
Partial protection of privacy is no protection at all – Lacunae in DPDP Act

In a world where digital surveillance is omnipresent, half-measures in privacy protection are not just inadequate; they’re a step backward. Privacy is as important as life itself. This was upheld in the K S Puttaswamy judgment, which placed it under the ambit of Article 21 of the Indian Constitution – Right to life and liberty. The right to privacy is a fundamental human right that is essential for protecting a person’s dignity. Living a meaningful life goes beyond mere existence; it requires the ability to live with respect. To ensure a dignified life and the freedom to make personal choices, it is crucial that individuals have sole authority over who can access their information. Once information is digitised, it knows no boundaries and is remembered forever. Given that India is the second most targeted country for cyber attacks after the United States, it is essential to enact laws to safeguard data protection.

The Digital Personal Data Protection Act, 2023 is a significant step towards safeguarding the data of Indian citizens. Key features include provisions to protect children’s data through mandatory parental control and monitoring. The penalties imposed for violation of the Act, along with restrictions on companies that do not comply with the rules, will create greater accountability for data leaks. However, the Act also has certain loopholes that need the attention of the legislature.

The gaps in the Act increase the vulnerability of data that is accessible in just a few clicks. Firstly, the Act fails to hold the data fiduciary and data processor (who collect and process data) adequately accountable. Even though the Act requires data to be collected with consent, it does not mention sensitive and critical data like passwords, medical history and sexual orientation, which can cause significant harm to individuals if misused. This can lead to social and financial biases and have a major impact on individuals. Therefore, it becomes important to handle such data with utmost care to ensure safe processing and storage.

Secondly, not all stakeholders who can act as data fiduciaries are covered under the Act. Section 3(c) excludes individuals who collect data for personal or domestic use, or for their journalistic or artistic work. This creates a significant loophole, as even data collected for personal use has the potential to be leaked, posing a threat to individuals’ privacy.

Thirdly, Section 17 of the Act provides the government with broad leeway by granting it overarching powers through various exemptions. For instance, the government is not obligated under the Act to adhere to the duties of data principals and data processors if doing so is necessary for reasons related to sovereignty, foreign relations, public order, research, archives, and so on. Besides, the government, if it deems fit, has the authority to declare any data fiduciary outside the scope of the Act on the pretext of the volume and nature of data processed. These extensive powers of the government become a roadblock to holding the responsible parties accountable when negligence occurs.

There have been several instances of data breaches, such as the Aadhaar data leak in 2018 and the data breach of the train ticketing platform RailYatri in 2022, which exposed the vulnerabilities of government repositories. However, no remedies or accountability measures were implemented by any authority due to a lack of stricter regulations.

Last but not least, under Sections 18 and 19 of the Act, a Data Protection Board of India was established for grievance redressal. However, it has effectively become a captive entity of the State. This is because the board consists of a chairperson and two members who are appointed and re-appointed by the government. Additionally, any other appointments to the board require the government’s approval. Under Section 39, the court is barred from hearing or issuing injunctions regarding matters that fall within the board’s jurisdiction. Furthermore, Section 36 empowers the government to request information from the board at any time, if necessary. This situation hinders the independence of the forum, leaving beneficiaries vulnerable to these gaps.

It is commonly argued that the Act requires the consent of the data principal to be obtained after a clear communication of the purpose for collecting the data. It restricts the use of data to the stated purpose and enshrines the right to access, modify, and delete that data. Additionally, it includes provisions for penalties in cases of data breaches. However, these provisions only apply to digitally recorded data and to data fiduciaries that are not exempted by the government, leaving the guarantee of privacy conditional. This effectively excludes physical data and exempts data fiduciaries from the jurisdiction of the Act.

The Digital Personal Data Protection Act, 2023, represents a step forward in legalising data protection; however, it falls short in adequately guaranteeing the right to privacy. The Act grants the government unchecked powers, undermines the independence of the board, fails to address sensitive data with the necessary rigour, and lacks sufficient accountability for data fiduciaries. As a result, it cannot fulfil its purpose of protecting data from misuse. It is now imperative for the legislature to address these shortcomings. Half-hearted privacy measures are not only ineffective; they create a false sense of security while our personal information remains vulnerable.


References:

1. Srikrishna, B. N. (n.d.). A free and fair digital economy: protecting privacy, empowering Indians. In the Committee of Experts. https://www.meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf

2. Parliament. (2023). THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023. In THE GAZETTE OF INDIA EXTRAORDINARY. https://prsindia.org/files/bills_acts/bills_parliament/2023/Digital_Personal_Data_Protection_Act,_2023.pdf

3. ETtech. (2023, October 31). Aadhaar data leak | Personal data of 81.5 crore Indians on sale on dark web: report. The Economic Times. https://economictimes.indiatimes.com/tech/technology/aadhar-data-leak-personal-data-of-81-5-crore-indians-on-sale-on-dark-web-report/articleshow/104856898.cms?from=mdr

4. Deep, A. (2023, January 5). Train ticketing platform RailYatri hit by data breach. The Hindu. https://www.thehindu.com/business/Industry/train-ticketing-platform-railyatri-hit-by-data-breach/article66339367.ece


Saloni Chhaparia
PDM Scholar, Class of 2025

Saloni Chhaparia is a dedicated law student at St. Xavier’s University, Kolkata. She has demonstrated her leadership and organisational skills by orchestrating a national-level trial advocacy competition and serving on the core committee of both the Moot Court and the Law Society. Saloni’s involvement in these activities underscores her commitment to legal excellence and advocacy. She aspires to explore opportunities in public policy, aiming to apply her legal acumen to shape effective and impactful policies.

LinkedIn: https://in.linkedin.com/in/saloni-chhaparia-39444a1b2