Revolutionary Steps to Shield Data Privacy in India

Soumik Chakraborty, Abhishek Verma | March 2024

On 24th August 2017, a landmark ruling was pronounced by the Hon’ble Supreme Court of India which significantly reshaped the concept of privacy in the case of Justice K.S. Puttaswamy (Retd.) & Anr. v. Union of India & Ors. This particular case stands as the cornerstone of Right to Privacy jurisprudence in India. A panel of nine Hon’ble judges unanimously affirmed the right to privacy as a fundamental right under the Constitution of India.

Initially in July 2017, the Indian government constituted a committee with the purpose of conducting an indepth examination of data protection within the nation. This committee was led by the former Supreme Court Justice BN Srikrishna. Thereafter, the Personal Data Protection Bill, 2019 was presented in the Lok Sabha on December 11, 2019, and on the same day, it was forwarded to the Joint Committee for deliberation on ‘The Personal Data Protection Bill, 2019’. On 3rd August 2022, the Central Government took the bold step of retracting the 2019 Personal Data Protection (“PDP”) Bill. In its place, a new bill was introduced, which incorporates a ‘comprehensive framework’ and ‘modern digital privacy regulations’.

Crafting Data Protection Laws for India proved to be a challenging and time-consuming endeavor. Nevertheless, it is essential to remain hopeful until the ultimate resolution, drawing inspiration from the timeless wisdom contained within the Hindu Vedas.

This means “From each debate, there arises knowledge of ultimate principle”.

The Digital Personal Data Protection Bill, 2023, was approved by the Lok Sabha on August 7, 2023, and subsequently, it was ratified by the Rajya Sabha on August 9, 2023 and the same has received Presidential assent on August 11, 2023 now named as The Digital Personal Data Protection Act, 2023 (“The Act”). The prior Personal Data Protection Bills of 2019 and 2022, which had undergone numerous amendments and were fraught with several issues regarding data localization, transparency, and compliance, were finally retracted by the Central Government.

Concept of Privacy

In the case of Justice K.S. Puttaswamy (Supra), the Hon’ble Supreme Court observed that the protection of data must be both intrinsically and instrumentally which means the protection of informational privacy is important aspect.

According to the Chief Justice of India Dr. D. Y. Chandrachud privacy is “Informational Privacy, as an aspect of the right to privacy, is profoundly influenced by the age-old saying that ‘knowledge is power.’ This concept carries significant implications for individuals in a world where data is omnipresent, forming an all-encompassing presence. Each action or transaction by an individual generates electronic traces, often without their awareness. While these isolated pieces of information may appear inconsequential, their collective aggregation can paint a comprehensive picture of individuals. The challenges posed by big data to privacy stem from both governmental and nongovernmental entities”.

Objective & Applicability of The Act

This Act aims to regulate the processing of digital personal data in a manner that respects individuals right to safeguard their personal information while also addressing the necessity of processing such data for lawful purposes and related matters.

The Act pertains to the handling of digital personal data within India, whether collected in digital or non digitized form. The Act exhibits extraterritorial reach, extending to the processing of personal data outside India, regardless of the processing entity’s location, as long as it involves offering goods or services to individuals within India. Further the Act is bifurcated into IX chapters:

Pivotal Aspects of The Act

DATA: As per Section 2(h) of the Act data means to a depiction of data, including information, facts, concepts, opinions, or instructions, presented in a format that is suitable for comprehension, communication, interpretation, or processing, whether by humans or automated systems.
DATA FIDUCIARY: As per Section 2(i) any individual who, either on their own or in collaboration with others, establishes both the intent and the methods for processing personal data.
DATA PRINCIPAL: As per Section 2(j) of the Act This term signifies the person to whom the personal data is relevant, and in cases where the individual is:

A child, it encompasses the parents or legal guardian of that child.
A person with a disability, it includes their legal guardian who acts on their behalf.

NOTICE: As per Section 5 of the Act whenever a request for consent is made to a Data Principal under section 6, it must be accompanied or preceded by a notice provided by the Data Fiduciary to the Data Principal. This notice should include the following information:

An explanation of the personal data being processed and the purpose for which it is intended to be used.
Instructions on how the Data Principal can exercise their rights as outlined in sub-section (4) of section 6 and section 13
Guidance on the process for the Data Principal to file a complaint with the Board, as per the prescribed procedures.

CONSENT: In accordance with Section 6 of the Act, the processing of Personal Data is permissible solely for a defined purpose, contingent upon the consent of the Data Principal, who is the individual involved. This consent must meet specific requirements, including being freely given, informed, unconditional, unambiguous, and requiring a clear affirmative action. Before seeking consent, the Data Fiduciary is obligated to furnish a notice under Section 5, which outlines the Personal Data to be collected and the purpose for processing. It’s worth noting that, as detailed in Section 7, consent is not obligatory for ‘legitimate uses,’ which encompass specific purposes for voluntarily provided data, State-provided benefits or services, State security, responses to medical emergencies, ensuring safety and public order, and employment-related activities. In cases involving individuals with disabilities or those under the age of eighteen (18), consent is granted by their parent(s) or legal guardian. However, it’s crucial to understand that the State and its instrumentalities possess the authority to retain Personal Data and reject requests for data erasure, as specified in Section 17(4).
RIGHTS AND DUTIES OF DATA PRINCIPAL: An individual whose information is undergoing processing is entitled to specific rights, detailed in Sections 12 to 14. These rights encompass: (i) receiving information regarding the processing, (ii) requesting the rectification or deletion of their Personal Data, (iii) designating a proxy to exercise their rights in cases of death or incapacity, (iv) addressing grievances, and (v) withdrawing their consent at any point during or after the processing of Personal Data. Moreover, Section 15 imposes obligations on Data Principals, including the duty not to: (i) file an untrue or frivolous complaint, (ii) withhold essential information when providing their Personal Data, and (iii) provide false details or assume another’s identity in specified circumstances. Violating these obligations will result in penalties in accordance with the Act’s Schedule.
EXEMPTIONS: According to Section 17 of the Act, certain sections from Chapter II (excluding Section 8(1) & (5)) and Chapter III (excluding Section 16) are not applicable in specific situations. These exemptions include instances where these provisions are not applicable: (i) for the prevention, investigation, or prosecution of offenses, (ii) for the enforcement of legal rights or claims, (iii) when the processing is not within the territory of India, and (iv) when the processing is done to determine financial information, assets, and liabilities. Additionally, as per Section 17(2), the Act’s provisions do not apply to the processing of Personal Data: (i) by the State or any other governmental entity in the interest of security and public order, and (ii) when it is necessary for research, archiving, or statistical purposes.

Sum And Substance

The Act introduces a unique approach in protecting Personal Data, addressing longstanding requirements in the face of the growing number of internet users, data generation, and international trade. Nonetheless, there’s a need for further clarity in implementing the Act, which is expected to come with the establishment of the Data Protection Board of India and the formulation of rules under the Act. As a whole, the Act represents India’s distinct perspective on contemporary data protection, informed by extensive post-draft consultations. Although the Act’s provisions are less detailed compared to the European Union’s GDPR, it necessitates a significant change in how Indian businesses must now handle privacy and Personal Data, while also authorizing the government’s role in regulating, safeguarding, and monitoring its citizens personal information.

About Author

Soumik Chakraborty

Soumik Chakraborty is a Law Graduate from the University of Calcutta having passed out in the year 2012. He has an expertise in Civil, Criminal, Matrimonial matters, Arbitration Proceedings, Consumer, Writ matters and also having an exposure of appearing before High Courts, Lower Courts, Consumer Forum, Debts Recovery Tribunals in the State of West Bengal. He also has experience in conducting several Arbitrations, handling high-profile land acquisition cases, ACB and PMLA matters. He is currently a Principal Associate with S Jalan & Co.

Abhishek Verma

Abhishek Gaurav Verma, working as an Associate with S. Jalan & Co., is a BBA LLB graduate from Law College Dehradun, Uttaranchal University in the year 2021. His primary area of practice involves Commercial Civil Suit, Civil Suits, Arbitration, IBC etc.,. He has a considerable experience of appearing before National Company Law Tribunal, NCDRC and various other courts.