The concept of the right to privacy is widely acknowledged as a fundamental human right, and this is explicitly articulated in Article 12 of the 1948 Universal Declaration of Human Rights:
“No one shall be subjected to arbitrary interference with his privacy, family, home, or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks.”[1]
Many western nations have established comprehensive legal frameworks concerning privacy, and there has been a long-standing need for a similar framework in India. The Supreme Court of India has previously expressed strong viewpoints on this matter in various judgments, including:
- P. Sharma v Satish Chandra[2]
- Maneka Gandhi v Union of India[3]
- Kharak Singh v State of UP[4]
- Peoples Union for Civil Liberties v Union of India.[5]
The emergence of the right to privacy for individuals gained prominent attention with the introduction of Aadhar Cards. This pivotal juncture was marked by Retired Justice Puttaswamy’s audacious move to challenge the constitutional validity of The Aadhaar (Targeted Delivery of Financial and Other Subsideries Benefits and Services) Act, 2016 before the Supreme Court, which he pursued through the filing of a writ petition. The crux of the petitioner’s argument rested on the assertion that, in light of the precedents set by prior Supreme Court rulings, the right to privacy holds the status of a fundamental right. In this intricate legal battle, it was contended that the Aadhar procedure, as it stood, transgressed this fundamental right, thus sparking a compelling deliberation on the delicate balance between individual privacy and state-initiated identification mechanisms. The ruling in this judgment established that the concept of informational privacy is encompassed within the right to privacy. While acknowledging the necessity for a data protection legislation, the Court deferred the responsibility of creating such a law to the Parliament.
Acknowledging the significance of safeguarding citizens’ personal data and ensuring data protection, the Ministry of Electronics and Information Technology (“MeitY”), Government of India, established a Committee of Experts on 31st July 2017. This committee was chaired by Justice B. N. Srikrishna, a former Judge of the Supreme Court of India, included members from the government, academia, and industry. Their task was to analyze and identify critical data protection concerns and propose strategies for their resolution. Additionally, the committee was charged with formulating a preliminary draft of the Data Protection Bill. The protection of data was anticipated to greatly enhance the nation’s digital economy.
The report submitted by the Committee suggested strongly that if India is to shape the digital landscape on a global scale in the 21st century, it must construct a legal structure concerning personal data that can serve as a model for emerging economies. Implicit within this perspective is the understanding that safeguarding personal data is pivotal for enabling empowerment, advancement, and innovation. Equally inherent is the necessity to formulate a legal framework for personal data, not just applicable within India, but tailored to the needs of Indians.
Such a framework should deeply comprehend the distinct concerns and aspirations related to personal data that are specific to the Indian population embracing their apprehensions and aspirations. It’s a well-recognized notion that these viewpoints may not necessarily mirror those found in developed nations, which already possess established legal frameworks.
Subsequently, the draft of Personal Data Protection Bill was put forth by the Sri Krishna Committee in 2018. Following amendments based on input from industry and stakeholders, the Ministry of Electronics and Information Technology presented the Personal Data Protection Bill 2019 (“PDPB”) to the Rajya Sabha in December 2019.
This version of the PDPB aimed to revamp India’s legislative structure for overseeing data exchange in private agreements. Among other things, it outlined compliance prerequisites for various types of personal data, expanded individual rights, introduced a central data protection authority, established data localization obligations for specific sensitive data, and set substantial financial penalties for non-compliance.
However, due to several implementation challenges, the PDPB was referred for evaluation to the Joint Committee of the Parliament (“JPC”) in 2019. Subsequently, amid the global pandemic, the JPC devoted approximately two years to scrutinizing and discussing the intricacies of the PDPB.
Finally, The Digital Personal Data Protection Act, 2023 (“Act”), after gaining approval from both houses of the Indian Parliament, received the assent of the President of India on 11th August 2023. This act was later officially published in the Official Gazette by the Central Government. The Act refines its predecessor from November 2022 (“2022 Bill”), incorporating certain strategic adjustments while upholding all fundamental principles.
This comprehensive legislation addresses the complex challenges posed by the digital landscape, establishing a framework that aims to strike a balance between the advantages of data utilization and the imperative to safeguard individuals’ privacy.
Key Provisions of the Act:
1. Informed Consent and Transparent Practices:
At the core of the Act lies the principle of informed consent. Organizations are now obligated to obtain express consent from individuals prior to collecting, processing, or sharing their personal data. This marks a significant departure from the past, where consent often got buried within lengthy terms and conditions. Transparency is likewise emphasized, mandating organizations to furnish easily, explanations that are understandable to the layman, regarding data usage and sharing practices.
2. Data Minimization and Purpose Limitation:
In order to mitigate the risks associated with data breaches and unauthorized access, the Act introduces the concept of data minimization. This mandates the collection of only the minimum necessary data for specific purposes. Moreover, the Act enforces purpose limitation, ensuring that data collected is utilized solely for the intended purpose and not repurposed without explicit consent.
3. Individual Rights and Empowerment:
By granting individuals the right to access their personal data held by organizations, the Act provides them with greater control over their data. This includes the ability to rectify inaccuracies and even request the deletion of their data. These provisions empower individuals, fostering a sense of ownership over their digital identities and thereby also conveying a sense of safety with respect to their personal data.
4. Compulsory Data Security Measures:
Acknowledging the increasing threat of cyberattacks, the Act mandates organizations to implement robust data security measures. Encryption, regular security audits, and immediate breach notification protocols are no longer optional but imperative components of data management strategies.
5. Accountability and Enforcement:
A significant stride towards ensuring adherence, the Act stipulates severe penalties for organizations failing to comply with its provisions. This not only underscores the gravity of data protection but also serves as a deterrent against negligent practices. The ease of access that the internet brings in today’s world, also stands as a huge threat to an individual’s personal data. This Act is a step towards ensuring that the power of the internet is not misused.
6. Managing Cross-Border Data Transfers:
Given the global nature of data flows, the Act addresses the intricacies of cross-border data transfers. Organizations must now ensure that data transferred to foreign jurisdictions receives the same level of protection guaranteed by the Act.
Impact on Individuals and Organizations:
The enactment of the Digital Personal Data Protection Act, 2023 ushers in transformative changes that have far-reaching implications for individuals and organizations alike.
1. Elevated Privacy and Trust:
For individuals, the Act translates into heightened privacy rights and a reassurance that their personal information is treated responsibly. This fosters trust in digital interactions, making individuals more inclined to engage with online services and share their data.
2. Corporate Responsibility and Accountability:
The Act compels organizations to adopt a proactive stance toward data protection. Companies are now compelled to allocate resources to comply with rigorous data security measures and transparent practices. This shift not only minimizes the risk of data breaches but also nurtures a culture of corporate accountability.
3. Fostering Innovation and Data Utilization:
While the Act mandates stringent data protection measures, it does not stifle innovation. Organizations are encouraged to find innovative ways to harness data while upholding individuals’ privacy rights. This equilibrium propels responsible innovation and drives the development of novel technologies that respect privacy.
Global Influence and Harmonization:
As nations worldwide grapple with data privacy regulations, the Digital Personal Data Protection Act, 2023 sets a global benchmark. Its comprehensive approach to data protection serves as a model for other countries, potentially fostering a harmonized international framework for digital privacy.
The Act marks a notable stride in guaranteeing the safeguarding of personal data within India. This was an overdue development, considering the substantial number of internet users in the country, the voluminous data they generate, and India’s involvement in cross-border commerce and investments. While the prevailing data protection regulations did offer some protection for data subjects’ rights, mandated incident reporting, and imposed responsibilities on data processors, the regulatory structures in place were somewhat incomplete and lacking in specificity.
The Act brings about a comprehensive transformation of the framework, supplanting and superseding the existing legislation. It represents a substantial advancement in safeguarding individual privacy in India. By establishing a more transparent and accountable structure for personal data processing, it empowers individuals with greater authority over their personal information. The Act also serves to shield individuals from the improper use of their personal data and fortifies their ability to assert their individual rights concerning their personal data.
Though still in its fledgling phase, the Act marks a noteworthy commencement an initial stride toward reshaping the regulatory landscape for personal data. As the realm of digital data, despite its ubiquity, retains an inherently fluid nature, continually evolving with each passing day, this Act signifies an adaptable approach. As a result, this legislation is poised to undergo continuous evolution, mirroring the ever-changing dimensions of digital information and flexibly adjusting to the shifting tides of time.
Nishka Shah, Associate. M/s. Solomon & Co.
About Solomon & Co.
Solomon & Co. (Advocates & Solicitors) was founded in 1909 and is amongst India’s oldest law-firms. The Firm is a full-service firm that provides legal service to Indian and international companies and high net-worth individuals on all aspects of Indian law.
“Disclaimer”
The information contained in this article is intended solely to provide general guidance on matters of interest for the personal use of the reader, who accepts full responsibility for its use. The application and impact of laws can vary widely based on the specific facts involved. As such, it should not be used as a substitute for consultation with a competent adviser. Before making any decision or taking any action, the reader should always consult a professional adviser relating to the relevant article posting.
[1] Universal Declaration of Human Rights, 1948
[2] 1954 AIR 300
[3] AIR 1978 SC 597
[4] 1963 AIR 1295
[5] AIR 1997 SC 568