data for research, archiving and statistical purposes. As already highlighted in Section 17(2)(b). Additionally, the draft rule may also provide for exemption to the educational institute established, owned, or recognised by the central/ state government or local government or institutes of higher education to use such data for research purposes.
Further, there will be safeguards as to what amount of data can be processed and what standards and procedures will be needed to be followed by the institution. If the information collected by the medical institute is sensitive, in those cases the safeguard required will be proportionately high. Additionally, another proposal is for the notification of personal data breaches, under which it will be the responsibility of the data fiduciary to inform the DPBI within 72 hours of becoming aware of the breach of personal data. All these draft proposals seem to be in the right direction, knowing that it is necessary to ensure that the data principal is kept aware as to what is the status of his/her data. Additionally, the time limit of three years for storing data ensures that there is no unwarranted processing of personal data, once the original purpose for which the data was collected is over.
—The writer is Assistant Professor of Law at Dharmashastra National Law University, Jabalpur